Tag Archives: GCHQ

Snowden: Spying is “much worse in the UK than the United States”

Written for Tech City News and first published here.

Mass government surveillance is “much worse in the UK than the United States,” NSA whistleblower Ed Snowden has warned.

Speaking at Nesta’s FutureFest, Snowden said the “light oversight regime” here has seen billions of normal people’s communications routinely accessed by GCHQ. “It’s not security – it’s spying.”

He pointed to the recent rebranding of this activity, from mass surveillance to “bulk collection”, saying that: “we have to get the government to admit there’s a problem… we can’t let them redefine it.”

Snowden left his $200,000 per year job working for the US’ National Security Agency back in 2013 after he felt he “could not consciously participate in” what he saw happening.

He says officials from the UK, Canada, the United States, New Zealand and Australia were able to use a searchable database to look through communications records. “Our communications are being stolen and stored so they can be rifled through at the convenience of security agents.”

Snowden advocates end-to-end encryption but says he is “fairly conservative” on surveillance “if they [government officials] have a warrant from a court”. He said he believes the technical side will win, as it’s easier to protect communications in transit than it is to enforce legislation in every country in the world.

He pointed to Iceland’s anti-surveillance stance and said it’s likely that data centres and other services will start to locate there if they feel they cannot be protected from mass surveillance in their own countries.

Today’s “pre-criminal” activity, he said, is “an incredible departure from the liberal tradition… If we go along with the status quo then we will be living in a mass surveillance world.”

The Trillion Euro Question: Whose Data is it Anyway?

It may feel like an age since Ed Snowden made his revelations about US and UK Government spying last year, but the issue of balancing security and privacy continues largely unresolved. Now, a film documenting the NSA contractor’s first interviews with journalists, CITIZENFOUR, has hit UK cinemas, and GCHQ has a new head who says tech companies are facilitating terrorism. A perfect time to take another look at data security in the industry… (first published in the June issue of Mobile Marketing, republished here)

Guardian editor Alan Rusbridger has called indiscriminate smartphone tracking “the biggest debate of the 21st century”, while Chi Onwurah MP, former head of telecoms technology at Ofcom and now leader of Labour’s digital government review, told Mobile Marketing that “mobile is the next big security scandal waiting to happen”.

The American Civil Liberties Union (ACLU) is currently suing the US government for its role in mass surveillance, as well as advocating a Fair Data equivalent to the Fair Trade mark for companies. Speaking at an event staged by The Economist earlier in the year, Christopher Soghoian from the ACLU levelled blame at the ad execs who built the big data marketing systems now proven to be a key tool for US and UK spies. “I’m not here to tell you what you’ve done is evil,” he told the audience. “But it is.” And with the EU and US currently reconsidering data protection legislation, the landscape is set to change quite significantly.

“People’s understanding of what can be gathered from mobiles has improved quite a lot over the last few years,” says Forrester analyst Anthony Mullen. “Data security is now the number two concern for smartphone owners according to TRUSTe – second, of course, to battery life.” It’s the range of data generated by smartphones compared to desktop, he says, that has had companies rubbing their hands but consumers wringing theirs.

Even young people, often perceived as indifferent, are becoming increasingly worried. Research from youth marketing specialists Voxburner found that 67 per cent of 16-to-24 year olds consider security their number one concern when buying an internet-connected device. But Luke Mitchell, head of insight at Voxburner, says: “Yes, young people are aware of data privacy issues and are concerned about the misuse of their data, but there is also a sense of acceptance and powerlessness among them.”

“When WhatsApp was bought by Facebook it was making no serious revenue, so the purchase price indicated that the social network was buying the OTT messaging service based on the value of each user,” says McAfee’s Raj Samani. “That works out at about $40 each, compared to around $30 when it bought Instagram and $20 when Google purchased YouTube.” The value of personal data is increasing, Samani says, but the perceived value among ordinary people is actually decreasing. “We’ve actually seen people give away their personal data for chocolate.”

