Category Archives: Privacy

Why You Should Implement Privacy by Design Before GDPR’s First Birthday


The GDPR has established strict rules for how organizations must approach processing of personal data. One of the law’s key requirements is to implement Data Protection by Design (DPbD). DPbD essentially compels organizations to adopt a Privacy by Design (PbD) approach to the design phases of their technologies and business processes. If your organization has not yet done so, you’re nearly a year too late – GDPR turns one year old on May 25th.




CES 2019 – AI Assistants Are Coming, Are We Privacy-Ready?


To experience CES this year was to experience the sensation of exiting a large football stadium. You essentially walk in a continuous herd of over 180,000 people. There were many noteworthy displays and freebies, as long as you don’t mind standing in line for two hours or having hundreds of people blocking your view. (The only line I stood in was for Starbucks).


I’m also not one for flying taxis or the never-ending release of new television screens. At this point, if you buy an 8K television, it will take years for content producers to catch up to 8K content (which is why you won’t see me covering this as a trend). Although, standing under these curved OLED TVs from LG complete with a dramatic presentation was one of my favorite, personal highlights.

I’ve organized the stampede into a couple of important trends that will impact you as a consumer of technology. I’ll be covering the notable CES trends in a three-part series. These trends include the tipping point for AI-powered assistants, Level 2 vehicle automation and 5G (yes, it’s a big deal).

CES 2019 Becomes Tipping Point for AI-Assistants

You may have heard the shocking statistics regarding daily mobile phone usage. For instance, the average person spends over 4 hours per day looking at their phone. The idea of touching your mobile phone to an obsessive level, especially while driving, will become a long-forgotten concept as we transition to AI-powered voice assistants. Google was clear with CES attendees – AI-powered assistants are the next frontier in technology and Google wants to win.

One of the bigger attractions at CES was a theme park ride that took riders through a Disney-like experience designed to highlight Google Assistant. The characters and landscapes prompted daily tasks through Google Assistant, such as turning off lights, taking selfies, and ordering birthday cakes. It was a costly display that got a lot of media attention.


Here is a brief overview of the Google Assistant-powered announcements from CES:

  • Google expects Google Assistant to be on 1 billion devices by the end of the month, up from 400 million devices a year ago.
  • Google Assistant will be on Google Maps for both iOS and Android.
  • Google Assistant will be integrated with Android lock screens, Sonos Speakers, Samsung TVs, Dish set-top-boxes, Lenovo alarm clocks, IKEA blinds (yes, you read that right), Anker and JBL to retrofit your car, and has partnered with United to check you in on flights with more airlines on the way.

Amazon Alexa had 80% of the market in early 2018. When new numbers are released, you can expect that market share to decrease, as Google was growing at 483% compared to Amazon’s 8%. Here are a few of Amazon’s announcements from CES:

  • Alexa, in a partnership with JBL speakers, can be installed into your ceiling through an LED downlight.
  • Razer plans to integrate Alexa into its gaming platform.
  • Amazon announced partnerships with Telenav and HERE technologies, which are both big players in the connected car space. Telenav is a connected car and location-based services provider and HERE sells and licenses mapping and location data, and works with companies such as BMW, Oracle, Facebook and Yahoo! Maps.
  • Echo Auto, a dongle that plugs into a car’s infotainment system to provide hands-free driving, now has over 1 million pre-orders.

Home is Where the Privacy Is

Apple should have an answer for this at WWDC in June, if not sooner. Siri was the original AI-powered assistant, released four years before Alexa. The only news we got from Apple during the show came from partnership announcements, with HomeKit and AirPlay 2 arriving on non-Apple devices such as Samsung, LG, Vizio and Sony TVs. (Apple does not make announcements at CES; rather, it makes announcements at its own, proprietary conferences.)

However, Apple did make one very bold statement at CES. The statement was in the form of a large ad that stated, “What happens on your iPhone, stays on your iPhone.” Apple is correct to bring up privacy at a time when tech companies will have more data and information than ever before from AI-powered speakers.


Takeaway:

The time we spend touching our mobile phones will define this past decade as a “thing of the past.” The practice of typing everything we are thinking onto a small screen will slowly be replaced by voice-activated technology. CES 2019 was a turning point, with tech giants revealing that AI assistants are the central focus of their strategy moving forward. However, there are serious privacy implications to having a speaker in every room of the house. Google’s Android operating system leaks more data than Facebook, even on Facebook’s worst day. The bottom line is that there are still a lot of questions to be answered before these assistants are in your ceilings, on your blinds, and in your bedroom via the alarm clock. I’ll be looking forward to Apple’s privacy-driven answer at WWDC in June.


