Difference between revisions of "Privacy Risk"

From MgmtWiki
Jump to: navigation, search
(=Conduct Risk)
(Problems)
(32 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
The growing concern about the risk of exposure of [[User Private Information]] has been labeled as a [[Privacy Risk]] that has be legislated into a legal and reputational risk for [[Enterprise]]s that collect and store that information.
+
The growing concern about the risk of exposure of [[User Private Information]] has been labeled as a [[Privacy Risk]] that has been legislated into a legal and reputation risk for [[Enterprise]]s that collect and store that information.
 +
===Author===
 +
Tom Jones (2019-09-06)
  
 
==Context==
 
==Context==
 
===User Risk===
 
===User Risk===
The meaning of the term [[Privacy]] has been growing as the [[Information Age]] has expanded into every aspect of our human experience. While it started with the Warren and Brandeis article as the "right to the let alone" into a wide range of [[Internet Bill of Rights|User Rights]]. While users have shown increasing anxiety about their privacy, they continue to show very little apetitie for changing their behavior to protect their [[Privacy]]. As a result governments around the  
+
The meaning of the term [[Privacy]] has been growing as the [[Information Age]] has expanded into every aspect of our human experience. While it started with the Warren and Brandeis article as the "right to the let alone" <ref name="Warren">Warren and Brandeis ''The Right to Privacy'' (1890-12-15) Harvard Law Review http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html</ref> it has expanded into a wide range of [[Internet Bill of Rights|User Rights]]. While users have shown increasing anxiety about their privacy, they continue to show very little appetite for changing their behavior to protect their [[Privacy]]. As a result federal and state governments around the world have been passing laws designed to give users more control over their [[User Information]].
 +
 
 
===Enterprise Risk===
 
===Enterprise Risk===
While in an earlier age it was possible to appeal to an[[Enterprise]]'s good will, in an age of "maximizing shareholder value" the only way to coerce socially beneficial behaviors is by delineating risks to their continued profitability or existence. The are two broad categories of Enterprise Risk: Legal risk and [[Conduct Risk]].
+
While in an earlier age it was possible to appeal to an [[Enterprise]]'s good will, in an age of "maximizing shareholder value" the only way to coerce socially beneficial behaviors is by demonstrating risks to their continued profitability or existence. The are two broad categories of Enterprise Risk: Legal risk and [[Conduct Risk]].
===Legal Risk===
+
====Legal Risk====
===Conduct Risk===
+
*Compliance with legislation mandates always entail additional expenses for a hosting provider, both operational and fines for non-compliance.
Since executive compensation is often predicated on shareholder value, any risk must be measured strictly in that metric to become an important consideration for executive action by the bulk of public companies. A similar calculus will apply to public enterprises because of pressures from the population at large. In both cases [[Conduct Risk]] is a growing
+
*The risk of tort costs will also expand with additional legislation mandates, both for lawyers fees and judgements.
 +
 
 +
====Conduct Risk====
 +
Since executive compensation is often predicated on shareholder value, any risk must be measured strictly in that metric to become an important consideration for executive action by the bulk of public companies. A similar calculus will apply to public enterprises because of pressures from the population at large and thanks to the investigations of a free press where it still exists. In both cases [[Conduct Risk]] is a growing discipline that [[Enterprise]]s have learned to fear through the experiences with general business cases describe on the page [[Conduct Risk]] as well as those cases that are specific to service providers. For example, since the 2016 US presidential election Facebook has been called on the carpet in several countries for numerous privacy lapses that continue to grow.<ref>Kevin Roose, ''No gentile Giant, But a Juggernaut Playing Hardball.'' (2018-12-06) p. B1 New York Times</ref><ref>Adam Satariano +1, ''Leveraging User Data To Show Favoritism Among Its partners.'' (2018-12-06) p. B1 New York Times</ref> When Facebook reported that 3 million users in Europe had abandoned them it lost $120 Billion in market value and the stock has continued to lose value throughout 2018.<ref>Over $119bn wiped off Facebook's market cap after growth shock. The Guardian https://www.theguardian.com/technology/2018/jul/26/facebook-market-cap-falls-109bn-dollars-after-growth-shock</ref> The loss to Equifax market cap after their privacy breach is more that 30% with some experts doubting that the company can continue in existence after all the legal cases are settled.<ref>''Equifax’s stock has fallen 31% since breach disclosure, erasing $5 billion in market cap.'' (2017-09-14) Market Watch https://www.marketwatch.com/story/equifaxs-stock-has-fallen-31-since-breach-disclosure-erasing-5-billion-in-market-cap-2017-09-14</ref>
 +
 
