Kelsey Finch is policy counsel at the Future of Privacy Forum, a Washington DC-based think tank seeking to advance best practice in data privacy. She has specialized in wearables, big data, de-identification standards and privacy by design, among other topics. Finch spoke to Red Herring about 2015’s biggest challenges, and how enterprise and consumer technology can come together to combat privacy issues.
What have been 2014’s biggest privacy problems, in your opinion? Do you see them being fixed any time soon?
Throughout 2014, we learned how vulnerable our personal information can be. It seemed like every week a new data breach was announced and sensitive data flooded the internet, including everything from celebrity nudes to medical records, taxi locations to home webcam feeds. Not to mention hundreds of millions of credit and debit card numbers stolen from retailers, banks, and other companies.
Hopefully, in the coming year we’ll see consumers and companies alike learning from these experiences and practicing better online security.
While this year has demonstrated that no system is 100% secure, it has also shown that many breaches can be prevented or mitigated by basic security hygiene. If reports are true that North Korea is behind the recent hack that led to disclosure of personal information of employees of Sony Pictures, making them collateral damage of an attack by a government, that would be an extremely disturbing new frontier.
Are you heartened by Europe’s insistence on privacy issues, and what do you feel is the future for Google on the continent?
Europe’s focus on privacy as a human right has helped shape the importance of treating privacy as more than a consumer protection issue. This has helped shape privacy views in the US and elsewhere. Considerations of ethics, dignity, and freedom from surveillance must be part of the privacy discussion, and Europe’s regulators have played a key role in helping focus those discussions.
Europe’s consumers, too, are making the case for privacy as a competitive advantage. Users are increasingly looking for information in many ways beyond traditional search engines — they’re using specialized travel search engines for their travel plans, review sites for recommendations, and Facebook or Twitter for real-time news and personal updates. But anywhere in the world internet companies can lose consumer trust and lose their audience with the click of a mouse. Services that users love are going to continue to be popular and valuable; those that misstep may lose their audiences.
But it is critical that E.U. regulators not make privacy regulation or enforcement a U.S. vs. E.U. issue, or focus solely on U.S. companies. The tech and data issues being debated are critical to the success of local companies throughout Europe and policies need to be developed to support the growth of local start-ups who could be the next generation of employers and innovators.
With the recent revelations about webcam postings, what are your top tips for consumers wishing to keep their data private?
Consumers need to recognize that if they can remotely access their webcam or connected device, then so can others. The first and most important step to stopping hackers from taking control of a device or sweeping up personal information is to have strong passwords. Leaving the default password in place is like leaving your front door unlocked. It’s also important to make sure your devices’ software and security patches are up to date, so that you don’t leave yourself vulnerable to preventable attacks. What it comes down to is being smart and savvy whenever you, or your stuff, connects to the internet: be careful what you click, stay alert for phishing attacks, be cautious about connecting to others’ Wi-Fi networks, and turn off your devices when they’re not in use.
What about companies?
There’s really no excuse anymore for a company to not have a plan for detecting and responding to security threats. With consumers increasingly worried about the privacy and security of their information, a strong commitment to data security can be a real competitive advantage.
Companies who handle personal information must have written policies and procedures clearly describing how that information is collected, shared, used and secured. They need regular risk assessments to uncover any new vulnerabilities and regular audits to make sure those procedures are working. From the C-suite to the customer service desk, employees should be trained on everyday security measures as well as their responsibilities during and after a data breach. It’s not enough to just be prepared on paper, either – it’s equally important that companies drill their teams and test their programs under realistic circumstances.
What do you think will be 2015’s biggest privacy challenge? Can it be surmounted?
Wearables, drones and the ever-expanding Internet of Things seem poised to take over the privacy spotlight at last. Researchers predict that there will be 4.9 billion connected “things” in use in 2015, and they will be with us everywhere we go: in our homes, cars, offices, schools, public spaces, even on (and in) our bodies. The Internet of Things promises us easier, safer, healthier and more efficient lives, but it also raises new privacy challenges.
In order to get these benefits while minimizing privacy risks, companies need to embrace “privacy by design,” baking privacy and security protections right into their products. So, some companies will need to find ways to give their customers notice and choices about their privacy on devices with very small screens, or no screens at all. Others will need to learn to handle sensitive data about people’s health and home routines. And they will all need to think about how to craft data security, whether they’re designing a watch or a refrigerator – or a t-shirt, coffee pot, elevator, car, television, thermostat, power strip, etc. Consumers, too, will play an important role in overcoming privacy challenges, as many connected devices double as de facto private surveillance systems. New social norms need to be developed as connected devices are introduced into new and unexpected spaces.
Do you feel the major social networks can play a positive role in promoting online privacy?
Social networks make big headlines when they get privacy wrong, but their ongoing efforts to educate and empower their users should also be acknowledged. When companies like Facebook or Twitter change their privacy policies, hundreds of millions of people are suddenly made to think about their privacy. And as users become accustomed to the increasingly granular privacy controls offered by the major social networks, they push other web services to adopt similar user-friendly dashboards and settings. Because of their enormous, global user bases, social networks can also serve as platforms for important societal debates around privacy, including discussions about ethics and government access to data.
Who is your privacy hero for 2014?
Peter Hustinx, who has skillfully navigated the challenges of privacy and technology — and the conflicting views on both in many countries. During his tenure as European Data Protection Supervisor, Hustinx has earned the respect of both industry and advocacy groups as he charted a pragmatic path for privacy in the E.U. Under his leadership Europe has become one of the most important voices in privacy, and for that he is our privacy hero.
Who would you earmark for 2015?
The technology industry. We see a sea change in attitudes as companies respond to the concerns of Snowden and advocate for their consumers against government overreaching in every country. We see evidence of this already with companies publishing transparency reports, fighting against government demands for data in court and setting encryption by default. We expect more of the same in 2015.