Tag Archives: data brokers

Privacy Engineering: How Researchers Can Protect Consumers and Companies

By Marc Dresner, IIR

Those of you who follow this blog know I’ve been a little
hung up on privacy lately. 

My last two posts, respectively, have dealt with
data brokers and the relatively unchecked accumulation of people’s personal information on- and offline by companies nowadays.

Today I want to look at the privacy engineering movement
that’s been gaining traction in the IT community and why researchers ought to
take note.
But first, just to refresh, in my previous posts I’ve echoed
a growing sentiment among experts that we may be on the brink of a privacy
backlash in response to a perceived lack of informed consent and
transparency with regard to Big Data collection and use.
In a nutshell, there’s mounting consumer anxiety over what some characterize as a sort of Big Brother-style corporate surveillance.
It’s a worrisome trend at a time when trust in brands and
companies’particularly among younger cohorts’is already abysmally low.


A Consumer Trust Crisis

Coca-Cola’s Global Director of Human and Cultural Insights,
Tom LaForge, summed up the trust situation well in a speech I attended earlier
this year:
‘Whether or not a competitor will steal share is not what
you should worry about. Worry instead about whether or not people will allow
you to stay in business, because ‘big’ is on probation,’ said LaForge.

‘Worry about
whether or not people will allow you to stay in business, because ‘big’ is on
probation.’ 
‘ Tom LaForge, 
The Coca-Cola Co. 
‘People do not trust big entities,’ he added. ‘They don’t
trust governments. And global corporations are often bigger than governments. Corporations
are about as big as it gets.’
How bad is this trust crisis? LaForge said ‘corporations are losing the social
license to operate’ as a result.
In such a climate, it’s not implausible that a
well-publicized privacy breach (note that’s privacy
breach, not data security breach) might
cause serious, even irreparable damage to a brand, company or other
institution’s credibility and relationship with the public.

Privacy: It’s About Ethics Not Compliance

Accordingly, experts are advising companies to think about
privacy not in terms of compliance, but in terms of ethics.
Indeed, the reason privacy is getting so much attention
these days is arguably because current legislation and regulation don’t go far
enough and may not be able keep pace with technological change.
In lieu of statute, companies must sort out privacy ethics
on their own. That’s a complicated affair in which the research community can
be an invaluable resource.
But first, I humbly suggest that researchers get acquainted
with ‘privacy engineering.’

What is Privacy Engineering?

An increasingly popular approach with the tech set, privacy engineering endeavors to
systematize privacy and embed it in the products and processes companies use, buy, create
and sell. 
I conducted a podcast interview on the subject with one of its pioneers, Michelle Dennedy, VP and Chief Privacy Officer at
McAfee, back in April.
Dennedy, whose credentials straddle the legal and
technological aspects of data security and privacy, is also co-author of ‘The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.’

‘Privacy
engineering is a way to build respect for information about people back into
our infrastructure.’ 
- Michelle Dennedy, McAfee 
‘Privacy engineering is a way to build respect for information about
people back into our infrastructure and to think about data from the consumer
perspective,’ Dennedy told me.

It’s particularly important for researchers to familiarize themselves
with this approach, I think, in part because companies are increasingly looking outside the
research function to data scientists to manage Big Data.

You don’t need to be an IT specialist to understand ‘The Privacy
Engineer’s Manifesto’ and it may be just the blueprint consumer researchers need
to insinuate themselves in the fundamental discussions that shape not only
privacy policy and practice, but the manner and extent to which companies
harness Big Data moving forward.

See Also: Privacy by Design

I would also advise researchers to familiarize themselves
with another, similar concept: Privacy by Design’ (PbD).

PbD is both an approach
and a landmark resolution approved by international data protection and
privacy commissioners in Jerusalem in 2010.
The PbD framework sets out seven foundation principles aimed
at ensuring that privacy is embedded into new technologies and business
practices from the outset and boils down to three key tenets:
-         
Trust and control
-         
Freedom of choice
-         
Informational
self-determination
According to Dr. Ann Cavoukian, former Privacy and
Information Commissioner of Ontario, Canada, and architect of PbD, privacy
policies are becoming meaningless to people and companies should not hide
behind them.
‘If your company does something with people’s information
that might raise ethical questions, stating it in a privacy policy’even if it
isn’t buried in jargon’does not equate to informed consent. People check the box
without reading all the time,’ Cavoukian told a room full of consumer
researchers back in May.
‘Privacy isn’t
something people think they should have to ask for; it’s a presumption.’ 
‘ Privacy and Information Commissioner
Ann Cavoukian

‘Privacy isn’t something people think they should have to
ask for; it’s a presumption,’ Cavoukian added.

Bottom line: A privacy policy may protect a company in a
lawsuit, but it won’t help in the court of public opinion, where the stakes
may be much higher.
To illustrate just how serious the threat of a
public backlash has become, Cavoukian cited a variety of survey data,
most notably a January 2014 AP-GfK poll in which more than 60% of respondents
said they value their privacy over anti-terror protections.

PbD and privacy
engineering offer a compelling safeguard to companies because they’re
inherently proactive. You’re embedding privacy protection in everything you do
and design’right down to the code’from the get-go.
While it may seem expensive to take the necessary steps to
ensure that all current and future products, systems, etc., meet standards that
may not be mandated by law, the cost may be infinitely higher to implement,
revise and rebuild after a privacy breach.

How does this
apply to researchers?