Put simply, Forrester’s Mullen believes that: “Privacy policies have to be written so a grandmother could understand them. Brands should not be scared of asking for lots of data, but obviously if they don’t get data handling right, that will hinder growth. Third parties basically don’t care. From the conversations I have, it’s clear they’re just not getting it. So brands have to put pressure on them. Future mobile services need to move to prediction but brands have to be clear and transparent about who they’re sharing with.”

Privacy is the new green

Aurelie Pols has been working in data analytics for a decade and sold her first startup to what is now Digitas LBi. She now works out of Spain, which has handed out 80 per cent of the EU’s total data protection fines to date, where she leads an analytics company and specialist law firm Mind Your Privacy. If data is the new oil, Pols declared during a recent webinar with CoolaData, then privacy is the new green.

“Certain industries, like advertising, have this weird sensation that giving customers choices will make them lose money,” she told Mobile Marketing. “That’s not really the case. And the industry doesn’t seem to know how to ask for consent: ‘No let’s not ask them, let’s just take the data and say nothing’.”

More so than simply not knowing how to ask for permission, Forrester’s Mullen says that those in the industry, particularly ad networks, “have their fingers in their ears”. “Ad networks are invested in capturing a lot of local data, often employing obtuse ways of finding out what consumer identities are. Marketers and vendors will just capture as much as they possibly can and work out what to do with it later. There needs to be better planning on data need and for who capturing and measuring data is going to benefit. App developers are likewise being greedy and capturing as much as they can.”

“There is an issue with third-parties in the supply chain and the obvious one is advertising where there’s a mesh of different data flows going on,” echoes Simon Rice, group manager for technology at the Information Commissioner’s Office (ICO). “When you click on a URL, so many things are going on in the background to make the decision on which ad to serve – and you can’t predict at present where that data will go.”

The ACLU’s Christopher Soghoian flagged data brokers as a potential loose cog in the big data machine, naming the likes of Acxiom, which works with everyone from Google to Microsoft to tie up in-store and digital purchasing data. “You quickly run into organisations that don’t have a brand that can be damaged. If a third-party misuses or loses data – who will be held accountable?”

Acxiom now runs a service that enables users to find out what data it holds on them (aboutthedata.com). You just have to enter a whole load of personal details to get started… Needless to say Acxiom CEO Scott Howe favours self-regulation and brands the US Rockefeller data bill currently going through Congress as worse than the worst parts of Obamacare.

Heartbleed

The high-profile ‘Heartbleed’ security flaw found in April could have allowed hackers to access passwords and other supposedly encrypted data. The ICO’s Simon Rice says those targeting it would have had to be very lucky to get anything other than “a big blob of data”, but nevertheless, this was a serious hole in the open source code OpenSSL, used by everyone from Google, Amazon and Rackspace to secure their vast infrastructure.

As a not-for-profit project with only one full-time employee, the OpenSSL team has successfully lobbied the big companies that use its software to contribute to its future success. Rice doesn’t advocate closed networks, with everyone from the FT to the BBC advocating open source; he simply asks: “Should companies have done a bit more code review from an organisational perspective?”

The industry’s attention has now turned to encryption as the ‘sure-fire’ way to protect data. Forrester’s Anthony Mullen says that they’re expecting to see more encryption tools – possibly even something from smartphone OS owners who were annoyed at how their data was being commandeered by security services. “It’s quite a lid that’s been lifted and it’s good for the health of the web,” he adds.

“The maths for encryption works,” Rice agrees. “The problem is it’s got to be implemented properly. If the data is secure in transit but then stored in plain text at the other end, the encryption was bullet proof – but the implementation wasn’t. My concern on the app side of things is that any app developer could just grab a code library from somewhere online, with no idea where the code came from and no due diligence process that they can explain to the user.”

McAfee says it now finds 39,000 new malware threats every single day, housing more than 40m of them in its purpose-built ‘zoo’. The data revolution in many ways, Raj Samani says, has been led by those offering ‘Hacking as a Service’, and the opportunity to rent malware or find it open source and learn how to use it by watching videos on YouTube. If robbing banks was high risk with potentially no reward, the gravitation towards cyber criminality is, arguably, just good business sense.

