Tag - Data Security

Tuesday, April 25 2017

ePrivacy debate is missing the basics - ends up helping criminals and anti-trust operations

ePrivacy is part of GDPR

ePrivacy addresses the low-level aspect of GDPR - can citizens and devices be identified (and are they), and thereby tracked, in the first place?

Where GDPR addresses data as such, ePrivacy is focused on the technology and telecommunications, when parties other than the citizens themselves access or collect data from basic devices and entities. People are also devices, as they communicate and have sensitive "identifiers" (biometrics are sensitive data which cannot be collected according to GDPR Article 9).

The ePrivacy debate is missing the core issue

Much of the debate on ePrivacy is mistakenly treated as a repeat of the GDPR discussion (which is fixed), as commercial providers focus on access to track and collect sensitive data without consent or with merely the illusion of it.

On one hand, this is understandable as consent is hard and in some instances almost impossible.

Informed Consent is increasingly meaningless in a digital world, where data are (ab)used for a myriad of purposes that grow almost exponentially. In addition, expressing consent PRIOR to collection is literally meaningless when data collection has already happened by the time the question is asked. The Internet of Things represents scenarios where this problem scales to the extreme, with constant tracking of devices based on their leakage of identifiers (MAC or other device identifiers or addresses).

On the other hand, this is the EXACT reason and justification for ePrivacy, as it addresses the question of HOW basic telecommunication occurs.

The KEY question and raison d'etre of ePrivacy is to require sustainable telco standards.

The existing ePrivacy regulation has been effectively sabotaged by commercial interests reducing the issue to a statement, "Here we track you and you consent simply by using our site", which is essentially a tracking wall mocking informed consent.

But we also saw the existing ePrivacy beginning to work as standards are changing - Bluetooth, RFID and Wi-Fi have all seen modifications in the direction of eliminating persistent identifiers, whereby basic communication does not involve collecting device and personal data if neither can be recognized from session to session. In such a technical setup, Informed Consent can PRECEDE collection, i.e. the citizen can CHOOSE to release a Customer # or other identifier known to the site without releasing persistent identifiers linking the citizen/device across purposes.

If the citizen - for some strange or peculiar reason - actually wants surveillance, she can always release a persistent identifier such as a Device MAC or reused communication address (equivalent to or easily linkable to a social security number etc.). But, at least in principle, with the proper technologies applying Privacy by Design, she can also avoid doing so and maintain the integrity of purpose-specification and control of data.
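A small simulation of the difference described above, added here as an illustration and not taken from the original post: an observer pooling logs from several contexts links every session when a persistent address is reused, but with per-session addresses links only the sessions where the citizen released the same contextual identifier. The HMAC-derived identifier, the context names and all function names are assumptions; the fixed address comes from the range reserved for documentation.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

PERSISTENT_MAC = "00:00:5e:00:53:01"  # documentation-range address, reused in every session

def session_address():
    """Fresh random 48-bit address: locally administered bit set, multicast bit cleared."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)

def contextual_id(user_secret, context):
    """Identifier the citizen chooses to release to one context (assumed HMAC construction)."""
    return hmac.new(user_secret, context.encode(), hashlib.sha256).hexdigest()[:16]

def sessions(contexts, persistent, user_secret):
    """One observed session per visit, recording what the infrastructure could see."""
    out = []
    for ctx in contexts:
        addr = PERSISTENT_MAC if persistent else session_address()
        released = None if persistent else contextual_id(user_secret, ctx)
        out.append({"context": ctx, "address": addr, "released_id": released})
    return out

def linked_pairs(observed):
    """Index pairs of sessions that an observer pooling all logs can tie together."""
    pairs = []
    for (i, a), (j, b) in combinations(enumerate(observed), 2):
        same_addr = a["address"] == b["address"]
        same_id = a["released_id"] is not None and a["released_id"] == b["released_id"]
        if same_addr or same_id:
            pairs.append((i, j))
    return pairs

CONTEXTS = ["shop", "shop", "clinic", "transit"]  # constructed visit sequence
SECRET = secrets.token_bytes(32)                  # stays with the citizen, never sent

if __name__ == "__main__":
    print("persistent identifier:", linked_pairs(sessions(CONTEXTS, True, SECRET)))
    print("contextual only:      ", linked_pairs(sessions(CONTEXTS, False, SECRET)))
```

With the persistent address all six session pairs are linked; with contextual-only identifiers only the two "shop" visits are, because the same identifier was deliberately released there.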

5G represents the test of ePrivacy reform

The ePrivacy reform faces an easy upfront test. 5G is entering the final stage of standardization.

Presently the standard works with the principle of enforced Data Retention in the sense of "Mandatory Endpoint Identification", meaning that all communication according to 5G will involve the network spying on devices and thus citizens.

If this happens, the EU faces a cartel-enforced data-retention regime until the next major change of standards, which is assumed to be VERY far off (at least decades), in which case not only will the collapse of both ePrivacy and GDPR be almost ensured, but there will also be a MASSIVE negative impact on the value creation of otherwise impressive technologies able to provide huge improvements in wireless communication.

The win-win alternative which ePrivacy MUST enforce

The sustainable alternative would be security and identity established as contextual-only, i.e. mechanisms where basic infrastructure maintains unlinkability unless explicitly desired otherwise BY the citizen.

It is clear that the telecommunications industry is still controlled by gatekeeper thinking, even long after this has proven a massive failure. Bad wireless standards are feeding control to the horizontal OTT infrastructure, where profit streams originate from systemic profiling of citizens and companies across non-related sessions. This is a Data Retention problem that has been judged clearly illegal and incompatible with the EU Charter by courts. As such, the 5G standardization process (such as e.g. @5GPPP and the 5G cartel) has both ignored and not invested in security beyond systemic surveillance. In other words, taxpayers' money has essentially - through the EU - been feeding illegal data retention activities.

But even though the actual security alternatives have clearly been suppressed in investments, this does NOT mean that standards should not assume these solutions can, will and must emerge. By deliberately preventing alternatives ("mandatory"), the 5G standard functions as an illegal antitrust cartel that prevents innovation in a direction that would prevent systemic tracking of citizens and devices, which would call for large fines as obvious violations of both EU anti-competition regulation and GDPR/ePrivacy.

You can now say that we should just wait and let Margrethe Vestager issue the predictable fines. But this misses the point, as we will still be caught in decades of MASSIVE BAD INVESTMENTS in insecure surveillance-by-design 5G technologies, which in the best case will cause massive damage to the European economy and trust in an already precarious situation.

My point - and the sole reason for this article - is that the ePrivacy discussion and reform need to get back to focusing on the core point and raison d'etre: to require telco standards to ensure basic communication can be established WITHOUT transfer of control from citizens to surrounding infrastructure or passive wiretapping.

5G standards as-is are ENABLING terrorism

Where I would claim 5G should be considered critical infrastructure, and thus particular attention to security should be emphasized, we instead see standards DELIBERATELY undermining security, even though we already know that e.g. US drones use the lack of security to direct missiles. The use of e.g. leaking wireless identifiers is rapidly becoming normal in commercial tracking and targeting.

The point is - it is only a matter of time until even terrorists do the same, as this represents a certain, cheap and effective targeting system to attack particular targets including VIPs.

I informed the EU about this and demonstrated it more than 10 years ago, but they continued to make the same basic security mistakes. I even published it as a commercial business case "Bombs for Hire" (slide 8) as part of the EU's 50-year anniversary. Bombs for hire (no security without privacy)

Tuesday, August 12 2014

Stop leaking your Digital Assets

Leaking customer data is bleeding profits

Most companies are very aware of the two traditional elements of Customer Loyalty focusing on sales (get and grow), but underestimate the third, increasingly vital aspect of customers leaving (keep).

  1. Get - Customer Acquisition
  2. Grow - Customer up-selling or cross-selling
  3. Keep - Customer Retention

The reason is very simple. The costs of customer acquisition are in the accounts but excused by the sales value, whereas the cost of a customer leaving is a loss of revenue not recorded in the accounts as either cost or lost revenue. Sales are therefore constantly repeating the same mistake, overspending on marketing and outbound selling while massively underspending on protecting customer relationships.

Are you feeding your customers to your competitors?

Google, Facebook and the other profiling engines make their money from making your customers defect.

Whenever you leak data on your prospects or customer interactions with you, you are not only helping your competitors target your best customers, you are also telling the marketing profilers how best to make your customers defect.

For instance, when marketing uses Google Analytics to collect data on who visits your website and what they look at, that information goes straight to competitors targeting your customers - every bit of information automatically qualifies the targets and how to convert them - for the sake of Google's earnings.

Similarly, when marketing mistakes the number of "Likes" on Facebook for loyalty and strength of customer relations, they are forgetting that Likes are resold by Facebook to competitors, and you increasingly have to pay Facebook to promote you to your own customers, as a "Like" does not mean they see what you try to communicate.

The outcome is a negative spiral of growing marketing costs, market distortion and resources diverted from value creation to moving, trading and shouting to customers.

Do you have a strategy and means to prevent leaking customer data from happening?

Notice that this is pure strategy and mission critical analysis. That is even before we address other aspects of customer data leakage such as the lack of legality (e.g. EU Data Regulation), threats created towards customers (Identity theft etc.) and the accumulating consumer distrust from providing you with data.

Try making this simple check: Whenever your customer loads a page from your website, does YOUR website trigger a connection to Google, Facebook or other customer profilers? I am not only talking about Google Analytics, but any of the many ways the profilers try to get you to link to them and feed their profiling whether we talk "Like".

If so - you have just discovered the biggest drain on your bottom-line profit and need to act urgently on this! You are pushing new customers and marketing resources to get or grow customers while they are pouring out at the other end. You need to plug the hole!
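The check described above can be automated for the static part of a page. The following is an added example, not part of the original post: it parses a page's HTML and lists every host outside your own domains that the browser would contact while loading it. `shop.example`, the sample HTML and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute through which that tag makes the browser fetch a resource.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "object": "data"}
# <link> triggers a request only for some rel values.
FETCHING_LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "icon"}

# Constructed sample page (not from any real site); shop.example is a placeholder.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://other.example/products">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
<img src="https://static.shop.example/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>
"""

class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for resources fetched while the page loads."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            if set(a.get("rel", "").lower().split()) & FETCHING_LINK_RELS and a.get("href"):
                self.urls.append((tag, a["href"]))
        elif tag in FETCHING_ATTRS and a.get(FETCHING_ATTRS[tag]):
            self.urls.append((tag, a[FETCHING_ATTRS[tag]]))

def third_party_hosts(html, page_url, own_domains):
    """Return {host: [tags]} for every host outside own_domains the page loads from."""
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for tag, raw in collector.urls:
        # urljoin resolves relative and protocol-relative (//host/...) references.
        host = urlsplit(urljoin(page_url, raw)).hostname
        # Skip data: URIs (no host) and hosts under our own domains.
        if host is None or any(host == d or host.endswith("." + d) for d in own_domains):
            continue
        found.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in found.items()}
```

Resources that scripts load at runtime do not appear in the static HTML, so the network panel of a browser's developer tools remains the complete version of this check.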

Are you feeding your future competitors through your choice of service providers?

All are suffering from the problem of leaking customers pushing price competition, but huge industries are suffering even worse - consider media, telcos, payments, digital services etc. They all suffer from virtual infrastructure trying to take control of their customers and pushing themselves in front of the value chains.

What starts as a problem of growing marketing costs, customer churn (fast turnover) and over-communicating, pressuring the bottom line in an industry, turns into something much worse in terms of bleeding profits - commoditization, where you lose the connection and direct relation needed to individualize services and the possibility of differentiation - as the winner-takes-all engines are growing and getting more and more aggressive as they turn into virtual supermarkets owning the customers, with you providing the product and service while they take the profits.

Consider your service providers - id, payments, communication, search, supply chain etc. - what are their business models? Are they in the business of leveraged network effects, i.e. to put themselves in the center of a spider's web where everybody else is feeding them data while they increasingly profit from controlling market making or creating lock-in effects based on the control of your customer data?

Are you doing something as simple as letting them control your security (log-in), communications channels or unsecured data? Do you depend on them for communicating with existing or potential customers?

If so - you have just discovered your biggest strategic problem and future drain on your bottom-line profit!

Your business model is unsustainable, as you are being intermediated and are yourself training your future competitors on how to reduce you to a commodity player with a rapidly growing pressure on profit margins.

Do you have a strategy and means to maintain control of your connections with customers?

Any other problem is secondary to dealing with the two above problems.

If you do not understand and have a clear strategy on dealing with these two aspects, your business is under attack due to your own neglect.

You can design new products, you can pour marketing costs into the operations, you can create great technology - but if you are not able to protect your customers, your business model is leaking and your future profit is under serious attack.

If you

  1. do not understand the problems, get help - because you are most likely suffering from these.
  2. do not know whether you suffer from these problems, buy the analysis - as you are working in the blind.
  3. know you suffer but don't know what to do, get help for the workshops and training - as your strategy is omitting the key components.
  4. know what to do, but lack the skills to do it, get the expertise - as the devil is in the detail.
  5. are suffering from unfair competition, get the help to document and inform government authorities - as the lobby of the winner-takes-all players is extremely powerful, and politicians and bureaucrats have no idea of the kind of problems you are facing.

Protect your customer data from leaking, control your connection with customers and do not let unfair competition from winner-takes-all virtual infrastructure erode your market.