Mike Spinney, CIPP, is principal of the communications consultancy SixWeight, and has more than fifteen years experience providing strategic communications counsel to business organizations. His resume includes a stint with the U.S. Navy's intelligence service, many years as a public relations hack, and occasional turns as a writer. From 2003 to 2005 he served with the International Association of Privacy Professionals as editor of the group's monthly member newsletter, the Privacy Advisor , and manager of the IAPP's communications program. Since that time Spinney has immersed himself in leading privacy issues, earned professional credentials as a Certified Information Privacy Professional, and became a respected voice within the community of privacy professionals.
Today, Spinney is a writer and independent communications consultant, providing privacy-savvy counsel to his clients. He is a member of the prestigious Ponemon Institute, co-chair of the IAPP's Boston chapter, and a member of the Merrimack Valley Venture Forum. Spinney is a monthly contributor to the 1to1: Privacy newsletter, maintains his privacy blog, Private Communications, and is an opinionist for Spot-On.com. His byline has appeared in a variety of publications, including Inc., Cigar Aficionado, RFID Journal , Robb Report, Interface Tech News, TIDE, and Portland Magazine, to name a few.
Call me Nostradamus
Just caught this story from The Hill in which Sen. Joseph Lieberman calls for more surveillance cameras.
Yeah, the dateline is July 1, my post on this topic was July 1, and today is July 6, but I hadn't seen the article or heard his comments prior to making this observation (which I actually made publicly on June 30 during the RIM Renaissance conference). Besides, it didn't take Nostradamus or much imagination to make such a prediction.
I will point you to this quote from Mr. Lieberman, though:
?I think it?s just common sense to do that here much more widely. And of course, we can do it without compromising anybody?s real privacy.?
What exactly does "real privacy" mean? What does Lieberman think it means, and is that the same as what you or I think it means? And, ominously, do we want Congress to determine what it means under conditions of high anxiety over a possible terror threat? Debate still rages over the long-term implications of the Patriot Act. Let's not feel pressured to jump to a decision on surveillance and DNA only to suffer under the same burden of regret.
Mike
Chilling Implications
I turned on the television Friday morning to news of the failed terror attack in the UK. While the MSNBC report cycled through a video loop of images from the scene, and as Joe Scarborough and his team provided as much as was known at the time and the few updates that were available, one thing struck me.
The news reports made much of the fact that the London is, perhaps, the most CCTV/surveillance camera-saturated city in the world, and that the lack of an explosion meant there would be forensic evidence to be checked against Scotland Yard's extensive DNA library, and that both factors would likely contribute to quick arrests in the case.
Good news for investigators in the United Kingdom, but chilling implications for those of us here in the United States.
I know this event will influence the ongoing liberty/security debate here in America. As a nation we're already paranoid about some future act of terror, and we're constantly being told that we need to fear this shadowy enemy called terrorism. If the events of this past weekend result in a stronger push for and greater acceptance of remote security camera networks, and an undermining of opposition to extensive DNA cataloging, it will not be welcome news.
Using fear as a means of achieving legislative change is poor public policy. Loss of liberty should never be tolerated by patriots.
Adding Audience
About a year ago I started writing for Spot-On.com, an eclectic opinion mill that has been steadily gaining audience and influence. I started out with a tech-focus, but have since concentrated on political and social issues, reflective of my grumpy Libertarian perspective. I enjoy the opportunity to strech my legs and give voice to a point-of-view that is often ignored. Every once in a while I'll get a validation boost when an email comes my way, or when something I've written gets the attention of an outside authority, such as this editorial from Dental Economicsmagazine.
Well, news this morning of a syndication deal with WashingtonPost.Newsweek Interactive means that I and the rest of my Spot-On.com colleagues will add significantly to our audience. Since I write about privacy issues occasionally, I hope to make the most of this fantastic opportunity to not only carp about what's bugging me politically, but also continue to raise awareness over important privacy issues.
Mike
Shameless Self Promotion
Before the weekend, thought I'd post a link to my latest at Spot-On, a piece dealing with how well government agencies are doing in keeping the public trust. Or not.
Mike
Apples & Oranges
While I haven't been blogging about the TJX breach, I have been tracking the incident and there's a curious element to the response that has not gotten much attention in the news.
While it's clear that TJX was caught off guard by the breach from a communications perspective -- their public comments have often been inaccurate, contradictory, and misleading (likely not intentional, just symptomatic of their lack of preparedness). But one thing the discount retailer has done very well is amp up the marketing.
