Resuming our 'controversial question' series, we invited a large number of suppliers (both in Australia and in other parts of the world) to consider this statement: "Privacy is dead. Long live privacy."
Graham Sowden, Managing Director APAC, Okta opens the batting, noting that "The statement posed really captures current attitudes towards privacy in the digital age. On the one hand, many of us have accepted that participating in the online world requires some sacrifice of our privacy. On the other hand, we are also increasingly aware of the extent of that sacrifice, becoming uncomfortable with it, and pushing back."
Never one for understatement, Daniel Harding, Director - Australia Operations, MaxContact exclaims, "Privacy is a topic that has never been as hot as it is now."
Richard Bird, Chief Customer Information Officer at Ping Identity points toward the three big elephants in the room - "The rise of efforts to secure privacy for human beings in the digital world has finally run headlong into the reality that big tech companies have built entire business empires around your data. In response Amazon, Google, Facebook and other big tech companies spent a record-breaking amount of money lobbying to protect their data-driven empires and ultimately to fight against privacy, just in the US in 2020."
Moving our aim from the "too big to care" down to the "it's really important" part of the business world, Prakash Durgani, Vice President of Asia Pacific and Japan, Twilio Segment says, "Every company today is in the business of customer experience, regardless of what they sell, who they sell it to or what platform they use. As organisations continue to look at ways to provide richer and more engaging experiences, they'll also need to prioritise being respectful of customer privacy. The key to survival will be leaning into first-party data — data collected directly from a company's interactions with its own customers — and building direct relationships with customers."
Claudia Pirko, ANZ Regional Vice President, BlackLine expands on that last point, "Once lost or diminished, trust in a company's privacy policies can be difficult to regain. Identifying vulnerabilities and risks, and putting stronger controls in place to address them, should be part of the long-term solution for businesses seeking to repair damage in privacy - and to avoid incurring it."
Marc Laliberte, Senior Security Analyst, WatchGuard Technologies reminds us that "User privacy has been crumbling for years. Each new security breach and data dump further chips away at any degree of privacy that does remain. Adding to the challenge is the fact that connected devices are far more intertwined in our everyday lives than ever before."
Offering a local perspective, Nick Savvides Senior Director of Strategic Business, APAC at Forcepoint: "Here in Australia, we have had a rather interesting history with privacy; public interest in digital privacy has risen and dropped continuously over time.
"A few years ago, I had said that the privacy era was upon us, with people starting to care about how their data was being handled and that organisations and regulators would have responded in kind. I think I was both and right and wrong about this, consumers did become more concerned about privacy, but they just didn't do much about it, while organisations continued to collect and analyse more data as regulators continued to tweak policy.
So, what Nick Savvides is saying that people really care about privacy; except they don't.
Drilling a little deeper, Savvides continues - "Privacy is dead is an easy conclusion to come to, but I don't think it is true. Privacy is a deceptively complex topic, it's something that must be looked through social and technological lenses, which themselves change over time.
"It is true today that more data is being created, stored, indexed and analysed than ever before, and has been growing at an exponential rate for the last 15 years. I'd say that the pandemic accelerated that even further, as it pushed so many small businesses, and so many formerly face-to-face interactions and dealings into the online and digital worlds, creating even more data."
We addressed this topic in a recent look forward in the area of data storage.
Savvides continues, "I'd say that the pandemic made a lot of people ignore the privacy concerns that they may have had lingering in the back of their minds. This is because we had to turn to technology to fill in for human interaction and communication.
"Concerns about the privacy of platforms fell to the wayside, as we all clamoured to use new and existing services to maintain social connections. Even our homes, which we would normally consider a private place, were put on show to our colleagues, bosses and external customers. I doubt many people read the terms and conditions, privacy policies of the services they signed up for during the pandemic.
"This is not a surprise for me, because just like cyber-security, and risk in general, humans will generally ignore risk, when they desire the outcome, I think we can all relate when a box pops up and you think "Urgh go away! I just want to talk to my friends/play this game/do my job".
Pointing out the virus-driven imperative, Sam Deckert, Managing Director, Peak Insight reminds us that "The business world's suddenly increased usage of digital collaboration tools has highlighted the implications such tools can have for individual privacy. Clearly, some of the tools offer far more security and privacy than others."
