Big Privacy Rises to the Challenges of Big Data



Similar documents
Powering Global Client Collaboration with Secure File Sharing

HCM Best Practices Prepare Bank for Utilization of True Analytics

Cloud-Based HCM Replaces Homemade Solution

How Delta Uses Microsoft Dynamics and Avanade to Create Next- Generation Customer Experiences

SAP In-Memory Database and Prescient Travel Safety

Five Years in the Cloud with Workday

KPMG Unlocks Hidden Value in Client Information with Smartlogic Semaphore

Privacy Statement. What Personal Information We Collect. Australia

Preferred Hotel Group Facts at a Glance

COPPA. How COPPA & Parental Intelligence Systems Help Parents Protect Their Kids Online. The Children s Online Privacy Protection Act

A New Age for Advertising Copy Testing Facial Expression Measurement Technology. Brian Sheehan Newhouse School, Syracuse University

Agenda Overview for Emerging Marketing Technology and Trends, 2015

Ten Mistakes to Avoid

Singapore Empowers Land Transport Planners With Data Warehouse

Legal Notices. Purpose and Scope of Website. StanCorp Financial Group, Inc. Contact Us. Public Affairs. Special Investigations Unit

Concept report: The Australian Personal Loans Market - Targeting the high value personal loan customer

The Promise of Industrial Big Data

To Professionals Who Know Online Marketing Is Important But Can t Seem To Get Started:

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

BLOOMBERG ENTERPRISE SOLUTIONS NSIDE DATA OVERNANCE T WFIC 2013

Analyzing Big Data: The Path to Competitive Advantage

I D C A N A L Y S T C O N N E C T I O N. C o g n i t i ve C o m m e r c e i n B2B M a rketing a n d S a l e s

Take Control of your future with this residual income, home based business.

2020 Foresight: Best Practices in Implementing Mobile Payments

ImageWare Systems, Inc.

The Enterprise IT Cloud Company

Improving Employee Engagement to Drive Business Performance

SWOT Assessment: CoreMedia, CoreMedia 7

Social Media Content - Advantages and Disadvantages

THE ETHICS OF SOCIAL MEDIA

MAXIMISING VALUE FROM DIRECT MARKETING: CUSTOMER ENGAGEMENT

Moreketing. With great ease you can end up wasting a lot of time and money with online marketing. Causing

Ridiculously Good Outsourcing. The Monetization of Big Data: Made Possible By Humans. (888) TASK

Overcoming the Gap Between Business Intelligence and Decision Support

The healthcare industry is changing more rapidly than ever, creating new opportunities for those who stand ready to seize them. Who are we?

Card Account means your Card account that is in relation to your Visa Wallet maintained and operated by Tune Money Sdn Bhd.

Cyber Risk Reduction: Why Automated Threat Verification is key

TaxSaverNetwork. Terms of Service

Things to Know Before Starting an e- Commerce Business

DIGITAL UNIVERSE UNIVERSE

Social Media Guidelines

There s no such thing as a free lunch Why fees are the future for current accounts

902 Broadway 20 th Floor New York, N.Y Business and Revenue Model Overview. Presented by Flatiron Strategies, LLC August, 2015

WHITE PAPER. Creating your Intranet Checklist

PocketSuite Terms of Service. Last modified: November 2015

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Navigating the cloud of Big Data hype, lessons to live by. Andy Beale January 2015

Earning Your Security Trustmark+

Data Monetization in the Age of Big Data 1

2020 Foresight: Best Practices in Implementing Mobile Payments

A Comparison of Media Sources for Mobile App User Acquisition

Covered California. Terms and Conditions of Use

How To Choose A Hotel Chain

RC & CREATING DATA PRIVACY OPPORTUNITIES USING BIG IN EUROPE DATA AND ANALYTICS. risk compliance RISK & COMPLIANCE MAGAZINE.

Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development

Jobsite business know it better!

