Well,
TAS/3 depicts the infrastructure of what VRM often talks about with the Vendors. What you bring up here is great in order to highlight that the two depict a model of what individual information and identity control may look like.
I would think VRM is the tip of the spear where customer data infrastructure will grow to meet (or surpass) the vendor for the transaction. The magic moment if you will. Doc has been very good at keeping the focus on this point, but this is also like the tip of an iceberg. The infrastructure growth is something TAS/3 has been working on for just as long. Governance in this context is more about discussing what models of exchange (Information Sharing) will exist in the future generation of the Internet.
The personal data ecosystem I think is a bit different. In the PDE it seems you are including the existing Vendors' data ecosystem needs as well as the Individual needs in the current ecosystem. Personal data can be viewed as a Vendor term to categorize types of data to comply with some regulation (not service the customer). The scope seems a bit bigger than VRM and TAS/3 to include the flow of personal data everywhere so as to define all data as personal or not. In VRM and TAS/3 you could conceivably narrow the definition of personal information to sensitive information. All of the customer's information that they re-use and use could be defined as the customer's sensitive information. The customer has greater scope for data control from this more refined perspective. All of their own information can be sensitive, personal or not. IMO VRM and TAS/3 terminology tends to focus on freedoms for the Individual in the future. Less about privacy and personal, more about control, exchange and common goodness.
- Mark
On 5 Jun 2011, at 23:37, Mary Hodder wrote:
Mark, It seems to me that asking a single company/product to set a personal data protection standard for all companies online around personal data security might not get us there.. (referring to TAS3).
I'm curious.. of the VRM and PDE companies in the space.. have any of them announced a level of security for their servers that is better.. kind of like adhering to a Trust Framework.. but for data security?
There is no alternative at the moment, a space I think VRM and TAS/3 can fill.
VRM is about the sales relationships we have with companies.. and managing those relationships (per Doc's explanations to me about what VRM is about) .. and I'm not sure Doc wants to get VRM work into the data security standards business, though this list is a great place to have this discussion to talk about what we need and VRM has a vested interest as does the larger PDE community in asking for it.
I think the idea is that all companies.. not just VRM companies (those who build apps to sit on Personal Data Stores or in other contexts for managing our relationships with vendors) and not just companies that build Personal Data Stores.. across the larger Personal Data Ecosystem (which includes marketing and advertising -- something VRM isn't touching) and not just companies that happen to collect personal data (but are not doing it in a user centric way.. and therefore are outside the Personal Data Ecosystem..)
all these areas will need some help figuring out how to manage issues around data collection, data sharing through APIs, data leakage through RSS feeds, database structures, data hosting, etc.
Mary
On Jun 5, 2011, at 2:23 PM, Mark Lizar wrote:

On 5 Jun 2011, at 21:48, Mary Hodder wrote:

Mark, The idea in the personal data ecosystem model is that users do control their own data.
But where? Most likely their personal data store will be hosted..
Very good question. I can think of a few paths to this sort of problem but it does make the security folks a bit uncomfortable.
I don't think a personal data ecosystem model means we will all be hosting our own boxes..
My favourite at the moment is the Freedom Box. A must see/hear concept about freedom in the cloud.
(kind of like today... most of us don't host our own email on our home servers.. if we even have one.. those of us who have our own domains -- like hodder.org -- likely still have someone else manage that.)
I'm curious.. of the VRM and PDE companies in the space.. have any of them announced a level of security for their servers that is better.. kind of like adhering to a Trust Framework.. but for data security?
There is no alternative at the moment, a space I think VRM and TAS/3 can fill.
- M
On Jun 5, 2011, at 1:40 PM, Mark Lizar wrote:
If the Customer had authentic and official control of their data then all the other data would be second class. The customer gets to manage access.
Does the box need to be closed? Could we all one day have our own box? :-)
- M

On 5 Jun 2011, at 17:05, Mary Hodder wrote:

Joe..
I think it scares people to talk about personal data security.. yes.. but i think it's healthy to talk about things that scare us..
So.. regarding locks. I think you and i are agreeing here.. in a weird way.
I want to define the locks and what the "highest standard" is.. but that doesn't mean the extreme standards.. like super cryptography. It means that .. like the schlage locks example.. we ask for schlage locks. Note that recently we changed all my house locks from Kwikset ($13 locks) to Schlage ($52 each) and we feel it's good.. safe.. and frankly the locks don't need to be completely tightened up every 6 months because they are crap. The new locks do the trick.. they have a longer thicker deadbolt, with more pins inside, better structure and screws and I think given our neighborhood, we can consider them "highest standard" for the circumstances.
.. so maybe it's asking that when a site collects personal data.. they partition it across multiple databases.. in ways that make it hard to steal and put back together.. unless you know how to do it.. as opposed to keeping the whole of user data in one DB. Or maybe we say.. attach bits of user data to other non-PII data in a data structure.. and make an obscure way to connect it back to the user.. unless you know the way to do it. In other words don't store: name, address and CC all together. Or whatever.
Maybe the whole of user data at a service is only stored in a single DB when it's not attached to the public internet.
Maybe the API data available is fully examined publicly .. or maybe APIs with any PII access require special oversight..
Those are a couple of suggestions.. we can talk about asking for the Schlage standard without telling IT people exactly how to do it.. they can figure that out on their own and in relative secrecy which means the details don't so easily get to the bad guys.
I agree we need laws against breaking and entering.. i think we have a lot of those now.. but how do you enforce that in Uzbekistan? We don't have international laws and enforcements at the same levels as we do at the nation state level (nation states in my view are an anachronism.. i think they are passe but we don't have a lot to take their place.. the real power is in global markets.. for good and for bad.. and it's too scary to talk about the fact that they are kind of passe.)
I don't know that you get the whole world on board with a culture of not breaking and entering.. we have uneasy peace (and wars) across the world as it is. We can ask for it.. but many won't respect it at all.
What I'm asking for is to create a "highest" standard for services.. put it in writing.. and then show up and ask those guys: "hey.. are you following the standard?" because we'd really like you to....
Give the IT guys something practical to implement instead of just lamenting the fact that our data is leaking all over.
So I'm asking for that.. what does that look like?
mary
ps.. did you see the thing last week that 30m Google users' data leaked out of Google? I don't think any service is immune here..
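The partitioning idea in the message above (don't store name, address and card together; make the pieces hard to reassemble unless you know how) is one of the few concrete controls proposed in this thread, so here is an added worked example of it. This is editor-added illustration code, not code from the thread or from any VRM/TAS/3 project. It assumes a hypothetical two-store layout: an application store that keeps only operational fields, and a separate PII vault whose rows are filed under an HMAC of the account id. The HMAC key is the "way to connect it back": a dump of the vault alone carries no account ids, and a dump of the application store carries no PII. Field names, the sample customers and the card numbers are constructed for the example.

```python
# Added example, not code from the thread: partition a customer record so the
# application store holds no directly identifying fields and the PII sits in a
# separate vault. The join token is an HMAC of the account id, so a copy of the
# vault alone cannot be mapped back to accounts without the HMAC key. Schema,
# field names and sample data are constructed for illustration.
import hashlib
import hmac
import secrets

PII_FIELDS = ("name", "address", "card_number")


def vault_token(key, account_id):
    """Derive the vault lookup token for an account.

    HMAC-SHA256 rather than a plain hash: without `key`, an attacker holding
    the vault cannot enumerate likely account ids and recompute tokens to
    link vault rows back to accounts.
    """
    return hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record, key):
    """Return (app_row, token, vault_row).

    app_row keeps the account id, non-identifying operational fields and a
    display-safe card suffix; vault_row keeps the PII and deliberately carries
    no account id, only the HMAC-derived token as its key.
    """
    app_row = {k: v for k, v in record.items() if k not in PII_FIELDS}
    app_row["card_last4"] = record["card_number"][-4:]
    vault_row = {field: record[field] for field in PII_FIELDS}
    return app_row, vault_token(key, record["account_id"]), vault_row


def build_stores(records, key):
    """Load records into two independent stores (dicts stand in for two databases)."""
    app_db, vault_db = {}, {}
    for record in records:
        app_row, token, vault_row = split_record(record, key)
        app_db[app_row["account_id"]] = app_row
        vault_db[token] = vault_row
    return app_db, vault_db


def rejoin(account_id, key, app_db, vault_db):
    """Reassemble the full record. Returns None when the key does not match."""
    vault_row = vault_db.get(vault_token(key, account_id))
    if vault_row is None:
        return None
    return {**app_db[account_id], **vault_row}


def store_exposes(rows, values):
    """True if any of `values` appears verbatim in a dump of `rows`.

    Used to check what each store leaks on its own if it is stolen.
    """
    dump = repr(list(rows))
    return any(str(v) in dump for v in values)


# Constructed sample data (not real people or card numbers).
CUSTOMERS = [
    {"account_id": "acct-1001", "name": "Ada Example",
     "address": "1 Sample St, Springfield", "card_number": "4111111111111111",
     "plan": "premium", "last_login": "2011-06-04T14:00:00Z"},
    {"account_id": "acct-1002", "name": "Bob Sample",
     "address": "2 Test Ave, Shelbyville", "card_number": "4222222222222",
     "plan": "free", "last_login": "2011-06-05T09:30:00Z"},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in a KMS/HSM, not beside either store
    app_db, vault_db = build_stores(CUSTOMERS, key)
    pii_values = [c[f] for c in CUSTOMERS for f in PII_FIELDS]
    print("app store exposes PII:", store_exposes(app_db.values(), pii_values))
    print("vault exposes account ids:",
          store_exposes(vault_db.values(), [c["account_id"] for c in CUSTOMERS]))
    print("rejoin with key:", rejoin("acct-1001", key, app_db, vault_db))
    print("rejoin with wrong key:", rejoin("acct-1001", b"wrong-key", app_db, vault_db))
```

The check a practitioner would add to this is the one `store_exposes` performs: take each store in isolation and confirm it does not contain the other store's sensitive values. The example keeps the raw card number in the vault only to match the message's "name, address and CC" framing; in a real deployment the card number would go to a payment processor and only the processor's token would be stored anywhere.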
On Jun 4, 2011, at 11:03 PM, Joe Andrieu wrote:

Absolutely, I think we can, but it's hard. And it scares people. Which makes both regular folks and experts avoid it. Same reason locksmiths don't talk about locks. Most locks are crap and subject to trivial attacks. Most people don't want to hear about that and most experts don't want the techniques leaked to a wider criminal audience. Plus, there's the unfortunate tendency to enjoy being one of the few wizards who understand the secret magic. But in the end, most people are fine with the $30 Schlage lock, even though it's pretty much useless for anyone with even moderate training or industry. For most people, it provides the security they care about and, in fact, it keeps out enough potential criminals that people are mostly happy.

Which is to say that what I'm talking about is figuring out the digital equivalent of (1) simple locks, (2) laws and rules against breaking and entering and constitutional protection against unreasonable search and seizure, and (3) a cultural shift that locks are to be expected and respected. I think just getting /that/ in place will do more for our society than the, also important, more detail oriented work of outright security.

I think of it this way. For most of my information, I don't need the equivalent of Fort Knox. Locks on my doors are just fine. Today, we not only don't have digital locks on the doors, but it's common practice to grab the pies cooling in my window sill. And too much of the data security conversation ends up sounding like Fort Knox! To track this back to the FTC paper, it doesn't even address what minimal business practices should be followed, that is, that there should be locks on the doors.

The main reason I push back against too much fixation on data security is because (1) I think doing that 100% is literally impossible (see Wikileaks) and ultimately is distracting. The data is out there. It will continue to be out there. It will continue to be created and put out there by people you know, simply because they tweet or blog or check in and mention you. I don't believe we can contain the data. I do believe we can penalize inappropriate use of that data. To point again at the Do-Not-Call registry, it solved a significant annoyance not by data security--the fact that my phone number is available was never seen as the problem--but by inappropriate use of that data. And (2) because I believe the world will be a better place with more intimate, more trusting, more valuable relationships, especially compared to the minor cost of the risk of criminal use of my data.

To me, security is almost entirely about independence, not engagement. In fact, the approaches I know preclude more engagement by their very nature. But, I want Google to know what I'm looking for. I want facebook to know the statuses I want to share with my friends. I want FourSquare to know where I am. I want WordPress to know what I write. Information sharing is the essence of digital relationships... and the bane of data security. And, as you know, I've spent a lot of time working through these issues from an information sharing perspective; that's my lens, rose colored or otherwise.

So, yes, I think we should be able to have conversations about data security--even as I explain why that's not my focus. From our previous conversations, I think you and I are aligned on most of these issues. I just think the biggest bang for our buck is figuring out how individuals can contribute (data) to our digital experience without fear of exploitation. Right now, the vast majority of exploitation is legal and accepted business practice. THAT I think we can change much more rapidly than we can control data through rigorous security.

-j
Joe Andrieu
+1 (805) 705-8651

On 6/4/2011 4:42 PM, Mary Hodder wrote:

Joe.. i agree we should collect less data and have more honest businesses. We don't have as many problems talking about that stuff.. and we can keep doing it and that part will get dramatically better soon, i think. but some data will be collected.. and i know criminals will do their thing.. but more.. or less is the question... I'd like less and i'd like to know when we get real about having a way to measure security around data? Most institutions hide/run from that kind of discussion and i don't think we solve this until we talk about it. We have ways to talk about problems with airplanes and safety.. food safety even clean air and water .. we have measures and standards for serious things like that.. why can't we have similar talks about personal data security?

On Jun 4, 2011, at 3:56 PM, Joe Andrieu wrote:

I think our biggest problem isn't with those who will break the law and steal identifiers. That's a security issue and one that deserves appropriate secrecy on behalf of those trying to solve it... What is most broken is that it is *common business practice* to capture and exploit information about and from individuals, without permission. If there were appropriate boundaries for what is and isn't acceptable, companies like Groupon--and those who aspire to IPOs or acquisitions valued in the billions--would be forced to play by the rules. Public markets won't tolerate wholesale illegal behavior. Not indefinitely. This is the essence of privacy enforcement. Good people and companies respect privacy. Bad ones don't. Or as the aphorism puts it: "Locks don't keep criminals from stealing. They keep honest people honest."

What we are trying to figure out is how to tell the difference in a new environment where the boundaries are unclear. Although many researchers and authors argue that privacy defies definition because it is so complex, I disagree. Privacy is context management. Information released or created in one context is expected to be dealt with under that context. When it leaks in ways that are inconsistent with the expectations of the originating context, privacy is violated. What we are dealing with is both new online contexts and context collapse due to online interactions. That's the problem: new contextual realities we don't have a social framework for, whether it may be enforced by law, regulation, or etiquette.

To restate my initial premise: criminals will always find ways to violate context. We can legislate consequences and we can build technical barriers, but all laws can be broken and all techno-solutions can be hacked. What we /can/ do is figure out how the mainstream of well-intentioned companies and individuals can handle context management in a mutually satisfactory way. Once we figure that out, we can deal with the technical and legal barriers to violations.

-j
Joe Andrieu
+1 (805) 705-8651

On 6/4/2011 3:15 PM, Mary Hodder wrote:

I think there is an interesting comparison here to the banking industry. Obviously they have big security concerns and address them with things like using .NET and double logins to check your account and making everyone come into the bank to open an account or get signing rights. The FCRA and congress tell financial institutions they *must* give the highest security to our data.. and yet they don't. Instead, they give some security.. but have held back on making credit cards with chips (like in the rest of the world) because it was cheaper to pay out for fraud on the mag stripe data on the backs of CCs than it is to get the chips. And it's cheaper to not have restaurants get wireless swipers than wired ones so the servers walk away with your card (statistically the place you are most likely to get IDENTIFIER theft around a commercial transaction). And they don't protect your data all that well. Just enough to not get called on by regulators.. but not so much that they can't offer you $40 a month to protect you from IDENTITY theft (i love how they use "identity" which scares people into paying the $40.. great marketing.. if they said "identifier theft" i don't think they would sell a lot of that.. )

If we mandated (let's say.. with the Kerry McCain Rights and Responsibilities legislation .. which currently leaves out a "highest" standard on data security) that data collectors of any sort maintain a highest level of security.. would we have a standard to give sites.. would we be able to hold the sites to it? How do we know when a site collecting data is being negligent? The bar is always moving due to the script kiddies, Anonymous, and credit card / spammers from obscure parts of the world, not to mention your average cracker.

I think if we want a standard.. we have to make a standard.. and codify it. It doesn't have to be codified into law.. but the problem is the cryptographers and RSA types don't want to tell people out loud and in public how to be secure because the baddies will get the info. Or at least the ones I know at Stanford and Berkeley ... and they work for the US Govt and have lead-lined offices.. seriously. So how do you make a secure standard for our data when the security people don't want to talk publicly about it.. Bruce Schneier notwithstanding?

On Jun 4, 2011, at 2:39 PM, j. clark wrote:

Thanks Dan. Of note from the end of the article:
"A key failure of the FTC report is that it largely ignores the responsibility of websites in safeguarding the privacy of their users," says Wills. "These sites should play a custodial role in protecting their users and preventing the leakage of their sensitive or identifiable information. Third-party sites have a powerful economic incentive to continue to collect and aggregate user information, so relying on them to protect user privacy will continue to be a losing battle." Ah, there's a toxic leak in our ecosystem. I'm shocked! Sony's many sites, practices and breaches are but one example now dangling in the media's hooks. Alas, our attention span is short, our needs continuous, and the practice is SO widespread... what's a person to do? Is this even a valid crisis? Where's the righteous indignation? j.