I have written about Privacy before. It is a topic I feel personally very strongly about. Here is my other blog entry in which I specify what I think should be legislated to help bring some sanity to the privacy debate.
A Case Study
This morning I read an article in buzzfeed:
The article purports that in a “closed” meeting an Uber executive suggested (possibly jokingly although the article seems to make that unlikely) that Uber could create a slush fund of $1M to fund operatives who would discover information about reporters who report negatively about Uber and leak that information to the press to hurt those reporters. He said that in particular that he had specific personal information on a reporter at BuzzFeed who is critical of Uber that he could release that would be damaging to her.
This is a nightmare scenario. We are doing commerce at all kinds of places in the cloud with all kinds of new businesses. Many of these businesses have information that we would not like broadcast. Even a HINT that some business takes less than 100% seriously our privacy is a KILLER for the business in my opinion.
There are many reasons our privacy is under attack. The government is constantly seeking more and more ability to gather information about all of us. Corporations are wanting to use private information to offer us services and make money off us, hackers are trying to break in to corporations to find personal information and IT personnel may in many cases not have the best practices and allow information to be obtained. Some may say that privacy is a lost goal. However, there is still a line that hasn’t been crossed.
WHAT WE DON”T EXPECT and never will tolerate in any way is the idea that a corporation would leverage personal information to attack its critics or create sludge funds to do so!!! In my opinion Uber needs to quash this idea that any of its executives think anything like this ever! The idea that Uber would allow customer information to be disclosed is a deal killer in my opinion.
Uber said they took customer information absolutely seriously and that they have rules and policies and violations of those policies are to be punished. Great, but it isn’t believable, why? Emil Michael is reported to have said that he had specific information on this reporter. How did he get this information if this information is guarded at Uber? Ubers response that it protects our privacy is unbelievable because obviously Mr Michael got a hold of such information. So, how seriously are we supposed to take their protestations?
Mr Michael (maybe others at Uber) are apparently upset at this reporter because she is critical of Uber for striking a deal with a French escort service. Uber rightly commented that escorts taking Uber were less likely to be attacked than in regular taxis. The reporter seemed to feel Uber was not taking women’s rights seriously by signing a deal with an escort agency. Whatever you believe about escorts her criticism doesn’t seem leveled at escorts, their patrons but somehow Uber in providing rides is somehow evil. I fail to see the logic of this attack. There is no way for me to logically conclude how Uber is being unsympathetic to women in any way by transporting them. So, this attack is weak and pathetic. Nobody would really take the reporters criticism of Uber so Mr Michaels spiteful attitude is more damning than the reporters article. So, Mr Michael is wrong and stupid on numerous points:
1) His response is way out of proportion to the attack on Uber
2) His idea of a slushfund to gather information is wrong and evil
3) His idea of disclosing the information is wrong and evil
4) Gathering information on this reporter is wrong and evil
This can’t be a “joke” because Mr Michael alleges to have specific information to attack the reporter. So, his slushfund idea and plumbers idea are not funny ideas he came up with on the spur of the moment. He researched the reporter himself. So, it is impossible to see how this could be a joke or simple meanderings of his mind that were wrong. He threatened to make public private specific information about the reporter.
In all respects Mr Michael has made egregious errors that border on incompetence. He said the meeting was considered off the record. Even so, there is no way to interpret his statements in an ethical way. They are simply wrong headed and especially wrongheaded in an eCommerce company that has private information on its patrons. This is about the worst thing that can be said about Uber if true.
I am very hopeful that the executives who run Uber are not spiteful deceptive executives interested in playing with personal information of its patrons for its advantage. I have no reason to believe that any other executive at Uber believes anything like what this executive has apparently said. However, if Mr Michael continues to be an employee of Uber then the only conclusion is that they are somewhat accepting of such conduct which makes me wonder. So, I shall wait and see what happens to Mr Michael.
The General Problem with Privacy
I believe the privacy issue is complicated. There is no “solution” that is going to solve it easily. Even improvements are going to be hard to achieve. The trend is definitely to the opposite direction right now. Our privacy is less and less being protected.