This article in Bank Technology Newsexamines what may at first seem to be a contradictory response from consumers, but actually makes perfect sense. I've heard a number of people question consumer response, wondering out loud why affected shoppers continue to spend money at TJX. After all, hasn't research shown that consumers will bolt a vendor that doesn't respect privacy?
It's an apples and oranges comparison, actually. Consumers, above nearly all else, want convenience and a good deal. As a discount retailer, TJX stores know all about cutting price, and when they found themselves in the spotlight, while their corporate spokespeople were stuttering their way through explanations and interviews, their marketers were buying air time and (I suspect, though I can't tell for sure since I don't shop there) lowering prices. Here in TJX's back yard, the television is busting with commercials for the various TJX stores.
Ponemon Institute research showed the fallout for banks that fail to respect customer privacy, but banks are not able to manipulate costs the way a retailer can. Retailers have more and different options. Besides, a long-term relationship with a retailer is more of a series of short-term decisions. Choosing to do business with a bank is a more serious commitment on the part of the consumer, and requires a completely different level of commitment on the part of the bank.
In her article, Holly Sraeel understands and articulates the difference.
Prior Proper Planning...
You know the Seven Ps of Preparation, don't you? Prior proper planning prevents p*ss poor performance. (Some would substitute the coarser word in that phrase with "pretty", but I'm an ex-Navy man and that's the way I learned it.)
Getting back to the issue of preparation, I had the privilege of introducing Beth Givens of the Privacy Rights Clearinghouse to members of the Ponemon Institute's RIM Council today during the monthly RIM conference call. Beth pointed us toward an excellent article from February's Law.com. The article by White & Case lawyer David Bender, entitled "Why You Must have a Security Breach Response Plan," serves as a great thumbnail for any organization that may be wondering what they need to do should they experience a breach.
Of course, I'm pleased to see that David has included a couple bullets related to communications. The communications portion of David's checklist requires it's own plan to make certain an organization is prepared to let the public and other audiences know what's going on and to do so in a manner that is consistent with the truth and in keeping with the law. It is possible to say the wrong thing even if intentions are good, but with a plan in place in advance, the chance for such occasions are minimized.
New Thinking
When I read blog entries such as this one at ZDNet, I get both amused and frustrated at the lack of critical thinking that drives opinion on these and other important issues. You'd think it's an either/or proposition, and that the only available options outside of inaction are both evil and unacceptable. Yet, while hand-wringing goes on over current practice and worst option alternatives, no one's talking about other available approaches to the vexing challenge of maintaining watch lists without violating privacy.
IBM's Jeff Jonas figured the solution out a while ago and writes about it often in his blog (which is worth reading for a host of reasons). This entry is worth reading for a safe, innovative take on the issue of managing watch lists effectively, and without the troublesome privacy issues that most folks are worried about.
Been There, Done That
I?m usually quicker on the uptake on issues like this, but I?ve been very busy with other aspects of my business that I?ve neglected my blogging. So, for those of you still paying attention?
Hmmm. Where have I read that before? Oh, yeah? back in August when I wrote Has Notice Failed? (registration required) for the 1to1: Privacy newsletter. Sure, Computerworld may have a bigger readership, but the fact that my Kilroy was there to greet Jay Cline and his readers when they arrived nearly six months later makes me feel better about the whole thing (and just a touch superior).
I guess you could say I?m the Macomber Bombay of the privacy world. Aren?t familiar with Macomber Bombay? Good luck with a Google search, since the ancient archives of MAD Magazine don?t seem to have made it online yet, but Bombay was the fictional, unknown photographer for Life who was waiting at the summit of Mt. Everest to get the photo of Edmund Hillary?s historic ascent, among other first human achievements chronicled on film.
To be clear, I?m not busting on Cline. The piece he wrote for Computerworld was excellent. I?m just contorting my humble frame to pat myself on the back. I should be careful lest I strain a muscle. After all, pride cometh before a fall.
Simple Reminder
I just came across an interesting story from yesterday?s Chicago Tribune. Seems a resident of Chicago?s West Side was able to pilfer some financial documents from a dumpster outside the offices of SFX Baseball. The story made the news because SFX Baseball handles contract negotiations and other financial matters for professional baseball players, and the suspect in this case had accumulated PII on 91 major leaguers, including stars Jim Thome, Moises Alou, and Pedro Martinez.
