Whither privacy, post-9/11?

Security and privacy were thought to be at odds after last September, but one can complement the other to create a business edge.

Ann Cavoukian and Tyler Hamilton. Special to the Star

Business is confronting one of the greatest challenges since the advent of computerized information processing: consumer privacy. Similar to the way the environmental movement began to influence industrial manufacturing practices in the 1970s, concern for consumer privacy is reframing the way organizations handle customer data.

Numerous studies over the years suggest that a majority of consumers are worried about when, and how, their personal information is being collected, how it is being used and whether it is being adequately protected. They want to know whether the information is being sold or shared, and if so, to whom and for what purpose. Above all else, they want to have some degree of control over their privacy in an age when increasingly sophisticated telecommunications, storage and software technologies have made monitoring a person's activities effortless.

"The concern now is that we have gone too far in terms of the amount of processing going on, and the correlation of that information back to one's physical identity," said Dan Hunter, professor of legal studies at the Wharton School at the University of Pennsylvania, in a recent commentary. "Even more disturbing is that consumers don't know how the information is being used and so have no way of tracking it. One doesn't have to be a consumer-protection zealot to think there should be some controls on this."

Indeed, there is a heightened feeling among industry groups that giving more control to consumers may begin to unlock the true potential of our electronic economy, where tension has been brewing between users of personal information and consumers who fear the loss of their privacy. Studies suggest that the loss of consumer confidence related to privacy fears has already hindered the growth of e-commerce by tens of billions of dollars. The coverage of privacy issues in the media has jumped threefold since 1995, serving to feed those fears. In the Internet travel industry alone, Forrester Research estimated a revenue shortfall of $2.8 billion (U.S.) in 2001 because of privacy concerns.

Governments throughout the world are taking notice, and in many jurisdictions there has been a concerted effort to restore confidence in e-commerce with data-protection legislation as a complement to industry self-regulation. Sweeping privacy laws are already in force in Canada, the European Union, Australia and Hong Kong, to name a few. As such, consumer privacy has become a business issue and a legal issue increasingly difficult to ignore.

Jay Stanley, an e-commerce analyst at Forrester Research, says the emergence of privacy issues serves as a countervailing force against the "information revolution" and what he calls its "radical effects" on data flow. Instead of going away, privacy concerns will only multiply and amplify if something isn't done. "Like a 1965 businessman who claimed that `all this fuss over ecology is just a passing fad,' anyone today who thinks the privacy issue has peaked is greatly mistaken," wrote Stanley in a report called "Surviving the Privacy Revolution."

Many companies chose early to embrace this message. RBC Financial Group, the largest financial institution in Canada, has had a privacy code in place since 1987, and in recent years has been studying the implications of privacy for its business.

Peter Cullen, RBC's corporate privacy officer, says that internal studies suggest privacy accounts for 7 per cent of a customer's buying decision and therefore contributes 7 per cent to the over-all economic value for the organization. "As privacy is recognized to be a more emotional issue, perhaps not surprising, the bank found it accounts for 14 per cent of the value of its RBC brand with respect to personal clients."

Companies such as EarthLink, an Atlanta-based Internet service provider, have attempted to gain the trust of consumers by promoting the benefits of anonymous Web surfing and an online world without junk e-mail. The company sees this as a way of carving out a competitive advantage over its rivals.

In late 2000, EarthLink became one of the first companies in the world to appoint a chief privacy officer to oversee its day-to-day privacy practices and consumer advocacy. It has launched multi-million-dollar advertising campaigns to draw attention to its pro-privacy stance. It has also provided customers with ad-blocking software and anonymous surfing tools to further fortify their privacy on the Internet. The company's goal is simple and straightforward: Use privacy to win and keep customers.

The strategy seemed to be paying off. Surveys in mid-2001 showed that the number of consumers who cited EarthLink when asked to name an Internet service provider had jumped by nearly 70 per cent in cities where the company focused its privacy-friendly marketing efforts. In a New York Times article, published Sept. 5, 2001, EarthLink's vice-president of branding said that she believed privacy was a "very, very large component" of those improvements.

Six days after that story was published, on a date now referred to as 9/11, the unimaginable occurred. In the space of two hours, the United States experienced the most destructive and horrific act of terrorism in its history. A nation in shock immediately focused its attention on the ineptitude of U.S. intelligence agencies and airport security. How could such a nefarious plot go undetected? How could a group of terrorists, some known to the authorities, manage to co-ordinate, communicate and execute such a plan without triggering the suspicions of any law enforcement authorities?

