Sunday, June 23, 2013

And so another 'digital age' comedy begins, with every country that enjoys tweaking the US adding their two cents to the story.
Hong Kong lets Snowden leave to Moscow, with Cuba among possible destinations
Edward Snowden left for Moscow on Sunday and his final destination may be Cuba, Ecuador, Iceland or Venezuela, according to various reports. The move is bound to infuriate Washington, wherever he ends up.


Another perspective.
The Surveillance-Marketing Complex, Coming Soon to a Computer Near You
… As James Risen and Nick Wingfield reported yesterday in the New York Times, the interests of tech companies and the NSA have been converging over the past decade in two ways. The first way is fairly prosaic: Lots of Silicon Valley companies are in the business of selling stuff to the NSA: storage hardware, sophisticated communications equipment, data analytics software, and more.
… But there's a second way that the interests of Fort Meade and Santa Clara County have converged: These days, they're fundamentally in the same business. The NSA calls it surveillance, and all the rest of us just call it spying. Silicon Valley, conversely, wouldn't be caught dead calling it that. They call it "targeted advertising" or "monetizing the social network." But it's pretty much the same thing.


Welcome to the “World Wide Web,” where exceptions are the rule!
Google News in Germany asks publishers to opt-in for indexing, sidesteps copyright fees
Despite its "Defend Your Net" campaign last year, Google was unable to fully put the brakes on changes to German copyright law that may mean it has to pay up for news excerpts it indexes. As a result, the company announced that unlike the other 60 countries where Google News operates by relying on sources to opt out of inclusion by request, robots.txt file or meta tags, it's requiring German publishers to opt-in. According to Google, it's pushing six billion visits per month to publishers worldwide as a free service, not something it should have to pay for. As TechCrunch points out, the issue comes as a result of the new German law that allows search engines to continue to publish snippets of news without paying, but isn't clear about just how much information that can include.


Interesting for a discussion starter, but totally impractical as a regulation.
Joseph J. Lazzarotti writes:
Most breach notification mandates require a notice be provided without unreasonable delay. In some cases, such as under HIPAA, the same standard applies but also with an outside date to provide the notice – 60 days. Proposed regulations under the Affordable Care Act would require notification to the Department of Health and Human Services in one hour!
In §155.280(c)(3) we propose that [Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.
Read more on Lexology.


Perhaps something for my next Statistics class?
What do consumers expect in the way of data security and privacy protections when they sign up for a premium subscription service?
I was reading up on the class action lawsuit against LinkedIn following their breach last year, and discovered that the plaintiff had retained Serge Egelman, who conducted two new surveys in April on this question. His survey methodology and results were submitted to the court as exhibits, and I’ve uploaded the whole filing here (Exhibit A starts on p. 32, Exhibit A-2 with methodology begins on p. 43). In his declaration, Egelman states:
First, through a review of the existing academic literature, I determined that consumers incorporate data security and privacy concerns, costs, and benefits into their purchasing and consumption decisions, and that consumers are often willing to pay a premium for information security.
Second, through a survey I conducted the week of April 1, 2013, I determined that when consumers pay for a “premium” social networking service, they expect their information to be protected with a heightened level of security, and that, at a bare minimum, industry-standard security protocols will be used to guard their information.
Third, through a survey conducted the week of April 22, 2013, I determined that an internet service using industry-standard security practices has higher utility to consumers than a service with substandard security. I also determined that when consumers are evaluating the utility of a website or internet service, privacy and security concerns factor heavily into that evaluation, and that consumers will choose a website or internet service with industry-standard security practices over an otherwise identical service with substandard security.
Reading his methodology and results, I think his data support a conclusion that when thinking about data security and privacy is prompted (as by the wording of survey response alternatives), consumers will consider a business’s security standards and expect – and be willing to pay more for – better data security. These two surveys do not, however, show that consumers actually consider data security at all in making their decisions about a premium subscription service, outside of a structured survey. Then, too, the correlations he reports for some findings, while statistically significant, do not actually account for much of the variance in respondents’ answers (effect sizes were not reported, but are easily estimated for Pearson correlations). Egelman addresses the fact that many people do not actually read privacy policies or security assurances in his discussion, where he notes how when security or privacy concerns are noted by experts or the media, the word spreads quickly and people will voice their concerns or put pressure on businesses. He uses this to argue that had LinkedIn not overstated their data security, their allegedly substandard security would have been noted, discussed publicly, and would have influenced subscribers’ decisions as to whether to pay for premium services. I suspect he’s probably right on that.
The litigation aside, I think it’s unfortunate that his research on consumer expectations is first being presented as a court exhibit instead of in a privacy or security forum where it might receive greater discussion, and I hope this blog post serves to make others aware of his research so we can discuss it.
