Reviewing the Future of Reputation

Daniel Solove called on bloggers with an interest in privacy to drop him a note, and he would send a copy of his latest book for review.  The only condition was that you posted a review.  So here is mine.

Solove is on a mission to get people thinking about privacy who haven’t really thought about it before. Anyone who has a Facebook profile, a blog, or who posts photos online, or has friends and family who do, ought to read it. As a very successful blogger himself, he brings a practical perspective to the topic of gossip, ‘rumor’ and privacy on the Internet.

It would be a good book for parents to read, as it would enable them to understand the MySpace etc. dangers and benefits better. It is accessible enough that a teenager could learn from it, without being bored by a lot of legal rhetoric. Solove writes well, with a deft touch. It isn’t a dense academic book, although Solove is a highly respected privacy academic. Legal types may wish for more depth, but if so, then head over and read this.

The book works because it uses lots of anecdotes to explain complex issues simply. It covers the awkward and subtle tensions between privacy and First Amendment freedom of speech brilliantly. It also provides an excellent quick tour through US privacy law history. (Curious, though, that I didn’t see Roe v Wade mentioned.)

Most of my own research into privacy has been about government and big business.  Solove makes the powerful point that there is a significant threat from your friends, lovers and colleagues too.

He effectively challenges the binary private-public divide, arguing coherently that we need to understand shades of confidentiality and exposure, and uses the Burning Man event, Washingtonienne, Article III, and other incidents to illustrate this. He eloquently explains the paradox that we need greater privacy and recourse against unwanted exposure if freedom of speech is to thrive. The dangers of vigilantism and shaming are given close attention.

He briefly touches on the power of technology to aid privacy protection, but he could have explored this in more depth. He did call on social networking tools to offer stronger privacy defaults. This is good advice. I would have liked more on the copyright analogy.

My only significant gripe was that the book is very US and tort centric. It made passing mention of UK tort, but it made no mention of European Data Protection Law, nor of the right to privacy in the Universal Declaration of Human Rights or other significant legal instruments.

He is more positive than I am about the future of privacy. 

In short, buy it.

Google applies analytics to HR

Over the last 100 years or so, organisational psychology has developed a number of methods and tests to assess personality and competency. Yet despite lots of scientific evidence that proves these tests are dramatically more effective than interviews as a selection technique, most managers dismiss psychometric testing as hocus-pocus. Yahoo’s position is, sadly, all too common.

“Yahoo does not use tests, puzzles or tricks, etc., when interviewing candidates,” Jessie Wixon, a spokeswoman for Yahoo, said.

Perhaps Jessie should have a chat with my friend Adrian Furnham, one of the world’s leading psychologists and author of masses of books, including this one.

It is great to read that Google are applying testing to their recruitment processes. Mr Bock from Google is spot on. Interviews and academic scores suck as predictors for employee success.

I picked this up from James and Jon Battelle’s search blog.

Deriving Talent, Algorithmically

How will Google scale its massive hiring ramp-up while maintaining its famously intricate screening process for ‘Googley’ employees? With an algorithm of course.

After months of interviewing their employees to decipher trends in personality and interests that mark Googlers, Google has ‘derived’ a complex hiring questionnaire. Google will begin using the surveys with all applicants this month.

I hope Google based this algorithm on valid, fair, reliable psychological research that deals with issues of culture and gender bias in testing, and that the results are treated with the privacy they deserve. If they have, you can forget about gaming it. (If you are interested in seeing similar tests, check out SHL.) Judging from the NYT article it looks as if they have applied some psychological rigour to it, but if anyone has any more info please drop me a comment or an email.

So, my HR readers, if you have pushback from line managers who think testing is nonsense, then quote them the Google example.

Also, Google, you might have a brilliant HR product here; I’m just not sure that I want my Neo Disc, Myers Briggs and 16pf scores in your cloud.

I wonder how the cosy world of HR testing products would cope with Google muscling in?


Counterpane and SAP

As part of my pre-global-warming-glacier-pace academic efforts I read quite a lot of stuff on application security. I’m just about to send the final version of a paper to the Computer Law and Security Report. It has taken ages to write. How come blog posts can be churned out in minutes but papers take months?

Bruce Schneier, the CTO of Counterpane, is arguably the most famous security guy around. His blog is well worth reading, covering such topics as forging a boarding pass, airport security and surveillance as art. His books and heavier stuff are a must if you are interested in security, privacy and so on. If you are interested in this space, also read Jeff Jonas.