The North American public indeed, the whole world suddenly felt completely vulnerable. Everyone wanted to feel more secure, even if that meant sacrificing civil liberties and personal freedoms, including privacy, and there followed a groundswell of support for invasive security technologies and increased public surveillance, particularly in the United States.

The U.S. Congress pushed through the U.S.A. Patriot Act, giving intelligence authorities new powers of investigation and surveillance that made it easier to intercept e-mail, tap phone calls and use satellite-tracking and video-monitoring techniques. Previously controversial covert technologies, such as the FBI's Carnivore e-mail sniffer (now called DCS1000) and keystroke-logging program Magic Lantern, were now considered less contentious tools of investigation. The rules had changed in this war against terror. Privacy took a back seat or so it seemed.

But in the months after 9/11, heightened fear and anxiety were gradually replaced by sober second thought. Questions began to be asked about the perceived conflict between privacy and security and the distinctive roles of government authorities and the private sector.

Must privacy and security be viewed as mutually exclusive polar opposites? Or can security be achieved alongside privacy, making both complementary components in a smartly crafted program? Is it not possible for technologies of security to enhance privacy at the same time? And why are we so quick to blur the line between government objectives related to public safety and private-sector objectives related to consumer protection?

Why, for example, should the FBI's use of covert technologies such as Carnivore and Magic Lantern have any bearing on private sector business practices and the way that organizations handle customer information? The answer is that it should not and it does not. It's one thing for a law-enforcement authority to install facial-recognition technology at an airport or to monitor, consistent with legal process, e-mail communications of suspicious members of the public; it is quite another when a business sells lifestyle information, medical data or financial information to another or monitors the Internet surfing of consumers without obtaining their consent or giving proper notice.

Evidence indicates that concerns about privacy have not abated since 9/11. Indeed, we may be in for a consumer and political backlash against overly intrusive security initiatives that fly in the face of liberty. As Benjamin Franklin wrote in his Historical Review of Pennsylvania in 1759, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

For many in the business community who have been able to see through the emotional and political reaction to Sept. 11, privacy is just as important today as it ever was. "Sept. 11 has changed many things, but it hasn't changed our privacy strategy," said Harriet Pearson, chief privacy officer of International Business Machines Corp.

"What has changed is the emphasis with which people were once talking about privacy. I spend a lot of time now discussing the need to balance privacy with security, and the need for privacy policies within business as a matter of maintaining trust."

Pearson says fewer people are talking about privacy from what she calls a "purist, civil liberties" perspective, but she adds that this isn't necessarily a bad thing. "We've said all along that privacy is a matter of balance."

Several chief privacy officers interviewed were unanimous in their declaration that the government's battle against terrorism has not substantially changed their corporate privacy practices. The message was clear: We stand by our privacy policies unless forced to comply with the law. Building consumer trust continues to be a top priority.

Evidence that consumer privacy gained newfound momentum after 9/11 emerged in the months that followed:

In a post-9/11 consumer survey conducted by privacy expert Dr. Alan Westin, professor emeritus at Columbia University and president of Privacy & American Business, a non-profit think-tank, it was found that "increased trust in government after 9/11 has not been paralleled by increased trust in businesses handling consumer information." Asked whether the terrorist activities of Sept. 11 had affected their concerns about how online businesses collect and use personal information, 76 per cent said their views remained the same and 22 per cent said that consumer privacy was more important.

Computer and hardware manufacturers, including computer giant Hewlett-Packard Co. and home-network equipment maker Netgear Inc., began pre-installing privacy-protection software in their products to the benefit of the consumers. Meanwhile, IBM created two industry organizations the IBM Privacy Institute and the IBM Privacy Management Council to promote the development and use of privacy-enhancing technologies and to establish industry standards.

Australia joined Canada and the European Union with the introduction of sweeping privacy legislation aimed at the private sector. Sweden and Hong Kong began looking at legislation dealing with privacy in the workplace. In North America, some lawmakers including the U.S. Senate commerce committee kept the consumer privacy torch burning even as a tornado of surveillance initiatives swept the landscape.

The U.S. Federal Trade Commission launched an unprecedented crackdown on junk e-mailers, and more than 25 states proposed their own anti-spam legislation. The Ontario government, meanwhile, proposed a private-sector privacy bill considered to be the strictest on the continent.

In more recent news, the Bush administration, eager to please privacy advocates who fear unfettered surveillance as a result of the U.S.A. Patriot Act, plans to appoint a federal "privacy czar" to act as watchdog over law enforcement agencies and investigation authorities. The country's privacy officer would oversee government data-gathering practices and security initiatives to protect the privacy rights of U.S. citizens. This would include an annual audit of government security and surveillance activities.