Websites & Social Media. in the Professional Environment. A practical guide to navigating the world of social media

SOCIAL MEDIA AND YOUR PERSONAL BRAND

COMMUNITY MANAGER REPORT

INTRODUCING TALEO 10. Solutions Built for the Talent Age. Powering the New Age of Talent

Zubi Advertising Privacy Policy

The JLL Global Premium Office Rent Tracker

SEC Staff Addresses Third-Party Endorsements of Investment Advisers on Social Media Websites

MarketsandMarkets. Publisher Sample

ENTERPRISE ASSET MANAGEMENT (EAM) The Devil is in the Details CASE STUDY

SO WHERE IS THE CONSUMER IN CONSUMER BANKING?

Global Services and Capabilities

Transcription:

Report: Big Idea Big Privacy Rises to the Challenges of Big Data Privacy Regulations Can Shock Data Miners, Yet Big Data Demands a New Privacy Compact Steve Wilson Vice President and Principal Analyst Content Editor: R Ray Wang Copy Editor: Maria Shao April 11, 2014 Produced exclusively for Constellation Research clients

Table of Contents Purpose and Intent... 3 Executive Summary... 3 Everyone Suffers When Online Crosses the Line... 4 The Big Business of Big Data... 4 Big Data Cannot Ignore Privacy Law... 6 Check the Fine Print in PII!... 6 Classical Data Privacy Controls... 7 Big Data Oil Spills... 8 Google Finds that Public Can Still Be Private... 8 Facebook Was Too Clever with Photo Tagging... 8 Target Gets Too Close to Its Female Customers... 9 More Privacy Shocks Are Likely to Come... 9 Big Privacy to Deal with Big Data... 10 A New Big Privacy Compact... 10 Parallax Points of View... 12 Alan Lepofsky, Vice President and Principal Analyst, Constellation... 12 Dr. Janice Presser, CEO, The Gabriel Institute... 12 Constellation Research Panel... 14 Disclosures... 14 Endnotes... 15 Analyst Bio: Steve Wilson... 16 About Constellation Research... 17 Organizational Highlights... 17 2014 Constellation Research, Inc. All rights reserved. 2

Purpose and Intent This report aims to enhance decision makers appreciation of the regulatory and social impacts of data analytics and Big Data by exposing some surprising strengths of data privacy law as well as shortcomings in standard privacy principles. We set out a fresh compact that innovative digital companies can strike with their communities to respect the incredible and privileged insights that Big Data provides. This report offers insights into three of Constellation s primary business research themes, Data to Decisions, Matrix Commerce and the Next-Generation Customer Experience. Executive Summary Big Data concerns the extraction of knowledge and insights from the vast underground rivers of unstructured data that course unseen through cyberspace. It represents one of the biggest challenges to privacy and data protection society has yet seen. Never before has so much personal information been available so freely to so many. Personally Identifiable Information (PII) is the lifeblood of most digital enterprises today. Many social media business models are fueled by a generally one-sided bargain for PII, and the fairness of this value exchange is currently a hot topic. Data analytics and data mining are able to pull PII almost out of thin air. Collectively, digital businesses may have gone too far in their enthusiasm for Big Data, sacrificing the trust of their users for short-term commercial gain. Big Data promises vast benefits for a great many stakeholders but the benefits are jeopardized by the excesses of a few. Some cavalier online businesses are propelled by a naive assumption that data in the public domain is up for grabs;; they err on the side of abandon. Many think the law has not kept pace with technology, but technologists often underestimate the strength of conventional data protection laws and regulations. The extraction of PII from raw data may be interpreted as a collection and as such is subject to longstanding data protection statutes. On the other hand, orthodox privacy policies and freeze-frame user agreements do not cater for the way PII can be conjured tomorrow from raw data collected today. It is unfortunate that privacy compliance efforts so often give the impression of being preoccupied with unwieldy policy documents and simplistic compulsory notices about cookies. Thus, the fit between Big Data and data privacy standards is complex and sometimes surprising. While existing laws are not to be underestimated, Constellation calls for a fresh compact with users that engages them in the far-reaching upside of transforming data to decisions. We call on Big Data businesses to exercise restraint in using powerful analytic tools, to be transparent about their business models, to offer consumers fair value for their data and to innovate in privacy as well as data mining. We call the compact Big Privacy. 2014 Constellation Research, Inc. All rights reserved. 3

