May 18

Facebook IPO and the Fate of Our Economic Recovery

I'm going to be watching the Facebook IPO closely. I feel the underpinnings of our fragile economic recovery rest on Facebook's success. I know many people are hoping for Facebook to fail and come crashing down from the stratosphere. Maybe they don't like Mark Zuckerberg, or Facebook's privacy policy, or maybe they just feel the platform is ruining our culture. Whatever the reason, I would suggest those folks take a cold and detached view of how Facebook can affect our economic recovery before wishing too hard.

There is no doubt that Facebook's IPO is one of the most hotly discussed initial public offerings in recent memory. It will be very closely watched and by most estimates it is expected to do well at open. However, reviews are mixed on the long-term success. I argue we all need to be hoping it is successful whether you like the company or not.

If it is successful at IPO, and maintains its value over the next 12-18 months, there will be a large new crop of millionaires spinning out of the company. If past patterns hold, a percentage of these individuals will take their newfound wealth and invest it in tech startups. We've seen this most recently with Google's crop of new millionaires, but have seen it over and over again with IPOs dating back to the original dot com boom.

Think about that within the context of our economy. Right now a large part of the success of our struggling economic recovery is credited to the growth of startups, and most of these are technology-based companies. If the Facebook IPO succeeds there will be more encouragement to continue investing in these startups and more people with the cash to make those investments.

If the IPO fails, that investment money will dry up as quickly as a drop of water evaporates on hot pavement. And when that happens the red-hot tech startup scene likely withers and the rest of the economic recovery will likely follow.

So go ahead and continue hating Facebook and wishing that Zuckerberg gets knocked down a notch with the failure of an IPO, but be careful what you wish for.

May 11

Myspace Learns the FTC Means Business

In its settlement with Myspace earlier this week, the Federal Trade Commission showed that it is willing to forgive little when it comes to privacy violations. Myspace agreed to settle an FTC lawsuit accusing the company of misrepresenting its protection of personal information. As a result of the settlement Myspace is required to implement a comprehensive privacy program and will be subjected to 20 years of privacy assessments.

This is the same sort of settlement that both Google and Facebook agreed to last year, so on the face of it, the terms themselves aren't that surprising. However, when looking a bit deeper into how Myspace violated the privacy of its users, I find it surprising the FTC treated Myspace's violation on par with Google's and Facebook's.

It's apparent that both Google and Facebook, as accused by the FTC, perpetrated privacy violations on their users as they clearly misrepresented themselves in a way that warranted the settlements. But the root cause of Myspace's violation wasn't misdeeds, it was the result of poor attention to security.

The crux of the accusation comes down to Myspace's "Friend ID." That identifier is a unique number that, when known, allows direct access to the ID owner's page. The Friend ID is not secret. A quick people search on myspace.com shows results containing the Friend ID appended to the end of every URL in the list (see the image below). Clearly just exposing that number by itself is not a privacy violation. The violation occurred when Myspace carelessly included the Friend ID in reports back to advertisers, enabling the advertisers to link users with specific demographic profiles. That's a no-no.


[Image: Myspace people-search results, with the Friend ID appended to the end of each profile URL]

To understand why providing the Friend ID to advertisers is a problem you need to understand a bit about how Google, Twitter, Facebook, etc. use the personal information they collect for advertising. While an advertiser can buy access to a particular demographic, the advertisers aren't provided the identities of specific individuals they reach. In that way, even though Google may know all about your habit of eating toilet paper, Charmin can't buy a list of users that would include your identity. The advertisers only buy the opportunity to display a message to you, preventing disclosure of personal information to the third party (a privacy violation). This is a fine but important distinction, and one that Myspace failed to make.

However, as I already mentioned, this was not an intentional action on Myspace's part, yet they were still treated as roughly as other purposeful violators. The lesson here is twofold. One, the FTC is making it apparent they will go after anyone intentionally or unintentionally disclosing personal information without consent. And two, this is yet another example of why information security professionals have to understand privacy laws. The professionals reviewing Myspace's code must have known the ID was available to advertisers. I have to believe they just didn't think it was a problem, and that is a problem.
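The Friend ID problem above is a general one: a first-party identifier rides along in the URL (or the Referer header the browser attaches) when a page pulls in an ad pixel, and the advertiser ends up holding a key that links impressions to a specific account. The following is an added example, not Myspace's code: a small check that scans outbound request logs for third-party requests carrying a first-party user identifier, plus a scrubber that strips such identifiers from a page URL before it would be sent as a Referer. The hostnames (on the reserved `.test` TLD), the log format, and the parameter names assumed to carry the identifier (`friendID`, `uid`, `user_id`) are all constructed for illustration.

```python
"""Spot first-party user identifiers that leak to third-party ad endpoints.

Added example, not Myspace's code.  Everything here is constructed for
illustration: the hostnames (.test TLD), the log format, and the parameter
names that are assumed to carry a user identifier (e.g. "friendID").
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hostnames that belong to the site itself (assumed).
FIRST_PARTY = {"example-social.test", "www.example-social.test"}

# Query parameters assumed to carry a stable, per-user identifier.
USER_ID_PARAMS = {"friendid", "uid", "user_id"}


def is_third_party(url):
    """True when the URL's host is neither a first-party host nor a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    return not any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def user_ids_in(url):
    """Return the set of user-identifier values carried in the URL's query string."""
    query = urlsplit(url).query
    return {v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in USER_ID_PARAMS}


def scrub_referrer(url):
    """Drop user-identifier parameters and the fragment from a first-party URL
    before the browser would send it as a Referer to a third party."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in USER_ID_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def find_leaks(log_lines):
    """Scan 'METHOD request_url referer' lines (constructed format) and report
    every third-party request whose URL or Referer carries a user identifier."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        method, url, referer = line.split()
        if not is_third_party(url):
            continue  # first-party traffic may legitimately carry the id
        leaked = user_ids_in(url)
        if referer != "-":
            leaked |= user_ids_in(referer)
        if leaked:
            findings.append({
                "line": lineno,
                "third_party_host": urlsplit(url).hostname,
                "ids": sorted(leaked),
            })
    return findings


# Constructed sample: an ad pixel fetched from a profile page (Referer leak),
# a pixel with the id copied into its own query string, first-party traffic,
# and a clean pixel request.
SAMPLE_LOG = [
    "GET https://ads.example-adnet.test/pixel?cid=77 https://www.example-social.test/profile?friendID=123456",
    "GET https://ads.example-adnet.test/pixel?cid=77&uid=123456 -",
    "GET https://www.example-social.test/api/feed?friendID=123456 -",
    "GET https://ads.example-adnet.test/pixel?cid=77 https://www.example-social.test/home",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: user id(s) {f['ids']} sent to {f['third_party_host']}")
    print(scrub_referrer("https://www.example-social.test/profile?friendID=123456&tab=photos"))
```

Run against the constructed sample, the first two lines are flagged (the id arrives once via the Referer and once in the pixel's own query string) and the last two are not. The scrubber is the preventive side of the same check: a profile URL with the identifier removed can be sent as a Referer without handing the advertiser a link back to the account.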

If you want to learn how to prevent these sorts of mistakes with your own business, check out Startup Privacy coming this July.

May 06

IP Address as PII

New York Judge Gary Brown explains in great detail why an IP address is not sufficient evidence to identify copyright infringers.

That decision, quoted from a Torrent Freak article, could end up as a watershed moment for those accused of copyright infringement, since most complaints are based on evidence that connects the defendant to an IP address. If, all of a sudden, the RIAA, MPAA or studios can't use that as primary evidence, then much (if not most) of their ability to go after pirates dries up.

That, in and of itself, is interesting, but it started me thinking about possible wider implications. Many information security specifications, frameworks and regulations require that we protect the end user's IP address. Offhand I know both HIPAA and some NIST frameworks explicitly state that IP addresses should be considered personal information and therefore require special protection. To that end I commented the following on Hacker News in regard to the story:

This is an important decision not only from a "piracy" perspective but from a "privacy" and "information security" view as well. Many US laws and regulations revolve around protecting personally identifiable information (PII). If this judge's conclusions stick then we have some freedom from having to protect IP addresses, which show up in just about everything we log and collect.

That could be gigantic to those who deal with HIPAA, PCI, GLBA, etc. Although I guess this has no impact on the European Union regulations and what they consider PII -- those are much tougher to deal with anyway.

However, when I started to poke around looking into how this judge's conclusions could actually impact existing laws and regulations, I came up short. In fact, other than HIPAA, I couldn't find it explicitly stated that IP addresses alone required protection. (Although, to be honest, I didn't look that hard.) I did find that back in 2008 European regulators specifically debated whether IP addresses should be treated as PII, but that looks like it went nowhere.

I guess, in the end, while this deals a blow to those chasing pirates it's not quite as groundbreaking as I had originally suspected. It should be noted though that it is a gray area and doesn't change the fact that while IP address is generally anonymous and not personally identifiable inform
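Whatever the courts decide about IP addresses as evidence, the practical point in the post stands: they are in nearly every log we keep, and where a regime such as HIPAA treats them as personal information the cheapest fix is to stop storing the raw value. The block below is an added example, not from the post, showing the two approaches practitioners usually reach for: truncating the address to its network prefix (so only the /24 or /48 survives) and replacing it with a keyed HMAC pseudonym (so one client can still be correlated across lines without the real address being kept). The Apache-style log lines and the key are constructed; the /24 and /48 prefix lengths are a common convention, not a figure taken from any regulation named above.

```python
"""Pseudonymize IP addresses in log lines.

Added example, not from the post.  Two complementary approaches for logs
that may be treated as PII: truncation (zero the host bits so only the /24
or /48 network survives) and keyed pseudonymization (an HMAC so one client
can still be correlated across lines without storing the real address).
The log lines and the key are constructed for illustration; the /24 and
/48 prefix lengths are a common convention, not a regulatory requirement.
"""
import hashlib
import hmac
import ipaddress
import re

_TOKEN = re.compile(r"\S+")
_PUNCT = "[](),;\"'<>"   # wrappers often found around addresses in logs


def mask_ip(ip_str, v4_prefix=24, v6_prefix=48):
    """Truncate an address to its network prefix (e.g. 203.0.113.77 -> 203.0.113.0)."""
    addr = ipaddress.ip_address(ip_str)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip_str, key):
    """Deterministic keyed pseudonym: HMAC-SHA256 over the canonical address,
    truncated to 16 hex chars.  Same key + same address -> same pseudonym."""
    canonical = str(ipaddress.ip_address(ip_str)).encode()
    return "ip-" + hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def _rewrite_token(token, key):
    """Rewrite a single whitespace-delimited token if it is an IP address."""
    core = token.strip(_PUNCT)
    try:
        ipaddress.ip_address(core)
    except ValueError:
        return token           # not an address (status codes, dates, paths...)
    replacement = pseudonymize_ip(core, key) if key else mask_ip(core)
    return token.replace(core, replacement, 1)   # keep surrounding punctuation


def scrub_log_line(line, key=None):
    """Replace every IPv4/IPv6 address in the line: masked when no key is
    given, pseudonymized with the key otherwise."""
    return _TOKEN.sub(lambda m: _rewrite_token(m.group(0), key), line)


# Constructed Apache-style access log lines (client addresses from the
# documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32).
SAMPLE_LOG = [
    '203.0.113.77 - - [06/May/2012:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.77 - - [06/May/2012:10:15:40 +0000] "GET /login HTTP/1.1" 302 0',
    '2001:db8:abcd:12::1 - - [06/May/2012:10:16:01 +0000] "POST /api HTTP/1.1" 201 88 "X-Forwarded-For: 198.51.100.9"',
]

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"   # constructed; a real key belongs in a secret store
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
        print(scrub_log_line(line, demo_key))
```

Truncation is irreversible and needs no key management, but it also destroys the ability to tell two clients on the same /24 apart; the HMAC keeps that ability for the key holder, so the key must be protected and rotated like any other secret, and rotation deliberately breaks correlation across the rotation boundary. Tokenizing on whitespace and validating with `ipaddress` handles IPv4 and IPv6 alike and leaves status codes and timestamps untouched.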

May 05

Upcoming Events

Just a reminder you can now sign up for my BrightTalk presentation on May 22nd, and another as a panelist on May 24th (Hey You! Get Off of My Cloud! -- Identity and Access Issues in the Cloud). You can also see me presenting at the 2012 Security Congress this Fall.

On another note I've published the landing page for my forthcoming book -- Startup Privacy: The Entrepreneur's Guide to Privacy. It's still a bit of a work in progress but check it out. I'm super excited (and nervous) about this ebook project and I'm hoping to have it ready for sale in June. Stay tuned.

Apr 27

Privacy Laws and Regulations 101

To end my series of posts on privacy basics I'm going to provide a brief summary of what I feel are the most important privacy laws and regulations for a non-lawyer to understand. You should work to internalize these as best you can so that future decisions take these restrictions into account.

As a baseline for your perspective it is important to understand that the US is far behind much of the world when it comes to legislation that protects its citizens' privacy. For a visual illustration of this take a look at Forrester's Privacy Heat Map. You'll see that the US is "cold" indeed -- the US is on the same level as Russia.

Having said that, the US does have an unusually long list of laws and regulations in place, but they tend to focus on very specific things rather than take a holistic view of privacy. So while most of the text of this post is devoted to US law, keep in mind that the US is far more libertarian (a.k.a. "free market") in its approach than the rest of the developed world.

United States

The Privacy Act of 1974 was established to protect citizens' data against misuse by federal agencies. The Act governs the collection, maintenance, use, and dissemination of personally identifiable information. It prohibits the disclosure of information without the written consent of the individual although there are some exceptions. The Act also provides means for individuals to seek access to and update their records.

HIPAA - The Health Insurance Portability and Accountability Act established national standards for the protection of electronic health records. With regard to privacy, the HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) by specific entities. PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. The Rule outlines specific cases where disclosure is permitted and sets requirements for obtaining written authorization from the individual for other disclosure. It also states that when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

Like the Privacy Act of 1974, the HIPAA Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. In addition it requires covered entities to notify individuals of uses of their PHI and keep track of disclosures of PHI and document privacy policies and procedures.

HITECH Act - The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, addresses the privacy and security concerns associated with the electronic transmission of health information. The HITECH Act requires HIPAA covered entities to report data breaches affecting 500 or more individuals to HHS and the media, in addition to notifying the affected individuals.

GLBA - The Gramm–Leach–Bliley Act eliminated the restrictions on consolidation among commercial banks, investment banks, securities firms, and insurance companies, repealing part of the Glass–Steagall Act of 1933. Part of GLBA is the Financial Privacy Rule, which requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and then annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties.

COPPA - The Children's Online Privacy Protection Act applies to the online collection of personal information by persons or entities in the US from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under 13. Under the Act children under 13 can legally give out personal information with their parents' permission.

CAN-SPAM - The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 establishes requirements for those who send commercial email, spells out penalties for spammers and for companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. It bans false or misleading header information and prohibits deceptive subject lines. It requires that commercial email give recipients an opt-out method. It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address.

The Consumer Privacy Bill of Rights announced by President Obama earlier this year does not by itself establish any new laws or regulations. Rather it summarizes current law and asks Congress to consider new laws in certain areas, but most of the bill is about best practices that the FTC wants companies to follow. These best practices are organized in a three-part framework: privacy by design, which means building privacy into your products and practices from the beginning; simplified choice for consumers; and greater transparency about data practices.

European Union

I'm going to skip over the currently active Data Protection Directive in favor of summarizing the newly proposed regulations, since in the next year or so they will supersede the current directive.

The Data Protection Rule, announced earlier this year, outlines proposed reforms of the EU's 1995 data protection rules. The proposed rules still have to navigate the European Parliament and EU Council of Ministers for discussion, so they may still change, but the basics of the proposal are as follows.

  • EU rules would apply to any personal data handled abroad by organizations that are active in the EU market and offer their services to EU citizens.
  • Organizations that plan on gathering personal data would have to get explicit consent from data subjects.
  • Individuals will have a right to be forgotten requiring organizations to delete data on the person upon request if there are no legitimate grounds for retaining it.
  • Organizations would be expected to notify the proper authorities within 24 hours of detecting a data breach and communicate to the data subjects without delay.
  • Organizations would be exposed to penalties of up to €1 million or up to 2% of the global annual revenue of a company.

Canada

PIPEDA - The Personal Information Protection and Electronic Documents Act governs how private sector organizations collect, use and disclose personal information. The law gives individuals the following rights:

  • Know why an organization collects, uses or discloses their personal information
  • Expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented
  • Expect the personal information an organization holds about them to be accurate, complete and up-to-date, have access to their personal information, and ask for corrections if necessary

The law also obligates organizations to the following:

  • Obtain consent when they collect, use or disclose an individual's personal information
  • Supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction
  • Have personal information policies that are clear, understandable and readily available.

The Rest of the World

It is very US-centric of me to lump the rest of the world together, but I'm doing it anyway, mostly because I've covered the large markets of my readership that have applicable privacy laws. It is important to recognize, though, that countries like Australia, Mexico and Argentina have very robust privacy laws in place, and if you are establishing businesses in those countries, or any country for that matter, you need to understand your obligations.

I will end this round-up with a bit of perspective of how some governments view their role in protecting their citizenry. On the somewhat poorly translated greetings page of the Korean Internet Security Agency they lay out a fairly ambitious vision.

Nowadays, thanks to the internet, a variety of new services have become a part of our lives, and so the number of victims of abusive comments or false rumors has increased. Due to the Internet's anonymity, cyberbullying has gone beyond a tolerable level and some victims have even committed suicide. Encouraging internet users to behave ethically in cyberspace, and leading them to learn appropriate cyber etiquette, are most needed to create a safe and firm internet world.

...

Korea has been called the courteous country in the East. From now on, our mission of the 21st century is to lead the internet culture as a globalized digital courteous country. We took over an excellent cultural heritage, manners, and social order from our ancestors. It is the time that we establish the right digital culture and endeavor to leave it to our descendants.

...

We, KISA, will work with our enthusiasm to build a road for people who use the internet to enter into a warm and comfortable digital world.

Pretty heady stuff and reflects the views of the Korean government where they assume a high level of responsibility to protect their citizenry. This sentiment is shared in many places around the world, just not here in the US.

© Jeff Northrop 2011   |   Privacy Statement   |   Contact Me