Privacy Of Data
A Business Perspective
Tom Rosamilia
Vice President, World Wide Data Management Development &
General Manager, IBM Silicon Valley Laboratory
Privacy Is Headline News
 “Privacy #1 issue in the 21st Century”
   – Wall Street Journal, January 24, 2000
 “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
   – Forrester Research, March 5, 2001
The Need For Privacy
 Consumer Concerns
   – About collection, use and sharing of information
   – Privacy grows as a global issue
 Business Initiatives
   – Integration of services, M&A, strategic partnerships need coordinated
     integration of privacy infrastructure
   – Organizations identifying new business models to leverage the internet
 Public and Organizational Policy
   – Rise of U.S. and worldwide regulation
   – Rise of legal proceedings against businesses
 Expanding Markets, IT Infrastructure
General Privacy Concerns
 Profiling
   – Cookies, Web Bugs, Spyware
 Surveillance
   – LBS, CCTV, Biometrics
 IT Insecurity
   – Trojan Horses, Viruses, Bugs, Hackers
 New Technologies
   – Data Mining, Knowledge Management, Pervasive Computing, Life Sciences, Virtual Enterprises
 Pestering
   – Junk Mail, Spam, Undesired Customization
 Fraud
   – Identity Theft, Electronic Fraud
 Loss Of Control
 Loss Of Self-Determination
 Discrimination
Security Incidents On The Rise
 [Chart: security incidents per year, 1995 to 2002; vertical axis from 0 to 90,000]
 Source: CERT/CC Statistics 1995-2002
The Cost Of Computer Crime
 Total Annual Losses ($M)
   – '97: 100
   – '98: 137
   – '99: 124
   – '00: 265
   – '01: 378
   – '02: 456
 Source: 2002 CSI/FBI Computer Crime and Security Survey. 2002 survey based on responses from 503 security computer practitioners. 80% of respondents reported losses, only 40% could quantify
 Most serious financial losses occurred through theft of information and financial fraud.
Privacy Post 9/11
 Public safety, security, critical infrastructure dominate
 privacy concerns

 Increased willingness to grant governments access to
 personal data

 Nothing changed regarding privacy and business
   – No reduction in consumer expectations
   – Increased value of trusted relationships

 Increased technical requirements
   – Privacy needs information security
       • Without proper privacy controls, personal data can be exploited
         by criminals
 Privacy on and off the Internet: What consumers want, November 2001
Consumers And Privacy
How do consumers feel?
 Most People Are "Privacy Pragmatists" Who, While Concerned about Privacy, Will Sometimes Trade It Off for Other Benefits
   – 1999: Unconcerned 22%, Pragmatist 54%, Fundamentalist 25%
   – 2003: Unconcerned 10%, Pragmatist 64%, Fundamentalist 26%
 Consumers have lost all control over how personal information is collected and used by companies - 69% agree
 Most businesses handle the personal information they collect about consumers in a proper and confidential way - 54% disagree
 Existing laws and organizational practices provide a reasonable level of protection for consumer privacy today - 53% disagree
 Source: The Harris Poll® #17, March 19, 2003
Cost Of Privacy Concerns
No Privacy = No Sales
 “Concerned consumers shop less - 61% of Internet users refused
 to make a purchase online because of privacy fears.”
   Alan F. Westin, Jan 2000


 “Consumer privacy apprehensions continue to plague the Web …
 these fears will hold back roughly $15 billion in e-Commerce
 revenue.”
   Forrester Research, Sep 2001


 “Privacy and security concerns could cost online sellers almost
 $25 Billion by 2006”
   Jupiter Research, May 2002
Privacy Regulations
Misconceptions And Realities
  Myth: Offline data storage, handling and sharing practices are not high
  priorities for privacy regulation and litigation
  Reality: These areas are covered in regulations around the world

  Myth: Cost of compliance is insignificant
  Reality: Costs estimated at $5-$12 million for medium sized businesses,
  and $75+ million for larger businesses, esp. financial & health care.

  Myth: Companies not responsible for privacy practices of affiliates
  Reality: Accountability applies to business contractors & outside agents

  Myth: Privacy concerns only B2C business
  Reality: Privacy, confidentiality and secrecy rules apply to B2B and B2C
  (esp. employee related privacy risks)

  Myth: Privacy is pure cost, with no tangible economic value
  Reality: Proper privacy risk management is becoming a competitive
  advantage in some circles (see companies like eLoan, AMEX, Expedia)
Risks Of Not Addressing Privacy
 Legal Risks
   – Fines, lawsuits, imprisonment, ...
   – Seizure of files and data
   – Injunctive measures (e.g. blocking of data flow)
 Business Risks
   – Damage to reputation, public/consumer trust
   – Press “goes negative”, brand name tarnished
   – Loss of business products and opportunities
   – Inability to transfer data across national boundaries
   – Loss of customers and market share


Privacy blowouts hurt the business bottom line!
Privacy Blowouts
The Cost Of Mistakes
 Eli Lilly Prozac Email Incident
   – FTC settlement, lasts 20 years
   – State fines
 Microsoft Passport
   – FTC settlement
   – Fines if broken ($11K per incident)
 Doubleclick
   – Class action, FTC, $400K states
 Ziff Davis
   – Exposed credit cards on the web
   – Identity theft resulted, $125K to states
 Toysmart
   – Privacy promises survive bankruptcy
The Business Case For Privacy
A Competitive Advantage
 Trust, Consumer Confidence, Customer Loyalty, Competitive Advantage
 Having a reputation for being a privacy positive company can drive business – it can become a key business differentiator.
 Privacy should be viewed as a business issue, not a compliance issue
Need for Technological Solutions
 Technology alone is insufficient…
 Consumer Concerns, Business Initiatives, Laws & Org Policies, Expanding Markets
 PRIVACY
   – Business issue
   – Not a compliance issue
   – Build it in up front
   – A competitive advantage
 But we can change ingredients and improve overall quality of solution.
e-business on demand
 Retail, Telecom., Gov’t., Finance, Mfg., Insurance, +++
 Customer / Partner Applications
   – Customer Relationship Mgmt., Enterprise Resource Planning, Product Lifecycle Mgmt., Value Chain Mgmt.
 Middleware Integration Platform
   – Application Integration Layer
 Information on demand
   – Access, store, manage, analyze, integrate & distribute
Hippocratic Databases
 Vision: Database systems that take responsibility for the privacy of data they manage, while not impeding the flow of information.
 Key privacy principles derived from principles behind current privacy legislation.
 Our design shows how databases can support these principles.
 Prototype of core functionality.
 Architecture diagram components:
   – Privacy Policy: Privacy Metadata Creator
   – Data Collection: Privacy Constraint Validator, Data Accuracy Analyzer, Audit Info
   – Queries: Attribute Access Control, Query Intrusion Detector, Audit Info
   – Other: Data Collection Analyzer, Data Retention Manager
   – Bottom row: Privacy Metadata, Audit Trail, Store, Record Access Control, Encryption Support
Hippocratic Database Support for
The Principle of Limited Use
 Principle of Limited Use: The database shall run only those queries that are consistent with the purposes for which the information has been collected.
 1. The financial people cannot access medical records.
 2. The physicians can access medical records for treatment purpose.
 3. The public-affairs person can only see records of patients who have “opted in” for research purpose.
 Diagram components: Queries, Attribute Access Control, Privacy Metadata, Store, Record Access Control
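The three limited-use rules above, enforced from a privacy metadata table, as an added example that is not from the slides or the IBM prototype. The schema, role names, purpose names and the `run_query` helper are assumptions, the patient rows are constructed, and SQLite stands in for DB2.

```python
import sqlite3

def build_db():
    """Constructed sample data plus hypothetical privacy metadata."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT,
                             balance_due REAL, research_opt_in INTEGER);
        INSERT INTO patient VALUES (1, 'Alice', 'asthma', 120.0, 1),
                                   (2, 'Bob', 'diabetes', 0.0, 0);
        -- One row per (role, purpose, attribute) that may be read, with an
        -- optional record-level condition.
        CREATE TABLE privacy_metadata(role TEXT, purpose TEXT, attribute TEXT,
                                      row_filter TEXT);
        INSERT INTO privacy_metadata VALUES
            ('finance', 'billing', 'name', NULL),
            ('finance', 'billing', 'balance_due', NULL),
            ('physician', 'treatment', 'name', NULL),
            ('physician', 'treatment', 'diagnosis', NULL),
            ('public_affairs', 'research', 'diagnosis', 'research_opt_in = 1');
    """)
    return db

def run_query(db, role, purpose, attributes):
    """Run a read only if every attribute is granted for this role and purpose."""
    grants = dict(db.execute(
        "SELECT attribute, row_filter FROM privacy_metadata "
        "WHERE role = ? AND purpose = ?", (role, purpose)))
    # Attribute access control: refuse the whole query on any ungranted column.
    denied = [a for a in attributes if a not in grants]
    if denied or not attributes:
        raise PermissionError(f"{role}/{purpose} may not read {denied}")
    # Record access control: AND together the row filters of the columns used.
    filters = sorted({grants[a] for a in attributes if grants[a]})
    where = " AND ".join(filters) if filters else "1 = 1"
    # Only names and filters that exist in the trusted metadata table are
    # interpolated; caller-supplied names were checked against it above.
    sql = f"SELECT {', '.join(attributes)} FROM patient WHERE {where} ORDER BY id"
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(run_query(db, "physician", "treatment", ["name", "diagnosis"]))
    print(run_query(db, "public_affairs", "research", ["diagnosis"]))
```

The purpose is part of the lookup key, so a physician asking for `diagnosis` under the purpose `research` is refused even though the same column is readable for `treatment`.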
Demonstration of Hippocratic Concept
on DB2
Yirong Xu
IBM Almaden Research Center
DB2 Enablement of P3P
 P3P: New W3C standard to encode company privacy policies and user privacy preferences in XML.
   • Programmatically match preferences & policies.
   • Solves the problem that current policies are written by lawyers, for lawyers.
   • Current implementations do the matching in the client (browser).
 Advantages of server-centric preference matching using relational databases:
   • Server-side matching necessary for thin clients, e.g. mobile devices.
   • Sets up infrastructure for policy enforcement.
 Prototype enables DB2 with P3P support.
   • Shreds P3P policy into relational tables.
   • Converts APPEL preferences into SQL queries.
   • Match by running SQL queries.
 [Diagram: Policy Storing: P3P Privacy Policy, Shredder, Policy Metadata, Database. Policy-Preference Matching: APPEL Privacy Preference, APPEL to SQL Converter, SQL query, Database, Query results, Matching result.]
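The shred-then-match pipeline described above, as an added example that is not the DB2 prototype's code. The single `item` table, the `(behavior, conditions)` rule form standing in for APPEL XML, and all function names are assumptions; the policy is a constructed sample and SQLite stands in for DB2.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample policy using P3P 1.0 element names.
POLICY_XML = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="shop">
 <STATEMENT><PURPOSE><current/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
  <DATA-GROUP><DATA ref="#user.home-info.postal"/></DATA-GROUP></STATEMENT>
 <STATEMENT><PURPOSE><telemarketing/></PURPOSE><RECIPIENT><unrelated/></RECIPIENT>
  <DATA-GROUP><DATA ref="#user.home-info.telecom"/></DATA-GROUP></STATEMENT>
</POLICY>"""

def local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def shred(db, xml_text):
    """Store one row per (statement, element kind, value) of the policy."""
    db.execute("CREATE TABLE IF NOT EXISTS item"
               "(policy TEXT, stmt INTEGER, kind TEXT, value TEXT)")
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    name = root.get("name")
    statements = [e for e in root if local(e.tag) == "STATEMENT"]
    for n, stmt in enumerate(statements):
        for group in stmt:            # PURPOSE, RECIPIENT, DATA-GROUP, ...
            for leaf in group:        # <telemarketing/>, <DATA ref="..."/>, ...
                value = leaf.get("ref") or local(leaf.tag)
                db.execute("INSERT INTO item VALUES (?, ?, ?, ?)",
                           (name, n, local(group.tag), value))
    return name

def rule_to_sql(conditions):
    """SQL selecting statements that satisfy every (kind, value) condition."""
    one = "SELECT stmt FROM item WHERE policy = ? AND kind = ? AND value = ?"
    return " INTERSECT ".join([one] * len(conditions))

def match(db, policy, rules):
    """Return the behavior of the first rule that fires (rules are ordered)."""
    for behavior, conditions in rules:
        if not conditions:            # empty rule acts as the catch-all
            return behavior
        params = [p for kind, value in conditions for p in (policy, kind, value)]
        if db.execute(rule_to_sql(conditions), params).fetchone():
            return behavior
    return None

def evaluate_sample(rules):
    db = sqlite3.connect(":memory:")
    return match(db, shred(db, POLICY_XML), rules)
```

Because the generated query intersects on `stmt`, a rule fires only when one statement satisfies all of its conditions, so `telemarketing` in one statement and `ours` in another do not combine into a match.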
Demonstration of DB2 Enablement of P3P
Yirong Xu
IBM Almaden Research Center
Privacy Preserving Data Mining
 Insight: Preserve privacy at the individual level, while still building accurate data mining models at the aggregate level.
 Add random noise to individual values to protect privacy.
   • Can dramatically change distribution of values.
 EM algorithm to estimate original distribution of values given randomized values + randomization function.
   • Estimate only accurate over thousands of values => preserves privacy.
 Algorithms for building classification models and discovering association rules on top of privacy-preserved data with only small loss of accuracy.
 [Diagram: records with columns such as Alice’s age, Alice’s salary and Bob’s age (30 | 70K ..., 50 | 40K ...) each pass through a Randomizer (30 becomes 65), giving 65 | 20K ... and 25 | 60K ...; the randomized values feed Reconstruct distribution of Age and Reconstruct distribution of Salary, then Data Mining Algorithms, then the Data Mining Model.]
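The randomize-then-reconstruct idea above, as an added example that is not code from the slides or from IBM. The uniform noise of ±20 years, the 10-year bins, the two-cluster sample population and every function name are assumptions; the ages are generated from a fixed seed.

```python
import random

BIN_W, N_BINS, NOISE = 10.0, 10, 20.0   # ages 0-100 in 10-year bins, noise U(-20, +20)

def randomize(values, rng):
    """Client side: each person perturbs their own value before disclosing it."""
    return [v + rng.uniform(-NOISE, NOISE) for v in values]

def likelihood(w, j):
    """Density of observing w when the true value is uniform inside bin j."""
    lo, hi = j * BIN_W, (j + 1) * BIN_W
    overlap = min(w + NOISE, hi) - max(w - NOISE, lo)
    return max(overlap, 0.0) / (BIN_W * 2 * NOISE)

def reconstruct(randomized, iterations=100):
    """EM estimate of the original bin probabilities from randomized values only."""
    like = [[likelihood(w, j) for j in range(N_BINS)] for w in randomized]
    p = [1.0 / N_BINS] * N_BINS
    for _ in range(iterations):
        new = [0.0] * N_BINS
        for row in like:
            denom = sum(pj * lj for pj, lj in zip(p, row))
            if denom > 0:                       # skip values no bin can explain
                for j in range(N_BINS):
                    new[j] += p[j] * row[j] / denom   # posterior weight of bin j
        total = sum(new)
        p = [x / total for x in new]
    return p

def histogram(values):
    """Fraction of values per bin, clamping out-of-range values to the end bins."""
    counts = [0] * N_BINS
    for v in values:
        counts[min(max(int(v // BIN_W), 0), N_BINS - 1)] += 1
    return [c / len(values) for c in counts]

def l1(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def demo(n=2000, seed=7):
    """Return (error of raw randomized histogram, error after EM reconstruction)."""
    rng = random.Random(seed)
    ages = [rng.uniform(20, 30) if i % 2 else rng.uniform(50, 60) for i in range(n)]
    noisy = randomize(ages, rng)
    truth = histogram(ages)
    return l1(histogram(noisy), truth), l1(reconstruct(noisy), truth)

if __name__ == "__main__":
    naive_err, em_err = demo()
    print(f"L1 error of raw randomized histogram: {naive_err:.2f}")
    print(f"L1 error after EM reconstruction:     {em_err:.2f}")
```

The server only ever sees `noisy`; the aggregate shape is recovered from it and the published noise distribution, while any single disclosed age can be up to 20 years off.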
Summary
 Privacy is not a short-term issue - public concern is grounded in
 deep-rooted feelings about our autonomy, identity and freedom.
 Privacy is more than a compliance issue - it is a business issue.
 Sustained business requires trust: customers and employees
 must trust that we keep their personal information secure and
 private
 The problem will grow as the value of personal information grows.
 Security enables privacy, so the two must be aligned
 Privacy-enhancing technologies must keep evolving to meet often
 competing demands of consumers and enterprises

						