Everyone Suffers When Online Crosses the Line Consider Pay-as-You-Drive car insurance, a new product with premiums scaled according to how you drive. By analyzing data from automobile black boxes, the insurance company can tell not only how far the car has gone (so that infrequent drivers can enjoy discounted fees) but can also detect where it has gone, how fast it has been going and so on. Higher risk driving behaviors attract extra levies or other forms of disincentive. GPS signals could be used to inform these services, but explicit vehicle tracking arouses privacy fears. So some Pay-as-You-Drive systems promise not to use GPS, and instead draw only on more innocuous speed and time measurements. Yet, the privacy picture is not so simple. Recent research at the University of Denver has shown that when combined with map data, speed and time can be used to infer the location of a car at any time, just as precisely as GPS coordinates. Dr. Rinku Dewri and his colleagues write that because of this, customer privacy expectations in non-tracking telematics applications need to be reset and new policies need to be implemented to inform customers of possible risks. 1 Constellation does not allege that insurance companies are exploiting automobile black box data in this way, but the temptations of Big Data prove time and time again to be irresistible. If time and speed data can be accessed by third parties and linked to maps or other data sets to extract insights about drivers, it may only be a matter of time before this routinely happens. When businesses go too far with advanced data analytics and leave users feeling violated or betrayed, then everyone suffers. Disillusioned customers don t just abandon the firms that have squandered their trust; they also lose confidence in cyberspace more broadly and withdraw from other new and worthwhile services, like e-government, e-health, digital payments and e-commerce at large. Constellation Chairman and CEO Ray Wang has argued cogently for a correction to the way business is done around Big Data, so customers take back some control: We won t be able to build sustainable digital business models until we agree on some limits to how customer data can be used. A compact must be reached on the balance between privacy and convenience. 2 This research report begins to unpack what such a new compact might look like. First, let s review how Big Data processes and business models convert raw data into Personally Identifiable Information (PII) and expose how this extraction collides with international privacy best practice. The Big Business of Big Data It s not for nothing people call it data mining. The raw material of Big Data namely all the ones and zeroes coursing beneath us in the digital environment is often likened to crude oil, alluding to the enormous riches to be extracted from an undifferentiated matrix. Look at photo data, for instance, and the rapid evolution of tools for monetizing it. These tools range from simple metadata embedded in digital photos which record when, where 2014 Constellation Research, Inc. All rights reserved. 4

and with what sort of device they were taken, through to increasingly sophisticated pattern recognition and facial recognition algorithms. Image analysis can extract places and product names from photos and automatically pick out objects. It can identity faces by re-purposing biometric templates that originate from social network users tagging their friends for fun in entirely unrelated images. Image analysis lets social media companies work out what people are doing, when and where, and who they re doing it with, thus revealing personal preferences and relationships, without anyone explicitly liking anything or friending anyone. The ability to mine photo data defines a new digital gold rush. Like petroleum engineering, image analysis is very high tech. There is extraordinary research and development (R&D) going on in face and object recognition. The infomopolies like Facebook and Google (whose fortunes are made on nothing other than information) and digital media companies like Apple have invested enormously in their own R&D and in acquiring start-ups in this space. And, of course, they pay over-the-odds for photo companies like Picasa, Instagram and Snapchat 3 - not merely because photos are fun and tagging them is cool, but because the potential for extracting intelligence from images is unbounded. So more than data mining, Big Data is really about data refining, as suggested by Figure 1, transforming unstructured information into fresh insights, decisions and value. Figure 1. The Metaphor of Data Refining Photo data I M A G E A N A L Y S I S Location from placenames, landmarks Linkages from who took photo, recognised companions Deduced Likes from trend data, recognised objects, emotions Behaviour Patterns from trend data Future Intelligence? Business models for monetizing photo data are still embryonic. Some entrepreneurs are beginning to access photo data from online social networks. For example Facedeals, a proof of concept from advertising invention lab Redpepper, provides automated check-in to retail stores by face recognition; the initial registration process draws on images and other profile information made available by Facebook (with the member s consent) over a public API (see http://redpepperland.com/lab/details/check-in-with-your-face). It is not clear if Facedeals accesses the biometric templates, but nothing in Facebook s privacy and data use 2014 Constellation Research, Inc. All rights reserved. 5