Data first

So what if your company is built solely on the use of data? The recently launched Cloze app has been developed specifically to help professionals manage the “novel a day” of social information they now receive as part of modern working life. Users sacrifice their personal information in order for Cloze’s algorithm to prioritise all the messages coming into their various inboxes and streams, with a premium service that adds extra features.

The company’s co-founder Alex Cote says accessing customer data is the “nature of the beast”, but as companies have been criticised for storing personally identifiable information in plain text, he explains how Cloze has been built with security and privacy baked in. “The team has built Cloze so that data is encrypted in our database so even employees can’t access it. Cloze doesn’t share any details across different users’ accounts and our security pledge, found easily on the company website, explains that data will not be sold or shared with advertisers.”

It’s not just startups that are making huge efforts to collect and analyse customer data in order to engage users, upsell services and attract advertisers. “Data is at the heart of the FT’s strategy,” says Kristina Eriksson, head of media relations at the FT. “It gives us a deeper understanding of our audience and facilitates smarter product development and marketing.”

The FT famously shunned a presence in Apple’s App Store in order to have full visibility and control over customer data. “Because our mobile app is web-based, we are able to apply the same analytics as on desktop to campaigns on this platform, on- and offline, unlike pure ‘native’ offerings,” Eriksson says. This strategy doesn’t seem to have hurt, with mobile accounting for nearly a quarter of all new subscriptions and overall digital subscriptions to FT.com growing 31 per cent during 2013 to represent almost two-thirds of the publisher’s total paying audience.

“Our focus is on using engagement data intelligently to correlate the amount of time a brand message is exposed to our audience with the outcomes of the campaign. By matching a client’s content to FT articles through FT Smart Match we can improve campaign performance significantly.” Eriksson says that the FT works hard to ensure data protection is built into its products from the start and the company collaborates closely with technology and network providers to address any potential risks. No individual data is available internally, she adds, with analysis only made around general demographic cohorts.

Inrix, a big data analytics company working on building a huge ‘population analytics’ platform, is currently partnering with Havas on a smart city project in Oxford – a brief that seems somewhat out of the usual territory for a media agency. The project has been devised by Havas’ new chief data officer Mike Potts, who became the company’s first ever CDO back in February. He says he was appointed “to send a message to the market that we’re really serious about this”.

Matt Simmons, director of marketing for EMEA at Inrix, believes that data analysis is crucial to 21st century business. “Big data and the analysis of that data is also a catalyst for creating new and innovative services that can provide real value across a number of sectors,” he says. “Companies that use data to deliver better insights to customers and decision-makers stand a greater chance of differentiating themselves from competitors and driving their business forward in this technology-driven age.”

No Data?

Far from the smart use of data helping good companies distinguish themselves from the rest, some in the industry now believe that a full-blown ‘no data’ policy could start to be the true differentiator, identified as a trend to watch for 2014 by TrendWatching.com. “Brands will have to walk a fine line between offering consumers a valuable (and ideally seamless) service, and freaking them out with aggressive if not downright scary ‘services’. Yes, consumers want to feel served, but they don’t like to be watched.”

“Online services are actually starting to use privacy to promote their brand,” the ICO’s Rice flags. “Microsoft has just announced that they won’t do any targeted advertising for education products – now Google says they will do the same thing.” Pols welcomes this, adding: “I hope this means that in the future it’s going to be a more egalitarian battle than what it is now. I’d actually like services to allow me to pay but they say ‘this is not our business model’. This ‘free economy’ gives people no choice. You should be able to pay for stuff to keep your data private.”

Data legislation

In a landmark decision, the EU has now ruled that Google users have the ‘right to be forgotten’, with the search engine now facing an administrative task of truly unknown complexity and scale to adhere to this. Short of having a full Digital Magna Carta, something father of the internet Tim Berners-Lee demanded on the 25th anniversary of his invention, Europe has already begun the long process of revising its entire 1995 Data Protection Directive.

This is already tabled to include a more wide-ranging ‘right to be forgotten’ and while most of our commentators believe the new rules are going to be a positive thing, McAfee’s Samani says that any legislation brought in to protect citizens, and brands, from the threat of data loss, has to be realistic. “The ‘right to be forgotten’ is technically impossible. You have a digital tattoo once your data goes out there and once your data’s gone it’s gone.”

