Andrew Walls
Research Director
5 years at Gartner
35 years IT industry
Andrew Walls is a research director in Gartner Research, where he specializes in information security practices, tools and markets in social media, enterprise governance, awareness/communications, directories, investigations and security program management.
by Andrew Walls | May 7, 2012
On a regular basis I find myself perplexed by someone asserting that they have a ‘right’ to something. This is particularly the case when someone tells me that they have a right to privacy. What on earth do they mean?
I am not the first to ask this question, and many different (and often conflicting) answers have been offered: a right to maintain confidentiality over personal data, the right to be left alone, and so on. These are all potentially useful definitions of this particular right, but what appears to be missing, in my opinion, is an acknowledgement that rights are constructed by society. Rights do not exist outside of a social context. Different human cultures define rights in different ways, drawing on religion, culture and environmental drivers to construct baseline statements or principles regarding the privileges of individuals and/or groups.
I find the right to privacy (however it is defined) particularly odd. Humans are social animals. We congregate in groups and erect complex cultures and social structures. Social interaction is based on the exposure and sharing of personal data. All of the personal data that many of us consider private (such as your birth date, favorite color, etc.) is known by many people, only some of whom we know and can control through some sort of culture-based behavioral expectation. A lot of people tell me that the growth of IT has spurred the public outcry around privacy because IT makes personal information accessible to people and organizations that we do not personally know and with whom we do not share a cultural basis for managing behavior. The security analyst in me translates this to: “we used to have security through obscurity (the difficulty of getting access to personal data), but now the obscurity has been removed.”
This makes sense to me. As the use case changes, so must the controls we apply. If we are to enable innovation without taking on undue privacy risks, we need to develop new security approaches to replace the obscurity that we once enjoyed. But let’s not kid ourselves. The right to privacy under discussion is also changing, as people are alternately repulsed by and attracted to the power of new IT service delivery options.
Rights are fluid and dynamic. Their meanings change across time and cultures and (here’s the part that drives IT security investment) the policies and laws written to define and enforce these rights will experience continual change. The end result is that your privacy and data protection program can never rest.
Category: Uncategorized Tags: privacy, security
by Andrew Walls | February 17, 2012
This morning I spent some time listening in on a hearing on DHS monitoring of social networking and media. The hearing was held by the US Congressional Sub-committee on Counterterrorism and Intelligence, chaired by Patrick Meehan. Transcripts of the testimony, as well as a video playback of the hearing, are available at http://homeland.house.gov/hearing/subcommittee-hearing-dhs-monitoring-social-networking-and-media-enhancing-intelligence.
The substance of the discussion did not offer any surprises, but the expressed motivations of the subcommittee members were fascinating. There were repeated mentions of the ‘chilling effect’ on private speech if people knew that their utterances on social media were being captured, stored and analyzed by government entities. Fundamentally, the argument against DHS monitoring of public speech on social media systems was based on the protection of free speech rights. This is not a long bow to draw, and there are a host of vignettes available in Orwell’s “1984” that articulate the concept better than I can. What I find interesting about this argument is that it mirrors the rationale that has led various states within Germany to pass laws making it illegal for employers to monitor or capture the social media conversations of their employees.
In the employer/employee scenario, it is possible that an employee will self-censor their public speech if they anticipate a negative reaction by their employer. In the German context, employer monitoring of their employees’ social media activities is viewed as a privacy intrusion that limits free speech and public debate. (Set aside for the moment the issue of the enforceability of such a law.) Similar logic is being voiced in support of new EU regulations regarding privacy and data protection.
If we accept that government monitoring of social media conflicts with free speech rights, it is a short path to drawing the same conclusion concerning employer monitoring of social media. When an employee represents an employer in social media, we expect the employee to self-censor and we also expect the employer to obtain and deploy security controls that monitor for compliance and enforce policy where possible. Should that same self-censorship be expected in all use of social media by employees or should society place limits on the degree to which employers can inspect their employees’ personal activities and use the fruits of that inspection to drive management decisions?
This is a tricky area. In certain circumstances it is illegal under US law for an employer to seek out personal information regarding an employee or job candidate. For example, in a job interview, it is illegal to ask an employee about their religious affiliation or whether they are pregnant or plan to become pregnant. It is trivial to discover this information if the individual is a regular participant in Facebook. In other circumstances, there are no legal restrictions on employers viewing the activities of employees in a public environment.
If we want to support free speech in social media without any fear of retribution by employers or potential employers, we have a lot of work ahead of us. To start with, it is impossible to block employers from seeing the social media conversations of employees or possible future employees. What if a manager uses their home PC or a cybercafe to view a user profile? How could we identify the manager’s relationship to the employer? Should social media providers provide logs of source IPs and user profiles utilized to view a person’s profile? This might enable the user to identify who was looking at their profile, but the collection, storage and dissemination of this data would create a significant burden on social media providers. I am also dubious that the average user would actually analyze this data to detect who was having a look. The various social media platforms already offer a host of privacy features that users can configure to restrict access to their content, but the adoption of these capabilities is spotty at best. Placing the burden on the average user is not realistic any more than we would expect people to wear disguises when they attend a public event that their employer opposes.
At the end of the day, this is a social problem, not a technological problem. Despite this, we can expect to see a blizzard of attempts at regulation and a steady flow of technology and services that attempt to control employer actions and protect employees’ free speech. This is why Gartner positions social media as a disruptive technology. Social media is actively disrupting traditional patterns of social interaction, creating both benefits and threats for all of us.
Category: Uncategorized Tags: social, regulation, privacy