Feature Story

By Leslie T. O'Neill

December 18, 2007 - On Wednesday, December 12, in Menlo Park, Calif., Sun hosted "Privacy and the Network of You," a Chief Privacy Officer panel discussion about Internet privacy and its impact on the individual user. Moderated by Dr. Moira Gunn, host of National Public Radio's Tech Nation and BioTech Nation programs, the panel's five privacy experts debated the current and future threats to Internet citizens' online privacy. From choosing products to protect Internet privacy to understanding the public's perception of privacy to ensuring corporate accountability, the panelists discussed the many ways privacy is changing in the online world.

Gunn described the Network of You concept, which is based on the "unprecedented amount of data being generated" by the 1.1 billion people now participating in Web 2.0, creating, storing, and sharing personal data every day. Michelle Dennedy, Sun's chief privacy officer (CPO) and member of the panel, further defined "the Network is You."

"Take the "Network is the Computer," which we know now to be true, one step further to the "Network of You." Now everything is becoming interconnected and humans are interrelating in a networked world. It's a network of human beings with unique contributions — and all of the things that come along with people is where privacy lives, explained Dennedy.

When discussing the Network of You, the panelists focused on Internet citizens' personal information and how they use it after they've decided to share it online, how organizations use it, and how the U.S. government should be involved with it. Key to the conversation was the difference between privacy, secrecy, and maintaining control over one's own information online, including contact details, Social Security numbers, health care records, photographs, and more.

"There is no ultimate secrecy once you've made the decision to share. That's different from privacy, which is a managed asset," said Dennedy. "There is privacy, but not inherently baked into everything. Ultimate secrecy with everything we do online — to say whatever we want even if it harms someone — I don't think that as a society we want that."

In addition to Dennedy, Agilent Technologies' CPO Jim Allen and Intuit's CPO Barbara Lawler sat on the panel to represent the private sector. Joanne McNabb, chief of the California Office of Privacy Protection, and Deirdre K. Mulligan, director of the Samuelson Law, Technology, and Public Policy Clinic and a clinical law professor at U.C. Berkeley School of Law, represented the public sector in this conversation about online privacy. More than twenty privacy professionals and advocates from a variety of San Francisco organizations — including U.C. Berkeley, the Center for Democracy and Technology, Apple, Ariba, Cisco, and Yahoo — attended "Privacy and the Network of You."

What Technology Should Be Deployed?

As with any discussion involving the Internet, technology to protect privacy quickly entered the conversation. Dennedy described Sun's proven technologies for helping companies protect the privacy of their employees and customers, particularly through the use of data segmentation tools. She suggests that companies limit the amount of data sharing they do with their partners; for instance, an airline and a hotel need share only a traveller's estimated time of arrival rather than his full itinerary.

"Technology has matured so that you can segment — data isn't intermingled. There's not one single point of failure. Now is the time to start applying those kinds of disciplinary segmentations, moving it down through storage technologies to the endpoints of the network," she said.

The Solaris 10 Operating System (OS) is inherently capable of segmenting information with container technology. With the virtualized operating system, users can store data in various silos of information so that, for instance, sensitive human resources, financial, and customer data are kept separate — and protected.

Dennedy also recommends using thin clients, such as the Sun Ray, to protect privacy. When the user removes his smart card, everything he was working on stays segmented, and protected, on the server, leaving no residue on the desktop. Unlike a laptop, smart phone, or any other endpoint that collects and stores data that could lead to a security breach, a thin client does not pose a security risk to the company. She believes that thin clients are particularly suitable for applications such as service call centers. "There is no reason your credit card should live on that user's PC."

"Identity management has matured. Standards are arriving. Look to innovation, but look also to what we have now. Leverage what you've got now, and force us to innovate what you really want," suggested Dennedy.

What Does Privacy Mean to the Public?

When Gunn inquired about online privacy and the general public, McNabb spoke first from a governmental perspective.

"The Office [of Privacy Protection] was created out of concerns of identity theft, which can happen because you've lost control over your information. Laws and the definitions of privacy are changing — they need to change to become more nuanced," she said. "I can tell some people some things and I don't intend for them to go online and be available to everybody — but the law doesn't always make that distinction. People need more discrete control [over their information.]," added McNabb.

"Information privacy is about negotiating relationships — figuring out the right rules of the road to whom it can be disclosed. We used to have a default of no recording. But with Web 2.0, the default is that nothing is ever forgotten," said Mulligan. "[It's a] world in which your history is there forever. We're living in a world without those kinds of rules [about when to use certain info]."

As a law professor at U.C. Berkeley's Boalt Hall, Mulligan also shared her experience with the current generation of college students. "Being on a college campus, the Network of You is rather intense — it's the most social generation, turning their lives inside out. We need to help them understand that privacy isn't just about laws — it's about norms and technological controls. [They should] understand that they might want to maintain some control over their presentation of self. They might have to build boundaries and understand the value of having compartmentalization of life."

Lawler added to the discussion, "Information is never truly at rest anymore. In the global economy with the rapid movement of data around the world electronically, [information] lives everywhere, forever everywhere. The challenge is for organizations and individuals to figure out what that means, and what they want to control."

How Can We Ensure Accountability?

Gunn also asked the panelists to talk about organizations taking responsibility for the personal data that they store and possibly share.

Mulligan pointed out that the laws governing security breaches have "heightened the institutional awareness of the importance of security. Those laws are about creating an environment in which companies that store data bear the cost of failure. It has allowed CPOs to leverage more resources."

Lawler suggested that those resources are an "investment in people, processes, and technology — it's not any one of those. Issues disclosed are human failures — human mistakes that a very rigorous data protection law didn't prevent. Every individual in every organization is accountable."

Dennedy pointed out that companies should change the way they view laptops and their users, calling one lost laptop full of personal data "a $100 million hit to liability." She said that someone with that laptop is "basically holding onto a bag of cash. It comes down to the people touching the data thinking about it in a whole new way."

Allen introduced the idea of privacy as it relates to the increasingly common corporate practice of off-shoring and outsourcing. He suggests that a company needs to do "risk analysis of them, have a good contract with personal data protection requirements, and do due diligence on them to make sure they're doing what they said they'll do in the contract." He also recommended providing training up front.

What Can the Government Do?

In addition to corporate accountability, the CPO panelists had suggestions for governmental action, particularly creating a uniform federal standard to define the actions companies need to take to protect privacy and communicate breaches with their customers.

"Right now, there are 42 states with laws, and state legislators are fond of their laws. Every law that passes makes it more difficult for a federal law to be passed." said Mulligan, who believes a federal law could create opportunities create for organizations to learn from each other's mistakes. "Standardized reporting...and a centralized resource for information on what went wrong would be useful."

Before the panel broke for lunch, McNabb closed with a final, sobering thought. "We need to develop our laws, our knowledge, and our norms to allow individuals to have more calibrated controls over how their personal information is used. Not an easy thing — there are first amendment issues — but I think it can be done. The risk to our liberty, ultimately, is huge."

For more information, go to http://www.sun.com/aboutsun/media/presskits/2007-1212/index.jsp

Technology writer Leslie T. O'Neill covers Sun technology and was the Test Center Managing Editor and Special Projects Editor at InfoWorld magazine.

 