Tuesday, March 28, 2006

CASPIAN's Disproportionate Influence

Two of the most active organizations in RFID are Wal-Mart and CASPIAN.

Wal-Mart, the world’s largest retailer, is a major force behind the early success and adoption in RFID. The company’s mandate that suppliers adopt RFID tagging to help drive cost out of the supply chain has been well-chronicled. If you are a developer of RFID or related technologies, you probably started high-fiving colleagues and hugging complete strangers when Wal-Mart used its bully pulpit to give RFID a real shot in the arm (no pun intended. Okay, pun a little bit intended).

Then there’s CASPIAN. That acronym stands for Consumers Against Supermarket Privacy Invasion and Numbering. CASPIAN hates the idea of item-level tagging, and they make no secret of that fact. Whenever there’s an RFID initiative, you can be certain that CASPIAN will be there to give its side of the story, warning of spying and Big Brother and describing end-times scenarios.

When VeriChip’s implantable medical RFID chip won FDA approval you didn’t have to be named Nostradamus to see a response from CASPIAN in the future.

When nightclubs in Europe started programs extending VIP treatment to patrons who agreed to be tagged with ID/debit chips powered by RFID, the technology’s detractors were quick to point out that their worst-case scenario was coming to pass.

The problem is, organizations like Wal-Mart have been relatively silent in response to CASPIAN's aggressive campaign against RFID. Wal-Mart and other pro-RFID organizations have invested heavily in the technology and in RFID-enabled programs, but have not spent much to promote their investments. Instead, the industry and its proponents seem resigned to allowing RFID to be buffetted by the detractors in the belief that, eventually, RFID will simply become an unstoppable juggernaut.

That scenario will likely play out over the next few years. Meantime, there are a lot of smaller organizations without the means to be patient who could benefit from a healthy nudge along and the support of a coordinated campaign to boost RFID's image.

Observation: CASPIAN is a headache to the RFID industry, but the industry has no one to blame but itself. CASPIAN has set the terms of debate and has succeeded in painting RFID with a broad and sinister brush. Rather than engage CASPIAN in the open, establish standard terminology for the industry, and aggressively counter CASPIAN’s efforts, the RFID industry as a whole has instead turned introspective, seemingly afraid to meet the challenge.

Organizations that have staked their success on RFID need to clearly communicate the value that technology brings to their products in clear and real terms. Sci-fi visions of device-to-device communications are not what this discussion is about. Instead, the dialog needs to confront misinformation, allay fears, and describe how RFID is improving product and performance today. RFID and its purveyors need to earn the trust of the public, and trust is earned through open, honest communication.

By the way, CASPIAN may be right to raise many of the issues they do, and CASPIAN’s voice is an important one in this debate. But it should not be the dominant voice, nor should the RFID industry allow CASPIAN to go unchecked.

Thursday, March 23, 2006

Of Privacy, PII, and Bicycles

As often happens, when news breaks of a significant privacy breach, I find myself discussing the issue with one of my privacy pals.

I think I’m a pretty smart guy, and well-informed on privacy issues, but I always feel a little bit smarter upon the conclusion of a conversation with one of these guys.

I like to think I’ve provided the same benefit to my friends, but I know I’ve gotten the better of the deal. (By the way, does it make me a privacy geek to admit that I enjoy talking about the latest breach?)

This morning, when news broke about Fidelity’s breach of privacy following the theft of a laptop computer containing retirement information and PII for nearly 200,000 HP employees, I turned to Richard Purcell of the Corporate Privacy Group.

Immediately we discussed the issue policy and awareness. I wanted to know his view on whether corporate data protection policy (and awareness) was keeping pace with the realities of an increasingly mobile workforce. That was all Richard needed to hear.

“Wells Fargo, SAIC, Ford Motor Co, Boeing, UC Berkley, Metro State Denver, Bank of Rhode Island, Brazos Higher Ed, UW Medical Center, UCLA, MCI, Medco Health, Ameriprise... the list goes on and on.”

In moments he rattled off a list of organizations that have recently reported the theft of laptop computers containing unencrypted PII.

The problem is that knowledge workers are encouraged (perhaps even expected – or pressured) to take their work with them in order to be more productive, but little thought has gone into the ramifications of data on the hoof. Transfer sensitive customer files onto a laptop and you’ve just increased your risk factor exponentially.

Richard compares the situation to bicycle theft.

“Laptop thefts have occurred over many, many years. They are obvious targets due to their high perceived value and mobility. They are stolen not because of the data they contain, but for their intrinsic resale value. That's obvious. Bicycles are in the same category. Leave your bike unlocked somewhere, and someone is going to steal it. No-brainer.

