Categories: Building Trust, Privacy

Let’s Mobilize for Better Data Stewardship

If we want organizations like Equifax to be good data stewards, we, the users and consumers, must mobilize.

In October, the Internet Society explored why the dominant approach to data handling, based around the concepts of risk and compliance, does not work. To recap: “…data handlers try to adhere to regulatory requirements and minimize the risk to themselves – not necessarily to the individuals whose data they handle. For some data handlers, the risk that poor security creates may not extend to them.”

Euphemistically put, Equifax has not been an example of forthcomingness, transparency, and accountability. Users can change this paradigm. Users can shift the cost of a data breach onto the data handler by holding them accountable for their action or lack of action.

The key is to organize. For example, Consumer Reports is organizing a campaign calling on Equifax to take the next steps to address the fallout from the data breach. Their first step was to deliver a petition signed by over 180,000 individuals to Equifax’s headquarters.

The Internet Society just pledged $10k to this cause, to help Consumer Reports make sure Equifax does everything in its power to make things right for consumers in danger of identity theft.

Other actions you can take:

  1. Sign the Consumer Reports Petition to Equifax.
  2. Prepare for a breach incident with the Online Trust Alliance’s 2017 Cyber Incident & Breach Response Guide.
  3. Read the Global Internet Report 2016 to take a close look at the economics of data breaches and consider five recommendations for a path forward.
Categories: Building Trust, Privacy

Post Equifax, We Need to Reconsider How to Identify People 

Victims of identity theft will tell you the experience is like having your personal life broken into, tossed around, and thrown out onto the street. It is a violation that is indescribable. Then, you could discover that strangers are impersonating you, carrying out crimes under your name, and destroying your reputation. Unraveling the mess that follows is a long, painful and never-ending process – all this because someone else was careless or willfully negligent with your data.

Even if your data was not exposed in the Equifax breach, you should be both concerned and angry. This is a potentially catastrophic breach: roughly 143 million individuals (approximately 45% of the US population) now face the prospect of identity theft.

As a society, we need to seriously rethink why and how we identify people. How did the social security number become the default identifier, especially for non-governmental functions such as credit reporting? When the Social Security Administration first issued SSNs in 1936, their “sole purpose” was to track the earning history of workers for benefits. In fact, Kaya Yurieff points out that until 1972, the bottom of the card read: “FOR SOCIAL SECURITY PURPOSES — NOT FOR IDENTIFICATION.”

Social security numbers (SSNs) were not designed to be used for general identification, and they pre-date the digital era. They were not built to address the threat model that they face today. Part of the problem is that SSNs are now collected by businesses for unforeseen purposes and sprinkled around like confetti in servers connected to the Internet. In addition, the number is typically self-asserted; even if an individual is required to present their social security card, forgery is possible.

Koreans have first-hand experience of the pitfalls of persistent national identifiers. From 2004 to 2014, about 80% of Koreans had their national identification numbers and personal data stolen from a variety of businesses. The scandal led to calls for an overhaul of the national identity system. The system was not redesigned, but individuals over 17 were issued new numbers at an estimated cost of billions of dollars. Since 2014, the Personal Data Protection Act (PIPA) has prohibited the processing of RRNs (Resident Registration Numbers) regardless of the data subject’s consent and required data processors to delete all RRNs collected prior to August 2014 within two years.

American businesses should take a page out of South Korea’s book; they do not need to wait for legislation to embrace data minimization – limiting the amount of data they collect and retain. If a customer’s SSN is not 100% necessary to provide a service, why request it in the first place? As more users are affected by data breaches, more of them will hesitate to engage with a company that requests their SSN online. Businesses that embrace data minimization at the outset avoid this pitfall.

If a business does require an SSN from a customer, it must ask itself whether that data needs to be retained (once identity has been established, could another identifier be used or created?) and what security measures should protect it (if the SSN must be used as the identifier, can it be partitioned from other personal information?).

At a macro level, it may be time to consider better ways to manage SSNs in the U.S. While this undertaking and its cost are daunting, the potential cost of the fallout from identity theft affecting millions of U.S. citizens outweighs them. In 2016 alone, identity theft cost Americans over 16 billion USD. [5]

Ideally, we would have a system with sufficient abstraction built into it to allow an identifier to be replaced while maintaining continuity of the individual’s records. This already exists, but only on a limited scale and only after an individual has been a serial victim of identity theft. (See https://faq.ssa.gov/link/portal/34011/34019/article/3789/can-i-change-my-social-security-number: “A victim of identity theft continues to be disadvantaged by using the original number.”) We do not have to do away with social security numbers, but they should not be the “go-to” method to validate someone’s identity online or offline. In any case, SSNs need better security at the point they are provided (e.g. two-factor authentication) and when they are collected (e.g. encryption, access control, etc.). We also need easy means to revoke and replace compromised numbers.
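As an added illustration of the design sketched in the last two paragraphs (this is example code, not anything from the Internet Society post or from Equifax), the Python model below keys every customer record by an internal opaque identifier, keeps the SSN only as a keyed-hash lookup index inside a separate, role-restricted vault, and rotates a compromised SSN without disturbing the records that hang off the internal id. The pepper, the `identity-proofing` role name and the two sample SSNs are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Dict, List, Optional

# Constructed example secret. In a real deployment the pepper lives in a KMS/HSM
# and is released only to the vault service, never to the systems that hold
# business records, so a dump of either partition alone reveals no SSN.
PEPPER = secrets.token_bytes(32)


def normalize_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' index identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN is nine digits")
    return digits


def ssn_index(ssn: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the SSN, used purely as a lookup key.
    A plain SHA-256 would be brute-forced over only 10^9 candidates; the HMAC
    is useless without the pepper, and the plaintext SSN is never stored."""
    return hmac.new(pepper, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class IdentifierVault:
    """Partition 1: SSN index -> internal customer id, and nothing else.
    Only callers holding the (assumed) 'identity-proofing' role may use it."""

    def __init__(self) -> None:
        self._index: Dict[str, str] = {}
        self._allowed_roles = {"identity-proofing"}

    def _check(self, role: str) -> None:
        if role not in self._allowed_roles:
            raise PermissionError(f"role {role!r} may not use the identifier vault")

    def resolve(self, ssn: str, role: str) -> Optional[str]:
        self._check(role)
        return self._index.get(ssn_index(ssn))

    def bind(self, ssn: str, role: str) -> str:
        """Issue an opaque customer id for a new SSN (idempotent for a known one)."""
        self._check(role)
        key = ssn_index(ssn)
        if key not in self._index:
            self._index[key] = str(uuid.uuid4())  # surrogate id used everywhere else
        return self._index[key]

    def replace(self, old_ssn: str, new_ssn: str, role: str) -> str:
        """Revoke a compromised SSN: the customer keeps the same internal id, so
        every record keyed by it survives, while the old number stops resolving."""
        self._check(role)
        customer_id = self._index.pop(ssn_index(old_ssn))
        self._index[ssn_index(new_ssn)] = customer_id
        return customer_id


class CustomerRecords:
    """Partition 2: business data keyed only by the internal id. Whoever dumps
    this store gets no SSNs, and the history is untouched when the SSN changes."""

    def __init__(self) -> None:
        self._records: Dict[str, List[str]] = {}

    def append(self, customer_id: str, entry: str) -> None:
        self._records.setdefault(customer_id, []).append(entry)

    def history(self, customer_id: str) -> List[str]:
        return list(self._records.get(customer_id, []))

    def mentions_ssn(self, ssn: str) -> bool:
        """Partition-boundary check: no SSN digits should ever appear in this store."""
        digits = normalize_ssn(ssn)
        return any(digits in e for entries in self._records.values() for e in entries)


def demo() -> dict:
    """Enrol a constructed customer, record activity, then rotate the SSN."""
    vault, records = IdentifierVault(), CustomerRecords()
    old, new = "123-45-6789", "987-65-4321"  # constructed sample numbers
    cid = vault.bind(old, role="identity-proofing")
    records.append(cid, "credit line opened 2017-09")
    rotated = vault.replace(old, new, role="identity-proofing")
    return {
        "same_id_after_rotation": rotated == cid,
        "old_resolves": vault.resolve(old, role="identity-proofing"),
        "new_resolves": vault.resolve(new, role="identity-proofing") == cid,
        "history": records.history(cid),
        "leak": records.mentions_ssn(new),
    }
```

The point of the two classes is the boundary between them: the records store can be queried, backed up and handed to analysts without ever holding an SSN, and a breach of the index alone yields only peppered hashes. Real deployments would put the vault behind its own service with audited access rather than an in-process role string.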

As a citizen, for yourself and as a champion for others, assert your privacy. If you are asked to provide your social security number, ask why the business needs it, how it will be used, and how they will protect that data. Offer to provide alternate means of identification. If you are no longer using a service, ask them to delete your account and all your associated personal data. Remember not to reuse passwords, not to answer security questions with guessable information, to choose different questions for each service, and to use encryption where you can. For more online privacy tips, please go to Sword and Shield and Your Digital Footprint Matters.

Users can take steps to protect themselves, but ultimately, the responsibility rests on the shoulders of those who handle our personal data. Data stewards must stop being cavalier with other people’s data. It’s not good enough to say “oops, we have had a data breach, sorry about that”. If companies will not take data stewardship seriously, they should not be allowed to collect and handle personal data. Furthermore, data handlers should have robust contingency plans to reduce the impact of a breach on users’ daily lives as much as possible. At the end of the day, the burden of a breach should be felt by the data handler, not the end user.

Categories: Human Rights, Identity, Improving Technical Security

My Data. Your Business.

In times like these, it’s easy to be paranoid.

Almost every day there is a new story about an app, a TV or a child’s toy that is collecting too much data, or a massive data breach, or the latest kind of ransomware doing the rounds of the Internet.

We may not know the specifics, but we do know that somewhere out there someone is tracking us online: in fact, most of the data monetization machine is invisible to consumers — the individuals whose data fuels it.

All this has, understandably, left many people wary. Why WOULD you trust someone or something that is gathering information on you with no real insight into how it will be used?

The consequences of this could be devastating to the economy. If people do not understand how their data will be handled and used, and therefore don’t trust online transactions, online business will wither and die. The economy that the Internet supports could disappear.

Today is a day when world leaders will be listening. Not only is it World Consumer Rights Day, but it is also the G20 Consumer Rights Summit in Berlin. Robin Wilton, who helps lead Technical Outreach for Identity and Privacy for Internet Society, is on a panel to send a clear message that consumers, companies, and governments must take up the cause of data protection to help create an Internet we all can trust.

The global economy depends on it.

Here’s why your data is collected

For companies, your data means money for them.

Take Snapchat, a mobile messaging service where messages “disappear” after a few moments. In 2014, Snapchat turned down a $3 billion offer from Facebook to buy it.

And just a few weeks ago, Snapchat filed for a $3 billion IPO, debuted at $17 a share on 1 March and rose as high as $26.05 on day two.

Why would a service that prides itself on “disappearing” messages be so valuable? The answer depends on what Snapchat represents to you. If you’re part of a younger market that is less interested in leaving indelible footprints on Facebook, and is more interested in spur-of-the-moment mobile messaging, then the idea of a service where your messages automatically disappear is an attractive one.

If you’re looking to acquire the company, its value lies in the personal data consumers can’t avoid disclosing – their names, their phone numbers and most importantly, their network (the people they are connected to).

Different people see different values in the same company, and that can mean tensions when it comes to consumer protection. How can the company monetize its consumers’ data, while still delivering the privacy they signed up for?

Why is it a big deal for us?

With companies willing to pay millions, even billions, for information on what we do online, there is a strong motive for companies to collect all they can, keep it forever and use it for as many purposes as they can dream up. That sends a strong signal that we need to be in control of our personal information.

And while some companies are open and clear about what they do with our data, we – as consumers – are mostly kept in the dark. And, let’s face it, innovation is happening faster than our individual ability to keep up. Sometimes it seems like there is an “act now, ask for forgiveness later” culture.

And, then there’s the issue of data breaches. Large-scale data breaches continue to plague both the commercial and the public sector and to affect millions of consumers and citizens, as noted in the Internet Society’s 2016 Global Internet Report.

So if data collection and data breaches are showing no sign of stopping, what can be done?

Encryption is a key

We typically think of encryption just as a way of keeping information secret, and therefore as a way of mitigating the risk of a data breach — but in the digital world, it is much more than that.

  • It ensures that Internet traffic goes to the right destination.
  • It helps establish that you are talking to the person (or service) you meant to talk to.
  • It protects you against fraud when you pay online or in person.
  • It secures your mobile phone, your satnav, your home wireless connection.

Encryption underpins trust in almost every aspect of online activity, and as the Internet of Things expands, that list will only grow.

The Internet Society believes that encryption should be the norm. It’s the basis for fueling what the Internet brings to our economy, it’s a tool that helps us to trust our online transactions, and it helps all of us – from consumers to businesses to governments – boost our online security. It is not a threat, but a tool to help us know we’re doing our part to secure ourselves and the Internet.

Organizations Must Act.

Organizations must also play a role.

Together, with businesses and other organizations, the Internet Society believes that we need standards to handle consumer data ethically.

We propose a set of simple, but effective, principles any organization can implement, to create a culture of ethical use of personal data.

  • Publish ethical data commitments and stand by them.
  • Be honest and fair about consent and re-use.
  • Be transparent about your business model.
  • Embody ethics in product/service design.

We believe this will result in more sustainable business models for personal data, and lead to more trust between consumers and service providers.

These principles are a starting point. They should also be reinforced by practical measures, such as the Privacy by Design approach set out by Canadian and Dutch data protection commissioners in the mid-90s. For example, it recommends the practice of data minimisation: collect only what you need, keep it only for as long as you need it, destroy it safely and make sure it is secure. Restrict access – remember you are holding someone’s very personal and private data – and encrypt!
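To make the data-minimisation and retention practice above concrete, here is an added Python example (not code from the Internet Society or from the Privacy by Design programme) in which every collection is tied to a declared purpose, only the fields that purpose needs are ever stored, and records are purged once their retention period lapses. The purposes, field lists, retention periods and the sample form submissions are all constructed for the illustration; safe destruction here is simply dropping the in-memory record, which a real store would back with a secure delete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed purpose schemas (assumed for this example): each purpose names the
# only fields it may keep and how long they may be held.
PURPOSES = {
    "ship_order": {"fields": {"name", "postal_address"}, "retention": timedelta(days=90)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
}


@dataclass
class Record:
    purpose: str
    data: Dict[str, str]
    collected_at: datetime
    expires_at: datetime


class MinimisingStore:
    """Keeps only the fields a declared purpose needs, and only for as long
    as that purpose allows."""

    def __init__(self) -> None:
        self._records: List[Record] = []
        # (purpose, field) pairs dropped at intake; logged for audit, never stored
        self.refused: List[Tuple[str, str]] = []

    def collect(self, purpose: str, submitted: Dict[str, str], now: datetime) -> Record:
        schema = PURPOSES[purpose]
        kept = {k: v for k, v in submitted.items() if k in schema["fields"]}
        for extra in sorted(set(submitted) - schema["fields"]):
            self.refused.append((purpose, extra))
        record = Record(purpose, kept, now, now + schema["retention"])
        self._records.append(record)
        return record

    def purge_expired(self, now: datetime) -> int:
        """Delete records past their retention deadline; returns how many went."""
        keep = [r for r in self._records if r.expires_at > now]
        removed = len(self._records) - len(keep)
        self._records = keep  # in-memory stand-in for a secure delete
        return removed

    def fields_held(self) -> set:
        return {k for r in self._records for k in r.data}

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Two over-asking forms go through intake, then the clock runs forward."""
    store = MinimisingStore()
    t0 = datetime(2017, 3, 15, tzinfo=timezone.utc)  # constructed clock
    # Shipping a parcel needs no SSN or birth date, so both are refused at the door.
    store.collect("ship_order", {"name": "A. Customer", "postal_address": "1 Example St",
                                 "ssn": "123-45-6789", "birth_date": "1980-01-01"}, t0)
    store.collect("newsletter", {"email": "a@example.invalid", "phone": "555-0100"}, t0)
    held_after_intake = store.fields_held()
    removed_day_91 = store.purge_expired(t0 + timedelta(days=91))
    removed_day_366 = store.purge_expired(t0 + timedelta(days=366))
    return {"held": held_after_intake, "refused": list(store.refused),
            "removed_day_91": removed_day_91, "removed_day_366": removed_day_366,
            "remaining": store.count()}
```

Binding the allow-list to the purpose, rather than to the form, is what keeps the schema honest: a new feature that needs another field has to declare why and for how long before the field can be stored at all.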

If you would like to take part in the development of these principles, please get in touch.

Consumers need policy on their side

Policy makers must step up to the plate as well.

One of the most important places to start is to create a way to reward organizations and companies for ethical data handling practices and to encourage ways for those entities to credibly signal to consumers what standards they are applying. Ethical data handling is not only a solution for consumers: it is also a foundation for trust and sustainable economic growth.

Policymakers must work to create the conditions in which ethical data handling can have a positive effect on the market.

We all have a role to play

But, above all, we, as consumers, can take steps now. Inform yourself, demand better privacy and protect the data on your devices and in your communications, by using encryption.

Categories: Building Trust, Improving Technical Security, Internet of Things (IoT), Privacy

What’s Your Answer? Opting Out of the IoT

I recently visited Nairobi where I took a tour of iHub (Innovation Hub – http://ihub.co.ke) and a set of related small incubator labs. After the inspiring tour, a security professional approached me. She had not wanted to ask the question in public but asked me privately: Can people opt out of the Internet of Things?

It was immediately clear what she meant: When new technologies are introduced we often have the option to not use them. When the printing press was introduced I think that there were people who chose not to use books. The Amish choose not to use cars, and in the Internet age there are many people that opt not to use social media.

But in a slightly dystopian vision of the Internet of Things there may not be any possibilities to opt out. So that is what I answered, roughly:

There may not be a possibility to opt out because in the smart cities of the future, sensors may track our moves, recognize our faces, and hear our voices. The dystopian view helps us to understand what societal boundaries we need to set, and that is a discussion that will have to inform policies. To what extent do we accept that there is a minority that does not want to be exposed to technology?

Of course these discussions are taking place already; the debate around privacy and the impact of data gathering in the age of Internet and Big Data is active and engaged. But this question summarized it all and I wonder how you would have answered it.

Please use the Internet Society’s Connect platform to share your thoughts; you have to be an Internet Society member, ironically something that you cannot opt out from.

About this Series: Public speaking sometimes results in spontaneous questions that are more or less related to the topic at hand. Often the wisdom is in the question, not in the answer, and when talking about the Open Internet the questions can touch all aspects of the (Internet) Society. I hope to use some of these spontaneous questions as springboards for conversations on our Internet Society member discussion portal, Connect.

Categories: Privacy

Moving data across borders: APAC and the CBPR system

This year, Asia-Pacific is set to surpass North America as the world’s largest e-commerce market. But while it drives the global growth in online transactions, the region has yet to see a similar push by domestic economies to beef up laws to protect consumer data. Privacy provisions in the region remain patchy, with most economies relying on disparate policies to govern the collection of personal information online.

The four-year old APEC Cross-Border Privacy Rules (CBPR), hailed as the first pan-global framework for data privacy, might be a step in the right direction. Based on the guidelines set by the APEC Privacy Framework, the CBPR is intended to provide a minimum layer of protection for online consumers: It places limits on the types and amount of personal data that commercial entities can gather, and requires that businesses notify customers before information about them is collected or shared with third parties.

The system is voluntary, and relies largely on businesses aligning their privacy programmes with its code of conduct. To participate, an economy must satisfy the conditions set by the Joint Oversight Panel, and must also put forward an accountability agent to review businesses for the CBPR stamp of approval.

While it does not cover the entire region, the CBPRs, if implemented properly, can provide a baseline for accountable data handling by companies operating in APEC member economies, 15 of which are in Asia-Pacific. It can also foster complementarity between domestic data protection regimes, as well as regional cooperation on privacy-related law enforcement.

The scheme is not without its limitations. To start, the CBPR system is self-regulatory, and applies only to the data collection practices of businesses—not governments and individuals—and only to data that moves across different jurisdictions. A government backstop is in place, the APEC Cross-Border Privacy Enforcement Arrangement, but only five countries in Asia-Pacific (New Zealand, Australia, Japan, Singapore and South Korea) have public enforcement authorities on the list.

Thus far, three economies, Japan, Mexico and the US, have opted into the CBPRs, but only one—the US—has an accountability agent, TRUSTe, which means that at the moment, only US-located businesses can apply for CBPR certification. As APEC observers have pointed out, the system is fraught with a ‘chicken and egg’ problem, with both companies and governments withholding their participation until the other signs up, or expresses enough interest to join. Businesses lament the lack of uniformity in the language used by regional bodies to define terms like ‘personal data’, which can hinder proper compliance. Meanwhile, civil society groups like Open Net Korea assert that CBPR-certified companies undermine the system through small-print exemptions in their privacy policies, particularly for personal data provided in mobile apps or ‘behind logins.’

The APEC Data Privacy Sub-Group, through venues like the bi-annual APEC Electronic Commerce Steering Group meetings, tries to iron out these wrinkles. This year’s first gathering, held in the Philippines last week, introduced potential improvements to the CBPRs: these included a proposed corollary certification system for commercial entities that process—in addition to those that control—data collected online; and increased interoperability between the CBPR and its European counterpart, the EU Binding Corporate Rules (BCR) system.

Undeniably, more work needs to be done on the ground. Companies must be made aware that such mechanisms, which can boost consumer trust in e-commerce and facilitate better regional trade, are worth taking up. Governments, for their part, need to be more proactive about developing and implementing domestic privacy laws, ensuring that these are consistent with emerging international standards.

The CBPR is not a perfect system, but it is a starting point—for strategy-building, inter-sectorial cooperation, and responsible data collection, all of which would be welcome advancements in the privacy landscape in Asia-Pacific.

Categories: Building Trust, Human Rights, Internet Governance, Privacy

The Brazilian Experience of Public Consultation for the “Marco Civil Da Internet” and The Data Protection Law

In 2014, we saw Brazil take a strong leadership role in the global community on Internet issues and we expect 2015 to be no different. As Brazil looks to implement a framework of principles and rights for Internet use, its open participatory process is giving its citizens the opportunity to help shape the future of the Internet in Brazil.

Context

Brazil has long been referenced as an example of the multistakeholder approach to Internet governance, with the establishment of CGI.br – the Brazilian Internet Steering Committee – in 1995. It has also played an important role in advocating for a bottom-up, transparent and multistakeholder model in the World Summit on the Information Society tracks and the Internet Governance Forum.

Fueled by the Edward Snowden revelations in mid-2013, Brazil has undertaken several efforts to reinforce a clear framework for the Internet space.

At the international level, President Dilma Rousseff called for principles for the use of the Internet (UN GA 68th Speech) and strengthened rights to privacy and data protection online (UN GA 69th A/RES/69/166). Early in 2014, Brazil also hosted a Global Multistakeholder Meeting called NETmundial, which resulted in the São Paulo Declaration on principles and a roadmap for Internet Governance.

On the national level, Brazil focused on protecting Internet users’ rights by adopting the Brazilian Civil Rights Framework for the Internet, known as Marco Civil da Internet, which sets principles, rights and responsibilities for Internet use in Brazil. A roughly translated version of Marco Civil da Internet can be found here.

In 2015, the policy process in Brazil will focus on implementing the Marco Civil framework. Fortunately, the government will endeavor to maintain the same bottom-up and multistakeholder approach in implementation that went into construction of the original law, by opening it up to public consultation. In parallel, the government will also move forward on new legislation regarding data protection.

Last week, the government of Brazil launched two tracks for open public consultations on the implementation of the Marco Civil da Internet, and the new draft Data Protection Law.

“Marco Civil da Internet”

Sanctioned on 23 April 2014 as Law no. 12,965, the “Marco Civil” is the result of a long process that began with a set of principles for the use of the Internet issued by CGI.br in 2009. These principles were the basis for two rounds of public consultation, conducted in an open and participatory manner, that produced a common text submitted to the National Congress in 2011.

To keep up the good pace that led to this legislation, the next steps towards implementing the Law maintain the multistakeholder approach and collaborative processes, supported by flexible mechanisms that accommodate the dynamic evolution of the Internet.

The consultative process for the implementation of the Marco Civil da Internet is organised around four main axes: Net Neutrality, Privacy, Data Log Records and Other Topics.

Net Neutrality

The principle of Net Neutrality, for instance, has been safeguarded under article 9: “The agent in charge of transmission, switching and routing is obliged to treat any data packets with isonomy, regardless of content, origin and destination, service, terminal or application.”

However, the same article makes exceptional provision for discrimination or degradation of traffic due to technical requirements and the prioritization of emergency services. This part is subject to consultation to determine which the exceptions are and under which conditions they apply.

Privacy and Data Retention

Privacy, Private Life, Freedom of Expression, and Honor are among the rights already safeguarded in Marco Civil. Moreover, major provisions on privacy and personal data issues will be tackled by the subsequent track on Data Protection Law. Now, the focus is on how to turn those principles into implementable rules.

Below are the pieces of Marco Civil that are up for discussion as part of the Data Retention consultation:

Article 10: the security and confidentiality standards that the provider needs to follow in acting for the record retention of Internet Connection and Access to Application logs.

Article 13: consolidated rules and liabilities for the Autonomous System Administrator to retain the connection records under strict confidentiality, in a controlled and safe environment for 1 year. The law has already foreseen some situations, e.g., precautionary connection logs required by law enforcement agencies.

Article 15: consolidated rules and liabilities for Internet Application providers to retain access-to-application records under strict confidentiality, in a safe and controlled environment, for at least 6 months.

Draft Data Protection Law

The second track under public consultation is the Data Protection law, which has a similar consultative process that brought about Marco Civil da Internet in 2014.

Now that Marco Civil da Internet has entered into force, the data protection piece (which has been largely stalled since 2011) is ready to go for a second round on the consultative process.

The current consultation has 52 articles, divided into 13 main axes: scope and reach; personal, anonymous or sensitive data; principles; consent; end of processing; data owner rights; communication, interconnection and sharing of data; international data transfer; parties liabilities; secrecy and security of personal data; best practices; safeguard of rights; and temporary provisions.

The current text is strongly influenced by EU regulation, mainly Convention 108, in its definitions, consent rules, international data transfer and oversight, following the pattern adopted by many countries in South America. However, it also borrows from the US model, for example in adopting a market-balance approach to best practices and self-regulation. A roughly translated version of the Draft Data Protection Law can be found here.

International Focus in 2015

We fully expect that Brazil will continue its international leadership on Internet issues through its ongoing involvement in the NETmundial Initiative, activities in the UN regarding online privacy, preparations for the follow-up to the UN World Summit on the Information Society, and with its hosting of the Global Internet Governance Forum in João Pessoa, northeast of Brazil.

Conclusion

It is critical that the Brazilian Internet community works together to ensure that this ground-breaking legislation is well-implemented and continues to evolve in a way that supports the global, open Internet; that protections of human rights remain strong; and that the Internet environment in Brazil is open for innovation, creativity, competition and free expression. Fortunately, the process of implementation is open for participation – it is up to Brazilians to seize the opportunity to shape the future of the Internet in our country.