We tend to think of this stuff as falling under the purview
of a Chief Privacy Officer, but it’s both an imperative and an opportunity for
researchers.
Consumer researchers are probably the last people who
require a lecture on the ethical collection and use of data or the sanctity of
trust’without it, we have no respondents’but as you well know, research today
is neither confined to direct response methodologies nor gathered exclusively
from opt-in panels and communities.
Moreover, a research department typically isn’t the only
entity in a company engaged in the collection of consumer data, its sole repository or the arbiter
of its use.
In short, there’s plenty of room for an unintentional breach
of privacy ethics in most organizations today. And given the stakes, this
represents an unacceptable risk.
So, the time has come for internal research functions to get
involved in privacy discussions outside departmental walls and to have a hand
not just in crafting policy and protocol, but to make the case to management for
building a company-wide culture that understands and respects consumer privacy.
So start by paying a visit to your colleagues in IT to talk
about privacy engineering. Privacy oversight will need to cover marketing,
R&D, sales, etc. 

This is a chance for research to assert influence over all of a
company’s present and future consumer information assets. It’s a natural fit.

ABOUT THE AUTHOR
Marc Dresner is IIR USA’s sr. editor and special communication project lead. He is the former executive editor of Research Business Report, a confidential newsletter for the marketing research and consumer insights industry. He may be reached at mdresner@iirusa.com. Follow him @mdrezz.

Big Privacy: It’s Coming

By Marc Dresner, IIR

My blog last week focused on data brokers and the looming threat of a Big Privacy backlash
in response to Big Data collection run amuck.

I want to
stick with Big Privacy this week, because I believe strongly that the
consequences of inaction for those in the consumer insights field could be more
serious than most of us realize.

For starters,
high-profile gaffes by Facebook, Apple (I’m referring to “Locationgate” not the naked photo scandal) and the like have done much to educate
the public on the data-for-service arrangements those of us who didn’t read the Privacy Policy unknowingly entered
into with such companies.

I think most people have since resigned themselves to this trade-off. 

Maybe that’s
because many of us did a rough cost-benefit analysis and, if not ideal, we found the
model acceptable, harmless, reasonable’ 

The absence of any evidence suggesting widespread public outrage has to do with the fact that
people don’t think they have any choice

But I suspect that more likely than not, the relative absence of any evidence that suggests widespread public outrage has to do with the fact that people don’t think they have any choice in the
matter.

A friend I recently mentioned
this to dismissed the idea, noting that Facebook isn’t forcing anyone
to use its network.

That’s true. And it’s pretty much irrelevant to a realistic discussion about privacy, because what matters here is the perception of transparency and ethical conduct.

No one is being forced to Google anything, either. But that didn’t
prevent the European Union Court of Justice from ruling in May that Google must amend search results upon request’a precedent-setting decision that asserts
the rights of the individual to control his/her personal data.

Indeed, it’s this notion of control (and informed consent) that we need to start considering when we talk about privacy.
People
are waking up to the fact that information about them is being collected and
used for purposes that they aren’t aware of and might not consent to if they
were

People are just
now starting to wake up to the fact that information about them is being
collected by unknown others and used for purposes that they aren’t aware of and
might not consent to if they were.

Most of the general
public, I think, knows that privately held data’credit reports, purchase
histories, loyalty data’about them exist and are shared between companies, but
I’d wager few people understand the extent of this sharing or what policies or
rules govern such activity.

Josh Klein, author of ‘Reputation Economics: Why Who You Know Is Worth More Than What You Have,’ points out that most people would probably be surprised to learn that Acxiom and LexisNexis have been aggregating purchase history to develop health profiles, which they sell to hospitals who then
use the information to advertise targeted medical services.


“Tell people this sort of
thing and it’s no leap for them to imagine that information going to their
insurance adjustors,” Klein said in a presentation he delivered at TMRE’s sister event, Shopper Insights in Action, this past July.

People would probably be even more shocked to know what can be amassed about them in the public domain’tax
records, voting records, ethnicity, religion, who your neighbors are, if you’re
married, do you take care of your parents, do you have children, etc.

This information isn’t
just available to Big Brother; it’s available to, well, me if I want it.

Klein pointed out that Spokeo combs publicly available sources, aggregates the data and basically provides
a docier on individuals to subscribers for about $3 per month.

Now, you can opt out of a Spokeo listing, but you cannot close the spigot of publicly available data about you. That alarms some people. 

Surveillance
is a loaded word, but that’s what is happening when we go online, isn’t it? 

Surveillance
is a loaded word, but that’s what is happening when we go online, isn’t it? And
on such a massive scale that Orwellian is almost an understatement.

Klein notes that Google only needs 22
points of data to figure out who you are wherever you log on. (Whether you hit the logo to go back to the home page or hit the
home button is one such data point.)

And then there’s mobile’where you go, what you do on your phone’it’s all being collected. 


People may have signed on, but they are not on board.

So, again, why haven’t we
seen a bigger backlash?
Maybe it’s a matter of ignorance or denial. Maybe people think it’s futile. Maybe we’re just lazy.
Whatever the
case, it is a curious thing and I’m not the only one who believes the situation is unsustainable.

Coming Next: Data Custodianship, Privacy By Design and a Huge Opportunity for Consumer Researchers.

ABOUT THE AUTHOR 
Marc Dresner is IIR USA’s sr. editor and special communication project lead. He is the former executive editor of Research Business Report, a confidential newsletter for the marketing research and consumer insights industry. He may be reached at mdresner@iirusa.com. Follow him @mdrezz.