 +
===Opportunity Risk===
 +
By far the biggest risk to privacy is the simple fact that data is stored in any centralized location. The following are some of the exploits that have arisen due simply to the availability of a central collection of data:
 +
# The department of motor vehicles (DMV) of each state in the US now is tasked with holding identity information on all citizens of the state that requires some sort of sovereign identification card, which will in 2020 include anyone that wants to fly on an airplane in the US<ref>US Department of Homeland Security, ''Real ID'' (announced on December 20, 2013) https://www.dhs.gov/real-id</ref>. All governments are pressured to find new sources of general funds. The DMVs have all found that they can make big bucks selling data that you are required to give them.<ref>Joseph Cox ''DMVs Are Selling Your Data to Private Investigators'' Vice (2019-09-06) https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars</ref> The sale of this data to licensed private investigators is perfectly legal, due to the Driver's Privacy Protection Act (DPPA), a law written in the '90s before privacy was recognized to be such a threat, give private investigators access to the data, which means that anyone that can pay a PI can get whatever data they want. In effect the DPPA offers no privacy what-so-ever.
 +
# Exemptions granted to scientific and educational organization to use data collected by (for example) Facebook lead to the Cambridge Analytical scandal in the US 2016 elections.
  
 
==Problems==
 
==Problems==
*Compliance by the [[Web Site]] with the agreed terms will be hard to track.
+
*Compliance by the [[Web Site]] with the agreed terms will be hard to track which means that we can expect to see continued substantial loses as regulatory and market forces exact penalties for bad behavior.
 +
* It is hard for user's to make informed choices about the impact of consent give to web sites.
 +
* [[Recovery]] and [[Redress]] require that user's be give access to their data online, but to prevent that action from being just another attack on the user's privacy is difficult.
 +
* No right, especially a right so nebulous as privacy, is absolute. The wiki page [[Privacy as the Enemy]] discusses some of the pathology of too much privacy.
  
 
==Solutions==
 
==Solutions==
*It would probably improve the conversation to change the discussion from [[Privacy]] to [[Internet Bill of Rights|User Rights]], but habits and meanings of words are had to change, so it may be neccssary to continue to talk about [[Privacy]] even though it would be more informative to talk about [[Internet Bill of Rights|User Rights]].
+
*It would probably improve the conversation to change the discussion from [[Privacy]] to [[Internet Bill of Rights|User Rights]], but habits and meanings of words are had to change, so it may be necessary to continue to talk about [[Privacy]] even though it would be more informative to talk about [[Internet Bill of Rights|User Rights]].
 
+
*Changing corporate habits can be difficult unless the CEO of the [[Enterprise]] makes and enforces a commitment to treating customer with respect. <ref>Time magazine special report on Habits</ref>
===Intent Casting===
 
 
 
{|border="1" padding="2" width="799px"
 
| Name || TBD || [[Privacy Risk]]||  Notes
 
|-
 
|Site and App Use|| || ||information will be used for providing and / or enhancing the site or service only. This information seems better a part of the following fields.
 
|-
 
|1st party ||yes||2 || data on the user device that does not leave the user device, for example apps that access the local data. This cast is to access limited (in theory) to the device itself.
 
|-
 
|2nd party  ||yes ||3 || The [[Web Site]] that the user navigated to and understand through some secure indication of the site identity.
 
|-
 
|3rd party|| yes|| 9|| Some other site that is able to access the [[User Device]] or [[User Information]] which was not the user's intent to access.
 
|-
 
|tracking || || || not clear that this can give more information that 1,2,3 above.
 
|-
 
|session||yes|| 5|| data may not persist beyond completion (may be long for commercial transaction)
 
|-
 
|duration|| yes ||shorter better|| how long can the data be held (default one year)
 
|-
 
|data category||yes|| na|| list of permitted categories (optional)
 
|}
 
  
 
==References==
 
==References==
 
<references />
 
<references />
  
 
+
[[Category:Article]]
 
[[Category:Privacy]]
 
[[Category:Privacy]]
 
[[Category:Glossary]]
 
[[Category:Glossary]]

Revision as of 15:15, 11 March 2020

Full Title or Meme

The growing concern about the risk of exposure of User Private Information has been labeled as a Privacy Risk that has been legislated into a legal and reputation risk for Enterprises that collect and store that information.

Author

Tom Jones (2019-09-06)

Context

User Risk

The meaning of the term Privacy has been growing as the Information Age has expanded into every aspect of our human experience. While it started with the Warren and Brandeis article as the "right to the let alone" [1] it has expanded into a wide range of User Rights. While users have shown increasing anxiety about their privacy, they continue to show very little appetite for changing their behavior to protect their Privacy. As a result federal and state governments around the world have been passing laws designed to give users more control over their User Information.