Pols believes that given that data is transferred from one continent to another at the click of a mouse, the only way to move forwards is to have global data legislation. “The US and UK get stuck with the word ‘privacy’ and as long as we find it difficult to define privacy, we can’t legislate for it. Data protection, favoured in the rest of the EU, is something totally different. Internationally, in the last six months alone, it feels like the Americans are starting to align with this. It’s certainly better than two years ago where in the US the attitude was ‘privacy is dead, just get over it’.”

“Europe’s going to lead this – spurred by legislation and informed by the continent’s recent history of fascism – and completely redrawing engagement lines between brands and consumers,” Anthony Mullen from Forrester adds. “And the press will have a field day when the flood gates open – way more than the EU cookie law. There will be a lot of pressure from journalists to get brands to change their behaviour.”

My Data?

The Boston Consulting Group (BCG) has estimated that the personal data economy could be worth €1trn (£820bn) in Europe by 2020, roughly 8 per cent of the combined GDP of the EU-27 countries. “For European businesses and governments, the use of personal data will deliver an annual benefit of €330bn by 2020, bringing growth to an otherwise stagnant economy,” a BCG report says. In its survey of 10,000 people worldwide, 78 per cent said they would use tools to control personal data if available. “Companies that excel at creating trust should be able to increase the amount of consumer data they can access by at least five to 10 times.”

Given the value now placed on data, some are now working towards offering citizens a way to actively sell this ‘new asset type’ and reap the revenue rewards themselves. Companies like Handshakes and Datacoup have begun to offer this on their own data marketplaces, but personal data on its own, as opposed to within a group of people ‘like’ you, appears to offer little value. The FT’s interactive tool ‘how much is your personal data worth?’ explains that data brokers already know your age, gender, postcode, ethnicity and education level, all worth a sum total of $0.007. If you casually throw in that you’re a millionaire, that figure only goes up to $0.123.

Some individuals are now testing the power that the internet has over your data. Internet activist Shawn Buckles sold all of his personal records for €288 in a bid to highlight data security issues. He states on his website: “Privacy is gone. We gave it up, for no other reason but the thought that it’s useless. Why don’t we protect our rights?” Buckles was quickly followed on this mission by mum-to-be Janet Vertesi, who went to extreme lengths to hide her pregnancy from big data and was flagged as a criminal along the way.

The UK Government’s own Midata project is also working on ways for citizens to access their data for use for civic services. “The Midata programme is a voluntary programme working with companies in key sectors of the economy: energy, personal current accounts, debit cards and credit cards,” says Gemma Lobb from the Department for Business Innovation and Skills, which is backing the work. “The Government is focusing on areas where the data held will have the most value for consumers, either in terms of giving them access to the type of information that will help them make an effective switching choice, or where there is the potential for the data to drive services to empower them.”

People will eventually be able to download a transcript of their data and use it as part of the personal data economy, which is great if you trust the Government to help you manage your personal details. According to BCG, government is less trusted than brands on data management. The Midata programme itself does not have access to any data, Lobb explained; it’s working with brands so that they are encouraged to give back certain data that they hold on their customers. The team recently set up a consumer protection and trust work stream that is soon to report on its findings. “I worry about how we educate individuals about what the additional risks are around giving people a full transcript in readable format of their personal data,” admits the ICO’s Rice. “Scammers and spammers will be onto this as well.”

The Government has wholeheartedly joined the open data revolution, even giving £10m grant funding to London’s Open Data Institute, but questions remain around what political involvement does to the neutrality of data collection and dissemination. Plans to sell off NHS data have been “mishandled”, according to the chair of the panel set up to advise the NHS and ministers on the governance of patient information, while HMRC’s plan to sell off its data has been branded “borderline insane” by Conservative MP David Davis.

Trust

Although a complex area, it appears that words like transparency and consent are now coming into everyday vocabulary for marketers, policymakers and citizens, with seductive opportunities to collect data becoming increasingly heavily weighed against the potential to leave people feeling betrayed.

