2. Trust
Fostering Trust in Digital Engagement is as much about HOW you build your system and company development culture, as it is about WHAT you build
1 February, 2016 copyright Krowdthink Ltd 2016 2
3. Krowd App
• Privacy Preserving Hyper-Local Digital Engagement app (based on Wi-Fi)
• Built in a Trust Framework
• Connects People in Places
– Just needs real-time co-location validation
– Does not Know your Location
• Discover who is here
– Pseudonymous Identity
– Self-Profiled – Location-oriented Persona
• Engage with the crowd
– Share what’s happening right here right now
– What’s said in the Krowd stays in the Krowd
• Defaults to Chatham House Rules
4. Cyber Security = Trust?
• Important to secure Economic Activity
• UK Gov investing £1.9Bn Cyber Security
• Does Cyber Security address Trust?
– It's an arms race
• Does a cyber security commitment mean a company respects privacy?
5. What is Privacy?
• Principle
• Law
• Value
• Privacy Implementation
• Our Definition
6. Privacy: Principle
• Basis of US Privacy Law
• Basis of EU Data Protection Act
• Basis of new EU General Data Protection Regulation (GDPR)
7. Privacy: Law
• Human Rights
• USA
– Defined by the online service provider!
• Enforced by FTC
– EU Safe Harbour
• EU
– Data Protection Act
• Enforced by citizen’s ICO
– New GDPR
• Enforced by ICO of any EU country
Informed Consent
10. Privacy Implementation
• 7 Principles of Privacy by Design
1. Proactive not Reactive, Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – positive Sum, not Zero Sum
5. End-to-end Security – Full Lifecycle Protection
6. Visibility & Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric
• Underpins the GDPR
11. Krowdthink App Dev Principle for Privacy
• Every Digital Citizen has a different perspective on what privacy is…but….
– We can all agree on when it’s breached..
• “When the Information I provide is used for a purpose other than that for which it was understood to be provided”
12. Quick Trust Poll
• How many of you consider your mobile service provider to be basically trustworthy?
– Who knows that they opted in to share continuous (cell tower) location & movement data for commercial/marketing purposes?
– Who knows that they opt-in to location tracking via Wi-Fi for commercial/marketing purposes?
• How many of you have lowered your Trust in the Mobile provider now knowing how they sell your location & movement data?
14. Transparency for Anonymization
• USA – HIPAA
– Health data released after provably below 0.04% de-anonymization risk
– Low dimension data
• Why not for Location Data?
– It’s at least as sensitive as health data
• as defined under the Data Protection Act
– High dimension data
– 4 location data points to de-anonymize location
• With 95% accuracy
15. Reluctant Digital Sharers
• Pew Research (USA) - 2015
– 59% have recently cleared cookies
– 57% refused to transact data when relevance unclear
– 25% have used a temporary username/email
– 24% given deliberately inaccurate data
– 23% refused to engage if real identity needed
– 10% encrypt calls or emails
– 9% use anonymous web browsing (Tor etc)
• Mobile Ecosystem Forum Consumer Trust Study 2015
– 30% growth, 2014 to 2015, in reluctance to data share
• 50% specifically highlight browsing and location data
• Explosion in Growth of the Ad Blocker
– 82% growth 2014-15 in UK – 12m UK active users June 2015
16. The Sharers Desire
• Pew Research (USA) - 2015
– 93% of adults say that being in control of who can get information about them is important
– 90% say controlling what information is collected about them is important
– 93% say ability to share confidential matters with another trusted person is important
19. Online Trust Definitions
Social
An attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited
Business
Confidence that the value exchange is fair and equitable and that loss of trust drives an equivalent/proportional consequence on both parties
Bit on my background – comp sci grad 30 years ago, worked on natural lang understanding systems and real-time systems
Sponsored by Marconi Comms – wrote layer 2 of the 1st broadband – X.25 for BT's Kilostream product – 128kBits/sec!
Went commercial – introduced 1st commercial RTOS to UK for a US startup, ended up VP Europe, thru acquisitions, ended up in California product managing a sw tools dev team of 300 from 5 company acquisitions, with a 10 man product management team. That product now acquired by Intel as their IoT toolchain!
Moved back to UK and worked for many high tech innovation companies especially in large scale data centric systems design.
But – nothing motivated me more than when my daughter asked for a Facebook account….leading to the question my wife asked – “What’s the Alternative?”
Note the title change – trusted to trustworthy – it's important and we’ll come back to why later.
If you listened to the government, if we just added more security, people would trust their digital service providers more.
True – but does it solve the problem?
Security is an arms race we can never win
Is it right to equate security to trust? No! It's an important foundational building block but that’s all. Trust in digital engagement is about something more.
Are we being let alone if our every move is tracked?
Today we offer up our Consent, but is the average citizen informed?
USA – no regulation, birth of the privacy policy – it's all the FTC can enforce!
EU – DPA – changes in enforcement
Sensitive data will probably include genetics – same level of sensitivity as location is currently afforded
Consent will be more rigorously defined – no more ‘legitimate interest’ catch all. Be specific.
More citizen rights – delete, portability, tighter definition of what’s personal – data, meta-data, derived data?
Big change – FINES – 4% global turnover – changes the game completely – now it’s a massive corporate risk, not a legal/IT process issue, the ICO will become an indirect tax resource not a cost to government!
Without control of privacy as individuals, we give up our right of freedom
This is no less true for a digital citizen than it is for a citizen of a nation; digital citizens are subject to the commercial imperatives of their service providers
Commercial law – the responsibility to create a profit trumps privacy legislation
In 1997 the prospective ICOs for the upcoming DPA got together and realised that the Internet was going to create a privacy problem beyond their control. So they created these 7 principles that they hoped commercial companies would follow to help ensure that control was not lost….it never happened, US legislature decided not to regulate the Internet.
But in 2010, as the full awareness of the issues was becoming clear for internet privacy, the ICOs got together and formally adopted PbD and it became a founding principle for how to assess the GDPR, the regulation that was being created to rebalance the empowerment of the individual citizen with control over their digital selves. Only now are we seeing the UK ICO starting to push these principles into business.
Think up front before you write your first line of code
If you get this right you won’t have privacy settings in your application! The more privacy settings an app has the less likely it is that it respects your privacy
Architect privacy in, don’t try and bolt it in later, it won’t work
No need to compromise on functionality, there is always another way – a privacy preserving way
No security no privacy online, it has to be part of your coding culture
If you do it right you should be open for inspection – it can only help you keep your customers' trust and respect as you respect their privacy
Always put the customer before the needs of your business – this is the hardest one of them all….current culture drives compromise of privacy for monetary gain
When we adopt a new app or service we have to start with Trust. Mostly because almost no one reads the privacy policy or understands it in detail.
Consumers told all safe – it’s anonymized – they think it's black or white, anonymous means totally safe…it is not.
The safer or more privacy respectful the algorithm is, the less value is left in the data….what do you think commercial entities choose? After all when was any of them challenged legally?
Their first responsibility is to shareholders – and data = profits in the Internet economy
When Facebook releases a new privacy intrusion feature, such as the automated name tagging of pictures through facial recognition, what happens?
Media gets up in arms, users get annoyed, BUT
Digital Engagement Increases! We are not by nature nice – people tend to enjoy the discomfort of others! Until they experience the discomfort visited upon them.
Facebook then backs off from the media attention and user grabbing activity a bit, enough to appease media and most irate users, but also not enough to
Lesson one – people are selfish – it’s a survival instinct and a good one.