Evil, or just different

31.01.2012 by Dave Kearns

Well that didn’t take long.

Less than a week after I predicted that “2012 could be a very good year for privacy,” Google announced a new privacy policy, one which would apply across almost all of its services. Far from being seen as a good thing, though, the initial reaction was a large outpouring of grief by the privacy community. Even the general media portrayed the move in a dark light.

The Washington Post, for example, was quick to point out that “A user signing up for Gmail, for instance, might never have imagined that the content of his or her messages could affect the experience on seemingly unrelated Web sites such as YouTube.”

Some of the headlines for the stories about the change:

  • Google Privacy Change Provokes Outrage (Information Week)
  • Use Google? Time to Get Real About Protecting Your Digital Self (The Atlantic)
  • How to close your Google Account (The Washington Post)
  • Google’s New Privacy Policy Raising Questions in Washington (AdWeek)
  • Google changes privacy policy to make the company one big product (VentureBeat)
  • Google Changes Again, Launches One Privacy Policy to Rule Them All (Mashable)
  • Google’s new privacy policy: Is this war? (KPCC radio)
  • Big Brother? Google’s new privacy policy creates one massive database (Tecca)

And there’s many more just like them.

Common Sense Media claims to be “…dedicated to improving the lives of kids and families by providing the trustworthy information, education, and independent voice they need to thrive in a world of media and technology.” Their chief executive, James Steyer, was quoted in the Washington Post article as saying: “Google’s new privacy announcement is frustrating and a little frightening. Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”

Of course, everyone does have the option to “opt out,” by not using the service. Well, there is another way, which I’ll tell you about later.

Not all of the media was negative, though. Forbes magazine noted in its headline: “Internet Freak-out Over Google’s New Privacy Policy Proves Again That No One Actually Reads Privacy Policies”.

Google isn’t going to be collecting any more, or any different, information with this policy change. As explained in a Google blog entry (by Alma Whitten, Google’s Director of Privacy, Product and Engineering): “…we still have more than 70 (yes, you read right … 70) privacy documents covering all of our different products. This approach is somewhat complicated.” So the company is taking 60 or so of them (the others have legal reasons to be kept separate) and rolling them into one which “…covers the majority of our products and explains what information we collect, and how we use it, in a much more readable way.”

As a consequence of this, the new policy “…makes clear that, if you’re signed in, we [i.e., Google] may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products.”

Again, nothing new will be collected; it will simply be amalgamated into one record rather than 2, 5, 15 or more under the current policy. Will this help users, or hurt them?

The jury is still out on that, of course, but I personally believe it will help many more people than it might possibly hurt. The telling point is who gets to see that accumulated data.

As the above cited blog post notes, “We remain committed to data liberation, so if you want to take your information elsewhere you can. We don’t sell your personal information, nor do we share it externally without your permission except in very limited circumstances like a valid court order. We try hard to be transparent about the information we collect, and to give you meaningful choices about how it is used.”

Ah, so how will it be used?

Generally, Google’s critics and the company itself agree that the data will be used to personalize your experience across the multiple Google platforms (search, Gmail, Google+, YouTube, Android, etc. – each of those “70 plus” privacy policies referenced earlier refers to a different service/platform). Some see that as, well, in Gizmodo’s words: “The End of ‘Don’t Be Evil’.”

Google, though, thinks this will – for the great majority of its users – improve their on-line experience and improve it dramatically.

Not only will the search engine know more about what you’re searching for (if you enter “Jaguar” as a search term, do you mean automobiles or wild animals?), but it can tailor the advertising you see (and you will see advertising) to your tastes and desires. So if I enter “Mannequin Pis” as a search term (or to find pictures) I might see that priority is given to the famous Brussels statue or it might be to the restaurant in Olney, Maryland (about 10 miles from my office). The deciding point might be where my Android phone indicates I’m located at the time I search.

Some people find that “creepy.” I’m not one of them.

For twenty years I’ve been waiting for a personalization service like this. It was one of the reasons I became so interested in directory services and, later, identity services. It’s the promise of being my personal assistant, in theory, that’s finally being delivered.

One example that Google’s Whitten points out: “We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day.” She could have added that emails could be automatically sent to the others scheduled for that meeting letting them know you would be late – and actually reschedule the meeting knowing what their calendars look like and approximately how long it will take you to get to the office. I find that to be an excellent use of technology. If it also means I’ll see more ads for cruises, antiques and restaurants (things I’m interested in) and fewer for shoes, fast food and skiing (which I’m not interested in) then I consider that a plus.

Now, if Google was going to package this information and distribute it to its advertisers or sell it to other third parties to do so, then I’d be in the forefront of those protesting – and I’d quite possibly be looking to replace those Google services I do use. But they aren’t. Google’s policy regarding this data stays the same, “We don’t sell your personal information, nor do we share it externally without your permission. [emphasis added]” No one has ever shown that Google violates this pledge.

Forbes’ Kashmir Hill sums it up best, I think: “When Google starts bundling everything it knows about its users and selling that to insurance companies, background check companies, and the Department of Homeland Security, that’s when I’ll trot out the ‘evil label.’ But using information from Gmail to suggest more appropriate YouTube videos or reminding an Android smartphone user that they have a Google calendar appointment in a half hour on the other side of town doesn’t strike me as the work of Lucifer.”

I did promise you a way to stop Google from amalgamating all of your data, didn’t I? It’s quite simple: just create separate accounts for the services you want to keep separate – Gmail, YouTube, Picasa, what have you. Google can’t force you to put every service under one account, so you can do this to maintain relative privacy – just remember which accounts cover which services!

In other privacy news, the EU has proposed updated regulations covering data breaches and the mishandling of personal information. Companies could face penalties as high as 2% of their yearly global sales (not just EU sales) but, on the plus side, companies would now only have to deal with the privacy agency of the country they’re headquartered in rather than face all 27 EU data-protection agencies. So, stricter rules, bigger “teeth” in the law but easier compliance – it’s too soon to tell if this is a plus or a minus – and for whom.

Finally, a new debate is starting in the US about privacy and healthcare. Some have proposed what’s called a universal patient identifier, or UPI – a single unique health-care identification number for every inhabitant. This would be very useful for doctors, emergency workers, hospitals, pharmacists – and patients. Proponents say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. Privacy activists say the data would be collected and sold to third parties, causing a rise in distrust of the medical profession and a deterioration in care. Expect this debate to go on for quite some time.

Here at KuppingerCole we’ll be following these issues – as well as all identity privacy issues – as they play out round the world.


2012 – Another one like the other ones

17.01.2012 by Dave Kearns

Happy New Year! At least, I sincerely hope the new year will be a happy one. But – at least in the Identity and Access marketplace – I fear it will be more of the same with banner headlines touting security breaches, insider scams and worse. Without further ado, here’s what my crystal ball sees coming down the pike in 2012.

Phishing ramps up, especially spear-phishing
Phishing is the hacker’s “art” of getting authentication and/or identity information through social engineering methods. Typically this is done via email (for example, telling you to click a link to keep your bank account credentials updated) but can also be done by means of social networking sites (such as Facebook or Twitter). Spear-phishing is typically a combination of the two, when company information is harvested from, say, Facebook or LinkedIn then people in that organization are targeted via email. This was the method used for the RSA breach which has now been attributed to persons acting on behalf of a nation-state (rumored to be China, but no “smoking gun” has been revealed).

Standard old-fashioned phishing, due to its “scatter-shot” nature, is fairly easy to combat with email security apps. Bayesian filters, originally developed to keep spam out of your inbox, can be equally effective with the phishing emails which are usually about bank accounts, on-line retail accounts or other sites where credentials and/or credit card numbers can be expected to be found. Typically, the email recipient is re-directed to a fraudulent web site made to look like the legitimate one, or given an attachment with the email described as a form to fill out (with loads of identity information requested) which must be submitted in order to “regain access” to the site in question.
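The Bayesian filtering mentioned above is simple enough to show end to end. The following is an added example, not code from the original post or from any mail-security product it mentions: a minimal multinomial naive Bayes classifier with Laplace smoothing, trained on a handful of constructed messages (the training corpus and the two sample messages are made up for illustration, not real mail). It scores a new message with a phish probability and, more usefully for a defender doing triage, lists which tokens pushed the verdict, which is what lets a mail-security team see that “account”, “verify”, “link” and “password” are doing the work rather than trusting a bare score.

```python
"""Added example: a minimal naive Bayes phishing filter (illustrative only)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case a message and split it into alphanumeric word tokens."""
    return TOKEN_RE.findall(text.lower())


class BayesianFilter:
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing."""

    LABELS = ("phish", "ham")

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.token_counts = {label: Counter() for label in self.LABELS}
        self.doc_counts = {label: 0 for label in self.LABELS}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.token_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def token_log_prob(self, token, label):
        """log P(token | label); smoothing keeps unseen tokens from zeroing a class."""
        total = sum(self.token_counts[label].values())
        smoothed = self.token_counts[label][token] + self.alpha
        return math.log(smoothed / (total + self.alpha * len(self.vocab)))

    def log_posterior(self, tokens, label):
        total_docs = sum(self.doc_counts.values())
        score = math.log(self.doc_counts[label] / total_docs)  # class prior
        return score + sum(self.token_log_prob(t, label) for t in tokens)

    def phish_probability(self, text):
        tokens = tokenize(text)
        lp = self.log_posterior(tokens, "phish")
        lh = self.log_posterior(tokens, "ham")
        # Normalise in log space so long messages do not underflow to 0.0.
        m = max(lp, lh)
        return math.exp(lp - m) / (math.exp(lp - m) + math.exp(lh - m))

    def classify(self, text, threshold=0.5):
        return "phish" if self.phish_probability(text) >= threshold else "ham"

    def top_indicators(self, text, n=5):
        """Tokens with the largest phish-vs-ham log-odds, for triage and explanation."""
        odds = {t: self.token_log_prob(t, "phish") - self.token_log_prob(t, "ham")
                for t in set(tokenize(text))}
        return sorted(odds.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed training corpus (made up for this example, not real messages).
PHISH_TRAINING = [
    "Urgent: your account has been suspended. Click the link to verify your password and restore access.",
    "Your bank account will be locked. Verify your credentials now at the link below to keep access.",
    "Security alert: unusual login. Confirm your password immediately by clicking the link.",
    "Your payment failed. Update your credit card details at the link to avoid suspension.",
]
HAM_TRAINING = [
    "Reminder: the project status meeting moves to 3pm Thursday in the main conference room.",
    "Attached are the meeting notes from yesterday. Let me know if I missed anything.",
    "Can you review the draft of the quarterly report before Friday? Thanks.",
    "Lunch on Friday to celebrate the release? The team suggested the Thai place downtown.",
]

# Constructed messages to score (not real mail).
SAMPLE_PHISH = "Your account has been locked. Click the link to verify your password now."
SAMPLE_HAM = "Can we move the status meeting to Thursday and review the report draft?"


def build_filter():
    """Train a filter on the constructed corpus above and return it."""
    f = BayesianFilter()
    for msg in PHISH_TRAINING:
        f.train(msg, "phish")
    for msg in HAM_TRAINING:
        f.train(msg, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in (SAMPLE_PHISH, SAMPLE_HAM):
        print(f"{f.classify(msg):5s} p={f.phish_probability(msg):.4f}  {msg}")
        print("  indicators:", [t for t, _ in f.top_indicators(msg)])
```

The scatter-shot nature of mass phishing is exactly why this works: the same “verify your account” vocabulary recurs across campaigns, so even a tiny corpus separates the two classes cleanly. The same property is also its limit, and the reason the post’s next point stands: a spear-phishing message written in the target’s own business vocabulary (“2011 Recruitment Plan”) has few such tokens, and a filter trained this way will score it as ham.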

More recently, the attachments have included a Trojan-like payload which is insinuated onto the recipient’s computer when the attachment is opened and this is the preferred method for spear-phishing attacks. For example, the RSA attack was an email with the subject “2011 Recruitment Plan.” Attached was a spreadsheet titled “2011 Recruitment plan.xls.” The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (since corrected by Adobe).

It’s extremely difficult, if not impossible, to automate a defense against spear-phishing. Draconian measures would be needed such as forbidding employees to put company information on social networking sites or quarantining all email with attachments. The only effective measure in combating these types of attacks is user education. It’s expensive, it’s time-consuming and it’s less than 100% effective. In the RSA case, the infected employee retrieved the spear-phishing email from their trash folder!

Your money is better spent in strengthening protection on your valuable assets. Data encryption, for example, could have saved quite a few companies embarrassment in 2011, such as security consultant STRATFOR. Vow right now to encrypt all valuable data and all identity data for your organization.

New buzz words and phrases
A buzzword you may or may not hear, but that you will surely be a target of, is “cloudwashing.” By this is meant the effort by vendors to associate all of their products with “the cloud” as in cloud-based computing. Whether or not the product has anything to do with cloud-based computing it will, nevertheless, be touted as somehow enabling or protecting cloud data, access, configuration, or what have you. Don’t take their word for it; ask them to demonstrate these cloud properties before you buy. While the cloud is evolutionary, not revolutionary, it still has some unique requirements in the areas of identity and security that need to be properly addressed by apps and services designed specifically for that use – not ones which only had their marketing brochures reprinted.

We first heard about BYOD (Bring Your Own Device) in 2011 in regard to employees wishing to add connectivity to the corporate network for their iPhones and iPads. 2012 will also see them wanting to connect their Android devices (phones and tablets) so that they can do the organization’s business “their way.” While your first thought might be to resist this effort at all costs, that “cost” could be your job. Your boss, and his boss, all the way up, will want to use their own devices (which are probably more powerful than the company-issued ones). Instead, start working now on how to safely allow them to attach to the network. Make it part of your provisioning process, so that you can quickly and easily de-provision them when the need arises – which it will, as devices become lost or stolen and employees come and go. The concept of BYOD isn’t new (I was first approached by a marketing VP with such a request back in 1987), but the emphasis is about to become dominant.

All new attack vectors, now with bright, shiny things
Malware, and malware purveyors, continually evolve. 2012 won’t halt that trend. I mentioned above the spear-phishing attacks, such as the one against RSA, which delivered a malware payload as an attachment to email. That’s a trick used in more generalized phishing, also, but the more common method is to phish someone into clicking a link to a website (which might be disguised as one trusted by the target user) where a payload is surreptitiously attached to the target’s computer. But these attacks require the target to either open an attachment or click on a link that, hopefully, an educated user would recognize as a phishing attempt. So the hackers and crackers are developing new attack vectors.

One of the more insidious is to attack advertisement servers (such as Google’s DoubleClick service), either through “traditional” hacking into the server or by spear-phishing people with access to the server. These sophisticated attacks (see one description here) are hard to track down because they can be delivered from any site which uses ads from that server while the malware isn’t delivered with every ad request. You might think you got infected at funnykatz.com, but if you go back there you’ll find no evidence of something bad downloading to your machine.

Good, up-to-date anti-malware services should be installed for all users, but better education of those who have access to the powerful machines in your domain is also required. It’s really best to lock the door before the horse has a chance to wander outside!

Finally, the good news
It isn’t all gloom and doom for 2012, I feel. There will be decided improvements on the privacy front. Not a complete victory, by any means, but an improvement.

The concept of Privacy Enhancing Technology (PET) isn’t new. It was defined almost 10 years ago in “Handbook of Privacy and Privacy-Enhancing Technologies” as “…a system of ICT measures protecting informational privacy by eliminating or minimising personal data thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system.” Microsoft’s recently acquired U-Prove technology is a current example. I think we’ll see more of technologies like this in coming software offerings because of another “overnight sensation” that was many years in the making.

Way back in the last century, Dr. Ann Cavoukian came up with the concept of “Privacy by Design.” Here’s how she described it:

“Back in the ’90s, it was clear to me that the time was upon us when legislation and regulation would no longer be sufficient to safeguard privacy. In my view, with the increasing complexity and interconnectedness of information technologies, nothing short of building privacy right into system design could suffice. So I developed the concept of Privacy by Design (PbD), to describe the philosophy of embedding privacy proactively into technology itself – making it the default.”

In other words, privacy shouldn’t be the icing on the cake, put on after the cake cools. It should be a major ingredient baked right in from the start.

Consider Facebook. A typical week or month at the social networking site goes like this:

  1. Facebook rolls out a re-design or a new feature to “enhance the user experience” (in reality, to enhance the advertiser’s experience);
  2. Privacy advocates discover all sorts of hidden flaws;
  3. Facebook scrambles to make corrections;
  4. Repeat.

Now that Dr. Cavoukian is the Privacy Commissioner for Ontario province in Canada a lot more people are paying attention to Privacy by Design and encouraging software vendors and service providers to incorporate the philosophy into their work by building in privacy from the start. Pressure from the growing privacy community will force the vendors to comply. 2012 could be a very good year for privacy.

In order to “accentuate the positive,” I’ll be hosting a webinar on January 26 on the subject of Privacy by Design. Joining me will be Dr. Cavoukian to explain the concept; Michelle Dennedy (Chief Privacy Officer at McAfee), creator of the iDennedy Project and author of the “Privacy Matters” blog; as well as a surprise guest from the vendor community. Please join us for this fascinating topic.



© 2012 Dave Kearns, KuppingerCole