In this Industry Buzz podcast, the UCStrategies experts discuss privacy and security issues in unified communications, including specific concerns about presence.
Transcript for Emerging Privacy Concerns in UC
Michael Finneran: Good afternoon, this is Michael Finneran, I am here with the UCStrategies experts for our weekly podcast, and today we are going to talk about some of the emerging privacy concerns in UC. Now as many of you know I track in mobility space and what got me thinking about this was a blowup we had over the past week from an application called Carrier IQ. Now the details on this are still emerging but a security researcher named Trevor Eckhart discovered this application on his HTC Android phone, loaded there by the carrier and did a nifty demonstration on web video that went viral. First, what Mr. Eckhart demonstrated was that it was impossible to turn the application off. Now the carrier claims this was put there ostensibly to allow them to monitor network performance. But what Mr. Eckhart found was the application recognized virtually every key stroke which meant could see every SMS message, and every website visited. Well initially the provider, Carrier IQ, demanded that he recant, but the EFF backed him, and now carrier IQ is on the defensive. As you might imagine lawsuits are starting to pour in against Carrier IQ, Apple, HCC, Samsung, so this one is just getting started.
Now while not entirely involved with mobility, we do have some of the same unexamined privacy issues around UC, particularly I find surrounding presence. Now today some of the vendors like ShoreTel and Mitel actually allow your presence status to be changed automatically based on location information in your phone. Now certainly we have seen some of this in the consumer market where you can allow your location to be broadcast from Facebook; foursquare has built an entire business on this. But the question I have for the UCStrategies experts today are one, are the users starting to raise flags about this? Second, and this one intrigues me, do we see different views regarding privacy from younger versus older users? But particularly what we look to get at the end of this is, what should our UC systems do to protect or at lease control the privacy of information about users?
Now a few of our UCStrategies experts have decided to weigh in on this and first I would like to go to Don Van Doren who would like to examine the overall issue of presence and privacy.
Don Van Doren (2:24): Thanks Michael, yeah I think of course, as we all know presence is going to be a critical component of all kinds of new communications and collaboration solutions. However, I think privacy and presence are clearly on a collision course. You mentioned location information, Michael; I think that is just an example where today’s technology – where it could be a situation where you could release some personal location information in a way that could be problematic.
I see a couple of big issues here. First of all, I think it is true that today’s presence information from most of the suppliers is pretty vague. In many implementations it’s just general things like, “I am busy,” or “I am away,” or “I am available;” pretty generic kinds of presence information. But as vendors work to make this more accurate and more automated, privacy concerns are going to become even more complex. The problem is, frankly, that these vague, general presence indicators really aren’t very satisfactory when we are talking about some of the ways that we are envisioning presence to be used in a highly collaborative workgroup environment, for example where you are going to want much more detailed kinds of information. So the need from a business standpoint to have better presence data is going to run smack into the issue of potential issues with privacy.
The second big issue I think is that it is one thing to control presence information within one company, but where presence is going to be really helpful in the future, I believe, is when we really get to federate with other systems and with partners and suppliers. Even customers potentially will have access to presence of people in other organizations. Then there are much greater collaboration capability opportunities, which are going to be very important, but at the same time, the privacy challenge also is magnified.
So I think part of the issue, of course, is how do we set new capabilities for setting policies, that is, either ways for individuals who can control who sees what of their presence, or maybe in some cases administration systems within an organization that set policies in various ways. In general, I think these capabilities have been pretty slow in coming on, but there are some good innovations that are on their way. Microsoft is doing some things and I think Kevin is going to be speaking about that in a minute. IBM similarly has created different privacy lists with different individuals. You can set up one perhaps even for your team that will show you available even if you have your status set to do not disturb. So a lot of interesting things that are coming onto the horizon in terms of the way this is going, and as I mentioned, Microsoft has got some very innovative ideas in this way, too. But I think another part of the answer is really establishing good policies within the company, and within the architectural design of the systems you are implementing. Especially as we inner connect and we federate, it is going to be key to be able to do this in a way that you don’t just have some open door to any federation. My presence should not inadvertently show up on some public information source out of my company’s presence system for example. So I think we are really getting to a place where companies need to start looking at these policies and put in place systems and make sure their systems are designed with the appropriate safeguards.
Michael Finneran: That you Don, and I think you are dead right that we are on a collision course between presence and privacy. One of our newer UCStrategies experts, Kevin Kieller, has some insights particularly on the capabilities in Lync and the privacy controls that it can provide. Kevin?
