More Related Content
Similar to What every product manager needs to know about security (20)
More from Silicon Valley ProductCamp (14)
What every product manager needs to know about security
- 1. What Every Product
Manager Needs to Know
About Online Privacy
and Security
Protecting Your Brand,
Revenue, and Business Model
Phil Burton, Principal Consultant and Trainer
280 Group LLC
© 2010-2011 280 Group LLC
Page 1 ©2010-2011 280 Group LLC
- 2. Why is Online Privacy Important?
• Lack of effective privacy can affect revenues
and damage your business model
loss of trust and reputation brand damage
Decreases in site visitors lower revenue
• Real and growing risk of government
regulation in US, EU
Potentially limit revenue opportunities
Potentially impact the business model
• Effective privacy requires excellent security
Page 2 ©2010-2011 280 Group LLC
- 3. Agenda
• Threats to Online User Privacy
– Corporate Policy
– Poor Operations and Programing Practices
– Lack of User Education
• Issues and Consequences
• Increased Government Regulation?
• Strategic Issues and Market Requirements
• Takeaway Ideas
Page 3 ©2010-2011 280 Group LLC
- 5. Causes of Privacy Threats
• Corporate policy
– Business model monetizes private data
– Complete indifference to privacy issues
• Poor operations and programming practices
– Badly designed, buggy software and configurations
– Poorly secured websites allow professional criminals
to steal user private data
• “contribute” content with “malware”
• forcefully plant malware
• Lack of user education
– Users don’t know how or why to protect private data
– “Social Engineering” tricks users
Page 5 ©2010-2011 280 Group LLC
- 6. Facebook Places issue
• Facebook announced location service
“Places” August 18, 2010
• Immediate criticism of default “opt-in”
– No single opt-out setting
– No ability to control which people can see check-in
– Can “check-in” friends without permission
– Available to Facebook partners and phone apps
Page 6 ©2010-2011 280 Group LLC
- 7. Facebook Policy Causes Privacy
Threats
• “Your Privacy Isn’t So Private” – San Jose
Mercury-News, Tech Files column, May 3,
2010
– Facebook is “cavalier” with privacy of its users
– “Alarm bells went off in my head over the privacy
issues”
– “Astonishing how much information Facebook now
considers ‘public’ and is sharing with its marketing
partners”
Page 7 ©2010-2011 280 Group LLC
- 8. Google and Facebook “Blurring
the Line”
• “A Blurring Line: Private and Public” – NY
Times, Bits column, March 15, 2010
– Google Buzz service “complete disaster” by
linking email accounts to status updates on social
networks
– Facebook makes members information public by
default
– Issue is “broader muddying of the line between
what is private and what is public online.”
Page 8 ©2010-2011 280 Group LLC
- 9. Corporate Indifference:
Uploaded Photos Reveal Subject
Location
• “Geotags” in uploaded photos
identify exact location
• Children, friends, houses,
expensive cars, etc.
• Website APIs make it easy
for criminals and stalkers to
locate on Google Maps
– “Cyber-casing”
• Users “compromising their privacy, if not their safety”
• Illegal under copyright law to strip out all “metadata”
• Smartphones and websites need better user controls
Page 9 ©2010-2011 280 Group LLC
- 10. Tone Deaf: Eric Schmidt calls for Young
Adult “Witness Protection Program”
• “[Schmidt ]predicts, apparently seriously, that every
young person one day will be entitled automatically to
change his or her name on reaching adulthood in
order to disown youthful hijinks stored on their
friends' social media sites.”
• Technical solution to
important policy
issue?
• Doesn’t Google have
any responsibility
here?
Page 10 ©2010-2011 280 Group LLC
- 11. Apple’s Very Different User
Privacy Policy
• Steve Jobs on user privacy:
– “ … different view … than some of our colleagues
in the Valley. We take privacy very seriously.”
– “Privacy means people know what they’re signing
up for. In plain English. … repeatedly”
– “Let them know precisely what you’re going to do
with their data.”