Perhaps the most significant sign that consumer privacy remains at the forefront of industry concern came on Jan. 15, 2002, when Bill Gates sent a memo to Microsoft employees titled "Trustworthy Computing." In this memo, the founder and chairman of the world's largest software company elevated security and privacy to the "highest priority" for Microsoft's future Web strategy, known as .Net. The message came at a sensitive time for Microsoft, which had been facing one security or privacy controversy after another.

Code Red and Nimda, two of the world's most notorious Internet worms, thrived on vulnerabilities in Microsoft software, as did the majority of viruses before them. Privacy advocates accused Microsoft of using its Windows XP operating system and its Passport online authentication tool to force consumers to hand over their personal information as a requirement for taking part in the company's universe of Web services.

Meanwhile, it seemed as if most of the company's software from Internet Explorer to Windows XP to Passport were discovered to have security weaknesses or had been exploited by a hacker. Even Microsoft's own corporate network had been the target of a successful hacker attack. Understandably, Microsoft customers were asking whether the company could be trusted to protect all this information.

Clearly, Bill Gates had seen the writing on the wall. In his memo, he wrote that pursuing the four key aspects of Trustworthy Computing which he outlined as availability, security, privacy and trustworthiness was seen as integral to the company's future success. "The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways." Gates added, "Users should be in control of how their data is used. Policies for information use should be clear to the user."

Gates' memo continued: "As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable . . . If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize down time, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services."

Microsoft's Trustworthy Computing initiative marked a major point in the company's history. To have privacy and security problems "solved first" is a shift of significant proportion for the company. "It's an incredibly important statement, and it reflects the growing concern among the industry, consumers and businesses about security and privacy," says Scott Charney, who was appointed Microsoft's chief security strategist soon after the Gates memo appeared.

Charney, formerly chief of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice and co-leader of the Cybercrime Prevention and Response Practice at PricewaterhouseCoopers, said that businesses need a balanced approach to handling consumer information. Striking the right balance between sometimes harmonious but sometimes competing interests such as privacy, security, public safety, national security and economic growth is one of the great challenges we face."

There are those who question whether Gates will be able to back up his words with action, but the consensus in the industry is that the path has been laid for others to follow. And at no time has following this path become so crucial to the future health and commercial viability of the new economy.

Identity theft in North America is rampant. Hackers are keeping one step ahead of law enforcers. Junk mail is out of control and is likely to get far worse when wireless Internet and location-based technologies take hold. Internet viruses and worms are more harmful and persistent than ever, and their numbers continue to multiply. Cookies, Web bugs, spyware and other technologies of surveillance have become more sophisticated, easier to use and cheaper to deploy.

Is it any wonder why consumers are worried about their privacy; about losing control over their own personal information? Such worries ultimately affect consumer confidence, and companies that can build back this confidence and establish trusting relationships with consumers stand to benefit the most.

Earning that trust means more than simply complying with the privacy laws and regulations that have emerged across North America, Europe and parts of Asia, which all establish rules for collecting, using and sharing personally identifiable information.

An increasing number of businesses realize that trust is a currency in the new economy, and profiting from this economy means proactively obtaining as much of this currency as possible.

Herein lies the privacy payoff a payoff for businesses, consumers, investors, the Internet, the economy, and our global society as a whole.

"People want their privacy," Peter Hope-Tindall, chief privacy architect for dataPrivacy Partners Ltd. in Toronto. "People expect their privacy will be respected. People will patronize companies that protect their privacy and sometimes will even pay more for the privilege. On the other hand, people will complain about, boycott, litigate against and sell the shares of any company that treats their personal information as if it were just another corporate asset."

Respecting and protecting the privacy of consumers need not, as many organizations believe, impede the normal course of business quite the contrary. Market studies have shown that privacy and personalization are a winning combination. Consumers are more likely to hand over accurate personal information in exchange for personalized content and services if they believe the information is properly used and safeguarded. And when services are personalized, consumers have a tendency to spend more.

Austin Hill, chief strategist at Montreal-based privacy software firm Zero-Knowledge Systems, told the U.S. House subcommittee on commerce, trade and consumer protection that the business community is at a crossroads and has important decisions to make.

"We are currently experiencing the largest explosion of information in history. The new networks and devices being deployed will make personal information available anywhere, anytime. The overwhelming majority of this information being created and spread via a plethora of devices and networks will be personal information and it will primarily reside with businesses and organizations, rather than with individuals themselves.

"The information and networking explosion affects every individual, organization and business. Whether the net effect will be positive for information privacy or negative will depend on the policies we adopt, and the availability of technologies to enforce those policies." (The Toronto Star)