
Social Media as a Privacy Tool? June 14, 2012

Posted by Heather Mark in privacy.

As someone who closely follows the intersection of privacy and technology, I read with great interest a paper released by Google entitled “Vanity or Privacy? Social Media as a Facilitator of Privacy and Trust.” The paper is to be presented at the 2012 ACM Conference on Computer Supported Cooperative Work. It is relatively short and is presented as academic research. I doubt I need to replay for the reader Google’s recent privacy issues and its recent changes to the company’s privacy policy. With that in mind, it is difficult to read the paper as anything other than a justification for those changes. Unfortunately for Google, the paper is patently one-sided and its premises are flawed, to put it mildly. It should be noted that the authors do include the following caveat: “While these examples offer no judgment on whether social media is good for privacy in any absolute sense, they do support our contention that it is possible to design social media systems that are engaging and supportive of privacy and trust.”

Before I delve into the paper itself, it is important to provide some baseline definitions of privacy and trust, particularly with respect to the online environment. Privacy has traditionally been defined as the right to be let alone. (more…)

Of Payments, Privacy and Social Networks June 13, 2012

Posted by Heather Mark in Industry News, InfoSec & Privacy.

By now, many of you have probably heard about the smartphone app creatively and aptly named “Girls Around Me.” For those that have not heard, it is essentially an application that aggregates the “check in” location data of women using Facebook, foursquare, and other social, location-based services. It then displays for the user the locations and names of “girls around” him (or her; I don’t think the app discriminates). The app promises to “turn your town into a dating paradise.” For privacy professionals, the app sparks an interesting debate. Is privacy infringed if the person in question volunteers the information? On one side of the argument are those that would say “no – if the user has volunteered information then privacy is not compromised by the application.” The converse of that argument, however, centers on a definition of privacy that hinges on the appropriate use of information. If the user did not volunteer the information in an effort to join this “dating paradise,” then privacy is certainly infringed. Certainly, one can see that the application in the wrong hands has the potential for misuse. But what if we use the information for good, rather than evil? (more…)

Guest Post: “Of Payments, Privacy, and Social Networks” April 15, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

As I have been out of town at a charity event and had little time to blog, I am publishing a blog from the incomparable Dr. Heather Mark 😉 Please enjoy…

“By now, many of you have probably heard about the smartphone app creatively and aptly named “Girls Around Me.” For those that have not heard, it is essentially an application that aggregates the “check in” location data of women using Facebook, foursquare, and other social, location-based services. It then displays for the user the locations and names of “girls around” him (or her; I don’t think the app discriminates). The app promises to “turn your town into a dating paradise.” For privacy professionals, the app sparks an interesting debate. Is privacy infringed if the person in question volunteers the information? On one side of the argument are those that would say “no – if the user has volunteered information then privacy is not compromised by the application.” The converse of that argument, however, centers on a definition of privacy that hinges on the appropriate use of information. If the user did not volunteer the information in an effort to join this “dating paradise,” then privacy is certainly infringed. Certainly, one can see that the application in the wrong hands has the potential for misuse. But what if we use the information for good, rather than evil?” read more here!

Looking for Expertise? Mark Consulting Group is now open for Business January 25, 2012

Posted by Chris Mark in Uncategorized.

As a professional consultant, entrepreneur, and executive, I have decided to once again hang a shingle and open my newest venture, Mark Consulting Group. Unlike other companies I have founded, this will remain a boutique consulting operation focused on helping companies with strategy, marketing, business development, operations, branding, and the like. We have significant social media expertise, and the other principals bring a variety of unique skills to the table. Our objective is simple: to help you increase revenue through increased business, or retain more profit through increased operational efficiency. Either way, your business is more successful. Please take a moment to review my website, and if you have a particular need, please don’t hesitate to contact me directly. We have work samples on the site. http://www.markconsultinggroup.com

PCI DSS and Piracy January 12, 2012

Posted by Heather Mark in PCI DSS, Piracy & Maritime Security.

I’ve been reading quite a bit on piracy lately. Not the adventurous, swashbuckling tales of pirates flying down the Spanish Main, but piracy in its present form. From a purely detached perspective, it’s an interesting exercise in cause and effect. Natural disasters, for example, have an impact on the surge in piratical acts. The 2004 Christmas tsunami left many Somali fishing villages devastated and took the last legal means of sustenance from many families that depended on fishing for their survival. As a result, they turned to piracy. Of course, that is not to say that Somali pirates are the Jean Valjeans of their day, the thief with the heart of gold doing only what is necessary to survive. These pirates are violent and aggressive and should not be coddled. The interesting comparison to the PCI DSS, in my mind, derives from the impact of the crime on the industry and the global reaction to the phenomenon.

Impact of the Crime

Piracy is a crime that has an impact on all consumers. Higher insurance rates, security contingents, longer routes and therefore higher fuel costs, and similar consequences of piracy mean higher prices for consumers. Any costs that cannot (or will not) be absorbed by the manufacturer or the shipping company are passed on to the consumer. Similarly, data thieves have very definitely left their mark on the consumer. Those of us involved in the electronic payment industry recognize better than most the increased cost structure that has resulted from trying to achieve and maintain compliance with the PCI DSS and the countless data security, data breach notification and consumer privacy laws at play in the United States. Ongoing compliance and security monitoring, evaluating the threat landscape, and the cost of validating compliance can quickly add up for companies. Organizations that are already seeing their margins squeezed are required to spend additional resources on security and compliance to ensure the safety of consumers’ data. Those costs can sometimes be passed along to the consumer.

Global Reaction

Data security and piracy were both issues that “flew under the radar” until high-profile incidents brought them to public awareness. In the world of transoceanic shipping, the incidents that brought awareness were a couple of kidnappings for ransom and the hijacking of the Maersk Alabama. It’s important to note, however, that even before these incidents, the shipping industry and governments worldwide were working on standards and regulations that would mitigate the problem. The reaction from the industry should sound very familiar to veterans of the PCI DSS compliance world: “The standards are too prescriptive.” “The standards were written by people that don’t really understand the issues.” “How are you going to ensure that everyone is complying with these standards?” “The cost of complying with the standards is too burdensome for small companies.” These concerns should resonate with payment security professionals. The same questions and concerns are often raised about the PCI DSS.

For the payment industry, the events that really brought public awareness were a couple of high-profile data breaches at well-known retailers. The real question, though, is “What is the alternative?” If neither industry had done anything to address these growing issues, the constituents in each industry would have raised the alarm about the apparent lack of concern from the powers that be. The catch-22 of creating and enforcing the standards is that even though they achieve their objective of raising industry awareness and attempting to mitigate the risk of adverse events, the companies that suffer piracy attacks or data breaches are still often cast as the villain (as opposed to the victim) in the scenario.

What’s the Answer?

That is the crux of the matter: are the issues of data security and high-seas piracy “solvable?” There are a variety of issues that drive the increase in both crimes. Economic stability, the ability of governments to project their authority into these areas, jurisdictional cooperation and other factors drive the growth of both types of crime.

While I cannot confidently address permanent solutions to either problem, I can suggest a shift in perspective. In the realm of data security and payment security, practitioners often attempt to solve the problem by layering more and more technology in front of the sensitive data. Tokenization is one example of how a shift in perspective can provide alternative solutions: the merchant keeps a surrogate value that stands in for the card number, and only a tightly controlled vault can map it back. Extracting the value from the data makes it significantly less attractive to thieves. So instead of asking, “How can we keep thieves from accessing the data?” one might ask “What can be done in the transaction processing chain to render the data unusable to thieves?” We are currently retrofitting security onto a system that has been in place for fifty years. If we were to remove any preconceived notions of what a payment infrastructure should look like, what would we design?
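The tokenization idea in the paragraph above, as an added illustration that is not part of the original post or of any product: a minimal in-memory token vault that replaces a 16-digit PAN with a random token, keeps the last four digits for receipts, and deliberately mints tokens that fail the Luhn check so they cannot be mistaken for a real card number. The test card number, the vault key and those design choices are all assumptions made for the example; a real tokenization service would be a separate, audited system.

```python
"""Illustrative tokenization vault (added example, not from the post).

Assumptions (not from the original): an in-memory vault stands in for a
tokenization service; a 16-digit PAN; tokens keep the last four digits for
receipts and are deliberately made to fail the Luhn check so they cannot be
mistaken for a real card number.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check as used for card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever stores real PANs.

    Tokens are random, not derived from the PAN, so a stolen token (or the
    whole merchant database of tokens) yields nothing without this vault.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_index: dict[str, str] = {}          # HMAC(PAN) -> token
        self._index_key = secrets.token_bytes(32)     # hypothetical vault secret

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index is not itself a list of PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a new random one."""
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("not a valid 16-digit PAN")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        last4 = pan[-4:]
        while True:
            # 12 random digits + real last four; keep only candidates that
            # fail Luhn, are unused, and differ from the PAN itself.
            candidate = "".join(str(secrets.randbelow(10)) for _ in range(12)) + last4
            if (not luhn_valid(candidate)
                    and candidate != pan
                    and candidate not in self._token_to_pan):
                break
        self._token_to_pan[candidate] = pan
        self._pan_index[idx] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant system keeps after tokenization: no PAN at all."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if the stored record would hand a thief the card number."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # constructed, well-known test number
    rec = merchant_record(vault, test_pan, 1999)
    print(rec)
    print("exposes PAN:", record_exposes_pan(rec, test_pan))
    print("vault recovers:", vault.detokenize(rec["token"]) == test_pan)
```

The design point is that the token is random rather than encrypted: there is no key whose compromise turns the merchant’s token table back into card numbers, so the merchant database drops out of the set of things a thief can profit from, and the vault becomes the one system that must be defended and audited.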
