In Identity, Privacy, and Security, OWI takes a step back to look at privacy and security more broadly, and examine their relevance in a connected world. This paper also discusses how your company should start thinking differently about both concepts and how they relate to our Identity Building Blocks, in order to improve your business and foster Trust and Safety.
Principal Analyst – Kaelyn Lowmaster
Director of Education – Katie Stephens
The New Frontier Of Digital Privacy And Security
After a year of high-profile data breaches, shoddy institutional data management, and damaging cyber attacks, it’s unsurprising that anyone would feel cynical about privacy and security in the digital world.
The volume of personal data generated and collected by companies continues to expand exponentially, making it difficult to gauge where the borders of modern privacy should be drawn. That same explosion of data also multiplies vulnerabilities for companies and institutions, so fostering digital security will continue to be an inherently lopsided battle.
But your company quite literally cannot afford to be complacent in the face of these challenges. As OWI has discussed in detail, you’re already in the personal data business, and the way your team navigates the shifting landscape of digital privacy and security will have a profound effect on customer trust levels as well as your bottom line.
OWI’s previous whitepapers have taken a look at why data stewardship and sound personal data management are core functions for any company or organization. In this whitepaper, we take a step back to look at privacy and security more broadly, and examine their relevance in a connected world. We’ll also discuss how your company should start thinking differently about both concepts and how they relate to our Identity Building Blocks, in order to improve your business and foster Trust and Safety.
Privacy’s Not Dead — It’s Just Digital
The idea of privacy has undergone a massive shift in the internet age. Analog privacy typically meant the freedom from observation — confidence that no one was watching your actions, and that no one would know certain information about you unless you actively chose to tell them.
For connected consumers, though, carving out areas of total freedom from digital observation or data collection is not only an impossible goal to achieve, it’s often not a desirable one, either. We rely on nearly constant information sharing for basic daily services: Our phones’ GPS knows where we are, our home assistants listen for our voice, and our fitness trackers monitor our heartbeat. The average digital consumer owns four connected devices, and that number is likely to continue growing. That constant connectivity should not mean, however, that consumers must forfeit control over how their data is used.
Privacy as a concept is perhaps even more relevant now, when the sheer volume of identity data about any given individual is so much larger than ever before. Our data-saturated context requires a new construct for thinking about the value and execution of privacy standards. To that end we’ve developed a new definition for digital privacy.
Building A Framework For Digital Privacy
Digital privacy — Freedom from the collection, use, monitoring, or sharing of personal data and digital activity without the user’s understanding, knowledge, or consent
This new definition provokes a series of important questions, such as:
- What form should consumer consent take?
- Who’s responsible for making sure a customer is informed?
- What are permissible uses of personal data?
Here we’ll take a closer look at three key concepts — consent, transparency, and legitimate interest — to approach building this new framework for digital privacy. Each of these figures prominently in the EU’s General Data Protection Regulation (GDPR), indicating that not only are regulators devoting increased attention to digital privacy, but that principles of digital privacy will soon be enforceable with real monetary penalties for violation.
With some degree of personal information collection and use necessary for digital service provision, digital privacy should be centered on user consent to personal data usage. A consumer must give permission to service providers for the use and sharing of their identity data, and that data should not be used if that permission is withdrawn. Consent must be:
- Active – A customer must choose to assent to data collection and use, either in writing, electronically, or verbally. Companies shouldn’t assume that silence equates to consent or present a consumer with a Terms of Service where “I Agree” is checked by default.
- Genuine – Consent must constitute a real choice for the customer. That is, if they don’t agree with the way a service will be using their data, they can opt out of all or part of that service.
- Specific – Consent should be solicited for each target function for which a service provider would like to use customer data. For example, if a user gives consent for a ride sharing app to use her location data so a driver can locate her, that does not mean that she has automatically consented to have her location data used for geographically targeted marketing. Service providers should ask individually for each use case.
- Withdrawable – It should be as easy for a customer to rescind consent as it is for her to give it in the first place.
Meaningful consent requires an informed consumer. In order to give permission for their personal data to be used, customers first have to understand what information will be collected, how it will be used, and with whom it will be shared. Currently, most companies rely on lengthy, complicated, and opaque terms of service designed to reduce legal liability, rather than educate customers.
Protecting digital privacy means prioritizing consumer comprehension and transparency of data use policies. Companies should make sure their communications with consumers are:
- Concise – Today, it would take the average customer nearly 250 hours a year simply to read the terms of service for the digital services she uses. Terms of service should be as brief as possible.
- Comprehensive – Balancing completeness and brevity is perhaps the greatest challenge for companies when communicating data usage policies. Policies should state what data will be collected, how and by whom it will be leveraged, as well as when and with whom it will be shared. They should also offer a clear opt-out option for consumers who do not agree with the stated terms.
- Audience-appropriate – Communications about personal data usage should also be clear, digestible, and free of technical details. Your customers, largely, are not data scientists, and they shouldn’t have to be in order to understand and approve of how their identity data is used.
- Accessible – It should not be difficult for customers to track down data usage and privacy policies. This information should be readily available and easily accessible on company websites or direct consumer communications.
Active consent isn’t the only standard for personal data processing, however. GDPR also leaves some room for legal information use based on a service provider’s “legitimate interest” — that is, when processing data is required to complete necessary business functions or carry out an agreement between a customer and a company.
Because there are so many routine business uses for personal data, the legitimate interest standard is meant to minimize friction in user experience when there is little risk that information usage will pose a risk to consumer privacy. When a ride sharing app customer enters her payment information to be billed for her trip, for example, she can reasonably expect that the company will use that information and share it with a payment processor. Completing that transaction is in the app’s legitimate interest, so asking for additional consent may not be necessary.
A few important points about legitimate interest and privacy:
- Consumer interest wins – Determining the legitimate interest for processing personal data might involve weighing the goals of a company against the potential risks for customers. In GDPR, though, a company’s legitimate interest is always trumped by the interests or fundamental rights and freedoms of the data subject. Legitimate interest isn’t a corporate get-out-of-jail-free card.
- The standard is meant to evolve – Legitimate interest is by design a flexible standard, meant to facilitate continuous assessment of personal data processing, even as technologies and services develop.
- Transparency still applies – Even in cases where personal data is being processed based on legitimate interest, companies should still prioritize transparency and the principles outlined above in communicating their data processing practices.
- Some data always requires consent – The flexibility of this standard also makes it tricky to apply. This is especially true where particularly sensitive data like biometrics or national identifier information is involved, or where a company collects information on individuals with whom it doesn’t have a pre-existing relationship. It’s best to err on the side of consent in order to foster Trust and Safety with customers.
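The consent properties above (active, specific, withdrawable) and the legitimate-interest rules (consumer interest wins, sensitive data always requires consent) can be encoded as a single processing-authorization check. The following is an added Python example, not OWI’s code; the purpose names, data categories and the ride-sharing scenario are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

# Assumed: data categories the text says always need consent, and purposes a
# ride-sharing service could justify as legitimate interest (names are constructed).
SENSITIVE_CATEGORIES: Set[str] = {"biometric", "national_id"}
LEGITIMATE_INTEREST: Set[str] = {"payment_processing", "trip_receipt"}

@dataclass
class ConsentRecord:
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None  # record is kept for audit after withdrawal

class ConsentLedger:
    """Per-user, per-purpose consent; nothing is consented until the user acts."""
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.objections: Set[Tuple[str, str]] = set()

    def grant(self, user: str, purpose: str) -> None:
        # Active: a record exists only after an explicit grant (no pre-checked box).
        self._records[(user, purpose)] = ConsentRecord(datetime.now(timezone.utc))

    def withdraw(self, user: str, purpose: str) -> None:
        # Withdrawable: one call, as easy as grant.
        rec = self._records.get((user, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = datetime.now(timezone.utc)

    def record_objection(self, user: str, purpose: str) -> None:
        # Consumer interest wins: an objection blocks legitimate-interest processing.
        self.objections.add((user, purpose))

    def has_consent(self, user: str, purpose: str) -> bool:
        # Specific: consent to one purpose never carries over to another.
        rec = self._records.get((user, purpose))
        return rec is not None and rec.withdrawn_at is None

def may_process(ledger: ConsentLedger, user: str, purpose: str, category: str) -> Tuple[bool, str]:
    """Return (allowed, basis) for one processing request."""
    if ledger.has_consent(user, purpose):
        return True, "consent"
    if category in SENSITIVE_CATEGORIES:
        return False, "sensitive data: consent required"
    if purpose in LEGITIMATE_INTEREST and (user, purpose) not in ledger.objections:
        return True, "legitimate interest"
    return False, "no lawful basis"
```

In the ride-sharing scenario from the text, consent for `pickup_location` does not authorize `geo_marketing`, while billing proceeds on legitimate interest without a second prompt.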
With these principles of digital privacy intact, your company can begin to prioritize user-centric privacy standards without sacrificing customer experience.
Privacy Meets Security
Even if your company succeeds in developing an industry-leading privacy framework, the data you collect and process must be protected. A robust information security strategy is critical, particularly as personal information has been the target of increasingly frequent and damaging cyber attacks.
Conceptually, privacy and security are interrelated. They share underlying goals and tools: Both are aimed at protecting against unauthorized or unwanted disclosure of data, and similar cyber hygiene basics can help a company bolster both its privacy and security culture.
But the two ideas are not identical. The ultimate gauge of privacy is the customer ensuring that her data is not shared where she doesn’t want it to be. Security, though, is fundamentally an interest of the company — ensuring that all its digital assets, not just personal information, are safe from misuse. Security is not only necessary to safeguard digital privacy and the principles above, it is also one of the key pillars of Trust and Safety. Privacy requires security, and security regimes should be constructed with customer privacy in mind.
Building A Framework For Information Security
As with digital privacy, companies should approach information security with a few basic principles in mind. Confidentiality, integrity, and availability — often referred to as the CIA Triad — are the core elements of information security in practice. Here we’ll break down each concept with an eye to how they relate to identity data and the idea of consumer privacy.
Confidentiality, at its simplest level, means limiting access to information. Only those who absolutely need to collect, view, or process a certain set of data should be able to do so. That includes two related but distinct types of confidentiality:
- External – shielding data from unauthorized intrusion by people or processes outside of a company or its customers. This is often associated with perimeter cybersecurity.
- Internal – shielding data from access by non-critical personnel or processing within a company or organization. This is usually a function of various Identity and Access Management (IAM) processes.
Both types of confidentiality are essentially identity problems: effective verification, authentication, and authorization processes are critical to ensuring that the right people, and only the right people, can handle sensitive information. This also requires accurately demarcating the appropriate classification of various data sets. Future OWI courses will examine IAM in more detail.
The principle of confidentiality also supports the privacy components of transparency and legitimate interest, so that customers know who is accessing their data and why, and can be confident that a service provider will prevent additional disclosures.
In order for data to be secure, it must not only be kept safe from unauthorized access, but also from unauthorized modification. Maintaining information integrity means ensuring that data is dynamically correct over time, and that no one is able to make inappropriate or undetected changes or deletions. Simply, data integrity is how both customers and companies know that data can be trusted.
If unauthorized changes are made, robust information integrity processes also involve the ability to restore information to its correct, pre-altered state. Various technological tools, such as encryption or hashing algorithms, can help companies maintain integrity, especially when data is in transit.
The principle of integrity supports the privacy components of consent and legitimate interest, so that a user knows that accurate information about them is being used for authorized purposes. When users consent to the use of their personal data, they’re consenting with the assumption that the data will be accurate.
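As an added illustration of the integrity principle (not from the paper), the following Python keeps a keyed hash tag for every authorized version of a customer record, so that an out-of-band change is detected rather than going unnoticed, and the pre-altered state can be restored. The integrity key, record fields and helper names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# Assumed: a key held by application code but not by the storage layer, so that
# whoever edits a stored record directly cannot also recompute a valid tag.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

def integrity_tag(version: int, state: Dict[str, Any]) -> str:
    # Canonical JSON so the same logical record always produces the same tag; the
    # version number is covered too, so an old snapshot cannot be replayed as current.
    payload = json.dumps({"v": version, "s": state}, sort_keys=True, separators=(",", ":"))
    return hmac.new(INTEGRITY_KEY, payload.encode(), hashlib.sha256).hexdigest()

class VersionedRecord:
    """One customer record: a live state plus every authorized, tagged snapshot."""
    def __init__(self, initial: Dict[str, Any]) -> None:
        self._history: List[Tuple[int, Dict[str, Any], str]] = []
        self.state: Dict[str, Any] = {}
        self.commit(initial)

    def commit(self, new_state: Dict[str, Any]) -> int:
        # The authorized change path: snapshot the state and tag it.
        version = len(self._history) + 1
        self._history.append((version, dict(new_state), integrity_tag(version, new_state)))
        self.state = dict(new_state)
        return version

    def verify(self) -> bool:
        # Integrity means no undetected change: compare the live state with the
        # tag of the last authorized commit using a constant-time comparison.
        version, _, tag = self._history[-1]
        return hmac.compare_digest(integrity_tag(version, self.state), tag)

    def restore(self) -> Dict[str, Any]:
        # Roll the live state back to the last authorized snapshot (pre-altered state).
        _, snapshot, _ = self._history[-1]
        self.state = dict(snapshot)
        return self.state

def check_and_repair(record: VersionedRecord) -> str:
    """Return what happened: 'intact' or 'restored' (the latter is an incident to log)."""
    if record.verify():
        return "intact"
    record.restore()
    return "restored"
```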
While security often focuses on preventing illegitimate data use, it is equally important that effective strategies enable legitimate use. Information availability means ensuring that data, systems, and critical functions are consistently available for authorized use when needed.
Restricting access to data and services can be as damaging as unauthorized access, and businesses learned a particularly painful lesson about the importance of data availability throughout 2017. Ransomware attacks, in which adversaries restrict access to an organization’s files until a ransom is paid, are estimated to have caused $5 billion in damage in 2017, with an expected jump to $11.5 billion by 2019. Distributed denial of service (DDoS) attacks nearly doubled over 2016 levels. Regular hardware maintenance, sound backup and redundancy protocols, and timely software updates are important tools for ensuring data availability.
The principle of availability supports the privacy components of consent and legitimate interest, so that companies can reliably process data when required. This balances security and user experience in order to execute desired services.
The Identity Connection
Even as the volume and velocity of personal data collection continues to increase, the interrelated concepts of privacy and security are still fundamental to successful businesses. Privacy isn’t dead, and security is more important now than ever before — customers still have both legal rights and high expectations when it comes to the protection of their data, and the vast majority are not afraid to take action against a company they don’t trust with their personal information.
Identity, and the broad set of data we use to prove who we are, is inextricably linked with both privacy and security. Both are oriented toward making sure personal data is protected from unauthorized use, but both require companies to responsibly collect and manage personal data for legitimate uses. Constructing your company’s approach to each of the Identity Building Blocks with an eye to the privacy and security principles outlined here is necessary to cultivate Trust and Safety. In an economy that runs on data, you can’t survive if customers don’t trust you with theirs.