“Phase one was all about snooping – which was a great advantage for advertisers,” Forrester’s Mullen concludes. “In phase two we’re seeing more awareness and more controls. But we need to go through this to realign. Phase three will see much more automation, around wearables and contextual services, when people trust brands to do this for them. The nirvana of deeper, richer services will not come until we go through this pain.

“Privacy really is just a subset of this bigger topic – trust,” he adds. “Trust is a much more positive thing to hang this change in the way that we use data on and I want to see this reframed as the trust debate.”

So it looks like we are in a transition. But we – people, government and business – are yet to really start talking to each other about, and truly understanding the consequences of, smartphone tracking, as Guardian editor Alan Rusbridger urges, less still the complexities of a full-blown debate about trust. And without this, yet more scandals, either through intention or oversight, are no doubt on their way.

Watching CITIZENFOUR on Friday was certainly one uncomfortable way to spend Halloween. Find a screening of the film here.

‘Leaky Apps’ Scandal: Where Does the Buck Stop?

This week’s revelations about the role that app developers and advertising networks may have (potentially accidentally) played in UK and US government spying raises very important questions for the mobile industry.

Aside from Rovio, which released a comprehensive statement assuring its users that it does not give data to spying agencies, and levelling blame at third-party networks, the silence from the industry has been deafening.

Google’s Doubleclick ads are among those served within Rovio’s Angry Birds, which implicates the company in this alleged haemorrhaging of personal details. Google is also an app owner, with its suite of productivity apps among the most widely used in the world, giving it even greater visibility of data and relevant security issues.

Google: No comment

Asked what the company made of the Wikileaks information, a Google spokesperson said: “We don’t have a comment on this.” When pressed on its responsibility to its users, Google added: “No one’s available for comment.”

Ad networks including Millennial Media and Nexage also serve ads within Rovio’s apps. Millennial Media’s EMEA content and communications manager Dave Ross-Tomlin, made a short statement yesterday. “There has been reporting over the last 24 hours about the collection of mobile data by government ‘spy’ agencies,” he said. “Let us be clear: Millennial Media has not and does not work with, nor pass information to, the NSA, GCHQ, or any other such agencies.”

The company said that it uses non-personally identifiable data provided by publishers – in this case, app developers – with the permission of users. It then adds additional filtering for regulatory compliance, relating to laws like the Children’s Online Privacy Protection Act. We were directed to their privacy policy but Millennial could not give any more detail about whether data could have been collected without them knowing and, if so, how this could be stopped in the future.

MMA: We take privacy seriously

It is not entirely clear within whose jurisdiction this lies and who should be held accountable if consumers’ privacy is infringed. While the Internet Advertising Bureau said it is unable to comment, Stephen Upstone, UK chair of the Mobile Marketing Association, a trade body for the industry, said that his organisation and its members take the issue of consumer privacy very seriously.

“I am not aware of any companies sharing customer data accidentally or deliberately,” Upstone said. “The MMA takes an active role in encouraging regulation and best practice with the mobile marketing and advertising industry globally. We consult with brand marketers, advertising agencies, publishers, software and service suppliers on behalf of the industry and consumers.”

When asked who could be held responsible if data has been handed over to security services, purposefully or not, Upstone added: “Individual companies that handle data are responsible for ensuring it is properly handled, securely stored and that the laws and regulations are being respected. App developers who work with third-party suppliers and manage data are responsible for choosing vendors who are managing data properly.”

Rovio has said that it is now re-evaluating its work with ad networks as it considers how to ensure that data is not made so freely available in future, but without clear evidence of who has done what, many in the industry face having this key app ad inventory removed from their arsenal. And with little response from app developers and the ad networks they work with, it is difficult to know how the industry can stop this happening in the future.

ICO: We have raised concerns about US spying

We got in touch with a number of consumer protection organisations, including Consumer Future and Which?, but they were unable to comment as they did not have the relevant expertise. An Information Commissioner spokesperson said that app developers must comply with the requirements of the Data Protection Act, including being open about how data will be used and that data collection is not excessive, on which the organisation has created guidelines.

