There are enormous benefits from big data analytics, but also massive potential for exposure. Here's how to protect yourself and your employees
The collection and manipulation of big data,
as its proponents have been saying for several years now, can result in
real-world benefits: Advertisements focused on what you actually want
to buy; smart cars that can call for an ambulance if you're in an
accident; wearable or implantable devices that can monitor your health
and notify your doctor if something is going wrong.
It is just as obvious that such detailed information, in the hands of
marketers, financial institutions, employers and government, can affect
everything from relationships to getting a job, qualifying for a loan
or even getting on a plane.
And so far, while there have been
multiple expressions of concern from privacy advocates and government,
there has been little to update privacy protections in the online,
always connected world.
It has been almost three years since the Obama administration published what it termed a Consumer Privacy Bill of Rights (CPBR),
in February 2012. That document declared that, "the consumer privacy
data framework in the U.S. is, in fact, strong … (but it) lacks two
elements: a clear statement of basic privacy principles that apply to
the commercial world, and a sustained commitment of all stakeholders to
address consumer data privacy issues as they arise from advances in
technologies and business models."
And, as Susan Grant, director
of consumer privacy at the Consumer Federation of America (CFA), puts
it, the CPBR is, "not a bill. It has never been a piece of legislation.
We need to have something offered, to talk about – at least somewhere to
start."
Meanwhile,
organizations like the CFA and Electronic Privacy Information Center
(EPIC), and individual advocates like Rebecca Herold, CEO of The Privacy
Professor, have enumerated multiple ways that big data analytics can
invade the personal privacy of individuals. They include:
1. Discrimination
According to EPIC, in comments last
April to the U.S. Office of Science and Technology Policy, "The use of
predictive analytics by the public and private sector … can now be used
by the government and companies to make determinations about our ability
to fly, to obtain a job, a clearance, or a credit card. The use of our
associations in predictive analytics to make decisions that have a
negative impact on individuals directly inhibits freedom of
association."
Herold, in a post on
SecureWorld, noted that while overt discrimination has been illegal for
decades, big data analytics can make it essentially "automated," and
therefore more difficult to detect or prove.
In an interview,
Herold said current discrimination law is, "vague, narrowly defined, and
from the applications of it I've seen, depends upon very explicit and
obvious evidence.
"Big data analytics provides the ability for
discriminatory decisions to be made without the need for that explicit
and obvious evidence," she said.
That can affect everything from employment to promotions to fair housing and more.
Edward
McNicholas, global co-leader of the Privacy, Data Security, and
Information Law Practice at Sidley Austin LLP, said he thinks some of
the potential risks of big data are overstated, but believes, "the most
significant risk is that it is used to conceal discrimination based on
illicit criteria, and to justify the disparate impact of decisions on
vulnerable populations."
2. An embarrassment of breaches
By now, after catastrophic data breaches at multiple retailers like Target and Home Depot,
restaurant chains like P.F. Chang's, online marketplaces like eBay,
government agencies, universities, online media corporations like AOL
and the recent hack of Sony that
not only put unreleased movies on the web but exposed the personal
information of thousands of employees, public awareness about credit
card fraud and identity theft is probably at an all-time high.
But
in addition to that, there are numerous reports of big data analytics
being used to expose personal details, such as beginning to market
products to a pregnant woman before she had told others in her family.
The same can be true of things like sexual orientation or an illness
like cancer.
3. Goodbye anonymity
Herold
argues that without rules for anonymized data files, it is possible that
combining data sets, "without first determining if any other data items
should be removed prior to combining to protect anonymity, it is
possible individuals could be re-identified."
She adds that if
data masking is not done effectively, "big data analysis could easily
reveal the actual individuals who data has been masked."
4. Government exemptions
According
to EPIC, "Americans are in more government databases than ever,"
including that of the FBI, which collects Personally Identifiable
Information (PII) including name, any aliases, race, sex, date and place
of birth, Social Security number, passport and driver's license
numbers, address, telephone numbers, photographs, fingerprints,
financial information like bank accounts, employment and business
information and more.
Yet, "incredibly, the agency has exempted itself from Privacy Act (of
1974) requirements that the FBI maintain only, ‘accurate, relevant,
timely and complete' personal records," along with other safeguards of
that information required by the Privacy Act, EPIC said.
5. Your data gets brokered
Numerous
companies collect and sell, "consumer profiles that are not clearly
protected under current legal frameworks," EPIC said.
There is also little or no accountability or even guarantees that the information is accurate.
"The
data files used for big data analysis can often contain inaccurate data
about individuals, use data models that are incorrect as they relate to
particular individuals, or simply be flawed algorithms," Herold said.
***
Those
are not the only risks, and there is no way to eliminate them. But
there are ways to limit them. One, according to Joseph Jerome, policy
counsel at the Future of Privacy Forum (FPF), is to use big data
analytics for good – to expose problems.
"In many respects, big
data is helping us make better, fairer decisions," he said, noting that
an FPF report with the Anti-Defamation League showed that, "big data can
be a powerful tool to empower users and to fight discrimination. It can
be used as a sword or a shield. More data can be used to show where
something is being done in a discriminatory way. Traditionally, one of
the biggest problems in uncovering discrimination is a lack of data," he
said.
Government can also help. There is general agreement among
advocates that Congress needs to pass a version of the CPBR, which calls
for consumer rights to:
- Individual control over what personal data companies collect from them and how they use it.
- Transparency, or easily understandable and accessible information about privacy and security practices.
- The collection, use, and disclosure of personal data to be done in ways that are consistent with the context in which consumers provide the data.
- Security and responsible handling of personal data.
- Access to their personal data in usable formats, with the power to correct errors.
- Reasonable limits on the personal data that companies collect and retain.
Among those rights, Joseph said he thinks context is important.
"If I buy a book on Amazon, that book probably shouldn't be used to make
health decisions about me," he said. "When we've seen companies get in
trouble on privacy, it's been because they've used information given to
them for one purpose for some other reason altogether."
But, there
is also general agreement that, given the contentious atmosphere in
Congress, there is little chance of something resembling the CPBR being
passed anytime soon.
That doesn't mean consumers are defenseless,
however. Donna Wilson, a litigation attorney specializing in privacy and
data security risks and issues at Manatt, Phelps & Phillips, said
consumers, "need to take a strong measure of responsibility and
consciously decide with whom they will share their information and for
what purposes."
That,
she said, means consumers need to force themselves to do what almost
nobody does: Read privacy policies and terms of service agreements.
"If
consumers do not agree with what the business intends to collect, or
how it intends to use the information, they can choose not to patronize
that business," she said.
Joseph said even if users don't read an
entire policy, they should, "still take a moment before clicking ‘OK' to
consider why and with whom they're sharing their information. A recent
study suggested that individuals would give up sensitive information
about themselves in exchange for homemade cookies."
McNicholas
agrees that consumers, collectively, have some power. "New technologies
that include detailed privacy controls, such as those on Facebook, and
just-in-time notices, like the Apple requests to use location, should be
rewarded by the marketplace," he said.
Herold offers several other individual measures to lower your privacy risks:
- Quit sharing so much on social media. "If you only have a few people you want to see photos or videos, then send directly to them instead of posting where many can access them," she said.
- Don't provide information to businesses or other organizations that are not necessary for the purposes for which you're doing business with them. Unless they really need your address and phone number, don't give it to them.
- Use an anonymous browser, like Hotspot Shield or Tor (The Onion Router) when visiting sites that might yield information that could cause people to draw inaccurate conclusions about you.
- Ask others not to share information online about you without your knowledge. "It may feel awkward, but you need to do it," she said.
No comments:
Post a Comment