Bruce’s company, Counterpane, has announced a new solution:

Counterpane Introduces Integrated Application Monitoring & Security Auditing for SAP Platform, Empowers Enterprises to Defend Against Unauthorized Activity on SAP Applications
Technological innovations coupled with proven correlation logic and security expertise ensure customers improved compliance, enhanced security posture and prevention of financial loss

Mountain View, CA – October 2, 2006 – Counterpane Internet Security, Inc., The Managed Security Company and the authority on enterprise security, today unveiled Integrated Application Monitoring & Security Auditing for SAP Platform, a new data security solution that leverages its industry leading Managed Security Services.

I’ll be interested to see how this fits together or competes with the SAP GRC offering.  But anyway, having the world’s top security experts helping customers avoid attacks is indeed goodness. I’ll have to ask Frank, he actually does SAP security as his day job.

I also read that they have been acquired by BT Global Services.  Ovum provides comment here.  Interesting that a UK telco firm is acquiring them. (Imagine the reaction if it had been a Chinese telco)


Once more unto the breach, dear friends, once more

Second life suffers real world breach

“Second Life,” the fast-growing online site where hundreds of thousands of people play out fantasy lives online, has suffered a computer security breach that exposed the real-world personal data of its users.

Or to abuse the bard further, there is something rotten in the state of online. Almost every day, I read of major lapses in security and privacy. Whether it is a bank throwing stuff away it shouldn’t, or the AOL debacle, or laptops left in the back of cars with James Bond’s details on. (I read these every day because I get an interesting newsletter from the Privacy association!)

Back to Second Life and stuff. At the recent Geeklaw (GIKII) conference, Nic Suzor, from QUT Law School in Oz, presented a paper on Governance in Virtual Environments. (The slides don’t do the presentation justice, but do check out the naked gnome protest.)

Nic raised the point that some people spend a lot of time in these worlds, up to 60 hours a week, and they have very few rights or protections.

Contractual terms like this worry me.

Linden Lab has the right at any time for any reason or no reason to suspend or terminate your Account, terminate this Agreement, and/or refuse any and all current or future use of the Service without notice or liability to you. In the event that Linden Lab suspends or terminates your Account or this Agreement, you understand and agree that you shall receive no refund or exchange for any unused time on a subscription, any license or subscription fees, any content or data associated with your Account, or for anything else.

If you are going to spend half your life somewhere, at least check the T&Cs. Would you sign that if you were buying somewhere to spend your weekends?

It is true that big companies often mess up with privacy. But I also worry about much of the web 2.0ish stuff that simply ignores privacy laws altogether.

I like the fact that the FTC is handing out some fines.

The Federal Trade Commission announced a $1 million settlement with the social networking site on Thursday, the largest penalty levied to date under the Children Online Privacy Protection Act.

And earlier this year.

Data broker ChoicePoint Inc. yesterday agreed to pay a $10 million federal fine over security breaches that exposed more than 160,000 people to possible identity theft. Privacy experts praised the settlement as a warning to companies to get more serious about protecting sensitive information.

The Alpharetta, Ga.-based company, one of the nation’s largest buyers and sellers of personal information such as Social Security numbers, birth dates and addresses, also agreed to pay $5 million into a fund to compensate people who suffered as a result of the breaches.

I also like the fact that some consumers are beginning to take things a little more seriously themselves too. Look at the Facebook saga.

I’d suggest that anyone planning to collect personal data get their act together, sort out your policy, and make sure you enforce it. And while you are at it, put together some T&Cs that respect the on-line and off-line rights of your customers. Just because you are some hip new 2.0 thingy doesn’t mean the law doesn’t apply to you.

I wonder how many social networks or virtual worlds have notified the UK data protection authorities when processing personal data about UK citizens. I wonder how many the IC will prosecute for not doing so.


From my head to paper…RFID and the long and winding

I have been plodding away at my PhD for some time. In between work, family, the bicycle and this blog, I have been reading and thinking about compliance and enterprise applications for the past 3 years or so.  That must change, as unless I start writing something soon, I will have forgotten all the stuff I have read and thought. I need to write it down so that I can inflict it on others….

In an attempt to kick start this process, I’m presenting at the GikII Workshop, which is part of the VI World Computer Law Conference and led by Lilian Edwards, a leading computer law academic. Lilian has an entertaining blog on computer law stuff, which is no mean feat. She links to the House of Lords discussion on pervasive computing at Kim Cameron’s identity blog, another good read.

Lord Campbell of Alloway: My Lords, will the Minister explain what pervasive computing is?

