Go Charter Communications!

It’s not every day RedMonk gets a chance to commend a commercial organization for properly protecting its customers’ data. In fact this protection is such a rare occurrence we decided to award Charter Communications a RedMonk gold star for its current legal maneuvers against the Recording Industry Association of America (RIAA). Charter is seeking to block subpoenas, issued on behalf of RIAA, to hand over the names of customers for alleged copyright offences. Charter is not the only ISP to have filed suit against the litigation happy RIAA—so have Verizon and SBC—but Charter, unlike its peers, has actually refused to hand over any customer details. We take our cowls off!

Sadly few organizations in the public or private sectors seem interested in, let alone willing to defend, a customer’s rights to privacy of personal data. This reticence partly explain why so few innovative solutions to ongoing secure management of customer information have been developed. Current privacy initiatives tend to be somewhat static, or purely focused on the relationship between websites and consumers (P3P). IBM is now trying change all that with an intriguing privacy-oriented R&D program; of which more later.

In the long run it is in Charter’s interests to work closely with the media and publishing companies which constitute RIAA’s membership. But for now it is protecting its customers from their legal threats and deserves applause for doing so. Compare and contrast Charter Communications fight against Big Media with the behavior of JetBlue, the US airline until recently famous for its aggressive use of technology to underpin good customer service, exemplified by satellite TV at every seat. Now, however, JetBlue has become known for something else—handing over customer information, including itineraries and home addresses, to a non-governmental organization. The firm in question is Torch Concepts, a software startup positioning itself as a Homeland Security supplier.

The data provided by JetBlue was apparently combined with information, including social security numbers and vehicle ownership details, purchased from Acxiom, the consumer profiling giant. This program looks like a proof of concept for the proposed Computer Assisted Passenger Prescreening System (CAPPS II), a classic John Pointdexter-style Big Government profiling initiative. For a sense of the PR problems JetBlue has just created for itself though take a look at the op-ed article penned by News.com’s Declan McCullagh here.

The JetBlue debacle has thrown up some unfortunate side effects. One should pity poor Unisys. Within the last couple of weeks it began a new ad campaign about how it helped JetBlue treat customers as people through effective use of their data. The timing of the campaign couldn’t be worse. From where we’re sitting JetBlue has done pretty much the exact opposite of what the Unisys ad claims: so much for JetBlue as a poster child for customer relationship management.

At this point RedMonk would like to make a clear statement: we strongly believe in the crucial importance of good intelligence and sophisticated technology in preventing terrorism. However, we also believe in fundamental rights to privacy for consumers and citizens. State power, like corporate power, requires checks and balances. The Patriot Act notwithstanding, saying no to the government is sometimes the right thing to do.

The aforementioned abuses of customer data might not seem so bad had JetBlue bothered to tell its customers it was breaking its own privacy policy, or had Charter’s competition, who craved in under pressure from RIAA, told customers they were sharing information with RIAA.

We probably shouldn’t get too carried away in calling out Charter. After all, according to an excellent analysis in the New York Times last weekend, cable companies are afforded greater protection in law from outside requests on their customer data than other service providers. Laissez-faire market-driven approaches to the protection of customer data have in the US created an inconsistent patchwork of privacy standards from industry to industry. Customer information is regulated differently in separate and distinct markets, despite the fact that these markets are increasingly overlapping and converging.

The Patriot Act as it stands overrides some of the protections enshrined in these different regulatory environments, which brings us back to JetBlue.

JetBlue’s response to the privacy fugazi is illuminating. It has just hired Deloitte & Touche to analyze and assess its current privacy policy and procedures. The press release claims that JetBlue did not hand over payment or credit card information, and that all data was destroyed by Torch Concepts after use. Customers can only hope this is true, because there’s no way to really know. And even worse, JetBlue is far from alone. Practically every European airline that runs flights to the US also provides similar data—including itinerary information and dietary preferences—to US federal bodies. Special meals can potentially tell you a lot–kosher, or asian vegetarian anyone? The EU’s data privacy directors are now calling for assurances as to how such data will be used, but for now this information is still routinely passed on to US federal authorities. Considering the EU makes so much noise about data privacy its decision to allow airlines to hand this information to US authorities is perhaps surprising. But then again, global terrorism is a threat that requires global cooperation to combat. We can’t think of a better better mitigating circumstance. What the EU is now calling for, is a clear policy statement from Homeland Security organizations laying out how information passed on by European airlines will be used.

