Posted on

Does big data mean the end of access control?

Access control is a keystone in conventional approaches to protecting personal information. Lately, however, there is a great deal of uncertainty about whether big data repositories such as “data lakes” do in fact contain personal information, and whether access control is possible in these unstructured environments. Does access control still have any relevance in the world of big data?

Do data lakes contain personal information?

Privacy laws are written to protect “personal information” held by organizations – that is, any information that could potentially identify specific individuals. Yet as larger and larger volumes of data are collected and aggregated through “big data” initiatives, the definition of personal information is getting fuzzy. Many corporations are creating “data lakes”: massive repositories of relatively unstructured data collected from one or several sources. These often contain a mix of metadata (user activity data, such as web search terms, IP addresses, or GPS data) and personal content (such as personal messages and social media posts) which, in combination, can very frequently identify individuals. For example, publicly available, searchable databases of Twitter activity map tweets by location – locations so specific that they can show which house a supposedly anonymous person was in when they posted a message. In the commercial realm, some retailers and entertainment venues have begun tracking customers’ movements through their buildings using smart phone MAC addresses, which can be considered personal information.

As these examples show, data lakes can contain extremely sensitive personal information. This data is not intended to be viewed by anyone – it is usually processed by computer algorithms – but too often, any employee involved in data analysis can access personal information about specific individuals. Privacy principles have traditionally emphasized access control: providing users with access only to the information that they need to do their work. But does access control have any meaning in unstructured big data environments?

Eroding informed consent

Access control is based on the privacy principle of limiting the use and disclosure of individuals’ personal information to those purposes for which it was collected. In other words, it is about informed consent: individuals have a right to know what their personal information will be used for before they share it with an organization. The reality is that companies that use big data often have legally dubious consent practices. Lengthy, impenetrable Terms of Use agreements violate the spirit of informed consent. Many users of social media, in particular, do not know who has access to their personal information.

For social media companies, “privacy” usually means privacy from other users, not from corporations.

For example, the vast majority of Facebook users are unaware that advertisers can buy all posts or personal messages containing certain keywords: for example, a cosmetics company could buy posts and messages that include the words, “beautiful,” “skin,” or “makeup.” The company can then display an ad to both the senders and recipients of these messages. When anyone clicks on the ad, the company receives the full contents of their profile. In the end, a “private message” is stored in data banks or data lakes belonging to Facebook and to the advertiser, to be used for various consumer research and marketing purposes.

Is access control compatible with data lakes?

Data lakes are not set up to protect identity. They usually contain a mix of different types of personal data that in combination can often identify individuals. Privacy regulations demand that personal information be protected by access controls, yet data lakes are not structured for access control: usually, anyone with access has access to all of the data. Though the data may be intended for aggregate level analysis and not viewing of individual-level data, an employee intent on selling data to identity thieves or stalking an ex-spouse could do a great deal of damage.

Companies have taken different approaches to protecting privacy in the context of big data initiatives. Some will create several separate data lakes, often based on business function (operations, marketing, security and risk, etc.). This approach can help to ensure that data use aligns with the purposes for which data was collected. Companies also vary in their decisions on who will have access to data. Will it be a tier model?  Will there be a super administrator with access to everything? How will departments share the data? How can access be separated?

Shifting from access control to use control

As we’ve stated before, the ground rules for privacy have not changed with the introduction of big data. Personal information needs to be protected by privacy safeguards including access control. We know that unstructured and semi-structured big data models do not lend themselves to access control. Fortunately, most of the purposes for which big data is used do not require access to individual-level personal information. Rather than access control, the concept of “use control” may be more appropriate to big data contexts: focusing not so much on limiting which data can be accessed, but in what form it can be accessed. Rather than locking up personal information, it is possible to blur it – to make sure that personal data is not viewable as information about an individual, but only as a pixel in a much larger picture.

Posted on

Privacy Ground Rules for Big Data

Corporate big data initiatives are collecting massive volumes of personal data, largely for marketing purposes. There is a great deal of confusion about how these practices fit with privacy regulations. Are there any clear ground rules for big data privacy?

The metadata problem

We live our daily lives around a set of passwords: passwords for our phones, bank accounts, computers, and emails, for work and school. Passwords are one of the most common means of protecting privacy. They are keys securing our personal information and property.

There is one type of personal data we cannot protect with passwords: the traces we leave every time we use the internet and phone networks.  In effect, we can keep our personal information private, but not our metadata: data including network connections, internet searches, website navigation paths, and personal contacts. For example, we can erase browser cookies, but somewhere, there is a log of our browsing patterns or search engine keywords. Facebook tracks the sites that you visit, even if you don’t have a Facebook account. The web simply isn’t designed or configured to give users control over their metadata.

