Risk mitigation

One of today’s news stories is that several of the firms responsible for the colossal explosion at the Buncefield oil depot have been hit with fines totalling almost £10m. The judgement centred around ‘slackness’ in operational practices at the site, resulting in serious breaches of health and safety law.

It has taken a while for the penalties to be applied: the explosion happened early on Sunday 11th December 2005. On that day, I was on a flight from Heathrow to San Francisco. Buncefield (near St Albans, north of London) is a little way east of the long-haul flight path from Heathrow to North America, and the gigantic plume of smoke from Buncefield was clearly visible from the right hand side of the plane.

The reason for my trip was to take part in my first team meeting with the group I had recently joined, in Sun Microsystems’ Chief Technology Office. That new role also marked the beginning of my increasing interest in matters of online privacy, and the way in which privacy and identity technology have to interact with corporate and public policy.

I thought of that when I heard an oil industry specialist being interviewed today about the lessons learned from the Buncefield disaster. He said that companies needed to be asking themselves three very simple questions (as opposed to the traditional “one question… do you feel lucky…?”):

  1. Do we understand clearly what can happen when something goes wrong?
  2. Do we have systems in place to prevent and/or manage such failures?
  3. Do we have metrics which tell us whether we are getting it right?

I come back, once again, to Michelle Dennedy’s key principle: organisations which process personal data should treat it as if it were toxic waste. Exactly the same principles should apply:

  1. Does the organisation’s strategy or business plan take into account what can happen when personal data is mishandled, when there is a containment breach, or an explosion of negative publicity?
  2. Are there systems in place to constrain the collection of personal data, manage its retention and prevent inappropriate disclosure?
  3. Do the organisation’s staff and managers get the information which would tell them whether or not personal data is being well managed?

Here’s what I suspect:

  • Some organisations have a reasonable handle on (2)… but a lot more probably have far less of a grasp than they like to believe.
  • Fewer organisations actually weave ‘personal data and privacy risk management’ into their strategy at a corporate, executive level.
  • Still fewer actively seek external evidence of data breaches and reflect that in a ‘data management dashboard’ to inform and guide day-to-day operations.

Of course, if you know otherwise, I’d be delighted to be proved wrong… who knows, I might even end up writing an analyst report on cases of good practice. If you’ve got a good story to tell, you know where to find me…

New role…

As of July 19th, I start a new full-time role as a Research Director with Gartner Group (more specifically, in the Identity and Privacy Services team under the ‘Burton Group’ brand).

I am absolutely delighted to have this opportunity. Not only will I be continuing to explore the same topics (digital identity, online privacy, access management and security…), I will also be joining a fantastic group of people – including the likes of Bob Blakley and Ian Glazer – for whom I have enormous respect. If there’s a downside, it’s that they set a formidable standard to match up to.

This is going to be a fun ride, though, so I hope you will stick with me and join the excitement!

Step One: I’ll be at Catalyst in San Diego again this year, so if you’re going to be there please come and say hi. If you’re not going to be there… naughty, naughty!

Some housekeeping:

Obviously, I will not be doing any more consulting work through Future Identity – but for continuity reasons, the Future Identity website will persist, as an archive of presentations and published papers. I’ll also continue to blog and tweet using the Future Identity persona*, though I expect a gentle separation will emerge between that and any blogging I do in my corporate role via the Gartner Blog Network.

*I have been saying, for several years now, that sensible use of different personas is key to maintaining control over our digital footprint. I do generally point out, in the same breath where possible, that doing a good job of persona management takes thought, time and effort.

Establishing, maintaining and killing off discrete personas are the most obvious use-cases. The real trick, though, is to be able to segue one persona into another, while maintaining your control and your audience. The more you work on establishing a brand, the harder it can be to ‘unhook’ brand awareness and attach it to something new. As “social network” services enter their second and third generations, that’s something they will have to come to terms with.

Large ISPs broaden attack on Digital Economy Act

I read with interest that BT and TalkTalk have requested a judicial review of the Digital Economy Act 2010 before it is brought into force. As readers of this blog will be aware, opposition to the Digital Economy Bill was vociferous, widespread, and based on both principle and detail.

Interestingly, BT and TalkTalk have opted to attack implementation of the Bill on a wide front – at least, as far as I can infer from this article on the BBC News site. Here are some of the points on which I understand they will seek clarification through the judicial review process:

– does the Act unfairly restrict competition in the telecoms market, by applying a Code of Conduct only to network service providers with more than 400,000 subscribers? (TalkTalk argue that the result of this could be a flight of customers to smaller, less regulated ISPs);

– does the Act conflict with EU legislation, which rules that ISPs are “mere conduits” of the information they transmit and thereby limits their liability arising from that information?

and perhaps most fundamental of all,

– did the way in which the Bill was passed undermine its legitimacy? (They argue that it was rushed through with insufficient parliamentary debate, in a truncated process far short of the normal legislative timetable – and it’s hard to dispute that point: the Bill was passed in a matter of hours, instead of the 3-4 weeks of Committee Stage deliberation and revision normal for a Bill of this scope).

If the judicial review finds in their favour on that point, it could set a fascinating precedent.

Privacy and bindweed

This being the height of the growing season in our garden, it is also the time when too much attention to any given part of a flower-bed is likely to reveal that bane of the gardener’s life, a vigorous, thrusting tentacle of bindweed (convolvulus arvensis). The worst thing about bindweed is its deeply-buried, brittle and highly regenerative root system. No matter how diligently you dig and rummage and loosen, chances are you will leave a fragment of root behind – and in due course the whole grisly process starts again from the tiniest remnant. As one of my uncles used to put it, it’s enough to make a man kick his grandmother.

That’s rather how I feel about another pernicious and unwelcome part of the landscape: the often-repeated claim that “if you have nothing to hide, you have nothing to fear”.

Just like the bindweed, this is impossible to eradicate, and just like the bindweed, it stifles and chokes more desirable things, such as rational debate about privacy and why and how to protect it. If I had my way, I’d recruit a small army of bindweed eradicators, and we would periodically blitz the garden; we might not wipe the bindweed out, but we would probably at least keep it from strangling the flowers.

With that in mind, I’d like to recruit all my readers (yes, both of you ;^) as privacy pest controllers, armed with these handy tools to counter the “nothing to hide” argument.

1 – “A virtuous person cannot be the victim of crime”. That’s obviously nonsense, isn’t it? Just because I have no murky secrets in my past, and my life is a model of probity, doesn’t mean I have nothing of interest to the criminal. Indeed, in the online world I might, as a result, have a spotless reputation. Just the thing, if you’re looking for a clean ID to hi-jack.

The point is that the “nothing to hide, nothing to fear” argument glibly – and fatally – skims over the question “from whom do you have nothing to fear?”. Fatally, because when that question is answered, it becomes obvious that the people you should fear can harm your interests whether or not you have ‘anything to hide’.

2 – We are social animals. Personal privacy is a social concept. If you have nothing to hide from anyone, you are not a social being as the rest of us understand it.

Please… whenever you encounter the ‘privacy bindweed’, attack it at the roots with these weedkillers. Just be warned: one go is not enough. This requires long-term and repeated effort – but the privacy garden will thank you for it.
