Competitive Intelligence and Online Privacy, NSA Leaks from Edward Snowden

In preparation for attending the Privacy Identify Innovation conference here in Seattle with peers, my recent conversations have been around the kind of data that Edward Snowden and related NSA leaks stirred up.

twilight-zone

These conversations live in another dimension almost as spooky as the Twilight Zone.

While the NSA is in the center of this issue, we should think about the thousands of companies that have access to our personal information.

Through these companies there are an untold number of individuals who have access to our digital homes without our knowledge. Some of them knowingly allow access (while others do it accidentally.)

We have dropped the ball: not only as companies and organizations in the U.S., but as a global society we have absolutely failed to understand how the Internet of everything relates to metro, regional, ethical, and moral audiences around the world.

If this was my house it would be leaving my front door unlocked and leaving it unattended. When we have a digital version of our home we need to give a little bit of thought about the benefits and risks associated to it.

  • We have to keep in mind that data isn’t limited to live where it is created.
  • It isn’t limited to a time or place.
  • It is a universe of information that covers both historical and future possibilities.
  • Our digital neighborhood isn’t local- it is global.

We need to ask questions about who may visit our home.

What do they know about me?

This is a big question. 

You need to have a grasp of the questions below before you can really begin to identify what they know about you.

If someone is interested in you they have decided you are worth a certain amount of effort.

The reality of the situation is that there are a lot of rocks to kick over and look under.

When competitive intelligence professionals like myself get involved there is a level of strategic and investigative research that takes place using all sorts of systems that help look under rocks quickly.

Examining what is under each rock cost a little bit of money and effort. If I have intent and reason to turn over thousands of rocks I will find out more about you than being lazy and turning over just one.

The speed at which this investigation can take place depends on the tools and the likelihood that the research effort will be rewarded with knowledge.

Thinking about who really has access to the data

When I turn on the typical desktop computer there are dozens of companies involved with the security of the data.

A basic example of typical computer privacy points:

  • The Brand/Creator of the PC
  • CPU Manufacturer
  • RAM Memory Manufacturer
  • BIOS programmer
  • Video Card
  • Wireless Processor
  • High Speed Modem
  • Network Router

Software

  • Adobe Flash
  • Java
  • Microsoft Office
  • Firefox, Chrome, Internet Explorer (with several dozen plugins)
  • Internet is supplied by Comcast (Comcast router boxes, relay junctions, data stores, etc)

Web Services

  • Banking
  • Utility Payments
  • Mobile Services
  • Entertainment (Netflix, etc)
  • Social Networks (Facebook, Linkedin, etc)
  • Communication tools (email, digital phone, etc)

Securing the basic elements above almost requires a degree in rocket science.

Yet as a society of web enabled users we’ve thrown caution to the wind and have opted-in to all sorts of things like social networks and freemium web services.

Multiply the basic example above for laptops, tablets, mobile phones, etc.

Facebook is an amazing example of our blunder.

Over a billion people have joined the site and have given access to our profiles, social networks, and personal communications.

In addition to what we share on Facebook.com, Facebook scripts and widgets run on tens of millions of sites.

These scripts cover a range of login, recommendation, analytics, and sharing functions.

If you were to figure out the combined data collection of Facebook across all of these sites you’d have trillions of interactions.

But we also have Google who has access to sites with

  • Google Analytics
  • Google Webmaster
  • Google Adsense
  • Google Content Networks
  • Google Gmail
  • Google Docs

When you overlap just the properties and data collection points of Google and Facebook you end up with information on almost the entire web using population. 

The NSA may have access to that data… but who else?

While the NSA may have access, I wouldn’t typically focus on whether the NSA has it.

You should be focusing on people and organizations that seek you harm (if the NSA has reason to cause you harm, then worry about the NSA.)

Google and Facebook don’t necessarily want to harm us, but they do want to make a few dollars in profit.

The core item to think about is that there are thousands of businesses in the industry of collecting and monetizing our data or using it for harmful or monetary purposes. These include data brokers, financial organizations, major employers, and big retail brands. They also include criminal and military organizations.

The information they are collecting is specifically important to the intent of why they are collecting it.

You can help figure out where you sit in the big picture as both an individual and as a business by running through a series of questions.

What are the problems?

Data will always be created and collected by some process.

The core problem comes from the question of Good vs Evil?

Good uses:

  • Trying to use the data to improve the education system of a local town.
  • Supporting entrepreneurs to create green, sustainable business.
  • Helping third would countries raise the standard living.

Bad Uses:

  • Identifying an individual’s commute time to work so robbers know when the house is empty.
  • Discriminating against employees based on what was perceived as private.
  • Disabling a city utility by crashing the utility grid.

Why are they collecting data?

Most organizations use online data to define and segment millions of users into a size they can interact with.

They want to strategically locate communities and individuals who matter to them.

This usually revolves around simple items such as:

  • How many interactions?
  • How many relationships?
  • How many transactions?
  • How many habits?

 Who is using it?

The answer to who is using it creates a number of tangents to think about:

  • Where are they?
  • How do they store it?
  • Do they sell it?
  • Do they abuse it?
  • Do they learn from it?
  • Where do they have interests?

What laws am I dealing with?

As you answer the above questions about you begin to identify the legal structures of where your data lives.

In the U.S. we have some very specific ideas about privacy and freedom of speech. These same ideas may not apply around the globe.

  • Where does all that data live?
  • Who owns the lines it moves across?
  • What jurisdictions apply to the servers?
  • What companies have access?
  • What employees have access?
  • What criminals have access?

What ethics am I dealing with?

With some of the legal concepts detailed, we can begin to think about ethical and moral uses of the data.

Some cultures and countries have wildly different ethical and moral concepts.

  • Do they want to hurt/help me?
  • Do they want to hurt/help my family/friends?
  • Do they want to hurt/help my company?
  • Do they want to hurt/help my country?

What can I do about it?

The key to protection is understanding.

#1 – write down a list of things that are most important to you.

#2 – write down a list of people who want to hurt you.

#3- ask an expert to detail ways #1 and #2 interact.

#4- Create a plan for protecting the things most important to you can be used by people wanting to hurt you.

#5- Apply a scenario to two or three organizations you don’t like and ask yourself what you can do to them.

These basic steps will wildly vary in results depending on if  individual and group perspective.

By understanding value vs risk you can allocate where your effort will produce the most protection.