Privacy and Social Business

Sometimes a blog post pulls you up short. Ben Goldacre, respected journalist and a personal hero, recently made this blog post: What does the Sienna Miller / Virgin story tell us about data security?

Someone at Virgin Airlines has been selling information on the movements of celebrities to a paparazzi agency, allowing them to stalk people:

This illustrates one very important point about large databases:

When you give people poorly restricted, poorly audited access to an entire database full of information, you allow them to realise the full financial value of that data, for any of its imaginable uses. 

This is often poorly recognised by the people running databases in large organisations (the suits rather than the dorks) and it has important real world implications that go way beyond one airline: think banks, hospitals, tax offices, and so on. 

The sensible thing to do, of course, is (1) constrain access wherever possible, and (2) run audits of who has accessed records, to see if they had any need to for their job, and so on. But more than that, if you run a database, for any purpose, you should always be thinking: what value might this data, have outside of the purpose for which it was intended?

This from some who is not only an advocate of open data, but also a great example of what can be done with data when you have access to it.

It jarred in particular because, as a Social Business evangelist, I’ve been arguing strongly in favour of transparency within organisations. Any information that does not need to be private, should be available to all employees – to enable innovation, better customer service, and generally help them to do their job more effectively. So how does this gel with Ben’s comments? And what are the broader implications of the need for privacy on social media?

A few weeks ago, I was delivering a Social Business workshop to a customer who had invited a few of their graduate intake to participate and provide input. During the meeting I was very struck by the different attitudes they expressed about use of Facebook. One viewpoint was a clear separation of “work and private life” which manifested itself as only friending real, intimate friends on Facebook and using other platforms for any form of business networking. Another was a more open attitude that sharing everything you do as it is “the modern way” and if you are open, honest and responsible in all your activities, then you have little to hide (or fear). [If the actual participants in the workshop are reading this, then please excuse me for simplifying and extending your positions to make a point – nothing is ever really that clear cut!]

I have commented before on a personal belief that intermediating organisations’ interactions with individuals is a part of the future Facebook business model. So a separation of “Work” from “Facebook” creates difficulties when one’s job role involves interacting on Facebook, since current Facebook terms of use emphasise using your real name and require that “You will not create more than one personal profile.

There is another conversation I often seem to be having about Facebook. Many people who reject the service, or use it in mostly read mode, are driven by a fear of “making everything they do public”. Even when challenged that, actually, they are only publishing things to a set of friends they have selected, they have an instinctive distrust and assumption that Facebook will just sell what they contribute to anyone they want to. What I rarely find is anyone who has actually read Facebook’s Privacy Policy, or who understands the tools Facebook provides to control who gets access to which pieces of information that you are sharing.

Now in practice, I don’t expect that everyone will read (and make the significant effort to really understand) the terms and privacy statements of every public web site they use. Of course they should, but they won’t – any more than they read the terms & conditions on their mobile phone contract to understand under what conditions their mobile phone operator will share their location and the legal regulations associated with the government’s, and other organisation’s, rights to access their call history. Even if they did, it is scarcely practical to understand the same information about every operator you roam to when travelling internationally.

Instead, there is a cultural acceptance that mobile phone companies are appropriately regulated, that their behaviour is impacted by the understanding of the effect that adverse customer reactions, and that bad publicity can have in their ability to retain customers. The same cultural maturity does not exist for social networks (yet) and so the accepted norms of their behaviour have not emerged. In their absence, different people make different assumptions (if they think about the problem at all).

Of course, even when conventions have been established, there will be mistakes, criminal activities and other circumstances that contravene these expectations – but a mature ecosystem can react responsibly to those situations and retain customer loyalty (always remembering that such services will also be delivering significant value that users are reluctant to give up unnecessarily).

Similar issue exists with the tools that exist in Facebook to allow users to control access to their content. As the capabilities become more sophisticated, most users understanding of them inevitably lags (not helped by Facebook’s evolutionary approach to adding and evolving new features, or their sometimes confusing user experience). Facebook already has the tools you need to share different content with your work colleagues, a network of business contacts, a circle of personal acquaintances, multiple intersecting groups of close friends, your family, and even the set of people you have no idea who they are but they asked to connect to you. Being able to share one piece of content with multiple sets of people has clear benefits (particularly over using multiple tools and so having to share multiple times), which is one reason why this capability is so important to Facebook in growing its usage base. It will be interesting to see how rapidly these capabilities are adopted and the uses they are put to.