Data Privacy: Reasons to be Optimistic


Data Privacy Day, held every year on January 28, is meant to raise awareness of, and promote best practices in, data privacy. This day in 2019 is, in my view, a good occasion to take stock of what the stakes of data privacy have become. In short: the stakes for data privacy have gone up. It now seems that data privacy is a key factor in protecting fundamentals of our society such as the autonomy of individual decision making and democracy.


10 years ago, in the U.S. at least, data privacy was generally considered an issue of consumer protection. Identity theft, annoyance with direct marketing, and the creepy feeling of one’s web browsing being followed around by online behavioral advertising were the dominant concerns of the day. Fast forward to today and it’s clear the Cambridge Analytica scandal has changed this perception.

Tomas Sander, Data Protection Officer and Senior Research Scientist, Intertrust

The ever-increasing costs of the abuse of personal data

Examples of how personal data and the user interest profiles built from them have been abused to manipulate electoral behavior are now almost routine. Russian actors have identified and targeted vulnerable demographics with misinformation campaigns in the U.S. national elections of 2016 and 2018 as well as the UK’s 2016 “Brexit” election. Much of the activity by these campaigns leveraged Facebook and other social media outlets.

The use of Facebook’s user profiling for dubious political purposes isn’t limited to the Russians. In 2017, the German nationalist party “Alternative for Germany” (AfD) expanded its group of sympathizers by leveraging Facebook’s “lookalike audiences” feature. This feature allows advertisers to identify and reach out to users similar to their existing customers or supporters. This tactic is one of the reasons the AfD successfully expanded its base of supporters to become the most successful right-wing party in post-war Germany. The examples brought up so far are associated with right-wing politics. In the U.S., it has come out that an organization used similar tactics in support of a Democratic candidate in a 2017 Senate race. So, it seems safe to say that abuse of personal data and profiles is not endemic to any particular political ideology.

Other surprising findings are changing how we view the privacy debate. Machine learning and artificial intelligence technologies now allow the creation of highly sensitive inferences about us from the ordinary data we generate in our online and offline activities. Research studies show that machine learning algorithms using social media data can predict the onset of a depressive episode before the individuals themselves know, and can predict sexual orientation or personality traits. Data privacy is proving to be an important factor in preserving our control of many factors about our lives.

Regulators are beginning to act

As the German poet and philosopher Friedrich Hölderlin once said, “But where the danger is, also grows the saving power.” Warnings about the possibly catastrophic impacts on society of the loss of privacy and control of our data are not only coming from a small group of privacy experts. Concerns are also reaching Main Street, and the good news is that this is beginning to have an impact. In California, Alastair Mactaggart and two other citizens started collecting signatures for a ballot initiative for a state privacy law. Despite formidable opposition from the state’s big tech firms, the end result was that the state legislature passed the California Consumer Privacy Act of 2018. The law grants California residents important rights such as the right of access to the data a company holds about them, a right to delete data, and a right to object to the selling of their data. Mactaggart noted that the Cambridge Analytica scandal provided the boost needed for the success of the effort.

The other major privacy development of 2018 was the General Data Protection Regulation (GDPR) going into effect in the European Union. The GDPR grants Europeans a number of rights including rights of access to their data, the right to be forgotten, and to data portability. The GDPR also sets high standards for transparency to individuals about data processing and for obtaining consent.

2019 will be the year to see how effective the GDPR will be at addressing privacy concerns. Expect a major fight between European regulators and big tech! Already, a 50 million euro (approximately $57 million) fine was levied against Google for violations of the GDPR’s transparency and consent standards. Will the European Union strictly interpret and enforce the GDPR’s emphasis on specific, informed opt-in consent, data minimization, and data usage purpose limitation? If so, it would limit the aggressive and opaque data handling practices of tech companies that underlie many of the privacy challenges noted above.

It’s complex but not impossible

This is a complex subject technically, economically, and politically, but not impenetrable. The impact on society and our lives suggests a call to action for us to become educated and engaged. We need an effective societal debate on how we want data privacy and control of our data to be addressed. There are concrete avenues where an informed citizenry can make a tangible difference. An important debate will be around a potential Federal privacy law in the U.S. A Federal privacy law will be much contested. It could significantly strengthen the privacy protections U.S. citizens receive, but it could also, perversely, weaken them. A Federal law would presumably preempt state laws, so it is seen as an opportunity by anti-privacy lobbyists to roll back state-mandated privacy protections such as those granted in California.