David Nicol, Managing Director ANZ at BlackBerry expands on this, noting that "Privacy has long been, and likely always will be, important in our society. The events of 2020 served to accelerate the mass global migration online across all facets of our lives. In this fast-paced data-driven digital economy, ensuring the privacy of personal data has never been more critical to establishing trust with customers, partners and employees. Everyday Australians are gaining a much better understanding of the amount of information they share online, and the real risk of this information falling into the wrong hands or being used for purposes other than what is intended."
Anne Hardy, Chief Information Security Officer, Talend agrees - "Nowadays, the expectations regarding the processing and protection of personal data are increasing, whether from users or governments—with particularly strong expectations in terms of data privacy and security governance."
Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic returns to the points made earlier by Durgani and Savvides. "I believe the big question, when it comes to data privacy, is 'How is citizens' data being used, collected and processed?' Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetisation is resulting from the data. In the future everyone will become an influencer."
We get agreement with Carson from Gerry Sillars, Vice President Asia Pacific and Japan at Fortanix. "Yes, privacy is dead, in the sense that consumers and citizens now willingly exchange personal data in exchange for commercial and government services. But long live privacy, because woe betide those commercial and government organisations that do not properly protect personal information and allow it - whether intentionally through their business practices or unintentionally through data breaches - to be used for purposes that consumers and citizens did not sign up for.
"With cloud-based Confidential Computing services now available - which allow personal data to be remain encrypted at all times, even when in use and/or shared with other organisations - there are no longer any excuses for not providing the level of privacy protection that consumers and citizens expect. "
Getting a little finer-grained, Noé suggests that "Privacy can be challenging, but it is not dead." He expands on the theme, telling us that "It has been evolving and it will continue to evolve. Ten years ago, privacy concerns were predominantly focused on individual risks related to the oversharing of personal information online. Since then, our digital ecosystem has tremendously developed and now extends to devices we wear and other devices around us.
"Social media has boomed, children now use digital services from an early age, identity thefts are increasing, and privacy regulations have strengthened. Data processing algorithms and Artificial Intelligence (AI) have also come into play. New technologies fuel innovation, but they can also amplify privacy risks when used without adequate controls and regulations."
Returning to our three 'elephants,' Bird expands on his earlier thought. "Commercial interests like Facebook, Google and Amazon have repeatedly shown in word and deed that they have no interest in granting privacy or even security to their users and their data. Their revenue models demand a free flow of our data, which they now acquire at virtually no cost.
"Google's actions in Australia, while tied to copyrights and royalties in this round of debates, shows the lengths that Google and other big tech companies will go to in order to protect their data driven business models. To assume that they wouldn't dare to resort to the same kind of threats when the demands for citizen privacy escalate simply underestimates the outsized scale and level of control that these big tech companies have."
"Data has become a highly sought-after commodity that is exchanged for digital products and services David Nicol tells us. "While many view this as a worthwhile trade off, the concern is allowing corporate interests to monetise personal data and control the rules of engagement. Every individual should own their own data and control what purposes it is used for. Transparency is key."
This point was also raised by Jim Cook, ANZ Regional Director, Attivo Networks in observing that "Despite the fact that we live in a world where personal information is shared at an astonishing pace through social media, online shopping and marketing, businesses continue to put convenience over privacy, for example - most people simply click accept to the 'We've changed our policy' pop up, and it's up to the security or compliance team to bring awareness to what has actually changed."
A couple of our executives pointed to the cloud as an interesting nexus in the privacy debate.
Mark Lukie, Sales Engineer Manager - APJ, Barracuda tells us that "The combination of privacy and cloud security will be a critical skill every IT executive will need to understand as more and more capabilities are now delivered as cloud services. Cloud security posture management - understanding whether and how the assets and services delivered in public cloud are adhering to compliance regimes- will be a requirement for every IT executive. In addition, as more and more companies are exposed to threats that impact the privacy of their customers or enterprises, the risk of breaches will require IT security executives to be able to effectively communicate and execute plans that encourage and require other teams to enforce compliance."
Similarly, Peter O'Connor, Vice President Sales Asia Pacific, Snowflake reminds us that "With more data being stored and accessed through the cloud than from physical locations, we’re only going to see more investment and transparency in cloud platform security offerings for customers. When migrating to the cloud, customers must be assured that their data is in the safest hands possible. Given the emphasis on remote working, and the subsequent shift to cloud infrastructure, it has never been more vital that cloud platforms continue to develop their security infrastructures to provide customers with more privacy as well as reliable and robust measures against the threat of cyber-attacks."