“Is there a lesson here? Duh. Lock it! Lock down the laptop whenever unattended and encrypt the data. Better, don't put such data on laptops - use the machines to link over secure transmissions to servers where the stored data is securely accessible. If you absolutely must put PII onto a laptop system, and can't encrypt it, then de-identify it – make sure the data does not point specifically to a known person.

And finally, like the bike analogy, don't expose yourself to double jeopardy by placing valuable stuff in easily stolen containers. I would never put my wallet in a pouch on my unlocked bicycle. Yet, we continually hear about just that kind of stupid (yes, it is nothing short of stupid) behavior in these stolen laptop stories.”

See what I mean? I’m feeling smarter already.

Richard’s point is that many organizations make the issue more complex than it needs to be. Writing policies related to mobile data may seem to be a daunting task, but it should take no more than the application of a little common sense.

That said, policy and training are among Corporate Privacy Group’s specialties, and I wanted to hear more.

“Most policies are just now coming up to date with the fact that devices are ‘in the wild,’ including not just laptops, but phones, media devices, and PDAs that have between 1GB and 40GB of memory. I have a simple 6GB device that can act as an external drive. No problem fitting a file with 200k+ personal records on that little puppy.

“So there's a mix of policies; the important thing is that practices are just not keeping pace. It is hypocritical for companies to, on the one hand, require data to be locked down, and, on the other hand, set difficult deadlines that force employees to indulge in risky behavior (like putting large files on their laptops to take home and work on over the weekend).

“Companies have to accept that putting 200k+ records on a laptop is like putting trade secrets on that same laptop. Management would never tolerate having their pre-audit financials wandering around on unprotected devices. For the same reason, they have to treat PII as a valuable asset that is always protected, even if that causes a bit of difficulty in accessing the data. So be it - cost of doing business.”

Recommendation: From my perspective, crisis communications starts with crisis prevention. Understanding risk and addressing risk factors with smart policy and thorough practice – including top-to-bottom training and awareness – is the first step. It’s a lot more pleasant preventing a data breach than it is explaining to your customers, partners, lawyers, and regulators how such a thing could have happened and what you are going to do to keep it from happening again.

Finally, it’s time this discussion moved front and center. Mobile data is data at risk. In Richard’s words, “it's a big deal to start banging the gong on mobile PII - anytime any asset goes mobile, additional safeguards are needed - it's elementary.”

Monday, March 20, 2006

RFID Viruses? More Hype than Horror

In a world where technology remains arcane to most, some would have us believe a boogieman lurks behind every microchip, that a looming techno-enabled disaster is one keystroke away, and every innovation carries with it the potential to usher in the End of the World as We Know It. Enough real threats do exist in the form of viruses, worms, Trojans, spyware, and other malware that such claims are given credence in the eyes of the uninformed, and it becomes easy to get caught up in the hysteria when new reports of cyber-terrorism arise.

We saw this phenomenon recently when the Kama Sutra worm spread around the globe. Many claimed that piece of malware would be the equivalent of the Black Plague for the world’s computers, but that worm’s dreaded deadline came and went without the expected dire results.

Radio frequency identification (RFID) technology has been the target of doom prophets almost from the moment it arrived on the scene. Conspiracy theorists have used RFID to foment talk of secret military programs established to implant tracking chips in innocent civilians, or devious marketeers riding shotgun in black helicopters alongside their evil government counterparts, tracking shoppers all the way home courtesy Big Brother’s latest and greatest scheme.

The most recent example of such overwrought fear-mongering comes in the guise of a paper, written by a group from the University of Amsterdam entitled "Is Your Cat Infected with a Computer Virus?"

This paper theorizes that it is possible for an RFID tag to carry a virus and, in exceptional circumstances, to spread that virus via vulnerable RFID readers and middleware.

The problem with this paper, written in academic style to create a sense of credibility, is that it is full of assumptions and based on highly specific conditions that must be met in order for such a virus to be created and have any hope of spreading.

Most folks in the RFID industry are calling balderdash on this paper.

The code described in "Is Your Cat Infected with a Computer Virus?" works only within the environment constructed specially for the purpose by the authors of the paper. There are no known vulnerabilities in any middleware system similar to those described in the paper.

Because the authors failed to find an exploitable vulnerability in any RFID systems, they deliberately build a system that would allow their virus to spread.

To be fair, the authors claim their paper is offered mostly as a proof of concept, and it is theoretically possible for any data storage device can carry viral code, but that does not mean the virus will be able to spread successfully on its own and, in this case, the authors of Is Your Cat Infected failed to show that an RFID virus can actually spread in the real world.

