Have you noticed what I just noticed? When I search the Internet for a certain pair of running sneakers, ads for various sneakers and running apparel begin appearing on subsequent web pages long after my attention has turned to some other topic. Thanks to cookies and history-stealing techniques, data mining companies and Internet retailers know a bit more about me. Their ads follow me around the Internet, showing me sneaker options in banners and other ads, urging me to make a purchase.
You've probably already noticed this Internet advertising trend. It is hard to miss if you search the web, and news of Internet marketing businesses such as Groupon and Living Social regularly graces the business headlines. Over the past year, The Wall Street Journal published a series on Internet privacy called What They Know. The latest article revealed how certain websites use secret "supercookies" to learn even more about site visitors. Supercookies can mine your browser's history, providing marketers a view into your Internet surfing practices.
Facebook, criticized for its lack of privacy features, revamped its service to allow customers more control over how public to make postings, photos, and other content. Recently, Google launched Google+, its new social networking service, with a feature called Circles. This feature gives customers the ability to group their friends and others into circles (such as friends, parents, colleagues, teams, and classes), and then control what posts each circle can view.
My own reflections about Internet privacy shifted gears at the end of July when I attended the 2011 EDUCAUSE Institute on Computer Policy and Law in Ithaca, New York. My main goal was to develop a broader understanding of privacy and to think about how privacy tied to alternate IT sourcing. Over the four-day program, I came to see at least three distinct areas of privacy. I also found privacy at the core of the discussions around delivering IT services.
Dan Solove, law professor at George Washington University and internationally recognized expert in privacy law, delivered the keynote address. In it, he described a few case studies concerning the loss of personal privacy on the Internet. A post — seemingly innocent and harmless — went viral and took on a life of its own. The original poster lost control of the material and its veracity. This area of privacy gives credence to Scott McNealy's infamous proclamation about consumer privacy: "You have zero privacy anyway. Get over it."
Is there a role for higher education in helping its members consider the privacy implications of lives lived in the digital world?
Legally Required Privacy
Across the four-day institute, participants also discussed laws that govern privacy in higher education. Institutions must protect certain information about students and employees; they must also know the information's location and how it is protected. Here, information technology can help locate and verify (or employ) the proper security settings for electronic information that requires special protections.
Federal regulations spell out specific types of information that must remain private. For example, an institution must ensure that student information protections meet Family Educational Rights and Privacy Act (FERPA) requirements. Additionally, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the International Traffic in Arms Regulations (ITAR) each contribute additional data protection requirements.
Netscape cofounder Marc Andreessen, in the essay "Why Software Is Eating the World," observed: "Over two billion people now use the broadband Internet, up from perhaps 50 million a decade ago, when I was at Netscape, the company I cofounded. In the next 10 years, I expect at least five billion people worldwide to own smartphones, giving every individual with such a phone instant access to the full power of the Internet, every moment of every day."
Andreessen's statement about so many of us having "instant access to the full power of the Internet" suggests a third area of privacy. Given the many personal mobile devices accessing data, an institution could define certain information, such as unpublished research results or certain pieces of typically "public" directory information, as private or confidential.
Today, many students, faculty, and staff share parts or all of their personal and professional lives via social media tools. It is difficult for an institution to control potentially sensitive information in the current environment of instant news, crowdsourcing, and personal mobile devices. With the tap of a few buttons, anyone can post a photo, a video, or an opinion to a favorite social site. In this age of instant Internet access, this institutional privacy will prove extremely difficult to protect.
IT and Information Privacy
Given the many types of privacy of concern to institutions, what is the IT organization's role in information privacy? I say that it's one of partnerships with individuals as well as with departments and offices across the campus. For privacy, the institution must determine what information requires protection, either legally or because of the institution's specific requirements. Who sets those institutional requirements depends on the institution's governance structure. Where the information assets are electronic, IT can assist in finding and securing the data. IT can also participate in training and education programs specific to protecting electronic information and digital identities. However, institutional privacy, like individual privacy, encompasses more than electronic information and IT. In the privacy discussion, an IT organization is also a stakeholder like other offices on campus.
Privacy and Alternate IT Sourcing
Many private and public colleges and universities are conducting privacy assessments as a first step to identify what information must be confidential and protected. Solove has published a helpful document suggesting nine key areas for a privacy assessment: privacy program; data security; data management; websites; searches and surveillance; speech and expression; privacy of students; privacy of employees; and privacy of others.
How does privacy tie to alternate IT sourcing? An institution's privacy policies and its definition of confidential information form the basis for evaluating the information security of an IT service, no matter how it's delivered. If sensitive data are in the mix, the contract or service agreement must address data ownership, how the service will store and protect data, and data retention and disposal. Federal and state law stipulates requirements for keeping certain information private. If an institution has yet to explicitly define what other information is private, then doing so is a key step toward a thorough evaluation of new models for sourcing an IT service.
Is your institution conducting a privacy assessment? Does your IT organization have a role in it? Do you think it will help your alternate IT sourcing efforts? Join the conversation and let me know.
© 2011 Donna Tatro. The text of this article is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 license.