But we need to accept that there is no consensus as yet on how Facebook should use the information that it is sharing on your behalf, to deliver more value to you, to generate revenue to fund the services, to help law enforcement agencies, or even for the greater good of society. That cultural consensus will emerge over time and be recognised in hindsight. In the meantime, we can only apply the general frameworks that already exist (e.g. UK Data Protection act, the European Data Protection Directive, the U.N. Declaration of Human Rights, etc.), as well as the laws of the lands in which the services are offered, and hope that regulators do not rush too hurriedly to enact laws in the area without first understanding the issues and how its citizens wish to balance the inevitable trade-offs they imply (the law of unintended consequences will apply).

Which brings me back to the enterprise Social Business question. Employment contracts, acceptable use policies, social computing guidelines, and other such company edicts and critical to the successful adoption of Social Business. Employees need to know what they are, and are not, allowed to do on internal social platforms. And how they are allowed to behave on external social networking sites in the context of being a company employee (whether or not they specifically declare their “views to be their own”). Many companies provide “PR Training” for employees talking to the press, with policies that no-one else would discuss any company business with journalists, and assumed that only senior leaders were likely to publish press articles.

Today, every employee is an ambassador of their company if they comment on business related issues online (or even personal issues when there is a business attribution in their online presence) and so every employee needs to know what behaviour the company considers acceptable and what would result in disciplinary action. It is as negligent for a company not to educate their employees on this as it is for an employee to ignore such an obligation. So effective adoption of a Social Business strategy must include the articulation of these principles and the effective communication of them to all employees.

In IBM this starts with the core values the company’s employees defined for how an IBMer should behave (during our first major internal jam, and one of the key starting points for our evolutions to be a Social Business). It continues with the business conduct guidelines we adhere to, the company’s privacy policy, and the social computing guidelines that form an adjunct to them. It should be noted that these are simply evolutionary extensions to the core employee guidelines that were already in place – not some completely new concept. Other companies will define, express and manage their policies in other ways, but embarking on a cultural transformation to become a Social Business – Engaged, Transparent and Nimble – without such a policy is risky, to say the least.

Which brings us back to Ben Goldacre’s blog post.

I would argue that there are good reasons for making customer’s travel details visible to employees – within strict guidelines about the use of this information (I will avoid the thorny question of whether a celebrity’s information should be protected any more than any other citizen, whilst acknowledging that there are differences in risk and potential uses of the information and the unique position of the airline industry around the use of aliases, which has been the traditional way celebrities would try to separate their business and private lives).

Preventing an employee from selling company information by limiting availability of the information is analogous to trying to make sure people don’t break laws by making it impossible to do so. The reality is that many different things need to be balanced in making a policy.

Limiting information about customers to a small number of people who absolutely need to know is sure to reduce a company’s ability to empower its employees to innovate, as well as their employee’s ability to collectively deliver better customer service to those same people. The correct balance between who information is available to, and monitoring how it is used in order to manage abuse, is something that should be a core part of the culture of the company and its operational & management procedures.

The right way of managing a risk is rarely to reduce it to the absolute minimum, because reducing risks almost always increases costs and prevents innovation. If risk/benefit analysis concentrates primarily on risks, then it will generate few benefits.

So I would rephrase Ben’s key points as: (1) constrain access to confidential data to those who can use it to improve business outcomes, in the context of a clear understanding of the employee’s obligations with respect to the data, and (2) monitor use of such records to identify improper use and reward employees who find innovative ways of creating business value from it.

Which reminds us that to become a successful Social Business organisations need two things…

  • A Social Business platform that lets them deliver Social Collaboration to their employees, their partners, their customers and the rest of the world, integrating with internal collaboration, knowledge management and business application platforms and with their external web site and public Social Networking services in an appropriate, controlled manner – delivering not just open knowledge sharing, but also appropriate access control and compliance monitoring tools.
  • A Social Business adoption strategy that manages a cultural change so that employees know how to use these knowledge sharing tools and the information they makes available, in an appropriate manner, articulated in a transparent way that is clear to its customers and partners, as well as its employees.

Which are the core topics that I created this Blog to discuss, and of which I will explore other aspects in coming posts.

[Note: This post is very Facebook focussed as it seems to be at the forefront of discussion in these areas, but the same issues apply to other online services like Twitter, LinkedIn, Flickr, YouTube, Pinterest, iTunes, Google, etc. Facebook also seems to be force to take a lead in terms of addressing these issues in order to evolve an acceptable economic model for financing its service, to position itself against new, innovative services, and to manage the parallel (and, inevitably, much slower) evolution of regulatory frameworks. This should not be taken to indicate that the issue is more important on Facebook than the other services – in fact, because the issues tend to be discussed more in the context of Facebook, there is probably more potential for users to fail to understand the issues with other services. It is the whole industry that is immature in this respect.]