There are plenty of actual threats to worry about that we don't need to get caught up in the hype of bogus hazards like the RFID virus.

At least not yet…

Tuesday, March 14, 2006

Radioactive

I’ve not been avoiding the issue of privacy and RFID, but it’s one that needs to be addressed. There is so much fear surrounding this technology and the many uses – real and fictional – that issues related to privacy, and how to communicate effectively when you are a supplier or user of RFID, need to be addressed.

But where to begin?

I guess the best way to begin is by asking, what is RFID? The short answer is Radio Frequency IDentification. With that answer come even more questions, and this is where things get sticky.

RFID is most closely associated with microchips that send low-power signals that can be read passively by receivers to track things, most often items that move along a supply chain. Think in terms of the barcode that UPS uses and that allows you to track your packages to and from their destination. There’s no doubt that RFID’s potential in this context is huge. The cost and efficiency improvements made possible by RFID are only just now being explored, and once the actual cost of RFID chips is lowered to the point of economic viability, you’ll see this industry take off.

But RFID is also associated with spying. There’s a pervasive fear that RFID chips will find their way into products that will allow others (whether criminal, governmental, or commercial) to track people and learn more about us than we’d like. The recent practice of RFID chip implantation in human subjects is doing little to quell such fears.

The idea of implantation and other methods of tracking individuals has been described as the “creepy factor.” I keep looking for examples of companies whose fortunes are tied to the success of RFID using public communications to address the creepiness of RFID, but I’m missing it if it’s out there.

I’ll track RFID more closely in the coming weeks, but wanted to get the discussion started. Your thoughts and suggestions on this subject are appreciated.

Wednesday, March 08, 2006

Search Questions

I’ve been following the discussion around search for a while. It’s a fascinating issue, but I’d be lying if I told you I understand it. Most folks happily type in all manner of search terms into their engine of choice and browse to whatever returns are offered, and they do so without thinking of the implications.

There are a couple of interesting nuggets to consider, however, that make this a curious affair. Google’s market cap is, as of this writing, $107.71 billion. The Department of Justice seems to have a keen interest on what terms people are typing into their search window. Clearly there’s value to the information the public plugs into these “free” tools.

I have many questions, and few answers. Random though they may be, here are my questions:

1. If my search terms are not traceable, why does the DoJ care? I know there's a lot of mumbo jumbo about simply wanting to look for patterns in search traffic, but it just seems like a canard to me. My opinion is that it’s all about setting precedent. I think the feds want to establish that precedent so that they can have easier access to this information in order to conduct more specific data forensics in the future.

2. Why would Google put up such a fight against the US government about cooperating in a supposedly innocuous scheme, but seemingly cave in to the demands of the Chinese government to engage in broad censorship? It appears to be a matter of pure greed, and it doesn't jibe with Google's "do no evil" morality statement. Evil isn't a matter of relativism, and we are judged by the company we keep. Not that Google should act as an arm of the U.S. Department of State, but if our national strategy to confront and beat Communism in China is to do so through economics, I’d like to see more cooperation. Censorship is antithetical to the idea of "do no evil." Period.

3. Why would Google et al want to indefinitely save my search terms, anyway? Unless there's a specific service they plan on offering, one that helps me find things if I have a pattern of looking for the same things over and over again (I keep hearing of such a service, but haven't seen it offered yet), the idea that an engine as popular as Google's would want to assume the cost and burden of saved search data seems without reason. There's got to be a purpose ($$) behind it.

4. Secrecy and inconsistency seem to be creating a growing sense of discomfort among consumers around the issue of search tools. Google takes most of the heat, but the fact is all the major players (and a ton of sketchy minor players) are engaged in aggressive strategies to use search as a foot in the door to consumer desktops. Spyware/malware/adware becomes part of this discussion as well, and that’s a topic no one but the so-called advocates want to raise. Secrecy doesn't engender trust. That's why people are finding it hard to trust either of the major entities in this debate. The feds haven't exactly covered themselves with glory on issues of personal privacy lately, and Google is clearly more about making large coin than they are about doing no evil.

I, like most computer users, use Google because it works and it seems to work better than most search services. I don't tend to enter sketchy search terms, so I don't think much about it, but I do wonder about it – moreso now than ever. I would be uncomfortable using Gmail, though, for these very reasons.

Personal communications are an issue where content is a very real concern, not because the content of my email would land me in hot water but simply because it's personal communication. Google still has plenty of questions around their Gmail policy.