On the NSA and surveillance, the ICO spokesperson said: “There are real issues about the extent to which US law enforcement agencies can access personal data of UK and other European citizens. Aspects of US law under which companies can be compelled to provide information to US agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act. The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the US Government.”

This is just the latest in a long list of examples of government infringing on civil liberties, so are people right to ask whether privacy itself is a thing of the past? Online security firm Bitdefender says that users who embrace privacy are ‘denied access to modern technology’.

Bitdefender: Internet is a pool of data waiting to be mined

“Many of the apps that we install on a daily basis are paid for with our private details,” said Alexandru Catalin Cosoi, chief security strategist at Bitdefender. “On one hand, advertisers are becoming greedier and greedier, because the more personal information they get, the more accurate their profiling, and on the other hand, developers are better paid if they accept the task of getting more information for the advertiser.

“It looks like a win-win situation, but the end-user has the most to lose in the case of a data breach, and what’s most harmful is that most of the time they aren’t even aware that their private information is being harvested. Social networks are booming and a good chunk of users either have no idea how to, or do not care about, safely using these. The internet has become a pool of personal information ready to be mined.”

It was announced yesterday that Ed Snowden, the man who did some data mining of his own when he leaked documents about government spying to Wikileaks, has been nominated for the Nobel Peace Prize. But the prize is not without its critics, with past nominees including Joseph Stalin.

In an interview in December Edward Snowden said: “I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.” These revelations look like a good opportunity for the mobile industry to do some soul-searching of its own.

We reached out to a number of ad networks, including Nexage and Mediaplex, who did not get back to us. Adblock, creators of software to stop ads, declined to comment and App Annie, the app data analytics platform that tracks 3.9m apps, said it ‘may be next week when they engage with the question’. We are awaiting further comment from a number of other organisations.

Written for Mobile Marketing Magazine and first published here: http://mobilemarketingmagazine.com/leaky-apps-scandal-where-does-the-buck-stop/#vouAJQ4eioHpUut1.99

Rovio Points to Ad Networks Over Data Leaks to NSA and GCHQ

After revelations in the Guardian today, on the EU’s international Data Protection Day no less, that Angry Birds and other ‘leaky’ phone apps like Google Maps have been targeted by NSA and GCHQ for private user data, the app developer Rovio has responded by pointing the finger at third-party ad networks.

The allegations about the security of popular apps relate to documents leaked by Edward Snowden to Wikileaks and subsequently passed on to the Guardian, the New York Times and ProPublica.

They show that apps, where commercial data is collected by developers or advertising networks, are considered a target for spies, with Angry Birds used as a case study. Information that may have been intercepted includes phone model and screen size, personal details like age, gender, sexual orientation and sexual preferences, and location data, including live Google Maps queries.

‘Anyone using Google Maps on a smartphone is working in support of GCHQ’

The documents do not show how much data has been collected, stored or searched, or how many people are affected, but a document from 2008 highlighted by the Guardian explains that the level of access ‘effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system’. And apps have certainly come a long way since then. The NSA has spent more than $1bn in its phone targeting efforts, the Guardian reports.

Rovio, who spoke to Mobile Marketing last week about its plans for the Angry Birds apps, which have been downloaded more than 2bn times to date, has now issued a statement. The company says that it ‘does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world’.

“The alleged surveillance may be conducted through third-party advertising networks used by millions of commercial web sites and mobile applications across all industries,” Rovio said. “If advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance. Rovio does not allow any third-party network to use or hand over personal end-user data from Rovio’s apps.”

‘We will have to re-evaluate working with these networks’

Mikael Hed, CEO of Rovio Entertainment, added: “The most important conversation to be had is how to ensure user privacy is protected while preventing the negative impact on the whole advertising industry and the countless mobile apps that rely on ad networks. In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes.”

We have reached out to ad networks working with Rovio, including Millennial Media, Nexage and Google’s DoubleClick, along with the relevant industry bodies and privacy campaigners to comment on the story. Watch this space.

Written for Mobile Marketing Magazine and first published here: http://mobilemarketingmagazine.com/rovio-points-to-ad-networks-over-data-leaks-to-nsa-and-gchq/#LVXpgpxoBCtYwy80.99