– Wall Street Journal, Technology, Kara Swisher and Walt
Mossberg, June 7, 2010, p. R3.
Page 11 ©2010-2011 280 Group LLC
- 12. Threats to Online User Privacy
Poor Operations and Programming
Practices
Page 12 ©2010-2011 280 Group LLC
- 13. The Not-Private Blog
• The “niece’s blog”
– The aunt periodically did Google search on nieces
and nephews to keep up with their activities
– College freshman niece wrote one blog for parents
and relatives
– Wrote second blog for just for friends
• Password protected
• Drugs, sex, wild parties, disparaging comments on family
• Google found it with normal “spidering”
Page 13 ©2010-2011 280 Group LLC
- 14. Credit Card Numbers Revealed
• Web site Blippy.com revealed credit card numbers
Page 14 ©2010-2011 280 Group LLC
- 15. Credit Card Numbers Revealed
• Not enough
testing
– http://techie-
buzz.com/tech-
news/credit-
card-numbers-
of-blippy-users-
show-up-on-
google.html
(April 23, 2010)
Page 15 ©2010-2011 280 Group LLC
- 16. Not So Private Chats on
Facebook
• Insufficient
testing or poor
configuration
revealed private
chats on
Facebook
Page 16 ©2010-2011 280 Group LLC
- 17. Poor Operations Practices
Reveals iPad phone and email info
• AT&T website
exposed phone IDs
email addresses of
114,000 iPad
owners
– dozens of CEOs,
military officials,
and top politicians
– FBI investigating
– Wall Street Journal,
June 11, 2010
Page 17 ©2010-2011 280 Group LLC
- 18. Poorly Protected Website Infected
with “Drive-By” Malware
• Hackers
successfully
penetrate well-
known site
– Plant “Drive-by
downloads” on
poorly protected
sites
• safeweb.norton.
com/buzz
Page 18 ©2010-2011 280 Group LLC
- 20. “Forget Email... Social's the New
Spam Vector”
• “… this shift in spammer strategy from email to
social networking sites tracks perfectly with users'
online behavior”
• “spammers are counting on … our collective
naïveté.”
Page 20 ©2010-2011 280 Group LLC
- 24. Zuckerberg Public Letter Really
Targets Federal Government
• Zuckerberg letter to blogger and
Op-Ed piece in Wash. Post, May 24, 2010 --
http://www.washingtonpost.com/wp-
dyn/content/article/2010/05/23/AR2010052303828.html
– “There needs to be a simpler way to control your
information," he wrote. "In the coming weeks, we will
add privacy controls that are much simpler to use. We
will also give you an easy way to turn off all third-party
services.”
– First response to “furor over Facebook's user privacy
moves that left the site with a public relations problem
and fighting to defend its reputation.”
Page 24 ©2010-2011 280 Group LLC
- 25. Analysts Say Facebook May Need
User Approvals
• “Facebook Seeps Onto Other Web Sites,” -
NY Times, April 19, 2010
– Analysts say Facebook’s desire to spread its
tentacles across the Web could run into privacy
hurdles, as it will require the company to share
increasing amounts of personal information about
its users with other sites.
– “They are going to have to secure more
consumers’ approval for data-sharing,” said Augie
Ray, analyst at Forrester Research.
Page 25 ©2010-2011 280 Group LLC
- 26. Damage to Facebook Brand
• Why Facebook’s “private” messages are a joke,
Jesse Stanchak on May 6, 2010,
http://smartblogs.com/socialmedia/2010/05/06/why-facebooks-
private-messages-are-a-joke/
• ACLU Weighs in on Facebook’s Privacy Issues,
Rex Gradeless, May 13, 2010,
http://socialmedialawstudent.com/featured/aclu-weighs-in-on-
facebooks-privacy-issues/
• 6 Alternatives to Facebook, Itamar Kestenbaum,
May 20, 2010,
http://www.socialmediatoday.com/SMC/199443
… and many, many more …
Page 26 ©2010-2011 280 Group LLC
- 27. Pervasive Mistrust of Website
Intentions
• Increased Privacy Concerns – “Tell-All
Generation Keeps Some Things Offline,” –
NY Times, May 9, 2010
– “Mistrust of the intentions of social sites appears to
be pervasive … telephone survey found 88
percent of 18- to 24-year olds said there should be
a law … to delete stored information [on social
media websites.]