Lord Sainsbury of Turville: Yes, my Lords. This is an interesting subject. Some microprocessors now have in-built communication facilities. The most obvious example of that is radio identification. I do not suppose that the noble Lord ever goes to the back of his local supermarket, but if he did he would see that packages that are brought in have an identification code that can be read electronically without taking the goods off the pallet. That is done by radio communication and is an enormous step forward in efficiency. The same principle applies to smart keys; one can open a car door from a range of three feet with a smart key, using the same technology.

Note that it is Lord Sainsbury speaking; I wonder if he is any relation?

If you read the whole discussion though, you will see that despite the formal lingo and funky dress code, these Lords are bang on the money….compare that to Senator Stevens….

Back to the long and winding.. My simple method for self-motivation is to set myself up for ridicule. By the first week of September I need to articulate my thoughts into something vaguely coherent, or I will be pelted by the academic tomato. If you’d like to attend, the details are available here. The rest of the agenda looks really interesting, including a talk on open source killer robots.

If there are any privacy gurus out there, please drop me a note. You guys tend to be quite hard to find.

Environment, privacy, net-neutrality, myspace, Google and regulation…

Bit of a rant this….. 

Al Gore has done a fabulous job of highlighting environmental issues, especially in the US. I’m yet to see his movie, but I will. While at university in the 1980s, a common bumper sticker on a battered student chariot was “my other car is a Porsche”; today it is probably “my other car is a Prius”. The more people are aware of the problems we face, the more likely things are to change. Here in Germany, we are big on recycling, green power and so on, but there is much more we could do.

This post is not about the physical environment though, it is about our on-line one. As we all know, Al invented the Internet, so it is apposite that I try to bring his enviro concepts into the web world. Other than using a lot of clean power (see Carr’s post on Google’s power plant), information companies don’t create environmental damage, do they? Well actually they do, but in a different way.

Just as smokestack industries, cars etc. damage the analogue environment, in the digital world spam, fraud, bugs, on-line child porn, online stalking and grooming, identity theft and privacy intrusions threaten our quality of life. Technology creates new threats, and sometimes makes real world ills easier to perpetrate.

I’m glad that Karl Benz built the first car. (Actually his first factory was in the village where I live, Ladenburg.) I’m also glad that the National Traffic and Motor Vehicle Safety Act was passed in the US, despite the opposition of the car industry.

Information companies create injuries to our privacy, either intentionally, perhaps through carelessness, or because the tools they use aren’t up to the job, or because market forces drive them to do so. Read this paper by Hirsch, Dean and law prof at Columbia. He applies the concepts of negative externality and the tragedy of the commons to the privacy issue. Clever stuff.

Vinnie led me to Eric Keller, who posted recently on data theft and the responsibilities of software vendors. He is bang on middle stump. (cricketing metaphor for correct) The issue is brought into a much starker context by the terrible mySpace case.

Information and software companies face relatively little regulation. All of us are driven to build applications and offer solutions that the market demands.  We build software to obey laws, but only when we perceive a market demand for those solutions, for example SOX, or IFRS.

As the digital world becomes more and more vital to our personalities, our jobs, friendships, thoughts, politics and beliefs, should the web and the vast databases of information about us be determined solely by short term shareholder value?

As consumers and users of technology, we are like 18 year olds buying our first car. All we want is horsepower and a pimped ride; seat belts are a big girl’s blouse. If the seatbelt was an option, we wouldn’t order it. I think lawyers call this Volenti non fit injuria.

The ongoing issue of net neutrality illustrates clearly that information companies depend on regulatory frameworks. They need the US government to ensure that the net remains free, and not controlled by the telcos, at least this is what rocketboom in her Volvo and others tell us. The free market alone will not protect those freedoms it seems. Shock horror, Google and co are asking for regulation. Rightly so, in my view.

Also recently Google, Microsoft, eBay and others have called for federal privacy legislation. This is a sign that the information companies are beginning to realise that privacy is worth protecting. See John Palfrey and Edwards for more on this.

This is not out of altruism. Google, just like a carbon emissions producer, wants to know its boundaries. 

Personally I’d like to see a stronger legal obligation on the makers of our online world to build it safely. When I buy my kids a toy, or put them in a car in the real world, regulation helps me ensure that they are safe. When they go online into MySpace or wherever, I should demand the same. I would be failing them as a parent if I didn’t.

The world’s leading manufacturers have realised, mainly after significant government and societal coercion, that they have a responsibility to protect and nurture our planet. Software vendors and information companies have a responsibility to protect and nurture our digital environment, especially where it interacts with our analogue lives.

