Saturday, June 28, 2014

Challenges of Privacy and Information Technology

The accelerating pace of technological advance is now an unquestioned reality. It is fundamentally transforming every aspect of our personal and business lives, every industry, and every country across the globe. It is also transforming the notion of privacy itself: what privacy means to the affected stakeholders (individuals, regulators, organizations) and how each party can remain accountable in a world that technology has turned on its head.

One of the most pressing privacy issues related to digital devices today is the increasing ubiquity of bring your own device (BYOD) policies. According to Gartner, by 2018 up to 70% of mobile professionals will be using their smartphones to conduct work. As enticing as BYOD is for an increasing number of organizations, there are two sides to the BYOD coin: heads is increased efficiency; tails is increased risk. And the risks are substantial. In 2014, we expect organizations to continue to deal with a number of privacy challenges related to BYOD. Organizations need to maintain ownership of their information, yet with BYOD that information is stored on devices that sit outside the organization's immediate control. To keep an eye on their data, organizations tend to install monitoring tools on employee smartphones. When implementing these tools, organizations need to be very careful that they monitor only the company's data and do not collect personal information about employees, or about others such as friends and family who may use the device.
Organizations can collect personal information only for a stated purpose, and can use it only for that purpose. Among other things, that means a company that supplies a service cannot sell its list of subscribers to another company's marketing department. Individuals must be informed, and must give their consent, before personal information is collected, used or disclosed. Yet most firms are unaware of the new anti-spam law and very few are prepared to comply. Any organization that already sends commercial electronic messages presumably complies with the privacy law, which requires organizations to obtain user consent, allow users to withdraw that consent, and provide the contact information needed to do so. Compliance with the new anti-spam law involves much the same obligations. While there are some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law are consent, withdrawal of consent (i.e. unsubscribe), and accessible contact information.

While the anti-spam law does create some new obligations, what is not new is the claim that business is unaware of, and unprepared to address, its privacy law obligations.

The IT Act 2000 of India defines a "computer resource" expansively as including a "computer, computer system, computer network, data, computer database or software". This definition is wide enough to cover most intrusions involving electronic communication devices or networks, including mobile networks. Briefly, then, the IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities carried out on a computer resource without the permission of its owner or the person in charge of it, many of which impinge on privacy directly or indirectly:
accessing or securing access to the computer resource;
downloading, copying or extracting data;
introducing a computer contaminant or computer virus;
causing damage to the computer resource or to data residing on it;
disrupting the computer resource;
denying access to an authorised person;
facilitating access by an unauthorised person;
charging the services availed of by one person to the account of another;
destroying or diminishing the value of information;
stealing, concealing, destroying or altering source code with an intention to cause damage.
The Act provides the civil remedy of "damages by way of compensation" for harm caused by any of these actions (Section 43). In addition, anyone who "dishonestly" or "fraudulently" does any of these acts is liable to imprisonment for a term of up to three years, or a fine of up to five lakh rupees, or both (Section 66).

In the N G Arun Kumar case of November 2009, the Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore, to one year of rigorous imprisonment and a fine of Rs 5,000 under Section 420 IPC (cheating) and Section 66 of the IT Act (hacking). Investigations had revealed that Kumar was logging on to BSNL broadband Internet connections as if he were the authorised user and 'made alteration in the computer database pertaining to broadband Internet user accounts' of the subscribers. The CBI registered a cyber crime case against Kumar and carried out its investigation on the basis of a complaint by the Press Information Bureau, Chennai, which had detected the unauthorised use of broadband Internet. The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar's wrongful act. He used to 'hack' accounts from Bangalore as well as from Chennai and other cities.

In 2014, as organizations begin to think about the endless possibilities associated with the “internet of things” — nanotechnology, product sensors, sensor-driven analytics and sophisticated tracking capabilities — they also need to think about the privacy risks. There is a strong possibility, for example, that when an organization embeds a tracking mechanism into a product or service, it has not first sought the permission, either implicit or explicit, of the consumers being tracked. And when consumers find out, chances are they’re going to be irate. These kinds of privacy gaffes erode the very trust many organizations are attempting to cultivate to create the ultimate customer experience.
There is no question that the internet of things holds huge promise for an organization to improve its strategy and business models, generate efficiencies and lower costs. However, this promise needs to be balanced against the privacy that consumers innately expect, and the privacy that they will demand alongside their customized customer experience. In 2013, participants at the 35th International Conference of Data Protection and Privacy Commissioners continued their progress by adopting eight new declarations and resolutions that delved deeper into the issues raised the year before. Four resolutions focused on technology challenges (appification, profiling, digital education and web tracking), two addressed better coordination among jurisdictions (enforcement coordination and international law), and one urged greater transparency about what data organizations are collecting and why (openness).
At a more granular level, many government bodies at federal and state levels are continuing to update their breach notification laws. Unfortunately, the massive intelligence leak by former US intelligence contractor Edward Snowden has cast a pall on international cooperation. In fact, the Snowden affair has so eroded trust among nations that the European Union is considering a motion to suspend the US–EU Safe Harbor Framework. Once a respected mechanism for US organizations to provide adequate protection for personal data of EU residents, as required by the European Union's Directive on Data Protection, the Framework now lies in limbo. This leaves Binding Corporate Rules (BCR) as one of the few frameworks available to global organizations seeking to transfer the data of EU residents across borders.
In 2013, a number of jurisdictions around the world improved or expanded their privacy regulations. We expect similar progress to occur around the world in 2014. With the emerging global digital economy and the increasing popularity of cloud computing services, legislation that reinforces trust in the market will be a key driver of business growth. Developments include the following:
Brazil: Brazil seeks to mandate that global internet providers store data gathered from Brazilian users within Brazil.
Canada: Bill C-475, working its way through Parliament, would unify and strengthen the country’s approach to breach notification.
US: Although US lawmakers continue to push for a federal data breach notification law, Congress continues to debate whether federal law should supersede state laws.
Australia: In late 2012, the Australian Parliament passed the Enhancing Privacy Protection Act. The Act is set to take effect in 2014.
China: In late 2012, China’s standing committee of the National People’s Congress approved a directive that strengthened online personal data protection. That directive came into force in February 2013.
Singapore: Singapore's Personal Data Protection Act 2012 came into force in stages during 2013 and 2014.
EU: Under a regulation applicable from August 2013, European electronic communications service providers are now required to notify their national authority of a personal data breach within 24 hours of detection, and to notify affected individuals as well.
EU: Proposed in 2012 and expected to pass in 2014, the EU General Data Protection Regulation is designed to simplify and strengthen the European Union's data protection framework. Instead of adhering to requirements from 27 individual data protection authorities, organizations will only have to address one set of data protection rules.

One solution to the BYOD problem, which is becoming more feasible as smartphones become more powerful, is partitioning the device. This would allow employees to operate two separate desktops, one for work and one for personal use, so that monitoring tools can be confined to the work partition. Another option is a guest network that is separate from the main network. Organizations could create a "sandbox" where company data would reside, separated from any association with personal data, applications or online services.

Organizations also need to be vigilant when collecting data from social media. Consumers voluntarily provide intimate details about themselves. Organizations need to respect their privacy, even when the consumers themselves do not, by anonymizing the data before using and sharing it. Anonymized data can still provide deep insights into trends and opportunities, but with a much smaller privacy impact.
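As an added example, not part of the original post: a small Python script showing what "anonymizing before sharing" actually involves. It demonstrates that an unkeyed hash of an e-mail address is not anonymization (it is reversed with a dictionary of candidate addresses), how a keyed HMAC pseudonym differs, and how quasi-identifiers such as age and postcode are generalized and small groups suppressed so that each released row is indistinguishable from at least k others. The records, the generalization rules and the threshold k are constructed for illustration and are not drawn from any real dataset.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample "profile" records (not real people), standing in for
# data harvested from social media before it is handed to analysts.
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "interest": "cycling"},
    {"email": "bob@example.com",   "age": 37, "postcode": "SW1A 2BB", "interest": "cycling"},
    {"email": "carol@example.com", "age": 31, "postcode": "SW1A 3CC", "interest": "running"},
    {"email": "dave@example.com",  "age": 58, "postcode": "EH1 1YZ",  "interest": "golf"},
]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of an address. It looks anonymous but is not: anyone
    holding a list of candidate addresses can hash them and match."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Reverse an unkeyed hash by hashing every plausible input and comparing."""
    for cand in candidates:
        if hmac.compare_digest(naive_hash(cand), token):
            return cand
    return None


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Stable, so rows can still be joined
    internally, but unrecoverable by a recipient who does not hold the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def generalize(record: Dict) -> Dict:
    """Coarsen the quasi-identifiers that could single a person out:
    exact age -> 10-year band, full postcode -> first three characters.
    (Assumed rules for this example; real rules depend on the dataset.)"""
    band = (record["age"] // 10) * 10
    return {
        "age_band": f"{band}-{band + 9}",
        "area": record["postcode"].replace(" ", "")[:3],
        "interest": record["interest"],
    }


def k_anonymize(records: List[Dict], key: bytes, k: int) -> List[Dict]:
    """Build the dataset that may leave the organization: HMAC pseudonym plus
    generalized attributes, with every equivalence class (identical age_band
    and area) of fewer than k rows suppressed. The raw e-mail never appears."""
    rows = []
    for rec in records:
        row = generalize(rec)
        row["id"] = pseudonymize(rec["email"], key)
        rows.append(row)
    classes = Counter((r["age_band"], r["area"]) for r in rows)
    return [r for r in rows if classes[(r["age_band"], r["area"])] >= k]


if __name__ == "__main__":
    # The key must stay inside the organization: whoever holds it can re-identify.
    key = secrets.token_bytes(32)
    emails = [r["email"] for r in RECORDS]

    token = naive_hash("alice@example.com")
    print("unkeyed hash reversed to:", dictionary_attack(token, emails))

    pseudo = pseudonymize("alice@example.com", key)
    print("keyed pseudonym reversed to:", dictionary_attack(pseudo, emails))

    for row in k_anonymize(RECORDS, key, k=2):
        print(row)
```

With k=2 the three SW1 records in their thirties survive as one group of three and the single EH1 record is suppressed, because a lone row in a group of one is exactly the kind of "trend" that identifies a person. Two caveats a practitioner should keep in mind: the pseudonym column still lets the key holder re-identify rows, so the data is anonymous only to parties that never receive the key; and the k check is only as strong as the list of quasi-identifiers, so any attribute a recipient could link to an outside source must be included in the equivalence class.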
