Jeff Northrop

Privacy and security



BrightTalk Presentation

I just wrapped up my BrightTalk presentation on privacy. Feedback was generally good but I received a number of comments that I was too abstract. I really wish I had more time to go into details but I only had 45 minutes! I encouraged listeners to hit me up with questions via email and I hope they take me up on the offer.

It was fun and I would do it again, although it was a bit of a challenge to maintain enthusiasm when I was just speaking into a phone staring at my computer. Check the recording and let me know what you think.



Facebook IPO and the Fate of Our Economic Recovery

I’m going to be watching the Facebook IPO closely. I feel the underpinnings of our fragile economic recovery rest on Facebook’s success. I know many people are hoping for Facebook to fail and come crashing down from the stratosphere. Maybe they don’t like Mark Zuckerberg, or Facebook’s privacy policies, or maybe they just feel the platform is ruining our culture. Whatever the reason, I would suggest those folks take a cold and detached view of how Facebook can affect our economic recovery before wishing too hard.

There is no doubt that Facebook’s IPO is one of the most hotly discussed initial public offerings in recent memory. It will be very closely watched and by most estimates it is expected to do well at open. However, reviews are mixed on the long-term success. I argue we all need to be hoping it is successful whether you like the company or not.

If it is successful at IPO, and...



Myspace Learns the FTC Means Business

In its settlement with Myspace earlier this week, the Federal Trade Commission showed that it is willing to forgive little when it comes to privacy violations. Myspace agreed to settle an FTC lawsuit accusing the company of misrepresenting its protection of personal information. As a result of the settlement, Myspace is required to implement a comprehensive privacy program and will be subjected to 20 years of privacy assessments.

This is the same sort of settlement that both Google and Facebook agreed to last year, so on the face of it, the terms themselves aren’t that surprising. However, when looking a bit deeper into how Myspace violated the privacy of its users, I find it surprising the FTC treated Myspace’s violation on par with Google’s and Facebook’s.

It’s apparent that both Google and Facebook, as accused by the FTC, perpetrated privacy violations on their users as they clearly...



IP Address as PII

New York Judge Gary Brown explains in great detail why an IP-address is not sufficient evidence to identify copyright infringers.

That decision, quoted from a TorrentFreak article, could end up as a watershed moment for those accused of copyright infringement, since most complaints are based on evidence that connects the defendant to an IP address. If, all of a sudden, the RIAA and MPAA or studios can’t use that as primary evidence, then much (most) of their ability to go after pirates dries up.

That, in and of itself, is interesting but it started me thinking about possible wider implications. Many information security specifications, frameworks and regulations require that we protect the end user’s IP address. Off-hand I know both HIPAA and some NIST frameworks explicitly state that IP addresses should be considered personal information and therefore require special protection. To...



Privacy Laws and Regulations 101

To end my series of posts on privacy basics I’m going to provide a brief summary of what I feel are the most important privacy laws and regulations for a non-lawyer to understand. You should work to internalize these as best you can so that future decisions take these restrictions into account.

As a baseline for your perspective, it is important to understand that the US is far behind much of the world when it comes to legislation that protects its citizens’ privacy. For a visual illustration of this, take a look at Forrester’s Privacy Heat map. You’ll see that the US is “cold” indeed – the US is on the same level as Russia.

Having said that the US does have an unusually long list of laws and regulations in place, but they tend to focus on very specific things rather than take a holistic view of privacy. So while most of the text of this post is devoted to US law keep in mind that the US...



Privacy and Our Humanity

I’ve come to the realization that all of the issues surrounding privacy, whether they be political, legal or cultural, are nothing more than a response to fear. This realization is changing my point of view. I’m no longer viewing privacy through a technical, political or legal lens but rather I’m viewing it primarily as a human issue. It’s this new context that has led me to conclude that those that approach privacy through an understanding of our human nature will be the future market leaders. Those that follow the traditional corporate line of doing the minimum to comply with the law will ultimately lose to those with a deeper understanding and a human approach.

I originally wanted this post to detail a method for a “human approach” to privacy but unfortunately I couldn’t find any easy answers, nor a one-size-fits-all methodology. I’m not giving up though. I still want to try to...



Privacy Best Practices

After writing about privacy related topics for months it’s been brought to my attention that although I often touch on privacy best practices I haven’t written a post specifically outlining them. This is going to be that post.

If you’ve been following my blog you should be somewhat familiar with many of the regulations in the European Union, the US and other parts of the world, but putting those aside there are things we should be doing regardless of specific legal and regulatory obligations. Following privacy best practices not only lowers the risk of violating some regulation but can also be a competitive advantage, as it helps build trust among the people who willingly share their personal information with you.

Personal Information

To kick this off, since personal information is at the center of all the best practices, let’s make sure we’re on the same page with the definition...



Preparing for a Data Breach

The increasing frequency of cyber attacks against companies of all sizes and the consequent disclosure of user information gathered by the attacker has led to an explosion of data breach regulations around the world. It’s important for your business to understand what data breach notification is and the expectations set out by data breach laws and regulations.

It’s long been regarded by information security professionals that it’s not a question of “if” you suffer a data breach, it is just a matter of “when.” The inevitability of a data breach makes it a risk you need to understand. Don’t be complacent when there isn’t much of a threat of a data breach: as soon as your service or site becomes the “in thing” and growth booms, that is when you become the likely target. And it is precisely at that time when you don’t have the bandwidth to figure out how to react. Plan ahead and be ready to...



Getting Your Privacy Policy Off The Ground

I’ve been critical of those collecting personal data on their site who don’t offer a privacy policy. The common defense has been “we can’t afford a lawyer.” I’m here to tell you that even if you can’t afford a lawyer you should still have a policy available to users notifying them of what you intend on doing with their data. In this post I’m going to walk you through an inventory method that will give you a solid framework from which you can build a policy.

Note: I am not a lawyer and therefore you should not take what I say as legal advice. You are responsible for the accuracy of your own privacy policy.

Create an Inventory

The process of creating a privacy policy starts with what is probably going to be the most difficult step: You must inventory all of the current and future uses of the personal data you are going to collect, store and/or process. If you are banking on using your...



Creepy App Risks Stepping US Closer to Privacy Legislation

I came across an article today in the New York Times reporting on a smartphone app that uses the location data collected in Foursquare and combines it with Facebook’s social graph to identify women near the user. The article describes it this way:

Girls Around Me uses Foursquare, the location-based mobile service, to determine your location. It then scans for women in the area who have recently checked-in on the service. Once you identify a woman you’d like to talk to, one that inevitably has no idea you’re snooping on her, you can connect to her through Facebook, see her full name, profile photos and send her a message.

You can read in the article title that the app is described as “creepy,” which it is, and that it is a violation of Foursquare’s API policy, but since I assume that the user is consenting to the data mining this app performs, it is legal. Which has me thinking that...
