The airport VAT scam: they are pocketing your personal data along with the extra cash

Much heat was generated last week following the exposé by The Independent about the practice of airport retailers collecting passenger destination data in order to report lower VAT revenues while pocketing the VAT effectively paid by those passengers deemed “zero-rated”. I commented, along with many others, on the ethics and legality of the practices but all the time my main focus and concern was elsewhere.

What struck me in the debate – in online forums ranging from the Institute of Directors to consumer advocacy groups – was how little mention was made about the personal data that is harvested from each boarding pass; nor about the legality or otherwise of its capture and use. There seems to be a complacent consensus that “this is just how the business works”.

Firstly, a comment about the law: data protection legislation in the EU (and increasingly, beyond) is clear that electronic data about a person can only be collected and used:
– for lawful purposes;
– with the explicit consent of the person;
– for the purposes of specific, defined business objectives;
– for as long as the data is required and no longer.

That many of these provisions are ridden over roughshod across the economy is thinly veiled with the ubiquitous “privacy notices” that most of us do not read (it has been estimated that it would take you six weeks working full-time to read a year’s worth of such notices). However, many retailers are falling foul of the law just by collecting personal data without providing the statutory privacy notice.

Lesson #1: If anyone asks you for your personal data (to be included in any computerised system), ask to see their privacy notice which is required to state explicitly what the data is being collected and used for.

Secondly, in airports, retailers are indeed required to ask for the destination of a passenger if that has an impact on the sales price, or on the tax or duty charged on that sale (whether such savings are passed on to the passenger was the subject of the previous heated discussions). I’m sure that most retail outlets are trying to do the best by their customers and cut down queuing and processing time: the advent of the 2-D bar code on passenger boarding passes was thus a boon. No more manual checking of paper boarding passes and keying in the required data.

However, the point-of-sale scanner is not choosy. It scans the entire data set, whether that data is required or not. Different off-the-shelf and proprietary POS software will handle that data in different ways.

The legally prudent and risk-averse retailer would collect simply the destination datum and match that to a particular sale so as to provide the required and adequate proof to tax and excise services that a certain sale was not subject to duty, VAT, or other taxes.
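As an added illustration (not code from the original post or from any POS vendor), here is a Python example of the prudent retailer's approach set beside the scan-everything approach. It assumes the fixed-width mandatory fields of the IATA bar-coded boarding pass "M" format; the function names and the sample passes are constructed for this example.

```python
"""Data minimisation at the till: keep the destination, drop the rest.

Assumption: field offsets follow the mandatory items of the IATA
bar-coded boarding pass ("M" format). Sample passes are constructed.
"""
import re


class BoardingPassError(ValueError):
    """Raised when the scanned string is not a well-formed pass."""


HEADER_LEN = 23             # format code, leg count, name (20), e-ticket flag
LEG_LEN = 37                # fixed-width part of every flight leg
TO_AIRPORT = slice(10, 13)  # follows PNR (7) and origin airport (3)
VAR_SIZE = slice(35, 37)    # hex length of the optional data after the leg


def extract_destinations(raw: str) -> list[str]:
    """Return the destination airport of each leg and nothing else."""
    if len(raw) < HEADER_LEN + LEG_LEN or raw[0] != "M":
        raise BoardingPassError("not an 'M' format boarding pass")
    if raw[1] not in "123456789":
        raise BoardingPassError("invalid leg count")
    destinations, pos = [], HEADER_LEN
    for _ in range(int(raw[1])):
        leg = raw[pos:pos + LEG_LEN]
        if len(leg) < LEG_LEN:
            raise BoardingPassError("truncated flight leg")
        dest = leg[TO_AIRPORT]
        if not re.fullmatch(r"[A-Z]{3}", dest):
            raise BoardingPassError("destination is not an airport code")
        if not re.fullmatch(r"[0-9A-F]{2}", leg[VAR_SIZE]):
            raise BoardingPassError("bad optional-data length")
        destinations.append(dest)
        # Skip the optional data (frequent flyer number, baggage tags, ...)
        # without ever reading it.
        pos += LEG_LEN + int(leg[VAR_SIZE], 16)
    return destinations


def record_everything(sale_id: str, raw: str) -> dict:
    """Indiscriminate POS: the whole scan is filed with the sale."""
    return {"sale": sale_id, "boarding_pass": raw}


def record_minimal(sale_id: str, raw: str) -> dict:
    """Prudent POS: only the datum that justifies the tax treatment."""
    return {"sale": sale_id, "destinations": extract_destinations(raw)}


def _leg(pnr, origin, dest, carrier, flight, day, cabin, seat, seq, extra=""):
    """Build one constructed flight leg for the samples below."""
    fixed = (pnr.ljust(7) + origin + dest + carrier.ljust(3)
             + flight.ljust(5) + day + cabin + seat + seq.ljust(5) + "1")
    return fixed + format(len(extra), "02X") + extra


# Constructed sample: Joe Bloggs, business class, seat 5A, to New York.
SAMPLE_ONE_LEG = (
    "M1" + "BLOGGS/JOE".ljust(20) + "E"
    + _leg("ABC123", "LHR", "JFK", "AA", "0100", "226", "C", "005A", "0001")
)
# Constructed sample with an onward leg; "ZZZZ" stands in for optional data.
SAMPLE_TWO_LEGS = (
    "M2" + "BLOGGS/JOE".ljust(20) + "E"
    + _leg("ABC123", "LHR", "JFK", "AA", "0100", "226", "C", "005A", "0001",
           extra="ZZZZ")
    + _leg("ABC123", "JFK", "SFO", "AA", "0020", "227", "C", "007C", "0002")
)

if __name__ == "__main__":
    print(record_everything("sale-0001", SAMPLE_ONE_LEG))
    print(record_minimal("sale-0001", SAMPLE_ONE_LEG))
    print(record_minimal("sale-0002", SAMPLE_TWO_LEGS))
```

The minimal record still ties a sale to a destination for the tax authorities, but a later breach or analytics job finds no name, booking reference or seat in it.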

The lack of analysis from journalists themselves is not very reassuring. From a later Independent article:

Airports may insist that the motive for the irritating demand from their retailers to see a boarding pass is “to understand how demand in our shops changes according to destination, times of the day or during different seasons,” the real reason is to identify purchases for which no VAT is due.

Although strictly true, this is missing the point. Evidence indicates that few retailers who collect personal data will willingly discard that which is not required because therein lies a goldmine for data analytics. Whether it is a benign goal of “knowing your customer” or understanding patterns of movement through a business day, that data is not the retailer’s to use as they wish without restriction. Remember that your boarding pass does not simply state that Joe Bloggs is flying to New York – it’s telling a whole story of Joe Bloggs, flying in discounted business class in seat 5A, with a OneWorld frequent flyer account, two items of checked baggage, flying today with American Airlines, and who checked in early online. If you are comfortable with sharing all that – and for the retailer to reuse that data in any further way it chooses – then be my guest. But it is your right to know what is being done with your data – and the retailer’s legal obligation to let you know – and to request that its use be strictly limited.

Lesson #2: Assume that whoever collects your boarding pass data is going to maximize its use for their benefit – and not just for yours. Note that IATA, the association responsible for the 2-D boarding pass standard, never mentions retailers or indeed any party outside the air travel industry in its guidelines for use of boarding pass data. In the absence of any clear signal to the contrary, retailers have just assumed it’s OK to use whatever they can get their hands on.

Finally, it is worth thinking about the technology itself: there is an increasing and worrying trend – particularly strong in Silicon Valley – to insist that anything technology can do should be allowed to flourish. And that anyone standing in the way is simply an old-fashioned reactionary. Furthermore, this model of personal data collection fits well with an economy driven (often by desperation) to market ever more aggressively and improve sales. I take a different view based on a societal model that recognizes that laws and customs evolve over time to reflect what is important – and trying to sell me more and more goods that I don’t want, ought to be something over which I can assert some control.

The fact that there are strong (and, if anything, a trend to stronger) privacy and data protection regulations is a reflection of societal concern about potential and real abuses in the collection of personal data. I’m not averse to anyone willingly handing over their data in return for some benefit provided it is done knowingly and transparently.

Lesson #3: If someone wants your data, assume they are making money from it, one way or another. Maybe it’s time for you to put a price on that transfer and use.

Or to uphold certain societal values that suggest that not all data should have a price tag. In Michael Sandel’s words, we risk becoming a market society rather than a market-driven economy and the difference is important. The latter is a tool; the former is an end in itself where literally anything is for sale. Think about that next time you hand over your passenger data and wonder whether it will affect, for example, future health or life insurance premiums, let alone the price that you will be presented with as an offer for your next flight.

Safe travels!


Is privacy a barrier to innovation?

A common theme at this year’s IAPP Global Privacy Summit in Washington, D.C., this last week was: how do we address the concern that increasing demands for privacy might stifle innovation?

Well, I have a simple answer: innovation has always been driven by constraints and limitations. It is only the increasingly coddled and slothful culture of Silicon Valley that seems to think otherwise.

Two examples to underline my view.

Firstly, take a look at the two photos below:

Millau Viaduct, Tarn Valley, France
Photo: Emma Dupont

The Vasco de Gama bridge, Lisbon, Portugal
Source: gigantesdomundo.blogspot.com

Stunning feats of engineering and beautiful to boot.
And both constructed according to some of the toughest building codes and architectural standards on the planet.

If the architects had come along and said “Look at our beautiful design but please do not pester us with your petty requests to conform with the law, be safe, or expect us to accept any liability”, they would not get the contract. And yet that is exactly what the whiny young digerati of Silicon Valley would have us believe is the only way to do business: we want the right to build anything we want and to hell with restrictions – you are just cramping our innovation. That small group of multimillionaires may think it’s OK but I’m pretty sure nobody else agrees.

Furthermore, the opposite to their claim is more often true: that constraints and limitations actually spur innovation. Look at Dr Seuss.

The popular children’s author wrote “Green Eggs and Ham” in response to a $50 bet with Random House co-founder Bennett Cerf that he couldn’t write a book using 50 or fewer distinct words. His inspired book was the result of a seemingly impossible, if unrealistic constraint. The constraint enabled the innovation rather than stymied it and the book has sold more than 200 million copies worldwide.

So maybe it is time to tell app and software developers: if you’re so damned smart and innovative, go ahead and develop solutions that are smart, beautiful, privacy-protecting, easy-to-use and cheap – and please don’t come back to us until you have. That would be an innovation race on which I would gladly wager $50.


A vocabulary for digital toddlers

I have a strong memory as a small child around reactions to the word “dog”. We didn’t have a dog at home; neither did our neighbours; but they were around. However, I quickly discovered that I could say the word “dog” and suddenly everyone around me would start looking around – even when there wasn’t one there. Such power from a three-letter word! Such fun! And the fun was particularly when there wasn’t a dog to be seen. This was an early introduction to and fascination with language.

(Please stay with me: you are on the right blog – humour me).

As toddlers, beginning to find our way around the world, we come to understand that ‘things’ out there all have names, labels that we can use to refer to things, even those that  can’t be seen, either presently or at all. I had struggled to understand the word “electric” (and pity my poor parents here) but finally gotten that it was something about being shiny, new, and dangerous to touch. “Electricity”, I assumed meant “electric city” and, knowing that I lived in a city, meant I was in a dangerous place. Thankfully the delusion didn’t have lasting consequences but you can start to see how a little understanding can be potentially dangerous.

In today’s increasingly digital-driven world I feel that I am in a place dominated by toddlers, all struggling with vocabulary for this complex digital world growing around us. We think we understand some words – often, reasonably enough, based on our existing ‘world model’ or our attempts to have the word make sense according to that model – only to be let down at some decisive moment.

Two words clearly represent for me such a struggle: “data” and “privacy”. Together with the myriad phrases that can be built from those two innocuous words (“we value your privacy”, “your data is safe”), we are left – if we care to probe deeper – with a sense of inadequacy, of illiteracy even.

I should explain.

On Wednesday morning, I hosted my annual “Privacy Breakfast” on the eve of the IAPP Global Privacy Summit in Washington, D.C. As on previous occasions, I brought together around 25 friends and colleagues from Europe and the US, from private and public sectors, from legal, research and explicitly privacy-related professions. The theme for this year’s discussion (held under Chatham House rules, so no personal attribution of comments) was the role of Standards in ensuring privacy in cloud-based services.

As more and more services available to us through PCs, laptops, tablets and smartphones are delivered to us from cloud-based platforms, bewilderment and fascination grow around the types and scales of data that flow between our devices and these services – particularly data that might or does impact upon our privacy as individuals.

Whether as a response to public outcry, as a matter of principle or good business practice, we are faced with ever more notices that “we value your privacy” or that “your data is safe with us”. While laudable in their own right, and certainly preferable to silence on the matter, such statements of principle are often not enough, unless there is a pre-existing and strong bond of trust between the parties to any transaction. So how is anyone to trust the claims made by an unknown or untried merchant?

In medieval times, as cities grew, the number of merchants selling wares at a city market (and often coming to the city expressly and uniquely for such market days) far outstripped the small number known personally to any citizen. Reputation obviously played a part but could take time to cultivate and be lost overnight. Weights and measures were the early Standards at such markets – ensuring the customer received the length of cloth they paid for; and the merchant received payment in legally recognised coinage.

The Viennese “El” for the measurement of linen and drapery, embedded in the wall of St. Stephen’s Cathedral by the medieval market square

The statement of principle, “a yard of linen for only three groats!”, was backed up by the recognition of the unit of currency; the quality of the cloth validated by a Guild; and an objective measure of the lengths involved: the yardstick, the “el”, and so forth. The statement of principle was given teeth by having such a measure against which to verify, validate, or refute the claim.

If the claims didn’t measure up, customers could run the merchant out of town, have them suspended from their Guild, or turn to the law or public authority to resolve any dispute. Claims again could be tested against the objective measures at hand.

In our conversation on Wednesday, we returned time and again to the role that Standards can play here but also to the paucity of a vocabulary for the digital age. The absence of a common vocabulary, even for critical issues such as cross-border data flows, is damaging. In its absence, we are all forced to rely on extremely subjective (and possibly self-serving) definitions. “It is like competing for privacy in a Tower of Babel”. Customers aren’t making the connections on their own either between claims about privacy and the daily realities of intense and often intrusive personal data mining and profiling (see Jeff Gould’s article for such an example).

There is a world of difference therefore between a cloud-service provider making the sincere but ultimately consequence-free statement “we value your privacy” and another that can demonstrate – often with third party certification – conformance and compliance with an objective set of tests and criteria. In the pre-digital economy, we have grown accustomed to relying on Standards for purchases of whole ranges of goods and services, from a humble lightbulb to a house: we don’t expect the lightbulb to explode; we do expect it to fit the socket; and we expect that the shop only stocks ones that conform to accepted Standards.

In the digital economy, it should be little different: it shouldn’t be down to the end-user or customer to have to read through reams of privacy statements or check millions of lines of code to be sure that their privacy really is being protected. Simple, certifiable and certified statements to this effect ought to be the norm.

Some progress has been made – the ISO 27018 Standard that I have written extensively about in the past couple of months – and new initiatives are underway, such as the one to name, classify and catalogue the many types of data that are exchanged in online cloud-service transactions, so that customers and suppliers can agree contracts and terms of use around commonly agreed terms.


Microsoft confirms compliance with cloud data privacy Standard – one more step in the right direction

I have a particular soft spot for Microsoft’s Office365, I admit it. Ever since my two former companies in Europe (that developed semantic technologies on various platforms, including an open source Apache-based service and Apple iOS) started using SharePoint, I felt that this was a great platform with great potential. When I set up business in the USA in 2010, it felt natural therefore to start using the modest offering at the time, Office Live for Small Business, and when that integrated with SharePoint and other online services to become Office365, it was irresistible – and at an insane price point of $6 per month.

A key differentiator for me was the notable absence of advertising and monetization of my – and my company’s – data. I have just never felt comfortable with offerings like GoogleDocs. If they are scanning every single byte of data coming in and going out of their services, how can I be really certain that some commercially sensitive information doesn’t find its way into the wrong hands? I’d much rather pay a few dollars a month for a service that does none of that.

Despite that, and despite the assurances which I have always taken in good faith, there is always a niggling doubt in the back of my mind: I have assurances in my contract with them but what if Microsoft is analyzing my data for their own monetary gain? How would I know? What assurances do I have?

When so much of one’s professional life is centred around the development of international standards – and cajoling and persuading people and companies that they really are important – it is nice for once to be in the position of a consumer (and active in the fight for online trust and greater privacy) and feel reassured that a service you are using has been independently verified. And not by just anyone – but by the formidable British Standards Institute, whose track record on standards compliance and certification across a range of domains is world-renowned.

Now, suitably empowered and feeling more in control of my own data – it’s back to work, with Office365, naturally! 😉


Apple CEO Tim Cook takes a swing at firms selling your data

Last Friday, President Obama led a White House cybersecurity and consumer protection event, hosted at Stanford University, that was intended to bring together many senior technology company executives. Notably absent were the CEOs of Facebook, Google and Yahoo – maybe still bearing a grudge against the federal government for the latter’s reported intrusive information gathering and surveillance.

Refreshing, on the other hand, was to hear Apple CEO Tim Cook make a clear statement about Apple’s own business practices: “We have a straightforward business model that’s based on selling the best products and services in the world, not on selling your data,” Cook is reported as saying. “We don’t sell advertisers any information from your email content, from your messages, or your Web browsing history.”

This is in stark contrast to the practices of Silicon Valley neighbor Google, whose GMail service was analyzed in detail last year by Jeff Gould during an ongoing class-action suit against the Mountain View giant.

What is difficult from a consumer point of view, however, is to know who or what to believe in this increasingly hot topic. Or, more precisely, to have a reference against which to judge the various statements made. This only serves to underline the importance of formally approved Standards, as I wrote about in December.

I don’t expect Google to demonstrate certified compliance with the ISO 27018 cloud privacy Standard any time soon. It would seem anathema to their core business model and mightily difficult to achieve given the way data gathering touches every aspect of its sprawling empire.

Despite the well-intentioned statements of its CEO, however, there is no evidence that Apple wishes to demonstrate conformance either. Apple takes a very haughty attitude to Standards in general and there is no reason to think that they would lower themselves to actually having to prove a claim here either – relying rather on their formidable marketing machine and an enormous uncritical fan-base.

In December last year, Microsoft announced that their Azure cloud services had been certified as compliant. Hopefully others will follow. As I stated in December,

Common agreed Standards help the conversation by, at the very least, providing the right questions that should be asked by fiduciaries.

and again,

The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.

The ISO/IEC 27018 Standard exists; we know that it applies to privacy in cloud-based services and helps protect personal information; we also now know that large cloud service providers are starting to be certified as compliant. It’s nice to know that we don’t just have to take vendors’ word for it. We want to trust Tim Cook and others but having certified proof goes a long way: “Trust but verify”!


ISO/IEC 27018 – What Does It Offer?

All this week, I have been blogging about the new ISO/IEC 27018 Standard and what it means for protecting personal information in cloud-based services. So, what does the Standard actually offer?

The standard gives new, clear guidance based on EU Data Protection Authority input on how a data processor should protect customer data, including a requirement that providers must either stop mining customer data for advertising purposes, or gain explicit consent to do so. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.

Whereas other standards and processes require fast responses and repairs in order for a Service Level Agreement to remain in force, the ISO 27000-series of standards requires identifying and fixing the root causes of the problems that arise. This approach is essential to long-term information security as well as to the health of privacy-protecting cloud infrastructure.

1. Spelling out the true cost of the “free lunch” of many online services

Barely a week goes by without a new concern being raised about how cloud service providers use customer data. Nowhere is this more prominent than in the concern about use of personal data for advertising. Of course, some service providers will always find disingenuous ways to claim that the people most affected are not really their customers but just “users” – they would assert that their customers are the advertisers and that users simply consent to exchange their personal data for some “free” service.

People are rightly worried that their data is used or misused for such purposes without their express consent – only to be told, if they do decide to take up the cause, that consent is an implicit or explicit condition for use of the service.  The ISO 27018 Standard can help here – a service provider who claims compliance with the controls and best practices laid out in the Standard will only use customer data as intended for use within the particular service. They cannot use that data for additional purposes such as advertising or marketing without the customer’s express consent. Most significantly, if they comply with the ISO 27018 controls, they cannot make it a condition of use of the service that a person is effectively coerced to allow use of their personal data for advertising and marketing.  Those all-too-common, often misleading, “we value your privacy” statements will finally have to mean something.

2. Transparency and Peace of Mind

Using a cloud service provider that conforms to the controls specified in ISO 27018 will provide peace of mind to customers, confident that the provider will return, transfer, or securely dispose of any personal data at the customer’s request, and within a reasonable period of time, as required in the Standard, for customers leaving their service.

A cloud service provider may have legitimate (but still clearly defined and limited) reasons for retaining customer data – imagine you forgot to renew a cloud service subscription and everything you had patiently assembled disappeared the following day! Or they need to hold on to billing information and history for accounting purposes. But once a clearly defined retention period has passed, data will be permanently deleted and removed from those services. The customer, and all data associated with them, can be “forgotten” by the cloud service.

3. Transparency of sub-processors

It is not sufficient for a cloud service provider to not know – or pretend not to know – about what their own suppliers and contractors that also handle personal data are up to. Such sub-processors, as they are known, help service providers with data storage, processing and security. ISO 27018 requires providers to be clear about who they work with before customers enter into a contract.  If those relationships or partners change, then customers have an opportunity to object or terminate their agreement.

4. Don’t just take the provider’s word for it!

If in doubt – check it out! Customers can rely on independent third party verification that a particular supplier really is implementing the controls that ISO 27018 requires. Cloud service providers must go through a rigorous certification process by an accredited and independent certification body in order to be verified as compliant. And that isn’t a one-off procedure either: providers must submit to regular, periodic review in order to maintain their certification as conformant with the standard.

5. Global applicability

The ISO 27018 standard has taken into account public policy from around the world as it incorporates input from many regional regulators. Conform to the standard, and a cloud service provider makes the whole job of conforming to particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.

6. Protecting against unintended consequences

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many providing cloud services – even if their primary business may not be the handling of sensitive or personal data. Following and using the privacy controls foreseen in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect even accidental or unintended release of PII.


So, in summarizing this series of posts: what to look out for…

…as a cloud service customer

It may be early days to be already asking cloud service providers to demonstrate conformance with the ISO 27018 or asking for their certification of compliance – but organizations don’t magically conform overnight and nudging a supplier in the right direction – or if you are a supplier, nudging your services to examine this – is a good move. It is already worth asking whether the specific privacy controls covered in the standard will be included in future audits of their cloud service offerings.

If these controls are to be included and the audits are completed, as a customer you should be looking to see that these new privacy controls are included as part of a contractual commitment to maintain a data security policy that complies with ISO 27001.

…and as a cloud service supplier

As a supplier, likewise – it could become a valuable differentiator for you to demonstrate such compliance or that you are using cloud service suppliers that comply.

Plan to apply the guidance in ISO/IEC 27018 to all customer data, even if you do not have visibility into the presence or absence of PII in the data that you process for customers – given the increasing complexity of data flows between cloud services and multiple types of device, it is difficult to be 100% certain that no PII is ever compromised. Better safe than sorry.

Privacy is not just a technology and engineering problem: information security and data protection can certainly be addressed with increasingly sophisticated tools and processes but privacy is a social issue with impacts well beyond the data stored and managed by cloud services. This requires that Boards look at the wider issues of harms and risks and in particular the consequences of decisions taken in their deployments of cloud services. ISO 27018 helps make that whole process clearer for all involved.

Conclusions

ISO 27018 emerged as a result of detailed feedback from, and dialogue with, privacy practitioners and regulators across the world. Organizations are faced with a simple question: do you prefer to voluntarily submit to using and following an agreed set of internationally approved standards or run the risk of further government regulation and intervention?

ISO 27018 helps customers and cloud service providers by ensuring that concrete guidance and specific controls for processing PII are addressed as part of an ISO/IEC 27001 audit. Many cloud service providers have commitments to information security management systems as defined in ISO/IEC 27001, and have thus, as part of that process, controls in data security policies that address protection of PII.

Certification against the ISO Standard on its own will not fix all privacy issues nor is it in itself a guarantee of information security. Using it diligently and following the practices and guidelines recommended will however contribute to minimizing risk and improving an organization’s profile as a “good player” in the increasingly competitive world of cloud service suppliers.

ISO 27018 must be seen and used in the broader context of privacy strategy: as Trevor Hughes, CEO of the International Association of Privacy Professionals, put it recently: “Companies cannot view privacy as a compliance matter to be addressed by legal departments or a technical issue handled by IT…. Rather, to avert public embarrassment and consumer backlash, they must set up ethical review processes and instill issue-spotting skills in employees throughout the organization.” ISO 27018 is a core component of that skill set.


Managing personal data in the cloud – assessing the risk

In the previous posts, I covered the key issues covered by the new ISO/IEC 27018 Standard; and how an organization would go about complying with it and proving that.

Today I want to look at the issue of privacy and personal information from the point of view of risk.

Business is no stranger to risk and there is no such thing as “zero risk”. Corporate governance involves assessing what, and how much, risk is considered acceptable for the enterprise in pursuit of its objectives; what controls and safeguards are in place to ensure that defined risk boundaries are not crossed; and what remedies are available if things go wrong. There should be no room in boardroom discussions for ostrich-like views that blithely assert that bad things “are just not going to happen” and that preparation is unnecessary timewasting.

Standards can help boards and C-suite executives by providing guidance to help reduce risk and exposure. The areas of personal data protection, information security, and the increased reliance on cloud computing solutions are no exception. The value of standards is that they provide widely accepted guidance on the best ways to tackle problems and reduce risk: to be able to assert that you conform to important standards – and better, to back that assertion with proof – is as good as it gets in terms of exercising mature fiduciary responsibility.

“Cloud computing” as a term is surrounded with a lot of inevitable marketing hype which itself can lead to confusion and lack of clarity at the level of a Board. The US National Institute for Technology and Standards (NIST) has the most succinct and widely adopted definition of cloud computing:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Those configurable resources can range from complete “solutions-in-a-box” (think of the vast array of directly user-accessible services online today) to bare-bones infrastructure of servers, memory, and storage that a client (such as an enterprise) configures and deploys in line with their existing and future computing requirements.

What this means for an organization’s leadership is that different types of cloud service deployment require very different approaches to risk mitigation and problem resolution. It is not one-size-fits-all. A couple of examples highlight the possible differences:

Company A procures a cloud-based solution to manage its payroll. All the relevant company and personnel data is held by the cloud service provider and accessed by authorized staff in Company A.

Company B procures a cloud-based solution to archive encrypted historical personnel records. All the data is again held by the cloud service provider but, as it is encrypted, it can only be accessed by authorized staff in Company B in possession of the appropriate decryption keys.

It would be a common-sense judgment that Company A has more to consider and worry about in terms of potential privacy risks than Company B. But this doesn’t mean that Company B faces no risk – they are just different risks with different potential impacts on the company. Understanding the different sorts of cloud service that are being or could be used – as well as the types of data involved – are both important in assessing which risks and privacy controls are most relevant.

The combination of different types of cloud computing infrastructure; the sheer scale of computational power and storage; the increasingly complex flows of data; and the greater use of a dizzying range of devices – together they present privacy challenges that simply did not exist even a decade ago.

An example helps illustrate this. ISO 27002 already requires information security awareness, education and training as a necessary control. ISO 27018 extends this to cover the specific privacy issues in cloud services, adding that measures are needed to make staff aware of:

“…the possible consequences on the public cloud PII processor (e.g., legal consequences, loss of business and brand or reputational damage), on the staff member (e.g., disciplinary consequences) and on the PII principal (e.g., physical, material and emotional consequences) of breaching privacy or security rules and procedures…”

A few minutes’ sober reflection by any fiduciary should be enough to consider the import of such measures – but also the value to the organization of complying with them and promoting such compliance as a business virtue. These are not “IT issues”. They go to the heart of good corporate governance and fiduciary responsibility. If you are on a Board or report to one, this affects you.

Tomorrow, I will look in more detail at what the ISO/IEC 27018 Standard has to offer you and those who rely on you.


“We value your privacy” – oh yes? Can you prove it?

How many web sites state baldly “We value your privacy”? If you are curious and decide to click on that little link, buried at the bottom of many a webpage, that says ‘Privacy Policy’, this is one of those over eager phrases that likely awaits you. Jokes abound: “yeah, they value it so highly, they go and make a stash of money off of selling it to others!”. Do you? Do the cloud services that manage your data? Do you know for sure? How?

Imagine you are in a meeting of the Board, or the governing body of any public or private institution, and you want to ask – someone, anyone – what your organization’s privacy policy actually involves. What do you ask? As I quoted yesterday:

“Common agreed Standards help the conversation by, at the very least, providing the right questions that should be asked by fiduciaries.”

The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.

We know that the ISO/IEC 27018 Standard exists (at least from reading this, if not before!); we know that it applies to privacy in cloud-based services and helps protect personal information. You are in the Board meeting and your duty as a fiduciary is to ask questions. How about starting simply with “Do we use ISO/IEC 27018?”. “Yes? Great…” – now what? The CIO, the CTO, the procurement manager, whoever it might be, is telling you that the Standard is used. You are no technology specialist but is it really enough to take their word for it?

Maybe. As a comparison, in a small organization it might be enough to know that the accountant uses double-entry bookkeeping and pays all taxes. In more substantial undertakings, those assertions are checked, audited, internally and often externally – again, using commonly accepted standards.

Back to our Board, and in a similar vein, you will be exercising due diligence by asking more: “what can you show, to a lay Board member like me, that what you say about our use of technology Standards has some weight here?”.

This is where compliance and certification come into the picture. First of all, compliance.

Showing compliance with a standard helps demonstrate an organization’s trustworthiness. Providing current and potential customers the clear signal of compliance with ISO/IEC 27018 is an easy way to confirm that personal information handled by a cloud service provider will be used only as they approve and that it is being held securely. Nowhere is this more important than in the public sector, where government agencies are often subject to stricter obligations to protect information in their care. When it comes to navigating the difficult waters of European Union data protection rules, 27018 also means that customers can count on the provider of the cloud service to help them meet their obligations.

What does compliance involve?

A cloud service’s compliance with ISO 27018 controls means that a customer will know that the service provider:

  • will keep them informed where their data is stored and who is handling it, including all “sub-processors”;
  • will ensure that their staff and contractors are bound by confidentiality agreements and receive appropriate training in handling sensitive data;
  • will not use their personal data for marketing or advertising without their explicit consent;
  • will return, transfer or destroy customer personal data at their request;
  • will help the customer with requests for accessing, correcting or deleting personal data;
  • will notify the customer promptly of any data breach and of the measures being taken to make amends, so that customers can comply with their own obligations to their users;
  • will only comply with legally required requests for disclosure of personal data;
  • will subject their services to independent and regular review.

Customers are sometimes subject to information security rules that restrict where data can be stored.  Because 27018 requires certified cloud providers to inform customers of the countries where their data may be stored, customers will have the visibility they need to ensure compliance with applicable data transfer and public procurement rules. 27018 also requires cloud providers to be upfront about the identities of any sub-contractors they engage to help with data processing before customers enter into a contract.  And if any of this changes, the cloud service provider is required to inform customers promptly to give them an opportunity to object or terminate their agreement.

Some cloud providers use cloud customer data for their own independent commercial purposes, including for targeted advertising.  This worries customers, who often handle sensitive data that shouldn’t be re-used by third parties.  To make sure that the customer is always in control, 27018-compliant providers may not use customer data for their own independent purposes, and cannot use that data for advertising or marketing purposes absent explicit consent from the customer, which cannot be a condition for receiving the cloud service.  The choice should always be with the customers.

Customers are often concerned that cloud services will lead to “lock in”, reducing flexibility and nimbleness over time and creating a culture captive to a single standard, software tool, or system.  ISO/IEC 27018 requires the cloud service provider to implement a policy to allow for the return, transfer and/or secure disposal of personal information, within a reasonable period of time.  In this way, the customer can be confident they won’t be “caught” by lock in.

EU data protection law imposes certain requirements on cloud customers – including to allow individuals whose personal information they hold to access that information, to correct it, and even to delete it. Fulfilling these obligations can be a challenging task where an organization has its data stored in a third party’s cloud. But ISO 27018-compliant providers are required to help customers meet these obligations. This includes offering tools that help customers comply with their data protection obligations to their own end-users – including obligations to allow end-users to access, correct and/or erase their personal information.

ISO 27018-compliant providers must specify how quickly they will notify their customers of an unauthorized disclosure of PII and how they will help their customers fulfil their notification obligations. ISO 27018 also requires cloud service providers to record the type, timing and consequences of any security incidents, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident, etc. – creating a record that will in turn assist customers in meeting their reporting obligations.

Customers can be confident that a 27018-compliant cloud service provider will only comply with legally binding requests for disclosure of their data. In the age of major data breaches and revelations about the role of intelligence agencies, this addresses a real concern. An ISO/IEC 27018-compliant cloud service provider must reject any requests for the disclosure of customers’ personal data that are not legally binding. And if it needs to comply with a legally binding disclosure request (e.g., in relation to criminal investigations), it must always notify the relevant customer, unless prohibited from doing so by law.

Certification, simply stated, is the externally validated proof that something or someone is compliant with a standard. ISO/IEC 27018 certification will help a cloud service provider demonstrate that its cloud privacy policies and practices are robust, and in line with best industry practices. Cloud providers who adopt the new standard may be preferred over cloud providers who lag behind in implementing ISO 27018  – particularly vis-à-vis government customers who are often subject to strict procurement, security and auditing rules.

Getting certified

Organizations won’t certify their compliance with ISO/IEC 27018 directly. Instead, the Standard provides an additional statement of the applicability of ISO 27001 and certification against the controls covered in ISO 27002 and the additional controls in 27018. Certification will therefore still be against ISO 27001 and 27002 – but customers and suppliers alike should be looking in the future to see whether certification covers the additional controls for the protection of PII in the cloud, as set out in ISO 27018.

The new standard helps organizations assess potential risks and proposes additional controls for the protection of personal information that may be stored or managed in a cloud-based service.

The new standard will strengthen privacy by adding key protections for sensitive information stored in the cloud, the so-called “Personally Identifiable Information” (or PII for short). This is the first international privacy standard for the cloud, incorporating privacy controls specifically for cloud services, and will help a cloud service provider demonstrate that its privacy policies and practices are robust, and in line with best industry practices.


Good Governance of Cloud Services – role of privacy standards – Sony, are you listening?

I mentioned in my post yesterday that a 2-page Boardroom Briefing on Privacy in the Cloud has now been released; it looks at the value of the recently published ISO/IEC 27018 Standard. Please take a look and send me any feedback.

In this and the next couple of posts, I want to go into a little more detail on the themes covered in last Friday’s roundtable. Today, I want to explain a little more about the recent ISO/IEC 27018 Standard. But first a little background:

It is rare for international standards to reach the average boardroom – but when they do, it is often not as part of thoughtful planned governance but in reaction to a major problem or disaster. Think of the fallout after Enron and the desire to beef up financial reporting standards. Many standards had been widely available but not so widely used. So when major disaster struck, government regulation was favoured over voluntary conformance using available standards.

Now consider the growing complexity of handling personal information as businesses make ever greater use of cloud computing services: a similar pattern of interventionist regulation may emerge in the area of protection of personal information in the cloud if business is not able to demonstrate that it can, and will, use standards available to it; conform with existing legislation where appropriate; and take the effort to follow good business practices.

Do organizations even know what personal information flows through their systems and services? Who is responsible for personal information? How is it managed, stored, backed-up, audited? To what risk is the organization exposed if there are issues with a cloud service provider? Who is liable? For what? To what extent?

We need look no further than today’s further news of the agonies that Sony must be undergoing in response to the latest wave of attacks on their information systems: there’s an interesting short article over at Forbes, “Can You Guess Who Benefits The Most From Sony’s Data Breach?”, that starts to highlight their plight.

Thankfully, there is help at hand.

The ISO/IEC 27018 Standard is the first global standard concerned specifically with privacy issues in cloud computing. It’s relatively new (published at the end of July 2014) and represents the result of work by a leading group of standards professionals specializing in problems related to cloud computing, information security, and privacy questions.

The standards world is no stranger to information security. Since 2005, the ISO 27001 standard has provided a framework for identifying and classifying information security risks and choosing appropriate controls to address them. It was largely geared to the needs – prevalent at the time – of information systems managed within the clearly defined boundaries of an enterprise. This was before cloud computing really took off. The new ISO 27018 Standard recognizes that as cloud computing services have become more common, organizations are looking to understand how the increased use of such services is impacting their exposure to potential risk, none more so than in the delicate and difficult area of personal information and privacy.

ISO 27018 builds on ISO 27001, itself a comprehensive standard for implementing and maintaining an information security management system; and ISO 27002, which provides a set of policies and controls against which an organization can be certified as compliant. ISO 27001 defines an information security management process and basic requirements which aim to address an organization’s overall business risks by selecting adequate and proportionate security controls.

ISO 27018 enhances existing, more general ISO security standards in two important ways:

  • Firstly, it extends the original set of controls to provide implementation guidance for the protection of PII in cloud services; and
  • Secondly, it integrates key requirements for data processors under the European Union data protection legislation.

ISO 27018 provides additional guidance or specific criteria to ISO 27001; it also adds controls that reflect PII considerations specifically for cloud services. Customers will be able to verify compliance with the ISO 27018 controls by examining documents from a third-party ISO 27001 audit or by reviewing a publicly available letter from the certifier stating that all 27018 controls were included in the scope of the 27001 certification. I will return to the issue of certification in my blog tomorrow.

So what exactly are the benefits of using and following this particular Standard?

It provides guidance to cloud service providers about how they should go about the processing of personally identifiable information of their customers. It is based on six main areas:

  • Consent: cloud providers must not use the data they receive for purposes of their own advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
  • Transparency: Cloud providers must inform customers where their data resides and make clear commitments about how that data is handled.
  • Accountability: The standard asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of PII.
  • Communication: In case of a breach, cloud providers should notify customers and regulators, and keep clear records about the incident and the response to it.
  • Independent Audit: A successful third-party audit of a cloud service’s compliance with 27018 documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations.
  • Control: Customers have explicit control of how their information is used.

No Standard on its own is a panacea. It has to be part of a comprehensive, Board-level led business strategy. As a Director and a Board Chair, I have always seen it as a central part of my function, and that of my peers, to ask questions. So it seems appropriate to leave the last word for today to one of the participants in last Friday’s roundtable:

“Common agreed Standards help the conversation by at the very least providing the right questions that should be asked by fiduciaries.”


Privacy in the Cloud – a role for Standards?

Last Friday, it was my privilege to moderate a roundtable discussion hosted by The Dewey Group in Washington, D.C. with an extremely distinguished panel of speakers:

  • Cameron Kerry, Senior Counsel, Sidley Austin LLP and former General Counsel and Acting Secretary of the United States Department of Commerce;
  • Deborah Hurley, Chair, Electronic Privacy Information Center and Fellow of Harvard University;
  • Ambassador Daniel A. Sepulveda, Deputy Assistant Secretary at the Bureau of Economic and Business Affairs, U.S. Department of State; and
  • Naomi Lefkovitz, Senior Privacy Policy Adviser at NIST

The discussion, together with a couple of dozen participants from across industry and privacy groups, was wide ranging and intense but focused on a number of important themes:

  • growth of the digital economy without a concomitant growth in the governance of digital information and the consequences of its use;
  • growth of cloud computing and the outsourcing of technology;
  • the need for (and limits to) information security coupled with protections from privacy breaches and harm;
  • the role of Standards – particularly in helping the conversations that senior executives need to have with their CTOs and CIOs.

My 2-page Boardroom Briefing on Privacy in the Cloud, released to coincide with the event, particularly looks at the value of the recently published ISO/IEC 27018 Standard.

I will be publishing a series of blogs over the next couple of days that go into a little more detail of our discussions and the themes covered.
