Archive for 'Privacy Policies'

Are your cyber properties transferrable?

Friday, December 31st, 2004

From NPR: the father of a soldier killed in Iraq requested access to his son’s Yahoo account but was refused by Yahoo on the basis of its privacy policy. This raises the question of whether cyber properties are transferrable. Visit here for details.

Openness as a Privacy Protection Strategy

Tuesday, October 26th, 2004

Daniel J. Weitzner has an editorial in this week’s Computerworld online called “Openness as a Privacy Protection Strategy.” At first it seems like a contradictory statement, and he references David Brin’s seminal work, The Transparent Society.

But just as Brin argues that a loss of privacy to surveillance isn’t Orwellian as long as _everybody_ has access to the surveillance, Weitzner seems to argue that customers needn’t necessarily fear companies collecting large amounts of information about them as long as this activity is “transparent.”

As Weitzner puts it:

Is the transparent enterprise destined to be the engine of the elimination of privacy? Has the analytic power and data-gathering reach of today’s information networks rendered privacy a disappearing artifact of simpler, less-networked times? I don’t believe so, but in order to retain the dignity, control and occasional solitude that are at the heart of privacy, we have to start designing systems differently.

First, we should embrace transparency as a design philosophy that can help people ensure that information about them isn’t used in a way that’s contrary to legally permissible purposes or in violation of agreements under which it was collected. Our design goal should be to provide active transparency to users. In many cases, people are comfortable about information collection, provided they know that it’s happening, understand the purpose of it and can check that it’s not being used inappropriately.

While I still think there is a very strong case to be made for actively working to minimize data collection, just as I believe there is a very strong case for actively working to minimize governmental surveillance, I think Weitzner’s point is valid. Transparency of data handling, i.e., making customers aware of what data is being collected about them and how it will be used, is a perfectly valid design goal. Software engineers need to be thinking about how this goal would affect their system designs.

A Taxonomy for Customer Loyalty Cards

Friday, September 10th, 2004

If you’re like me, you carry around a pack of “customer loyalty cards” everywhere you go. I have one for my favorite Chinese restaurant (buy 7 buffet dinners, get the 8th free), a used CD store (buy 15 DVDs, get the 16th free), and no fewer than 3 customer loyalty cards for coffee shops (Border’s Cafe, Weaver Street Market, and Cup-A-Joe).

Most of these loyalty cards are simple and benign. They are just business-card-sized pieces of paper which the sales clerk at the store marks when you make a purchase. Because they have no personal information associated with them, I like to think of them as anonymous customer loyalty cards. Their simplicity is a tremendous advantage to stores. For a fairly low cost, the issuers of these cards can build repeat business.

I can’t help but note that their simplicity is accompanied by a complete and utter lack of security. The only thing that keeps these loyalty cards from being subject to spoofing attacks (i.e., customers falsely marking purchases on their own cards) is the honor system, as far as I can see. But that’s a subject for a different blog.

There is another class of consumer loyalty cards, which I call profile cards, that aren’t nearly so benign. Most commonly these are found in grocery stores. A customer fills out a customer profile survey and is issued a card with a unique identifier. The Harris-Teeter where I shop calls them “Very Important Customer” cards, and I’m proud to report that I am Very Important Customer #4-098911769-1. Every time I buy something at my local Harris-Teeter, I flash my VIC card and get discounts on various items. You can bet your bottom dollar that Harris-Teeter keeps track of all purchases I make with my VIC card and uses that information for various marketing and business analytics purposes.

On the whole, is this such a bad thing? If Harris-Teeter knows that I am going to buy four 2-liter bottles of Diet Dr. Pepper every Friday afternoon on my way home from work, maybe they’ll make sure it’s on the shelf when I get there. And if they give me 10 cents off the price just for associating the purchase with my name, why not?

The problem is that profile customer loyalty cards are getting stores into trouble in multiple ways. First, profile information such as your personal buying habits is increasingly becoming subject to subpoena requests in various criminal and, in some cases, even civil court cases. If John Doe bought a 12-pack of Rolling Rock beer 90 minutes before he was involved in a late-night car crash, it could potentially be used as evidence to support charges of drunk driving.

As far as I can tell, the situation hasn’t gotten so bad yet. So far stores have been reasonably successful in refusing to divulge such information. But in an era where government officials can demand that libraries hand over your book checkout records (thank you, PATRIOT Act), one can only imagine that the pressure to hand over customer profile buying habits will increase, not decrease.

In addition to being criticized for handing over customer data in legal proceedings, these stores are also feeling pressure to use the information they collect in ways that they don’t want to. Imagine this scenario: a batch of ground beef is found to be tainted and the FDA issues a recall on the meat. The grocery store pulls the meat off the shelf, but some of it has already been sold. Does the grocery store have an obligation to search through its customer profiles, try to find the people who bought the meat, and notify them? This scenario is the subject of at least one class action suit from customers.

So these profile customer loyalty cards, as valuable as they are to the stores that issue them, can have significant negative consequences associated with them. At a minimum, the stores that issue them can find themselves keeping several lawyers busy in court fending off various lawsuits relating to how they use or don’t use the data, not to mention the uneasiness that an increasing number of shoppers feel about the potential privacy invasion. Some stores have abandoned their customer loyalty programs for these reasons.

Dropping the customer loyalty program altogether is not the only option, however. Customer loyalty card programs can be saved, and can continue to be valuable to both the customers and the stores that issue them, without raising the sticky privacy issues that currently plague profile-based customer loyalty cards.

I think the problem stems from the fact that our society as a whole is infatuated with computers and databases, and in the IT industry customer relationship management is one of the hottest areas. In my opinion, the problem is that companies take a default position of collecting all the information they can about their customers without thinking of the legal obligations or troubles that it might cause. We have an “all or nothing” approach to customer loyalty cards.

But there’s a third way. It’s entirely possible for companies to get most of the benefits from their customer loyalty cards while incurring none of the legal headaches. All they have to do is simply stop associating their customer loyalty cards with individuals.

The problem with my VIC card is not that it has a unique number on it, the problem is that it has my name and address associated with it. So imagine a third kind of customer loyalty card, let’s call it the “deidentified customer loyalty card.” Suppose my Harris-Teeter simply gave away cards with the unique numbers on them but did not collect the names and addresses of the people who held the cards. This would still allow Harris Teeter to build some fairly sophisticated profiles about my buying habits and would enable them to market to me with instant coupons issued at the cash register, etc. It would still allow them to sell trend data to consumer goods manufacturers which they could analyze for business trends etc. But gone would be those pesky subpoenas to hand over data about a person’s buying habits because they simply would not have the information. Likewise, the “failure to notify” lawsuits would go away for the same reasons. And finally, Harris Teeter could truly say that they are protecting the privacy of their customers because all of the information is deidentified from the start.

To muddy the waters a bit, Harris Teeter could collect some general demographic data while still keeping the information deidentified. I’m not likely to care if Harris Teeter knows that card number #4-098911769-1 is associated with a white male living in zip code 27517 who is in the 30-40 age group. And such information would not be targetable by lawyers.

To summarize, anonymous customer loyalty cards are great for generating repeat business but can’t be used for business analytics because there is literally no data associated with them. Profile-based customer loyalty cards give value to the customer and can help generate repeat business while at the same time generating a wealth of customer profile information that can be analyzed and used for various business purposes. However, profile-based customer loyalty cards are a minefield of potential lawsuits and consumer fears. Deidentified customer loyalty cards could still be valuable to customers, generate repeat business, and still generate profile information that is almost as valuable as that of the profile-based cards, while removing the many thorny legal issues and reassuring customers of their privacy.
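To make the third design concrete, here is an added example of my own (not the blog author’s code and not any retailer’s system) showing what a deidentified loyalty program stores and what it can still compute. The record layout, the field names, the list of direct identifiers and all of the card and purchase data are constructed for the illustration; the age bracket and zip generalization follow the “30-40 age group, zip code 27517” idea above.

```python
"""Deidentified loyalty-card records: constructed illustration, not a real
retailer's schema. Assumed layout (mine): each card is a dict, each purchase is
a dict keyed by card number. The deidentified program keeps the card number
plus a 10-year age group, sex and 5-digit zip; it never stores name/address."""
from collections import Counter
from datetime import datetime

# Direct identifiers a deidentified program must never store (assumed list).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email"}

# Constructed sample data: what a profile-based program would hold.
PROFILE_CARDS = [
    {"card_id": "4-098911769-1", "name": "John Doe", "address": "1 Main St",
     "age": 34, "sex": "male", "zip": "27517"},
    {"card_id": "4-111111111-1", "name": "Jane Roe", "address": "2 Elm St",
     "age": 58, "sex": "female", "zip": "27516"},
]

# Constructed purchases; only the card number links them to a shopper.
PURCHASES = [
    {"card_id": "4-098911769-1", "item": "Diet Dr. Pepper 2L", "qty": 4,
     "when": "2004-09-03T17:30"},   # Friday
    {"card_id": "4-098911769-1", "item": "Diet Dr. Pepper 2L", "qty": 4,
     "when": "2004-09-10T17:45"},   # Friday
    {"card_id": "4-098911769-1", "item": "ground beef 1lb", "qty": 1,
     "when": "2004-09-10T17:50"},   # Friday
    {"card_id": "4-111111111-1", "item": "ground beef 1lb", "qty": 2,
     "when": "2004-09-08T12:00"},   # Wednesday
    {"card_id": "4-111111111-1", "item": "Diet Dr. Pepper 2L", "qty": 1,
     "when": "2004-09-11T09:00"},   # Saturday
]


def age_group(age):
    """Generalize an exact age to a 10-year bracket, e.g. 34 -> '30-40'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 10}"


def deidentify_card(card):
    """The deidentified view of a card: number plus coarse demographics only."""
    return {"card_id": card["card_id"], "age_group": age_group(card["age"]),
            "sex": card["sex"], "zip": card["zip"]}


def deidentify_program(cards):
    """Convert a whole profile-based card file to deidentified records."""
    return [deidentify_card(c) for c in cards]


def identifying_fields(cards):
    """Check: which direct identifiers appear anywhere in the card records?
    An empty set means there is nothing for a subpoena to name a person by."""
    present = set()
    for c in cards:
        present |= DIRECT_IDENTIFIERS & set(c)
    return present


def weekday_habit(purchases, card_id, item):
    """Per-card buying pattern by weekday (the 'Diet Dr. Pepper every Friday'
    analytics), computed from card numbers alone."""
    counts = Counter()
    for p in purchases:
        if p["card_id"] == card_id and p["item"] == item:
            day = datetime.fromisoformat(p["when"]).strftime("%A")
            counts[day] += p["qty"]
    return dict(counts)


def trend_by_zip(purchases, cards, item):
    """Aggregate sales of an item by zip code: the trend data a store could
    sell to manufacturers without knowing who any shopper is."""
    zip_of = {c["card_id"]: c["zip"] for c in cards}
    counts = Counter()
    for p in purchases:
        if p["item"] == item:
            counts[zip_of[p["card_id"]]] += p["qty"]
    return dict(counts)


def cards_that_bought(purchases, item, since):
    """Recall scenario: card numbers that bought an item on or after a date.
    The store can flag these cards at the register, but with deidentified
    records it holds no name or address to mail a notice to."""
    cutoff = datetime.fromisoformat(since)
    return sorted({p["card_id"] for p in purchases
                   if p["item"] == item
                   and datetime.fromisoformat(p["when"]) >= cutoff})


if __name__ == "__main__":
    deid = deidentify_program(PROFILE_CARDS)
    print("profile program stores:", identifying_fields(PROFILE_CARDS))
    print("deidentified program stores:", identifying_fields(deid))
    print(weekday_habit(PURCHASES, "4-098911769-1", "Diet Dr. Pepper 2L"))
    print(trend_by_zip(PURCHASES, deid, "Diet Dr. Pepper 2L"))
    print(cards_that_bought(PURCHASES, "ground beef 1lb", "2004-09-09"))
```

The point of `identifying_fields` is that it is a check you can run over the actual data store rather than a promise in a policy document: if the set is empty, the subpoena and failure-to-notify questions have nothing to attach to, while the per-card and per-zip analytics above still work unchanged.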

In this case, the innovation is not a new technology. Sometimes innovation comes from giving careful thought to what you are doing. Sometimes innovation comes from collecting less data, not more.

–Calvin Powers

Finally Someone Remembers The Privacy Act

Friday, June 25th, 2004

The Chicago Sun-Times reported in an article on June 24th, 2004 on the airline industry’s disclosure of passenger information records to the Transportation Security Administration and its contractors.

This is hardly a new story. It originally broke in September 2003 when JetBlue admitted it had handed over the information of over 5 million passengers, in direct violation of its stated privacy policy. Since then, more and more airlines have sheepishly admitted to having done so also. According to the Sun-Times article, 4 major airlines and 2 major reservation systems have admitted to doing the same thing.

What’s new about this story is the claim that this activity is in direct violation of Federal law.

Up to this point, discussion about this fiasco has been limited to the fact that these disclosures are in violation of the airlines’ publicly stated privacy policies. As a result, the FTC has been investigating these acts as “deceptive trade practices” based on complaints from the Electronic Privacy Information Center and others.

Check out the full complaint at:
http://www.epic.org/privacy/airtravel/jetblue/ftccomplaint.html

The Sun-Times article quotes Senator Joe Lieberman of Connecticut, top Democrat on the Senate Governmental Affairs Committee, as saying that the Transportation Security Administration “may have violated” the “Privacy Act”.

The Sun-Times article is not specific about which “Privacy Act” Senator Lieberman was referring to. But I believe it’s a safe bet that he was referring to The Privacy Act of 1974 (http://www.usdoj.gov/foia/privstat.htm).

Senator Lieberman specifically mentions a failure to notify the data subjects that their information had been collected. But in my opinion, the more interesting requirement in the Privacy Act of 1974 is that agencies that collect information about individuals must:

“publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include–

(A) the name and location of the system;
(B) the categories of individuals on whom records are maintained in the system;
(C) the categories of records maintained in the system;
(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use;
(E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
(F) the title and business address of the agency official who is responsible for the system of records;
(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;
(H) the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its content; and
(I) the categories of sources of records in the system;”

One can’t help but wonder if the TSA, and by extension, the Homeland Security Department, has even considered these requirements, much less complied with them. The Sun-Times article reports that an official from the Homeland Security Department said that the agency is investigating.

I think this will be an interesting test of the Homeland Security Department’s commitment to privacy, and I look forward to seeing how they respond to Lieberman’s challenge.

The Privacy Place Team Completes GLBA Privacy Policy Analysis

Friday, August 1st, 2003

A new analysis of 40 online privacy statements from nine financial institutions that are covered by the Gramm-Leach-Bliley Act (GLBA) was completed in July. Our findings show that compliance with the GLBA “clear and conspicuous” requirement by the analyzed policies is at best questionable, and demonstrate that most policies require a reading skill considerably higher than the Internet population’s average literacy level.