Tag Archives: regulatory compliance

It’s time for a Location Data Code of Conduct: Four Needed Policies

Article first published as It’s Time for a Location Data Code of Conduct: Four Needed Policies on Technorati.

Later this month the European Union’s “Article 29 Working Party” is likely to issue new rules requiring mobile and smartphone providers to treat location-based data as Personally Identifiable Information (PII). Last week, Apple, Google and others testified on the Hill regarding their use—or misuse—of consumer’s location data from smartphones.

minority-report-monitoring_280px-sqWhat is driving the speed and intensity of this regulatory response? A simple fact: location-based data links mineable information context about what you are doing, when and where, in a manner that is explicitly tied to your identity. This is a watershed threat to privacy we have not seen since the commercialization of the Internet (when we had to pay for Internet access).

Providers of smartphones and mobile applications need to realize and proactively manage this. If not, life could quickly become much harder for them. This would not just be bad for providers; if would curtail innovation enjoyed by consumers.

Now is the time for industry to get out in front and establish a Code of Conduct guiding use of location-based data (just as the Mobile Marketing Association did years ago for text messaging). Not only could this head off costly regulation; it could also set the standard for a trusted consumer experience, significantly expanding the location-based service market.

An effective Location-based Data Code of Conduct should include the following policies:

1. Enable users to turn location services on or off easily and transparently

Location-based tracking and promotion is great when people are gift shopping. However, sometimes it is simply an invasion of privacy. This applies equally to the enterprise, as companies don’t want their mission-critical staff to turn off corporate mobile phones to protect their private lives when they are out of the office. Smartphone and mobile app providers need to enable people to turn location-based services on or off. Those who make this easy and transparent will establish market leadership.

2 Manage location-based data with the same fidelity as billing data

Yes, mobile phones have tracked where you were (and when) for years. However, smartphones now combine this with data about what exactly you are doing—in a format that can be mined for targeted marketing, legal discovery, and more. Providers need to treat these data as sensitively as they do with billing data: asking for consent before collection or sharing, encrypting it, guarding it behind firewalls, and anonymizing it for marketing analysis. Those who fail to do this will lose customers and face lawsuits or worse.

3. Require mobile app providers to adhere to the code of conduct

Right now people are “up in arms” because a few very visible, publicly traded companies are keeping their location-based data. Imagine what this will become when hundreds of “fly by night” companies exploit location data for identity theft, targeted burglaries and more? Industry needs to create an App Store-agnostic, straightforward certification program for location-based app providers. This will create the same trust needed for location services growth that similar self-policing programs did for eCommerce and mobile marketing.

4. Let customers request anonymization of their location data

Consumers are already worried about their online data be stored forever in search engines. However, search engines can only crawl data actively posted. Location-data is collected passively; removing the conscious “should I post this” moment. As a result, consumers face a Hobson’s Choice on consumers: do I forgo location services or permanently lose privacy? Providers need to enable customers to request anonymization of all stored location data. This process can be balanced (e.g., linked to continued service use). However, it must exist.

Location-based services are enormously exciting and present an unimagined range of applications for commerce, logistics, medicine and more. A smart Location Data Code of Conduct will enable all of use to exploit this innovation safely, profitably and effectively.

Article first published as It’s Time for a Location Data Code of Conduct: Four Needed Policies on Technorati.

“PII” also means “Privacy is important”

In the technology industry, “PII” stands for “Personally Identifiable Information.” However, anyone who provides technology to customers should also think of it as standing for “Privacy Is Important.” Two important events this week—one regarding Google and one regarding Facebook—underscored the importance of this and served as reminders of how important protection of privacy is to mainstream adoption of technology.

Protection of privacy has proven vital to technology adoption

security-icon-bigFrom its inception, use of Information Technology (IT) presented the potential for enormous productivity and convenience benefits. However, this potential was not realized on a widespread basis until technology companies packaged technology into products that were 1) easy-to-use and 2) safe-to-use.Everyone remembers that making technology easy-to-use is vital to success. Fewer remember that making it safe-to-use if vital to making it a success on a ubiquitous basis. However, one only has to look at a few examples to see how important protection of privacy and security has been to the widespread adoption of IT:

  • “Techies” were happy using the World Wide Web to browse for content. However, mainstream use by families did not occur until Parental Controls became readily available.
  • Consumers were comfortable using the Browser to look for information. However, they not comfortable using it for commerce until use of SSL and multi-step authentication became standard.
  • Companies were interested in using mobile devices to provide greater productivity to their staff. However, they did not do this on a widespread basis until they had access to enterprise technology that enabled them to fully control mobile access to company data.
  • Students widely enjoyed sharing information about themselves on social networks. However, the broader public was not comfortable doing this until companies enabled social network members to control who could see their information.

This is because your identity is your most important asset in an information economy

These are just a few examples. However they underscore the importance of enabling people to protect their identity and personal information when using connected (i.e., online and mobile) information technology. This is because of circular phenomenon:

As use of IT has become more widespread, we have become an Information Economy. In an Information Economy, who we are—and what we know—is our most important asset. Protection of this asset is paramount to each person’s value. As such, the ability to protect the privacy of our information vital for continued expansion of the technologies enabling our Information Economy.

Two events this week highlighted sensitivity to privacy

Two rather public, albeit very different, events this week highlighted our sensitivity to protection of privacy and PII:

Google announced their successful defense of Gmail accounts to penetration attacks origination from IP addresses in China. This led to reinforcement of their commitment to protecting Gmail accounts in pursuit of their mission of making information useful; something met with broad mainstream approval.

At CES, Facebook suggested that consumers “no longer cared about [their] privacy.” While on face value this appeared to marginalize the importance of privacy, upon more care reading it actually highlighted the importance of enabling people to control sharing of different levels of information for distinct purposes.

These remind us what we need to do to protect privacy and PII

These two events—and the reactions of everyone from technologists to reports to mainstream consumers to them—serve as a reminder of what we need to do to protect privacy and foster widespread adoption of technology:

  1. Assume all information you customer provides you is private unless explicitly told otherwise.
  2. Secure access to this information—both with technology and policies for access control
  3. Enable your customers to determine who can see what information about them and when and how they can see it.

If you do this, you customers will feel safe and comfortable using your technology (for more thoughts on this, see my prior post on “Creating Safe Environments for Staff and Consumers.”) This will leader to wider and deeper adoption of it and growth of your market. (It is also, quite simply, this is “the right thing to do.”)

Are we approaching the point where this needs to be a global standard?

The rise of the Internet increased use of IT in everyday life several thousand-fold. The rapid adoption of more and more powerful smart phones (and their connectivity to everything from bank accounts to corporate systems to social networks) is increasing our connectivity (and access to private information) even faster.

As such, it may be time to create simple, but effective overarching standards for general protection of PII. (Similar but what the US government did for health care with creation of the Privacy Rule in HIPPA Part II in 2003.) The benefit of this is that all consumers would have much greater trust in their privacy, leading to increased adoption of IT—regardless of vendor or application. The price would be industry-wide increases in cost due to compliance and validation. The trick would be to develop a standard that encourages the right outcomes—without unduly restricting speed and innovation.