Kevin Kieller (6:15): Thanks, Michael. I think from the Carrier IQ perspective for me it was really about the nondisclosure by both the carriers and Carrier IQ of the information that was potentially being shared. I think while not perhaps the ultimate example, certainly Microsoft with Microsoft Lync has done a good job of both allowing organizations at the organizational level to decide on what other organizations they federate with. Then beyond that at the individual level with the new Microsoft Lync client, the individual has strong control over what information gets shared and then Microsoft has done a fairly good job of being clear in terms of what exact information is being shared. So for example, in the Lync client where you can set your location, you can also choose right there on the main screen, whether you would like your location to be shared with your other contacts. Then in terms of each contact that you set up, you are able to just simply right click on a contact and choose the change privacy relationship.
Then what Microsoft has done is they have grouped different types of contacts – friends and family, where you would share the most information – and it very clearly shows the information that it would share, for example, your calendar information, your home phone number, workgroup, colleagues, external contacts and then blocked contacts. So for instance when I use Lync, I choose not to share all information in terms of my calendar information and when I will next be available or what meeting I am in with external contacts. But for example with people in my workgroup, not only do I share that calendar information so that they can for instance see right now I am on a call, but they can see that I am going to be available in 45 minutes. They also have the capability then to be able to break in if I am on Do Not Disturb status and bother me anyway if it is important. But where I think once again Lync is a good example of being explicit in terms of the specific information that is being shared so I am in control of that and I know that and also making it very easy for a user such as myself to be able to change that.
So I think that moving forward as there is more presence information, as there is more detailed information, I think we are going to have to have vendors step up and make both the user aware of the information and then they are going to have to obviously abide by those settings accurately, so Michael, back to you.
Michael Finneran: Thank you Kevin, I know our Dave Michels has some ideas about some of the new challenges we are going to see on this front with the advent of computerization, Dave.
Dave Michels (9:06): Thanks Michael, the issues of presence and calendar those are interesting issues but I do not think that is the big issue here. I think the big issue is much more around the amount of data that can easily be collected on individual and corporate behavior. This is completely new and unlike anything we have seen before in the past. Carrier IQ is the latest version, earlier we had the iPhone was uploading information, geographic information, tracking information. Before that, we realized that the cell phone cameras were putting in geographic information on every picture that we didn’t realize. There is just this common thread that we are giving out more information than we realize or intend to, and how this information can get used or used against us.
There are really three big things coming together, there is the actual ease of the information tracking. I mean our web cookies, our smart phones, Carrier IQ, Facebook, Google are examples of just the extraordinary amount of information. Our carriers, our ISP's, our cell phone carriers, have an extraordinary amount of information that they can collect upon individual users, and that is the first point.
The second point is there is really very little legislation around consumer protection around this information. We are used to consumer protection laws, we are used to being protected fairly well, and we are used to liability laws protecting us fairly well. You buy a baseball ticket or a ski lift ticket, it says everything is your fault but you know that there are some basic assurances that are in place by law around negligence and liabilities that protect the consumer. But these things aren’t in place under this “individual information.” We have laws that the federal government cannot wire tap or spy on its citizens, but they are perfectly allowed to buy this information from Google or Facebook and they are doing this type of stuff.
The third point is the amount of terms of services or the license agreements that we now have to accept and the way we grant permission without really realizing it. You used to just go buy a CD, for example, when you wanted music. Now when you buy music on iTunes, it is a seven-page contract that you are agreeing to; it has all kinds of provisions in it that people don’t read or understand and when you combine that with the lack of maturity in the laws, there are some real opportunities for abuse that are being created. There was a lot of recent discussion around dictionary.com, a popular website that is very clear in their terms of service that they keep tracking information. Most people that use dictionary.com don’t realize that it is installing 200 tracking cookies in your browser. That is pretty significant. They say hey, we are perfectly open about it, and they are right. So it is really creating a very disturbing picture around security and privacy. I was in Chicago over the summer and I saw Second City – they did a brilliant skit where a TSA Agent was watching people going through the nudie scanners. Then he came out and said you know, I do not need to look through the nudie scanners, I know everything about people and he started picking random people out of the audience and rattling off all these detailed facts about them. Their time in the 10K race, their battle with the school board, all these things you know, how is this person doing that? He said, “well, you bought your tickets online and I googled you before the show. I do not need a scanner to figure out who you are...”
But the problem is sometimes they get it wrong. Sometimes Google gets things wrong. I just sold a pair of skis on eBay, and I checked on Google the price of the skis. Google interpreted that as I am shopping for skis and gave me ski ads for the next two weeks. I was never a ski prospect, I was never buying skis but they get things wrong all the time, is the fear, so if I go Google fertilizer or something like that, is that going to prevent me from getting on a plane sometime? ...you know, you are obviously Googling explosives – that is the concern or the threat.
Then you bring this back to consumerization, these free cell phone apps that we are installing on our phones, they have the same type of thing as dictionary.com. They can tap into your contacts, they can tap into your email, and they often disclose exactly what they are tracking, your location... It’s not clear why they need all this information, but most people want the free game or the pretty app and they go ahead and accept it and they are compromising corporate security.