The industry should build safer, better, cleaner, privacy aware applications, or governments and citizens will rightly demand that we do. If we are to ride faster and further on Al Gore’s information highway, let’s build safer cars. Building privacy and safety into our digital world is not easy, it will be expensive, and inconvenient, but worth it.

Privacy Law and Global HR

(normal legal disclaimer bits here….) 

I have been interested in the implications of the technology and privacy interaction for the last decade or so, and it amazes me that it isn't more of an issue in sales cycles and software implementations. I wish it was, because German law is quite strict and our enterprisey software does a lot to handle the German data protection law that software from across the pond often doesn't have a clue about. (I'll save that rant for another day.)

(privacy is in the news at the moment partly because people keep losing laptops with James Bond's details on and the ECJ has ruled on the transfer of airline passenger data to the US, I won't comment on these here)

Why this post?

I received a mail from a US colleague this week, who asked me what to do, as his customer has been told by someone that "under German privacy law it is illegal to have a HR database with Germans on it outside of Germany"

The someone is wrong, but there are a number of buts and myths you need to manage. Privacy law, or Datenschutz, is a bigger deal here than it is in the US. The German law nowadays is based on the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (Not one for pithy law titles, us Europeans.)

1. The law doesn't talk about servers. It rambles on for a while about processing: "'processing' shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;"

It has nothing to do with where the hardware sits. The directive was written before the days of SOA, SaaS, client-server and the like. Someone using a laptop in Kuwait to access a server in Germany is in effect transferring data.

2. The directive is designed to improve the flow of data within the EU, so accessing or moving the data to another EU country shouldn't be an issue. You still need to manage the works council politics carefully though.

3. The directive doesn't like you to transfer data (weird term that) outside of the EU, unless it is to a country with an adequate level of protection. 

4. You can transfer the data to another country, even if it doesn't have an adequate level of protection (like the US), but only if you follow certain procedures. This is where things can get messy and complicated. The options include:

a. Join the safe harbo(u)r (if you are in the US).

b. Develop a binding corporate code. This is a relatively new development, and the Schering example here is one of the few publicly accessible examples I could find. The Schering example was approved by the Berlin data protection authorities. GE's code was approved in the UK.

c. Use intra-company model contracts (common practice now).

d. Use consent (but this has its limits in the employment relationship).

And always treat the data as if it was still in the EU country. (So don't sell it to direct marketers or leave it on the back seat of your car.)

I can expand on these in more detail in other posts, and provide a set of more extensive links, just let me know. I'd hate to bore you any more than I already do.

I would suggest that anyone in the US needing advice on global HR privacy get in touch with Don Harris. He knows his stuff, and is a nice chap too. Ruth Boardman at Bird and Bird, and Christopher Millard at Linklaters are other experts I've worked with in Europe on data protection issues. Despite being lawyers, they are personable, knowledgeable and a pleasure to work with.

So, if someone says we can't do a global HR system because of German privacy law, they are likely to be wrong, but be prepared for a lot of buts… My advice is to do some reading, and get some advice from an expert consultant and a law firm who have real experts in this area.

If you think the Germans are tough on this, check out the Spanish. Linklaters recently reported on this. (If you are interested in more, check out their site; it is a super example of a law firm using the web effectively to reach clients. The whitepapers are really useful, not just marketing. Software companies could learn from them.) It is risky cutting and pasting from a law firm website (see my earlier post on copyright), but here goes….

The fine imposed by the Spanish Data Protection Authority, the AEPD, on Zeppelin in this case is a salient reminder of just how seriously the matter is taken in some parts of the European Union.

Zeppelin is the Spanish producer of the television programme "Gran Hermano", the Spanish version of the popular reality TV format "Big Brother". Internet hackers managed to access details about 1,700 potential contestants on the show, and in some cases the information included details of their mental health, IQs and credit history.

While Zeppelin tried to claim that it was the innocent victim of illegal hacking activity, the incident brought to light various data protection infringements. Zeppelin was the unhappy recipient of a euro 1,081,822 fine, the highest imposed by the AEPD in a single administrative proceeding to date, and the highest anywhere in the European Union.

The breaches of the Spanish DPA committed by Zeppelin were listed as:

1. not obtaining their express consent for the processing of sensitive data;
2. not fulfilling the requirements for data processing by third parties, it therefore being deemed that a disclosure of data which had not been consented to had taken place; and
3. not complying with regulations on security measures.

Serious stuff indeed….