The empowering message for this Data Privacy Day is that privacy is not necessarily lost. We as a society can decide on the rules governing how our personal data is to be collected, shared and used. Companies, even the most powerful ones, will have to play by those rules, and if they try to evade them, we can hold them accountable.


Hybrid IP/Broadcast Data: With Opportunities Come Ethical Concerns


For decades, broadcasters have been forced to rely on third parties such as Nielsen Media Research for data on their audiences. Today, data is power. It shapes targeted advertising strategies and programming decisions, and broadcasters find themselves at a significant disadvantage compared to OTT services that can collect and analyze very detailed audience data sets. While standards such as ATSC 3.0 and HbbTV can level the data playing field for broadcasters, before proceeding they should look closely at experiences with user data in the recent past.


Rome. Peace. Data-driven Business Models.


The success of data-driven Internet-native companies has given the rest of the world data envy. Most companies are now considering how they can wrest control of their data flows and add data-driven business models to their current ones. For many established companies, their use of data has generally been limited, and this recent emphasis on data brings a number of new challenges. One is understanding whether they actually have the rights to the data they control. If this data comes from interactions with their customers or other third parties, the answer to this question may not be black and white. Also, as the corpus of data that companies gather continues to grow, assuring the effective security and privacy of that data becomes a critical part of their operations.


As organizations of all sizes struggle with their data strategies, these crucial topics are front and center in their thinking. This is also the reason Intertrust is focusing its fourth bi-annual LINE x Intertrust Security Summit on this very subject. The summit will be held in Rome on October 29, 2018 and, appropriately, at the Museo dell’Ara Pacis, a museum named after Pax, the Roman goddess of peace. The Security Summit is bringing together executives, academics, and policy professionals from Europe, Asia, and North America to discuss data ownership, security, privacy, and other related topics. It features professionals from both traditional industries such as media, health, and energy as well as Internet-native companies to ensure a wide-ranging discussion with interdisciplinary viewpoints represented.

Speakers include:

It will be a day of timely and thought-provoking conversations. To learn more, you can find more information and request an invite here.


National Privacy Day Panel: Driving Privacy and Security in IoT


As part of National Data Privacy Day on January 28th, 2016, we are proud to have been selected to participate in an event sponsored by the California State Governor’s Office of Business and Economic Development, CyberTECH and the Ponemon Institute. Called Securing the Internet of Things: National Data Privacy Day 2016, the event was held in the California State Capitol Building and brought together leaders from the California State Government, educational institutions and private industry to discuss how all can work together to better protect privacy and security in the age of IoT (some of our thoughts on the subject can be found here).


Intertrust’s own Vivek Palan participated in a panel discussion entitled “Security, Privacy and Trust in IoT Platforms.” Moderated by Davis Hake from Palo Alto Networks, the panel also included Lance Cottrell from Ntrepid, who is also the founder of the well-known privacy tool Anonymizer, Peter Day from Bank of the West, and Ford Winslow from centrexIT. To start with, Vivek stated the breadth of the issue by saying, “Everything you see now from household products to medical devices will be affected by IoT. The only limit is our imagination… Intertrust believes that for IoT to be successful, there is a very strong need for a common security layer with open standards.”

Mr. Cottrell made a very interesting point regarding just how to define IoT. At the heart of things, IoT is really about computers, but the difference between IoT and other computing devices such as personal computers and smartphones is more psychological than technical. “The user doesn’t think of a device such as a connected car, smart meter or SCADA system as a computer but as a device that does something. The person who built it doesn’t think about it as a computer either,” (Cottrell). This also affects security, since a laptop user is expected to be responsible to a large extent for their own security. The same expectation does not exist with IoT devices. Mr. Day put another spin on this, saying “IoT really means a radical loss of control to end users.”

Need to Act Quickly

The panel emphasized the need for quick action to develop trust in IoT. Given the potentially ubiquitous nature of these devices and the intimate connections IoT devices will have with both homes and organizations, Mr. Day suggested that the risk environment for IoT is different from other types of computing environments. With the scope and threats of IoT deployments yet to be determined, he is particularly concerned about unforeseen risks. “The situation is similar to right before 9/11…. Policy planners must think freely about the possibilities, free of what happened in the past,” (Day).

With a reference to the recent past, Intertrust’s Mr. Palan put forth one unnerving potential privacy risk around IoT. In June 2014, it came out in the press that Facebook had been manipulating some of its users’ newsfeed posts to see if it could change their emotional state. With consumer IoT devices potentially having access to very sensitive personal data throughout an individual’s life, “imagine the type of subtle manipulation these devices could do,” (Palan).