One of the first examples I saw of this was Google desktop years ago, allowed you to index your entire Outlook file, all your calendar, your email, and it was all stored in Google and made it very easy to search. A great benefit, but of course, that put all that corporate information into the cloud, which probably IT was not very happy about. All kinds of issues are popping up with this type of violation of security. We really have to look at computerization carefully as we put corporate IT and corporate secrets onto consumer devices. We have to take some responsibility about what these consumer devices can report and who they are reporting to, and that is a whole new set of requirements that most people aren’t equipped to deal with or desire to deal with. Back to you, Michael.
Michael Finneran: Thank you Dave, so it is perfectly open but buried in a seven-page contract. I know that Nancy Jamison has a bone to pick with full disclosure as well, particularly with regard to the realities of a busy life and how much of that stuff you can wade through. Nancy?
Nancy Jamison (14:39): It is interesting listening to everybody else and some of it is disturbing, Michael. You are right, legislation takes forever and it is very disturbing and I was going to talk about something else but you brought something to mind in that in my own job, I track speech technologies and I just loaded Dragon Dictate onto my system. And I work with Nuance... One of the things it asks for is if you are going to train Dragon, it can learn over time and get better with the samples that you are giving it while you are working with it. But then they ask if you would be willing to download what you just did in order to improve their system, too, and I am sitting here thinking no, I do not want all my stuff especially from what I do, even if they declare it secret to be used. So it hits across all sorts of stuff, and I like what Don said, privacy and presence is on a collision course.
One of the things that concerns me, talking about a busy life is that we are too busy. So things like Facebook when they changed the security and they changed the privacy and you don’t have the time to go back and figure it out. I mean how many times have you gone into Facebook and someone says “hey, if you want to make sure that this is not used then click here, do this, do this, do this, and then put this in your status feed so that your friends will know to do the same thing.” It takes too much time, it is too difficult and if you aren’t there when that status shows up, you just don’t see it. So the comments that Kevin made about Lync I think were spot on. It should be on the screen, it should be right there, it should be simple. We are too busy, we skip over things, we don’t read the seven pages before we download music and there should be some sort of corporate ethical responsibility in order to protect our privacy and make it simple for us to know what we are getting into, brain-dead simple, to make sure that we are not exposed. I had no idea that dictionary.com put 200 cookies into my ...whatever. So those are my concerns. It should be full disclosure, it should be simple, there is probably a cottage industry that we could brew up that we could deal with all of these multiple things that we just talked about to make sure that consumers and business people are protected.
Michael Finneran: Thank you, Nancy. Steve Leaden?
Steve Leaden (17:07): From my perspective, and our consulting practice, I can tell you that very employer has the right to know about employee activity, because they are ultimately accountable for their actions. Currently every employer has the right to review e-mails for example, voice mails, documents, anything really generated on the employer’s time, because that’s part of the compensation.
So as we are evolving – we are in the evolving stages of UC – standards across the industry have yet to take shape for monitoring and tracking of staff with tools such as we are discussing today.
Let me use call recording as an example – call recording in the call center, and really where it’s likely to go, is typically used as a monitoring tool for monitoring customer service representatives. And most, as they enter the workforce, have to sign off on a paper that lets them know that they are being recorded and that will be monitored for quality assurance purposes by supervisor without their knowledge and they really must give their consent. Similarly we see this kind of evolvement happening also in the UC and presence factors of the industry.
In our consulting practice and in client engagements we have identified tools such as for example Google Latitude and RFID badges that are used in healthcare to identify and track not only where specific devices are, but individuals attached to those devices in buildings and in general areas. So depending upon what company and geographic area of the country, union approval may be needed, especially, for example, we’re out of the metro New York area, and we definitely have to look into that as part of our client engagement.
So, what the enterprise management decides to do for leveraging presence and other tools, they really need to get buy in and provide employees at least with the awareness that these tools will be used periodically for tracking and logistics purposes.
So we on the UCStrategies team and as UC experts – we really highly encourage this component to be included in an overall UC rollout at the enterprise level. And it really should be used as part of a strategy as part of your UC deployment.
Michael Finneran (19:07): When I originally proposed this topic I had no idea how many different sides would show up. But the experts have turned up some important ideas. One to start is to recognize the issues and the realities, and full disclosure has to be a part of the picture, and of course develop policies and ensure that that corporate information is protected. So I guess we do not want to federate with Facebook, but clearly this is a moving target and as time goes on we will have to modify those policies in light of new capabilities as these products continuer to improve.
In closing I would like to thank you all for listening, give you a little reminder that the UCStrategies podcasts are now available on iTunes. So if you can search under UCStrategies, any of our back podcasts are now available for download. So I would like to thank all of my UCStrategies colleagues for participating, this is a great chat this afternoon, and thank you all for taking the time to listen.