The Snapchat data breach

Yesterday it was reported by The Verge that anonymous hackers have accessed Snapchat's user database and posted 4.6 million user names and phone numbers. In an apparent effort to soften the blow, two digits of the phone numbers were redacted. So we might assume this is a "white hat" exercise, designed to shame Snapchat into improving their security. Indeed, a few days ago Snapchat themselves said they had been warned of vulnerabilities in their APIs that would allow a mass upload of user records.

The response of many has been, well, so what? Some people have casually likened Snapchat's list to a public White Pages; others have played it down as "just email addresses".

Let's look more closely. The leaked list was not in fact public names and phone numbers; it was user names and phone numbers. User names might often be email addresses but these are typically aliases; people frequently choose email addresses that reveal little or nothing of their real world identity. We should assume there is intent in an obscure email address for the individual to remain secret.

Identity theft has become a highly organised criminal enterprise. Crime gangs patiently acquire multiple data sets over many months, sometimes years, gradually piecing together detailed personal profiles. It's been shown time and time again by privacy researchers (perhaps most notably Latanya Sweeney) that re-identification is enabled by linking diverse data sets. And for this purpose, email addresses and phone numbers are superbly valuable indices for correlating an individual's various records. Your email address is common across most of your social media registrations. And your phone number allows your real name and street address to be looked up from reverse White Pages. So the Snapchat breach could be used to join aliases or email addresses to real names and addresses via the phone numbers. For a social engineering attack on a call centre -- or even to open a new bank account -- an identity thief can go an awful long way with real name, street address, email address and phone number.

I was asked to compare the theft of stolen phone numbers with social security numbers. I surprised the interviewer when I said phone numbers are probably even more valuable to the highly organised ID thief, for they can be used to index names in public directories, and to link different data sets, in ways that SSNs (or credit card numbers for that matter) cannot. 

So let us start to treat all personal information -- especially when aggregated in bulk -- more seriously! And let's be more cautious in the way we categorise personal or Personally Identifiable Information (PII).

Importantly, most regulatory definitions of PII already embody the proper degree of caution. Look carefully at the US government definition of Personally Identifiable Information:

      information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (underline added).

This means that items of data can constitute PII if other data can be combined to identify the person concerned. That is, the fragments are regarded as PII even if it is the whole that does the identifying.

And remember that the middle I in PII stands for Identifiable, and not, as many people presume, Identifying. To meet the definition of PII, data need not uniquely identify a person, it merely needs to be directly or indirectly identifiable with a person. And this is how it should be when we heed the way information technologies enable identification through linkages.
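
One way to apply that "linked or linkable" test when reviewing a data set, as an added example that is not part of the original post. All records are constructed and fictitious, and the function names and the `X` mask convention are assumptions made for illustration.

```python
"""Added example: measure how linkable a released data set is to an identified one."""
from collections import Counter

MASK = "X"  # assumed convention for a redacted digit

# Constructed sample data; every alias, name and number below is fictitious.
RELEASED = [  # alias plus a phone number with the last two digits redacted
    {"username": "quietfox77", "phone": "55501001XX"},
    {"username": "m.r.1984", "phone": "55501002XX"},
    {"username": "zzz_anon", "phone": "55501999XX"},
]
DIRECTORY = [  # an identified, publicly searchable listing
    {"name": "A. Example", "street": "1 Sample St", "phone": "5550100142"},
    {"name": "B. Example", "street": "2 Sample St", "phone": "5550100217"},
    {"name": "C. Example", "street": "3 Sample St", "phone": "5550100288"},
]


def matches(masked: str, full: str) -> bool:
    """True when `full` is consistent with `masked` (MASK matches any digit)."""
    return len(masked) == len(full) and all(
        m == MASK or m == f for m, f in zip(masked, full)
    )


def anonymity_set(record: dict, auxiliary: list, key: str) -> list:
    """Auxiliary records that the released record could be joined to on `key`."""
    return [aux for aux in auxiliary if matches(record[key], aux[key])]


def linkability_report(released: list, auxiliary: list, key: str) -> dict:
    """Classify each released record by the size k of its anonymity set."""
    outcome = Counter()
    for record in released:
        k = len(anonymity_set(record, auxiliary, key))
        outcome["unique" if k == 1 else "ambiguous" if k > 1 else "unlinked"] += 1
    return {
        "unique": outcome["unique"],        # k == 1: joins to exactly one person
        "ambiguous": outcome["ambiguous"],  # k > 1: narrowed to a small group
        "unlinked": outcome["unlinked"],    # k == 0: no match in this auxiliary set
        # "Linked or linkable": a single joinable record is enough to treat
        # the field, and the data set that holds it, as PII.
        "treat_as_pii": outcome["unique"] + outcome["ambiguous"] > 0,
    }


if __name__ == "__main__":
    print(linkability_report(RELEASED, DIRECTORY, "phone"))
```

The redacted field still joins one record to a single listing and narrows another to two candidates, which is why the field counts as PII even though no value in it names anyone.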

Almost anywhere else in the world, data stores like Snapchat's would automatically fall under data protection and information privacy laws.  Regulators would take a close look at whether the company had complied with the OECD Privacy Principles, and whether Snapchat's security measures were fit for purpose given the PII concerned. But in the USA, companies and commentators alike still have trouble working out how serious these breaches are. Each new breach is treated in an ad hoc manner, often with people finessing the difference between credit card numbers -- as in the recent Target breach -- and "mere" email addresses like those in the Snapchat and Epsilon episodes.

Surely the time has come to simply give proper regulatory protection to all PII.

Top 3 things to look for in 2014

When it comes to the supply chain space and solutions, there are three trends I am looking for in 2014:

  • Software providers will strive to offer full supply chain solution suites. Mega vendors such as SAP, Infor and Oracle have been ahead of this game, just by their sheer size. A growing number of service providers such as JDA and Logility will continue to push in this direction, looking to offer their own supply chain solution platform. Practitioners will seek service providers that can address larger and more inclusive supply chain challenges, rather than simply optimizing pieces of the overall puzzle. They recognise that optimizing parts of the supply chain can often lead to unintended consequences in other parts of the supply chain. This does not mean that software providers that do not offer a full end-to-end solution will fall out of favour. These bolt-on solutions will continue to allow for targeted supply chain problems to be addressed. However, these solution providers will have to continue to demonstrate how their solution will be interoperable within the overall supply chain solution network. If you are already engaged with a mega vendor, lean on them to understand how their solution suite can address your larger supply chain issues. When it comes to vendors with smaller solution footprints, ensure that they can seamlessly tie into the solution ecosystem.
  • Expect innovation from the non-usual suspects. Innovative solutions as well as thought leadership will come not only from best-of-breed providers or consultants, but also from such sources as 3PLs and contract manufacturers. These players will bring their unique perspective to the supply chain, and drive innovation and thought leadership from the manufacturing and transportation position. Think about 3D printing from your contract manufacturers like Flextronics or Jabil, how they are applying this technology and how that innovation can impact your supply chain. Or how your logistics provider like DHL, FedEx or UPS will drive aspects like same-day delivery or multi-channel retailing. Other logistics providers, such as Agility or Imperial Logistics, can empower you to drive your supply chain into emerging markets. Innovation in the supply chain has become more democratized; do not hesitate to look to all your service providers for innovative thinking.
  • It will not be about big data but about actionable data. The notion of large amounts of accessible data will not diminish; on the contrary, the amount of data we have access to for our supply chains will only continue to grow. But having vendors that are equipped to provide actionable data is going to be more important than big data. For example, vendors such as IRI and Nielsen can already provide large quantities of consumer data. Other business intelligence vendors have the ability to take massive data sets and cleanse and harmonize the data. But practitioners need to look for the vendors that are focusing on identifying that actionable data. To borrow a phrase from a conversation with SAP: “the haystack keeps getting larger and larger, and you are still looking for that needle.” Solution providers will start focusing on identifying the actionable data, rather than just big data. Just because we can start looking at every last piece of data does not mean we should be doing so. Solution providers that offer the intelligence to find the key pieces of data within that haystack will be the ones that gain in relevance. Companies like Zyme that are focused on the hi-tech space will be able to give companies like Barnes & Noble a better understanding of what data they need to be aware of for products such as the Nook tablet. Work with your service providers to go deeper than just looking at big data; understand what types of data they are comfortable with and what industries they have deep knowledge of.

2014 should be another interesting year in the space…but then again isn’t every year that way?


David Schwab Joins FusionOps Board of Directors

David C. Schwab, who  co-founded Scopus Technology and served as Vice President of Sales until it was acquired by Siebel Systems, has joined the board of FusionOps. FusionOps is a “domain-based” Business Intelligence (BI) company that brings together cloud, Big Data, and a user-friendly interface to provide insights into supply chains. 

Built in the cloud, FusionOps provides users with pre-built metrics, tickers, and analytic reports. Business users can also fine-tune existing reports, create new analytics, and drill down into the details. In addition, the product includes collaboration and social networking features. The company currently serves a diverse set of industries including: apparel and sportswear, mining, medical equipment, electronics, and energy companies.

The company is currently recruiting sales engineers and sales managers. Resumes can be sent to [email protected].

Schwab has been a long time Director of Sierra Ventures and helped build Sierra’s enterprise software investment practice. His primary investment focus is business applications and next generation infrastructure. Portfolio companies Dave has worked with in the past include: Accruent (acquired by Vista Equity Partners), Crosslogix (acquired by BEA Systems Inc.), CSS (acquired by Partners Group), SalesLogix (IPO and acquired by Sage), Knova (Merger of Kanisa and ServiceWare), MicroMuse (sold to IBM), OnLink Technologies (sold to Siebel Systems), and 360Commerce (sold to Oracle). His portfolio includes Corrigo, Parature, Prelert, Revionics, Trivantis, Zebra Imaging, and Zoom Systems.

In addition to his MBA from Harvard, Schwab holds two graduate engineering degrees from Stanford University and an undergraduate degree from UC San Diego.

Trends: 10 Trends for #Cloud Computing in 2014 To Dominate #Digital Disruption [Slide Share]

Ten Trends For Cloud Computing In 2014 To Dominate Digital Disruption

Constellation's cloud computing research falls under the Tech Optimization and Innovation business theme and throughout other areas where applications are applied.

The trends for 2014 span the entire cloud stack. Holger Mueller, VP and Principal Analyst, covers the impact of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) as well as HR Technologies in the Future of Work. R "Ray" Wang researches the impact of Cloud Computing on business strategy and the application landscape.

Below are the 2014 trends for Cloud Computing. Join the Constellation experience as we set out to help our clients dominate digital disruption.

Your POV.

Do you have a cloud strategy? Can you see how the cloud will help enable digital business disruption? Add your comments to the blog or reach me via email: R (at) ConstellationR (dot) com or R (at) SoftwareInsider (dot) org.
Please let us know if you need help with your Cloud and Digital Business transformation efforts. Here’s how we can assist:
  • Assessing cloud computing readiness
  • Developing your digital business strategy
  • Connecting with other pioneers
  • Sharing best practices
  • Vendor selection
  • Implementation partner selection
  • Providing contract negotiations and software licensing support
  • Demystifying software licensing

Reprints

Reprints can be purchased through Constellation Research, Inc. To request official reprints in PDF format, please contact Sales .

Disclosure

Although we work closely with many mega software vendors, we want you to trust us. For the full disclosure policy, stay tuned for the full client list on the Constellation Research website.

* Not responsible for any factual errors or omissions. However, happy to correct any errors upon email receipt.

Copyright © 2001 -2014 R Wang and Insider Associates, LLC All rights reserved.


Augmented Reality and the Future of Digital Business

InsideAR 2013. R "Ray" Wang discusses Augmented Reality

Video: https://www.youtube.com/embed/CGUkDuK9730

From CMO and CIO to CDO

Ray Wang and Esteban Kolsky, Milan Business Forum 2013

Video: From CMO and CIO to CDO: Ray Wang and Esteban Kolsky, Milan Business Forum 2013, from Esteban Kolsky on Vimeo: http://vimeo.com/80165276

The ROI on hacking Target customers' cards

An unhappy holiday for Target customers

A week before Christmas, Target in the US revealed it had suffered a massive payment card data breach, with some 40 million customers affected. Details of the breach are still emerging. No well-informed criticism of Target's security has yet emerged; instead most observers say that Target has very serious security, and therefore this latest attack must have been very sophisticated, or else an inside job. It appears Target was deemed PCI-DSS compliant -- which only goes to prove yet again the futility of the PCI audit regime for deterring organized criminals.

Security analyst Brian Krebs has already seen evidence of a "fire sale" on carding sites. Cardholder records are worth several dollars each, up to $44 according to Krebs for "fresh" accounts. So the Return on Investment for really big attacks like this one on Target (and before that, on Adobe, Heartland Payments Systems, TJMaxx and Sony) can approach one billion dollars.

We have to face the fact that no amount of conventional IT security can protect a digital asset worth a billion dollars. Conventional security can repel amateur attacks and prevent accidental losses, but security policies, audits and firewalls are not up to the job when a determined thief knows what they're looking for.

It's high time that we rendered payment card data immune to criminal reuse. This is not a difficult technological problem; it's been solved before in Card Present transactions around the world, and with a little will power, the payments industry could do it again for Internet payments, nullifying the black market in stolen card data.

A history of strong standardisation

The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. This seamless interoperability is created by the universal Four Party settlement model, and a long-standing plastic card standard that works the same with ATMs and merchant terminals absolutely everywhere.

So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it's astonishing that the industry is still yet to standardise Internet payments! We have for the most part settled on the EMV chip card standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud has boomed. I argue that all card payments -- offline and online -- should be properly secured using standardised hardware. In particular, CNP transactions should either use the very same EMV chip and cryptography as do Card Present payments, or they should exploit the capability of mobile handsets and especially Secure Elements.

CNP Fraud trends

The Australian Payments Clearing Association (APCA) releases twice-yearly card fraud statistics, broken down by fraud type: skimming & carding, Card Not Present, stolen cards and so on. Lockstep Consulting monitors the APCA releases and compiles a longitudinal series. The latest Australian card fraud figures are shown below.

[Figure: Trends in Credit Card Fraud Categories]

APCA, like other regulators, tends to varnish the rise in CNP fraud, saying it's smaller than the overall rise in e-commerce. There are several ways to interpret this contextualization. The population-wide systemic advantages of e-commerce can indeed be said to outweigh the fraud costs, yet this leaves the underlying vulnerability to payments fraud unaddressed, and ignores the qualitative problems suffered by the individual victims of fraud (as they say, history is written by the winners). It's pretty complacent to say the systemic benefit exceeds the cost of the fraud; it would be like meekly attributing a high road toll to the popularity of motor cars. At some point, we have to do something about safety!

Frankly it's a mystery why the payments industry seems so bamboozled by CNP fraud, because technically it's a very simple problem. And it's one we've already solved elsewhere.

Card Not Present fraud is simply online carding.

Skimming and Carding

In carding, criminals replicate stolen customer data on blank cards; with CNP fraud they replay stolen data on merchant servers.

A magstripe card stores the customer's details as a string of ones and zeroes, and presents them to a POS terminal or ATM in the clear. It's child's play for criminals to scan the bits and copy them to a blank card.

The payments industry responded to skimming and carding with EMV (aka Chip-and-PIN). EMV replaces the magnetic storage with an integrated circuit, but more importantly, it secures the data transmitted from card to terminal. EMV works by first digitally signing those ones and zeros in the chip, and then verifying the signature at the terminal. The signing uses a Private Key unique to the cardholder and held safely inside the chip where it cannot be tampered with by fraudsters. It is not feasible to replicate the digital signature without having access to the inner workings of the chip, and thus EMV cards resist carding.

Online card fraud

Conventional Card Not Present (CNP) transactions are vulnerable because, like the old magstripe cards themselves, they rest on cleartext cardholder data. On its own, a merchant server cannot tell the difference between the original card data and a copy, just as a terminal cannot tell an original magstripe card from a criminal's copy.

Despite the simplicity of the root problem, the past decade has seen a bewildering patchwork of flimsy and expensive online payments fixes. Various One Time Passwords have come and gone, from scratchy cards to electronic key fobs. Temporary SMS codes have been popular but were recently declared unsafe by the Communications Alliance in Australia, a policy body representing the major mobile carriers.

Meanwhile, extraordinary resources have been squandered on the novel "3D Secure" scheme (MasterCard SecureCode and Verified by Visa). 3D Secure take-up is piecemeal; it's widely derided by merchants and customers alike. It upsets the underlying Four Party settlements architecture, slowing transactions to a crawl and introducing untold legal complexities.

A solution is at hand -- we've done it before

Why doesn't the card payments industry go back to its roots, preserve its global architecture and standards, and tackle the real issue? We could stop most online fraud by using the same chip technologies we deployed to kill off skimming.

It is technically simple to reproduce the familiar card-present user experience in a standard computer or in digital form on a smart phone. It would just take the will of the financial services industry to standardise digital signatures on payment messages sent from a card holder's device or browser to a merchant server.

And there is ample room for innovative payments modalities in online and mobile commerce settings:

  • A smart phone can hold a digital wallet of keys corresponding to the owner's cards; the keys can be invoked by a payments app, ideally inside a Secure Element in the handset, to digitally sign each payment, preventing tampering, theft and replay.
  • A tablet computer or smart phone can interface a conventional contactless payment card over the NFC (Near Field Communications) channel and use that card to sign transactions (see also the NFC interface demo by IBM Research).
  • Many laptop computers feature smartcard readers (some like the Dell e-series Latitudes even have contactless readers) which could accept conventional credit or debit cards.
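
The contrast drawn above between cleartext card data and signed payment messages, as an added example that is not part of the original post. HMAC-SHA256 from the Python standard library stands in for the chip's private-key signature, so here the verifier shares the key; the class names, message fields and the merchant challenge step are assumptions made for illustration.

```python
"""Added example: cleartext card data replays; a signed, challenge-bound message does not."""
import hashlib
import hmac
import json
import secrets


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding of the fields that the signature covers."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class CardDevice:
    """Stands in for the chip or Secure Element; the key never leaves it."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def sign_payment(self, merchant: str, amount_cents: int, challenge: str) -> dict:
        fields = {"card_id": self.card_id, "merchant": merchant,
                  "amount_cents": amount_cents, "challenge": challenge}
        # HMAC is a stand-in for the private-key signature (assumption).
        tag = hmac.new(self._key, _canonical(fields), hashlib.sha256).hexdigest()
        return {**fields, "signature": tag}


class MerchantServer:
    def __init__(self, name: str, card_keys: dict):
        self.name = name
        self._card_keys = card_keys      # verification material per card
        self._open_challenges = set()    # issued and not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._open_challenges.add(challenge)
        return challenge

    def accept_cleartext(self, number: str, expiry: str, cvv: str, on_file: tuple) -> bool:
        """Conventional CNP check: only static values are compared."""
        return (number, expiry, cvv) == on_file

    def accept_signed(self, message: dict) -> str:
        fields = {k: v for k, v in message.items() if k != "signature"}
        key = self._card_keys.get(fields.get("card_id"))
        if key is None:
            return "unknown card"
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        supplied = str(message.get("signature", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "bad signature"
        if fields.get("merchant") != self.name:
            return "wrong merchant"
        if fields.get("challenge") not in self._open_challenges:
            return "replayed or unknown challenge"
        self._open_challenges.discard(fields["challenge"])  # single use
        return "accepted"


def demo() -> dict:
    key = secrets.token_bytes(32)
    device = CardDevice("card-001", key)
    shop = MerchantServer("shop.example", {"card-001": key})

    # Constructed test values, not a real card.
    on_file = ("4111111111111111", "12/30", "123")
    copied = tuple(on_file)  # the same static values, as held in a breached database
    results = {
        "cleartext_original": shop.accept_cleartext(*on_file, on_file),
        "cleartext_copy": shop.accept_cleartext(*copied, on_file),
    }

    message = device.sign_payment(shop.name, 2599, shop.new_challenge())
    results["signed_first_use"] = shop.accept_signed(message)
    results["signed_replay"] = shop.accept_signed(message)  # same bytes, sent again

    fresh = device.sign_payment(shop.name, 2599, shop.new_challenge())
    results["signed_tampered"] = shop.accept_signed({**fresh, "amount_cents": 1})
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The server cannot tell the copied cleartext values from the original, while a captured signed message is useless once its challenge has been consumed.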

Conclusion

All serious payments systems use hardware security. The classic examples include SIM cards, EMV, the Hardware Security Modules mandated by regulators in all ATMs, and the Secure Elements of NFC mobile devices. With well-designed hardware security, we gain a lasting upper hand in the cybercrime arms race.
The Internet and mobile channels will one day overtake the traditional physical payments medium. Indeed, commentators already like to say that the "digital economy" is simply the economy. Therefore, let us stop struggling with stopgap Internet security measures, and let us stop pretending that PCI-DSS audits will stop organised crime stealing card numbers by the million. Instead, we should kill two birds with one stone, and use chip technology to secure both Card Present and CNP transactions, to deliver the same high standards of usability and security in all channels.

Download complimentary research

The FIDO Alliance - by Steve Wilson

The Consumerization of Identity - by Steve Wilson

 


Tuesday's Tip: Seven Lessons Learned In Customer Experience Strategies During A Data Breach (such as @Target's)

Every Brand Should Have A Plan For A Data Breach

The confluence of centralized personally identifiable information, reliance on digital channels, ease of hacking of magnetic stripes, and the application of the Willie Sutton rule (a.k.a. you rob banks because that’s where the money is) improve the odds that many organizations will face a data breach. The question is not whether one will happen, but when and to what extent. How a brand addresses the customer experience component during a data breach will have significant impact that will subsume all other brand efforts up until the data breach.

On December 19th, Target confirmed reports of a data breach affecting 40 million customers between November 27th and December 15th, 2013.  In conversation with over 30 customer experience professionals, many lessons have been learned from the recent Target breach and the largest breach with TJX (TJ Maxx and Marshall’s).  The following seven approaches highlight pragmatic and effective strategies to responding and mitigating the damage:

  1. Begin by isolating and understanding the root cause of the breach. Understanding the root cause enables a realistic understanding of all the options. While it may take some time to get to the source, the investment in resources is worth it. The truth will set you free from weaving an ever-growing snowball of lies and half-truths. Saying that you don’t know yet is not good enough. Sharing how you are resolving or approaching the problem helps folks understand the why, not the what.
  2. Catalyze a crisis command center. The command center should not be an afterthought but part of the communications readiness training. Prioritize key data. Put all your data sources to work. Identify a protocol for decision making. Quickly agree on talking points and messaging. Democratize decision making and outreach to as many spokespersons as possible. Apply the 9C’s of engagement to build out the crisis journey map. While Target has an excellent social media program, the challenge is tackling crisis communications in defense, not offense, during the holiday season.
  3. Trust that transparency is the right course of action. Communicate the breach as early as possible. Do not try to cover it up as Target did. In fact, Target was outed by security expert Brian Krebs first, then Target had to come clean. The result has been disastrous.  Get in front of the issue.  It’s always easier to proactively influence than react.  Customers ultimately value transparency when they can understand the process and the efforts provided to date.  Outcomes ultimately matter but in the absence of a solution, upfront communication of the situation and approach helps bridge the trust gap.
  4. Activate the advocates. Leverage social media to inform key advocates and influencers.  Share core messaging.  Update frequently.  Seek input and advice.  Provide the influencers with timely updates and in some cases first line information.  While Target has done a good job on Facebook, the issue is not the communications plan, but more that the resolution is not satisfactory.
  5. Resolve the root cause of the problem. Customers seek resolution, not a patchwork of disparate solutions. In Target’s case, the root cause is a privacy breach on card data. The cleanest way to resolve the situation would be mass card replacement through digital distribution and self-service redemption. Target unfortunately chose to use credit card monitoring and put the onus on customers to monitor their fraud status. Customers perceive this as a half-assed measure.
  6. Make a valuable offer. Use the opportunity to bring back customers, not push them away. Provide perceived value. Solicit feedback on potential strategies with brand advocates. Providing a new card with a stored value amount or discount is one approach. Target’s offer of 10% off, coverage for any fraud, and security protection made perfect sense. However, not combining the offer with a brand new card made the offer seem hollow as it did not address the root cause.
  7. Rebuild trust with subsequent engagement. Determine the next course of actions.  Once the crisis has passed, brands must continue to reassure customers on security and privacy.  In Target’s case, they will need to announce what measures have been taken, how many folks have been breached, how have folks been compensated, and what is being done in the future to prevent breaches.  If the credit card industry is smart, they will also help Target in providing solutions and investing in marketing messages.

The Bottom Line: The Shift To Digital Businesses Requires A New Level Of Authenticity

Good leadership is tested in a crisis. The actions any executive has to make during a crisis reflect on the core values of the company.  Trust and transparency are key pillars of an authentic business.  In a digital world, speed is the other factor that must be considered.  Preparing for a crisis is never easy.  Preparing for a data breach is actually a bit easier. Why? It’s inevitable and a key requirement in addressing customer experience as we enter a world of digital disruption.

While Monday morning quarterbacking is easy during a crisis, the point here is to take lessons learned from other disasters and get ahead of the issue. One crisis can take down decades and billions of marketing dollars spent building a brand. Handling a crisis well can also remake the image of a brand. A great example is the Tylenol recall of 1982, where the mass drug recall, while expensive, proved to reassure the public of J&J McNeil’s sincerity in addressing the root cause.

When product differentiation is not enough and when service differentiation is not enough, all we have are outcomes and experiences. Customers aren’t buying products or services any more. Customers are buying outcomes and experiences. All we have is our brand, and how you handle a data breach will determine the future of your organization. How will you prepare to dominate digital disruption?

Your POV.

Are you ready to address customer experience strategies and incorporate digital business transformation in advance of a data breach?  Are you embarking on a digital business transformation?  Let us know how it’s going!  Add your comments to the blog or reach me via email: R (at) ConstellationR (dot) com or R (at) SoftwareInsider (dot) com.

Please let us know if you need help with your Customer Centricity and Digital Business transformation efforts.  Here’s how we can assist:

  • Assessing customer centricity readiness
  • Developing your digital business strategy
  • Connecting with other pioneers
  • Sharing best practices
  • Vendor selection
  • Implementation partner selection
  • Providing contract negotiations and software licensing support
  • Demystifying software licensing

Copyright © 2001 – 2013 R Wang and Insider Associates, LLC All rights reserved.
Contact the Sales team to purchase this report on an à la carte basis or join the Constellation Customer Experience!

 


Santa gets product through customs…can you?

First I want to wish happy holidays to everyone and their families and friends. As children we were told that jolly Saint Nick would come down our chimneys on December 24th and deliver presents to all the good boys and girls. The rotund man dressed in red would be able to cover the globe powered only by a sleigh pulled by reindeer – and amazingly have 100% on time delivery and usually 100% perfect order (there are still some orders I placed that had substitute products). So how does he accomplish this? He has perfect visibility into the demand (all those letters, emails and texts he receives in the North Pole) as well as his inventory levels. One advantage Santa Claus has is that he is carrying all of the inventory and doing the delivery himself; tiring, yes, but he really just needs a routing schedule. This is not as simple for the rest of us.

Visibility is a term that we throw around with reckless abandon, but the goal of visibility remains a centrepiece of our supply chain strategies. The ability to gain visibility was a driving theme for the adoption of the cloud in supply chain. There are numerous examples of companies leveraging cloud-enabled platforms to provide a richer view of what was happening with suppliers, providing insight into planning cycles, inventory levels, manufacturing capacities and point of sale information, just to name a few. Improved visibility really begins with better communication amongst the disparate systems that power our supply chains. Companies such as Kinaxis have developed the concept of a supply chain control tower: a centralized tool that allows faster visibility into supply chain events and a greater ability to read and react. Other companies like One Network and E2open have been able to leverage the technical advantages of the cloud – greater connectivity, allowing for greater visibility and offering a true network effect. This allows networks to be created seamlessly, where information exchange can happen with fewer limitations. At the foundation, it is about improved visibility into the supply chain.

However, one variable in supply chain visibility that does not seem to get attention is inventory that is held up at ports, airports or any other point of exit or entry for trade. In a recent SCM World report, 80% of the respondents agreed that customers and customs problems were impacting customer service in a material way.

So when it comes to gaining improved end to end supply chain visibility, the ability to have a more robust view of what is happening to your inventory at these locations is a key element. According to a calculation done by Kelly Thomas at JDA, at any given moment $12 trillion of inventory is either sitting or moving in the world. The question becomes, how much of this inventory is being delayed due to customs issues or because of not having the proper paperwork? Not only does this impact the movement of inventory, it also impacts the positioning of inventory. Firms like Cisco, HP and Dell, who have very tight service level agreements (SLAs) when it comes to servicing their customers, have to take customs into account when placing their inventories in different parts of the globe. This can lead to having redundant inventory that is geographically close, but separated by a border that leads to customs issues…which could delay their ability to meet their SLAs.

Companies such as Amber Road and GT Nexus provide their customers with greater visibility into inventory when it is in this state: where is it in the process of clearing exports or passing import hurdles? This level of visibility is key when it comes to managing the rest of the supply chain, allowing customers to identify what can be a bottleneck – the points of entry. Gaining this added insight into what is happening where your inventory crosses a border clears up one more potential blind spot in your supply chain. Since the movement of global trade is not about to abate any time soon, this blind spot carries tremendous impact on your overall supply chain.

Santa Claus has found a way to move his inventory globally without worrying about it being held up at points of exit or entry. The rest of us still need to find ways for enhanced visibility into these physical choke points in our supply chain. When it comes to visibility, make sure you work with your service provider(s) to identify the granularity and speed at which you can see into where your inventory sits. We are striving to get closer to true end to end visibility, but there remain blind spots that we must be aware of.



Facebook's challenge to the Collection Limitation Principle

An extract from our chapter in the forthcoming Encyclopedia of Social Network Analysis and Mining.

Stephen Wilson, Lockstep Consulting, Sydney, Australia.
Anna Johnston, Salinger Privacy, Sydney, Australia.

Key Points

  • Facebook's business practices pose a risk of non-compliance with the Collection Limitation Principle (OECD Privacy Principle No. 1, and corresponding Australian National Privacy Principles NPP 1.1 through 1.4).
  • Privacy problems will likely remain while Facebook's business model remains unsettled, for the business is largely based on collecting and creating as much Personal Information as it can, for subsequent and as yet unspecified monetization.
  • If an OSN business doesn't know how it is eventually going to make money from Personal Information, then it has a fundamental difficulty with the Collection Limitation principle.

Introduction

Facebook is an Internet and societal phenomenon. Launched in 2004, in just a few years it has claimed a significant proportion of the world's population as regular users, becoming by far the most dominant Online Social Network (OSN). With its success has come a good deal of controversy, especially over privacy. Does Facebook herald a true shift in privacy values? Or, despite occasional reckless revelations, are most users no more promiscuous than they were eight years ago? We argue it's too early to draw conclusions about society as a whole from the OSN experience to date. In fact, under laws that currently stand, many OSNs face a number of compliance risks in dozens of jurisdictions.

Over 80 countries worldwide now have enacted data privacy laws, around half of which are based on privacy principles articulated by the OECD. Amongst these are the Collection Limitation Principle which requires businesses to not gather more Personal Information than they need for the tasks at hand, and the Use Limitation Principle which dictates that Personal Information collected for one purpose not be arbitrarily used for others without consent.

Overt collection, covert collection (including generation) and "innovative" secondary use of Personal Information are the lifeblood of Facebook. While Facebook's founder would have us believe that social mores have changed, a clash with orthodox data privacy laws creates challenges for the OSN business model in general.

This article examines a number of areas of privacy compliance risk for Facebook. We focus on how Facebook collects Personal Information indirectly, through the import of members' email address books for "finding friends", and by photo tagging. Taking Australia's National Privacy Principles from the Privacy Act 1988 (Cth) as our guide, we identify a number of potential breaches of privacy law, and issues that may be generalised across all OECD-based privacy environments.

Terminology

Australian law tends to use the term "Personal Information" rather than "Personally Identifying Information" although they are essentially synonymous for our purposes.

Terms of reference: OECD Privacy Principles and Australian law

The Organisation for Economic Cooperation and Development has articulated eight privacy principles for helping to protect personal information. The OECD principles are as follows:

1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

Of most interest to us here are principles one and four:

  • Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  • Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification] except with the consent of the data subject, or by the authority of law.

At least 89 countries have some sort of data protection legislation in place [Greenleaf, 2012]. Of these, in excess of 30 jurisdictions have derived their particular privacy regulations from the OECD principles. One example is Australia.

We will use Australia's National Privacy Principles (NPPs) in the Privacy Act 1988 as our terms of reference for analysing some of Facebook's systemic privacy issues. In Australia, Personal Information is defined as: information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Indirect collection of contacts

One of the most significant collections of Personal Information by Facebook is surely the email address book of those members that elect to have the site help "find friends". This facility provides Facebook with a copy of all contacts from the address book of the member's nominated email account. It's the very first thing that a new user is invited to do when they register. Facebook refer to this as "contact import" in the Data Use Policy (accessed 10 August 2012).

"Find friends" is curtly described as "Search your email for friends already on Facebook". A link labelled "Learn more" in fine print leads to the following additional explanation:

  • "Facebook won't share the email addresses you import with anyone, but we will store them on your behalf and may use them later to help others search for people or to generate friend suggestions for you and others. Depending on your email provider, addresses from your contacts list and mail folders may be imported. You should only import contacts from accounts you've set up for personal use." [underline added by us].

Without any further elaboration, new users are invited to enter their email address and password if they have a cloud-based email account (such as Hotmail, Gmail, Yahoo and the like). These types of services have an API through which any third party application can programmatically access the account, after presenting the user name and password.

It is entirely possible that casual users will not fully comprehend what is happening when they opt in to have Facebook "find friends". Further, there is no indication that, by default, imported contact details are shared with everyone. The underlined text in the passage quoted above shows Facebook reserves the right to use imported contacts to make direct approaches to people who might not even be members.

Importing contacts represents an indirect collection by Facebook of Personal Information of others, without their authorisation or even knowledge. The short explanatory information quoted above is not provided to the individuals whose details are imported and therefore does not constitute a Collection Notice. Furthermore, it leaves the door open for Facebook to use imported contacts for other, unspecified purposes. The Data Use Policy imposes no limitations as to how Facebook may make use of imported contacts.

Privacy harms are possible in social networking if members blur the distinction between work and private lives. Recent research has pointed to the risky use of Facebook by young doctors, involving inappropriate discussion of patients [Moubarak et al, 2010]. Even if doctors are discreet in their online chat, we are concerned that they may run foul of the Find Friends feature exposing their connections to named patients. Doctors on Facebook who happen to have patients in their webmail address books can have associations between individuals and their doctors become public. In mental health, sexual health, family planning, substance abuse and similar sensitive fields, naming patients could be catastrophic for them.

While most healthcare professionals may use a specific workplace email account which would not be amenable to contacts import, many allied health professionals, counsellors, specialists and the like run their sole practices as small businesses, and naturally some will use low cost or free cloud-based email services. Note that the substance of a doctor's communications with their patients over webmail is not at issue here. The problem of exposing associations between patients and doctors arises simply from the presence of a name in an address book, even if the email was only ever used for non-clinical purposes such as appointments or marketing.

Photo tagging and biometric facial recognition

One of Facebook's most "innovative" forms of Personal Information Collection would have to be photo tagging and the creation of biometric facial recognition templates.

Photo tagging and "face matching" has been available in social media for some years now. On photo sharing sites such as Picasa, this technology "lets you organize your photos according to the people in them" in the words of the Picasa help pages. But in more complicated OSN settings, biometrics has enormous potential to both enhance the services on offer and to breach privacy.

In thinking about facial recognition, we start once more with the Collection Principle. Importantly, nothing in the Australian Privacy Act circumscribes the manner of collection; no matter how a data custodian comes to be in possession of Personal Information (being essentially any data about a person whose identity is apparent) they may be deemed to have collected it. When one Facebook member tags another in a photo on the site, then the result is that Facebook has overtly but indirectly collected PI about the tagged person.

Facial recognition technologies are deployed within Facebook to allow its servers to automatically make tag suggestions; in our view this process constitutes a new type of Personal Information Collection, on a potentially vast scale.

Biometric facial recognition works by processing image data to extract certain distinguishing features (like the separation of the eyes, nose, ears and so on) and computing a numerical data set known as a template that is highly specific to the face, though not necessarily unique. Facebook's online help indicates that they create templates from multiple tagged photos; if a user removes a tag from one of their photos, that image is not used in the template.

Facebook subsequently makes tag suggestions when a member views photos of their friends. They explain the process thus:

  • "We are able to suggest that your friend tag you in a picture by scanning and comparing your friend's pictures to information we've put together from the other photos you've been tagged in".

So we see that Facebook must be more or less continuously checking images from members' photo albums against its store of facial recognition templates. When a match is detected, a tag suggestion is generated and logged, ready to be displayed next time the member is online.

What concerns us is that the proactive creation of biometric matches constitutes a new type of PI Collection, for Facebook must be attaching names -- even tentatively, as metadata -- to photos. This is a covert and indirect process.

Photos of anonymous strangers are not Personal Information, but metadata that identifies people in those photos most certainly is. Thus facial recognition is converting hitherto anonymous data -- uploaded in the past for personal reasons unrelated to photo tagging let alone covert identification -- into Personal Information.

Facebook limits the ability to tag photos to members who are friends of the target. This is purportedly a privacy enhancing feature, but unfortunately Facebook has nothing in its Data Use Policy to limit the use of the biometric data compiled through tagging. Restricting tagging to friends is likely to actually benefit Facebook for it reduces the number of specious or mischievous tags, and it probably enhances accuracy by having faces identified only by those who know the individuals.

A fundamental clash with the Collection Limitation Principle

In Australian privacy law, as with the OECD framework, the first and foremost privacy principle concerns Collection. Australia's National Privacy Principle NPP 1 requires that an organisation refrain from collecting Personal Information unless (a) there is a clear need to collect that information; (b) the collection is done by fair means, and (c) the individual concerned is made aware of the collection and the reasons for it.

In accordance with the Collection Principle (and others besides), a conventional privacy notice and/or privacy policy must give a full account of what Personal Information an organisation collects (including that which it creates internally) and for what purposes. And herein lies a fundamental challenge for most online social networks.

The core business model of many Online Social Networks is to take advantage of Personal Information, in many and varied ways. From the outset, Facebook founder, Mark Zuckerberg, appears to have been enthusiastic for information built up in his system to be used by others. In 2004, he told a colleague "if you ever need info about anyone at Harvard, just ask" (as reported by Business Insider). Since then, Facebook has experienced a string of privacy controversies, including the "Beacon" sharing feature in 2007, which automatically imported members' activities on external websites and re-posted the information on Facebook for others to see.

Facebook's privacy missteps are characterised by the company using the data it collects in unforeseen and barely disclosed ways. Yet this is surely what Facebook's investors expect the company to be doing: innovating in the commercial exploitation of personal information. The company's huge market valuation derives from a widespread faith in the business community that Facebook will eventually generate huge revenues. An inherent clash with privacy arises from the fact that Facebook is a pure play information company: its only significant asset is the information it holds about its members. There is a market expectation that this asset will be monetized and maximised. Logically, anything that checks the network's flux in Personal Information -- such as the restraints inherent in privacy protection, whether adopted from within or imposed from without -- must affect the company's futures.

Conclusion

Perhaps the toughest privacy dilemma for innovation in commercial Online Social Networking is that these businesses still don't know how they are going to make money from their Personal Information lode. Even if they wanted to, they cannot tell what use they will eventually make of it, and so a fundamental clash with the Collection Limitation Principle remains.

Acknowledgements

An earlier version of this article was originally published by LexisNexis in the Privacy Law Bulletin (2010).

References

Greenleaf G., "Global Data Privacy Laws: 89 Countries, and Accelerating", Privacy Laws & Business International Report, Issue 115, Special Supplement, February 2012; Queen Mary School of Law Legal Studies Research Paper No. 98/2012.

Moubarak G., Guiot A. et al., "Facebook activity of residents and fellows and its impact on the doctor-patient relationship", J Med Ethics, 15 December 2010.