policies restrains the company from providing or selling the templates. But as we shall see, international privacy regulations do in fact restrict the uses that can be made of the byproducts of Big Data, should they be personal. Facebook has been taken to task for stretching social data analytics beyond what members reasonably expected to occur. 4 We believe more surprises like this await digital businesses in retail, healthcare and other industries. Big Data Cannot Ignore Privacy Law It s often said that technology has outpaced privacy law, yet by and large that's just not the case. Technology has certainly outpaced the intuitions of consumers, who are increasingly alarmed at what Big Data can reveal about them behind their backs. However, data privacy principles set down in 1980 by the Organization of Economic Cooperation and Development (OECD) still work well, despite predating the World Wide Web by decades. Enforcement of privacy laws is gaining momentum everywhere. Outside the U.S., rights-based privacy law has proven effective against many of today's more worrying business practices. Digital entrepreneurs can feel entitled to make any use they like of data that comes their way, but in truth 30-year-old privacy law says otherwise. Information innovators ignore international privacy law at their peril. In this section, we will see why, by reviewing the surprising definition of Personally Identifiable Information, and how good old technology-neutral privacy principles are as relevant as ever. Check the Fine Print in PII! Privacy is personal, as they say, by definition. But it s important to check the technical definition of personal data, because the fine print often surprises. The U.S. General Services Administration (GSA) defines Personally Identifiable Information as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (underline added). 5 This means that items of data can constitute PII if other data can be combined to identify the person concerned. And note carefully that the fragments are each regarded as PII rather than the whole data that eventually identifies someone. People often presume that PII stands for Personally Identifying (rather than Identifiable) Information. The difference is subtle but very important. The definition means that some data can and should be classified as PII before it is identified, rather than after, with due consideration to the context of the data flows and the potential for identification. This after all is only prudent; if personal data needs certain safeguards, then it is best they be applied before the data is identified and it s too late. For further practical guidance on classifying and treating PII, please see Is it Personal Information or Not? Embrace the Uncertainty, http://constellationr.com/content/itpersonal-information-or-not-embrace-uncertainty. 2014 Constellation Research, Inc. All rights reserved. 6

Constellation Research Panel Valuable comments on this research were received from the following people (all responsibility for the text remains with Constellation): Professor Graham Greenleaf, Faculty of Law, University of New South Wales. Associate Professor David Lindsay, Faculty of Law, Monash University. Dr. Alana Maurushat, Senior Lecturer, Faculty of Law, University of New South Wales. Rich Toohey, President of Rewards Member Experience, Marriott. Disclosures Your trust is important to us, and as such, we believe in being open and transparent about our financial relationships. With our clients permission, we publish their names on our website. 2014 Constellation Research, Inc. All rights reserved. 14

Analyst Bio: Steve Wilson Steve Wilson is Vice President and Principal Analyst at Constellation Research, Inc. He focuses on digital identity, privacy and cyber security across the business research themes of Consumerization of IT and Next-Generation Customer Experience. Experience Steve has worked in ICT innovation, research, development and analysis for over 25 years. He holds double degrees in physics and electrical engineering. His career began in R&D and medical software engineering in Australia and the U.S. He moved into cyber security in 1995 and specialized in identity management, holding R&D leadership and Principal Consultant roles with Security Domain (later Baltimore Technologies), KPMG, PwC and SecureNet. In 2004, Steve founded Lockstep Consulting to concentrate on identity and privacy research and analysis. He is personally responsible for numerous breakthroughs in difficult areas of identity infrastructure and governance, including national scale authentication, PKI, smartcards, digital credentials, fraud control and privacy engineering. He has provided advice on identity frameworks to the governments of Australia, Hong Kong, New Zealand, Malaysia, Singapore, Kazakhstan and Macau. Influence Steve has been involved in security public policy and industry development for over 16 years. He was a member of the Australian Law Reform Commission s Developing Technology committee (2007-08), the Federal Privacy Commissioner s PKI Reference Group (2000) and the National E-Authentication Council (1998-2001). He contributed to the American Bar Association PKI Assessment Guidelines (1999-2002) and was co-author of the APEC Electronic Authentication guidelines (1998-2001). Steve chaired the Certification Forum of Australasia over 1999-2002 and the OASIS PKI Committee from 2007 to 2008. He is a current member of the International Association of Privacy Professionals, the Australian Government Gatekeeper PKI Advisory Committee, and the Privacy Coordination Committee of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Patents System and method for anonymously indexing electronic record systems US 8,347,101; AU 2005220988 Authenticating electronic financial transactions US 8,286,865; US 8,608,065; NZ 589160 Verified anonymous code signing AU 2012101460 Decoupling identity in the Internet of Things (pending). Twitter: @steve_lockstep Blog: http://lockstep.com.au/blog 2014 Constellation Research, Inc. All rights reserved. 16

