BYOI (Bring Your Own Identity): You might think I’m foolish… but I still think privacy exists


BYOI is a series I’ve decided to create to “talk” about #identitymanagement so it is about #security, #governance, #management and many other aspects of the #IAM realm.

What do you know about your own privacy? Let me rephrase: do you know where your sensitive data is stored? Do you have an idea of how it is protected, or whether it is shared with a third party without your consent? It should be a simple question, especially when it refers to our own privacy. Think about it for a moment: how many privacy disclosures did you sign last year, whether they were electronic forms or physical papers?

In the last “SPECIAL EUROBAROMETER 359”, promoted by the European Commission under the title “Attitudes on Data Protection and Electronic Identity in the European Union”, it is impressive that:

70% of Europeans are concerned that their personal data held by companies may be used for a purpose other than that for which it was collected.

but even more impressive is that:

Only one-third of Europeans are aware of the existence of a national public authority responsible for protecting their rights regarding their personal data (33%).

But what I wonder is: do you know what #privacy is?

Levels of #privacy

I usually split privacy into three separate layers:

  • personal #privacy: everything related to my own life
  • business private #privacy: everything that involves me and my employer
  • business public #privacy: everything related to me, my employer and a third party (e.g. when I have to disclose personal information in a consultancy project with a customer)

If you’re wondering why I use three layers, it is for a simple reason. Think of your Name, Sex and Phone Number. Those could be seen as sensitive data or not, but try to give them a value in terms of #privacy under each of the following conditions:

  • In a casual conversation on a plane you share this information with the person sitting next to you
  • A corporate app on your device requires you to fill in a form with this information
  • A third-party service used by your company requires this information from you to register your account

I am sure that everybody got a different result for each of the three lines, but if you think about it the value should be the same. Why? Because I didn’t ask you about the level of trust you have or the level of protection you expect from the others, but instead what you consider “sensitive data” and how you expect others will “use” it.

One should focus on the information one is going to share and how it will be handled by the other party, not on the “actor” that will use it.

A person you don’t know sitting next to you, a corporate app or a third-party service offer the same level of protection if not correctly evaluated, and this evaluation should pass through clear information on how the data will be protected and used by the actor. Look again at the Eurobarometer statistics: only 33% of Europeans are aware of the existence of a national public authority responsible for protecting their rights regarding personal data, but what the statistics do not say is the percentage of people who are not aware that their apps are accessing the information stored on their device and could potentially exchange it without the owner’s explicit consent.

I’ve already blogged about the concept of digital immigrants and the lack of #habits we have due to the lack of knowledge regarding new technologies. In brief, a digital immigrant is a person who was born in a time when computers, smartphones, etc. did not exist and who consequently has to continuously adapt his life to adopt new technology, in a sort of infinite learning curve that often leads to an underestimation of some basic concepts like #privacy. Most of us digital immigrants find ourselves thinking “once, when I was young, nobody ever thought about stealing an electronic identity…”. So as digital immigrants we tend to approach #privacy mostly in two ways:

  • a relaxed approach: I trust my company, I trust the person sitting next to me and most of all I trust every app/device I put my fingers on, only regarding specific “non-sensitive” data that varies based on the context I am in.
  • an over-protective approach: I do not trust anybody and I always ask for an explanation of what information is being asked of me

What only a few of us digital immigrants do is go back to those to whom the information was disclosed and require a full report of how our data will be used. And you know why? Because we “signed” a #privacy disclosure and we rely on it for our trust.

The “non” existent privacy

I went through a couple of odd situations recently and have seen a curious “case”.

The first odd situation was in a bank. I was there for a deposit. I have an account at that bank, so there was nothing strange in the operation and, for the purpose of this discussion, I have a high level of trust in the bank itself. As I said, I was there for a deposit: I approached the front door, as always left my home keys, car keys and any other metallic objects in the safety box outside the door, and went in for the security control.

At that point my eyes blinked in surprise: that bank office requires fingerprint registration to get in.

Of course I had no real choice: if I wanted to get in I had to register my fingerprint. But was this acceptable under my own concept of #privacy? Of course it was not, and I hadn’t even accepted any #privacy disclosure for something like this, so… so I’m a curious person and I went in, accepting that BIG intrusion in my own life. I went in and did what I was meant to do first, then… then I started to ask simple questions:

  • What is the purpose of that fingerprint registration?
  • How long is the information retained?
  • Where is the #privacy disclosure signed by me?

Would you believe which one of the three questions left me literally speechless? The third one. Why? Because the disclosure was at my home; I had signed it when I opened the bank account, because otherwise I wouldn’t have been able to successfully conclude the procedure.

So my privacy was gone. I don’t care if the fingerprint registration was there only as a “fake” system to discourage criminals from getting in, I don’t mind if they did it in a way that protects that information, etc. What I mind is that they mistook the trust required to open a bank account for the #privacy concept, which means: You have to ask me every time if I agree with you.

The second odd situation was on Twitter. Yeah, I know, don’t laugh so loud: I am perfectly aware that social network means “SOCIAL” and not “PRIVATE”, but again I would like you to stop for a moment to think about the concept of #privacy. But first let me tell you about my odd episode.

Like many of you I heavily use, or I should say “abuse”, my spare time on social networks like Twitter. The purpose is to share your own life with others, like in a sort of big community, and when I type something I am fully aware that this means that anybody who reads my stream may retweet something or share it, and this time someone did. No wait, he did not: he simply tweeted something personal that he/she knows (yes, I’m not going to tell you who it is) about me without my consent. Something important? Well, the point is not the data but the way you use it. The point is that this was something “personal” and so inside my #privacy circle.

So please stop and think for a moment and tell me: when is someone on a social network allowed to share information he/she knows about you? If this information were about his/her employer, would he/she do the same? Again the #privacy concept was gone, and with it my “own” life, and where was the disclosure signed by me? Would you believe me: in the day-by-day conversation, in the “wrong” perception of the level of trust this person got.

If I am kind to you and I speak with you, this doesn’t mean we are changing the #privacy levels.

The third episode was in the news, and still is: it’s about Google Glass.

I was looking at the video (here). Sounds appealing, doesn’t it? But I wonder: this means that anybody who is wearing a device like that could record a video of me without my consent, may take a picture of my laptop while I am working in a public place, etc. But isn’t that something already possible with a smartphone and some good social engineering skills? So where’s the news? The news is that again I, as an individual, am not aware. I am not aware of your intentions, not because of a lack of trust but because of the different perception in terms of #privacy.

Google Glass is only a new level of communication that can lead to a further loss of control over individual #privacy, but this requires two actions:

Individuals need to recognize that the #privacy requested in an interaction is still the same as in the past, only the line is now thinner due to the capabilities of modern technology, and so they have to be aware of the potential unwanted “#privacy intrusion”.

Companies that produce/deliver software, apps or devices that may be intrusive into the #privacy of individuals should adopt a clear approach that helps everyone have a clear idea of which data is going to be stored, how it will be used and, most of all, whether it is going to be shared with someone.

So at the very end I still see many conversations about “the end of #privacy”. In these conversations people simply accept the idea that their “less” sensitive data will no longer be protected and will potentially be shared with someone. This is a dangerous road. Call me an old guy if you want, call me foolish, but:

You may think I’m foolish but… I want my #privacy back