Liveblogging for this post has now ended. Please start reading this post from the bottom.
06:21:05 pm: Audience question: concerned about add-ons to Firefox. [Reminds me about Chrome extensions - they disclose what information an extension will have access too, but one of the descriptors is "this extension will have access to all your private form data". Which is kind of alarming because it sounds like the extension could sniff passwords out. If that's not true, they need to rephrase it.] Ryan is plugging What App which is a service that rates app security. [I love the security paranoids who won't use credit cards online in this day and age.] Ok, wrapping up now.
06:16:02 pm: Audience comment: internet searches on job applicants for screening purposes. Big issue for employer data collection.
Gin: In some ways, government regulation won’t be enough in the long run. Technology will need to fill in the gaps.
06:11:34 pm: Mozilla sometimes takes a minimal approach when it comes to data. If you don’t keep user data, a government can’t require you to deliver up what you don’t have.
06:06:52 pm: LinkedIn believes it needs to be very clear about what information it collects, and how readers can control their personal information. LinkedIn is very clear about monetization – describing what users get if they pay the subscription fee. Trust is key for their professional networking site. [Giving users the control helps a lot, apparently.]
06:02:05 pm: Gelman: user information is valuable. Is there a business strategy that leverages that? Sure, but it puts privacy on the line. [It's a big balancing act. Depends on business model, whether it's against your overall company mission, how will your customers feel? etc. Consent is a big thing... if users sign up to something knowing what they're getting into, then less risk re violation of trust]
05:58:47 pm: Fourth issue: do you think there’s a tension between monetization [chasing revenue] and privacy? [This question reminds me of the Rapleaf story.] Gin: sure. His company could have gone down the route where consumer information was exploited. But he wanted a tool to help consumers, not the other way around.
05:54:52 pm: Should be an internal process to address UGC which violates that user’s local laws.
05:53:35 pm: Mozilla finds it very difficult to keep up with privacy regulations across the world. They want to crowdsource legal compliance similar to how they develop Firefox with an open source model.
Mozilla has several PPs broken down by product, not by countries. Firefox.de no really within German jurisdiction.
LinkedIn: “mission is to connect professional worldwide”. One PP, one TOU. By law, some provisions may or may not apply in different jurisdictions, so there are country-specific addenda to customize them. LinkedIn has a single “server” accessible worldwide. [single domain?]
Question from audience: rush to the bottom? Catering to the lowest common denominator? Isn’t that what happens if you only have one policy? How do you deal with different regimes?
Martin: It’s tough. It’s a big issue especially with user-generated content. [Now we're getting into thorny jurisdictional issues in internet business.] Martin mentions differing free speech standards as an issue.
05:48:34 pm: Ryan draws analogy with Google in China – actions overseas can have a beneficial reputational effect back at home as well. Could also apply to privacy issues.
05:45:51 pm: Third issue: how do you deal with consumer expectations overseas? [They have different cultural views - eg, Europe is tougher.] Martin: Mozilla benefits from users around the world. Firefox has over 50% market share in Poland. Big share in Germany too. Users and governments there are more savvy about demanding more privacy protections there. Plays into the competitive issue – how it can be used for competitive advantage. Eg, they felt Firefox is more secure, so it gave Firefox an uptick in market share. German data protection authority issued statement that people need to be aware of certain ads – picking the right browser can help with this. People in Europe really care about this stuff, more so than US. Ryan: So you actually got a market share boost from a government statement on privacy! Martin: we had a 4-5% jump [!]
05:42:43 pm: Gelman mentioning Mint again – they are prime because they collect really juicy information (financial info across all your fin services providers). So from day 1, they need to get security and privacy right, even if they’re small, because they are a huge hacking target. [ie, Why do you rob banks? Because that's where the money is. I guess start-ups like this need a lot of initial capital.]
05:39:37 pm: Ryan: What about Twitter? They were taken down last Thursday by an attack. Is there a point where you can get too big and not have enough? Gelman: Need to identify what data is at risk and adjust your investment in security accordingly. [Aren't these points kind of obvious?] Ryan: If you’re a start-up, and you don’t have the resources to secure things… it’s tricky because you still need to do it. Like if you want to process credit card transactions. Rottenberg mentioning PayPal as an example. [the acoustics of this room are terrible, I'm missing comments...]
Gin: of course, if you’re bigger, you’re a bigger target. In any event, you can’t guarantee 100% security.
Rottenberg: agrees. And that PPs should be written in plain English. LinkedIn making significant investment in IS security. As they’ve grown, they become a bigger target, so they have to scale security accordingly.
05:32:04 pm: Audience comment: what about teenagers? Can they understand privacy in a meaningful way? Doesn’t this affect how you can use privacy for competitive advantage?
LinkedIn uses a popup to notify of PP changes. As does FB. [So change events are particularly crucial.]
Gelman jumping in: but what about small companies which don’t have the resources? Those ones who just rip off eBay’s policies? It’s like everyone know they have to have one, but no one knows what it means. Stanford student start-ups will just throw up a policy without even customizing it.
For LinkedIn, you can use it as a “thinking document” [mapping out information flows].
05:24:05 pm: Rottenberg: even small start-ups need to consider this [I guess you need to build user trust from day 1].
05:21:29 pm: Gelman: depends on business type. If you’re CEO of Mint, you need to know how to talk about the intricacies of privacy to your investors. Rottenberg: it’s also a big trust issue. Privacy interests of LinkedIn are aligned with those of users. Zero incentive for LinkedIn to do otherwise with privacy.
05:17:33 pm: Gin: probably not a big an advantage from a competition perspective, but it’s still an important part of the overall mission of companies.
05:14:54 pm: Q&A format. Privacy & competition is the first issue up. How much is privacy a part of company strategy? Are people using privacy to compete? Mozilla: Bing seems to be attacking Google using privacy-related tactics. Eg, Bing giving logs after 6 months, vs Google’s 9 months.
05:08:32 pm: Ryan’s kicking it off now.
Intro: I’m attending a talk on privacy at SLS. No special reason I’m liveblogging this apart from me itching to give this liveblogging functionality a try. The talk is relevant to what I’m doing at work at the moment. The panel today comprises: Erika Rottenberg, General Counsel of LinkedIn;
Julie Martin, Associate General Counsel of Mozilla;
Jeremy Gin, Founder of Sitejabber; and
Lauren Gelman, Privacy Expert from Stanford’s CIS.