Enterprise Risk

While in an earlier age it was possible to appeal to an Enterprise's good will, in an age of "maximizing shareholder value" the only way to coerce socially beneficial behaviors is by demonstrating risks to their continued profitability or existence. The are two broad categories of Enterprise Risk: Legal risk and Conduct Risk.

Legal Risk

  • Compliance with legislation mandates always entail additional expenses for a hosting provider, both operational and fines for non-compliance.
  • The risk of tort costs will also expand with additional legislation mandates, both for lawyers fees and judgements.

Conduct Risk

Since executive compensation is often predicated on shareholder value, any risk must be measured strictly in that metric to become an important consideration for executive action by the bulk of public companies. A similar calculus will apply to public enterprises because of pressures from the population at large and thanks to the investigations of a free press where it still exists. In both cases Conduct Risk is a growing discipline that Enterprises have learned to fear through the experiences with general business cases describe on the page Conduct Risk as well as those cases that are specific to service providers. For example, since the 2016 US presidential election Facebook has been called on the carpet in several countries for numerous privacy lapses that continue to grow.[2][3] When Facebook reported that 3 million users in Europe had abandoned them it lost $120 Billion in market value and the stock has continued to lose value throughout 2018.[4] The loss to Equifax market cap after their privacy breach is more that 30% with some experts doubting that the company can continue in existence after all the legal cases are settled.[5]

Opportunity Risk

By far the biggest risk to privacy is the simple fact that data is stored in any centralized location. The following are some of the exploits that have arisen due simply to the availability of a central collection of data:

  1. The department of motor vehicles (DMV) of each state in the US now is tasked with holding identity information on all citizens of the state that requires some sort of sovereign identification card, which will in 2020 include anyone that wants to fly on an airplane in the US[6]. All governments are pressured to find new sources of general funds. The DMVs have all found that they can make big bucks selling data that you are required to give them.[7] The sale of this data to licensed private investigators is perfectly legal, due to the Driver's Privacy Protection Act (DPPA), a law written in the '90s before privacy was recognized to be such a threat, give private investigators access to the data, which means that anyone that can pay a PI can get whatever data they want. In effect the DPPA offers no privacy what-so-ever.
  2. Exemptions granted to scientific and educational organization to use data collected by (for example) Facebook lead to the Cambridge Analytical scandal in the US 2016 elections.

Problems

  • Compliance by the Web Site with the agreed terms will be hard to track which means that we can expect to see continued substantial loses as regulatory and market forces exact penalties for bad behavior.
  • It is hard for user's to make informed choices about the impact of consent give to web sites.
  • Recovery and Redress require that user's be give access to their data online, but to prevent that action from being just another attack on the user's privacy is difficult.
  • No right, especially a right so nebulous as privacy, is absolute. The wiki page Privacy as the Enemy discusses some of the pathology of too much privacy.

Solutions

  • It would probably improve the conversation to change the discussion from Privacy to User Rights, but habits and meanings of words are had to change, so it may be necessary to continue to talk about Privacy even though it would be more informative to talk about User Rights.
  • Changing corporate habits can be difficult unless the CEO of the Enterprise makes and enforces a commitment to treating customer with respect. [8]

References

  1. Warren and Brandeis The Right to Privacy (1890-12-15) Harvard Law Review http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
  2. Kevin Roose, No gentile Giant, But a Juggernaut Playing Hardball. (2018-12-06) p. B1 New York Times
  3. Adam Satariano +1, Leveraging User Data To Show Favoritism Among Its partners. (2018-12-06) p. B1 New York Times
  4. Over $119bn wiped off Facebook's market cap after growth shock. The Guardian https://www.theguardian.com/technology/2018/jul/26/facebook-market-cap-falls-109bn-dollars-after-growth-shock
  5. Equifax’s stock has fallen 31% since breach disclosure, erasing $5 billion in market cap. (2017-09-14) Market Watch https://www.marketwatch.com/story/equifaxs-stock-has-fallen-31-since-breach-disclosure-erasing-5-billion-in-market-cap-2017-09-14
  6. US Department of Homeland Security, Real ID (announced on December 20, 2013) https://www.dhs.gov/real-id
  7. Joseph Cox DMVs Are Selling Your Data to Private Investigators Vice (2019-09-06) https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars
  8. Time magazine special report on Habits
Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Privacy_Risk&oldid=7349"