Elements of trust for Internet privacy
Most of us disclose a lot of private information on the Internet without really thinking about it. What we search for, the links we click, and our email can be very personal.
In an ideal world, we would all read and understand the privacy statement of each company whose services we use. We would check to see to what extent they limit themselves to using our information only to serve us, or whether they claim rights to use our information for their own purposes.
But it's asking a lot of people to read long statements when they're often just wanting to get things done. And it’s not always obvious who is collecting this information about us.
Most of us make decisions about who we trust with our personal information at a simpler level.
How do you decide who to trust?
I think about four simple things that are likely to influence how a company (or other organisation) will respect my privacy preferences over time. I think about their motivations, leadership, discipline, and track record.
Why does the organisation want the information? Do they use it to make money?
It’s useful to understand a little bit about how a company makes its money. If an Internet service is free to use, but you’re being shown advertisements that are somehow tailored to you, there’s a good chance that someone’s using your information to make money. That could change the approach to using your information.
What do the organisation’s leaders say about privacy?
Priorities for a company are strongly influenced by its leaders. For example, Bill Gates made privacy one of Microsoft’s top priorities through the Trustworthy Computing memo he wrote in 2002. If a CEO or Chair makes privacy a top priority, it will encourage the company’s employees to do the same. A quick web search is often all that’s needed to see what a company’s leaders have been saying about privacy.
Privacy doesn’t happen by accident – even with the very best of intentions.
Does the organisation have information security and privacy by design as a mandatory, company-wide requirement?
In the data-driven world of the Internet where data is public by default, privacy protection requires continual effort and discipline. For example, Microsoft has a published the Security Development Lifecycle, a mandatory, company-wide engineering standard that includes privacy by design. Even then of course it would still be possible for mistakes to happen, but at least there will be fewer of them.
Does the organisation have a history of privacy issues?
It's easy to do a web search on a company with a few key words to pick up privacy breaches and investigations by regulators like the Privacy Commission. For a multi-national company, the US Federal Trade Commission and the European Commission could also be relevant.
It is Privacy Awareness Week, a great time to pause and think about how much you reveal about yourself as you use the Internet.
Are you comfortable with what you reveal, and who you’re revealing it to?
Weighing up what you know about an organisation's motivations, leadership, discipline, and track record provides a rule of thumb for deciding who you might want to trust with your private information. This article has focused primarily on the companies you might give your information to, but of course the same elements of trust are useful to consider for any services, regardless of who provides them.
Organisations that strive to build trustworthy services that use people’s information may want to consider how they respond to these fundamentals. From the cloud codes of conduct under development in New Zealand and around the world, it is clear that privacy is one of the basics that people want to know about. Many of the disciplines that apply to security and reliability are also relevant for enhancing privacy.
Article by Waldo Kuipers, Corporate Affairs Manager, Microsoft New Zealand Limited
Update (12 June 2012): A video of the presentation to the Privacy Forum is now live should you prefer that format.