Top 5 Data Privacy Predictions for 2014

Privacy was a hot topic in 2013, from Edward Snowden’s disclosures and WikiLeaks, to hogan lovells logo version3discussions around the privacy implications of the NSA programs, to the launch of new technologies like Google Glass. The arrival of a new year often prompts predictions – here are a few for 2014 from Harriet Pearson, Partner at Hogan Lovells, as well as a few from UnboundID CEO Steve Shoaff.

1. Watch NIST’s Space!
Harriet: Concerns about cybersecurity risk have never been greater. Almost every organization is taking extra steps to secure its systems and data. Enhanced monitoring and other security measures can create privacy issues, however. In early 2014 the National Institute for Standard and Technology, or NIST, will issue a “privacy methodology” as part of the Cybersecurity Framework mandated by President Obama. I expect the cybersecurity framework—and the accompanying privacy methodology—to be endorsed and adopted by leading companies, and it may form the basis for new regulation. cis_banner_gold_w_pic

2. The FTC Forges Ahead.
Steve: The FTC, now under the helm of Edith Ramirez, has continued to take a leadership role in enforcing privacy cases, based upon its authority to prevent “unfair or deceptive acts”. As Daniel J. Solove and Woodrow Hartzog (professors of law at George Washington and Samford University, respectively) commented to Bloomberg BNA, “FTC privacy and security enforcement began with merely enforcing broken promises that companies made. But in the past 5-10 years, the FTC has developed a much more robust and expansive enforcement approach…The FTC seems poised to move beyond the four corners of a company’s privacy policy and take a holistic view about whether a company adequately protects consumers through things like design decisions and training programs.” Some recent signals of this direction include:

  • FTC Commissioner Julie Brill authored a “Claim Your Name” call to action article on in October 2013. She writes, “Data brokers, marketers and other companies that join the big-data stampede while ignoring basic privacy principles do so at their own peril.”
  • The FTC held a November 2013 workshop on the “Internet of Things,” saying that the FTC is “interested in the consumer privacy and security issues posed by the growing connectivity of consumer devices.”
  • In November 2013, the FTC hired LaTanya Sweeney as Chief Technologist and Andrea Matwyshyn as a Senior Policy Advisor. In Chairwoman Ramirez’s comments on these new posts, she noted that “Technology issues are increasingly central to the FTC’s work” and “insights on the intersection of technology innovation and data privacy and security law will be enormously valuable to the FTC’s efforts to protect consumer privacy while promoting innovation.”

Unless the Wyndham case constrains the authority of the FTC, expect the FTC to continue their expansive enforcement trajectory.

3. Europe Continues to Shape Privacy Debate.
Harriet: It would be enough for the European Union to occupy a prominent space on the global privacy stage if all that were happening on that continent consisted of its work on a proposed General Data Privacy Regulation that includes novel concepts such as the right to be forgotten; imports to Europe the American idea of data breach notification laws; and establishes outsize fines of 2% or more of annual revenue. Europe’s ongoing attention to and concern about US government access to information adds to the complex political and policy debate, and influences how other countries view data privacy and, increasing, trade policy.

4. Companies Will React to the Mounting Privacy Market Pressures.
Steve: With mounting consumer anxiety, impending U.S. and European regulations, and recent advances in technology, companies are finding that implementing privacy controls can be a competitive advantage.

dpdengIt’s no secret that consumers care about their data privacy. Our research – and that of others – indicates that consumers are very aware that companies use their data, and they want greater control over that usage. Mobilization initiatives like Data Privacy Day continue to grow in popularity and support, and this year saw the launch of the We The Data project. The year 2014 will see the development of regulations clarifying company practices around personal data usage. Many businesses and vendors are not waiting for regulations, though. They’re taking proactive steps to provide transparency, choice, and control, all in order to earn customer trust. Efforts in 2013 like the Microsoft “Your Privacy is our Priority” campaign, and Axciom’s show that this trend has been growing – and we expect that growth to continue.

5. Whither the Safe Harbor, Trade, and Privacy?
Harriet: The launch of the Transatlantic Trade and Investment Partnership (T-TIP) in 2013 presented a once-in-a-generation opportunity for European and US trade negotiators to start considering how to use this trade discussion to build a lasting bridge between the U.S. and European data privacy frameworks. In 2014 businesses involved in digital trade – and which isn’t these days? – will be watching to see how the T-TIP process addresses privacy, one way or another, and whether these trade discussions can help shore up the EU-US Privacy Safe Harbor.