– “Two weeks ago, Senator Charles Schumer …
petitioned the Federal Trade Commission to
review privacy policies of social networks.”
Page 27 ©2010-2011 280 Group LLC
- 28. Brand Damage: Poor Customer
Sat with Social Media websites
• ForeSee Results, Annual E-Business Report for the
American Customer Satisfaction Index (ACSI), July
20, 2010 – http://www.foreseeresults.com/research-white-
papers/ACSI-e-business-report-2010.shtml
• “…interviews with approx. 70,000 customers …to
measure satisfaction with more than 200 companies
in 44 industries and 10 economic sectors”
• Key finding: “Social Media: Customer satisfaction
with social media sites is poor (70) … lowest industry
aggregate score of any of the e-business or e-retail
industries.”
– Better than only airlines and subscription TV (66)
Page 28 ©2010-2011 280 Group LLC
- 29. Backlash Over Un-Deletable
Cookies
“Cookies' Cause Bitter Backlash” -- Wall
Street Journal, September 19,2010,
http://online.wsj.com/article_email/SB10001424052748704416904575502261335698370-
lMyQjAxMTAwMDIwMDEyNDAyWj.html
• Companies now using “Flash cookies” that can “re-
spawn” after being deleted by user
• Six lawsuits filed since July
• "There are some in the industry who do not believe
that users should be able to block tracking…," Chris
Hoofnagle, director, Berkeley Center for Law & Technology's
information-privacy programs
• Two bills introduced into Congress
• Federal Trade Commission expected to issue new
guidelines by December.
Page 29 ©2010-2011 280 Group LLC
- 30. Consumers Reports Takes Notice
• June, 2010 Magazine
– Two out of three online U.S. households use social networks
such as Facebook and MySpace, nearly twice as many as a
year ago.
– But “millions … put themselves and their families at risk by
exposing very sensitive personal information,” … national
survey of 2,000 online households conducted in January.
• March 23, 2011 email on “Zombie cookies”
– Describes privacy threat from cookies “are bits of code
placed on your computer by companies that track you
while you're on the Internet — they come back even
after you have carefully deleted them. And that's not
illegal.”
– Invites reader to sign online petition
Page 30 ©2010-2011 280 Group LLC
- 31. ACLU Cites “Social Insecurity”
"We're just at the beginning (italics added for
emphasis) of seeing what the implications are for so
much information being posted on social networks,"
Nicole Ozer, the technology and civil liberties policy
director .. ACLU, N Cal.
Page 31 ©2010-2011 280 Group LLC
- 32. “Do Not Track” Option in FireFox
4 Browser
• Released March 23
• Builds on “Privacy
Mode” in FireFox,
Internet Explorer
• Depends on website
voluntary compliance
Page 32 ©2010-2011 280 Group LLC
- 34. Twitter Settles Federal Trade
Commission Charges (June, 2010)
• FTC charged Twitter deceived consumers and put
privacy at risk
• First case by FTC
against social
media site
• Complaint charged
poor security allowed
hackers to gain admin control, send phony tweets
• Twitter barred for 20 years from misleading consumers
about security, privacy, confidentiality, also must create
comprehensive security program, with outside auditing
Page 34 ©2010-2011 280 Group LLC
- 35. Google Settles with FTC Over
Buzz (March, 2011)
• US Federal Trade Commission
charged Google with violations of • Late breaking news!
