Management of corporate privacy policies spawns a new software and services sector
As Sun Microsystems CEO Scott McNealy once declared: There's zero privacy on the Internet. Get over it!
But that notion is unacceptable to growing numbers of consumers. The awareness of how companies use and abuse personal information is spurring lawmakers and consumers to push for greater controls over how customer data is used by businesses.
The financial and health-care industries are required by law to enact privacy policies. Other sectors are implementing privacy practices in an attempt to self-regulate and avoid governmental oversight, security consultant Larry Ponemon says.
The growing emphasis on privacy has led to the creation of a new industry. Software vendors, consultants, certification authorities, and nonprofit organizations are rushing to market solutions to help individuals and businesses manage the use of personal data. By some estimates, the market for privacy products and services will be a billion-dollar industry by the end of the decade.
Vendors of privacy technologies range from major system developers such as Hewlett-Packard and IBM to upstarts such as IDcide, PrivacyRight, and Zero-Knowledge Systems.
There's also a handful of nonprofit organizations that offer privacy-seal programs to audit and certify that a company's Web site meets with certain industry practices for privacy protection. Trust-e's Privacy Seal service, the Better Business Bureau Online's Privacy Seal Program, and WebTrust's privacy-certification program all offer auditing and compliance services to businesses.
"What we do is all about establishing trust between consumers and corporations," says Dave Steer, Trust-e's communications director. The Web made privacy real to a lot of people, he adds. In the past, data use happened behind the scenes; now, the Web has made business practices visible to consumers.
All of the major consulting firms, from IBM Global Services to PricewaterhouseCoopers, have privacy practices in place. Most of the heavy lifting associated with becoming privacy-compliant involves a detailed assessment of a company's existing privacy practices and ongoing audits, and many large companies are bringing in outside help to expedite this effort.
"The most time-consuming part of enacting corporate privacy rules is the work that occurs between the legal or compliance department and line-of-business managers," says Lorrie Cranor, an AT&T Labs researcher and chair of the World Wide Web Consortium's Platform for Privacy Preferences specification working group. "Once you get agreement on the privacy policies, implementing the technology is easy," she says.
The task of codifying privacy practices in software falls to the IT department. Early implementers created their own software from scratch, but a number of commercial products are starting to come to market. Hand-coding privacy rules into corporate databases and applications is an enormous task that ultimately isn't scalable.
"Corporate privacy policies are very complex and touch on all aspects of a company's business," says consultant Ponemon. "Without technology, the problem of enforcing privacy practices is intractable."
Many of the privacy tools coming to market are first generation; some products are still in beta. As the science of privacy management matures, we're likely to see integrated suites of tools that address the breadth of issues that companies need to manage. We're also likely to see the integration of privacy and security products.
For example, Tivoli Systems Inc.'s one-year-old Secureway Privacy Manager is part of an integrated suite of security tools and requires the Policy Director authentication software to run. The Privacy Manager takes complex privacy policies and integrates them in all applicable businesses processes, says Penny Portillo, a Tivoli product manager.
There are many different types of privacy technologies. Anonymizers, for instance, separate a user's identity from his transactions so that buying habits can't be tracked. Curiously, this type of software hasn't really caught on with consumers or businesses, Ponemon notes.
Another type of privacy software is the trust filter: middleware that provides privacy-policy management for all connected applications and systems. The filter lets users create their own privacy profiles that can be automatically distributed to multiple Web sites. When a site's privacy practices don't match that of the user, the filter can prevent the Web site from putting cookies on the user's computer to collect personal data.
PrivacyRight is developing this type of software in its TrustFilter product. It includes a Permissions Engine, Java-based middleware that enforces privacy regulations and profiles by evaluating requests for data and comparing them with privacy rules. The platform also includes Audit Server, which helps administrators audit privacy compliance.
Probing and scanning technology is another emerging category in the privacy-tools market. This type of software looks at the ways data is captured, stored, and used in an organization on an ongoing basis. The software then compares this against the company's privacy practices to determine violations or aberrant activity.
Probing and scanning can also be used to experiment with different levels of privacy that a company might want to enact, and to gauge how those various levels will affect the business, its Web site, and other systems.
IDcide makes two probe technologies: The PrivacyWall Site Analyzer remote monitor for consultants and the PrivacyWall Site Monitor for IT departments to monitor Web sites for privacy compliance.
Many vendors also offer consulting services. Zero-Knowledge Systems provides system assessments before implementing its Freedom Internet Privacy Suite.
Because privacy policies touch so many aspects of a business and its applications, many experts advocate the creation of a privacy framework that will govern how practices and tools are implemented across the enterprise. IBM Global Services created the Enterprise Privacy Architecture, which will be used by its consultants and will also be adopted in various IBM products. The framework will help companies integrate customer privacy preferences into business processes and application logic.
The International Security, Trust, and Privacy Alliance also has devised a framework for privacy practices that addresses how personal information should be handled as it travels across jurisdictions. Privacy rules are context-sensitive, notes Michael Willet, chairman of the alliance's Framework Committee. Different rules apply depending on who has the data and what's being done with it. "To ensure data safety, you need a technology that embeds the privacy intelligence into the data-delivery mechanism," Willet says.
The alliance's members include American Express, Carnegie Mellon University, IBM, Intel, J.P. Morgan Chase, Trust-e, and Zero-Knowledge.
According to Lucian Hughes, an associate partner in consulting firm Accenture's Technology Labs in Palo Alto, Calif., privacy monitoring and auditing will increasingly be handled by trusted third parties. "I liken this trend to the creation of banks in Europe during the Renaissance," Hughes says. "Eventually, people stopped hiding money in their mattresses. They were willing to give up direct control of their money in exchange for the various benefits the banks could offer."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.