According to Mr. Cottrell, the dangers are increasing as many IoT manufacturers are putting out products without any clear guidance on who is liable for privacy and security. “IoT is essentially creating cyber security smog. Everyone can produce it but no one has to take responsibility for it,” (Cottrell).

Building Trust

Much of the discussion was about how to establish trust for IoT devices. Mr. Palan has had some experience working for startups in the past. Noting that many companies active in the IoT space are startups, he said, “I can understand how the pressures of releasing a product quickly can sometimes lead to skipping non-visible aspects like security and reliability,” (Palan). According to Mr. Palan, however, this is likely to be just a temporary state of affairs, for as time goes on business pressures will make sustainable user trust a competitive advantage.

The panel as a whole saw a real opportunity for open standards, protocols and industry organizations to play a large role in IoT privacy and security. Mr. Cottrell stated that the industry needs to get away from the stance of relying on end-user education. “When you buy a phone charger, you don’t expect to have to do your own testing to make sure it is safe, you just look for a UL (Underwriter’s Laboratory) code on it,” (Cottrell). As to how this sort of “UL mark for IoT” security will actually work, “Open standards and protocols will be baked into products as a matter of course and standards bodies will make sure devices comply with security,” (Palan). The idea of introducing clear lines of liability for IoT privacy and security and coming up with indemnification mechanisms was a recurring theme throughout the panel.

Beyond the usual drumbeat of privacy and security hacks, Mr. Winslow suggested that a move from selling IoT devices to selling IoT services could provide an effective economic incentive for IoT security. “Six months ago, I saw a medical device manufacturer move to giving a device away for free and charging a subscription fee, getting 10 to 20 times the revenue,” (Winslow). With additional revenue and an added incentive to keep the service up and going, a subscription model means more resources available for security measures. 


Photo Caption:

From left to right: Davis Hake (Palo Alto Networks), Vivek Palan (Intertrust), Lance Cottrell (Ntrepid), Peter Day (Bank of the West) and Ford Winslow (centrexIT)


Consumers Agree: Fix IoT Security and Privacy for Market Growth


As we greet the New Year (Happy New Year everyone!), the tech industry, like every year, starts things off with a bang at the annual CES show. This year, with introductions of everything from new AI technology for connected cars to talking sunglasses, the consumer electronics industry is looking for its next big market. And it’s clear that consumer IoT (Internet of Things) is the theme of CES 2016. So it’s not surprising that the consulting firm Accenture picked this time to release an international survey of consumers’ attitudes toward IoT. The Accenture survey shows what many in the industry have been pointing out for a while: for the consumer IoT market to really take off, security and privacy concerns have to be effectively addressed.

Accenture surveyed 28,000 consumers in 28 countries in October and November, 2015. They found that consumer intent to purchase such IoT products as smartwatches and fitness monitors in 2016 was around 7 to 13 percent, with little change compared to 2015. This relatively tepid enthusiasm can be explained by the perceived barriers, the first being cost with 62 percent of consumers feeling IoT products were still too expensive. The second, though, is the security and privacy risks of these products, with 47 percent of consumers citing this concern. In the expected high-growth markets of China and South Africa, security and privacy risks were cited by 58 percent of those surveyed.

Most likely consumers have been influenced by the spate of news stories about actual security and privacy risks found in the IoT products in the market today. Wired Magazine has a good roll up of some of the more egregious incidents in 2015, including a demonstration of the remote takeover of a Jeep Cherokee and security holes found in smart refrigerators and dolls. A poll of U.K. based security experts found that 75 percent felt that IoT device manufacturers were not implementing appropriate security measures.

Consumers are not the only ones concerned; IoT privacy and security concerns have reached the government level as well. In Fall 2014, an organization of the European Commission released an opinion on IoT privacy, followed by the Federal Trade Commission (FTC) in January, 2015. In December 2015, the U.S. Department of Homeland Security (DHS) put out a call for startups in Silicon Valley and others to help develop IoT security.

Some of the issues with IoT security can be attributed to the fact that many companies now getting into the market are ones that haven’t had much reason to worry about computing security in the past. This makes it even more urgent for the IoT industry to move on and create appropriate standards and best practices for security and privacy. There are, in fact, quite a number of standards consortiums and industry organizations working on this issue. Of course, we recognize that hastily cobbled together standards could lead to even more potential problems down the road. Still, given the threats to today’s consumers and tomorrow’s corporate profits, it seems a wise course for industry participants to commit even more resources in hopes of speeding the process along.