Posted in Data Privacy | Tagged , , , , , , , , , , , , , , , ,

Comments Off

A Look Back: 2013 Year in Review

planning-2013-640x400It may be cliché, but the end-of-year retrospective is still a good time to reflect over a company’s changes and successes, and a way to chart how the company’s message is resonating in the marketplace. Here’s a quick review of UnboundID in the news over 2013.

The year started with a mention of Nick Crown’s presentation at ITEXPO on BYOI vs. BYOD in an article in Mobility Techzone. “BYOD and the challenges it brings will continue to be a driver for our customers in 2013. More importantly, we see BYOI – whereby individuals leverage their own personal identifiers/credentials (e.g. Facebook, Google, etc.) to access company resources – also increasing in importance this year.”

At the end of January UnboundID released its new Identity Data Platform, as mentioned on, and was profiled as a Network World Product of the Week.

Then in April, Peter Bernstein of TechZone360 covered the release of the UnboundID Privacy Suite, saying “This new solution brings transparency, choice and control to the collection and ongoing management of personal data, while authorizing and governing the use of this data in real time.” The release was also covered in the IAPP Privacy Advisor that month.

UnboundID also contributed an article to the new WeTheData site discussing the value of personal identity data, and consumers’ willingness to give it away for free. And in a Compass Intelligence survey, consumers shared their feelings on the use of their data and what kind of value they’d like to receive when they share that data, as reported in SecureID News.

And as the Big Data trend continued its surge, Kami Haynes contributed an article to the Direct Marketing News on countering Big Data paranoia with Little Data optimism.

These are just a few mentions in the media – for more, check out our website. From the value of consumer data to the benefits of privacy as a company differentiator, UnboundID continues to make news – and there’s more to come in 2014!

Posted in Data Privacy, Identity Data Platform, Identity Etiquette, UnboundID Privacy Suite | Tagged , , , , , , , , , , , , , , , , ,

Comments Off

Is That Mannequin Watching You?

by Kami Haynes, Director of Corporate Marketing

“You can observe a lot by watching.” – Yogi Berra

It’s likely that the last time you shopped at Macy’s, Target, Cabela’s, Family Dollar, Benetton or Warby Parker, you were tracked. No, not online – retail brick-and-mortar stores are tracking customers as well. Retail location analytics technologies are being used by a variety of retail outlets to gather information on customer behavior via wireless signals, facial recognition, hidden cameras and even simple tactics like zip code gathering.

Wireless tracking technologies such as those offered by Euclid, Nomi, Wireless Werx, and Mexia Interactive provide brick-and-mortar stores with analytic data that’s quite similar to website traffic reports. These vendors offer technology that picks up the wireless signals from cell phones to provide retailers with data on how many customers pass by the store, how many enter, where they go inside the store, and how much time they spend at various locations within the store. Nomi can also match a phone to an individual who may have downloaded the retailer’s app or provided an email address – this data is used to develop a profile so the store has specific information for the customer’s online shopping, repeat visits, and purchase history. The value of these analytics to the retailer include use of the information to optimize store layout, revise stock decisions, or increase staffing at registers, all in order to give the customer more of what they want.

These tracking technologies provide overviews of customer behavior that look like heat maps, using anonymous, aggregated data, giving the store general details about shopping behaviors, not necessarily what you did when you were there. So is that creepy? Let’s consider that online shoppers give up tons of personal information, knowingly or unknowingly, and as long as they perceive a value in the exchange they seem willing. There’s a perception that providing personal data results in a more personalized shopping experience, but research shows that consumers do want to have a say in how their data is used. So why not just let customers know that they’re being monitored?

That’s what Nordstrom tried when they experimented with this type of tracking technology. Nordstrom actually posted signs in stores to let people know that the wireless technology was in use, but ultimately they decided to end the experiment because they received customer complaints.

And what about that simple question at the register: “Can I get your zip code?” Is it really a big deal? Consider that just a birthdate, gender and ZIP code is enough information to identify up to 87 percent of Americans, according to Harvard Professor Latanya Sweeney. With a zip code and name from a credit card, retailers can use services like Harte-Hanks’ GeoCapture to pull up an address – which can easily be used to gather additional data such as phone number, past purchase details, and so forth.

Unsurprisingly, retail analysis technology is getting more and more sophisticated. Video technology from RetailNext can differentiate men from women, or children from adults. Brickstream’s video information counts the number of people in different locations within the store and can help indicate how many registers should be open – it can also let customers know how long they’ll wait in the checkout line. London’s Realeyes technology analyzes facial cues in order to gauge the “happiness levels” of shoppers, including their reactions at checkout. Synquera, a Russian software company, uses facial recognition to determine gender, age and mood in order to deliver appropriate marketing messages and offers at checkout.

