The economics of the Internet have redefined the value of privacy to the ordinary individual. Most people these days gladly sell some of their personal information for what some would say is scant return and others would call valuable services. Of course, people are opposed to having information about themselves disclosed without their permission in a way that might harm them. This is an important point; what they seem to be against is the harm, not the disclosure itself.
Online privacy, pro …
Compliance and information security professionals seem to think there is a societal consensus in favor of privacy. In support of this view, they point to privacy requirements in state and federal laws; according to Privacy Journal there are more than 700 laws regarding privacy and surveillance. For a few examples, the Privacy Act of 1974 limits what the federal government can do with the data it collects. The Financial Modernization Act of 1999 (better known as the Gramm-Leach-Bliley Act, or GLBA, after its sponsors) includes provisions to protect consumers' personal financial information held by financial institutions. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, does the same for health care and health insurance data subjects.
… And con
Others argue that privacy is not important. If one has nothing to hide, so this argument goes, there is no need for privacy. Online information is
It is the confluence of commerce and information that raises the issue of online privacy, though the average Internet user rarely thinks of it: The payment for public information is access to a website and a service. Anyone who wants an account to use free email, listen to online radio or view videos has to provide some information, such as gender and age. People freely provide personal, professional and educational histories on social networking sites.
It is for the individual to decide whether the value received is commensurate with the value paid. What is important to information security generally, and the protection of privacy rights particularly, is the prevalent attitude toward the value of information, personally identifiable and otherwise.
Personal information and game scores
The team promises not to sell, lease or share this information, with the notable exceptions of its service providers, other baseball teams (even the crosstown Lords of Wickedness) and other partners that it may from time to time designate. The team then lets fans know its site will place cookies and Web beacons on their computers and collect all sorts of information. So, with all that, the Mets know who their fans are, where they work, when they are not working but checking out the ball scores, and the equipment they are using.
Many would say "So what?" to all of this. And that indeed is the argument against privacy altogether. No harm is done; the visitor receives something he presumably values, and there is nothing shameful in the information disclosed.
But this argument debases the value of information, including most importantly the value of the information that companies and individuals do feel is worth protecting. It is akin to saying that taking a dollar or two out of the cash drawer is no big deal. How much money is too much? How sensitive must data be to be too sensitive to disclose?
Lessons to be learned
There are significant lessons for those whose job it is to ensure compliance with privacy rules and legislation.
- The same employees who are insouciantly using company-owned systems to view seemingly harmless
websites are creating a culture that undervalues information. This attitude must be combated with
clear statements of what is and is not acceptable with regard to the use of company systems and
information about the company and its employees.
People will, to be sure, still follow the fortunes of their favorite teams, but if they are urged to check privacy statements and understand what they are doing, security and privacy overall will be enhanced. They should be taught to look for terms like cookies, Web beacons or third parties and be given a simple explanation of what those things are and why they are important.
- This need not be a wholesale awareness program. Many companies use content filters to prevent
employees from surfing dangerous, immoral or resource-consuming websites. If, on a random basis,
the filter were tuned to look for more innocuous sites (such as baseball team websites),
individuals could be identified and spoken to. The objective of reaching out to individuals is not
to chastise them (tone is all-important) but to educate. The message should be that management is
concerned not about a few innocent minutes spent on the Web but about the security and privacy of
information. That word will get around: Information security and compliance professionals should
learn to use viral marketing.
- These same professionals should educate themselves on the scope of this very particular form of
data leakage. The scope of the information being freely disclosed about their personnel and, by
extension, their organizations, should cause some investigation, if not alarm. It is impractical to
ban all external Internet access and it is likewise impossible to track the business nature of
every website accessed. But they can be on the lookout for indications that some information has
fallen into the wrong hands. These signs might include certain employees receiving unsolicited
recruiting calls, vendors targeting specific managers or, worst of all, information about
individual employees being used without their approval.
- Finally, everyone should give some serious thought to the value they receive by blithely giving away personal information. How many social networks, blogs or email services is one too many? If each person had to spend actual money on a Web service, would he or she pay it? And if so, how much?
Steven J. Ross, MBCP, CISSP, CISA, is founder and principal of Risk Masters Inc. Write to him at email@example.com.
This was first published in September 2009