The prevailing opinion is that the confrontation between Google and the DoJ over access to search terms was a calculation by Google to establish themselves as a champion on privacy and the little man. I think, however, that Google had already agreed to hand over the data requested by the feds - just as Yahoo!, MSN, and other search organs had already done, and changed their minds as a PR ploy. That's speculation on my part, based on the speculation of others. Too much is still not known to draw any solid conclusions.

I'm not close enough to the issue to know the answers, and I'm not so sure I've got all my facts square to even post this much, but it is a fascinating discussion and I’m curious as to what you all think.

Saturday, March 04, 2006

Q&A With Schwab CPO Janet Chapman

In response to the announcement of Charles Schwab’s security guarantee, I contacted Janet Chapman, the company’s chief privacy officer.

I was interested in learning more about Schwab’s view of privacy, how closely the privacy organization interacts with marketing, and the connection between communications and trust. Conducting a brief Q&A, I have shared my new insight with you below.

Note Ms. Chapman’s comments related to privacy training and the direct line for queries on privacy issues. Her comments indicate a strong level of understanding and commitment to privacy throughout the organization and how effectively communicating with the customer on such issues leads directly to greater trust. As Larry Ponemon’s research has shown, a trusting relationship is a more profitable relationship.


Private Communications: Please describe how Charles Schwab’s privacy organization works with corporate communications/marketing.
Janet Chapman: The Privacy Office reports into the Central Marketing Division and the Chief Marketing Officer, who sits on Schwab's Executive Committee. When I assumed responsibility for the Privacy Office 3 years ago, it was agreed that privacy should be viewed as a strategic imperative and that this would be better enabled within the marketing organization. In Marketing, the privacy function can be more preemptive and proactive. Also, this arrangement helps facilitate good employee communication, embedding privacy awareness throughout the organization


PC: Can you provide any examples of how Schwab’s investments in data protection and privacy have paid off in terms of customer trust?
JC: A central theme for Schwab’s Privacy efforts is client education – being proactive in helping clients become educated about I.D. theft prevention and helping them protect themselves. We've focused on this after checking in with our customers and learning what they care about. In 2003, we surveyed our customers to find out if they care about privacy and learned that 96% of respondents rated privacy as Very Important or Important. ID theft prevention was their top concern.

In 2004, we rewrote our privacy policy and annual notice, adding a section on ID theft prevention. We also overhauled and expanded our privacy training for Schwab employees. We created a special team of client service representatives and gave them specialized training about ID theft prevention and advice to give clients who think they may have been victimized

We also added more in-depth information on schwab.com and our affiliates' Web sites about such topics as: how to prevent ID theft, how to detect a Phish, and we increased the prominence of ID theft protection information. We encourage our clients and other consumers to visit our Privacy Information Center on schwab.com by clicking on the “Protect Your Account" button on the client log-in page, www.schwab.com/privacy .

To make it easier for clients to ask questions, we also introduced a Privacy e-mailbox for clients to directly contact Schwab with privacy/security concerns. We believe that our clients trust us because of our advocacy on their behalf.

PC: The Charles Schwab security guarantee is a bold move for an organization of your size. How did this come about and can you offer any insight as to the underpinnings of the program that give you the confidence to offer the guarantee?
JC: Our historical practice has always been to take care of our clients in instances where unauthorized account activity has occurred. With rising public concern over identity theft and account security, we realized the importance of articulating that practice as a public promise. Our clients need to know their money is safe at Schwab.

PC: The security guarantee is less than one week old. What has the response been like from customers? Potential customers? Competitors? Industry analysts?
JC: The response has been universally positive, including the response from our own employees.

Wednesday, March 01, 2006

That's What I'm Talking About!

If you track privacy closely, you know that issues related to identity theft and credit fraud are near and dear to the heart of the privacy professional. If you follow my blog (and who doesn’t?), you know I’m an advocate of building programs that help to instill brand confidence through open discussion of those issues.

Don’t kid yourself – your customers know all about the dangers. What they don’t know is what you are doing to protect them.

You can imagine my glee when I read last week that financial services firm Charles Schwab announced a security guarantee program that puts Schwab’s money where Schwab’s mouth is.

The bottom line to this program, from the consumer perspective, is that Schwab has made an investment in their security and privacy protection programs and are so confident in the efficacy of those systems and programs that they have effectively eliminated the financial risk to consumers.

Now, that’s what I’m talking about!

Schwab’s is a powerful message, and one that resonates with their audience. Note the lack of technical detail. It’s unnecessary. All that the customer needs to know is, “what does this mean for me?”

Kudos to Schwab.

Lest you think I’m late to the story, I’m currently engaged in conversation with Schwab’s privacy team on this very issue. I had hoped to have a brief “interview” to share with you by now, but we’re getting there and I will share that Q&A with you as soon as we’re done.