This doesn’t mean that companies are free to use metadata however they like. The public expects that their privacy will be respected. Think of a small town where no one locks their doors: people still expect that their neighbours won’t just walk into their house and look through their things, and trespassing is still a crime. At this point in time, most physical and data assets have been designed to offer security through passwords, locks, and security systems. It can be too easy to forget that privacy and property laws apply equally to personal property that is not secured.

Privacy “ground rules” for big data

We have said previously that big data is really consumer data: records of our interactions with websites, stores, companies, public institutions, social media platforms and so on. The definition of big data is still loose. “Big data” is used to describe both unstructured and structured data collected through various channels: online, through wifi and phone networks, and in the physical world through sensors or cameras. Most often, the data collected combines personal content and metadata. Companies are effectively gathering massive amounts of personal data while the ground rules for respecting privacy are still undefined. “Data lakes” – massive repositories of relatively unstructured data collected from one or several sources, often without a specific purpose in mind – are seen as an asset by companies that want a wide variety of data for potential future analysis, or for sale to other companies.

The ground rules for personal data, despite general confusion about how they apply in new contexts, have not actually changed. Fair information principles, the basis of most privacy legislation, state that organizations should only collect, store, use, and retain personal information for specific purposes to which individuals have consented. Any information, or combination of information, that is detailed enough to potentially identify a person is personal information and these rules apply.

What does this mean for big data? For many organizations, the main incentive for adopting big data is to have large volumes of information that can be analyzed for multiple purposes, shared or sold to third parties, and retained indefinitely. Privacy principles prohibit using personal information in this way. However, in most big data contexts there is no reason for anyone to access individual level records: people need statistics, not individual profiles. De-identification and anonymization methods offer ways of converting personal information holdings into aggregated, non-identifiable data that does not need the protections outlined in privacy principles. For big data to respect privacy it needs to stay “big” – in most circumstances, it should not be possible for anyone handling data to uncover personal information about specific individuals.

Posted on

Why Invest in Privacy Risk Management?

For companies and public organizations running on limited budgets, it can be difficult to see the benefits of investing in privacy. In our experience, executives and boards do not usually ask how mitigating privacy risks can help them; they ask what similar organizations are doing, and what the potential penalties of privacy violations might be. When these are the criteria for decision making, there is very little incentive to do more than the minimum standard. Once basic privacy policies and procedures are in place, it is easy for organizations to slip into complacency.

Yet privacy, information technology, and information protection experts are emphasizing that managing privacy risk is more important than ever. Organizations hold more digitized information than ever before, and the increased use of portable devices, shared systems, and online portals creates new opportunities for information theft and hacking. Recent business and world news illustrate how data risks have materialized in the form of major breaches of citizens’ personal data. Affected organizations, particularly in the public sector, are under pressure to make changes.

Contrary to the typical narrative in management, we would suggest understanding risk management as an investment rather than an overhead cost. We suggest three ways of understanding privacy risk management beyond the usual focus on the harms of data breaches.

  • Risk management is business process improvement. Many privacy or security risks can be solved through business process improvements. In our experience, many of the recommendations in risk assessments have to do with processes.  For example, a common issue with online portals is that the handoff between registration and billing for account holders is unidirectional: there is no process to confirm that registered users have paid their fees, or to suspend their accounts when their registration has expired. Filling this gap addresses the privacy issue of unauthorized portal access, and also generates revenue.
  • Risk management is automation. Similarly, if privacy or security risks are a result of manual processes that can be automated, risk mitigation can be sold as increased efficiency. For example, if two departments host their own data sets pertaining to user profiles, investing in an automated validation tool will eliminate redundant efforts and reduce errors requiring staff attention.
  • Risk management is a selling point for funding or investment business cases. Risk and compliance managers can show how risk mitigation is a differentiating factor in the eyes of external funders, clients, and business partners. Business cases for external funding or investment and responses to requests for proposals can cite risk management as a differentiating factor with regard to external competition.

These three principles can work for private or public sector, major or small organizations.  Risk management provides both product and service companies with a competitive advantage by differentiating them from others. Government organizations facing funding cuts can leverage process improvements to improve employee utilization and limit outsourcing.

Privacy is best understood as an investment factor that improves bottom lines and provides a competitive advantage. Such an approach changes the question from, “What is the minimum I have to pay to manage this risk?” to “What is my return on investment?”