Privacy Sigma Riders!

A few months ago, I had the honor and pleasure to sit down with one of the most awesome people in Privacy, Michelle Dennedy, Chief Privacy Officer at Cisco, and record one of her Privacy Sigma Riders podcasts. We were in Austin. We were pumped to finally get together. We were heavily caffeinated. And we didn’t actually record anything… save for the last 25 secs of what was a 45-minute conversation. Fail… fail… fail!

Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post] In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to the sentiment I have. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not first-class members of the conversation. Why is that? One reason, in my opinion, is that we didn’t expect the industry to stand alone for the duration.

Identity: The Missing Leg of the Stool

I had the pleasure of representing the Identity Ecosystem Steering Group (IDESG) at the International Association of Privacy Professionals’ Global Privacy Summit this week. Laura Hamady of PayPal, Heidi Wachs of Jenner and Block, and I talked about navigating the maze of online retail. My part in the talk was to illustrate the flow of personal data between the various players in different online retail scenarios. (Here’s a copy of our presentation if you are curious.) Now, as the only non-lawyer in the bunch, and likely the only identity person at the conference, I had a blast pointing out all of the data protection and handling issues that stem from identity interactions. The movement of identity data between social identity providers, your back-office systems, and third-party service providers is a dance of varying elegance. Regardless of how well those pieces are integrated, the information being shared helps your organization delight your customer. But in order to do so, the customer’s privacy needs and expectations must be met. (Not to mention sectoral and legal data protection requirements as well.) And that got me thinking. The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy nor security professionals can fully meet these challenges, in part because their default tools are the wrong ones for the job. What’s missing from the conversation is identity management. Identity is the missing third leg of the stool. Identity helps mitigate a vast number of security threats, including insider threat, through the minimization of access. Identity also helps address privacy requirements by governing access control to customer data. In this regard, we can think of identity management as the operational means by which privacy implements some of its required controls.
And to be clear, I am not saying that identity meets all of the requirements on its own; there are many other privacy controls that require security, and not identity, to meet - traditional data protection and event monitoring being just a couple. By working with identity professionals, privacy teams can better understand the flow of customer data. They can sharpen the focus of their privacy impact assessments and can more easily identify third parties that provide services and whose terms of service need to be harmonized with the organization’s privacy policy and notices. Simply put - an organization that coordinates the efforts of its privacy, security, and identity professionals is not only more likely to meet its customers’ privacy requirements but, most importantly, more likely to delight its customers.

Google Glass, Privacy, and a Book Recommendation: It’s all in the post-processing

I saw my first pair of Google Glass at the IAPP’s Privacy Summit a few weeks back. I can’t say for certain but I’ve got a feeling that the wearer was not only loving the utility his pair of Glass provided but also the circumspect looks shot his way by hundreds of privacy professionals. This got me thinking about how societal privacy issues are born – not just with Google Glass but with any technology. As Glass debuted, people have been raising multiple privacy concerns, including the concern that Glass could send images of people’s faces back to the Googleplex for post-processing such as facial recognition. This concern is rooted in the asymmetric relationship between the people in the line of sight of the Glass wearer, with whom they may not have a relationship, and Google, which could collect their image and use it for whatever purpose it sees fit. The random stranger might not have a relationship with the Glass wearer and she most certainly does not have a relationship with Google (or whoever makes the next Glass-like widget) in this context. The concern, I believe, is not just one of asymmetric relationships and power imbalances but also one of post-processing. Certainly Google isn’t the first organization to gather data for post-processing. From a privacy perspective, news agencies deploy photographers to gather images of people for their form of post-processing – publishing newspapers. Data brokers have gathered both publicly and privately available data for post-processing – selling information about one party to another. Our governments gather huge amounts of public and private data, including CCTV images, for their flavor of post-processing as well. The desire on the part of innovating enterprises is to continue to find ways to post-process information. In fact, this isn’t a desire but a business imperative. And this leaves me with nagging questions:

D.C. to expand surveillance camera program

Even though DC faces a budget crisis and there are radical inequities in our public education system, the city is looking to expand its surveillance program. As I have mentioned before, there is strong evidence that CCTV surveillance doesn’t lower the crime rate and doesn’t add to the public good. Hopefully, the city council will put a stop to this but I doubt it will.

The continuing story of Privacy Mirror

I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that returns Facebook data as JSON. The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use. It is these extended permissions that are at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job of covering this, and here is Facebook’s current response.) Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

An example of extended permissions
