David Holtsman, former CTO of Network Solutions, recently spoke with DarwinXXX about the Fourth Amendment, the role of the Chief Privacy Officer and other hot-button privacy issues
The past six months have been an interesting time for those watching the privacy debate. What's your take on how security concerns have affected privacy so far?
David Holtsman: September 11th is not going to be a get-out-of-jail-free card for the Fourth Amendment forever. What is more interesting is that the public has now had its collective nose rubbed in the reality of what state-of-the-art data mining is capable of. It was fascinating to see how much of the terrorists’ movements could be ex post facto reconstructed by credit card records, bank cameras and strip club records. The conflicting desires for homeland security and protection of private information make for an interesting, well-balanced debate that I hope will surface during the next election cycle.
Privacy advocates have been predicting a consumer uprising on the privacy issue for a while now. Why hasn't it happened to date, and do you see any signs that consumers are starting to get savvy about the issue? It takes time to build up a critical mass of consumer awareness of the issues so that the privacy sealots don't stick out like curmudgeons for refusing to give Radio Shack their home telephone number so that they can buy a battery—my pet peeve. It takes time to change a culture. Look how long it took before it was socially unacceptable to smoke in public.
Another reason why there hasn't been a mass consumer uprising on the privacy issue is that the media has remained focused on some pretty trivial proof points. Most consumers seem to think that spam is the worst by-product of the wired world and have not yet been educated on some of the more interesting and provocative ways that advances in data mining technology (coupled with rapidly decreasing cost of storage media) are changing the very notion of privacy.
The position of Chief Privacy Officer in the United States has been criticised as being more public relations than substance. Do you agree, and what should be the ideal model for this job in your opinion?
I wholeheartedly agree. The problem starts with the fact that most Chief Privacy Officers are lawyers and approach problems by minimising corporate exposure using their weapon of choice – the draconian contract. The role of the CPO is almost always oriented around reactive compliance to these policies, not around proactive consumer relationship building. Privacy should be viewed as a part of true customer relationship management (CRM) and therefore belongs squarely inside the profit and loss centre with some standardising oversight at the executive and Board level. Privacy policies are legal Huggies for business units… they’re disposable and provide, at best, temporary protection. At some point, marketing people need to be toilet-trained.
You have said recently that the media focuses too much attention on the obvious and predictable abuses of privacy by corporations. What is the REAL danger of information misuse in your estimation? What scares you personally?
Most media coverage takes the form “Company X misused information Y that it collected from consumers A, B and C. They are being sued by privacy organisation S.” Although this kind of story gets headlines—especially if it’s about a big company like Microsoft—the resolution tends to be some kind of agreement that [the company] will take precautions that it won’t happen again.
Unfortunately it’s like what infantrymen say about bullets, “it’s the one that you don’t hear that will get you.” The really miserable privacy issues are the ones that we haven’t heard about and may never hear about. For instance, data profiling systems that automatically categorise people based upon unknown and suspect criteria. Several companies provide this kind of analysis as a finished product to assist in evaluating a consumer’s creditworthiness, employability and susceptibility to all kinds of marketing blandishments. This data can and is bought by mainstream retail companies and in some cases the U.S. government. The low costs of storage and worldwide access to broadband networking make it suddenly feasible to federate these disparate sources of data into psychographic instead of demographic information. I find that scary, but that fits my profile.
Accountability is a tough word because it implies that what Yahoo did was wrong and that there should be some sort of public punishment like a dunking chair. Maybe Jerry Yang should have to wear a scarlet “Y”? Seriously, this is the crux of the problem—there is an ever-widening gap between consumer’s expectations of privacy and the legal agreements that govern the relationship. I think that consumers should (and do) ignore the stated policies and hold the companies accountable for the spirit of the law, not the letter. An appropriate response to relationship cheating in this day and age is not being dunked; it’s being dumped.