Title: Making Privacy Work in the Mobile, Wireless
1. Making Privacy Work in the Mobile, Wireless Pervasive Computing Environment
Presentation by Dr. Larry Ponemon
Sustainability Research Consortium Meeting, Phoenix, March 31, 2003
2. Proposed Agenda
- Drivers to Privacy
- Privacy in the Mobile, Wireless and Pervasive Computing Environment
- Questions and Answers
Ponemon Institute. Please Do Not Share Without
Express Permission
3. Do You Have a Right to:
- Control information collected about you and your family?
- Control how that information is being used?
- Have access to review your personal information?
- Have the ability to change incorrect information?
4. A Case About Bad Privacy
- Story: In Arizona, about 100 members of a retirement community were given free personal computers, full access to the Internet and a basic hands-on training program.
- Sounds too good to be true?
- Real deal is about providing significant information about yourself and your immediate family (children, grandchildren and so forth).
- So, who has the choice now? What recourse do these people have? And, how about our relatives who had their privacy violated?
5. A Case About Poor Wireless Security?
- Story: A major supermarket chain headquartered in California has a strategic partnership with a major retail pharmacy. Customers can now buy their prescription drugs and other personal medical items in the store (and use the regular store check-out line).
- What's the Problem?
- Confidential patient information (such as prescription drug histories) is now co-mingled with individual shopping history. This information is now linked to the individual profile through the loyalty card program.
- Poorly designed security architecture over the data warehouse and point of entry (wireless 802.11 systems) allowed unsophisticated hackers to gain full access to sensitive customer data. Furthermore, the practice is a violation of California regulations on patient information protection.
6. Factoid . . .
- A recent analysis of major business organizations shows that less than 24% of companies in the United States are in reasonable compliance with their stated Internet privacy and data protection policies.
- Proposition: Far fewer companies would be able to comply with the requirements for privacy and data protection in the mobile, wireless and pervasive computing environment.
7. Why Does Privacy Remain a Hot Issue?
- Rise of cyber crime and other related criminal activities (especially using the Internet and wireless Web as primary channels)
- Post 9/11: New surveillance requirements with focus on cyber terrorism
- Lack of consumer trust, especially use of wireless Web for electronic purchases and payments
- New enabling technologies (fastest growing industry sub-sector, especially new authentication tools)
- Growing fear about identity theft among consumers
- Additional regulatory requirements such as new FTC Rules and Homeland Security requirements
- Continued press and media coverage
8. The Privacy Principles
- Notice and Awareness: Information collection practices; usage and sharing
- Choice and Consent: Opt-in and opt-out policies and methods
- Access and Accuracy: Right to view, modify or delete relevant information
- Reasonable Security: Ensuring the integrity and protection of data
- Redress and Enforcement: Including dispute resolution mechanism
9. Post 9/11 Impact on Privacy
- Authentication has become major focus
- Something that the company has about you, usually in the form of individuated data (mother's maiden name)
- Something that you carry in your wallet, computer or PDA (smart chip)
- Something that defines you, such as a fingerprint and facial scan (biometrics)
Better authentication reduces both privacy and security risks, but only if the credentialing process is nearly perfect.
10. Post 9/11 Impact on Security and Surveillance
- Security dominates the privacy issue
- The focus is on knowing the customer and stopping the bad guy from getting inside the critical infrastructure or gaining access to financial assets.
- Privacy rights are still important, but not at the cost of diminishing security and public safety.
- New surveillance methods draw upon multiple sources of customer-centric information, creating a potential privacy blow-up if this personal information is not protected or managed properly.
11. Factors Increasing Security and Privacy Risks in Corporate America
- Growing use of personal information for secondary purposes
- Over-reliance on new authentication and surveillance technologies (increasing misclassification risk, false positives)
- Lax controls over personal information used for customer profiling and surveillance
- New information sharing practices among various organizations, without proper knowledge of due process and consistency
- Limited or fragmented oversight of data protection, security and privacy risk management
12. The New Surveillance Society
- Growing concerns for most people
- Who is watching me?
- Who is watching the watchers?
- Do individuals have a choice?
- How will surveillance data (negative data) be used and/or shared?
- What are the long-term consequences to our privacy rights?
- What are the costs to business and society?
13. Beyond Regulation
- Consumer concerns are costing business in lost sales, market value and potential litigation.
- Media coverage of security and privacy blow-ups has major impact on corporate brand and reputation.
- Security and privacy concerns are not independent of national boundary and culture.
- Regulatory requirements are creating large demand for new enabling technologies (such as preference management tools on wireless devices).
- Security and privacy issues create real social and ethical risks for companies, especially those in high reputation industries.
14. General Consequences . . .
- Many companies have become paralyzed by the proverbial fire storm caused by new security and privacy requirements.
- Advocates and regulators are still focused on Internet and Wireless activities, with the belief that technology companies are the weakest link in the security chain.
- The largest area for potential abuse concerns wireless devices, which may face large public resistance and regulatory groundswells.
- But, most companies are still complacent about data protection risk (not putting ample resources into preventive programs).
15. Consequences in the Mobile, Wireless and Pervasive Computing Environment
16. What are the Privacy Challenges
- Despite improved authentication features built into many new devices, mobile, wireless and pervasive computing environments create privacy risks. Why?
- Privacy issues often result from human error. While authentication and improved access control may alleviate some of the error, people will still make mistakes using new technologies (for example, allowing others to use their wireless PDA or picture phone device).
- Security controls are not perfect. Even WAP Level 3 security controls on wireless devices can be susceptible to penetration risks.
- The always-on feature of many devices creates a real possibility that technology is open for abusive practices by unscrupulous companies and government, especially with respect to location tracking.
17. What are the Privacy Opportunities
- Mobile, wireless and pervasive computing environments lend themselves to improved 1-to-1 relationships between senders and receivers of communications. Why not use new mobile or wireless devices to capture individual privacy preferences in one, compact location?
- Using P3P-like methodology, privacy preferences can be incorporated directly into the mobile or wireless device, providing the sender with strict instructions on acceptable or unacceptable modes of communication (such as preferred product offers and perceptions about spam).
- Privacy preferences can be changed or updated instantly by the end-user in a safe and secure fashion.
- Privacy preference framework can be standardized to conform with multiple applications (hence, multiple senders can rely on one uniform platform rather than individuated databases to manage privacy).
18. What Should Companies Do to Engender Trust?
- Develop critical privacy protections into the device as an integral part of the product design (such as using anonymization and suppression management tools to reduce privacy risks).
- Educate consumers of this new technology about the human risks associated with unintended uses or sharing of the mobile or wireless device.
- Develop common privacy and data protection standards for mobile and wireless technology manufacturers and software companies to make it more efficient to manage data protection risks in a holistic way.
- Use new mobile and wireless technology as a means to engender greater privacy protections such as embedding P3P preference management tools into the device.
19. Questions and Answers
Presentation by Dr. Larry Ponemon 520.290.3400 Larry_at_ponemon.org