A formal privacy policy that recognizes the rights of citizens and consumers is critical to the question of consumer protection. The first element is addressable, as long as consumers care enough to lobby their representatives. But what happens when we ask ourselves questions like – what happens with the data after it has been used for a particular process? How long can this data be kept? Or how is the data tagged, so that it can be used only in certain contexts? What we’re asking is: how do we make permissions on data persistent, so they follow that data around programmatically. This data management problem is shaping up to be one of the biggest issues in IT over the next couple of years, and is already seeing instantiation, for example, in industry standards with associated technical solutions, such as HIPAA in healthcare and FERPA in education. In fact, it is also the central problem preventing online sales of music, which ultimately leads to legal skirmishes like Charter vs RIAA.

Enterprise Privacy Authorization Language (EPAL), currently under development by IBM, is one potential answer to the huge problem of managing access to customer information over time.

According to the EPAL primer at IBM.com: “EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication.”

It’s far too early to say whether EPAL will be a successful—but at least it offers an attempt to solve a thorny problem. How can a truly customer focused organization protect its customers’ information? EPAL aims to allow the capture of formal privacy policies which are then instantiated in software. How can customer information be safely shared with other organizations, without comprising the wishes of that customer? After all, the world of business is increasingly federated, with consumer services comprised of service “bundles” from a range of suppliers. In this environment, who owns the customer information and how can that customer be assured of privacy? Vendors are working on stadards-based solutions to the problem of federated access and identity (Liberty Alliance, WS-Federation) and federated XML web service transactions (WS-Transaction), but privacy has until now been given short shrift.

EPAL will potentially allow privacy and protection of customer data to become an automated, auditable process, rather than the current ad-hoc mess it is. The language will initially be instantiated in IBM Privacy Manager—eBay is an early adopter. The Privacy Commissioner of Ontario, Canada is also working with IBM, using EPAL to create a digital template of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) act.

Organizations should look at JetBlue’s negative publicity on this issue and think carefully about the protection of their customers’ data. There is surely no more important asset in your organization; online retailers have talked in the past about the brand damage they’d suffer if they acknowledged security breaches. Too often though the guilty party wasn’t a black hat hacker, but the organization itself. Sooner or later customers are going to say: “I am mad as hell and i am not going to take it anymore.” When this happens organizations with a strong reputation for privacy management and protection of customer data are going to strongly benefit. We can already see this trend on the web: thus we trust Amazon with our identity, while other dotcoms find it much harder to win our business.

As ever there are no quick fixes or silver bullets. EPAL, for example, supports automation and control of strong privacy policies, but it doesn’t actually write them.

The landscape is changing, and privacy is growing rather than shrinking in importance. Current fears over identity theft are well placed. If government and commercial organizations could be trusted to manage our customer data we wouldn’t need laws and infrastructure to protect us.

In Europe, data protection regulation is now moving from the education to the enforcement phase. In the US the problems of SPAM and identity saturation (how many web sites and organizations hold your personal data. Do you know/have any idea?) are reaching breaking point. The current law suit against MS, which lawyers are attempting to turn into a class action suit—ostensibly for the poor security of MS products—is actually a privacy case, testing the new Californian law which requires that users are notified if their private information has been compromised. The attorney in question, Dana Taschler, is set for a PR bonanza of unbelievable proportions if the case gets anywhere at all.

From the point of view of a consumer and citizen I hope the case makes an impact. Not because MS in particular is guilty—RedMonk firmly believes that users of technology must take responsibility for how it is used. Blaming the supplier for every breach indicates an abdication of responsibility. But unfortunately for all of us, litigation seems to be the only way real change is accomplished these days, in the US at least. The threat of litigation is enough to prevent some corporate bad behavior. In the area of privacy, we need some test cases, and Microsoft in California is the first big one.

Issues associated with privacy of our identity complex are hellishly complex, and are not likely to solve themselves. The EU and US law courts need to be involved, and it’s good to see some test cases aimed at protecting consumers rather than attacking them