It’s more than privacy policy and security policies
Blogger: Gerry Gebel
Over at the Privacy Law blog, I found a post about the troubles Life is good finds itself in because it “collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies.” This incident reminds me of what I've said about web site privacy policies for a long time. Typical privacy policies have two sections: the first section expresses the internet property's sincere concern for the handling of your personal data and shares at least some of its intended uses of that data. The second part of the policy then goes on to say exactly how the internet property is going to violate your privacy by evaluating traffic patterns, sharing data with partners, etc.
Of course, as long as we insist on overloading simple e-commerce transactions with personal data, then bad things will happen. No amount of encryption or other security practices can provide the internet property with 100% assurance that the sensitive data it is now custodian for will never be abused or fall into the wrong hands. A regular litany of data spills reminds us of the increased risk a merchant takes on when it must manage excess personal data. The data model currently used for e-commerce (and even in bricks and mortar sites) is straining under pressure from all sides. Visa and others behind the PCI standard are enforcing higher fines for non-compliance, as noted by Mark Mac Auly. The National Retail Federation, an industry organization, pushed back in an open letter to Visa and MasterCard. In dispute are the rules of what credit card data elements should be stored and for how long, among other issues. One of the primary purposes for storing credit card and customer data is to settle potential transaction disputes. The situation illustrates the tension between credit card companies, banks, and merchants regarding the collection, use, and archiving of transaction data.
My colleague, Bob Blakley, has blogged here about the identity oracle concept - a potential ingredient to a solution for today's personal data collection maladies. He also commented on the Life is good incident here. Bob's emphasis on the importance of intermediaries and agents for transactions makes a lot of sense. Consumers register with trusted agents, whose business depends on the protection of sensitive and private information. Retailers benefit if they can rely on intermediaries to reduce transaction risk - the retailer only receives payment approval codes, for example, instead of the credit card number, expiration date, CVV code, etc. The equation works if the cost of the intermediary services is less than what the merchant could lose as a result of a data spill plus the cost spent in implementing security controls. Sounds like there is a business model in there somewhere.
Getting back to my earlier point - it's not the privacy policy that is at issue. It's the data collection policy that must be examined - especially as it relates to transaction metadata. Now is the time to think about new data models that are better suited to 21st century commerce.