These kinds of technology are a booming business. An ABI Research report predicts that “alternative” location technologies will be an $8 billion business by 2017. So what’s the difference between online tracking and physical location tracking? While both suffer from a lack of transparency over which data is gathered and how it’ll be used, online retailers have faced a lot of scrutiny over the past few years and many have updated and clarified their privacy policies so that they’re more open about what they do with your data. Brick-and-mortar retailers don’t offer even this level of transparency – but the privacy pros are taking the technology challenge on head-first, including the Future of Privacy Forum (FPF) as they develop privacy controls for retail location-based analytics. The FPF states on the Smart Stores section of their site that their goal is to “…make sure that these technologies are subject to privacy controls and are used responsibly to improve the consumer shopping experience.” This, according to the site, includes the de-identification of data, allowing customers the option not to be tracked, and transparency around what data is being used. “By being transparent about what is going on, location companies and retailers can make sure shoppers understand the benefits of the bargain.”

Other retailers have taken a different tactic – Kenneth Cole and Timberland have installed Swirl, an opt-in technology that lets customers share their location when they visit the store and receive offers. A Timberland executive explained in an AdAge article that that from May to August of this 2013 they’ve used the app in two of their East Coast shops, and over the course of that period they pushed approximately 750 shoppers a 20 percent discount. Of the recipients, 72 percent checked out the offer and 35 percent redeemed it. Another example of this kind of opt-in marketing is the Placed app, which offers cash and gift cards to customers for providing location information within a store. Users of the app provide basic demographic information such as gender, age, and income, agree to GPS, Wi-Fi and cellular tracking, and they get rewarded.

It comes down to a tricky balancing act: by gathering data about customer activities, retailers can offer more pleasurable shopping experiences, bigger discounts, and quicker checkout. But customers need to know what’s going on and should have the ability to opt out – or at the very least, they should be aware if a retailer is using cameras or Wi-Fi location tracking. While many of the companies specializing in retail analytics claim to keep data secure or to be sensitive to privacy concerns, how many of these companies are household names? Consumers don’t know what retail outlets they serve, or what tactics are being used. A much greater level of transparency is needed so that customers can choose to participate, or avoid stores that are utilizing the technology if they prefer.

And just an “enhanced experience” isn’t enough in exchange for the data that’s being accumulated. Customers want real value for their data, including cash or discounts. The benefit to the customer needs to be more than just an “optimized flow of the retail floor” or shorter wait time at checkout. While 51 percent of respondents in a recent Compass Intelligence study agreed that they want companies to use identity data to improve their experience, 61 percent said that they would respond favorably to some sort of incentive, whether cash-based or discount-based.

As consumers become more aware of the level of tracking happening in all aspects of their lives, they can easily find it creepy or become resentful over the lack of transparency around how much tracking is being done, when it’s done, how the accumulated data is used, and the data’s value to the individual. Retailers need to be more honest about how they’re gathering the data, and more respectful of the customers they serve, or they run the risk of alienating their audience. And let’s face it – the idea that the mannequin has cameras for eyes is totally creepy.

Posted in general | Tagged , , , , , , , , , , , , , , , , , , , , ,

Comments Off

UnboundID LDAP SDK for Java 2.3.5

by Neil Wilson, Principal Engineer

We have just released the 2.3.5 version of the UnboundID LDAP SDK for Java. You can get the latest release online at the UnboundID website or the SourceForge project page, and it’s also available in the Maven Central Repository.

There are a lot of improvements in this release over the 2.3.4 version. A full copy of the release notes for this version may be found on the UnboundID website, but many of the improvements are related to connection pooling, load balancing, and failover, but there are other additions and a number of bug fixes also included in this release. Some of the most notable changes include:

