A couple of week’s ago I had the great opportunity and pleasure to speak with the both equally delightful and brilliant Anyck Turgeon and Scott Draughon on MyTechnologyLawyer.com about “Is encryption enough to achieve privacy?”
The feedback and followup to that show was spectacular! I got a ton of questions as a result. I will answer some of them here in the coming days. Here is the first…

Wow; very broad questions!
Privacy is going out of the window only if you leave the window open, or allow others to.
When you are out in public, you must keep in mind that you are OUT IN PUBLIC. In many to most public locations it is likely there are surveillance cameras recording your images and possibly your sounds. Don’t be doing or saying things on the streets, in stores, etc. you don’t want others to see or hear.
However, when you are in your own vehicle, home, designated private places, or on your computer, you can take steps to make sure you do not throw your privacy out the window through your own actions, or inactions.
You can also be more proactive with asking the organizations you do business with about their privacy practices, and demanding that they follow not only recognized privacy principles, but also ask them how they are complying with all their applicable data protection and privacy laws; EVERY single organization that has personally identifiable information (PII) has laws they must follow!
There are also organizations throughout the world, in every single country, that are trying to help ensure your privacy. Most of the Canadian provinces and each of the EU countries have data privacy/protection commissioners who are trying to protect individual privacy rights. As just one example of this, early this year the European Network and Information Security Agency (ENISA) published a detailed comparison of the privacy features built into electronic identification (eID) cards issued by European governments. The position paper, “Privacy Features of European eID Card Specifications,” was written to political and corporate decision-makers, and was intended to facilitate the formation of best practice guidelines and “raise awareness of the legal and social implications of new developments in eID card technologies,” according to the paper. This is just one example of the many initiatives taking place to promote privacy protections.
I could write a book about this topic! However, a few things you can do to help protect yourself include:

• Look for and read the posted privacy policies of the organizations you are thinking about sharing your PII with. Do the policies actually tell you how they are protecting your privacy? Or, do they tell you all the ways in which you do not have privacy rights? This is what many so-called “privacy” policies actually do.
• When purchasing new gadgets, appliances, vehicles, or anything else with electronics, ask the ways in which the gadget/etc. can be monitored. Monitoring can provide a lot of great benefits, but it can also be used to track where you’ve been, when you’ve been there, how long you were there, how fast you got there, etc. Ask how this information is secured, how it is used, and how long it is retained.
• Do not post ANYTHING to Internet sites that you would not want the entire world to see. Especially social networking sites. When doing online transactions check to ensure the online business is strongly encrypting your data, and is not sharing it with any other entity without your express consent.
• Do not send sensitive information through public networks via emails or other types of communications unless you have strongly encrypted it.
• Delete data you no longer need! This goes for your emails, deleting your temporary files, etc. There are many hard disk cleaners available to do this. The less PII and sensitive data you keep, the less likely it is that it will be compromised. Plus you will get additional storage space!
• Tell the organizations you do business with that you want them to have strong privacy protections in place. The more people that do this, the more actions businesses will take.
• Tell your elected officials that you want EFFECTIVE privacy laws that are feasible for both businesses and consumers/employees/individuals. They are supposed to be working for your best interests!
• Read the fine print whenever you make a purchase, join an online group, or otherwise share information online. Many “terms of use” contracts automatically require you to agree to share your information with other entities they deem appropriate. Opt out of that sharing whenever appropriate, and don’t do business with an organization if they do not give you privacy choices.

There are so many more things to add to this list. The bottom line is, be careful who you give your PII to, know the ways in which organizations collect your PII, and demand that they protect it!

Tags: Anyck Turgeon, awareness and training, encryption, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, Scott Draughon, security training

This entry was posted on Wednesday, September 23rd, 2009 at 9:38 am and is filed under Information Security, Privacy and Compliance. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.