Privacy, Security & Innovation: Converging Responsibilities & Business Opportunities

It is hard not to see, hear and feel the buzz in privacy and security circles around security, privacy, identity theft and data breaches. These issues are filling the sails for legislators and advocates who are pushing for self-governance and solutions. While their concerns are valid, the media headlines may also be sensationalizing and conflating the actual threat and potential harm to consumers. The number and scope of proposed legislative efforts in play may be daunting for businesses to comprehend. Senators Rockefeller and Lieberman have bills on cybersecurity, the White House is advancing a strategy for trusted identities, and Representatives Boucher, Stearns and Rush have introduced privacy bills with potential impact on online and offline data collection.

For the past five years the Online Trust Alliance (OTA) has been advocating best practices to enhance online trust and confidence as a key requirement to ensure the vitality of online services. It turns out we are not alone. U.S. Commerce Secretary Gary Locke stated at a meeting in late July that “the importance of cyber security can be summed up in one word: confidence.” I cannot agree more. Trust and confidence are what underpin everything we do on the Internet; they are the foundation of the Internet economy.

As business and industry groups debate these issues, questionable privacy practices and identity theft continue to make headlines. So whose responsibility are these issues? The scope crosses nearly every work discipline, and it is clear we can no longer “stovepipe” the responsibility and defer accountability to others. Cybercriminals are basking in our indecision and protracted efforts to reach consensus. While we chase their shadows, the fraudsters continue to outflank us.

Shifting Targets

In the early 2000s, links and images in email became disabled by default due to the rising fear of virus-laden documents, beacons and the like. Fast forward 10 years and we find the threats remain the same, but the attack vectors have shifted. Criminals have moved to softer targets, focusing on Web sites and infrastructure. Based on data provided by Microsoft and Symantec, over the past five years malware-infected email has decreased by over 90 percent while infected Web pages have increased over 500 percent.

As sites and browsers have become more secure, we have experienced a shift of malicious activity infiltrating the online advertising ecosystem. By compromising legitimate sites, criminals are leveraging and ultimately defrauding a trusted and legitimate distribution network. By simply purchasing advertisements and infecting them with malicious code, they have uncovered a fast and efficient delivery vector. Consider the facts. Based on Alexa, it is estimated over 1 million sites carry advertising, served by upwards of 300-plus ad networks and ad exchanges. Multiply that by the number of advertising agencies and advertisers submitting creative, and the number of potential touch points is overwhelming. The design and structure of the ad marketplace, which provides flexibility and significant value to the dynamic needs of the marketplace, has by its same design proven ripe for exploits. In the absence of integrated controls we can only expect these attacks to flourish. Do we need to make structural and systemic changes to the way we operate?

In early August The Wall Street Journal launched a series of investigative reports titled “What They Know.” While some of the articles may be alarmist, they underscore the challenges business and technical decision makers are facing. Data mining and Web analytics have helped fuel the Internet economy. Consumers are realizing significant value from unlimited free email accounts, news services, cloud storage and geolocation services, but do they understand and appreciate how their online behavior has become the currency which supports these services?

If we continue down the path of business as usual, without data stewardship and accountability, we may risk a “tragedy of the trust commons” with long-term ramifications. While businesses are prospering and industry sales are on the upswing, do we fully understand the long-term impact and responsibilities? How will this data be used and can it be exploited tomorrow? What technologies should be used to protect data and users, and what constitutes reasonable efforts to render it anonymous?

Security and Privacy

These questions, issues and trade-offs can be perplexing. The chasm between consumers’ expectations, privacy advocates and today’s business operations must be bridged. It is no longer an issue of security or privacy, but of security and privacy.

The Commerce Department has created an Internet Policy Task Force focusing on four critical issues: privacy, cybersecurity, protection of intellectual property and freedom of flow of information. I believe these are of vital importance to innovation, economic prosperity, education, civic activity, cultural life and, last but not least, our national security. Not only should these be top priorities of the government, but business leaders must share the responsibility to ensure that the Internet remains an open and trusted infrastructure. Businesses have become stewards of consumer trust. Stewardship includes leadership and responsibility not for short-term gains, but for long-term prosperity.