The story should serve as a reminder to everyone of the importance of shredding any and all documents that might provide ID thieves with a piece of your identity puzzle.
You?ve got to wonder what the folks at SFX Baseball were thinking when they didn?t shred. It?s one of the simplest ways to protect against data and identity theft. Shredders are cheap, and there are even shredding services that will come to your office to ensure proper disposal of documents.
Heck, in some places you can even find shredding kiosks where, for a little pocket change you can buy a few minutes of heavy-duty shredding.
I?ve gotten fed up with tracking each new data breach story. There have been so many that I?d end up with a terminal case of carpal tunnel syndrome if I commented on each one, but this one caught my attention, and because the holidays are a time when people seem to be handling more financial documents than usual, it was a convenient excuse to provide a simple reminder to shred.
It?ll be interesting to see SFX Baseball?s reaction to this boneheaded blunder.
Speaking Their Language
Recently, during a conference call in which I and a number of privacy luminaries discussed the challenges of integrating privacy-related strategies within marketing campaigns, the conversation turned to language.
I?ve discussed this phenomenon a few times in the past, but in this instance it became clear that successfully communicating privacy?s value is about more than simply expressing facts and figures to colleagues, but about understanding and speaking in their language.
What does that mean? Marketers want to know that what you are selling as a privacy advocate means higher conversion rates for their efforts. They aren?t as worried about compliance as you are because that?s a check box, not a strategic initiative. They need a compelling argument to convince them that they can be more successful at what they do. Making the case that following a few simple guidelines will establish a trust-based relationship, and that a trust-based relationship is a more profitable relationship is the key. Give them the data, such as studies by Ponemon and Yankelovich, then show how you will work with them to achieve desired results.
This is a challenge that extends well beyond the bounds of the privacy community, mind you. Seeing things from the other guy?s perspective, anticipating questions and taking the burden of proof upon yourself in order to establish the terms of debate is the way arguments are won.
Recommendation: Be sympathetic to the challenges your colleagues face and take the initiative to be a partner in solving problems. Don?t assume that, because you understand the issue, your colleagues will, too. Make your case, commit to working with them on their terms, then follow-through.
The Quest for the Holy Grail
A recent article in The NewStandard, which bills itself as an independent online newspaper untainted by the corrupting influence of corporate mammon, carried an article dated November 27 with a provocative headline:
Written by Megan Tady, the, article describes the activities of Internet companies and online marketers as ?predatory behavior,? and reports that the US Public Interest Research Group (US PIRG) and the Center for Digital Democracy (CDD) have filed a 50-page complained with the FTC in an effort to enlist the aide of the feds to put a stop to their attempts to achieve one-to-one communications with consumers.
What a bunch of nonsense.
The complaint is based on the faulty premise that interactive marketing, by definition, requires that companies spy on consumers. It's ridiculous and dangerous assumption, and one that ignores the concept of customer choice. It also removes a huge incentive for companies to place a premium on treating customer information with respect.
I often shop for fly fishing gear at the online properties of Orvis, LL Bean. I have done business with both stores for years, I trust both to respect my personal information, and when they communicate with me, I?d rather they stick to telling me about the stuff I?m most likely to buy. And as long as that trust is not violated, I?ll continue to do business with both companies and to provide them with information about my preferences so they can better serve my needs.
Orvis and LL Bean don?t need to ?spy? on me because they?ve earned my trust. That trust translates to a competitive advantage.
In effect the article attacks the holy grail of marketing by saying that companies, rather than target customers and potential customers with highly specific messaging, should instead go back to the mass mail model ? send postcards to tens of thousands of "residents" in a particular zip code and hope for a strong enough return to make a profit off of the effort.
In marketing they call it ?spray and pray,? and it is far more maddening than behavioral targeting. Regulating away a company?s ability to target based on behavior would be counter productive; it would eliminate an important tool that responsible companies are already using to provide consumers with better service.
Behavioral targeting isn?t about spying, it?s about two-way communication and it?s about achieving a positive one-on-one experience.
Value of Privacy Savvy Gains More Ground
Word of privacy's value is getting around to an ever-widening circle. I recently wrote in 1to1 Privacy of the eye-opening experience I had at a business breakfast when a personal security expert spoke of how easy it is to obtain personally identifiable information - the building blocks of a credit profile.
To hear the gasps of those in attendance was a reminder that, while many of those with whom I interact daily are acutely aware of privacy issues, there remains a great deal of ignorance even within groups who should know better.