Data is TOO dispersed
The nature of the current system is that every entity can gather information about you and must disclose policies but these policies are way too complicated and too many organizations have access to make enforcement reasonable. Virtually every company I talk to is gathering vast amounts of information about us. Frequently they can easily ask us to disclose information other organizations know about us and we become unwittingly pawns in distributing vastly more information to any entity than they need to know. The organizations have limited responsibility to insure the accuracy of any information they get or the source of any information or to disclose if they have information or not. They have no way of redacting information.
Let’s say someone is incorrectly attributed with an attribute. It could be a transaction, a charge, a statement or anything that is in error, i.e. They did not do the thing. Some people may interpret the thing as positive and others as negative. As the person goes around the internet doing business authorizing different organizations to get this or that information from this or that organization the information spreads. Sometimes the organization that has the error information may sell the information to third parties. Pretty soon hundreds of copies of this erroneous information is distributed. Now this unfortunate person goes to look for employment or credit or to buy a house or something and people discover this information. The person is denied the job or credit or simply finds people won’t do a deal with them and they may not even know why.
For financial information we have some rules. If someone denies you credit they have to disclose where they got the negative information. You can typically seek to correct the information if it is in a credit report. The credit reporting agencies are required to disclose to you that they have information to you and give you free reports of what they know about you. However, we don’t have such guarantees about information in the cloud.
The organizations in the cloud that have erroneous information about you (possibly through no fault of your own) have no need to disclose to you they have such information, to give you any means to correct or redact the information, to put your own comments in to counter the erroneous information. So, you may not know you are being denied things. You may not know what things know about you. If you do find out you have no way to correct the information.
There are two approaches to solving this problem: 1) Require that organizations remove personal information about you after say 3 years as a matter of course. 2) Put in place procedures similar to the financial information which requires that organizations that have personal information have to disclose it to you and allow you to challenge it
Either of these methods cost money. The first method is easier but some people may want information about themselves retained longer than 3 years. I also advocate that the 3 year time be lower for younger people as they are more likely to make stupid errors. Information for people under 18 for instance should routinely be removed after 1 year. In order to do this then an organization may need to know your age which is more personal information that they otherwise may not need to know. I realize no method is going to be foolproof or costless. However, measures such as these would at least get the ball rolling in the right direction rather than the very wrong direction it is going today.
The Data has value to consumers and corporations and the government
Certainly a big part of this problem is that personal information is valuable to everybody to do something they consider desirable including consumers themselves. Foreign governments are hacking into cloud companies for numerous purposes and represent 25% of all hacking according to some measures. The value of information gives an incentive for people to hack and steal and disclose information. In the case study I referred to above the executive at Uber thought the personal dirt they could dig up would be beneficial to them to hurt their opponents. This is a reason for the proliferation of information but I don’t know how to decrease the value other than for all of us to get thicker skin and to be aware of the ways people can misuse information. If you see personal information about someone that seems negative consider that everyone is not perfect. Everyone is unique. Don’t ascribe negative things about people from third parties if you don’t need to and if you need to know if it is true then make sure to give the person a chance to respond. I know I am speaking to a wall generally on this point because people do seem to like dirt and they believe dirt too readily. I am repelled by Mr Michaels alleged comments and I hope others are too. If there really is an explanation for Mr Michaels behavior I am very willing to entertain any explanation he has on these pages in his words and edit if I am in error about what is said he said.
The systems are imperfect
Our authentication systems are imperfect. Our systems are hackable. Our processes are imperfect. The fact that this is the case is irrefutable and is an excuse for why privacy breaches happen but there are better and better systems, processes and best practices that are evolving. We now see dual authentication at most Cloud Sites now. This is a huge improvement. Private information can be encrypted so that even if the data itself is obtained it cannot be interpreted. What is not permissible is that we aren’t striving to learn and get better.
People are flawed
People make mistakes. No news there. Mr Michael for instance has the wrong attitude about privacy and its importance. He seems to have misjudged the acceptable ways to respond to attack. In all ways the systems are created, run by people who themselves can be bribed or act in bad faith. There are ways to at least put in incentives for people to do better. Breaking people’s privacy should be a fireable offense at any company which has private information on individuals. Simply disclosing private information should be a crime whether or not it is negative information.
The Uber case points out another angle I had hoped would not be breached by a corporation which is willful abuse of private information. We know there are all kinds of accidental disclosures and errors people make, systemic errors however willful abuse should not be tolerated.