So Charles sent out a link to a few of us on an article, "Price of Privacy," from Bob Sullivan at MSNBC.com's Red Tape Chronicles site.
The article discussed individual privacy looking at the concepts of "pay to allow" and "pay to protect."
The article proves the point that people value certain personal identity "attributes" (and their values) more than others, depicted through the divergence of the dollar-values when asked to "allow" or "protect" access.
No kidding. :-)
But from a "you-and-me" perspective, I just don't see the concept of an individual pay-to-allow or pay-to-protect becoming a part of everyday life.
As the author notes in his examples, "avoiding store loyalty cards can be very expensive." No kidding. :-)
Pay-to-allow or pay-to-protect is a fun way to look back. I sometimes have a hard time distinguishing between the two.
Using the loyalty card example at, let's say, a grocery store -- And since we love bananas, I have to buy a pound of bananas every week regardless. Let's say they cost $3. If I use my Shoppers Club card, I save $.50 and pay only $2.50 for bananas. If I don't use my loyalty card, it costs me $3 for bananas.
As the concept goes, my grocery store is paying me $.50 for giving them information on my love of bananas.
But aren't I paying them an extra $.50 if I decide that I don't want them to track my purchases?
I understand the importance of the exercise, especially from the perspective of an individual who has been harmed by a breach of privacy and, from a legal perspective, and is seeking compensatory damages.
But as long as we're talking legalese -- let's think about the punitive side of the issue.
Businesses are governed, among other things, through legislation, regulation and policy, but also behave based on the risk (real or perceived) of legal action resulting in the payment of punitive damages, or bad press.
These two areas -- policy and legal -- are what will shape the face of individual privacy (not the individual themselves) in the months and years to come.
Patient information was freely shared before HIPAA.
Businesses did very little to notify individuals of data breaches until California Senate Bill 1386.
TJX's significant data loss (theft) resulted in... lawsuits. No fines that I could find. I wonder if they still qualify for VISA PCI Incentives?
The bottom line is, individuals aren't capable of managing their privacy. Not for lack of intelligence, and not for lack of trying, but for lack of the "giant centralized LDAP in the sky." The de-centralized nature of all that personal data mean the only practical solution is for those businesses (and individuals) using and storing the data to be responsible for proper handling and disclosure.
Reveal business or trade "secrets" --- go directly to jail.
Revel your customers' "secrets" --- maybe get some bad press? A few civil suits?
The only way to ensure proper handling of our data is to apply a strong "visible hand" (sorry Adam Smith) to businesses -- regulations and public policy, that have stiff penalties for data breaches.
And as a side effect, that generates more need for IT Security guys like me. :-)
...in my humble opinion.......
"Providing thought leadership in Identity Management"
1 comment:
Good points on both sides.
Another way to look at this is in terms of economic clout. Business and government both have tremendous ability to impinge on individuals. They have the money available to to affect almost any aspect of your life. The goverment has police and taxing authority. Business has economic authority.
If you are sued by a major corporation, most people cannot defend or pursue such a suit without orders of magnitude more risk to their personal welfare. A $100,000 loss won't break a major corporation, but it would drive most individuals to bankruptcy. This economic reality drives behavior. Like Craver, they do the economically rational thing, and not necessarily the "right" thing.
This is common now. You can sign up for a free lunch, and listen to a sales pitch. You can sign up for a free vacation, and sit through a timeshare pitch. For some folks the consequences are a surprise. For others a simple economic tradeoff.
Now, if the economic landscape were more level, pay to release and pay to protect could be weighed more evenly. What would level the landscape? The big LDAP in the sky might do it. So might a service consolidator that acted as your identity proxy provider.
I really think the issue is more fundamental, and I think Craver has touched it in the punitive discussion. Currently, organizations have no liability for harm caused by misuse of data they collect and maintain. That needs to change.
Post a Comment