Last month I spoke with Daryl Gayle of Target Marketing magazine and had a chance to advocate for greater cooperation between marketers and privacy pros. The results of that discussion can be found here.
There's still plenty of work to be done, but as more and more eyes open to the importance of implementing strong privacy values throughout an organization, I believe that strength of the pro-privacy argument will be self-evident and momentum will build on its own - because it's the right thing to do.
Albeit briefly, Peter points out the need for a clear definition of the term "spyware." I agree - wholeheartedly.
Depending on how you define it, spyware runs the gamut from innocuous to annoying to criminal. As a word, it is highly evocative and can be used to stir fear and create bias among certain audiences. As a communications consultant I appreciate the strategy behind using words to achieve certain objectives, but I also believe that -- in the long run -- truth is the most effective tool in communicator's chest. Exaggeration, obfuscation, and other means of distortion only serve to undermine the credibility of those who use them, no matter how noble the cause or intent.
Spyware is a serious problem. Devious individuals with malicious intent have become highly skilled at exploiting security vulnerabilities, including human ignorance, to plant nasty code on computers. When that code is designed to steal information such as passwords, account information, PII, and more, then use that information to steal money or commit fraud, that's serious business and represents an accurate depiction of what I believe spyware to be.
Law enforcement authorities and regulators need the power to deter and prosecute bad actors, but without a clear definition, it will be difficult to go after purveyors of spyware. Before you fine it, you've got to define it.
In April of 2004 the FTC convened a workshop on spyware, one goal of which was to draft a standard definition for the term. According to the workshop's transcript, it was lively discussion, but 30 months later we are still no closer to that goal.
If the industry doesn't do it, and soon, the issue will be decided through the courts by the team with the most persuasive lawyers. If that happens, no one will be happy.
Monthly Privacy Updates
The American Bar Association has initiated a monthly privacy update that will cover significant developments in privacy law and legislative activities. The first event will be Monday, October 16, from 1p - 2p ET. Options for attending include on-site in Washington, DC, or via teleconference.
For more information about participating in Monday's update, click here.
Thanks to Reed Freeman's Privacy and Information Security News for this item.
Mike
Personal Privacy Evangelist
I attended breakfast with members of the Wachusett Chamber of Commerce down the road in Sterling, Mass. this morning. I noted a day earlier that Robert Siciliano was to speak at the event, and I wanted to see the man?s presentation.
If you haven?t heard of Siciliano yet, you will soon (besides within this blog post). Siciliano is a personal security consultant who has taken up a vigorous crusade of educating regular folks about identity theft and securing PII. Earlier this year I had occasion to trade emails with Siciliano as a source for a story I wrote on whether or not credit monitoring services were of any real value as an ID theft prevention tool.
Siciliano is an evangelist. Much of his presentation consisted of headlines, facts, and figures that I?ve been familiar with for a long while, and although he covered no new ground for me, I was fascinated by his talk for two reasons.
The first was the passion he brought to the subject. Clearly, this guy has immersed himself in the issue, and he was able to make his point without much hyperbole, but merely relying on the facts to tell their own story.
The second was the reaction from other attendees. My eyes were opened to just how little people understand the issue of personal information security. As Siciliano illustrated how easy it is for criminals to assemble pieces of an individual?s identification and create an alias for themselves with that information, I watched as others around the room literally gasped and sat with eyes wide open, mouths agape.
More shockingly, there were representatives from a number of financial services organizations who were among the most affected by Siciliano?s revelations.
As privacy professionals, one of our biggest challenges is in education. Unless and until greater awareness, based on fact and reason, is generated about the issue of identity fraud and personal information security, we will continue to see more people victimized. The problem is that, while the chances are they will suffer because of their own ignorance, those of us who serve them will pay the price through the erosion of trust.
Complete list of Bloggers featured by Compliance and Privacy:
Please note: Blogs contain items that are the responsibility of the author and are presented "as is" with no endorsement from, nor editing by, nor approval from complianceandprivacy.com. The copyright owner for the blog items is that of the originator of the item. Each blog item is reproduced from the relevant feed from the originating blog, either in full or in part as that feed itself determines. All blog item header links lead directly to those items on the original blog. Blogs are dynamic. We offer them in good faith, but, where the content is outside our control we cannot be responsible for their errors, omissions or other conduct. Some of the links on this page remain on this site, others go to other sites; that is the nature of a blog. When you leave this site you are encouraged to be aware of the privacy policy of the new site before leaving personal data there.
This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.