own privacy policy, with Buzz social
social network service
– Gmail account info used without
user OK
• FTC requires Google to get user OK
before sharing info
• 20 years of audits, fines
• “… legal order … further than
voluntary commitment,” – deputy dir,
FTC Bureau of Consumer Protection
– First such action
– “broad consequences” expected
Page 35 ©2010-2011 280 Group LLC
- 36. Online Privacy Becoming
Financial Services Industry Issue
• “View from Inside the Beltway”
– The WSJ runs a series of exposés on Internet tracking and consumer
profiling to enhance ad placement (July 2010)
– The Department of Commerce Internet Policy Task Force issues an 80-
page “policy framework” (December 2010)
– A McKinsey study shows that consumers reap a net annual benefit of $130
billion from free web-based services (paid for by advertising) (January 2011)
– Congressman Jackie Speier introduces “do-not-track” legislation (February
2011)
– McCain, Kerry circulate “online privacy bill of rights” (March 2011)
– SVB Online Seminar, Are You Tracking This? The Feds are Moving on
Internet Privacy, March 17th, 2011
Page 36 ©2010-2011 280 Group LLC
- 37. Is This the Future?
Page 37 ©2010-2011 280 Group LLC
- 38. A Legal Precedent for User
Privacy Legislation
• State privacy laws - California SB 1386
– Effective July 1, 2003
– Requires an agency, person or business that
conducts business in California …to disclose any
breach of security (to any resident).
– Similar laws now in force in 46 states in US
• What would be the impact if these laws were
extended to general privacy issues?
Page 38 ©2010-2011 280 Group LLC
- 40. Strategic Issues for PMs
• Is your company’s business model at risk from
increased government regulation?
– … in the US?
– … in privacy-focused European Union countries?
• How would government-mandated user privacy
protections affect your competitive position?
– Who benefits? Who loses? Your company? The
competition?
• Major user privacy incident?
• How do you exercise leadership in your
company?
Page 40 ©2010-2011 280 Group LLC
- 41. Define Market Requirements
• Well-researched Market Requirements
should cover both stated and unstated
(latent) needs
– Protect your company’s brand and revenue
– Perhaps protect your career
• Privacy/Security requirements not called out
because they are “universally understood” or
perhaps not understood
Page 41 ©2010-2011 280 Group LLC
- 42. Who Understands Privacy
(Security) Issues?
• Almost all end users (business, consumer) do
not begin to understand privacy issues
• Most Line of Business owners prioritize time-
to-market, or won’t invest in effective security
• Many software developers do not know how
to write secure code
• IT often deploys insecure websites and
networks
• Most product managers don’t know security
Page 42 ©2010-2011 280 Group LLC
- 43. Define Market Requirements
• Privacy Policy
– User privacy respected by web site owner
company and third parties, including advertisers
– User data protected from unauthorized access by
individuals and companies
– Simplify data sharing options and default to NONE
• User Education
– Educate about managing their data
– Educate about privacy implications of sharing data
– Provide effective and timely advice and warnings
about social engineering attacks
– Get effective help if they suspect security issue
Page 43 ©2010-2011 280 Group LLC
- 44. Influence Company Policies
• Programing, Administration and Operations
– Test all changes to prevent exposure of user data
– Ensure that user posted content is safe
– Detect and remove malware planted by hackers
– Work with security vendors on emerging threats
– Notify users proactively of security breaches, even
if not required by law
– Include partners in security programs
– Maintain ongoing programs and provide sufficient
resources, including outside help
Page 44 ©2010-2011 280 Group LLC
- 46. Takeaway Ideas
• You must understand the business
consequences of poor user privacy
– It’s only your company’s business model and
maybe your career
• As the product champion, you must articulate
the issues, document the requirements, and
influence overall policies in your company
• You do not have to be security expert
Page 46 ©2010-2011 280 Group LLC
- 47. Closure
• Questions?
• Contact me later
– phil@280group.com
– (650) 766 9970
– http://tungle.me/philburton to set up an
appointment
Page 47 ©2010-2011 280 Group LLC