Many of our contributors wanted to point out the influence of governments and regulation on privacy - with both good and bad influences.
Joanne Wong, Vice President - International Marketing, LogRhythm, for instance pointed to a collision in regulation vs. technology. "While privacy-focused regulations like GDPR tackle questions over rights to access, store and retain data, the rise in accessibility to deepfake technology will have significant impact on users' privacy and security, and business integrity. Users will need to be clear of risks they take when using emerging face apps that may harvest their face data. Organisations need to deploy updated cybersecurity measures and detection algorithms to minimise risks of being caught off-guard should hackers manipulate images or videos of their business leaders."
Cutting to the heart of regulation, Laliberte argues that "The risks are high and growing more so with each passing year. But society has realised that giving companies so much insight into our lives is neither healthy nor safe, and is beginning to turn the tide. GDPR and the CCPA are perfect examples of countries and states putting more pressure on businesses to protect users' data and privacy. To expedite an even broader commitment to privacy, we believe users will finally revolt en masse and force into existence new privacy regulations for social media services, connected devices and more. In the meantime, everyday users should continue to acknowledge that privacy is a significant issue, restrict the type of information they share online or with smart devices, and keep an eye out for attacks that might leverage their own personal data."
"Our current regulations on privacy, are focussed on the dry aspects," reminds Savvides. "On the mechanics of data collection, storage and consent, rather on the wholistic aspects of what privacy means to society. This is the next frontier of policy development.
"I believe that privacy is sybiotic with trust, and by focussing on this we can ensure that privacy survives; as trust is required for nearly every interaction work, it is more tangible to people. Cyber-security is fundamental part of ensuring digital trust, and as such it is also critical to privacy, but they are not equivalent, and I think a mistake many organisations make is to think of privacy only through a cyber-security lens. While it is true that cyber-security is big part of ensuring privacy as it can secure the systems, secure the data, detect when data is lost, and protect against unauthorised access, privacy is not just confined to these things, it is much more.
"To address this, I think that those who understand the technology, understand privacy and understand data science have an obligation to ensure that privacy stays alive and evolves while regulators have an obligation to respond quickly to the technology changes to ensure that participants are trustworthy. We also as an industry, must work to educate and better inform our users of what is possible with their data and how it can be protected."
Derek Cowan, Head of Systems Engineering ANZ, Cohesity continues this theme. "The next decade needs to instil trust in consumers that the data they exchange -- in return for more tailored experiences -- is to be used, managed, and conserved with a consistent manner of protection. To achieve this, organisations must ensure they not only meet the latest compliance and policy standards, but future proof their business with self-regulation to higher standards and technologies that can evolve based on ever-changing landscapes.
"Organisations of all sizes need to be more accountable. This starts by not making do with outdated IT systems and processes, but instead, moving to modern solutions that reduce data risks by more accurately identifying, classifying, and taking corrective action on how they handle personal data. The relationship between consumer and vendor only works when trust is in place and confidence is there, regardless of the threat or issue faced. From a compliance perspective, GDPR was merely the start, not the end goal."
Continuing the theme, Harding reminds us that "For all the data that is out there, it is incredibly important that Australian businesses follow The Privacy Act 1988, and the 13 Australian Privacy Principles (APPs).
"Although the world has never been awash with so much data, businesses have the obligation to act morally and follow the appropriate laws of the land. Contact centres, and the systems they use, can hold vast amounts of customer data and it is vital that the operators of the centres, and vendors, educate their employees on the importance of respecting the individual customer's privacy."
Drawing this to a close, the ever-hopeful Richard Bird concludes that "Governments and human beings have woken up after at least a 10 year slumber when it comes to data privacy. Only now, when the scale and depth of the data being aggregated and accumulated about citizens and consumers is coming into focus have we realised the companies who have our data are going to fight tooth and nail to keep from being forced to ensure it is kept securely and managed with privacy as the first priority."
Carson addas that "Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process."
Finally, David Nicol reminds our industry that we should own the problem. "It is our responsibility as tech companies to set the bar high, commit to strong data protection standards, and welcome responsible and balanced regulatory oversight that both protects privacy and spurs innovation and competition. The truth is that privacy can be achieved without preventing users from taking advantage of cutting-edge technologies. Data protection and security can and should be embedded by design in all digital products and services."