Muddling through privacy and the social Web

I'm at the Privacy and the Social Web panel at Supernova, featuring lawyer/moderator Kraig Baker, Harriet Pearson (Security Counsel/Chief Privacy Officer, IBM), Anne Toth (VP Global Policy/Chief Privacy Officer, Yahoo!), Jerry Lewis (Chief Privacy Officer/Deputy General Counsel, Comcast), and Jim Dempsey (Center for Democracy and Technology). They're discussing how:

The networked digital environment creates massive new opportunities for personal information to be collected, shared, and used. Will the law change, and if so, how? Is privacy even a viable concept any more?

These are my unedited, unproofed notes, posted as soon after the talk as possible. Sam Diaz, coincidentally, is right next to me posting as well (See Supernova: Can social media be the savior of privacy?) (I've also been posting shorter impressions of the conference on Twitter.) Harriet Pearson: when organizations can extract value from use of things like Facebook, LinkedIn, SalesForce and others, you get more widespread use. This increases the issues from a personal and consumer perspective, and also from the enterprise standpoint. We used to have work-life balance, now we have work-life integration - which sounds like something painful. It's something like passion in all forms of your life. There's a fuzziness to it that leads to a set of policy issues, and public policy and regulatory issues. Privacy is part of the equation but not the only piece. Harriet is at IBM, where 50k+ employees put themselves out there as experts on various social media sites; they have over 200,000 employees on LinkedIn, for ex. IBM's social computing guidelines for employees are here. Essentially, beware and be thoughtful. IBM believes norms and leadership must come from all quarters. "Tipping point:" staying on the right side of it. People will use social media if it provides value, if you're in a geographical area/community that accepts it, if there is transparency and individual control, and if there's community regulation. Anne Toth: one of our biggest challenges at Yahoo! from a privacy standpoint is how to integrate social functions in services that previously functioned otherwise. Yahoo! Updates=social syndication via Yahoo! Threads activity throughout the Yahoo! network. You see other people's status updates, among other things. Managing expectations: when Facebook introduced its newsfeed there was a big outcry. Yahoo! has embedded a number of different tools to provide transparency and control. You're told when Updates are being generated and who can see them. Idea is to socialize the users to public vs. private, don't want anyone to be negatively surprised. Anne remembers being surprised when LinkedIn introduced it's "who's been searching on you?" feature. There was no notice, and it prompted her to go limit her settings. Jerry Lewis: As our business has evolved to become more e-commerce focused, how do we manage the current work-life seamless integration? Shutting it down is not desirable or practical. The better way is to identify what behaviors you want to value and encourage with these tools. Organizations want to use social media to promote themselves and their products. It's a valuable recruiting tool. Getting benefits from promoting company's use of open source. Trade secrets, IP, privacy interests of individuals: Comcast has simple, easy-to-read internal policies, and there's lots of self-policing. It's been largely successful. If you thoughtfully approach these issues, you can derive a lot of value and manage the downside. Jim Dempsey: For years we've been trying to play this Tale of Two Cities kind of game: "It's the best of Webs, it's the worst of Webs." He's not going to do this. Thinks the social networking phenomenon could actually be the savior of privacy. There's been a broad push towards controls, and to some extent demand for user controls. Facebook yesterday made a teaser announcement about revamping controls, eliminating regional networks, and adding per-item choice about sharing and privacy. You see the Google Ads preference movement, Google Dashboard, what Yahoo! is offering. It's common to say, "Young people don't care about privacy, look what they post online." Things like the uproar over Beacon don't support that. Users do demand and require a sense of control, and when they don't get it they get very upset. We thus have a trend toward user control. The share/don't share, the granularity of sharing choices, the index/don't index options all show this. It's interesting to think about how corporate use plays into this. As social networking becomes increasingly integrated into professional life, you want your people sharing a lot, but not necessarily with everyone. Re advertising, up 'til now the behavioral advertising model has been based on guesswork. Social networking now says, "don't guess who I am, this is who I am." That user generated content, if you combine it with control, that is, "I have chosen to say this, I have chosen to put out there that this is who I am," this could really change and threaten the whole model of inference-based approach to advertising. Jim is enough of a pessimist to know there are countervailing considerations, such as: does anyone have the time to exercise and understand the controls. At some level its incumbent on organizations like CDT to educate users about these things. Tomorrow, CDT is launching its Take Back Your Privacy initiative, concerns social networking, the browser, apps: all ways in which your information is collected. There's also a need for a baseline federal privacy law. There's hope here for the user control envisioned by the original creators of the Internet. Kraig Baker asks about how privacy missteps can damage your brand. Yahoo!'s Anne Toth says you have to manage