About Constellation Research Constellation Research is a research and advisory firm that helps organizations navigate the challenges of digital disruption through business models transformation and the judicious application of disruptive technologies. This renowned group of experienced analysts, led by R Ray Wang, focuses on business-themed research, including Digital Marketing Transformation; Future of Work; Next-Generation Customer Experience; Data to Decisions; Matrix Commerce; Technology Optimization and Innovation; and Consumerization of IT and the New C-Suite. Unlike the legacy analyst firms, Constellation Research is disrupting how research is accessed, what topics are covered and how clients can partner with a research firm to achieve success. Over 225 clients have joined from an ecosystem of buyers, partners, solution providers, C-suite, boards of directors and vendor clients. Our mission is to identify, validate and share insights with our clients. Most of our clients share a common trait - the passion for learning, innovating and delivering impactful results. Organizational Highlights Founded and headquartered in the San Francisco Bay Area, United States, in 2010. Named Institute of Industry Analyst Relations (IIAR) New Analyst Firm of the Year in 2011. Serving over 225 buy-side and sell-side clients around the globe. Experienced research team with an average of 21 years of practitioner, management and industry experience. Creators of the Constellation Supernova Awards the industry s first and largest recognition of innovators, pioneers and teams who apply emerging and disruptive technology to drive business value. Organizers of the Constellation Connected Enterprise an innovation summit and best practices knowledge-sharing retreat for business leaders. Founders of Constellation Academy, experiential workshops in applying disruptive technology to disruptive business models. Website: www.constellationr.com Contact: info@constellationr.com Twitter: @ConstellationRG Sales: sales@constellationr.com Unauthorized reproduction or distribution in whole or in part in any form, including photocopying, faxing, image scanning, e-mailing, digitization, or making available for electronic downloading is prohibited without written permission from Constellation Research, Inc. Prior to photocopying, scanning, and digitizing items for internal or personal use, please contact Constellation Research, Inc. All trade names, trademarks, or registered trademarks are trade names, trademarks, or registered trademarks of their respective owners. Information contained in this publication has been compiled from sources believed to be reliable, but the accuracy of this information is not guaranteed. Constellation Research, Inc. disclaims all warranties and conditions with regard to the content, express or implied, including warranties of merchantability and fitness for a particular purpose, nor assumes any legal liability for the accuracy, completeness, or usefulness of any information contained herein. Any reference to a commercial product, process, or service does not imply or constitute an endorsement of the same by Constellation Research, Inc. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold or distributed with the understanding that Constellation Research, Inc. is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. Constellation Research, Inc. assumes no liability for how this information is used or applied nor makes any express warranties on outcomes. (Modified from the Declaration of Principles jointly adopted by the American Bar Association and a Committee of Publishers and Associations.) San Francisco Andalucia Austin Belfast Boston Chicago Colorado Springs Denver London Los Angeles Monta Vista New York Pune Sacramento San Diego Santa Monica Sedona Sydney Tokyo Toronto Washington D.C. 2014 Constellation Research, Inc. All rights reserved. 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information