  • Added a new fewest connections server set. If used to create a connection pool in which connections span multiple servers, the pool will try to send each newly-created connection to the server with the fewest number of active connections already open by that server set.
  • Updated the LDAPConnectionPool class to make it possible to specify an alternate maximum connection age that should be used for connections created to replace a defunct connection. In the event that a directory server goes down and pooled connections are shifted to other servers, this can help connections fail back more quickly.
  • Updated the failover server set to make it possible to specify an alternate maximum connection age for pooled connections that are established to a server other than the most-preferred server. This can help ensure that failover connections are able to fail back more quickly when the most-preferred server becomes available again.
  • Added a new version of the LDAPConnectionPool.getConnection method that can be used to request a connection to a specific server (based on address and port), if such a connection is readily available.
  • Added a new LDAPConnectionPool.discardConnection method that can be used to close a connection that had been checked out from the pool without creating a new connection in its place. This can be used to reduce the size of the pool if desired.
  • Added a new LDAPConnection.getLastCommunicationTime method that can be used to determine the time that the connection was last used to send a request to or read a response from the directory server, and by extension, the length of time that connection has been idle.
  • Updated the connection pool so that by default, connections which have reached their maximum age will only be closed and replaced by the background health check thread. Previously, the LDAP SDK would also check the connection age when a connection was released back to the pool (and this option is still available if desired), which could cause excess load against the directory server as a result of a number of connections being closed and re-established concurrently. Further, checking the maximum connection age at the time the connection is released back to the pool could have an adverse impact on the perceived response time for an operation because in some cases the LDAP SDK could close and re-establish the connection before the result of the previous operation was made available to the caller.
  • Updated the LDIF writer to add the ability to write the version header at the top of an LDIF file, to ensure that modify change records include a trailing dash after the last change in accordance with the LDIF specification, and to fix a bug that could cause it to behave incorrectly when configured with an LDIF writer entry translator that created a new entry as opposed to updating the entry that was provided to it.
  • Dramatically improved examples included in the Javadoc documentation. All of these examples now have unit test coverage to ensure that the code is valid, and many of the examples now reflect a more real-world usage.
  • Improved the quality of error messages that may be returned for operations that fail as a result of a client-side timeout, or for certain kinds of SASL authentication failures. Also improved the ability to perform low-level debugging for responses received on connections operating in synchronous mode.
  • Updated the in-memory directory server to support enforcing a maximum size limit for searches.
  • Added a couple of example tools that can be used to find supposedly-unique attribute values which appear in multiple entries, or to find entries with DN references to other entries that don’t exist.
  • Made a number of improvements around the ability to establish SSL-based connections, or to secure existing insecure connections via StartTLS. Improvements include making it possible to specify the default SSL protocol via a system property so that no code change may be required to set a different default protocol, allowing the ability to define a timeout for StartTLS processing as part of the process for establishing a StartTLS-protected connection.
  • Fixed a bug that could cause the LDAP SDK to enter an infinite loop when attempting to read data from a malformed intermediate response.
  • Fixed a bug that could cause problems in handling the string representation of a search filter that contained non-UTF-8 data.
Posted in LDAP SDK for Java | Tagged ,

Comments Off

The Best Policy

by Bjorn Aannestad, Director of Product Management

There’s been some gratifying buzz around our term “Identity Etiquette”, which put me in a Miss Manners frame of mind.  Taking liberties with some old adages, today I’ll say:

privacy policyand

if you can't say

In our current information systems practices we find three stakeholders whose requirements and goals must influence the use of consumer data:

  1. Regulatory Agencies and the regulations they impose
  2. Corporate polices and corporate principles
  3. The Consumer whose data we hold

The automated decisions made by our information systems about whether to permit or deny specific uses of specific data are of course based on a combination of these.  Regulations may require disclosure of data in cases that would normally be contrary to corporate policy.  Corporate policy and the principles governing “ok use” can change quickly in response to events and market pressure.  We also know that each individual consumer will make their own individual decision based on their level of trust in the corporation as well as their own preferences.

Many companies find themselves with a patchwork information privacy infrastructure – one that’s grown organically (in the bad sense!) over time as holes are patched and layers are added.  These companies find it impossible to determine if the requirements of the stakeholders are being applied consistently and correctly.  The difficulty of proving a priori correctness in such an environment has led to a niche industry for after-the-fact governance, regulatory and compliance (GRC) solutions which can report on evidence of correct or incorrect data usage. In a sense, these are the “where there’s smoke, there’s fire” approach to information governance.

Instead, let’s talk about applying an ounce of prevention. Since the OAuth2 and OIDC standards don’t tell us the basis for making a “permit” or “deny” decision about access to data – they deal only with the protocol for conveying the authorization question, the answer, and the data – there’s still work to do to deploy systems that can handle the three-stakeholder situation.

At UnboundID, we’ve built the Identity Broker so that all three (regulations, corporate policies, and consumer consent) are embodied in a single externalized authorization system:

ID BrokerIt’s now possible to migrate from a patchwork of privacy policy implementations to a well-engineered architectural component whose main purpose is to implement your best policies.

And, given the increasing regulatory momentum and consumer awareness around data sharing (see this and this), we might even predict that “a system in time saves nine (million dollars)”.

Contact our team – we’ll help you figure out how to get started.

Posted in Identity Data Platform, Identity Etiquette | Tagged , , , , , , , , , , , , , ,

Comments Off