and fulfill user expectations over time. Through one errant action - "I mean, Tiger Woods is living this right now" - years of trust can be destroyed. Need to get what you want and expect every time. Jerry Lewis: how we handle and treat customer information is a key piece of that. Says Comcast tries to put on its "consumer" hat: would I like this? "We're all consumers too, we all have likes and dislikes, we're probably representative of a lot of our users." Focus groups too. "We're excessively vigilant and probably over-analyze this," but they want to make sure things act like people think they should. Kraig Baker asks about issues of personal security, when you're letting lots of people know where you are and what you're doing. "I have a hard time thinking of how the proliferation of connectedness adds to security," says Harriet Pearson." There are issues, and we have to figure it out. Not on our own, but with help from various parts of society. Normal people aren't going to have the time to figure it out in detail. IBMers use social media outside the company, and they try to mitigate the risk of this: from a straightforward IT security standpoint, from a brand-protection standpoint, and others. One of the easy ways to lose trust is not to secure the information you have under your management. The easiest way to screw up privacy is to screw up security. The "oops, I lost the information, I couldn't handle it properly" phenomenon. Over the longer term, if you don't have a long-haul process for properly and securely managing information, you can't expect trust. Jim Dempsey: It seems logical that intelligence garnered from social networking will be exploited for criminal purposes. On social networking sites themselves, there's the issue of how information is used internally: in any other company your biggest security threat is the insider threat, assume that's the same for social networking companies as well. Sam Diaz (in audience) asked Jerry Lewis about @comcastcares. Lewis acknowledges humorously that cable companies don't have the most stellar reputation for customer service, and that's not acceptable. So, they started reaching out to people, and saying, "Where do you live? We'll send a truck over right now." It's a great story because the customer got what he needed. Comcast actively monitors the discussion around Comcast. "One of the more valuable things we get is what's going on on Twitter." Helpful diagnosing and fixing things like bad routers and servers. And, they now have relationships with customers on Twitter. "There're still people who bash us, and we still drop the ball," but at the end of the day we help people better get the value out of the services they're paying for. Interacting in realtime in various ways has really increased customer satisfaction. Woman who lost health benefits "allegedly" lost them - "It's an IBM employee," clarifies Harriet Pearson. Harriet continues, "Part of what needs to happen is a paradigm change for how the law approaches privacy." Policy, law, and other organizations need to optimize around the concept that "it's out there, but I need to be able to control it." What we thought was happening a decade ago is really happening now. That paradigm shift is really hard to achieve, but governments around the world are exploring what the paradigm should be. Let's imagine the information is out that, but a core concept should be it shouldn't be able to harm someone. Another: organizations should be accountable for their actions. If you get your arms around those concepts, then you get into the more amorphous realm of zones of privacy. It's an incredibly complicated problem that deserves some new thinking. Jim Dempsey: "You tapped into my inner paranoid here." We could do a whole session on governmental access to information. The way the law is currently structured, it's statutorily unclear what the government can get. "'Subpena' is latin for 'no judge has ever seen this piece of paper.'" Subpenas are issued by prosecutors, etc. We need to have a major update to checks and balances, while still letting law enforcement do their job. Years ago we created an elaborate regulatory structure around credit reports and credit reporting agencies. You have a right to see the information and challenge it before it becomes final. Led to a whole market for "credit reporting agencies," which Google and Facebook and MySpace are not. If I find derogatory information about you through a credit reporting agency, I'm required to tell you; social networks fall completely outside that framework, yet are used to make adverse decisions about people. Ultimately we're going to need something like the Fair Credit Reporting Act, part of the catch-up that needs to occur. Kraig Baker asks where privacy will evolve in the next 5-10 years. Anne Toth says we need to make it easy for people to exercise their choices and be aware of what digital footprints they're leaving. Jerry Lewis sees focusing on technology and innovation rather than law. Spam is controlled at your inbox, not via anti-spam laws. A combination of good technology, responsiveness to customers, go a lot further toward empowering us and giving us the control we want. Harriet Pearson says there is a role for regulation, but the most regulated areas for privacy are healthcare and financial, and none of us feel that great about the situations there. The issue of cyber-security, more needs to be done to secure the infrastructures that underlie businesses and society. Investment in foundational areas to address security. We can't mature and get into the big productivity shift unless we can do it securely. Jim Dempsey, "I'll close on a post-modern note and say that we'll muddle on through. A true post-modern note is that muddling through takes efforts by individuals and companies."