BUILDING TRUST IN THE DIGITAL AGE: RETHINKING PRIVACY, PROPERTY AND SECURITY

Making Information Systems Work initiative
Business with confidence
icaew.com/informationsystems

Building Trust in the Digital Age: Rethinking Privacy, Property and Security forms part of the Making Information Systems Work thought leadership programme of the ICAEW IT Faculty.

New technology has transformed the way we interact and do business. However, as the number of technology opportunities grows, so too do the challenges of successful implementation. The Making Information Systems Work programme considers these opportunities and challenges, engaging all sectors of the economy in the debate.

This initiative is not just about making technology work. It is about making technology work with the wider systems around us. In order to do this, information systems need to be based on:
• value: the economic case for IT investment;
• trust: a secure environment to transfer information; and
• standards: a sound technical basis for the exchange of information between parties.

Building Trust in the Digital Age: Rethinking Privacy, Property and Security considers the actions that individual businesses can take to address concerns about the security and use of digital information, as well as the wider social and legal implications of digital technology. This builds on the first report in the programme, Measuring IT Returns, which considers the opportunities to create value through IT and the challenges faced by many businesses in applying financial analysis to these opportunities.

ICAEW operates under a Royal Charter, working in the public interest. As a world-leading professional accountancy body, ICAEW provides leadership and practical support to over 136,000 members in more than 160 countries, working with governments, regulators and industry to ensure the highest standards are maintained.

The ICAEW IT Faculty is a network of chartered accountants and other professionals who have an active interest in IT. The faculty provides help and support to its 3,000 members regarding best use of IT. It also has a wide-ranging public interest role and a thought leadership programme which promotes debate and research.

We welcome views and comments on this work and the other themes of the Making Information Systems Work programme. To contact us, please email informationsystems@icaew.com or telephone Kirstin Gillon on +44 (0)20 7920 8538.

For more information on Making Information Systems Work and to download reports, visit icaew.com/informationsystems. Alternatively, visit our community site IT Counts at ion.icaew.com/itcounts, follow us on Twitter @ICAEW_ITFaculty or join our LinkedIn group ICAEW IT Faculty.

© ICAEW 2011

Dissemination of the contents of this paper is encouraged. Please give full acknowledgement of source when reproducing extracts in other published works.

No responsibility for any persons acting or refraining to act as a result of any material in this paper can be accepted by ICAEW or the authors.

November 2011
ISBN 978-0-85760-435-4

Contents

Table of figures and panels
Executive summary

1. Addressing concerns about IT
1.1 Aims of the report
1.2 Generating value through IT
1.3 Risks surrounding information security
1.4 Risks surrounding information use
1.5 Information security, privacy and intellectual property
1.6 Our approach to building trust
1.7 Summary

2. Rights over personal information
2.1 The business value of personal information
2.2 Legal considerations
2.3 Market considerations
2.4 Underlying questions about privacy
2.5 Collecting and retaining personal information
2.6 Using personal information in the private sector
2.7 Sharing personal information across the public sector
2.8 Summary

3. Rights over intellectual property
3.1 The business value of intellectual property
3.2 Legal considerations
3.3 Market considerations
3.4 Underlying questions about intellectual property
3.5 Strengthening intellectual property rights
3.6 Encouraging open approaches
3.7 The push for transparency
3.8 Co-creation of intellectual property
3.9 Summary

4. Information security practices
4.1 Principles of information security
4.2 Established information security practices
4.3 Making decisions about security measures
4.4 Building skills and organisational structures for security
4.5 Embedding good practices throughout the business
4.6 Securing information beyond business boundaries
4.7 Personal information practices
4.8 Intellectual property practices
4.9 The growing regulatory agenda
4.10 Summary

5. Building trust
5.1 Impact of new technology
5.2 Trust in business
5.3 Recognise and debate issues
5.4 Develop new theoretical thinking
5.5 Balance control and use of information
5.6 Create supportive institutions
5.7 Summary

Appendix – Areas for research
A.1 The role of academic research
A.2 Sharing business experience and knowledge
A.3 Supporting collective actions
A.4 Research challenges

Acknowledgements
Bibliography

Table of figures and panels

Figures
Figure 1.1: ICAEW approach to building trust in the digital age
Figure 5.1: Information supply and demand curves
Figure 5.2: Impact of IT on information quantity

Panels
Panel 1.1: Hacking a security business
Panel 1.2: Attack on Estonia’s infrastructure
Panel 1.3: Hacking and blagging
Panel 2.1: OECD Fair Information Principles
Panel 2.2: The EU regime of data protection
Panel 2.3: US privacy laws
Panel 2.4: Privacy as a human right
Panel 2.5: English super injunctions and the internet
Panel 2.6: US Federal Trade Commission approach
Panel 2.7: Information accountability and the Fair Credit Reporting Act
Panel 2.8: Losing investor confidence: the case of Phorm
Panel 2.9: HP’s position on privacy
Panel 2.10: Approaches to privacy
Panel 2.11: Genocide in Rwanda and identity cards
Panel 2.12: Balancing privacy and security
Panel 2.13: US and European attitudes to privacy
Panel 2.14: The varied reaction to Google’s Street View
Panel 2.15: ‘The internet of things’ and privacy
Panel 2.16: Losing the power to forget
Panel 2.17: Behavioural advertising
Panel 3.1: UK intellectual property law
Panel 3.2: Alternative business models: Spotify
Panel 3.3: Welfare economics of intellectual property rights
Panel 3.4: The newspaper industry and the internet
Panel 3.5: The role of the Internet Service Provider
Panel 3.6: The Creative Commons
Panel 3.7: The Open Data movement
Panel 3.8: YouTube copyright requirements
Panel 3.9: Crushpad business model
Panel 4.1: Types of authentication
Panel 4.2: Security standards: ISO 27001/2 key provisions
Panel 4.3: Breach notification laws
Panel 4.4: Payment Card Industry Data Security Standard (PCI DSS)
Panel 4.5: Information security governance
Panel 4.6: The consumerisation of IT
Panel 4.7: HMRC data loss
Panel 4.8: Cloud computing
Panel 4.9: Gaining comfort over service providers
Panel 4.10: Privacy impact assessments
Panel 4.11: Facebook’s privacy settings and controls
Panel 4.12: The controversial launch of Google Buzz
Panel 4.13: Privacy audits
Panel 4.14: The problems of anonymity: the Netflix data prize
Panel 4.15: Information security regulation and the House of Lords report
Panel 5.1: Building business trust
Panel 5.2: Contentious questions
Panel 5.3: Information ethics
Panel 5.4: The cases of TJX and ChoicePoint
Panel 5.5: Differences between tangible and intangible property
Panel 5.6: Encouraging innovation with IT
Panel 5.7: Private property rights
Panel 5.8: The tragedy of the commons
Panel 5.9: The tragedy of the anti-commons
Panel 5.10: The Internet Governance Forum
Panel 5.11: Requirements for good regulation
Panel 5.12: Standards and informal regulation in the technology industry
Panel 5.13: Building effective market pressures
Panel A.1: Suggested research topics on information practices

Executive summary

Addressing concerns about IT

Information technology (IT) transforms the way that many businesses operate and presents tremendous opportunities to increase revenues, cut costs and create new customer value. However, alongside these opportunities, there are growing concerns about the control and security of digital information which a business needs to manage in order to capture and retain value from IT. These concerns are fuelled by:
• high-profile data breaches and the growth of cyber attacks;
• individual experience of identity theft, phishing emails, spam and computer viruses;
• controversial use of personal information by governments and businesses; and
• repeated failures to secure intellectual property and prevent others from exploiting it.

These incidents can result in substantial financial losses for businesses, governments and individuals, damaged reputations and reduced confidence in IT systems more broadly. Therefore, this is an area of growing importance for business and economic success. Furthermore, these issues affect all of us as individual consumers or citizens.

Trust is an important feature of any economy and society. It enables businesses and individuals to carry out economic transactions and social interactions in the belief that other parties will behave in a non-harmful way. Building trust that other parties will secure and use digital information in acceptable ways is therefore an important element of addressing concerns about, and building confidence in, a digitally-based economy.

Our approach to addressing concerns is based on the belief that businesses cannot build trust in isolation. While they are necessary, today’s good practices are not enough. Businesses operate within a network of formal and informal norms which influence and limit their actions. As a result, good information practices are ultimately grounded in clear rights and duties over information and need to be built on an accepted framework of social expectations and laws.

Digital technology is disrupting and challenging many aspects of the existing social and legal environment. Consequently, it is not enough for businesses to implement today’s good practices in isolation. We also need to encourage widespread engagement, understanding and debate of the issues presented by digital information to build a social and legal framework which is broadly accepted and can underpin individual business actions.

By summarising a wide range of business practice, underlying theory and new areas of debate, this report aims to achieve two principal benefits:
• to help management make better decisions about digital information and improve business performance in relation to information risks; and
• to inform widespread public debate about digital information and thereby support the development of a variety of regulatory, industry and social solutions.

In the process, it brings together three areas of thinking that are often looked at separately: privacy, intellectual property rights and information security. While these continue to be distinct fields, the digital environment brings them closer. As a result, this report takes a first step in bringing together key elements of a disparate and complex literature to support more integrated business practices and policy-making.

Rights over personal information

Personal information is information that is associated with an identifiable individual. Most businesses hold personal information about employees and customers as part of their day-to-day operations. Personal information can also be used to generate revenue. As a result, personal information can be important intellectual property, especially for consumer or advertising-based businesses.

While many businesses may want to make extensive use of personal information, individuals retain rights over information about themselves and businesses have a range of duties regarding their use and treatment of personal information. In Europe in particular, personal information is subject to substantial regulation. Personal information can also be protected through laws targeted on sensitive pieces of personal information or based on the human rights framework, including the right of privacy. It can also be protected through commercial pressures.

The notion of a private space has been established since Aristotle’s Politics. However, it remains a nebulous idea which is subject to diverse views on its scope and importance. We summarise some of the key theoretical ideas about privacy around the following questions:
• What is the scope of privacy?
• What is the role of consent?
• What are the benefits of privacy?
• What harm is caused by breaches of privacy?
• How should privacy be balanced with other interests?
• How can different cultural views be reconciled?
• How can we understand fragmented and inconsistent behaviour?

IT increases the value of personal information, leading to greater business use and commercial exploitation of it. This is also leading to growing contention about the limits of business use of personal information and the ways in which individuals can retain control over it.

More is known and remembered. While data protection principles limit the personal information that can be collected and retained, emerging practices and technologies enable businesses to gather increasing amounts of user and location data. Regardless of its ultimate use, the extensive collection and retention of information in itself may cause individuals concern and discomfort. Furthermore, the inability to ‘forget’ personal information may have long-term effects on society as individuals become more conscious of their actions and inhibit their behaviour accordingly or suffer disproportionate consequences.

Businesses are extensively profiling individuals. While profiling has been a business practice for many years, the sophistication of analytical systems, combined with the vast digital footprint created by most people, is making profiling much more powerful. This can provide benefits by targeting products and services to specific individuals. However, profiling can result in unequal treatment and can offend deeply-held perceptions of fairness. There is often a lack of due process and accountability about decisions. There are also concerns about the long-term impact of filtering information or services to narrow audiences based on this segmentation.

Governments are connecting information about citizens. The opportunity to share information more effectively across governments is often essential to increasing the efficiency and quality of public services. However, it raises practical concerns about the quality of information and how it is managed. It also leads to many questions about the degree of governmental power and control gained through centralising personal information.

Rights over intellectual property

To generate revenue, businesses rely on intellectual property and confidential information which can include inventions, formulae, novel processes, creative content, brand names, designs and customer lists.

Intellectual property rights aim to secure the cash flow benefits from the exploitation of information resources for the rights-holder. Business will sometimes use intellectual property rights to keep information secret. However, in many cases, intellectual property rights enable a business to sell access to information products and services and keep the related revenue stream.

In many cases, intellectual property rights are clear and the related business challenges are largely practical in nature. However, this clarity can mask deep differences of opinion about the benefits of strong intellectual property rights compared to the benefits that can be obtained from the free flow of information.

As the opportunities to share information for a wide range of social and economic benefits grow, debates touch on complex underlying questions, including:
• What are the net economic benefits of intellectual property rights?
• What is the moral basis of intellectual property rights?
• What is the impact of changing consumer attitudes to paying for content?
• Are breaches of intellectual property rights morally wrong?

We consider three areas of particular debate which stem from the changes brought by digital technology.

There are alternatives to strong rights. Intellectual property rights have been substantially strengthened in recent years to enable businesses to generate more revenue from their information content or inventions. However, there are alternative approaches which put a greater emphasis on information sharing. Supporters of these approaches argue that businesses should develop business models which embrace the new technological opportunities and the openness that these enable, rather than retain models which are no longer effective in the digital environment.

There is greater openness in the public and private sectors. The push for transparency is seen most prominently in the public sector, where the Open Data movement is pushing for the widespread release of government data to drive a variety of economic and social benefits. As technology has improved, pressures have also grown in corporate reporting for more comparable and timely data from businesses. However, while there are great benefits to transparency, it also potentially creates new risks, especially when changes in incentives change the behaviour of individuals.

Businesses are interacting more with each other and their customers. This is resulting in co-creation of intellectual property across supply chains and with customers. While businesses may want to maximise their rights over intellectual property, there also may be new questions about how the benefits of this collaboration are shared and growing perceptions of unfairness where businesses exploit the creativity of others.

Information security practices<br />
In many cases, <strong>in</strong>formation rights are well established and clear. Therefore, <strong>the</strong> bus<strong>in</strong>ess imperative<br />
is to secure those rights effectively. The field of <strong>in</strong>formation security deals with <strong>the</strong> protection of<br />
valuable and/or sensitive information and is built around three key principles, namely confidentiality, integrity and availability.
The principles of information security are reflected in a wide range of established information security practices. Business processes and management techniques are a central part of any information security strategy. Given the dominance of IT, technical computer security is also a very important component of information security.
Despite the existence of a wide range of good practices, many businesses struggle to implement effective information security. One reason for continuing security failures is that it is often difficult to connect security measures to business priorities and thereby gain sufficient management and employee attention.
It can be difficult to make good decisions about information security investments. Good practice suggests that management should assess the risks surrounding information and balance the costs of security measures against the possible impact of security failures. However, the difficulty of quantifying these matters limits the effectiveness of structured decision-making processes in practice.
While many information security measures are technical, a business is also likely to benefit from techniques which integrate security skills and knowledge across technical and business functions.
Information governance is a set of management practices which aims to protect the quality and control of information throughout the organisation and integrate accountability accordingly.
IT has enabled information to be more dispersed, putting greater emphasis on individual behaviour and making it more important to embed good security practices. As employees increasingly use consumer devices, and frequently their own personal devices, to store or access corporate data, embedding good behaviour will become ever more important. Training can help raise employee awareness of security policies and processes. Culture and senior-level commitment are also important factors and, where security can be aligned with the objectives and brand of the business, it is more likely to become central to business activities.
A growing security challenge concerns the explosion in outsourcing and collaboration across supply chains. As a result, information rarely sits in one organisation as a static resource but instead is the subject of continual flows between different parties. This may lead to a shift in security thinking, away from establishing a secure perimeter around the organisation to a more dynamic model which emphasises security across a supply chain.
Finally, as security failures increasingly impact on individual consumers and citizens, there is a developing regulatory agenda, particularly around the security of personal information. As a result, a business may need to shift its thinking from internal risk management to meeting external demands.
Building trust
New technology is a central part of economic development. However, transformation in economic possibilities through new technology often creates social tensions and new questions in parallel. Unless we recognise and address the social challenges related to digital information, there is a risk that opportunities to use it are missed.
Trust is an important feature which underpins the use and value of new technologies and therefore can support the development of a digital economy. Businesses can build trust at an individual level by implementing good practices. However, good practices need to be underpinned by clear social expectations and legal obligations. We identify four essential elements to building broader trust around digital information.
Recognise and debate issues. Regulators, law makers and the technology industry have a major role to play. However, all businesses are affected by some of the issues raised in this report, as are all individual consumers and citizens. Therefore, debates need to engage broadly across all sections of society in order to take account of different interests and perspectives.
Develop new theoretical thinking. While technology is the direct cause of the difficulties outlined in the report, it is radical changes to the economics of information which are at the heart of the social tensions. Therefore, we need to encourage a variety of new thinking which is rooted in the economics of digital information.
Balance control and use of information. There needs to be clear rights over information to enable parties to form expectations about its use and protection. However, this control needs to be balanced with the ability of different parties to use and share information for a wide range of benefits.
Create supportive institutions. A variety of institutions are needed which can address this broad range of issues and develop robust and flexible solutions. Institutions need to include many participants, including regulators, businesses, individual consumers and the technology industry and promote common approaches, as far as is possible.
Although each of these elements is essential, they are also fraught with difficulty which may limit realistic progress. Academic research can play an important role in developing deeper understanding of the challenges of the digital environment and supporting each of these elements.
1. Addressing CONCERNS about IT
There are growing concerns about the control and security of digital information, fuelled by high-profile security breaches and controversial uses of personal information. But how much do these concerns matter? And what can individual businesses do about them?
1.1 Aims of the report
Information technology (IT) transforms the way that many businesses operate and presents tremendous opportunities to increase revenues, cut costs and create new customer value. However, alongside these opportunities, there are growing concerns about the control and security of digital information which a business needs to manage in order to capture and retain value from IT. These concerns are fuelled by:
• high-profile data breaches and the growth of cyber attacks;
• individual experience of identity theft, phishing emails, spam and computer viruses;
• controversial use of personal information by governments and businesses; and
• repeated failures to secure intellectual property and prevent others from exploiting it.
These incidents can result in substantial financial losses for businesses, governments and individuals, damaged reputations and reduced confidence in IT systems more broadly. Therefore, this is an area of growing importance for business and economic success. Furthermore, these issues affect all of us as individual consumers or citizens.
By summarising a wide range of business practice, underlying theory and new areas of debate, this report aims to achieve two principal benefits:
• to help management make better decisions about digital information and improve business performance in relation to information risks; and
• to inform public debate about digital information and thereby encourage the development of a variety of regulatory, industry and social solutions.
In the process, it brings together three areas of thinking that are often looked at separately – privacy, intellectual property rights and information security. While these continue to be distinct fields, the digital environment brings them closer. As a result, this report takes a first step in bringing together key elements of a disparate and complex literature to support more integrated business practices and policy-making.
1.2 Generating value through IT
IT systems and the internet have become a major source of economic and social value across the world. ICAEW’s 2008 report Measuring IT Returns highlights a wide range of evidence as to the financial and social impact of IT, including:
• growing world-wide expenditure on IT, with sales on IT and telecoms expected to top $3.6 trillion in 2011;¹
• widespread academic research attributing substantial economic growth in the 1990s to IT investments;²
• continuing investments in IT by business and government, as well as growing consumer markets, leading to a pervasive influence of IT on all our activities and interactions; and
• the emergence of major new businesses based on the internet, such as Google.
IT transforms the economics of information by reducing its costs massively while also increasing the benefits that can be obtained through its use. As a result, it becomes economically viable or beneficial to collect, store, use and share vast amounts of information.
¹ Amanda Andrew, ‘iPad to boost 2011 IT spend to $3.6 trillion’.
² See, for example, Erik Brynjolfsson and Loren Hitt, ‘Computing productivity: firm level evidence’ and Dale Jorgenson and Khuong Vu, ‘Information technology and the world economy’.
This shift is particularly important because information is an enormously powerful resource. It underpins all our activities and interactions, making the impact of IT profound.
By using IT systems effectively, businesses have seen many opportunities to generate greater value through:
• improved efficiency of operations;
• new and enhanced products and services;
• different ways of working, such as outsourcing and globalisation; and
• the ability to reach and service new markets.
While potentially creating value for shareholders, these changes have also resulted in substantial customer benefits, with lower costs, improved services and greater choice in many industries.
These trends will continue in future. Computing power keeps growing, enabling businesses to collect and store more and more information, as well as undertake more sophisticated analysis. Mobile and other technologies such as RFID will provide further opportunities for data capture, leading to new products and services and transforming the way we do things. As more and more people become connected, the benefits of the internet will further increase, reflecting the economic phenomenon of network effects.
1.3 Risks surrounding information security
However, these benefits are not without risks to businesses and individuals. As the use of IT and the internet has grown, so too have concerns about the security of information, fuelled by regular incidents of security failures.
These incidents have a significant cost to businesses, such as:
• costs related to investigating and fixing problems;
• lost revenue or productivity from system downtime;
• lost revenue from the theft of intellectual property; and
• fines from regulatory failures.
The 2010 survey on information security breaches by InfoSecurity Europe and PwC reported that the average cost of the worst information security incidents in large businesses was £280,000-£690,000. For small businesses, the average cost of the worst security incidents was reported to be £27,500-£55,000.
Failures can cause significant reputational damage to a business and a catastrophic security failure could even threaten the survival of a business which relies heavily on confidence in its security practices. Academic research suggests that there is a direct impact on market value from such reputational damage. For example, in a study from 2004, ‘The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers’, Huseyin Cavusoglu et al showed that the announcement of internet security breaches had an immediate negative effect on market valuation of approximately 2%. Another survey by Paul Bolster et al, ‘Security breaches and firm value’ (2010), found significant and negative effects on market value when a security breach is reported by major news outlets. When reported elsewhere, though, the impact is minimal.
While many security failures stem from human error or carelessness, the growth of cybercrime is causing significant concern, as cybercrime has become a major and, in some cases, highly organised, criminal industry. An estimate by security firm Detica, in conjunction with the UK government’s Cabinet Office in 2011, put the total annual loss in the UK due to cybercrime at just over £26bn.³ This broke down into:
• £21bn loss for business;
• £3.1bn loss for citizens; and
• £2.2bn loss for government.
Hackers may be driven by non-financial motives. They may want to claim credit for high-profile attacks and demonstrate their technical prowess to other hackers or the world more broadly. They may also have political reasons for attacking particular targets, a growing phenomenon known as ‘hacktivism’.
³ Detica, The Cost of Cyber Crime: a Detica Report in Partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office.
It is notoriously difficult to gain accurate statistics around this kind of criminal activity. There are few formal reporting requirements on businesses and they are likely to minimise their reporting of incidents to avoid bad publicity. In practice, many statistics are based on surveys which draw on small samples of security specialists.
Regardless of the exact figures, though, there is little doubt that the impact of security failures today is potentially severe given our reliance on IT systems throughout the economy and government.
Theft of intellectual property and industrial espionage
The theft of intellectual property and other industrial secrets is a major concern of many businesses. The Detica/Cabinet Office report estimated the annual value of such theft at £16.8bn, making it the biggest component of the £20bn business losses.
Anecdotal evidence suggests that attacks on businesses are becoming increasingly prevalent and sophisticated. While the threat from insiders selling business secrets remains significant, many businesses are also facing highly targeted attacks on their intellectual property from organised cyber criminals. Attacks may be carried out to order. In some cases, there are suspicions of state sponsorship. Frequently, attacks are so covert that businesses only become aware of the theft at a much later date, when they discover copies of their technology in the marketplace. For example, senior employees may be sent highly personalised emails which appear to be from a colleague or other close contact. These emails encourage them to follow links which infect their computer with various types of malware, thereby giving criminals access to internal systems. Known as ‘spear-phishing’, attacks like these often draw on information posted on social websites to convince the victim that the email is authentic.
Even information security businesses can be the victims of attacks, as shown by the experience of RSA.
Panel 1.1: Hacking a security business
Information security firm RSA sells tokens which customers use to authenticate, or validate, their identity when logging onto a system. Each token is associated with a specific individual and provides a unique passcode which needs to be used, along with a system password, when users log on. This strengthens the security around systems as the passcode is based on an advanced cryptography process.
In March 2011, RSA suffered a highly sophisticated hacking attack in which criminals stole information which pertained to the token system and weakened the protection which the tokens provided.⁴ The company subsequently admitted that information stolen in this attack had been used to attack one of its customers, defence company Lockheed Martin.
As a result of the breach, RSA offered to replace all tokens in circulation, which totalled up to 40 million. It also suffered reputational damage and the long-term impact of the breach remains to be seen.
Availability and integrity of services
Another area of business risk concerns the availability and integrity of services.
Denial of service attacks have become an established tool of extortion against businesses. In these attacks, criminals send a huge volume of traffic to a website in order to overwhelm it and ultimately take it offline. This can cause reputational damage to a business, as well as financial losses. Therefore, criminals may aim to get payment from the business in order to cease the attack. They may also get large amounts of publicity in the process.
Furthermore, there are major concerns about attacks on utilities or critical pieces of national infrastructure which would disrupt essential economic or social services. Utilities such as water or banking systems, for example, could be targeted by terrorists. Attacks on a country’s internet infrastructure could also have a potentially devastating impact on all services based around the internet, as experienced by Estonia.
⁴ Robert McMillan, ‘Is it time for RSA to open up about Securid hack?’
Panel 1.2: Attack on Estonia’s infrastructure
In April 2007, Estonia suffered a concerted attack on its internet infrastructure.⁵ The websites of the Estonian Parliament, banks, newspapers and broadcasters were all targeted. This was largely through denial of service attacks, although some defacement of websites was also seen. Estonia was particularly vulnerable to such attacks as it had made extensive use of the internet for government and banking services.
Estonia claimed that the attacks had the state backing of Russia, due to their scale and sophistication. However, Russia denied responsibility and it has proved difficult to identify where the attacks originated from.
Identity theft and cybercrime against individuals
There have been many high-profile information security breaches which have exposed the personal details of citizens and consumers, from the UK government’s loss of data concerning 25 million child benefit recipients to TJX’s exposure of 45 million customers’ credit card details.⁶
Where personal information is appropriated by criminals, it can be used for financial gain in identity theft cases or credit card frauds. Individuals may be sent emails which contain viruses or lead them to fake sites which aim to extract further personal information from them. Criminals may send emails which aim to deceive individuals into giving money to them directly. The Detica/Cabinet Office survey estimated individual losses from identity theft at £1.7bn per annum, with losses of £1.4bn from other online scams.
Criminals may also target individuals to gain access to personal computers for use in other attacks. A botnet, for example, is a large network of computers which criminals control. This type of network is used for activities such as denial of service attacks or sending out spam emails. In many cases, the individual will be unaware that their computer is part of a botnet.
The range of methods used to access personal information illegally was extensively highlighted in 2011 through the News of the World phone hacking scandal.
Panel 1.3: Hacking and blagging
There are a number of techniques which can be used to access personal information illegally. Hacking phone messages, for example, has been the subject of substantial controversy in the UK. Blagging, where individuals pretend to be someone else in order to gain confidential and sensitive information, is also a well-known illegal practice. These activities are typically undertaken by private investigators, who then sell the information to a variety of interested parties.
The UK Information Commissioner undertook a study in 2006 which considered these illegal practices, entitled What Price Privacy Now? It documented what it termed ‘an unlawful trade in confidential personal information’, based on information held both by public bodies, including the National Health Service, the tax authorities and the police, and private businesses, such as banks and telephone companies.
The report cited five main clients for this kind of information:
• the media;
• insurance companies;
• lenders and creditors;
• those involved in matrimonial disputes; and
• criminals.
Anecdotal evidence suggests that the media use of such techniques has diminished since the jailing of a journalist and private investigator for phone hacking in 2007. However, it appears that the trade continues in earnest in other areas. Following the revelations about phone hacking at the News of the World in 2011, Christopher Graham, the UK Information Commissioner, called for prison sentences for such offences, a recommendation from the 2006 report which was not fully implemented at the time.⁷
⁵ BBC News, ‘The cyber raiders hitting Estonia’.
⁶ BBC News, ‘UK’s families put on fraud alert’; Jaikumar Vijayan, ‘TJX data breach: at 45.6M card numbers, it’s the biggest ever’.
⁷ Erik Larson, ‘Phone-hacking shows jail needed for data theft, U.K. Privacy Chief says’.
1.4 Risks surrounding information use
In addition to risks around information security, there are also growing concerns about how
information is used and shared by different parties.
Internet-based businesses are in the vanguard of pushing the commercial exploitation of personal
information, regularly courting controversy in the process. Governments have also been high-profile
users of personal information, sharing it widely across departments and making use of it
on broad public interest grounds, such as safety and security. This has resulted in many projects
with high-profile opposition, including national identity cards and centralised medical records in
the UK.
Many businesses are concerned about the extent to which they can successfully exploit their
own valuable information. As the online piracy of copyright-protected content has exploded,
the creative industries have been pushing for stronger legislation in the enforcement of their
legal rights. Pressures for openness and transparency may also affect the ability of businesses
and governments to keep sensitive information confidential.
These concerns are reflected in significant disorientation about digital information. While there
are many new opportunities to share information and enjoy valuable and innovative services,
many businesses and individuals also feel uncomfortable as they sense a loss of control over pieces
of information that they have traditionally controlled.
As a result, we see growing pressure for new laws and regulations to strengthen rights over
information. We also see inconsistent attitudes and behaviour as people grapple with the new
opportunities from digital information, for example:
• extensive sharing of personal information on the internet, alongside growing concerns about
privacy;
• widespread breaching of copyright protections by generally law-abiding citizens; and
• deeply divergent attitudes on the provision of new internet-based services.
These concerns and uncertainties create significant risks for businesses trying to innovate with IT
and digital technologies. They also make it harder to build trust in business behaviour regarding
digital information. As a result, it is vital that these concerns are addressed.
1.5 Information security, privacy and intellectual property
In order to capture a broad range of concerns about IT and digital information, this report brings
together three areas of thinking that are often looked at separately.
• Information security focuses on the protection of valuable or sensitive information of any kind,
based around the principles of confidentiality, integrity and availability.
• Privacy asserts the rights of individuals over information about them.
• Intellectual property is concerned with rights over information which a business or individual
has created.
Each of these areas is well established and benefits from high degrees of professional expertise as
well as respected academic research. They all link to the notion of confidentiality, which is central
to the accounting and many other professions. However, each area is served by a variety of
different specialists who may approach the risks from diverse perspectives, including:
• technologists;
• lawyers;
• business managers;
• marketing specialists; and
• consumer or civic groups.
While all of these perspectives are important, this diversity of expertise presents a real challenge
for businesses which need to develop a coherent understanding of their different information
risks. This difficulty is compounded by the fact that some of these disciplines maintain a sharp
distinction between personal information and intellectual property issues.
However, while these continue to be separate fields, the digital environment brings them closer
together. As a result, we see growing conflicts or overlaps between policy solutions in these
three areas.
• Options to improve information security around identity may require the central collection of
sensitive personal information, potentially undermining privacy rights.
• Conversely, the desire of privacy advocates to maintain high levels of anonymity in transactions
may cause discomfort to security specialists.
• The owners of intellectual property rights increasingly want to monitor the activities of
consumers in order to enforce their rights, a move which is strongly opposed by privacy
advocates.
• Some technical solutions for personal information problems build on solutions already in place
for intellectual property, such as digital rights management systems.
The relationship between privacy and information security exhibits particular tensions. They both
rely on the notion of confidentiality and, without effective information security, privacy is severely
undermined. However, while a system may be highly secure, it can still fail to respect privacy
rights by retaining personal information, using it in inappropriate ways or collecting personal
information that is not required.
It is also becoming increasingly difficult to draw clear distinctions between intellectual property
and personal information. Historically, pieces of intellectual property, such as a pharmaceutical
formula, a piece of music or a book, were clearly different to pieces of personal information such
as a name, address or date of birth. However, as information has become increasingly digitized, it
has become harder to maintain an unequivocal boundary between different types of information.
For example, online blogs or profiles typically mix personal information and intellectual property,
with photos and creative writing sitting alongside profile and location information.
Furthermore, personal information is becoming an increasingly important asset of many businesses.
Indeed, it may represent a significant part of a business’s intellectual property, especially in
consumer or advertising-based businesses. Consequently, there are sharply different interests
which need to be considered, as individuals look to assert control over their personal information
and businesses look to exploit it as their intellectual property.
Finally, the changed economics of information is at the heart of all these issues. The opportunities
to collect, use and share almost unlimited amounts of information transform the economic
incentives around information and increase the risks around it significantly. They also raise
profound challenges to established rights over information, such as who should benefit from the
commercial exploitation of personal information or user-generated intellectual property.
1.6 Our approach to building trust
Trust is an important feature of any economy and society. It enables businesses and individuals to
carry out economic transactions and social interactions in the belief that other parties will behave
in a non-harmful way. Building trust that other parties will secure and use digital information in
acceptable ways is therefore an important element of addressing concerns about, and building
confidence in, a digitally-based economy.
Our approach to building trust in the digital age is represented in Figure 1.1.
Figure 1.1: ICAEW approach to building trust in the digital age
[Figure elements: concerns about digital information (personal information, intellectual property, information security); recognise and debate issues; develop new theoretical thinking; balance control and use of information; create supportive institutions; collective actions; individual actions; trust and value creation]
Concerns about digital information can stem from three sources – personal information, intellectual
property and information security.
In order to address these diverse concerns, we need to underpin specific actions and solutions in
four ways:
• recognise and debate issues which arise around the collection, use, sharing and exploitation
of digital information;
• develop new theoretical thinking which addresses the radically changed economics of the
digital environment;
• balance control and use of information so as to maximise the benefits which can be realised
from it; and
• create supportive institutions that can develop a variety of practical solutions and encourage
the evolution of new social norms.
These elements underpin the collective actions that can be taken by governments, businesses,
the technology industry and individuals to address concerns about digital information. Collective
actions could include regulation, voluntary codes of conduct and consumer pressures on
businesses.
In turn, collective actions inform the individual actions that a business can take around digital
information. These actions are reflected primarily in good practices in information security and
personal information.
All of these different elements contribute to building trust in the behaviour of individual businesses
and the wider social and legal framework which surrounds digital information. This will ultimately
enable businesses, individuals and economies more broadly to achieve sustainable value creation
through digital technology.
Our approach to addressing concerns is therefore based on the belief that businesses cannot build
trust in isolation. While they are necessary, today’s good practices are not enough. Businesses
operate within a network of formal and informal norms which influence and limit their actions.
As a result, good information practices are ultimately grounded in clear rights and duties over
information and need to be built on an accepted framework of social expectations and laws.
Digital technology is disrupting and challenging many aspects of the existing social and legal
environment. The economic effect of IT is playing a powerful role in undermining and challenging
established expectations around information and this uncertainty has a significant impact on
businesses.
Where the wider legal and social environment is not clear, business practices are weakened, often
becoming ‘tick box’ compliance exercises without clear reference to an underlying framework of
rights and duties. The resulting uncertainty presents businesses with difficult decisions on how to
innovate with information in ways which are socially acceptable.
Consequently, it is not enough for businesses to implement today’s good practices in isolation.
We also need to encourage widespread engagement, understanding and debate of the issues
presented by digital information to build a social and legal framework which is broadly accepted
and can underpin individual business actions.
Report structure
This report consolidates and summarises a wide range of academic and business literature to
map out:
• current understanding of information rights and good practices; and
• areas which are testing the limits of knowledge and practice.
It is structured in the following way.
Chapters 2 and 3 consider the current business environment for personal information and
intellectual property in turn and therefore set out the context for individual and collective actions
in these areas. Each chapter:
• summarises what we know about information rights, outlining key legal and commercial
considerations for businesses; and
• outlines areas of growing contention, highlighting the underlying philosophical and economic
debates about information rights and considering new practices which are testing the limits of
established thinking.
Chapter 4 focuses on information security. It also includes good practices around personal
information and intellectual property.
Finally, Chapter 5 goes on to consider collective actions and outlines the elements we think
are needed to underpin broad trust in digital information, namely recognising and debating
issues, developing new theoretical thinking, balancing the control and use of information
and creating supportive institutions.
Throughout this report, we refer primarily to businesses. However, we believe that much of
our analysis is also relevant to government and not-for-profit organisations, both of which
need to balance the opportunities and risks that technology brings. In addition, we recognise
that there are some specific issues for governments which we highlight specifically in Chapters
2 and 3.
We also focus our analysis on business risks related to digital information. While we recognise that
there are serious risks related to national security and critical infrastructures, for example, from
information security failures, this report focuses on business-related aspects of security. We also
recognise the important contribution that technology will make to resolving these issues. While
we have not highlighted these aspects in detail and are skeptical that technology can solve all
of the problems around digital information, technological solutions form an important aspect
of building trust.
1.7 Summary
Information technology (IT) transforms the way that many businesses operate and presents
tremendous opportunities to increase revenues, cut costs and create new customer value. However,
alongside these opportunities, there are growing concerns about the control and security of digital
information which a business needs to manage in order to capture and retain value from IT. These
concerns are fuelled by:
• high-profile data breaches and the growth of cyber attacks;
• individual experience of identity theft, phishing emails, spam and computer viruses;
• controversial use of personal information by governments and businesses; and
• repeated failures to secure intellectual property and prevent others from exploiting it.
These incidents can result in substantial financial losses for businesses, governments and individuals,
damaged reputations and reduced confidence in IT systems more broadly. Therefore, this is an
area of growing importance for business and economic success. Furthermore, these issues affect
all of us as individual consumers or citizens.
Trust is an important feature of any economy and society. It enables businesses and individuals to
carry out economic transactions and social interactions in the belief that other parties will behave
in a non-harmful way. Building trust that other parties will secure and use digital information in
acceptable ways is therefore an important element of addressing concerns about, and building
confidence in, a digitally-based economy.
Our approach to addressing concerns is based on the belief that businesses cannot build trust in
isolation. While they are necessary, today’s good practices are not enough. Businesses operate
within a network of formal and informal norms which influence and limit their actions. As a result,
good information practices are ultimately grounded in clear rights and duties over information
and need to be built on an accepted framework of social expectations and laws.
Digital technology is disrupting and challenging many aspects of the existing social and legal
environment. Consequently, it is not enough for businesses to implement today’s good practices
in isolation. We also need to encourage widespread engagement, understanding and debate of
the issues presented by digital information to build a social and legal framework which is broadly
accepted and can underpin individual business actions.
By summarising a wide range of business practice, underlying theory and new areas of debate,
this report aims to achieve two principal benefits:
• to help management make better decisions about digital information and improve business
performance in relation to information risks; and
• to inform widespread public debate about digital information and thereby support the
development of a variety of regulatory, industry and social solutions.
In the process, it brings together three areas of thinking that are often looked at separately: privacy,
intellectual property rights and information security. While these continue to be distinct fields, the
digital environment brings them closer. As a result, this report takes a first step in bringing
together key elements of a disparate and complex literature to support more integrated business
practices and policy-making.
2. Rights over personal information
Rights over personal information enable individuals to control
information about themselves for a range of individual and social
benefits. However, personal information is also a valuable business
resource. As IT increases the ability of businesses to gather,
aggregate, analyse and share personal information, what are
the risks to individuals and society from greater use of personal
information?
2.1 The business value of personal information
Personal information is information that is associated with an identifiable individual, such as name
or address. It can also include information which is less specific but which, when combined with
other data, can be used to identify an individual, for example combinations of age, workplace and
gender.
Most businesses hold personal information about employees and customers as part of their day-to-day
operations. Personal information can also be used to generate revenue, for example:
• tailoring products and services to individual customers based on known preferences;
• marketing products to existing or potential customers;
• giving advertisers access to customers or service users; and
• selling it to third parties for marketing or advertising purposes.
As a result, personal information can be important intellectual property, especially for consumer
or advertising-based businesses. However, IT has vastly increased the value that a business can
derive from it.
Increased volume of personal information
The reduced costs of information achieved through IT mean that businesses and governments
can collect and store vastly more personal information than was previously possible. This trend is
aided by the digitisation of activities, with social and economic interactions increasingly carried
out on the internet or underpinned by IT systems.
Information about our characteristics, location and activities can be captured through a wide
range of technologies, such as:
• CCTV cameras which capture images of individual movements and activities;
• road traffic technologies which recognise number plates and record the movements of vehicles;
• transport technology systems which record when and where individuals access public
transport systems;
• credit card systems which record the time and location of all purchases;
• social security and tax records which record income and other financial information;
• smart energy meters which track individual consumption of energy;
• entry cards to workplaces which record when employees enter and leave buildings;
• electronic patient records which capture details of patients’ illnesses and treatments;
• mobile phone records which log the calls and locations of individuals; and
• passports and other identity documents which record when individuals cross borders.
Greater value from personal <strong>in</strong>formation<br />
The power of IT goes beyond simply collect<strong>in</strong>g <strong>in</strong>formation. It allows sophisticated search<strong>in</strong>g,<br />
match<strong>in</strong>g, aggregation and analysis of <strong>in</strong>formation that would have been impossible us<strong>in</strong>g paperbased<br />
systems.<br />
Aggregation techniques <strong>in</strong> particular radically change <strong>the</strong> impact of <strong>the</strong> <strong>in</strong>formation ga<strong>the</strong>red.<br />
They shift <strong>the</strong> context of <strong>in</strong>formation and transform what may have historically been relatively<br />
<strong>in</strong>nocuous data, much of which is already public, <strong>in</strong>to someth<strong>in</strong>g far more powerful. 8<br />
8 Helen Nissenbaum, ‘Protecting privacy in an information age: the problem of privacy in public’.
12 Rights over personal information
By piecing together disparate pieces of information about individuals, their locations, activities
and preferences, it becomes possible to develop rich profiles which can then be used for many
purposes, such as:
• segmenting audiences to personalise and target products, services, marketing and advertising;
and
• differentiating between customers in the delivery or pricing of products and services.
This leads to a wide range of potential benefits for businesses and is resulting in many new
business models based on the analysis and commercial exploitation of personal information. It can
also generate greater value from services for customers.
2.2 Legal considerations
While many businesses may want to make extensive use of personal information, individuals retain
rights over information about themselves and businesses have a range of duties regarding their
use and treatment of personal information. In Europe in particular, personal information is subject
to substantial regulation. Personal information can also be protected through laws targeted on
sensitive pieces of personal information or based on the human rights framework, including the
right of privacy. It can also be protected through commercial pressures.
Data protection laws
Data protection regulation protects the rights of individuals around the collection, processing and
sharing of their personal data. Principles of data protection were originally developed in the 1970s
and were followed in the early 1980s by the declaration of the Fair Information Principles by the
OECD and the Council of Europe.
Panel 2.1: OECD Fair Information Principles
The OECD’s eight basic principles were stated in its 1980 Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data. These principles have been hugely influential
and form the basis of many national laws in this area, such as the UK Data Protection Act 1998
and EU Directive 95/46/EC on data protection.
The principles can be broadly described as follows.
• Collection limitation principle: data should be collected legally with the consent of the
data subject where appropriate and should be limited to the data that is needed.
• Data quality principle: data should be relevant and kept accurate.
• Purpose specification principle: the purpose should be stated at the time of data collection.
• Use limitation principle: personal data should not be used for other purposes unless with
the consent of the individual.
• Security safeguards principle: personal data should be protected by a reasonable degree
of security.
• Openness principle: individuals should be able to find out what personal data is held and
how it is used by an organisation.
• Individual participation principle: an individual should be able to get details of all
information held by a data controller about them and challenge it if incorrect.
• Accountability principle: the data controller should be accountable for complying with
the principles.
The European Union has taken a lead role in this area in order to pursue dual objectives. First,
harmonisation of the rules aims to facilitate the free flow of personal information across Europe
and support the single market. As such, it provides a broad framework to enable the sharing of
personal information across Europe without the need for individual contracts. Second, it views the
protection of personal information as a fundamental right and the legislation aims to support the
observation and enforcement of this right.
Panel 2.2: The EU regime of data protection
In EU Directive 95/46/EC, the EU implements the Fair Information Principles, along with some
key additional requirements. Particular features include:
• the establishment of an oversight and enforcement body, such as the UK’s Information
Commissioner’s Office (ICO);
• additional requirements relating to electronic files; and
• limits on the international transfer of personal information.
This regime therefore provides strong protection of personal information, with clear rights
given to individuals and mechanisms for enforcement. It also enables the transfer of personal
information across the EU.
However, critics argue that it is a cumbersome, inflexible and administrative approach that has
been implemented inconsistently across member states. 9 Obligations regarding the transfer
of data outside the EU are often described as particularly dated, given the high degree of
international working in many businesses. Workarounds have been put in place to overcome
some of these challenges, such as safe harbours, Binding Corporate Rules (BCRs) and model
contract clauses. These mechanisms provide ways for multi-national businesses to adhere to
acceptable standards and move personal information around the world. They are, though,
difficult to apply and few countries or businesses have been successful in being accepted
through these mechanisms.
Furthermore, critics argue that data protection regulation potentially gives too much protection
to information that is not particularly sensitive, with no reference to harm or risk. As a result,
data protection can place heavy duties on businesses to comply with rules which may not be
justified by the benefits of regulation.
Targeted laws
In contrast to Europe, the US does not have a comprehensive regime of data protection.
Instead, it has a variety of laws which are targeted at the protection of particularly sensitive pieces
of information. 10
Panel 2.3: US privacy laws
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is one of the
best-known pieces of US regulation in this area and concerns health records. One of the Act’s
key provisions concerns the strict privacy of health records and payment information. It also
specifies a number of security measures that should be taken to protect health information.
However, the Act has been criticised on the basis of its complexity, administrative burden and
cost. Some doctors also argue that it has stifled research and follow up consultations. 11
Another example is the law enacted by the State of Massachusetts which sets out appropriate
standards for protecting the personal information of anyone resident in the state. 12 It applies
to all businesses, wherever they are situated in the world. The law sets out a range of security
standards which need to be followed, including authentication measures, encryption of all
personal information stored on portable devices, up-to-date firewalls and virus protection and
employee education on information security. While many of these measures could be seen
as good security practices, some businesses have argued that compliance with the law has
been onerous.
9 Neil Robinson, Hans Graux, Maarten Botterman and Lorenzo Valeri give a summary of the strengths and
weaknesses of the current approach in their Review of the European Data Protection Directive.
10 For a good overview of the various protections in US law, see John T. Soma, J. Zachary Courson and John
Cadkin, ‘Corporate privacy trend: the ‘value’ of personally identifiable information (‘PII’) equals the ‘value’
of financial assets’.
11 Jennifer F. Wilson, ‘Health Insurance Portability and Accountability Act Privacy rule causes ongoing concerns
among clinicians and researchers’.
12 See 201 CMR 17.00 Standards for the Protection of Personal Information for Residents of the Commonwealth.
Human rights laws
Personal information can also be protected through the human rights framework and the specific
right of privacy.
Panel 2.4: Privacy as a human right
The original statement of modern human rights is the 1948 UN Universal Declaration of
Human Rights. This document was based on the experiences of World War II, where the
collection and use of personal information about individuals’ identity and ethnicity had such
terrible consequences. As such, Article 12 of the Declaration reads:
‘No one should be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks on his honour or reputation.
Everyone has the right to the protection of the law against such interferences
or attacks.’
This article is reflected in many subsequent human rights documents, including the European
Convention of Human Rights, and national constitutions and charters of rights such as the UK
Human Rights Act 1998.
In practice, the right to privacy is largely used by the rich and famous to protect themselves from
photographers and journalists. As such, the main issues here frequently concern the balance
between a right to privacy and the freedom of the press. In these circumstances, a privacy right
may be outweighed by the freedom of the press where the public interest is deemed to be more
important and justifies the publication of personal and sensitive information. This is especially the
case for people in positions of public responsibility, although it can also be said more generally for
those in the public eye.
However, the right to privacy may be developing broader application and was invoked in the
2011 News of the World phone hacking scandal in the UK by ordinary individuals, such as victims
of high-profile crimes.
There is also growing difficulty in enforcing privacy rights in an environment of global media
platforms. The case of super injunctions in England highlights some of these problems.
Panel 2.5: English super injunctions and the internet
Following the implementation of an explicit right to privacy in the UK Human Rights Act, the
English courts began to grant what became known as ‘super injunctions’ to stop the press
publishing certain pieces of personal information about individuals. While injunctions have
been available for many years, the super injunction was notable for the fact that the press were
also prohibited from disclosing that an injunction had been granted.
However, super injunctions were only enforceable in England and media in other countries
could publish the information freely. Furthermore, the apparent anonymity of many social
media platforms encouraged the breaching of the injunctions.
A media storm erupted in the spring of 2011 as individuals posted information on global
platforms, such as Twitter, about the identity of those holding super injunctions. 13 Once the
information was released, it was impossible to enforce the prohibition in practice, regardless of
the actual legal position.
Informal regulation
While not a formal legal constraint, a business may want to comply with voluntary codes of
conduct. Voluntary codes typically contain rules and regulations which are specific to the needs of
particular industries. This can focus attention on areas which are particularly risky and can be
a more flexible and responsive approach than formal regulation.
There is a danger, though, that informal regulation can become self-serving and fail to provide
sufficient levels of protection to individuals. It can also be confusing if different codes of conduct
apply to different industries, making it difficult to identify and enforce an individual’s rights.
13 BBC News, ‘Twitter user in bid to break super-injunctions’.
Panel 2.6: US Federal Trade Commission approach
The US Federal Trade Commission (FTC) developed an early version of Fair Information
Principles which focuses on four key areas.
• Notice: before collecting personal information, a business should give consumers notice
of its privacy practices.
• Consent: consumers should have a choice as to how their personal information is used,
and should be able to opt out of secondary uses of their personal data by the business.
• Access: consumers should be able to access information held about them and make sure
it is accurate.
• Security: a business should ensure that any personal information that it holds is secure.
In contrast to the EU, the FTC originally took a less formal approach in which businesses were
left to adopt the principles on a voluntary basis. However, this approach seemed to have
limited success. For example, in a survey from 2000, entitled ‘Protecting privacy online: is
self-regulation working’, Mary Culnan found that only 14% of privacy disclosures by online
businesses constituted a full privacy policy, suggesting that most businesses were not following
the principles fully.
The FTC has subsequently taken a more proactive approach, pursuing a number of high-profile
data breach cases through the courts and obtaining substantial financial settlements
in the process. Furthermore, in 2010-2011, it charged Google with privacy breaches
surrounding the launch of its Buzz product. In the resulting settlement, Google was barred
from misrepresenting its privacy policies, required to implement a comprehensive privacy
policy and be subject to third party audits on its privacy practices every 2 years for 20 years. 14
The principle of accountability
The current regulatory framework is under pressure from two sides.
• There is pressure from individuals and consumer and civic groups to strengthen rights against
the business use of personal information, especially around new practices such as behavioural
advertising. This is seen in proposals to strengthen European laws, as well as proposals for
legislation in the US.
• There is pressure from businesses to minimise regulation, especially regulation that they see
as inflexible and process driven. There is also a desire to simplify the international regulatory
environment.
To address these pressures, a different approach has been proposed which focuses on the
principle of accountability as a means of protecting personal information in this complex
environment. While accountability was included in the OECD’s Fair Information Principles, it is
being developed as an alternative approach to prescriptive regulation around personal information.
Advocates of the accountability approach maintain that it is no longer realistic in practice for an
individual to have full and meaningful control over who has access to their personal information
given the amount of data that is available, captured and exchanged by businesses. However, by
making businesses more accountable for their use of personal information, individuals can develop
greater confidence that businesses are respecting their privacy rights. Therefore, the notion of
accountability takes a principles-based approach which focuses on outcomes, rather than laying
down specific rules concerning exactly who can access information under what circumstances.
This enables jurisdictions and businesses to develop their own approach to protecting personal
information, depending on specific circumstances.
Daniel Weitzner, leading a group of academics which includes Tim Berners-Lee, has argued
in favour of the concept of information accountability. In an article entitled ‘Information
accountability’ (2008), he defines it as:
‘the claim of individuals, groups, and institutions to determine for themselves
when, how, and to what extent information about them is used lawfully and
appropriately by others.’ 15
14 Federal Trade Commission, ‘FTC charges deceptive privacy practices in Google’s rollout of its Buzz social
network’.
15 Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler and Gerald Jay
Sussman, ‘Information accountability’, p87.
Panel 2.7: Information accountability and the Fair Credit Reporting Act
To provide an example, Weitzner et al highlight the Fair Credit Reporting Act (enacted in
the US in 1970) as an example of regulation which focuses on outcome, and the use of the
information, rather than controlling what information is collected or who has access to it.
Under this Act, credit agencies are able to collect whatever information they feel is relevant to
making a credit report. They can also undertake whatever analysis they wish. However, their
reports can only be used for the purposes of credit or employment checks and not for any
other kind of profiling. Penalties are in place in the event of non-compliance and individuals
have high levels of transparency around the process.
The Galway and Paris projects, which involved regulators, academics, lawyers, government
representatives and IT industry experts, considered in more detail what accountability might
look like in practice. Phase two of the project outlined nine core elements of implementing an
accountability project:
• policies that reflect current laws and other relevant standards;
• executive oversight and responsibility for privacy;
• appropriate staff and delegation of responsibility to trained resources;
• education and awareness of the programme by staff and suppliers;
• ongoing risk assessment and mitigation relating to new products or processes;
• regular risk assessment and validation of the accountability programme;
• policies to manage major privacy events or complaints;
• processes to enforce policies internally; and
• a method of redress where privacy rights have been breached.
However, critics of this approach see it as a US-centric one, coming from a tradition of informal
regulation and market-driven approaches, rather than recognising the human rights basis for
privacy and the full scale regulation of Europe.
2.3 Market considerations
There may also be customer expectations and market pressures regarding the treatment of
personal information. While market pressures do not have the force of regulation, they do drive
organisational behaviour to some degree in market economies and support the observation of
privacy. Indeed, where a business fails to protect privacy rights, market reactions and reputational
damage are likely to be as harmful as direct financial losses arising from regulatory breaches.
There are two situations where market pressures are particularly important:
• where regulators and legislators are behind the latest business and technological innovations
in personal information; and
• where businesses want to look beyond compliance and incorporate privacy as a brand value.
Innovative use of personal information
One of the major economic success stories of recent years has been the tremendous growth
of internet businesses, such as Google and Facebook. These businesses have typically made
innovative use of personal information to create popular applications and platforms. However,
many of these uses of personal information go beyond established regulatory or legal standards.
As a result, customer reaction can become an important limit on the business exploitation of
personal information. Indeed, in many of the cases where businesses have changed their policies
around personal information, it has been driven by consumer reaction and outrage, as much
as by the threat of legal action. The impact of consumer outrage is demonstrated in the case of
Phorm.
Panel 2.8: Losing investor confidence: the case of Phorm
Phorm sells software which tracks the web activities of users and builds up a detailed picture
of individual user preferences and interests. In order to generate revenue, it then uses this
information to target advertising for its business clients. In 2008, Phorm signed deals with the
UK’s largest Internet Service Providers (ISPs) to give it access to the ISPs’ customers and thereby
build up an enormous database of profile information. 16
This was an early example of behavioural advertising. Phorm had commissioned a report from
Ernst & Young, which confirmed that its activities were legal. Consequently, its share price
soared, given the lucrative opportunity which this appeared to present.
However, information emerged which suggested that Phorm had been trialling the system on
the customers of one ISP, BT, without disclosing it to the individuals involved. While the legal
advice had been clear that the practice was acceptable if consent was obtained, this scenario
was more contentious. It also generated a substantial backlash from BT customers.
Phorm was never prosecuted by the UK regulators or the EU for breaches of the law, and
privacy campaigners were not given permission to pursue a private prosecution. However,
its reputation was badly damaged and investors deserted it.
Privacy as a brand value
A business clearly has to comply with relevant regulations regarding personal information.
However, it can choose to go beyond an approach of strict compliance and place strong respect
for privacy rights as part of its wider corporate values and ethics.
By demonstrating good practices around personal information, a business may be able to earn
greater returns in the long term. It may also be able to distinguish itself when competitors
experience privacy failures and thereby avoid being tainted by association. Conversely, even if
legally compliant, a perception of poor privacy practices can impact the reputation of a business.
In this sense, privacy feeds into the wider brand value of a ‘trustworthy business’ and can play an
important part in building this reputation.
Panel 2.9: HP’s position on privacy
The technology company HP has stated its position on privacy as one which goes beyond strict
legal compliance. Linking privacy closely with wider corporate values and ethics, the HP Global
Master Privacy Policy states:
‘We follow privacy policies and data protection practices to comply with the
law and to earn trust and confidence in HP and its business practices... All HP
employees, board members, and contracted parties working on behalf of HP
must comply with these policies, even if local law is less restrictive.’ 17
Based around the OECD Fair Information Principles, HP applies a single standard for privacy
throughout its global business, which meets the stringent legal requirements of the EU and
thereby applies stricter standards than are necessary in other jurisdictions, such as many parts
of the US. To help in this, they have developed a highly contextual modelling tool which enables
anyone working with customer information to design their processes and use of personal
information to comply both with legal requirements and their broader privacy standards. 18
The value of such an approach will depend on factors such as industry and brand positioning.
Businesses that hold large amounts of information about individual customers, for example, are
more likely to benefit from such an approach.
There is still limited evidence regarding the extent to which strong privacy protections are seen
as a differentiating factor and many businesses continue to focus on the compliance aspects in
practice. However, a study in 2006 by Acquisti et al suggests that privacy breaches do have a
short-term effect on the market value of businesses. 19 This mirrors research on information security
breaches highlighted in Chapter 1, which provides evidence for a reduction in market value when
a breach is announced.
16 Christopher Williams, ‘BT and Phorm: how an online privacy scandal unfolded’.
17 Available online at the HP Global Citizenship Center.
18 The HP case study is outlined in Privacy by Design: Essential for Organizational Accountability and Strong
Business Practices.
19 Alessandro Acquisti, Allan Friedman and Paul Telang, ‘Is there a cost to privacy breaches? An event study’.
2.4 Underlying questions about privacy
The notion of a private space has been established since Aristotle’s Politics. However, it remains a
nebulous idea which is subject to diverse views on its scope and importance. We summarise some
of the key theoretical arguments about privacy around the following questions:
• What is the scope of privacy?
• What is the role of consent?
• What are the benefits of privacy?
• What harm is caused by breaches of privacy?
• How should privacy be balanced with other interests?
• How can different cultural views be reconciled?
• How can we understand fragmented and inconsistent behaviour?
What is the scope of privacy?
While it is a well-used term, the scope of privacy is hard to articulate and define. The idea of
having a sphere of individual and family activity which is private dates back at least to Aristotle’s
Politics. Historically, the term referred primarily to physical privacy and protection from undue
interference from the state. Therefore, it focused on protecting property from government search
or seizure, as well as protecting the individual from physical searching or invasion.
Today, the prime focus of privacy is personal information. This was first illuminated in detail by
Samuel Warren and Louis Brandeis in their seminal 1890 essay ‘The right to privacy’. This essay
was written against a backdrop of new photographic technology which was being used in an
increasingly intrusive manner. Describing privacy as ‘the right to be left alone’, they argued in
favour of a right of privacy in US law.
Through the 1960s, governments and businesses were increasingly using computers to process
personal data. Mindful of this, in his book Privacy and Freedom (1967), Alan Westin developed the
concept of information privacy into ‘the ability to determine for ourselves when, how and to what
extent information about ourselves is communicated to others’. 20 As a result, privacy became
strongly linked with control over personal information.
Information privacy is an intrinsically subjective topic. As it is ultimately concerned with exercising
choice about whether to keep information within a private domain or whether to share it with
others, it will be strongly influenced by the psychology, social and political attitudes and personal
experience of individuals. It is dependent on the specific context of information sharing. Sharing
medical information with a doctor, for example, is qualitatively different to sharing it with an
insurance company.
The scope of privacy has also changed substantially over time. Historically, privacy was largely
a matter for the wealthy, who could afford to separate themselves physically from the poorer
population and therefore develop an expectation of privacy. The rich may also have had an
interest in keeping information about their wealth secret. In contrast, poorer sections of society
who lived in overcrowded accommodation had little notion of privacy, little opportunity to
exercise it and possibly less need for it.
Defining what behaviour is private or open to public scrutiny is another area grounded in a social
context. For example, 50 years ago, homosexual acts and abortion were generally not seen as
private matters which were left to the discretion of the individual. Instead, the state believed that
it had a legitimate right to intervene and criminalise such behaviour. Attitudes have changed
substantially since then and such actions are believed by many to fall within the private domain.
As a result, finding a singular definition of privacy has proved difficult at any point in time. While
definitions such as those of Warren and Brandeis or Westin have been influential, they are quite
distinct and demonstrate that the notion of privacy covers many different scenarios. Indeed, the
number of distinct scenarios in which privacy is invoked is growing and includes:
• structured databases containing personal information for analysis and segmentation;
• the sharing of personal information across a range of businesses or government agencies; and
• the widespread and often voluntary sharing of public information and images about
individuals.
20 Alan Westin, Privacy and Freedom, p322.
In his article ‘A taxonomy of privacy’ (2006), Daniel Solove develops a taxonomy which defines
four main types of privacy scenarios: information collection, information processing, information
dissemination and invasion. Each of these types has a number of associated sub-types, such as
information aggregation, surveillance, secondary use and exclusion. It may be that a taxonomy of
this type could help to refine the analysis and discussion of privacy.
What is the role of consent?
One important difference between privacy scenarios is the varying degree of individual consent
over the use or sharing of personal information. Contrast, for example, scenarios where individuals
have voluntarily shared information in return for benefits and where there has been opaque data
gathering or sharing. Individuals are free to share what information they want with others. Consent
is therefore an important solution to many privacy concerns. In practice, consent is usually gained
through opt-ins and opt-outs relating to the capture, use and sharing of personal information.
However, the notion of consent is problematic. In many cases, especially in the area of law
enforcement, security and police intelligence, consent is not relevant to the gathering of
information. The state is entitled to gather information to protect citizens and they do not need
to gain the consent of the suspect in order to do so. Other laws will set out the limits of what
government agencies can do in this context.
Within the private sector, it is important to consider what really constitutes informed consent by
an individual. Frequently, people click on a box to give consent without reading the terms and
conditions and therefore without understanding exactly to what they are consenting. The amount
of personal information that is being shared makes it potentially very cumbersome in practice to
consent to every action.
People may consent to sharing information in order to obtain short-term benefits, without proper
understanding or consideration of the full risks surrounding the long-term use of the information.
It may be the case that if all businesses are operating in the same way, individuals have little
choice in practice but to consent to the use of their personal information in order to benefit from
the services offered.
Current conceptions of consent also focus on the initial decision to release information to another
party. However, as information is increasingly aggregated and subject to radical shifts in context,
an individual’s consent may change over time as the implications of releasing information change.
What are the benefits of privacy?
There are a number of different philosophical approaches which can be taken on the benefits of
privacy. As a result, debates around the right to use or restrict access to personal information are
often rooted in quite profound disagreements about the role of the state, the power of the market
and the underlying foundations of society. 21
Panel 2.10: Approaches to privacy
Human rights
Many promoters of privacy focus on its quality as a fundamental human right and its link with
human dignity and personality. It also protects individuals from abuses of power.
Social value
Another way to approach privacy is to see its value in the broader context of society. As such,
privacy can be seen to protect societal and democratic values, for example freedom of
association. It can be associated with an innovative and creative culture, providing a private
space to generate radical ideas and develop new things. It can also provide rules on how we
treat one another, especially where there are competing interests.
Communitarian
By contrast, communitarians, led by Amitai Etzioni, argue against an individualistic approach
that sharply distinguishes between the private and public spheres. Rather, they advocate a
more community-based approach which does not accept a wholly private sphere of activity.
Communitarians therefore dislike the idea of individuals separating themselves from the rest of
society and minimise the role of privacy.
21 Some of these are outlined in more detail in the online Stanford Encyclopaedia of Philosophy.
Panel 2.10: Approaches to privacy (continued)
Feminism
Some feminist thinkers are highly sceptical of the notion of privacy. Catherine MacKinnon, for
example, argues that privacy represents the opportunity to hide the dominant behaviour of
men behind closed doors and perpetuate existing power structures. However, other feminists
see a strong role for privacy. Decisions such as Roe v Wade and Griswold v Connecticut, which
affirmed a woman’s right to abortion and contraception respectively in the US, were strongly
grounded in privacy arguments.
Economics
The Chicago Business School, and Richard Posner in particular, developed an economic
approach to privacy in the 1980s. In economic theory, markets are efficient when each party
has perfect information. More information improves the quality of the transaction, with
lower transaction costs and a more accurate match between supply and demand. On this
basis, buyers and sellers have no rational reasons for wanting to withhold information about
themselves. If they wish to withhold information, it can only be to create a personal advantage.
A buyer, for example, may not want a seller to know that he or she has a poor credit history.
Many economists consequently see privacy as a barrier to efficient market transactions.
This deep divergence of views underlies many of the contentious debates seen today, making it
difficult to find consensus about the scope and strength of privacy rights. 22
What harm is caused by breaches of privacy?
The variety of justifications for privacy, combined with the different scenarios in which privacy
rights may be invoked, means that a range of possible harms is seen as resulting from breaches
of privacy. Some of these are clearer and may possess more weight than others. 23
Looking at privacy as a human right, the harm from privacy breaches is essentially subjective.
There could be a sense that an individual’s autonomy has been infringed and this could be seen as
harmful in itself. There could be a feeling of embarrassment or a loss of dignity, for example, if a
neighbour learns of a sensitive medical condition or financial difficulties.
Systemic breaches of privacy can be seen to erode wider social values. They may reduce underlying
levels of trust in the government or between individuals. They may make people more conscious
of their actions and thereby inhibit individual behaviour and creativity. Therefore, breaches could
result in long-term changes of behaviour and undermine democratic institutions.
Many concerns centre on how personal information will actually be used and the direct harm that
this could cause individuals, for example:
• there could be financial loss where personal information is appropriated by criminals; and
• individuals could be discriminated against or targeted on the basis of personal characteristics
or past behaviour.
Perceived harms from privacy breaches have strongly influenced the development of privacy
protections. Privacy was recognised as a major issue following World War II, particularly in countries
which had seen the targeting of particular groups or individuals based on personal information.
In the Netherlands, for example, a detailed census which had been compiled about all citizens
in the 1930s was immediately seized by the Nazis on invasion and used to identify and target
Jewish citizens. As a result of this registration system and the accompanying identity cards, the
Dutch Jews had the highest death rate of all Jews in Europe in World War II. 24 This direct link with
human suffering led to the human rights framework of the late 1940s, which incorporated a right
to privacy. Despite this experience, the use of national identity registers to target individuals has
been seen on a number of subsequent occasions.
22 For an interesting attempt to bring some of these ideas together, see Ann Cavoukian, Privacy as a
Fundamental Human Right vs. an Economic Right: An Attempt at Conciliation.
23 For example the ICO categorises the harms as tangible harm to the individual, intangible harm to the
individual and broader societal harm. See ICO, Data Protection - Protecting People, a Data Protection Strategy
for the Information Commissioner’s Office.
24 William Seltzer and Margo Anderson, ‘The dark side of numbers: the role of population data systems in
human rights abuses’.
Panel 2.11: Genocide in Rwanda and identity cards
A recent example of the use of national identity cards for horrific ends was seen in the
Rwandan genocide of 1994, where an estimated 800,000 people were killed largely on the
basis of their ethnic group.
The national identity card contained an ethnic group classification. Although it had been
recommended to remove the classification, this had been ignored and identity cards were
an important way of separating the ethnic groups. The identity cards of victims were then
collected and handed to superiors. 25 Following the genocide, ethnic group was removed from
identity cards.
Concerns about privacy grew substantially in the 1960s and 1970s as administrative tasks were
computerised and governments and businesses started to store and analyse large amounts
of personal information. At the same time, there was a growing distrust in governments, in
particular, about how they may use personal information. As a result, there was increased
regulation of the area to reflect these concerns.
The situation remained relatively stable until the explosion of the internet. Privacy became a major
issue again as consumers left a growing digital footprint of activities and preferences.
However, the events of 9/11 and subsequent terrorist attacks round the world provide a
stark counterbalance. The prevention of terrorist activities has become a key priority for all
governments and privacy rights have often been eroded in the process.
How should privacy be balanced with other interests?
Just as there are benefits to controlling access to personal information, there are also benefits to
transparency and information sharing which need to be balanced in the application of privacy
rights.
In his article ‘Social and political dimensions of privacy’ (2003), Alan Westin describes this clash
between the benefits of transparency, surveillance and privacy:
‘Though democratic societies value and institutionalize privacy, democracies
must also provide for the disclosure of information necessary to the rational
and responsible conduct of public affairs and to support fair dealing in business
affairs. Officials must engage in surveillance of properly-identified anti-social
activity to control illegal or violent acts. Managing this tension among privacy,
disclosure and surveillance in a way that preserves civility and democracy, and
copes successfully with the changing social values, technologies and economic
conditions, is the central challenge of contemporary privacy definition and
protection.’ 26
Different points of view reflect different economic interests. There are also deep differences
which go to the heart of the relationship between the individual and the state. This section has
highlighted a number of different arguments that can be used to promote or limit a right to
privacy and central to each one is a particular view of the relationship between the individual,
wider society and the state. Some approaches to privacy focus on the primacy of the individual.
Other approaches highlight the social context of privacy and the need for privacy to work in
conjunction with other rights and interests.
As a result, different weight may be put on different elements, for example, balancing privacy
rights with:
• demands to protect security;
• opportunities to prevent harm to other individuals, for example through infectious diseases,
child abuse and paedophilia;
• the need for medical and social research based on detailed individual information;
• financial benefits that can result from preventing tax or benefit abuse fraud; and
• opportunities for improved services, greater efficiency and lower prices.
25 Jim Fussell, ‘Group classification on national ID cards as a factor in genocide and ethnic cleansing’.
26 Alan Westin, ‘Social and political dimensions of privacy’, p432. See also Kirstie Ball and David Murakami Wood,
A Report on the Surveillance Society for the Information Commissioner.
Panel 2.12: Balancing privacy and security
A major topic of debate is the potential conflict between privacy rights and the promotion of
security, or the prevention of harm more broadly. 27 This is often couched in terms of ‘nothing
to hide’ and the view that the only people who are worried about privacy are those who
have something to hide. By contrast, innocent individuals who have done nothing wrong
should have no objections to the government accessing information about them where these
processes may increase security. This argument has been deployed increasingly since the
9/11 attacks as governments mine data about individuals and their activities to spot patterns,
networks and suspicious activity.
Privacy advocates take a different approach. They argue that the ‘nothing to hide’ argument is
based on a particular view of privacy, namely that it is concerned with hiding bad things rather
than seeing it as a social value. The fact that an individual has done nothing wrong does not
inevitably mean that they wish to share everything with the government. In his article ‘“I’ve
got nothing to hide” and other misunderstandings of privacy’ (2007), Daniel Solove says:
‘The key misunderstanding is that the nothing to hide argument views
privacy in a particular way—as a form of secrecy, as the right to hide things.
But there are many other types of harm involved beyond exposing one’s
secrets to the government.’ 28
He argues that there are many long-term effects on the relationship between state and citizen
which also need to be considered in the debate. These could include the impact of discouraging
individuals from acting freely and ‘chilling’ their behaviour. It could also lead to a breach of
trust between individuals and the state.
Others argue that, in most cases, it is possible to make use of personal information to improve
security while also recognising and respecting privacy. This requires clarity of objectives and
methods so that only relevant information is retained or used. However, gaining clarity over
information requirements often leads to increased costs and time, adding a further element
to the decision-making process.
How can different cultural approaches be reconciled
Diverse views on the benefits and harms of privacy also reflect cultural groundings. Privacy, as
outlined in this report, is largely drawn from Western political and philosophical traditions of
individual liberty and other countries may have different concepts of privacy. Even between
the US and Europe, though, there are major cultural differences over the meaning and basis for
privacy.
Panel 2.13: US and European attitudes to privacy
While there are strong notions of privacy in both the US and Europe, they reflect very different
cultural and historical factors. As a result, the approaches are quite distinct, even though they
all fall within the concept of ‘privacy’. In his 2008 article ‘The two Western cultures of privacy:
dignity versus liberty’, James Whitman outlines distinct social and cultural contexts of privacy in
the US, Germany and France.
In the US, privacy is strongly associated with protection from state interference and the right
of an individual to do whatever they want within their private space. It is therefore libertarian
in its focus and notions of privacy are at their strongest in connection with state-sponsored
action. By contrast, privacy is not as strong in the commercial sector. Both the freedom of
the press and the operation of the free market are equally strong pulls in the US. As a result,
privacy is frequently of secondary importance when applied in the private sector, with market
forces left to operate.
By contrast, in France and Germany, the notion of privacy is strongly tied to ideas of
personality, dignity and control over an individual’s public image. In France, privacy laws
descended from laws relating to insult. In Germany, they are drawn from Kantian ideas of
personality and the right of all individuals to be treated equally and with dignity. As a result,
privacy laws tend to be more restrictive of the press and focused on individual control over
information which is made public. They are generally less concerned with state interference.
27 For example, Information and Privacy Commissioner (Ontario) / Deloitte and Touche, The Security – Privacy Paradox: Issues, Misconceptions and Strategies.
28 Daniel J. Solove, ‘“I’ve got nothing to hide” and other misunderstandings of privacy’, p767.
This complicates the protection of personal information by international businesses. Regulation
around personal information is grounded in national legal systems, and therefore compliance
is already complex for a business with operations in different countries. With different cultures,
businesses also have to contend with potentially different attitudes and actions by employees,
customers or suppliers.
How do we understand fragmented and inconsistent behaviour
One feature of changing technology is that social attitudes can become fragmented and
inconsistent. While some people adopt new technology quickly, others are more cautious and
recognise the risks that it may bring. Attitudes may also change quickly as more information
about the technology becomes available.
It has even been suggested that different generations will take increasingly diverse approaches to
the issues. Those who enjoy social networking sites, for example, suggest that the importance of
privacy will shrink as people increasingly enjoy the benefits of widespread information sharing.
Mark Zuckerberg, founder of the social network site Facebook, subscribes to this view:
‘Privacy is no longer a social norm… People have really gotten comfortable not
only sharing more information and different kinds, but more openly and with
more people…That social norm is just something that has evolved over time’ 29
However, many individuals still exhibit significant concerns, especially when they believe that a
business has gone too far in pushing services ahead of privacy considerations, for example in the
case of Google’s Street View service.
Panel 2.14: The varied reaction to Google’s Street View
Google’s Street View service was launched in 2007 and provides pictures of streets, buildings
and other public features. Linked with Google’s map service, it enables a user to view a street
as if they were walking or driving along it.
It is primarily used for directions with some people also using it to help with activities such as
house-hunting. In addition, it can showcase particular landmarks. For example, VisitBritain,
an agency which promotes the UK as a tourist destination, partnered with Google on Street
View as a way to highlight a wide range of tourist hotspots round the country. Therefore, it can
provide many benefits to a variety of users and Google has continued to expand the coverage
of the service round the world on this basis.
Street View is simply utilising public information. It is taking photographs of public places, such
as roads, cars and houses. Therefore, it is only capturing information that is available to anyone
walking in the street.
However, Street View has been highly controversial. 30 Following a raft of complaints when it
was launched, the UK’s ICO subsequently ruled that the service is perfectly legal, provided
that individuals cannot be specifically identified. Likewise, car number plates need to be
blurred. Nevertheless, controversy continues and surveys show that people are particularly
worried that the images could be used by burglars, although the police have no evidence of
this. Furthermore, many feel that the service is an invasion of privacy, as they have not given
consent for images of their property to be posted online.
As a result, it remains a controversial service which some people see as a valuable and
fascinating resource, while others see it as a privacy violation. Reconciling these widely different
reactions and expectations remains a challenge for businesses such as Google.
Hard evidence in this area is inconsistent. Surveys show that, despite a growth in information-sharing
behaviours, individuals are increasingly concerned about the use of their personal
information by businesses and governments. In a 2010 survey by the UK ICO, 92% of
respondents were concerned about the protection of personal information. 31 This ranks second,
just behind concerns about crime, and reflects an increase of more than 20% since 2004.
29 Bobbie Johnson, ‘Privacy no longer a social norm’.
30 Sam Knight, ‘All-seeing Google Street View prompts privacy fears’.
31 Social and Market Strategic Research, Report on the Findings of the Information Commissioner’s Office Annual Track 2010.
While these views should concern businesses, it should also be recognised that there has always been
a section of public opinion which has strongly valued privacy irrespective of developments in IT.
This is brought out by Alan Westin’s research on consumer attitudes on privacy. He describes three
types of person:
• privacy ‘fundamentalists’, who are highly distrustful of organisations which collect personal
data and exercise privacy controls as far as possible;
• privacy ‘pragmatics’, who weigh up the benefits of sharing information in particular cases,
assess businesses on the basis of their privacy practices and want as much information as
possible to support informed decision making; and
• privacy ‘unconcerneds’, who generally trust organisations in data gathering and have no
significant concerns about the use of their personal information.
In the first of a series of surveys undertaken by Westin in 1990, approximately 25% of the US
public were fundamentalists, 57% were pragmatics and 18% were unconcerned. 32 As a result,
many concerns are not new. A significant proportion of the public were extremely concerned
about the use of their personal information prior to the internet and the emergence of many of
the issues raised in this report.
Furthermore, we frequently see inconsistent behaviour around personal information and people
often do not act rationally in sharing personal information. Information sharing is a trade-off,
whereby individuals get a benefit from handing over information about themselves. They therefore
make a choice as to whether this is an acceptable trade-off.
The evidence suggests that people have difficulty in exercising choice effectively. In practice, they
often give away significant information about themselves in exchange for fairly small rewards,
despite affirming a strong belief in privacy. There is a growing stream of research in the field of
behavioural economics which considers this apparent contradiction between a desire for privacy
and a willingness to share information widely. 33
The timing of costs and benefits is seen to be particularly important in this regard. On the one
hand, individuals are passing over personal information for an immediate and specific benefit.
The risks of privacy breaches, on the other hand, are both long-term and not certain. In most
cases, there will be no direct cost or loss from sharing personal information with another party.
As a result, individuals often underestimate and disregard the risks attached to privacy when
offered an immediate gain.
However, there is a growing need to understand consumer and citizen views better, raise awareness
of individual rights and responsibilities over personal information, and ensure that concerns are
channelled appropriately. Consumer and civil society groups therefore have an important role to
play in debates.
Limits of the current framework for personal information
IT increases the value of personal information, leading to greater business use and commercial
exploitation of it. This is also leading to growing contention about the limits of business use of
personal information and the ways in which individuals can retain control over it.
Sections 2.5 to 2.7 highlight three examples where established rights and regulation are being
stretched by new possibilities:
• The pervasive collection and retention of personal information means that more is known
and remembered.
• The sophisticated use of personal information in the private sector means that businesses are
extensively profiling individuals.
• Wide sharing of personal information across the public sector means that governments are
connecting information about citizens.
32 For a summary of Westin’s studies over the years, see Ponnurangam Kumaraguru and Lorrie Faith Cranor, Privacy Indexes: A Survey of Westin’s Studies.
33 Alessandro Acquisti and Jens Grossklags, ‘What can behavioral economics teach us about privacy’.
2.5 Collecting and retaining personal information
While data protection principles limit the personal information that can be collected and retained,
emerging practices and technologies enable businesses to gather increasing amounts of user
and location information. Regardless of its ultimate use, the extensive collection and retention of
information in itself may cause individuals concern and discomfort. For example, simply collecting
information in some circumstances could be seen as a breach of human rights, impinging on the
dignity of individuals.
Furthermore, collecting and retaining information may have long-term social effects. The inability
to ‘forget’ personal information, for example, may have long-term effects on society as individuals
become more conscious of their actions and inhibit their behaviour accordingly or suffer
disproportionate consequences.
There are also practical concerns, for example:
• having large amounts of personal information increases the risks of a data breach as well as
the costs of maintenance; and
• retaining personal information encourages its use in various ways, putting more pressure on
privacy rights.
Collecting information
In the course of any transaction, a business will potentially collect a variety of personal information.
While a direct cash transaction will require no personal information at all, ordering goods on the
internet, for example, will require some personal information, such as financial and delivery information.
In addition, a business can also collect information which is not strictly necessary for the completion
of the transaction. While there may be regulatory requirements about the information that can
be requested, a business may ask for information such as alternative contact details, demographic
information or product and service preferences. An individual may also agree to provide a
business with far more extensive information about themselves and their activities in return for
discounts or other benefits. Store loyalty cards, for example, are voluntary schemes which enable
a retailer to link financial transactions with particular individuals, thereby providing substantially
richer information about customer preferences and trends which they can analyse.
In these two cases, the data collection has been consensual, for specific purposes and where there
are established regulations. However, as data gathering goes increasingly beyond information
associated with specific transactions, the limits are becoming less clear. This is especially the case
where information has been aggregated with other pieces of data or where it is being used for a
markedly different purpose.
Public and location-based data, for example, is increasingly captured by surveillance cameras,
transport systems or phone companies via wireless and other technologies which are becoming
embedded in everyday objects. In these cases, the individual may be unaware that data about
them is even being collected. The opportunities presented by RFID technology, for example,
highlight some of the risks here.
Panel 2.15: ‘The internet of things’ and privacy
The ‘internet of things’ is a term used to describe what is seen as the next generation of
technology whereby chips are embedded into everyday physical objects and are able to transmit,
capture and store information. As a result, all kinds of information about location, status and
activity can be captured and transmitted. One such vision is outlined in a write up of an EC-sponsored
workshop in 2008 which considered the implications of the internet of things:
‘… an individual’s mobile phone may consult any stationary sensor in the
room about its location, the thermometer on the wall about the temperature
and the hygrometer about the local weather, and communicate this to the
person’s friends; and their phones will play their friend’s tune when the
person is entering the same building.’ 34
The opportunities to change the way we do things are enormous. However, there are significant
privacy concerns in this area, as so much information will be captured about locations and
activities. While each piece of information may not be personally identifiable, it could be fairly
easy to identify individuals from a combination of pieces of information. This raises questions
about what information is being captured, what it could be used for and who can benefit from it.
34 Output from European Commission / EPoSS expert workshop, Internet of Things in 2020: Roadmap for the Future, p5. See also ICAEW’s response to the related EC-consultation on this topic.
There is also substantial tracking of the activities of individuals on the internet, frequently without
their knowledge or consent. This kind of tracking supports behavioural advertising, which is
discussed in more detail in panel 2.17.
How regulators should approach this widespread collection of information is not yet clear. As
mentioned earlier in this chapter, those who support the approach of accountability may suggest
that attempts to stem the tide of information capture are likely to fail and regulators should
instead focus on how information is used. Others point to technical solutions which anonymise
data or process transactions without disclosing identity details. This may enable businesses to
capture information and realise some benefits from it while not identifying specific individuals.
The role of consent is another important underlying question. While this may be an appealing
solution, and one that the EC is following in its e-privacy directive, 35 it presents many practical issues
around what constitutes consent, how consent can be given and the extent to which individuals
are informed about the risks attached to personal information. It raises serious challenges as the
context and value of information shifts through aggregation or analysis techniques. Consumers
also need to be presented with a real choice, and not feel that they have to consent simply to
participate in the digital economy.
Retaining information
Once a transaction is complete, a business may then delete related information, as it is no longer
needed for the purpose of the original transaction. Alternatively, a business can look to retain and
reuse the information, provided that it has complied with regulatory requirements, such as gaining
consent from the data subject. Most commonly, this reuse would be for marketing purposes.
Like collecting information, retaining personal information in itself potentially has some implications
of harm to individuals, regardless of how it is used. In particular, it potentially breaches what the
European Commission has termed a ‘right to be forgotten’. The EC sees that individuals should
have an enforceable right for information about them to be deleted when they want, and thereby
enable them to be ‘forgotten’. 36 Such a right is central to any claims to be able to control personal
information and concerns have arisen particularly in the context of social websites which do not
delete the profiles of individuals who have deactivated their account.
Furthermore, keeping personal information forever potentially has long-term implications for the
nature of society, as outlined by Viktor Mayer-Schönberger.
Panel 2.16: Los<strong>in</strong>g <strong>the</strong> power to forget<br />
In his book Delete: The Virtue of Forgett<strong>in</strong>g <strong>in</strong> <strong>the</strong> Digital Age (2008), Viktor Mayer-Schönberger<br />
argues that los<strong>in</strong>g <strong>the</strong> power to delete <strong>in</strong>formation potentially has a massive impact on our society.<br />
While hav<strong>in</strong>g all this <strong>in</strong>formation available may seem to offer many benefits, it may also have a<br />
‘chill<strong>in</strong>g’ effect on what people do and what <strong>in</strong>formation <strong>the</strong>y are prepared to share.<br />
As <strong>in</strong>dividuals, we forget embarrass<strong>in</strong>g or stupid behaviour from our youth and we would choose<br />
not to share that <strong>in</strong>formation with potential employers, for example. Los<strong>in</strong>g <strong>the</strong> ability to ‘forget’,<br />
and be<strong>in</strong>g cont<strong>in</strong>ually aware of <strong>the</strong> possible impact of actions or activities <strong>in</strong> <strong>the</strong> future, may<br />
reduce our ability to act freely:<br />
‘Forgett<strong>in</strong>g plays a central role <strong>in</strong> human decision-mak<strong>in</strong>g. It lets us act<br />
<strong>in</strong> time, cognizant of, but not shackled by, past events. Through perfect<br />
memory we may lose a fundamental human capacity—to live and act firmly<br />
<strong>in</strong> <strong>the</strong> present.’ 37<br />
We also forget as a society and enable <strong>in</strong>dividuals to have a second chance, for example <strong>in</strong> <strong>the</strong><br />
cases of failed marri<strong>age</strong>s or bus<strong>in</strong>esses. By reta<strong>in</strong><strong>in</strong>g vast amounts of <strong>in</strong>formation about every<br />
<strong>in</strong>dividual, we potentially change some of <strong>the</strong>se mechanisms and force <strong>in</strong>dividuals to live with <strong>the</strong><br />
consequences of <strong>the</strong>ir actions forever.<br />
An example of <strong>the</strong> direct harm to <strong>in</strong>dividuals from such data retention is found through <strong>the</strong> grow<strong>in</strong>g<br />
practice for employers to search <strong>the</strong> <strong>in</strong>ternet for potentially damag<strong>in</strong>g <strong>in</strong>formation or photographs<br />
of employees or job candidates. A survey by Microsoft <strong>in</strong> 2010 even suggested that 70% of HR<br />
man<strong>age</strong>rs have rejected job candidates because of <strong>in</strong>formation <strong>the</strong>y have found on social network<strong>in</strong>g<br />
sites. 38<br />
35 ICO, ‘UK businesses must ‘wake up’ to new EU law on cookies, Information Commissioner warns’.
36 European Commission Justice Directorate-General, ‘European Commission sets out strategy to strengthen EU data protection rules’.
37 Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age, p12.
38 Michelle Sherman, ‘Social media research + employment decisions: may be a recipe for litigation’.
Rights over personal information
27
Of course, HR managers typically exercise high levels of common sense in reaching their decisions
and are perfectly aware that a picture of a young person engaged in high-spirited activity at a
party does not indicate that the person is incapable of holding down a job. It may also be that, in
many cases, the decision to reject, or not to promote, on the basis of the particular information
discovered was very sound and completely justified. However, it demonstrates that there are
risks of disproportionate consequences from the long-term retention of some pieces of personal
information.
While retaining personal information can potentially lead to harm, though, deletion is also
problematic in practice. Information that has been openly shared on the internet may have been
copied or tagged by others and therefore it may be impossible to delete it entirely. There are also
philosophical arguments. While as a society we have allowed people to forget bad marriages or
bankruptcy, there are other events which we do not allow to be forgotten, such as serious crime.
As a result, we need to consider what information should be retained for what purposes which
balances the different interests and recognises the technological realities of digital data and its
propensity to be copied. It again raises the question of consent regarding the voluntary posting of
information on social websites and the extent to which individuals should be left to manage the
risks surrounding their behaviour themselves. There are also questions regarding the long-term
implications for individual behaviour which remain unexplored at this stage.
2.6 Using personal information in the private sector
While profiling has been a business practice for many years, the sophistication of analytical
systems, combined with the vast digital footprint created by most people, is making profiling
much more powerful. This can provide benefits by targeting products and services to specific
individuals. However, profiling can result in unequal treatment and can offend deeply-held
perceptions of fairness. There is often a lack of due process and accountability about decisions.
There are also concerns about the long-term impact of filtering information or services to narrow
audiences based on this segmentation.
This section considers two particularly controversial applications of profiling by businesses:
• internet advertising; and
• price discrimination.
Internet advertising
In the last ten years, the economy has seen the rise of internet-based businesses. Their business
models are usually based on two key elements:
• providing free services to users; and
• raising revenue through the use of advertising.
Early internet advertising focused on the search process, so that when users searched for
information about a particular topic, they were presented with adverts that were relevant to that
topic. While still an important part of internet advertising, the industry has evolved, with adverts
increasingly targeted to specific users based on their internet activities.
Indeed, advertising is particularly attractive on the internet because adverts can be heavily
targeted to specific users. As websites can gather a wealth of information about users’ desires
and preferences every time they visit, it is possible to make a more accurate match between
consumers and advertisers.
This type of advertising generally works by providing the advertiser with access to particular
profiles of users to display banners or other types of adverts. It does not provide details of
individual users to a third party and therefore may not breach privacy regulations. However, such
techniques generally gather and exploit an enormous amount of personal information in order
to generate revenue.
Panel 2.17: Behavioural advertising
Behavioural advertising, highlighted in the Phorm case study, is advertising which is based on
past internet browsing and online activities. 39 A business captures information about its website
users and then targets advertising on that basis, or sells the information to a third party for this
purpose. For example, a user who has been searching for holidays may be displayed a range
of adverts related to flights and hotels when they log onto their email. A user who has joined
particular social networking groups may be displayed adverts on that topic. Emails are typically
scanned for key words, which are then used to segment the user for advertising purposes.
It therefore goes far beyond simply advertising based on search terms and develops a deeper
understanding of the individual user.
On the one hand, advocates argue that this type of advertising is beneficial as it targets adverts
much more accurately than has previously been possible. This helps both advertisers and the
individual, as the individual is getting adverts which are likely to be of more interest to them.
Opponents, though, argue that users are largely unaware of the amount of personal information
that is being captured and analysed and they are not consenting or in control of their information.
Furthermore, they are then subjected to intrusive advertising which they may not want.
In the UK, the Internet Advertising Bureau has developed a code of good practice concerning
such techniques. 40 Based on three core principles of notice, choice and education, the code
aims to help consumers understand what data is being collected and how it is being used.
Nevertheless, such advertising is an area of growing interest to regulators as techniques
become more sophisticated and businesses gather increasing amounts of personal information
to use for such ends.
However, techniques such as behavioural advertising fund many free internet products and
services and are creating substantial value for businesses and shareholders. Without them,
businesses would need to find other ways to fund their activities and this could result in users
having to pay to access even basic internet services. Indeed, advocates argue that the value
delivered to consumers through internet services linked to behavioural advertising outweighs
the benefits derived by advertisers or the businesses in question. 41 Therefore, framing
legislation that balances the protection of personal information with business innovation is
challenging. Furthermore, given the rapidly evolving technology, ensuring that regulation is
not easily evaded or quickly out-dated will be important.
A somewhat different approach to this challenge is presented by economists who suggest that
individuals should be given full ownership rights over their personal information, which could
be stored in a central data store. 42 They would then have the choice to sell it to other parties for
advertising or other purposes. In this way, the individual would financially benefit from the use
of their data. They argue that this would contrast with the current position, where businesses
potentially benefit from the use and exploitation of the personal information of millions of consumers.
However, this solution raises concerns about the extent to which individuals would make rational
decisions about their personal information, especially where there is a direct financial benefit from
allowing others access.
Price discrimination
Price discrimination is the economic practice of charging customers different prices which are not
related to the costs of serving the customers.
The economics of price discrimination are simple and attractive to businesses. Customers are
often willing to pay different amounts for the same products depending on their circumstances
and characteristics. Indeed, some people actually like to pay a higher price for what is essentially
an identical product because it shows other people that they can afford it.
A business would clearly like to capture the maximum amount that each customer is prepared to
pay. By doing this, a business can maximise their profits while still delivering products and services
to satisfied customers.
39 Julia Angwin, ‘The web’s new gold mine: your secrets’; Emma Conners, ‘Up close and too personal’.
40 Available online, www.youronlinechoices.com/good-practice-principles
41 McKinsey, ‘Consumers Driving the Digital Uptake: The Economic Value of Online Advertising-based Services for Consumers’.
42 For discussion of this approach, see Corien Prins, ‘When personal data, behavior and virtual identities become a commodity: would a property rights approach matter’
There are many well-established examples of price discrimination. Airlines, for example, charge
passengers very different prices for seats next to each other based on when they book and the
precise timing of their journey. However, price discrimination has been hampered in practice by
the difficulty in understanding what each customer will pay. IT and internet profiling can provide
far more sophisticated information and analysis of this and therefore potentially open the door to
far greater price discrimination.
In an article entitled ‘Privacy, economics, and price discrimination on the internet’ (2003), Andrew
Odlyzko argues:
‘The key point is that price discrimination offers a much higher payoff to sellers
than any targeted marketing campaign. Adjacent seats on an airplane flight
can bring in revenues of $200 or $2000, depending on conditions under which
tickets were purchased. It is the potential of extending such practices to other
areas that is likely to be the ‘Holy Grail’ of ecommerce and the inspiration for the
privacy erosion we see.’ 43
Many people see price discrimination as a perfectly legitimate and economically sensible business
practice. Libertarians, for example, argue that even where price discrimination is at play, it still
represents a transaction between consenting parties and it is simply a matter of individual choice
as to whether to make a purchase on these terms. A customer can decide not to purchase a good
at a higher price.
Overt price discrimination, though, remains a controversial and difficult subject for businesses to
confront directly because it undermines many deeply-held beliefs about fairness. Conceptions of
justice, such as that described by John Rawls, 44 have equal treatment at their core. To achieve just
decisions, Rawls describes a ‘veil of ignorance’, whereby decisions are made on the basis of no
knowledge of individual characteristics. Therefore, decisions should not deliberately advantage
one group over another, as the decision maker has no idea to which group he or she belongs.
Historically, the ‘veil of ignorance’ has been real in many cases, as businesses or governments
knew very little about individuals. However, this is changed fundamentally by rich individual
profiles. While it may make economic sense for a business to be highly discriminating in its
products and services, there are deeper questions around whether that is acceptable to wider
society, for example:
• charging individuals who have a genetic predisposition to a serious illness substantially more
for health insurance, or refusing coverage entirely; or
• charging higher prices to poorer individuals on the basis that they are less desirable
customers.
While such practices happen already to some extent, personal profiling enables far more extensive
discrimination in price and service provision.
Given these broader social concerns, Odlyzko argues that while price discrimination may become
increasingly common in business, it is likely to remain hidden and covert. Instead, he suggests
that tools such as payment, or part-payment, via loyalty cards instead of cash, personalised offers
based on previous dealings with a business and bundling products and services together are likely
to become more prevalent as proxies for price discrimination.
2.7 Sharing personal information across the public sector
The opportunity to share information across governments is often essential to increasing the
efficiency and quality of public services. However, it raises practical concerns about the quality
of information and how it is managed. It also leads to many questions about the degree of
governmental power and control gained through centralising personal information.
Rationale for information sharing
In most governments, information has historically been collected by individual agencies for
specific purposes. While this is entirely appropriate, it has often resulted in high levels of
inefficiency and potentially reduced the quality of services and outcomes, for example:
• the same piece of information is collected multiple times for different agencies, so it then
needs to be stored and maintained multiple times; and
43 Andrew Odlyzko, ‘Privacy, economics, and price discrimination on the internet’, p112.
44 John Rawls, A Theory of Justice.
• it is difficult to join together information on the same individuals, potentially resulting in poor
decision making and service.
The opportunity to share information more effectively across governments, therefore, is a very
attractive one and is often an underlying condition to increasing the efficiency and quality of
public services. However, it raises many concerns.
There are practical concerns about the quality of information and how it is managed. Where
information is inaccurate, for example, sharing it multiplies these problems and it becomes very
difficult to correct the information fully. The information may also not be of a good enough
quality to be used in a different way. It is particularly important to compare the context in which
information was originally gathered with the context in which it is to be reused. The information
may be gathered in an informal context, for example, where complete accuracy is not essential.
As a result, the information may not be robustly verified and may remain slightly inaccurate. If it
is to be reused in a context where accuracy is essential, this could be problematic. It could also be
out-of-date, unless there are robust procedures in place for updating information.
There are further concerns about the degree of power and control a government may gain through
the centralisation of personal information, and how it could use this information to abuse power.
Many of the fears relating to government use and abuse of personal information are exemplified
in George Orwell’s novel 1984 and the concept of ‘Big Brother’.
The dangers of a government knowing everything about citizens are seen by many as great.
A government could cause harm to individuals through discrimination and different treatment.
Feeling under constant surveillance may reduce trust in one another and make us more cautious
in our activities and expression. Therefore, even where the intentions of a government are benign,
many see dangers in large-scale government collection and consolidation of personal information.
Of course, where intentions are less benign, there are even greater risks of abuse and harm to
individuals.
Furthermore, in many cases, such as crime prevention or security, the citizen does not consent
to information being collected or reused. The government can also be a monopolistic provider
of services in many cases, so that citizens have no choice about whether to release personal
information. This situation changes the balance of power significantly and contrasts with business,
where customers can choose between competitors.
Approach to government information sharing
In a report commissioned by the UK government in 2008, Richard Thomas, the then Information
Commissioner, and Mark Walport of the Wellcome Trust undertook a review of information-sharing
activities in the UK public sector to determine the opportunities and challenges. They identified
three core areas of information sharing, namely to:
• enhance security and crime prevention and detection;
• improve the quality and efficiency of services; and
• support medical and other statistical research.
They concluded that all three areas could potentially provide many benefits. Sharing information
relating to security and crime could prevent future incidents happening and help to detect
criminals or terrorists. Improving the quality or efficiency of services could reduce the costs of
public services and improve the citizen experience, as well as improve specific outcomes. Research
could help to improve the quality of life and healthcare. However, each had its own set of
challenges and therefore each also needed a distinct style of thinking.
Where consent is not the appropriate basis of information use, such as in the cases of crime or
medical research, the legal framework is based on the notion of proportionality. This means that
in order for information sharing to go ahead, the risks and potential harm are outweighed by
the potential benefits. Clearly, this has to be considered on the basis of specific situations.
In responding to the Thomas and Walport report, the British Computer Society argued that a
fundamental weakness in proportionality is the identity of those whose benefits and risks are
being compared. The interests of the government and the individual data subject will be very
different, which raises serious challenges in applying proportionality. They argued:
‘In most government Departments information risk management is largely
concerned with Departmental benefits and Departmental risk. Until a robust
and transparent means of incorporating risks to citizens’ interests in information
risk management methodology is agreed, it is hard to see how the “objective
judgement” commended by the review can be effectively applied.’ 45
Follow<strong>in</strong>g on from <strong>the</strong> <strong>report</strong> and responses to it, <strong>the</strong> ICO published a Code of Practice for Data<br />
Shar<strong>in</strong>g <strong>in</strong> 2011. This <strong>in</strong>cludes a def<strong>in</strong>ition of data shar<strong>in</strong>g, an outl<strong>in</strong>e of <strong>the</strong> legal environment,<br />
factors to consider <strong>in</strong> decid<strong>in</strong>g whe<strong>the</strong>r to share data with o<strong>the</strong>r bodies and a wide range of<br />
specific practices around consent, security and governance.<br />
2.8 Summary

Personal information is information that is associated with an identifiable individual. Most businesses
hold personal information about employees and customers as part of their day-to-day operations.
Personal information can also be used to generate revenue. As a result, personal information can
be important intellectual property, especially for consumer or advertising-based businesses.

While many businesses may want to make extensive use of personal information, individuals retain
rights over information about themselves and businesses have a range of duties regarding their
use and treatment of personal information. In Europe in particular, personal information is subject
to substantial regulation. Personal information can also be protected through laws targeted at
sensitive pieces of personal information or based on the human rights framework, including the
right of privacy. It can also be protected through commercial pressures.

The notion of a private space has been established since Aristotle’s Politics. However, it remains a
nebulous idea which is subject to diverse views on its scope and importance. We summarise some
of the key theoretical ideas about privacy around the following questions:
• What is the scope of privacy?
• What is the role of consent?
• What are the benefits of privacy?
• What harm is caused by breaches of privacy?
• How should privacy be balanced with other interests?
• How can different cultural views be reconciled?
• How can we understand fragmented and inconsistent behaviour?

IT increases the value of personal information, leading to greater business use and commercial
exploitation of it. This is also leading to growing contention about the limits of business use of
personal information and the ways in which individuals can retain control over it.

More is known and remembered. While data protection principles limit the personal
information that can be collected and retained, emerging practices and technologies enable
businesses to gather increasing amounts of user and location data. Regardless of its ultimate use,
the extensive collection and retention of information in itself may cause individuals concern and
discomfort. Furthermore, the inability to ‘forget’ personal information may have long-term effects
on society as individuals become more conscious of their actions and inhibit their behaviour
accordingly or suffer disproportionate consequences.

Businesses are extensively profiling individuals. While profiling has been a business practice
for many years, the sophistication of analytical systems, combined with the vast digital footprint
created by most people, is making profiling much more powerful. This can provide benefits by
targeting products and services to specific individuals. However, profiling can result in unequal
treatment and can offend deeply-held perceptions of fairness. There is often a lack of due process
and accountability about decisions. There are also concerns about the long-term impact of
filtering information or services to narrow audiences based on this segmentation.

Governments are connecting information about citizens. The opportunity to share information
more effectively across governments is often essential to increasing the efficiency and quality of
public services. However, it raises practical concerns about the quality of information and how it is
managed. It also leads to many questions about the degree of governmental power and control
gained through centralising personal information.
45 The British Computer Society’s Response to the Ministry of Justice on the ‘Data Sharing Review’ by Richard Thomas
and Dr Mark Walport, p2.
32 Rights over personal information
3. Rights over INTELLECTUAL PROPERTY

Rights over intellectual property enable businesses to retain the
cash flow benefit from their creative ideas and use of sensitive
information. However, innovation and creativity are inherently
collaborative and iterative processes. As IT enables ever cheaper
sharing of information, how do we balance the need for rights
with the opportunities generated by sharing ideas?
[Figure: diagram with the labels ‘Recognise and debate issues’, ‘Personal information’, ‘Intellectual property’, ‘Information security’, ‘Concerns about digital information’, ‘Develop new theoretical thinking’, ‘Balance control and use of information’, ‘Collective actions’, ‘Individual actions’, ‘Trust and value creation’ and ‘Create supportive institutions’.]
3.1 The business value of intellectual property

To generate revenue, businesses rely on intellectual property and confidential information, which
can include inventions, formulae, novel processes, creative content, brand names, designs and
customer lists.

Intellectual property is strongly protected in Western legal systems and increasingly demanded
of other countries as a pre-condition to participating in international trade. Specific pieces of
intellectual property can be legally protected through a variety of means, for example:
• inventions or novel processes can be protected through patents;
• creative content (in the form of literary, artistic, musical and dramatic works, films, broadcasts,
communications to the public and software) can be protected as copyright;
• certain databases can be protected in the EU through database rights;
• brand names can be protected as trademarks and designs can be protected as registered
designs and design rights; and
• formulae and customer lists can be protected as confidential information, copyright and
potentially patentable inventions.

IT raises major challenges for protecting and exploiting intellectual property and commercially
sensitive information. However, it also presents significant opportunities for businesses to gain
new audiences for creative content, as well as collaborate in innovative and creative activities.

Economics of information goods

It is well established that the economics of information goods are substantially different to
tangible goods. With tangible goods, every item has a cost of production which reflects the
physical materials, labour and overhead costs. By contrast, information goods, such as inventions,
creative content and customer lists, have a high upfront cost as the information output is created
but there is, in theory, no cost attached to copying the pure information once it has been created.
Therefore, the cost of the first copy is high but practically zero for subsequent copies.

In practice, the economics of information goods have largely been tempered by physical
manifestations, such as paper records, DVDs or books. As a result, there has been a real cost
attached to copying information and the economics have been just like any other tangible good.

IT transforms the economics of creative content by turning the dissemination of information into
a virtual, rather than a physical, activity. This eliminates many of the cost structures surrounding
information goods and indeed brings us closer to the economics of pure information. There
are still substantial costs attached to creating the content and running an online infrastructure.
However, the marginal cost of copying, storing and disseminating an individual piece of data gets
very close to zero.

While this leads to many challenges for business models which have been built on selling
individual pieces of content, it also creates new business opportunities. In particular, the changed
economics have led to what is termed the ‘long tail’ effect. 46 By removing the need for physical
media such as books or CDs, businesses can maintain a much larger inventory of information
goods. This enables a variety of niche content to find a distribution channel, providing consumers
with greater choice and leading to further opportunities for innovation.
46 Chris Anderson, The Long Tail: Why the Future of Business is Selling Less of More.
34 Rights over intellectual property
Reduced costs of information sharing

By massively reducing the costs of sharing information, IT also encourages all kinds of collaboration
and joint working between businesses or between businesses and customers. This has particularly
been seen along supply chains, as businesses have been able to outsource increasing amounts
of work to third party suppliers. It has led to new opportunities to work with partners to create
intellectual property. It has also enabled models which bring together employees and customers
from all over the world.

Furthermore, it provides a wide range of opportunities to share creative content with fresh
audiences. Encouraging the free flow of information also enables businesses to innovate and
create valuable products or services.
3.2 Legal considerations

Intellectual property rights aim to secure the cash flow benefits from the exploitation of
information resources for the rights-holder. Businesses will sometimes use intellectual property rights
to keep information secret. However, in many cases, intellectual property rights enable a business
to sell access to information products and services and keep the related revenue stream.

While intellectual property rights provide exclusive control over information, this control is
typically limited in some way, for example rights are not perpetual. Time limits enable the creators
and inventors to gain commercial advantage for a particular period and thereby recoup their
investment. Thereafter, the content and inventions are opened up for broader use and sharing.

Intellectual property rights can also be limited by the extent to which others can use the
information. In some cases, absolutely no use of the information is allowed, whereas in other
cases, some use may be tolerated.
Panel 3.1: UK intellectual property law

Three of the main types of intellectual property rights in the UK are copyright and database
right, patents and trademarks.

Copyright protects creative content such as music, movies, books, photographs and software.
A database can be protected by copyright if it has been created with originality. Database
right is similar to copyright and applies specifically to databases where the creator has invested
significant time in its compilation and verification.

In the UK, copyright lasts for the lifetime of the creator plus 70 years. It automatically applies to
a wide range of creative content and no registration process is required. Some countries, such
as the US, have rules which allow the limited use of copyrighted material without reference to
the rights-holder for purposes such as education, criticism, news reporting and research. The
UK has more limited exceptions in place.

Patents protect inventions. They provide stronger protection than copyright but are more
limited in their application. Periods are shorter, up to 20 years in the UK. Patents also have
to be applied for and renewed on an annual basis, making it an expensive process. Once a
patent is granted, no-one else can use the invention throughout the period, unless they pay
the rights-holder a licence fee. However, the invention has to be published, enabling others to
understand what has been done, even if they cannot freely copy it.

Trademarks protect brands or logos which have a commercial value and stop them being
imitated or used by other businesses. A counterfeit handbag, which is presented as if it were
made by an expensive brand, is an example here. Trademarks also have to be registered in
advance and renewed every 10 years. However, there is no prescribed limit to how many times
they can be renewed.

The picture is not complete without mentioning confidential information. Trade secrets are
based on the protection afforded to confidential information and they are typically defined as
confidential information which is secret, substantial and identified. 47

Trade secrets are important because many pieces of information, such as customer lists, fall
into this category. They also provide an alternative approach to patent protection and many
small businesses in particular rely on trade secrets rather than investing time and money in
registering patents. Furthermore, they enable a business to keep information secret, unlike
patent protection. However, they do not provide such strong protection as patents, with
recompense for breaches being difficult to achieve in practice.
47 Michael Risch, ‘Why do we have trade secrets?’
Challenge of enforcing intellectual property rights

It has always been possible to breach intellectual property rights by copying information goods.
However, this has been historically limited by the cost and time of the act of physically copying.
As a result, while individuals may have engaged in trivial examples of copying for personal use,
large-scale breaches, known as piracy, were largely undertaken by criminal gangs for profit.

Changes in technology have fundamentally changed the scale and ease with which individuals
can copy material.
• The shift of information from an asset linked to a physical resource to a digital and virtual one
has reduced the marginal cost of copying in most cases.
• Improvements in communications technology, such as broadband, have vastly increased the
amount of data which can be exchanged and reduced the time it takes.
• New tools and applications have been developed which make the process of copying
relatively straightforward.

Large-scale piracy has also been enabled by websites which link people together so that they can
share music, video and increasingly books. The explosion of online file sharing, as it is known,
can be traced back to the Napster website in the late 1990s. 48 Napster, like subsequent sites such
as the Pirate Bay, was ultimately shut down after the courts found it guilty of helping users to
infringe copyright rules. However, similar sites continue to exist and many consumers have not
been deterred from engaging in illegal file-sharing activities.
3.3 Market considerations

The main commercial decision about intellectual property is how it will be turned into cash. In
the case of inventions, trade secrets and trademarks, this will be done indirectly through the use
of the information in the production and sale of other goods. With creative content, businesses
typically look to sell it directly to customers.

Exploiting creative content

While creative businesses have generally sold their products and services direct to customers,
there are a range of business models which use and exploit creative content in different ways.
In an article from 2002, ‘Intellectual Property and the Organization of Information Production’,
Yochai Benkler highlights the wide variety of ways in which information is both an input and an
output of a business model. He places business models across two different axes.
• Monetisation strategy: a business will seek to monetise its content in two broad ways – directly
through sales or indirectly through know-how or building reputation. Of course, some
organisations or individuals do not intend to monetise their content at all and they develop
their content altruistically or purely for pleasure.
• Production costs: a business will incur different costs relating to its use of existing content
in the production of its information products and services. Where a business owns a large
catalogue of creative content, it can reuse it in many ways at no cost. By contrast, a business
without any significant catalogue of its own has to pay to access existing content, increasing
its production costs.

In moving to the virtual world, many content producers have replicated their business models
from the physical world, selling individual pieces of content to consumers. These models are
meeting with varying degrees of success, however, and businesses are experimenting with new
models which are made possible by the changed economics.

For example, there are growing numbers of business models based on giving away content for
free and monetising the value through advertising or other revenue streams. Internet business
models tend to rely heavily on advertising to obtain value from content, rather than requiring
users to pay for accessing the content. This model is also seen in the music industry, where
established artists frequently look to other revenue streams, such as live concerts, merchandising
or paid endorsements.
48 Matthew Green, ‘Napster opens Pandora’s box: examining how file-sharing services threaten the
enforcement of copyright on the internet’.
Some businesses, especially in the music and media industries, are experimenting with
subscription models. In these models, content is not bought by a consumer. Instead, an individual
consumes content over the network on-demand. Typically, a consumer pays a subscription and
has access to limited or unlimited amounts of content for the contracted period.

Alternatively, a business can make most content available free but charge for premium content.
Sometimes called a ‘freemium’ business model, it assumes that consumers will pay for things
which they particularly value, even if they will not pay for creative content more broadly. 49 Spotify
has built its business model on this basis.

Panel 3.2: Alternative business models: Spotify

Spotify has been promoted as a new and potentially sustainable way of generating revenue from
music content in the digital age. 50 It has been supported by a number of the major music labels
in Europe and its business model is markedly different from a traditional music retailer. Instead
of selling particular pieces of music, it is based on a user accessing music on-demand through its
website.

In order to generate revenue, Spotify allows users to access music in two ways. Firstly, they can
access it completely free. However, they have to listen to adverts on a regular basis between their
song choices to fund the service. Alternatively, if the user wants to avoid the adverts, they can
switch to a subscription model, whereby they pay a fee and have no adverts presented to them.
This is a good example of a freemium model, with a mix of free and premium paid-for options,
but whether it generates sustainable value remains to be seen.
3.4 Underlying questions about intellectual property

In many cases, intellectual property rights are clear and the business challenges are largely practical
in nature. For example, where information is self-evidently important and a business wants to keep it
secret, the issues largely concern the effective implementation of information security practices.

However, this clarity can mask deep differences of opinion about the benefits of strong intellectual
property rights compared to the benefits that can be obtained from the free flow of information.

The ability to generate new ideas, creative content and culture has been a central feature of human
endeavour and development throughout history. There is an inherent tension, though, between the
opportunity to build new ideas on what has come before and the desire to control the information
which has been created. The limits on intellectual property rights highlighted in this chapter reflect a
desire by law-makers to balance these competing interests over information.

As the opportunities to share information for a wide range of social and economic benefits grow,
debates touch on some complex underlying questions, including:
• What are the net economic benefits of intellectual property rights?
• What is the moral basis of intellectual property rights?
• What is the impact of changing consumer attitudes to paying for content?
• Are breaches of intellectual property rights morally wrong?

What are the net economic benefits of intellectual property rights?

Intellectual property has been legally protected in one form or another in Europe since the fifteenth
century, and specific rights have evolved to reflect the economic and political needs of the times.
The development of the printing press was a major spur to protect books, leading to early copyright
protections. In the UK, the growth of manufacturing and trade in the same period led to grants of
privilege from the Crown to protect inventions as well as monopolies in trade.

The benefits of strong rights over intellectual property today are largely economic. This reflects
the fact that many intellectual property rights are, in practice, held by businesses or commercial
intermediaries, such as record companies, rather than the original content creator.

49 Pascal-Emmanuel Gobry, ‘What is the freemium business model?’
50 Tim Bradshaw, ‘Spotify on song with 1m paying subscribers’.
Rights over intellectual property
37

Panel 3.3: Welfare economics of intellectual property rights

The conventional argument for intellectual property rights centres on the economics of
innovation. 51 Information creation, invention and innovation have high upfront costs. An
individual or business has to invest substantial time and resources developing the content or idea
before any cash can be realised in return. However, the nature of information means that it can
easily be copied and therefore appropriated by others.

Intellectual property rights provide protection to information creators and give them confidence
that they will be able to reap the financial rewards of their investment. Without these rights,
it is argued, competitors could immediately copy the invention or content. Furthermore, as
the competitor would not have the investment costs to recoup, it could charge lower prices.
As a result, individuals or businesses would be reluctant to make investments in research and
development or new creative content. This could lead to an underinvestment in innovation and
creativity and intellectual property rights aim to correct this market failure.

Some economists have extended this basic theory to argue for stronger rights over intellectual
property. Known as the Property Rights movement, and developed out of the Chicago Business
School, this theory argues that the purpose of intellectual property rights is to maximise the
economic value of the information good. On this basis, stronger rights should be granted to the
creator, which last indefinitely and are not limited by some of the restrictions seen in intellectual
property laws today. This approach would make rights more directly comparable to tangible
property rights.

Advocates argue that full ownership rights are necessary because, if no-one has exclusive control
over a resource, no-one has the incentive to look after it. As a result, the quality of it inevitably
degrades over time.

However, the economic benefits of intellectual property rights are not clear cut. Intellectual property
rights are fundamentally inefficient in economic terms as they build monopolies over ideas or
content. They create a risk of underutilisation of information resources by limiting access to them.
Furthermore, since innovation and creativity are inherently iterative, with ideas and content from
one person building on ideas from another, strong rights potentially stifle progress and cultural
development. Therefore, the long-term benefits of intellectual property can be questioned. 52

There is limited objective economic evidence about the short and long-term impact of intellectual
property rights. The UK Strategic Advisory Board on Intellectual Property Policy (SABIPP) 53
commissioned a detailed survey of economic research in this area in May 2010 and concluded
that more research was urgently required. 54 Most economic research to date has concentrated on
the short-term losses to rights-holders from intellectual property breaches. However, these losses
need to be balanced with any gains to society arising from a greater flow of creative content.
It is also important to understand the long-term impact of changing economic incentives and
rewards, for example the degree to which information production actually reduces or changes
when intellectual property rights are not observed.

What is the moral basis of intellectual property rights?

Although they have a strong economic basis, there are also moral justifications for intellectual
property rights. Creative output can be seen as an extension of an individual’s personality,
particularly drawing on the ideas of philosopher Immanuel Kant. This leads to claims of natural
rights over information which an individual has created, just as an individual has natural rights
over personal information about themselves. John Locke argued for natural rights over creative
output on the basis that individuals should be able to benefit from the fruit of their labours. If they
have invested time and resources in creating ideas and information content, and developed a
close identification with it, others should not be able simply to copy it.

However, as with the economic case for intellectual property rights, there are also arguments
against the moral case advanced by Locke and Kant. 55 Opponents contend that information
and knowledge are public goods and therefore should be shared as widely as possible. Thomas
Jefferson is often quoted in this context, in a letter he wrote to Isaac McPherson in 1813:

‘That ideas should freely spread from one to another over the globe, for the
moral and mutual instruction of man, and improvement of his condition, seems
to have been peculiarly and benevolently designed by nature, when she made
them, like fire, expansible over all space, without lessening their density in any
point, and like the air in which we breathe, move and have our physical being,
incapable of confinement or exclusive appropriation. Inventions then cannot, in
nature, be a subject of property.’ 56

51 For example, Stanley M. Besen and Leo J. Raskind, ‘An introduction to the law and economics of intellectual property’.
52 For a debate on the property rights theory of intellectual property, see Peter Menell, ‘Intellectual property and the Property Rights Movement’, and Richard Epstein, ‘The Property Rights Movement and intellectual property: a response to Peter Menell’.
53 This body was merged into the UK Intellectual Property Office in 2010.
54 Christian Handke, The Economics of Copyright and Digitisation: A Report on the Literature and the Need for Further Research.
55 David Lea, ‘From the Wright brothers to Microsoft: issues in the moral grounding of intellectual property’.

What is the impact of changing consumer attitudes to paying for content?

As this chapter has highlighted, moving towards the economics of pure information means that
it is substantially cheaper to reproduce information goods. Consequently, the price of information
goods becomes more driven by the perceived value of the specific content than the cost of
production. However, the extent to which consumers may be prepared to pay for pure content is
a question vexing many businesses.

This question is made more complex by the explosion of free content on the internet. This has
been provided by amateurs, independent artists and businesses to gain a larger audience for their
content. In this environment, it becomes more difficult to charge for information content.

This affects many businesses which rely on creative content to generate revenue and differentiate
themselves from others. The newspaper industry is facing particularly severe challenges in
competing with free content.

Panel 3.4: The newspaper industry and the internet

The newspaper industry has historically relied on a business model which bundles together a
range of news, analysis and services based on revenue from advertising and direct sales. The
digital world presents two major challenges to this model.

First, it un-bundles these different aspects, which leads to niche competition in each of these areas.
Personal adverts, for example, have to compete with a wide range of specialist websites, making
it harder to secure readers.

Second, it is competing in a world where news can be gained from multiple sources, many of
which give away their content for free. Therefore, the question facing newspapers is: why would
consumers pay for news content when they can get the same content elsewhere free? 57

Instead of charging a subscription, most newspapers have relied on online advertising to generate
income in a digital environment. However, this is a challenging revenue model. It is clearly cyclical,
with advertising revenue difficult to secure in a recession. The experience of reading an online
newspaper is also very different to reading a physical copy. Reading a physical newspaper usually
takes place during an individual’s leisure time, making it a relatively slow and relaxing experience.
By contrast, most viewing of online news takes place during work hours, meaning that it is quick
and focused on exactly what the reader wants to know. As a result, online advertising becomes
less attractive, as readers are more transitory.

As a result, some newspapers are experimenting with models that either require paid-for
subscriptions or mix free and paid-for content. While basic news is ubiquitous, high-quality
analysis and comment is not freely available and therefore becomes potentially valuable. On
this basis, some newspapers charge for what they deem to be valuable content. This approach
appears to have worked for some high-end business publications, which have been able to adopt
a range of paid-for models. However, it remains to be seen whether this will apply more broadly,
and whether sufficient people will pay to offset the loss of advertising revenue from a smaller
readership.

Are breaches of intellectual property rights morally wrong?

While there are robust debates about the optimum strength of intellectual property rights, few
would argue against such rights entirely. As a result, we would expect breaches of intellectual
property rights to be seen as morally wrong.

56 Thomas Jefferson, ‘Letter to Isaac McPherson, Monticello, August 13, 1813’.
57 Knowledge@Wharton, ‘Will newspaper readers pay the freight for survival?’

However, it seems that many people, especially the young, do not view activities such as file
sharing as wrong. The 2009 report Copycats? Digital Consumers in the Online Age, commissioned
by SABIPP, confirmed that while there was substantial confusion about what people could do
legally and what was illegal, given the amount of legitimate free content on the internet, there
could also be a shift in mind-set. In particular, the SABIPP research suggested a strong link
between those that engage in illegal downloading and the idea that piracy is a ‘victimless
crime’.

Content industries argue that when consumers take copies of their content in breach of copyright,
this equates to theft. They consider that the amount of material that is copied constitutes lost
revenue to them and, given the alleged amount of illegal file sharing that takes place across the
world, this potentially amounts to a substantial sum.

In response, it is argued that there is a clear distinction between piracy and physical theft.
Downloading a piece of data involves no direct loss for the content company and is quite different
to stealing a physical item which had a specific production cost. Furthermore, it can only be
equated to a direct loss if the individual would have bought the content but instead chose to
access it illegally.

Instead, supporters of this view argue that when consumers find material which they like,
however they come by it, they are more likely to purchase it, or similar material, legally. This
is supported by research which suggests that those who use online file sharing to access free
content are also more likely to purchase content legally. 58

Hal Varian and Carl Shapiro broaden this point in their book Information Rules: A Strategic Guide
to the Network Economy (1998), to argue:

‘We think the natural tendency is for producers to worry too much about
protecting their intellectual property. The important thing is to maximize the
value of your intellectual property, not to protect it for the sake of protection.
If you lose a little of your property when you sell it or rent it, that’s just a cost of
doing business, along with depreciation, inventory losses, and obsolescence.’ 59

However, this is a complex area because it is important to recognise that, with digital technology,
information is shared by virtue of making a copy of it. This contrasts with the physical world,
where it is possible to share books or records with friends or family on a temporary basis. No-one
suggested that this was depriving rights-holders of revenue. Indeed, public libraries are based on
the idea of many people viewing a single copy of content and sharing content has been seen to
enhance our cultural and intellectual world.

Digital technology is different because it does leave the viewer potentially with a permanent copy
of the material. However, this does mean that intellectual property rights may operate to a degree
that was not originally intended to prevent any kind of sharing. 60

Limits of the current framework for intellectual property

In sections 3.5–3.8, we build on the underlying questions asked in this chapter to address
some of the most controversial aspects of intellectual property today. At the heart of these is
the appropriate balance between exercising strong controls over information and letting it flow
freely.

We consider three areas of particular debate which stem from the changes brought by digital
technology.
• We need to balance strengthening intellectual property rights with encouraging open
approaches and recognise that there are alternatives to strong rights.
• The push for transparency means that there is greater openness in the public and private
sectors.
• Co-creation of intellectual property is happening because businesses are interacting more
with each other and their customers.

58 See some of the arguments by Alexandros Stavrakas in ‘When piracy isn’t theft’.
59 Hal Varian and Carl Shapiro, Information Rules: A Strategic Guide to the Network Economy, p97.
60 Lawrence Lessig, Remix: Making Art and Commerce Thrive in the Hybrid Economy.

3.5 Strengthening intellectual property rights

Intellectual property rights have been substantially strengthened in recent years to enable
businesses to generate more revenue from their creative content or inventions. However, there
are alternative approaches, outlined in section 3.6, which put a greater emphasis on information
sharing. Supporters of these approaches argue that businesses should develop business models
which embrace the new technological opportunities and the openness that these enable, rather
than retain models which are no longer effective in the digital environment.

Stronger legal rights and enforcement

It is commonly acknowledged that intellectual property laws of all types have grown massively
in the past 50 years. The amount of copyright legislation, the length of copyright protection, the
number of patents and the breadth of items given trademark or patent protection are all evidence
of the growing strength of intellectual property rights. 61 This is generally attributed to the
mounting influence of the content-producing industries, such as entertainment, pharmaceuticals
and bio-technology. These industries are likely to benefit from stronger protection of rights and
have the economic power to push for changes. In addition, the Property Rights movement
described earlier has become influential in the US courts and supported a move towards strong
intellectual property rights.

This growing strength is reflected in moves to standardise and harmonise intellectual property
rights across the world. As with privacy, intellectual property rights spring from a Western
legal tradition based on ideas of liberty and the pre-eminence of the individual. However, the
adoption and enforcement of intellectual property rights is increasingly becoming a pre-condition
to participate fully in world trade, with developing nations required to sign up to a range of
intellectual property measures. For example, in order to join the World Trade Organisation, a
state also needs to ratify the Agreement on Trade-Related Aspects of Intellectual Property Rights
(TRIPS). This includes a number of provisions concerning copyright and patent protection.

Furthermore, content providers have emphasised strong enforcement of existing laws. This can be
seen in a number of areas, for example:
• actions against individual consumers who have been involved in illegal file-sharing activities;
and
• pressure on countries hosting pirate sites to prosecute operators, such as action by Sweden
against the Pirate Bay website.

New laws in this area increasingly focus on the role of Internet Service Providers (ISPs) and move
some responsibility on to them to detect and report individuals who repeatedly commit copyright
breaches.

Panel 3.5: The role of the Internet Service Provider

The UK’s Digital Economy Act 2010 potentially requires the largest Internet Service Providers (ISPs)
to terminate the broadband connections of persistent file sharers after a series of written warnings.
This is similar to laws in France, where offenders will be sent warning letters and then made to
appear before a judge if they persist in offending.

ISPs are broadly resistant to the idea of greater responsibility as they do not view themselves as
policing how individuals use their broadband connections. Postal services have traditionally been
recognised as ‘common carriers’, meaning that they have no responsibility for the content of the
post that they collect and distribute. While ISPs can claim to be similarly neutral, there are some
differences. In particular, it is possible to spot activities such as file sharing without opening the file.
As a result, ISPs can identify possible transgressions more easily and in a less invasive manner than
postal service providers.

However, critics argue that there are longer-term implications for using ISPs in this way without
having appropriate controls over what information is being checked and how it is being used.
Currently, demands for ISP monitoring come from many sources and there would be risks to
privacy in particular if monitoring were to become commonplace. 62

61 William Landes and Richard Posner, The Political Economy of Intellectual Property Law.
62 Geoff Huston, ‘The ISP: the uncommon carrier’.

There is also significant opposition to such strong enforcement measures from consumer groups.
They contend that disconnecting broadband connections is wholly disproportionate to the
offence committed and may cause unreasonable harm. Many people may use the broadband
connection in any single household. Depriving the entire household from having broadband
punishes all members by excluding them from many legitimate internet products and services.

There are further practical difficulties. What happens, for example, when an individual downloads
content illegally using the wireless connection of a neighbour which is not properly secured?
Opponents suggest that it may also stop businesses providing free wireless to customers, in case
they use the facilities for illegal file-sharing activities. As a result, opponents argue that laws directed
at ISPs could adversely impact on all kinds of innovative activity in the technology sector and beyond.

3.6 Encouraging open approaches

An alternative to strengthening property rights is to focus on the benefits of information sharing
in terms of creativity, innovation and culture. These ideas are represented in various movements
which fall under the broad banner of ‘openness’ and which are underpinned by a belief that
things can be done better when information is shared and made freely available to others. Open
movements typically promote alternative licensing schemes which protect content, but in a less
restrictive way than traditional copyright licensing.

Indeed, the notion of ‘open’ is at the heart of the internet, both in terms of its technology platform
and its culture, and these movements have largely grown around the internet. This section will
consider three distinct ‘open’ ideas:
• open source software;
• open access; and
• open innovation.
Alternative intellectual property regimes
Open movements do not ignore intellectual property rights. Indeed, a great insight of Richard
Stallman, the pioneer of the open source software movement, was to use intellectual property
rights to ensure that future uses of the software remained free and open. As a result, open
movements typically promote alternative licensing schemes which protect content, but in a less
restrictive way than traditional copyright licensing. These alternative regimes have been adopted
largely by not-for-profit organisations, academics or individual creators, although open source
software has gained some traction in a business context.
These alternative regimes are sometimes called ‘copyleft’ and they have been developed in response
to the opportunities presented by digital technology. The use of digital technology makes it easier
to share information, update it or mix together different pieces of existing content. However,
mainstream copyright protections heavily limit the use of content in this way, making it difficult
to maximise the opportunities presented by the technology.
Proponents of more open licensing also cite the enormous growth in copyright protection in
recent years. Whereas copyright rules for many years applied in practice to only a small amount
of creative outputs, changes in the law have meant that copyright restrictions apply to the vast
majority of content posted on the internet. While few would argue against the right of content
creators to sell their content, critics argue that the degree of control exercised over content today
goes far beyond what was ever originally intended.
Therefore, alternative licensing schemes aim to redress the balance and a well-known example is
the Creative Commons.
Panel 3.6: The Creative Commons
The Creative Commons is a not-for-profit organisation that develops and promotes licences over
creative works which are more open than traditional copyright licences. Within this, there are a
range of options for a creator to choose.
• ‘Attribution’ licences enable others to copy, perform or display the content provided they
attribute it to the creator.
• ‘Attribution no derivatives’ licences enable others to copy, perform or display the work but
they cannot change it in any way.
• ‘Attribution non-commercial share alike’ licences enable others to copy, perform or display
works for non-commercial purposes only. They can also build upon the creation and create
something new, although they will have to license it in the same way as the original work.
Therefore, while they retain some degree of control for a rights-holder, such licences aim to
encourage collaboration and innovation. In a summary of the Creative Commons philosophy
written in 2005, co-founder Lawrence Lessig argues:
‘We believe that many who make their work available on the Internet are
happy to share. Or happy to share for some purposes, if not for others.
Or eager that their work be spread broadly, regardless of the underlying
rules of copyright. And these people, we thought, could use a simple way to
say what their preferences were…. And thus the motivation for CC licenses:
A simple way for authors and artists to express the freedoms they want their
creativity to carry.’ 63
There are many examples of Creative Commons licences, including Wikipedia. There are also
other organisations which have developed alternative copyright systems, such as the GNU
General Public Licence for open source software.
Open source software
The most advanced form of open thinking can be seen in the software world. The idea of open
source software dates back to the 1950s although the term was only adopted in the 1990s.
Open source software relies on a licensing regime which freely shares the software code among
developers. This strongly contrasts with proprietary software where the code is kept secret by
the software company.
The open source approach allows others to freely access, test and develop the code but usually
requires that any developments are also licensed on an open source basis. Therefore, a developer
must license any amendments they make on the same terms as the original code was licensed.
This principle of hereditary licensing is central to the rules of the General Public Licence (GPL).
Open source software is often developed by programmers on a voluntary basis and available free
of charge.
While there are some philosophical arguments concerning freedom of information among open
source advocates, they are largely driven by practical considerations. They argue that open source
software is better than proprietary software because of the way that it is created. By having many
people examine the software, find and correct bugs and add on new pieces of functionality, it
should be better and more robust than software which is developed by just a small number of
people. There are examples of open source software which have been widely adopted, such as
the Firefox web browser and the Linux operating system.
While the notion of open source may seem to go against the interests of commercial bodies,
the economics of software can make open source an attractive model for software businesses.
Software exhibits the economic feature of network effects, so that it becomes more valuable
as more people adopt it. Therefore, in the early stages of software, a business will want to
drive adoption, potentially at the expense of earning profits and open source presents a good
model for driving widespread adoption. A business can then look for ways to make money
from additional functionality or services which they can offer around the basic software. Many
commercial businesses may also plug pieces of open source software into their products,
thereby avoiding licence fees.
Open access
Another example of the open ethos is open access, which involves making content freely available
to read. Open content goes further and enables others to edit content, for example wiki technology.
Open access has been seen prominently in academic publishing, where academics open up their
research for widespread distribution and access. This moves away from the established model of
publishing in paid-for journals. Open access journals are usually funded by institutional subsidies
or by publication fees, which are paid by the author’s institution.
63 Lawrence Lessig, ‘CC in Review: Lawrence Lessig on How it All Began’.
Such an approach makes sense for many academics as they do not sell their research directly.
They are rewarded for their research indirectly through universities and other sources of funding.
Therefore, they are not financially impacted by the potential reduction in revenue which results
from open access. Indeed, sharing the results of their research enables wider distribution, potentially
increasing the impact of the research and meeting broader goals relating to the public good and
the sharing of knowledge.
Opening up content can be done either by authors publishing their research in an open repository
themselves, termed self-archiving, or publishing in an open access journal. In a study by the
EC-funded Study of Open Access Publishing in 2010, approximately 10-15% of peer reviewed
journals were found to be open access, largely scientific and medical journals. 64
There has been some academic research on the extent to which open access increases the impact
of research. Studies usually look at the number of citations for an article as a proxy for the impact
of research and the number of downloads as an indicator of readership. However, the research
findings are contradictory. Gunther Eysenbach, for example, found that open access articles were
cited more frequently than closed access ones, particularly those published in open access journals. 65
In contrast, Philip Davis et al, in their 2008 article ‘Open access publishing, article downloads, and
citations: randomised controlled trial’, found that while open access articles were downloaded
more, there was no increase in citations the first year after publication. They argue that any
apparent increase in citations is likely to be caused by other factors, such as article quality.
Open innovation
In Open Innovation: The New Imperative for Creating and Profiting from Technology (2003), Henry
Chesbrough defines open innovation as:
‘…a paradigm that assumes that firms can and should use external ideas as well
as internal ideas, and internal and external paths to market, as the firms look to
advance their technology.’ 66
Therefore, the essence of open innovation is sharing ideas and working with partners to create
new types of value or new ways of delivering value. This contrasts with a traditional model of
research and development based on an internal research function which is protected by high
degrees of secrecy.
There has been a long tradition of universities and industry working together to develop new
technology, drugs or other inventions. University research and development in areas such as
science and technology have underpinned many pharmaceutical and technical advances.
However, it has been driven in recent years by two interrelated factors, according to Bronwyn
Hall. 67 Firstly, there is a realisation among even large firms that they cannot produce all the
parts of a product or service that a customer needs. Secondly, their products have to work with
others in the marketplace and they need to work with other businesses to ensure this.
Strong intellectual property rights may seem to go against the notion of open innovation.
However, Hall argues that businesses which have adopted open innovation ideas have also
increased the number of patents they have registered.
At the heart of open innovation is the question of how to appropriate value. Claiming rights
over intellectual property is clearly a way of doing this. Indeed, clear allocations of intellectual
property can be helpful when defining and enforcing contracts. However, there are other ways
that businesses can gain value from innovation without using intellectual property rights. For
example, products can be bundled together, some of which are protected and some of which
are not. A business may also want to share inventions and ideas that they do not plan to develop
further themselves. Instead, they may think that others can do more with them, from which they
can then benefit.
The complexity of patent strategy is illustrated through litigation activity around mobile phone
technology. Many technology companies hold patents over different elements of a smartphone.
Therefore, in order to produce a functioning phone, it may be necessary to agree licences with
a number of different businesses. Where two businesses have relevant patents, cross-licensing
agreements may be made. However, where a business has made extensive use of open source,
it may have few bargaining chips in such a negotiation. This has led to businesses acquiring
companies for the purpose of building patent portfolios to fend off litigation and reduce the costs
of cross-licensing. 68
64 SOAP, ‘Open Access journals are 10% of journals: findings from the Study of Open Access Publishing (SOAP)’.
65 Gunther Eysenbach, ‘Citation advantage of open access articles’.
66 Henry Chesbrough, Open Innovation: The New Imperative for Creating and Profiting from Technology, pxxiv.
67 Bronwyn Hall, ‘Open innovation and intellectual property rights - the two-edged sword’.
3.7 The push for transparency
The push for greater transparency is seen most prominently in the public sector, where the Open
Data movement is pushing for the widespread release of government data to drive a variety of
economic and social benefits. As technology has improved, pressures have also grown in corporate
reporting for more comparable and timely data from businesses. However, while there are great
benefits to transparency, it also potentially creates new risks, especially when changes in incentives
change the behaviour of individuals.
Government information
Most pressures for transparency to date have been felt by the public sector. The Open Data
movement encourages the voluntary release of a wide range of data by governments.
Panel 3.7: The Open Data movement
The Open Data movement has grown in recent years based on arguments of transparency,
accountability and democracy. It aims to get governments to release as much information as
possible. This includes all kinds of transactional information, such as budgets, contracts, salaries
and services delivered, as well as things like maps, crime locations and transport information. It
also wants the data to be released in formats that allow it to be easily reused by others and turned
into meaningful information.
Many of the arguments in favour of releasing information are based on principles of democracy
and accountability. Supporters go back to Louis Brandeis’s well known remark from his 1913
article, ‘What publicity can do’, to push the notion of transparency – ‘sunlight is…the best of
disinfectants’. 69 This is a principle that resonates throughout many areas of regulation and is
based on the belief that transparency will drive good behaviour and hold people to account in
the event of failures.
There are also economic drivers to opening up government data. The reason that supporters
want data in a reusable format is to encourage the development of applications that use,
aggregate and analyse data. This might lead to new business opportunities and economic
growth, as well as engaging ways to present information to individuals to support accountability.
A UK government white paper on the topic, published in August 2011, summarised the
benefits in the following way:
‘Open Data may be the most powerful lever of 21st century public policy:
it can make accountability real for citizens; it can improve outcomes and
productivity in key services through informed comparison; it can transform
social relationships – empowering individuals and communities; and it can
drive dynamic economic growth.’ 70
Few people in democratic countries argue against the virtues of transparency. However, there
are some practical concerns about the use of open data. In many cases, the data is raw, raising
risks around its accuracy and integrity. There may not be clear data standards or definitions,
making it difficult to compare data from different sources. In response to these concerns,
supporters of the Open Data movement often point to the notion of crowdsourcing as a way
of correcting errors and inconsistencies. As with open source software, they argue that as more
people see the data, more errors will be spotted and the data quality will improve.
Another area of concern is the surrounding context of data and its overall meaning. Where data
is taken in isolation, it may have little real meaning or its meaning could be misinterpreted. For
example, it is likely to be easy to find data about the costs of projects and much harder to find
useful data about the benefits that have been realised. However, without both types of data, it
is impossible to say whether value has been created.
68 The Economist, ‘Inventive warfare’ and ‘Patently different’.
69 Louis Brandeis, ‘What publicity can do’.
70 HM Government, Making Open Data Real: A Public Consultation, p10.
There may also be unexpected consequences and behavioural changes from the release of
information. While it may be expected that transparency will lead to more responsible behaviour
from government officials, they may react in other ways if they know that their actions will be
made public. Although a strong advocate for the notion of openness, Lawrence Lessig argues for
caution in the rush to release data:
‘We are not thinking critically enough about where and when transparency
works, and where and when it may lead to confusion, or to worse. And I fear
that the inevitable success of this movement – if pursued alone, without any
sensitivity to the full complexity of the idea of perfect openness – will inspire
not reform, but disgust. The “naked transparency movement”…is not going
to inspire change. It will simply push any faith in our political systems over
the cliff’. 71
While it is markedly different to open data, which is concerned with the lawful release of
information by government bodies, the publication by Wikileaks of confidential government
information also raises interesting questions. For example, there have been deep differences of
opinion on the fundamental morality of publishing such information. Some view it as a major
force for information democratisation, enabling individuals to understand the activities, good or
bad, of governments. Others view it as irresponsible and highly damaging.
The Wikileaks case also demonstrates the difficulty of defining the limits of information to be
published and where a notion of organisational privacy starts. While information published
by Wikileaks was unlawfully obtained, and therefore very different to the type of data release
advocated by the Open Data movement, it does highlight the degree of political judgement
involved in deciding where the line should be drawn and where the benefits of government
secrecy outweigh the benefits of transparency and information sharing.
Business reporting
While open data has largely been a public sector issue to date, there are some broader
implications for businesses.
Many companies transact heavily with governments and the push to make contracts more
transparent will have effects on these businesses. Indeed, the scope of open data is typically seen
to extend to any service funded by public money, whether it is run in the public, private or not-for-profit
sector. As a result, information about the size or nature of public sector contracts, which
a business may view as highly sensitive, is likely to become public. Businesses working extensively
with the public sector may therefore have to consider the implications of such scrutiny.
There are also links to other trends in business reporting towards transparency. Shareholders
have always had rights to information through the financial reporting system and the publication
of annual reports. The development of XBRL as a technology to tag financial data provides
opportunities to get this information to the market quicker and in a more comparable format.
The SEC in particular has been a major advocate of XBRL as a means of achieving greater
transparency and enabling retail investors in particular to make better decisions about their
investments.
To date, digital reporting technologies have been used largely to replicate existing financial
reporting, simply changing the technical format in which it is done. However, as the technology
continues to improve, and the costs of releasing information reduce, there may be pressures to
go further. Level 3 digital reporting, as described in the ICAEW report Developments in Digital
Reporting (2005), describes the tagging of elements at the transactional level, not simply the
consolidated reported figures. While businesses may want to keep such information confidential,
it is possible that pressure will grow on businesses to release a wider range of information.
While such information is likely to be of interest to the markets, the greatest pressure may come
from governments and regulators. Tax authorities, for example, have been enthusiastic adopters
of XBRL, as it gives them data in a more useable format, improves the efficiency of their processes
and enables more sophisticated analysis. Such bodies may look to get access to increasing amounts
of data, which may again put pressures on the notion of confidential company information.
71 Lawrence Lessig, ‘Against transparency: the perils of openness in government’, p1.
3.8 Co-creation of intellectual property
Businesses are interacting more with each other and their customers. This is resulting in co-creation
of intellectual property across supply chains and with customers. While businesses may
want to maximise their rights over intellectual property, there may also be new questions about
how the benefits of this collaboration are shared and growing perceptions of unfairness where
businesses exploit the creativity of others.
User-generated content
A major development of Web 2.0 social media technologies has been the growth in content
which is generated and posted online by consumers, rather than professional content providers.
This includes blogs, photos and videos.
Many of the intellectual property issues to date concerning user-generated content have
concerned breaches of copyright by the content creators. By including any clips or extracts
of copyright-protected material in the newly-created content, users are likely to be breaching
copyright rules. They need to obtain the permission of the rights-holder to use the extract, and
this is not always done correctly, opening up the user to legal action for breach of copyright.
Some argue that such complex rules, designed to be used by professional content creators, are
inappropriate in this new, amateur world. However, rights-holders often enforce their rights
strictly and require permission to be granted in every case.
User-generated content also raises new questions concern<strong>in</strong>g who has <strong>the</strong> right to exploit content<br />
which is created and shared <strong>in</strong> this environment. What k<strong>in</strong>d of rights should <strong>the</strong> content creator<br />
have over it compared to <strong>the</strong> bus<strong>in</strong>ess which is provid<strong>in</strong>g <strong>the</strong> platform for post<strong>in</strong>g and shar<strong>in</strong>g it<br />
In practice, <strong>the</strong> rights to exploit <strong>the</strong> content typically fall to <strong>the</strong> bus<strong>in</strong>ess provid<strong>in</strong>g <strong>the</strong> platform.<br />
While users may reta<strong>in</strong> formal ownership rights, <strong>the</strong> bus<strong>in</strong>ess is given open-ended rights to use<br />
it. Therefore, <strong>the</strong> bus<strong>in</strong>ess benefits from advertis<strong>in</strong>g revenue which may be earned from that<br />
particular web p<strong>age</strong>, although of course o<strong>the</strong>r commercial arrangements are also possible.<br />
Panel 3.8: YouTube copyright requirements
YouTube is one of the largest websites which provides a platform for uploading and sharing
videos. It sets out intellectual property rights as follows: 72
• The user retains ownership. However, he or she must grant YouTube and other service
users licences.
• YouTube is given ‘a worldwide, non-exclusive, royalty-free, transferable licence (with right
to sub-licence) to use, reproduce, distribute, prepare derivative works of, display, and
perform that Content in connection with the provision of the Service…’
• Service users are given ‘a worldwide, non-exclusive, royalty-free licence to access your
Content through the Service, and to use, reproduce, distribute, prepare derivative works
of, display and perform such Content’.
Content providers also have to mark their work with a Creative Commons licence, which
enables others to reuse the content provided that they attribute it to the original creator.
Co-creating value
The traditional idea of a value chain is based around a business creating a valuable product or
service for a customer, which a customer then buys and uses. This creates a clear separation
between ‘producer’ and ‘user’.
While the distinction has never been absolute, new technology increases the opportunities to
work together and collaborate in the creation of value. In their article ‘Co-creating unique value
with customers’ (2004), C.K. Prahalad and Venkat Ramaswamy describe value co-creation with
customers in the following way:
‘It begins by recognising that the role of the consumer has changed from
isolated to connected, from unaware to informed, from passive to active.’ 73
72 See www.youtube.com/t/terms.
73 C.K. Prahalad and Venkat Ramaswamy, ‘Co-creating unique value with customers’, p4.
As a result, co-creation creates an experience which is personalised and based on the specific
needs of a customer. Building this more personal relationship with the customer potentially leads
to a greater degree of customer loyalty and a higher-value relationship. By passing activities to the
customer, a business may also be able to see reductions in its own costs.
There are many different ways that the idea of co-creation can be realised in practice. At its
simplest, a business can set up communities of customers to elicit suggestions and feedback
around products and services or help each other with common queries. Customers can also be
used in marketing activities. This has been seen in the growth in ‘viral’ marketing, whereby buzz
is created by individuals circulating material promoting a product or service without the business
being directly involved. Although risky, it can garner great publicity and potentially be more
effective than traditional business-led marketing.
However, ideas of co-creation go beyond feedback and marketing, as shown by the Crushpad
example.
Panel 3.9: Crushpad business model
This Californian-based business specialises in wine production. However, its value proposition is
totally personalised for each customer and the degree to which they want to be involved in the
production of a barrel of their own wine.
Customers develop a plan for their wine based on the grapes of their choice in consultation
with Crushpad experts. The grapes are then grown with the customer able to stay in touch via
occasional videos and online updates. Once the grapes are ready, the customer can become
involved in the physical process of winemaking, for example sorting and crushing the grapes.
As the wine ages, customers can taste it and decide about the blends. Samples can be sent if
needed. Finally, the customer can design a label for their bottles.
As a result, the customer and business interact throughout the process, making it a unique
experience for the individual.
This kind of interaction demonstrates some of the possibilities of blurring the lines between
businesses and customers.
While presenting new opportunities, these changes potentially raise questions around the
appropriation of benefits between parties. Where a customer has been involved in the co-creation
of content or new products and services, there may be growing questions about who has the
right to appropriate its profits. Customers may increasingly demand mechanisms for sharing any
benefits which are derived from their endeavours.
3.9 Summary
To generate revenue, businesses rely on intellectual property and confidential information which
can include inventions, formulae, novel processes, creative content, brand names, designs and
customer lists.
Intellectual property rights aim to secure the cash flow benefits from the exploitation of
information resources for the rights-holder. Businesses will sometimes use intellectual property rights
to keep information secret. However, in many cases, intellectual property rights enable a business
to sell access to information products and services and keep the related revenue stream.
In many cases, intellectual property rights are clear and the related business challenges are largely
practical in nature. However, this clarity can mask deep differences of opinion about the benefits
of strong intellectual property rights compared to the benefits that can be obtained from the
free flow of information.
As the opportunities to share information for a wide range of social and economic benefits grow,
debates touch on complex underlying questions, including:
• What are the net economic benefits of intellectual property rights?
• What is the moral basis of intellectual property rights?
• What is the impact of changing consumer attitudes to paying for content?
• Are breaches of intellectual property rights morally wrong?
We consider three areas of particular debate which stem from the changes brought by digital
technology.
There are alternatives to strong rights. Intellectual property rights have been substantially
strengthened in recent years to enable businesses to generate more revenue from their information
content or inventions. However, there are alternative approaches which put a greater emphasis
on information sharing. Supporters of these approaches argue that businesses should develop
business models which embrace the new technological opportunities and the openness that
these enable, rather than retain models which are no longer effective in the digital environment.
There is greater openness in the public and private sectors. The push for transparency is
seen most prominently in the public sector, where the Open Data movement is pushing for
the widespread release of government data to drive a variety of economic and social benefits.
As technology has improved, pressures have also grown in corporate reporting for more
comparable and timely data from businesses. However, while there are great benefits to
transparency, it also potentially creates new risks, especially when changes in incentives change
the behaviour of individuals.
Businesses are interacting more with each other and their customers. This is resulting in
co-creation of intellectual property across supply chains and with customers. While businesses
may want to maximise their rights over intellectual property, there also may be new questions
about how the benefits of this collaboration are shared and growing perceptions of unfairness
where businesses exploit the creativity of others.
4. INFORMATION SECURITY PRACTICES
Good practices, especially in information security, are needed to
underpin trust and value creation from digital information for
individual businesses. How do new trends in IT change the risks
facing businesses? And how can individual businesses improve
their implementation of practices?
[Figure: diagram with the labels: Recognise and debate issues; Personal information; Intellectual property; Information security; Concerns about digital information; Develop new theoretical thinking; Balance control and use of information; Collective actions; Individual actions; Trust and value creation; Create supportive institutions.]
4.1 Principles of information security
In many cases, information rights are well established and clear. Therefore, the business imperative
is to secure those rights effectively. 74 The field of information security deals with the protection of
valuable and/or sensitive information and is built around three key principles:
• confidentiality;
• integrity; and
• availability.
The principle of confidentiality protects information from data breaches which occur when
information is accessed by, or disseminated to, unauthorised parties. Breaches occur for example
when criminals hack into systems or access them using the stolen details of individuals. Many
data breaches are also caused by employees. This could be through malicious activities, where
employees sell confidential information to competitors or criminals. Alternatively, it could be
caused by careless activities or omissions by employees, where they lose sensitive information,
for example misplacing a laptop which contains customer information.
The second principle is integrity. Information is often relied upon in decision making and needs to
be accurate and complete. Consequently, it may need to be protected from interference or damage.
Financial information is particularly important for a business and there needs to be sufficient
security in place so that stakeholders have confidence in the accuracy of that information.
Finally, the principle of availability ensures that users have access to information when they need
it. Therefore, it protects information from permanent or temporary loss. This could result from, for
example, natural disaster, technical or human error or sabotage.
These principles are well established and information security practices have been present
throughout history. Codes, for example, date back to Roman times, if not earlier, and protect the
confidentiality of information by limiting access to those who know the appropriate code.
Identity and authentication
Confidentiality, integrity and availability are underpinned by notions of identity. Authentication
techniques validate whether people are who they say they are.
Panel 4.1: Types of authentication
There are three established ways of authenticating a person’s identity:
• through something they possess, such as a bank card, access token or formal document
like a passport;
• through something they know, for example mother’s maiden name; and
• through a personal characteristic, which is primarily a biometric factor such as a fingerprint
or iris identification.
Passwords are the most common form of identity authentication for IT systems. These are
simple to use and administer. However, they are not a strong form of authentication and
can usually be broken quite easily through sheer brute force of trial and error character
combinations. Passwords may also be guessed with a little knowledge of the individual user,
where they have used family or pet names, for example, or common words such as ‘password’.
74 Relevant ICAEW publications include Glossary of IT Security Terms 2011, Dealing with Internet Security Threats
and Information Security Myths and Realities Revisited 2011.
Panel 4.1: Types of authentication (continued)
Passwords can be strengthened by lengthening them or including more complicated
combinations of numbers, letters or other characters. Users can also be required to change
them on a regular basis to reduce the impact if a password is compromised.
However, creating stronger passwords can lead to different problems. As users typically find it
difficult to remember long, complicated passwords, they often write them down. This creates a
new risk of the password being seen and used by someone else.
Another way of strengthening authentication is to combine two or more factors, known as two
or three-factor authentication. For example, to access funds in a bank account, an individual
needs to have a bank card (something they possess) and use a PIN (something they know).
Many businesses use access tokens as well as passwords when employees log into systems.
New developments in this area investigate the use of pictures and longer passphrases, which
individuals may find easier to remember, as well as greater use of biometrics as alternative
forms of authentication.
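
The panel's points about brute force, guessable passwords and passphrases can be checked numerically. The following is an added example, not part of the ICAEW report: it estimates the exhaustive-search space of a password from its length and character classes, flags passwords built on common words or user-related names, and compares the result with a randomly chosen word passphrase. The common-word list, the sample passwords, the 7,776-word list size and the guess rate are constructed assumptions.

```python
import math
import string

# Constructed sample; a real check would use a large list of known-breached passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "123456"}
SYMBOLS = string.punctuation + " "  # 32 punctuation marks plus the space
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ASSUMED_GUESSES_PER_SECOND = 1e9  # assumption for illustration, not a measured rate


def alphabet_size(password):
    """Size of the character pool an exhaustive search must cover."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (e.g. accented letters) each widen the pool by one.
    size += len({c for c in password if not any(c in cls for cls in CHAR_CLASSES)})
    return size


def brute_force_bits(password):
    """log2 of the number of candidates of this length over this pool (worst case)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(num_words, wordlist_size):
    """Strength of a passphrase whose words are picked uniformly at random from a list."""
    return num_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second


def assess(password, personal_terms=()):
    """Return the brute-force estimate and whether the password is trivially guessable.

    personal_terms: names tied to the user (family, pets), supplied by the caller.
    """
    lowered = password.lower()
    # Strip the digits and symbols users commonly bolt onto a base word ("Rex2011!").
    core = lowered.strip(string.digits + SYMBOLS)
    known = COMMON_WORDS | {t.lower() for t in personal_terms if t}
    guessable = lowered in known or (core != "" and core in known)
    bits = brute_force_bits(password)
    return {
        "guessable": guessable,
        "bits": bits,
        "worst_case_seconds": seconds_to_exhaust(bits),
    }


if __name__ == "__main__":
    # Constructed sample passwords; "Rex" stands in for a pet name known to a guesser.
    samples = [("password", ()), ("Rex2011!", ("Rex",)), ("kP7#vR2!", ())]
    for pw, terms in samples:
        result = assess(pw, terms)
        print(f"{pw!r:12} bits={result['bits']:5.1f} "
              f"guessable={result['guessable']!s:5} "
              f"worst case={result['worst_case_seconds']:.3g}s")
    for words in (4, 5, 6):
        print(f"{words}-word passphrase from a 7,776-word list: "
              f"{passphrase_bits(words, 7776):.1f} bits")
```

A four-word random passphrase from a 7,776-word list comes out at about 51.7 bits, close to the 52.6 bits of a random eight-character password drawn from all 95 printable ASCII characters, while a base word with digits appended is flagged as guessable regardless of its nominal search space.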
4.2 Established information security practices
The principles of information security are reflected in a wide range of established information
security practices. Business processes and management techniques are a central part of any
information security strategy. Given the dominance of IT, technical computer security is also a
very important component of information security. While regulation has not historically featured
heavily in this area, regulatory pressures are growing as the profile of information security failures
increases.
Management practices and processes
A variety of measures are needed to deliver effective and efficient information security.
Risk management processes are central to management thinking on information security.
A business will have to prioritise between different security measures, based on the resources
available to it and its specific risks. Therefore, risk management underpins a successful and
proportionate security regime and is also the foundation of the more specific management
practices and methodologies outlined in this section.
Information security good practices are reflected most comprehensively in the management
system standard ISO 27001. 75 This is an international standard that was originally developed in
the UK by the British Standards Institute, based on a Code of Practice from the Department of
Trade and Industry. While adoption remains voluntary, public bodies and large businesses are
increasingly demanding that their suppliers adhere to the standard.
Panel 4.2: Security standards: ISO 27001/2 key provisions
ISO 27001 is a management system standard which provides a specification for implementing
an information security management system within an organisation. This is complemented by
ISO 27002, which provides a comprehensive list of possible security controls and is reflected in
Annex A of ISO 27001.
In order to comply with the standard, management needs to follow a set of procedures
which will ensure that proper management of information security, as appropriate to the
organisation, is taking place. There is a requirement to identify important information
assets within a defined scope, including their importance from the differing perspectives of
confidentiality, integrity and availability. A risk assessment must be undertaken, although the
methodology is not prescribed, and management has to demonstrate how it is managing
the identified risks. Finally, management has to confirm that the controls detailed in Annex A
have been considered for their applicability, together with any additional controls specific to
the organisation. An on-going set of processes for management review, audit, documentation,
training awareness and incident management is also required.
75 ICAEW, Information Security – An Essential Today, a Guide to ISO/IEC 27001 and ISO/IEC 27002 for Business
Managers.
Panel 4.2: Security standards: ISO 27001/2 key provisions (continued)
The controls in Annex A are grouped into 11 areas:
• security policy;
• organisation of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management; and
• compliance.
The provisions of ISO 27001/2 are incorporated into the IT Infrastructure Library (ITIL), which is a
set of good practices regarding the management of IT operations and services.
There is also a body of work that has grown up in the context of financial statement audit and
assurance. The reliability of financial information is extremely important to the users of that
information. As the storage and processing of financial information moved from physical ledgers
to computer systems, questions grew about the controls in place to ensure the integrity,
confidentiality and availability of information in this new environment.
As a result, the accounting profession was instrumental in developing new thinking and practices
concerning IT risks. The controls and processes which were developed are now reflected in
Control Objectives for Information and related Technology (COBIT), which was first published in
1996 by the Information Systems Audit and Control Association (ISACA) and is widely used
in IT audit activities. COBIT contains a wide range of measures, processes and controls over the
management of IT systems and the creation of value through IT. Although overlapping with ISO
27001/2, it is a broader set of measures, with information security just one component part.
Information security practices are also likely to be supported by an information security policy.
Such a policy should outline business decisions and the rules and practices to be followed in a
specific area. Information security policies commonly include matters such as:
• responsibility and accountability for security matters;
• employee use of the internet or computing resources for personal purposes; and
• the creation, management and deletion of user IDs to allow access to systems.
Computer and IT security measures
Computer and IT security is also an important part of information security today. The early
computers, developed in the Second World War, were built as standalone machines, with no
connections to other machines. This isolation helped to maintain security and specific measures
addressed physical and environmental threats such as theft, espionage or fire.
These original risks still remain and physical and environmental security continues to have an
important role to play. In addition, computers have moved into the business and consumer
domain, making the environment ever more open. As a result, the risk of security failures has
grown and IT security has constantly evolved to respond to new threats. This has led to a
patchwork of measures in devices and hardware, operating systems, networks and individual
applications, including:
• technology to monitor systems and identify where and when breaches occur;
• technologies such as virus protection and firewalls to keep malign influences out of systems;
• technology to protect the integrity and authenticity of communications, such as encryption
and network security; and
• technology to verify identity such as passwords, tokens and biometric information.
54 Information security practices
Security is an important aspect of how IT systems are built and businesses should include security
considerations in the early stages of commissioning systems to make them secure by design, as
far as possible. A business may also want to manage its risks broadly and minimise the impact
of security breaches. For example, data can be stored across a number of different systems so
that unauthorised access into a single system has less impact. It can implement processes which
regularly monitor systems for intrusion attempts and breaches.
Furthermore, the impact of technical security measures is often to restrict what a user can do.
Indeed, users may bypass controls which they perceive to be unjustified and a hindrance to their
job. Therefore, any security strategy needs to balance security with functionality.
However, there will always be a degree of risk through using networked IT systems. A computer
security expert may argue that the only way to be truly secure is to unplug a computer from
the internet and shut down all network connections. In order to do business, though, this is not
realistic in most cases. A business can restrict what individual users can do on the internet through
a range of technical controls and management policies. However, a business becomes subject to
some security risks in return for connecting computers to a wider network and gaining access to
the potential benefits that this offers.
As with other areas of risk management, a business can choose to mitigate risks, through adopting
appropriate security measures, or simply accept them. It can also outsource security measures to
specialist suppliers, although it will not be able to transfer the risks fully.
The role of regulation
To date, information security has been left primarily to the discretion of individual businesses and
approached as an internal risk management decision rather than as the subject of regulation.
Nevertheless, there is some targeted legislation in place regarding information security. For
example, data protection laws in Europe include legal duties to prevent the unauthorised access
of personal information. These duties are more stringent and rights more extensive in the case of
‘sensitive personal data’, such as religious beliefs, race and sexual orientation. Data subjects also
have the right to correct information which is held about them. Fines can be levied where these
duties are breached.
The US Sarbanes-Oxley Act of 2002, which applies to all businesses registered on a US stock
exchange, requires senior management to confirm that appropriate controls are in place
regarding financial information, including IT controls. For companies that have to comply with
these requirements, anecdotal evidence suggests that there has been an improvement to the IT
controls and security in place, although that has been at a significant cost to businesses. 76
A growing area of regulation is data breach notification laws. These started in California in 2003
and have subsequently been replicated in many US states. The EU also adopted a directive in
2009 applying a data breach notification law to telecommunications companies 77 and a revision
of the data protection rules in Europe may incorporate a broader breach notification requirement.
Panel 4.3: Breach notification laws
Breach notification laws require the disclosure of information security breaches to nominated
public bodies and / or subjects whose information has been compromised. They apply
primarily in the context of personal information.
There are various objectives for these laws. By forcing a business to disclose breaches to
customers whose information has been accessed by unauthorised parties, breach notification
laws enable affected individuals to take extra care, for example checking statements about
financial affairs more closely.
Notification may also improve information security at a macro level through openly sharing
accurate information on what is happening with regard to security threats and breaches.
Currently, there is little objective evidence around the incidence of security breaches. Most of
it emanates from the IT security industry itself and greater transparency of data breaches could
help research on security.
76 Compare the views in these articles – Jeremy Grant, ‘Financial chiefs hit out at Sarbox costs’ and Thomas J. Healey, ‘Sarbox was the right medicine’.
77 EU Directive on Privacy and Electronic Commerce 2002/58/EC, amended in 2009.
Panel 4.3: Breach notification laws (continued)
It is also argued that such laws encourage businesses to adopt good security practices and
discourage poor practices. Because data breaches are publicised, businesses may be more
committed to implementing good security measures and avoiding bad publicity as far as
possible.
Data breach notification laws are not without controversy. It is not necessarily clear what
should be disclosed, when it should be disclosed and what really constitutes a data breach.
Furthermore, businesses are reluctant to share potentially damaging information where they
believe it will be made public. However, such behaviour undermines the broader goals of the
legislation. Therefore, regulators need to balance the desire to deter poor practice through
widespread publicity of failures, with the desire for businesses to share information about
threats and breaches, thereby improving understanding of the wider environment.
The evidence regarding the success of breach notification laws has been mixed. However, the
pressure for such laws is likely to increase as the profile and impact of breaches grow.
There are also examples of industry standards which have been widely adopted. PCI DSS, for
example, has to be complied with by any business which holds payment card data.
Panel 4.4: Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an information security standard that must be followed by any business that stores,
processes or transmits payment card data. 78 This is a single standard that applies across all
of the major card providers and replaces a variety of standards that individual card providers
previously had in place.
The standard contains 12 requirements regarding information and IT security, including
maintaining a secure network, encrypting data when it is transmitted over public networks and
restricting access to card data.
Compliance must be verified annually through a combination of independent audit, third
party vulnerability scanning or self-assessment, depending upon how the organisation is
classified. Organisations either pass or fail the validation process. There is a regime of financial
penalties in the event of non-compliance which can result in multi-million pound fines.
Management challenges
Despite the existence of a wide range of good practices, many businesses struggle to implement
effective information security. One reason for continuing security failures is that it is often difficult
to connect security measures to business priorities and thereby gain sufficient management and
employee attention. 79
Information security practices and policies are likely to be most effective when they are clearly
aligned with business objectives and have strong executive support. In these circumstances:
• practices are more likely to get employee focus and attention;
• management are likely to make better decisions about security and focus resources on the
areas of greatest need; and
• it is more likely that a business will move past a ‘tick box’ mentality and apply specific
practices more meaningfully.
In sections 4.3 to 4.6, we identify four particular management challenges which relate to
understanding the business risks around security failures and enhancing the security capabilities
of an organisation:
• making decisions about security measures;
• building skills and organisational structures for security;
• embedding good practices throughout the business; and
• securing information beyond business boundaries.
78 For an overview of PCI DSS requirements, see Dick Price, ‘What is PCI DSS and who needs to know’.
79 Gurpreet Dhillon and Gholamreza Torkzadeh consider some of the objectives for information security in their article ‘Value-focused assessment of information system security in organizations’.
4.3 Making decisions about security measures
It can be difficult to make good decisions about information security investments. Good practice
suggests that management should assess the risks surrounding information and balance the costs
of security measures against the possible impact of security failures. However, the difficulty of
quantifying these matters limits the effectiveness of structured decision-making processes in practice.
Traditional decision models
Management frequently find it difficult to make good decisions about information security
investments and spending. Indeed, traditional decision models have often been based on ‘FUD’,
or fear, uncertainty and doubt. 80 Alternatively, security functions may be given a fixed amount
to spend however they see fit, with little other financial discipline or oversight. In these cases,
benchmarking figures such as the percentage of IT budget which is spent on IT security become
important prompts for decision making.
Without a structured approach to decisions, businesses could be under or overspending on
security measures. Furthermore, even if the overall security budget is in line with industry averages,
this provides no guidance on whether resources are being spent wisely or prioritised appropriately.
As the risks to information security grow and businesses are subject to an increasing number of
attacks, the impact of poor decisions in this area will also increase.
Quantifying security risks and benefits
There are economic models that a business can adopt to support decision making in this area.
These models focus on a cost / benefit approach and aim to compare the benefits of implementing
security measures with their costs. This is similar to standard investment techniques such as
Return on Investment, which is translated into Return on Security Investment (ROSI). The basic
calculation is shown below.
ROSI = ((Risk Exposure x % Risk Mitigated) – Solution Cost) / Solution Cost
However, ROSI is more challenging than standard investment techniques to apply because of
the uncertainty of the variables. For example, it is difficult to accurately predict the likelihood of
breaches occurring. Although understanding of breaches has improved in recent years, the range
of threats and vulnerabilities around information makes it particularly difficult to predict breaches.
The potential loss is also highly variable depending on the exact nature of the breach and the
information compromised. Losses could include:
• direct loss from the theft of intellectual property or the levying of fines regarding the loss of
personal data;
• time and resources to investigate the breach and fix failures;
• time and resources to inform customers or other authorities of data breaches and manage any
immediate reputational damage; and
• long-term damage to reputation and brand because of the incident.
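The ROSI calculation carried through with uncertain inputs, as an added example that is not part of the report. It assumes risk exposure is loss per breach multiplied by expected breaches per year; all monetary figures, ranges and function names are constructed for illustration.

```python
"""ROSI under uncertain inputs. Added example; every figure below is constructed."""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Range:
    """Closed interval for an input that can only be estimated."""
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low > self.high:
            raise ValueError("low must not exceed high")


def rosi(risk_exposure: float, risk_mitigated: float, solution_cost: float) -> float:
    """ROSI = ((Risk Exposure x % Risk Mitigated) - Solution Cost) / Solution Cost."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    if not 0.0 <= risk_mitigated <= 1.0:
        raise ValueError("risk mitigated is a fraction between 0 and 1")
    return (risk_exposure * risk_mitigated - solution_cost) / solution_cost


def loss_per_breach(components: Mapping[str, Range]) -> Range:
    """Add up the loss categories; each one is itself only known as a range."""
    return Range(sum(c.low for c in components.values()),
                 sum(c.high for c in components.values()))


def rosi_interval(loss: Range, breaches_per_year: Range,
                  mitigated: Range, solution_cost: float) -> Range:
    """Bounds on ROSI when loss, likelihood and mitigation are all ranges.

    Assumption: risk exposure = loss per breach x expected breaches per year.
    For non-negative inputs ROSI rises with each of them, so the bounds sit
    at the all-low and all-high corners.
    """
    if loss.low < 0 or breaches_per_year.low < 0:
        raise ValueError("loss and likelihood must be non-negative")
    worst = rosi(loss.low * breaches_per_year.low, mitigated.low, solution_cost)
    best = rosi(loss.high * breaches_per_year.high, mitigated.high, solution_cost)
    return Range(worst, best)


def break_even_mitigation(risk_exposure: float, solution_cost: float) -> Optional[float]:
    """Fraction of risk the measure must remove for ROSI to reach zero.

    Returns None when the measure costs more than the whole exposure, because
    even removing 100% of the risk could not repay it.
    """
    if risk_exposure <= 0 or solution_cost > risk_exposure:
        return None
    return solution_cost / risk_exposure


def verdict(interval: Range) -> str:
    """Say whether the estimates are tight enough to support a decision."""
    if interval.low >= 0:
        return "justified across the whole range"
    if interval.high < 0:
        return "not justified anywhere in the range"
    return "indeterminate: the sign of ROSI depends on which estimate is right"


# Constructed sample estimates (pounds), one range per loss category in the list above.
SAMPLE_LOSSES = {
    "direct loss and fines": Range(40_000, 400_000),
    "investigation and fixes": Range(10_000, 50_000),
    "notification and immediate reputation": Range(5_000, 30_000),
    "long-term reputation and brand": Range(0, 500_000),
}
SAMPLE_BREACHES_PER_YEAR = Range(0.05, 0.5)   # constructed likelihood estimate
SAMPLE_MITIGATED = Range(0.4, 0.8)            # constructed effectiveness estimate
SAMPLE_SOLUTION_COST = 60_000                 # constructed annual cost of the measure


if __name__ == "__main__":
    # A single point estimate looks decisive ...
    print(f"point estimate ROSI: {rosi(150_000, 0.6, SAMPLE_SOLUTION_COST):+.0%}")
    # ... but the ranges behind it span a heavy loss and a large gain.
    loss = loss_per_breach(SAMPLE_LOSSES)
    interval = rosi_interval(loss, SAMPLE_BREACHES_PER_YEAR,
                             SAMPLE_MITIGATED, SAMPLE_SOLUTION_COST)
    print(f"ROSI range: {interval.low:+.0%} to {interval.high:+.0%}")
    print(verdict(interval))
    print("break-even mitigation:", break_even_mitigation(150_000, SAMPLE_SOLUTION_COST))
```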
Research by Lawrence Gordon and Martin Loeb further highlights the difficulty of security
investment. 81 This research suggests that there is an optimal amount of investment on information
security. Therefore, even where individual measures appear to be justified, they may make no
overall difference to a business. As a result, quantifying the costs and benefits of information
security measures is likely to remain challenging.
Valuing digital assets
To support a more structured approach to security investment decisions, businesses can focus their
security resources on the areas of greatest need. This involves building an inventory of digital
information assets and then establishing which are the most sensitive and valuable pieces of information.
80 Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan, ‘A model for evaluating IT security investments’.
81 Lawrence A. Gordon and Martin P. Loeb, ‘Return on information security investments: myths vs. reality’.
Like ROSI calculations, this is difficult to do in practice. Many businesses may have only a limited
understanding of all the information that they possess and may have to undertake significant
work to firm this up. Valuing information is also likely to be quite arbitrary. Indeed, information
that appears to be fairly worthless when gathered can gain great sensitivity or value when used
in a different context. However, a business is likely to be able to improve its decisions about
security where it can build up deeper understanding of its information assets and their relative
importance.
4.4 Building skills and organisational structures for security
While many information security measures are technical, a business is also likely to benefit from
techniques which integrate security skills and knowledge across technical and business functions.
It is commonly acknowledged that IT projects generate higher returns when they effectively
combine the technical skills of the IT department with the business knowledge and experience
of other parts of the organisation. This helps to deliver technical solutions which meet real
business needs. It enables accountability to be shared across the organisation and sit where it is
most appropriate. It also builds common understanding around the goals of IT projects, thereby
increasing alignment and commitment.
Following on from this, information security also benefits from techniques which integrate skills
and knowledge across technical and business functions. These techniques can support good
practices. They may also support the spread of accountability throughout the business for a range
of security measures, many of which are rooted in business processes rather than being technical
IT measures.
Governance techniques
Information security has historically been seen as a specialist area which has attracted little
attention from wider business functions. This specialisation has been emphasised by the fact that
responsibility for information security has often sat in IT departments. However, the perception of
security as a technical topic increases the challenge of linking security practices and policies with
business objectives.
Information governance is a set of management practices which aims to protect the quality and
control of information throughout the organisation and integrate accountability accordingly. It is
often associated with the notion of stewardship and typically allocates responsibility or ownership
of data to particular individuals. This potentially helps a business to increase accountability for the
use and management of information.
There are a variety of different flavours of governance in this context. The term ‘data governance’
is strongly associated with the implementation and exploitation of large Enterprise Resource
Planning (ERP) systems. It focuses on the quality, security and definition of data. ‘Information
governance’, in contrast, has been developed particularly in the context of medical records and
focuses on the effective, secure and legal use of sensitive health information. ‘Information security
governance’ is another specialist term.
Panel 4.5: Information security governance
The IT Governance Institute, which is the research arm of ISACA, outlines one approach
to sharing major responsibilities over security at a senior level, including the board, senior
executives, a security steering committee and the chief information security officer. Their
publication Information Security Governance: Guidance for Boards of Directors and Executive
Managers (2006) highlights responsibility over six areas:
• the strategic alignment between the business and information security;
• risk management;
• value delivery and the efficient implementation of information security;
• performance measurement;
• resource management and sharing information security knowledge across the business; and
• integration across functions to ensure security policies and measures are understood and
applied.
Skills of information security leaders
Identifying a leader of information security is often seen as central to integrating security across a
business. Many businesses may place this responsibility on IT managers but the new role of Chief
Information Security Officer (CISO) is of growing importance, especially in larger businesses.
It might be expected that such a role would have an increasing focus on business knowledge and
stakeholder management in order to improve communication and build common understanding
of security goals and measures. This would parallel a more general move in IT leaders, where
deep technical skills are often seen as of lesser importance and IT leaders increasingly focus on
understanding the business and communicating with senior management.
A 2010 survey by Marilu Goodyear et al, Cybersecurity Management in the States: The Emerging
Role of Chief Information Security Officers, reports that CISOs believed their most important skills
were communication skills, policy development and political skills. While the role is still in its early
stages and evolving, it would therefore appear that it is a more business-orientated role. This is
supported by the fact that CISOs may not report to the IT function and may not even come from
an IT background.
4.5 Embedding good practices throughout the business
Historically, information security was primarily concerned with physical controls. Information was
held on paper and security was designed to protect physical media. Even in the early days of
computers, security measures focused on physical access to the computer room and fire detection
and prevention. However, while remaining stored in increasingly large databases housed in
mainframe computers, information has also become increasingly available to users on desktops
and laptops and is easily transferable to mobile devices. These changes fundamentally increase
the risks of information security failures.
For example, large amounts of information can be held on small devices and transferred on
the basis of an email and a few key strokes. As a result, data breaches can involve very large
numbers of data records. Furthermore, breaches do not necessarily require malice to occur.
Behaviour that is just a little careless can also lead to significant damage.
Responsibility for information security is now dispersed far beyond a few technical specialists
into the wider organisation. IT has enabled information to be more dispersed, putting greater
emphasis on individual behaviour and making it more important to embed good security
practices. Many data breaches are caused, in practice, by individuals losing or abusing sensitive
information they have on computers and mobile devices. This calls for a different mind-set,
with every individual taking more responsibility for behaving securely and following basic
procedures.
As a result, finding ways to encourage and embed good security behaviour throughout an
organisation is increasingly important. Furthermore, as employees increasingly use consumer
devices, and frequently their own personal devices, to store or access corporate data, embedding
good behaviour will become even more important.
Panel 4.6: The consumerisation of IT
The ‘consumerisation of IT’ refers to employees’ growing familiarity with technology and
the impact that this has on a traditional corporate IT department. As individuals increasingly
use computers and mobile devices in their personal lives, they are demanding similar freedoms
and flexibility in their work-related technology. Indeed, in many cases, employees use their
own smartphones, tablets or laptops for work using a variety of communications technologies.
They may make extensive use of web-based or mobile applications, as well as social media
sites.
In these cases, an IT department is likely to face significant resistance to tight controls over
what employees can do with their equipment. As a result, there is likely to be even greater
reliance on employees’ understanding of the risks and their ability and willingness to take the
appropriate steps to protect corporate data and communications.
Information security practices
59
Raising employee awareness
Training can help raise employee awareness of security policies and processes.
Most businesses have basic security policies and processes in place which facilitate consistent good practice. These could include the processes and authorisations required to set up new user identities (IDs), change profiles or delete IDs once staff have left. They could also include broader staff policies, such as the use of the internet for personal use, prohibitions on downloading non-official software, using memory sticks, maintaining clean desks and using confidential bins for sensitive wastepaper. Businesses may also look to develop policies around the use of social media or smartphones and tablets.
In order to bring these policies to life, businesses need to train employees in information security. Security policies are included in many induction programmes for new employees.
Measures are also often included in individual performance agreements requiring adherence to standards and performance requirements. Internal audits can be a useful way of identifying whether processes and procedures are being followed. And ultimately, holding individuals to account in the event of serious failures sends an important message to the business.
Culture and leadership
Culture and senior-level commitment are also important factors and where security can be aligned with the objectives and brand of the business, it is more likely to become central to business activities.
By contrast, the impact of failures in leadership is highlighted by the case of the HMRC data loss, where insufficient management focus led to good practices not being followed by staff.
Panel 4.7: HMRC data loss
A particularly high-profile data breach took place in the UK government agency Her Majesty’s Revenue and Customs (HMRC) in 2007. In the course of audit activities, the National Audit Office requested HMRC to send it records relating to 25 million state benefit recipients. Junior staff put a copy of a range of all the data, including identity and bank details, onto two CDs. They proceeded to send them through the internal mail, with no record, and then via a courier. The disks did not arrive and were not subsequently found.
A report on the incident and the wider issues of data handling in HMRC found that the incident itself was caused by a series of errors and poor communication, such as the failure to redact personal information and to get authorisation for transferring such a large amount of data offsite.
However, it concluded that the failure could ultimately be traced back to the broader policies and culture of the organisation, stating that ‘information security simply wasn’t a management priority as it should have been.’ [82]
A wide range of institutional factors which had led to the incident were cited to justify this conclusion, for example:
• information security policy was not well communicated;
• there was insufficient training and awareness of policies and procedures; and
• there was a lack of accountability regarding information.
4.6 Securing information beyond business boundaries
A growing security challenge concerns the explosion in outsourcing and collaboration across supply chains. As a result, information rarely sits in one organisation as a static resource but instead is the subject of continual flows between different parties. This may lead to a shift in security thinking, away from establishing a secure perimeter around the organisation to a more dynamic model which emphasises security across a supply chain.
For example, information is likely to be held by a range of suppliers, not simply within the business itself. This complicates the information security process because the business is now dependent on multiple parties to protect information. A business can outsource the implementation of information security policies and procedures but it cannot outsource responsibility for information security. Indeed, in the event of breaches, the business will continue to be held responsible for failures, rather than the outsourcing service provider. As service models evolve, businesses need to retain an active interest in the security practices of their suppliers.
Things are likely to get more complex as IT itself gets increasingly outsourced and managed through shared infrastructure services such as the ‘cloud’.
[82] Kieran Poynter, Review of Information Security at HM Revenue and Customs: Final Report, p3.
Panel 4.8: Cloud computing
Cloud computing is a delivery model by which businesses access their systems over the internet, enabling access wherever and whenever they want. They share the infrastructure with other customers and may also share applications, depending on the model adopted. Therefore, instead of a business owning its own hardware and software, it accesses IT systems as if they were a service, typically paying on the basis of use. [83]
The cloud model is one that generates great interest and excitement from the technology sector. By enabling substantial economies of scale, it should reduce the cost of IT services significantly and provide scalability as well as flexibility for customers.
However, it takes data far beyond the boundaries of an individual business and indeed, it may not be at all clear where the data is physically or who is the supplier at the end of the chain. This clearly raises new issues around the security of information and how customers can gain sufficient comfort from cloud suppliers around their security processes and procedures.
Suppliers often argue that the security within a cloud environment can be substantially better than in an individual business, especially a small business which may lack specialist skills. However, security concerns remain a significant barrier to the adoption of cloud delivery models in the short term.
Information security by contract
One important element of good practice is for businesses to specify requirements regarding information security in their contracts with third parties. A business could require compliance with a standard such as ISO 27001, so as to have confidence that the supplier follows standard information security management processes. This approach is becoming increasingly common with government and large business contracts and is the biggest reason for such standards being adopted in practice. [84]
This trend has led some commentators to contend that, while underlying technical principles, standards and processes will continue to be specified by contracts, information security for many businesses is increasingly going to become a legal as well as a technical topic.
Typically, it is hard for small businesses to specify security standards or conditions in contracts and they are likely to have to rely on standard terms and conditions in supplier contracts. This creates new risks related to reliance on suppliers.
Assurance standards
Supporting contractual requirements is the ability of a business to gain comfort through audit and assurance processes that their data is being protected adequately.
Panel 4.9: Gaining comfort over service providers
There are a number of standards that can be followed to gain comfort over the information security practices of a supplier.
The American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organisation (SSAE 16) was released in 2011. This replaced the AICPA’s Statement on Auditing Standards No. 70 (SAS 70) which was a widely recognised standard to gain assurance over the internal controls of service providers. The update to the standard reflects the changing environment for service providers, including factors such as the globalisation of businesses and a more complex regulatory environment.
[83] ICAEW, Cloud Computing: A Guide for Business Managers.
[84] InfoSecurity Europe and PwC, Information Security Breaches Survey 2010.
ICAEW also has technical guidance in this area. [85] AAF 01/06 and ITF 01/07 suggest a series of control objectives to be addressed when carrying out an assurance engagement on IT outsourcing suppliers.
The International Auditing and Assurance Standards Board’s International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organisation (ISAE 3402) contains substantially the same provisions for application on an international basis.
As with contractual requirements generally, small businesses may find it difficult to demand assurance rights in practice. This potentially increases the risks to them of using third parties. As a result, suppliers may need to publish independent assurance reports on a voluntary basis or find alternative mechanisms to win the trust of potential customers.
4.7 Personal information practices
Information security practices are vital to ensuring the confidentiality, integrity and availability of personal information. There are also some practices that a business could adopt which may help it to manage the specific issues associated with personal information.
This section highlights six such practices:
• organisation structures;
• privacy by design;
• privacy notices;
• responses to privacy failures;
• privacy audit and assurance techniques; and
• privacy-enhancing technologies.
Organisation structures
It can be difficult to establish a coherent organisational structure around personal information because a number of different functions are involved and responsibility cannot be easily contained in one area.
The IT function, for example, needs to be aware of privacy requirements when designing systems and managing information security. A system can be highly secure while not respecting privacy, for example if it retains or reuses information without the consent of individuals. However, it is also possible to design systems in such a way as to protect privacy, for example by obscuring certain pieces of data and making it difficult to aggregate data together.
Legal functions are likely to have a central role in determining and implementing privacy policies, especially where a business operates in a highly regulated environment. The complexity of legal requirements is likely to require specialist skill and knowledge.
Marketing functions need to be highly aware of privacy issues, as they are likely to be reusing personal data in customer analysis and communication and looking to maximise the value of the information they have.
In the US, responsibility for privacy matters has often been a high-profile role, with the recent development of the Chief Privacy Officer role in many large US businesses. This reflects a stronger commercial focus in the US on privacy. By contrast in Europe, privacy has often been seen as a compliance-based and administrative role, applying the requirements of data protection legislation rather than providing strategic value. However, as the importance of personal information to business models grows, so too do the risks attached to it. Therefore, senior level involvement may become more common. [86]
[85] See Technical Release AAF 01/06, Assurance Reports on Internal Controls of Service Organisations Made Available to Third Parties and Technical Release ITF 01/07, Assurance Reports on the Outsourced Provision of Information Services and Information Processing Services.
[86] International Association of Privacy Professionals, A Call for Agility: The Next Generation Privacy Professional.
Privacy by design
Privacy by design is an approach to designing systems, processes and new products whereby privacy implications are considered as early as possible. [87] Developed as a concept in the 1990s by Ann Cavoukian, the Privacy Commissioner of Ontario, it is built on the observation that in many cases, businesses only consider privacy requirements at the end of a project, when they are looking at compliance issues.
Failures to take account of privacy early in a project could be due to lack of management attention or interest in the issue. There is also an inherent tension between innovation and compliance functions, and finding ways to support new ideas while considering privacy constraints can be difficult in practice. Building a dialogue around privacy requirements across the organisation is therefore an important step and privacy impact assessments are a way of doing this.
Panel 4.10: Privacy impact assessments
A privacy impact assessment (PIA) is carried out in the early stages of any project which may make use of personal information and potentially threaten privacy rights. Such assessments are similar in concept to environmental impact assessments and are not usually mandated.
A PIA aims to help a business identify all the privacy risks related to system, process or product changes and thereby design systems which are sensitive to privacy considerations. The UK ICO describes the benefits of PIAs as follows: [88]
• ‘To identify privacy risks to individuals.
• To identify privacy and DP compliance liabilities for your organisation.
• To protect your reputation.
• To instil public trust and confidence in your project/product.
• To avoid expensive, inadequate ‘bolt-on’ solutions.
• To inform your communications strategy.
• Enlightened self-interest.’
There are a number of templates and checklists which can be used to help in this process, including a handbook from the ICO. These emphasise the need for assessments to take place early in the process and go beyond a mechanical tick-box exercise. Rather, they should link to the wider risk management processes of the business.
Most PIAs to date have taken place in the public sector, rather than the private sector. However, regulators encourage them as useful tools in implementing a privacy by design approach.
Privacy notices
Privacy notices are an important part of communicating privacy practices to individual consumers. They lay out the privacy policies and practices of a business and enable a consumer to consent to the use of their personal information in the ways specified. As a result, in consumers’ eyes, they support:
• Transparency – having visibility of the personal information held by a business and how it is used; and
• Control – having the ability to opt in or out of particular uses and maintain some control over what personal information is shared.
However, privacy notices are often written in legal jargon and can therefore be difficult to understand. As a result, individuals frequently ignore privacy policies in practice.
It is suggested that a business develop a range of notices for different audience needs, based on some simple standard templates. Where such notices are clear and easy to compare, this approach potentially builds higher levels of trust with consumers and is popular with regulators. A multilevel privacy notice will typically consist of three layers [89]:
• a very basic notice, with contact details and how the information will be used;
• a condensed notice, including clear sections such as scope of the policy, personal information collected, use of information, choices and contact details; and
• a full notice, with all the information that a consumer could need.
[87] ICO, Privacy by Design.
[88] ICO, Privacy Impact Assessment – An Overview.
[89] See, for example, the 2006 guidance from the OECD, Making Privacy Notices Simple: An OECD Report And Recommendations.
However, there is a balance to be struck as high levels of transparency and control are not necessarily easy to understand and exercise. Where a business seeks to give users very granular control over how their personal information is used and shared, this may result in complex and unusable settings, as evidenced by the social networking site Facebook’s difficulties in this area.
Panel 4.11: Facebook’s privacy settings and controls
Through 2009 and 2010, Facebook took substantial criticism for sharing users’ personal information with other businesses and putting it in the public domain. One of the issues at the heart of this debate was control and clarity over what Facebook was doing. [90]
Facebook argued that they took a granular approach, giving users a very specific set of controls over how their information was shared. However, this control was accompanied by default privacy settings which shared information very publicly. Therefore, while users could continue to keep their personal information private within their network, the onus was on them to manage their privacy settings proactively. Of course, in many cases, users did not act proactively and allowed the default settings to operate.
Furthermore, the granularity meant that the privacy settings became extremely complex to manage for the average user. As was noted by the New York Times, the Facebook privacy policy, at 5,830 words, was longer than the US constitution. There were 50 settings and 170 options.
In an article in the Washington Post, Mark Zuckerberg acknowledged the errors made by Facebook. [91] While he defended the broad position of the business, arguing for the merits of more open data, he accepted that the controls were too complex and users did not feel in control of their information:
‘The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark… We have heard the feedback. There needs to be a simpler way to control your information.’
Therefore, finding the balance so as to make users feel genuinely empowered is an important lesson for businesses.
Responses to privacy failures
In spite of good practices, privacy failures can still happen and lead to substantial reputational damage. Therefore, managing the consequences of breaches is an area of growing importance.
Businesses are likely to take an approach similar to other types of disaster management activity where reputation could be damaged. The aim is to respond quickly and effectively to customer concerns and actions could include:
• withdrawal or amendment of the changes which raised concerns;
• direct communication with the affected customers;
• working with regulators to take on board their concerns; and
• longer term public relations activity to rebuild reputation.
Google’s experience with Buzz is a good example of such actions.
[90] New York Times, ‘Facebook privacy: a bewildering tangle of options’ and Nick Bilton, ‘Price of Facebook Privacy Start Clicking’.
[91] Mark Zuckerberg, ‘From Facebook, answering privacy concerns with new settings’.
Panel 4.12: The controversial launch of Google Buzz
Google is at the leading edge of using personal information. However, Google has experienced problems in the development of new products and the launch of the Buzz product was one such example.
Buzz is a social networking tool linked with Google’s email service. Upon launch, users logged onto their email accounts to find that they were automatically part of a new network, based on the contacts that they had on email. Furthermore, other users could see their network and therefore their closest contacts. Given that no consent had been given for sharing this information with others, this not only offended many users but also breached privacy laws in some countries. [92]
Google responded to criticism in a number of ways. First, they amended the product to take account of the feedback. Google’s own blog stated:
‘We’ve heard your feedback loud and clear, and since we’ve launched Google Buzz four days ago, we have been working round the clock to address the concerns you’ve raised….’ [93]
Google also issued an apology and explained that, although they had tested the system internally, this had been insufficient.
While this response succeeded in stemming some of the criticism, many claimed that it did not go far enough and a group of regulators continued to examine whether it breached privacy laws. Indeed, the Canadian Privacy Commissioner, backed by regulators in nine other countries, wrote an open letter to Google in April 2010. In it, she argued that although Google did respond quickly and apologise, it showed a disregard for privacy in its development of new products and services:
‘While your company addressed the most privacy-intrusive aspects of Google Buzz … we remain extremely concerned about how a product with such significant privacy issues was launched in the first place…. It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.’
This response demonstrates the care that a business needs to take when developing new<br />
products for customers that also satisfy regulator and customer concerns.<br />
Privacy audit and assurance techniques<br />
To gain confidence that their privacy practices are appropriate and effective, and to demonstrate<br />
this confidence to others, a business can build on established audit and assurance techniques.<br />
Panel 4.13: Privacy audits<br />
A privacy audit aims to gain comfort that a business is complying with relevant laws and<br />
regulations and is managing privacy risks in this area appropriately. As the risks and profile<br />
of privacy issues grow, so too do the demands for privacy audits. They are becoming a<br />
particularly popular mechanism for regulators to employ.<br />
As highlighted in panel 2.6, the FTC imposed an obligation on Google to have independent<br />
privacy audits every 2 years for the next 20 years following the Buzz product launch. Similar<br />
requirements were made by the Canadian Privacy Commissioner.<br />
The UK ICO has also increased its privacy audit activities. Audits on private sector companies<br />
are carried out with the consent of the business, although consent is not needed in the<br />
public sector. An executive summary of privacy audits is published on the ICO’s website<br />
and organisations audited by the ICO include Google, the Metropolitan Police, Nationwide<br />
Building Society and the Law Society. However, only 19% of businesses which were offered a<br />
privacy audit by the ICO accepted it. 94<br />
92 Nicholas Carlson, ‘Warning: Google Buzz has a huge privacy flaw’.<br />
93 Todd Jackson, ‘A new Buzz experience based on your feedback’.<br />
94 Cameron Craig, ‘Data privacy: When will watchdog ICO get its teeth into private sector audits’.<br />
Panel 4.13: Privacy audits (continued)<br />
In response to the growing demand for audits, the AICPA and the Canadian Institute of<br />
Chartered Accountants (CICA) have issued a set of Generally Accepted Privacy Principles.<br />
These can be used by businesses or audit firms to support a range of activities, including<br />
internal and external privacy audits.<br />
A business can also look to third party privacy seals to provide assurance to stakeholders on its<br />
privacy practices, such as CICA’s WebTrust seals or those provided by the company TRUSTe.<br />
These schemes are usually based around the Fair Information Principles and provide mechanisms<br />
for regular audits. Privacy seals have become very popular, especially in the US, where many<br />
established websites display them. However, critics of such schemes point out that a business<br />
usually pays to be accredited, raising questions around the independence of assessments.<br />
Privacy-enhancing technologies<br />
The notion of privacy-enhancing technologies (PETs) was first outlined by David Chaum in 1981. 95<br />
Since that time, a wide range of PETs have been developed which are designed to help individuals<br />
protect and manage their personal information. Consequently, they can be employed to mitigate<br />
or manage many of the problems outlined in Chapter 2.<br />
PETs can broadly be divided into two types. There are tools which help an individual manage their<br />
personal information and which are therefore focused on transparency and control. And there are<br />
technologies which aim to prevent others from gathering personal information, including:<br />
• anonymising or pseudo-anonymising products which strip the identity of the individual from<br />
the rest of the data;<br />
• encryption tools which stop unauthorised parties from accessing information;<br />
• filters and blockers which stop third parties from reaching individuals; and<br />
• track and evidence erasers.<br />
Anonymity techniques are particularly popular. For example, the Open Data movement is looking<br />
to these techniques to enable the release of personal information without compromising privacy<br />
rights. While they may be attractive, anonymity techniques are challenging in practice. Unless they<br />
are carried out very well, it can be possible to re-identify individuals by combining bits of data.<br />
Panel 4.14: The problems of anonymity: the Netflix data prize<br />
Netflix is a US-based business which rents movies to its customers. As part of the service,<br />
customers are invited to post reviews and ratings of the films they watch to provide feedback<br />
to other customers. This information is then used to recommend films to other users.<br />
In 2007, Netflix established a prize, worth $1 million, to improve their recommendation<br />
algorithm. This was based on publicly releasing a data set containing 100 million movie ratings<br />
by 500,000 users. These ratings were anonymised by stripping any identification from the<br />
data set.<br />
However, two researchers from the University of Texas, Arvind Narayanan and Vitaly Shmatikov,<br />
were able to re-identify specific individuals by matching data from the Netflix data set with<br />
publicly available data from another movie review site, IMDb, which did have personally<br />
identifiable information. 96 By using just 50 profiles from the IMDb site, they were able to<br />
re-identify two individuals with statistical near certainty. Netflix subsequently abandoned<br />
plans for a second prize.<br />
Therefore, while anonymising techniques potentially have an important role in protecting<br />
individual privacy, there are significant difficulties in achieving true anonymity in the digital<br />
environment. These difficulties underlie the challenge of defining personal information when<br />
individuals can be identified through combinations of non-sensitive data.<br />
Governments also have concerns about the use of strong PETs, where they limit a government’s<br />
ability to track communication between crime and terror suspects.<br />
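The re-identification problem described in Panel 4.14 can be tested for before a data set is released.<br />
This added example (not part of the original report) lists which pseudonyms in a small constructed ratings table are singled out by any k known ratings; the table, the function names and the three generalisation options are assumptions made for illustration.<br />

```python
from itertools import combinations

# Constructed sample release: (pseudonym, film, rating 1-5). Not real data.
RELEASE = [
    ("u1", "Film A", 5), ("u1", "Film B", 4),
    ("u2", "Film A", 5), ("u2", "Film B", 2),
    ("u3", "Film A", 3), ("u3", "Film B", 4),
    ("u4", "Film A", 3), ("u4", "Film B", 2),
    ("u5", "Film A", 5), ("u5", "Film B", 4), ("u5", "Film E", 4),
    ("u6", "Film A", 3), ("u6", "Film B", 2), ("u6", "Film E", 4),
]


def exact(film, rating):
    """Release each rating unchanged."""
    return (film, rating)


def like_dislike(film, rating):
    """Coarsen ratings to liked (4-5) or not liked (1-3)."""
    return (film, rating >= 4)


def film_only(film, rating):
    """Drop the rating and release only which films were rated."""
    return (film,)


def build_profiles(rows, generalise=exact):
    """Group released rows into one attribute set per pseudonym."""
    profiles = {}
    for pseudonym, film, rating in rows:
        profiles.setdefault(pseudonym, set()).add(generalise(film, rating))
    return profiles


def matching_pseudonyms(profiles, known):
    """Pseudonyms whose released profile contains every known attribute.

    The result is the anonymity set for someone whose `known` ratings are
    visible elsewhere, for example on a public review site.
    """
    known = set(known)
    return sorted(p for p, attrs in profiles.items() if known <= attrs)


def exposed_users(profiles, k):
    """Pseudonyms singled out by some combination of at most k attributes.

    Uniqueness is monotone: adding attributes to a unique combination keeps
    it unique, so checking combinations of size min(k, profile size) is
    enough to cover every smaller combination as well.
    """
    exposed = []
    for pseudonym, attrs in profiles.items():
        size = min(k, len(attrs))
        if any(matching_pseudonyms(profiles, combo) == [pseudonym]
               for combo in combinations(sorted(attrs), size)):
            exposed.append(pseudonym)
    return sorted(exposed)


if __name__ == "__main__":
    options = (("exact", exact), ("like/dislike", like_dislike),
               ("film only", film_only))
    for name, generalise in options:
        profiles = build_profiles(RELEASE, generalise)
        for k in (1, 2):
            print(f"{name:12} k={k}: exposed {exposed_users(profiles, k)}")
```

In this constructed table no single rating identifies anyone, yet two ratings together single out four of the six users. Coarsening ratings to like/dislike leaves the same four exposed, while dropping ratings altogether exposes none.<br />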
95 Enterprise Privacy Group, Privacy by Design: An Overview of Privacy-Enhancing Technologies.<br />
96 Arvind Narayanan and Vitaly Shmatikov, ‘Robust de-anonymization of large sparse datasets (How to break<br />
anonymity of Netflix prize dataset)’.<br />
Furthermore, PETs have not been heavily adopted in the marketplace by users. There are a<br />
number of possible reasons for this. The business case for adoption by businesses or the technology<br />
industry may not be clear. Instead, it is largely left to individual users to adopt them. When combined<br />
with a low ease of use for many of the tools, PETs to date have met with limited success in practice.<br />
4.8 Intellectual property practices<br />
Specific practices to protect intellectual property fall into two broad areas.<br />
• There is intellectual property or sensitive commercial information that a business wants to<br />
keep secret. In these cases, the key risks come from failures in security, for example where<br />
intellectual property is appropriated by hackers or sold by employees. As a result, practices<br />
are largely based on information security principles.<br />
• There is also information content that a business wants to exploit but share widely. Here, the<br />
risks concern access to content without paying for it. In these cases, businesses are concerned<br />
with the enforcement of intellectual property rights.<br />
Implementing effective information security practices<br />
There are many anecdotes concerning organised criminal and state-sponsored gangs hacking<br />
businesses in order to gain access to valuable intellectual property which they can sell to rival<br />
businesses or governments. As a result, technical security measures are likely to be increasingly<br />
important to businesses as they attempt to keep their sensitive information confidential.<br />
Business employees can perpetrate intellectual property theft by selling information to<br />
competitors. As a result, controls around information access for employees may be particularly<br />
important and there are many good practices which can stop unauthorised access or track<br />
suspicious activity, such as system ID management and audit trails. Staff morale can also be an<br />
important influence on whether employees may engage in such activities.<br />
The increase in information sharing across businesses is also an area of growing risk. To a large<br />
extent, risks here can be mitigated through contractual arrangements between parties and<br />
effective security measures to protect intellectual property from unauthorised access by suppliers.<br />
However, a business may need to consider how to structure relationships between different<br />
parties across the supply chain and what intellectual property it is prepared to share.<br />
Digital rights management systems<br />
Technology and content companies have experimented with systems to protect intellectual<br />
property rights for many years with varying degrees of success. Now termed digital rights<br />
management (DRM) systems, they stop the user from copying content. However, they have<br />
attracted significant controversy. 97 As a result, while DRM systems are used, they are not<br />
universally implemented by content producers.<br />
Critics accuse DRM technologies of being disproportionate. While they can stop casual copying,<br />
DRM systems can never, in practice, stop determined individuals from circumventing protections<br />
and illegally copying material. However, they can have a disruptive and detrimental impact on<br />
other users.<br />
DRM systems are generally not compatible with one another and there are no clear standards in<br />
place. Instead, they are closely linked with the device or service which is being used and therefore<br />
they can be inflexible and inconvenient, locking users into specific pieces of technology. This has<br />
made the idea of DRM very unpopular with users who can end up paying more than once for the<br />
same piece of content on different platforms. It also has long term implications for the sustainability<br />
of content. If content is tied in with particular pieces of software or hardware which are not<br />
compatible with other systems, it could result in content becoming inaccessible in the long-term.<br />
Another criticism of DRM is that it can provide controls that go beyond the intellectual property<br />
rights currently provided for in law. Indeed, sceptics of DRM refer to ‘Digital Restrictions<br />
Management’ as a more accurate description of what it does. For example, in some cases, DRM<br />
may prevent any kind of copying, which goes beyond what many countries allow through the<br />
fair use doctrine. It is also possible for the content provider to have access to see how the content<br />
has been used, giving them insight into the individual consumer. Many opponents see this as<br />
inappropriate and an invasion of privacy.<br />
97 See the opposition by the Electronic Frontier Foundation at www.eff.org/issues/drm.<br />
As a result of these arguments, most music today is downloaded without DRM software. However,<br />
other content, such as movies and video games, is still protected in most cases by DRM software<br />
and its use continues to provoke strong debate.<br />
It should be noted that DRM systems are also suggested as a way of protecting personal<br />
information and enabling an individual to have control over how their personal information is<br />
accessed, used and shared.<br />
4.9 The growing regulatory agenda<br />
As security failures increasingly impact on individual consumers and citizens, there is a developing<br />
regulatory agenda, particularly around the security of personal information. As a result, a business<br />
may need to shift its thinking from internal risk management to meeting external demands.<br />
Economics of information security<br />
An important influence on the development of information security legislation has been the<br />
thinking of economists in the growing field of information security economics. Researchers have<br />
observed that software in many instances continues to be quite insecure, despite opportunities to<br />
improve security. In looking for reasons for this failure, it is argued that the issues are not purely<br />
technical. Rather, the economic incentives around security are not fully aligned and the parties<br />
with the greatest power to improve security are not encouraged or rewarded to do so. 98<br />
In practice, the burden of securing data typically falls on individual businesses or consumers.<br />
However, those with the technical or financial power to make a significant difference to information<br />
security in practice are players in the technology industry and financial institutions. The economic<br />
analysis of this area is growing and is likely to provide new perspectives.<br />
Panel 4.15: Information security regulation and the House of Lords report<br />
In 2007, the UK House of Lords Science and Technology Committee undertook a review of<br />
internet security relating to individual consumers. Influenced by the economic approach, they<br />
made a number of recommendations to align incentives more effectively and increase<br />
transparency around the actions of different market participants. For example, it recommended:<br />
• exploring the possibility of greater vendor liability in the event of security failures which<br />
could be attributed to the negligence of the supplier;<br />
• that banks be held responsible for losses caused by financial fraud;<br />
• that internet service providers develop stronger industry security standards in the provision<br />
of internet connections to consumers; and<br />
• the enactment of a data breach notification law.<br />
All of these measures were intended to shift the responsibility from the consumer onto the<br />
industries which can make a real difference to information security in practice. However,<br />
despite wide-ranging consultations on the report, the UK government did not implement the<br />
recommendations.<br />
There is also growing research into the economic incentives around privacy protection, such as<br />
with PETs. While the costs to implement such technologies may be clear, the benefits of being<br />
proactive remain uncertain. There has been a range of studies into the potential business case<br />
of good privacy practices and PETs. 99 However, business behaviour in practice is typically still<br />
driven by the threat of financial penalties in the event of non-compliance, rather than the positive<br />
benefits of good privacy practices.<br />
4.10 Summary<br />
In many cases, information rights are well established and clear. Therefore, the business imperative<br />
is to secure those rights effectively. The field of information security deals with the protection of<br />
valuable and/or sensitive information and is built around three key principles, namely confidentiality,<br />
integrity and availability.<br />
98 This is explored in more detail in Ross Anderson, ‘Why information security is so difficult - an economic<br />
perspective’.<br />
99 See, for example, London Economics, Study on the Economic Benefits of Privacy-Enhancing Technologies: Final<br />
Report to The European Commission DG Justice, Freedom and Security and the ICO, The Privacy Dividend: The<br />
Business Case for Investing in Proactive Privacy Protection.<br />
The principles of information security are reflected in a wide range of established information<br />
security practices. Business processes and management techniques are a central part of any<br />
information security strategy. Given the dominance of IT, technical computer security is also a<br />
very important component of information security.<br />
Despite the existence of a wide range of good practices, many businesses struggle to implement<br />
effective information security. One reason for continuing security failures is that it is often difficult<br />
to connect security measures to business priorities and thereby gain sufficient management and<br />
employee attention.<br />
It can be difficult to make good decisions about information security investments. Good practice<br />
suggests that management should assess the risks surrounding information and balance the costs<br />
of security measures against the possible impact of security failures. However, the difficulty of<br />
quantifying these matters limits the effectiveness of structured decision-making processes in practice.<br />
While many information security measures are technical, a business is also likely to benefit from<br />
techniques which integrate security skills and knowledge across technical and business functions.<br />
Information governance is a set of management practices which aims to protect the quality and<br />
control of information throughout the organisation and integrate accountability accordingly.<br />
IT has enabled information to be more dispersed, putting greater emphasis on individual behaviour<br />
and making it more important to embed good security practices. As employees increasingly<br />
use consumer devices, and frequently their own personal devices, to store or access corporate<br />
data, embedding good behaviour will become ever more important. Training can help raise<br />
employee awareness of security policies and processes. Culture and senior-level commitment are<br />
also important factors and, where security can be aligned with the objectives and brand of the<br />
business, it is more likely to become central to business activities.<br />
A growing security challenge concerns the explosion in outsourcing and collaboration across<br />
supply chains. As a result, information rarely sits in one organisation as a static resource but<br />
instead is the subject of continual flows between different parties. This may lead to a shift in<br />
security thinking, away from establishing a secure perimeter around the organisation to a more<br />
dynamic model which emphasises security across a supply chain.<br />
Finally, as security failures increasingly impact on individual consumers and citizens, there is<br />
a developing regulatory agenda, particularly around the security of personal information.<br />
As a result, a business may need to shift its thinking from internal risk management to meeting<br />
external demands.<br />
5. Building trust<br />
Individual good practices are not sufficient. There needs to be<br />
widespread engagement and action at all levels across society<br />
to address the issues raised in this report. How do we promote<br />
informed debate? And what are the elements of a social and legal<br />
framework fit for a digital economy?<br />
[Figure: diagram. Labels: Recognise and debate issues; Personal information; Intellectual property; Information security; Concerns about digital information; Develop new theoretical thinking; Balance control and use of information; Collective actions; Individual actions; Trust and value creation; Create supportive institutions.]<br />
5.1 Impact of new technology<br />
Chapters 2, 3 and 4 outlined many good practices in the fields of personal information, intellectual<br />
property and information security, as well as the broad legal and social environment within which<br />
businesses are operating.<br />
They also highlighted some areas which are testing the limits of current thinking.<br />
• With the rapid increase in the collection of personal information, there are new questions<br />
around who should be able to retain, use, share and benefit from this information.<br />
• The changed economics of information goods encourages the free and open exchange of<br />
creative content and challenges the scope and application of intellectual property rights.<br />
• The growing frequency and impact of information security failures on businesses and<br />
individuals is leading to pressure for new regulation.<br />
• The international operation of many businesses challenges the national and regional basis for<br />
established regulation in these areas.<br />
These challenges are not surprising, given the radical impact that new technology can have on<br />
economies and wider social structures.<br />
Creative destruction
New technology is a central part of economic development and economists have long recognised
the revolutionary impact of new technology on the way that we do things and the way that
businesses and governments are organised. The Austrian economist, Joseph Schumpeter, for
example, argued in the 1940s that technology was the key driver of economic growth and
innovation, triggering a process of ‘creative destruction’, whereby established processes and
businesses were destroyed by fresh methods built on new technology. 100
IT is a particularly disruptive technology because it radically changes the economics of information.
It shifts the supply curve of information by reducing the costs of information. It also shifts the
demand curve of information by increasing the benefits that can be gained through it. This
creates a vast new space of economically efficient information, making many new activities viable
and profoundly changing the way that a business can create and deliver value to customers.
This is illustrated in Figures 5.1 and 5.2. 101
Figure 5.1 shows the supply and demand curves that can, in principle, be drawn for each and
every type of information to represent the incremental cost of providing more of that information
and the incremental benefit of using such information. The area under the supply curve represents
total costs, the area under the demand curve represents total benefits and the area between the
curves represents net benefits.
100 Joseph Schumpeter, Capitalism, Socialism and Democracy.
101 This section incorporates parts of ICAEW’s earlier report, Measuring IT Returns.
[Figure 5.1: Information supply and demand curves. Axes: Value against Quantity. Labels: incremental costs, incremental benefits, efficient quantity of information, net benefits, total costs.]
Through the combination of different technologies, IT changes the supply and demand curves.
It does this in two ways, frequently at the same time. It reduces the costs of information-handling
and communication activities and it enables businesses to get more benefits from the use of
information. By shifting both the supply and demand curves, IT potentially increases the amount
of information that it is economically viable to produce and the net benefits of that information.
These shifts are shown in Figure 5.2.
[Figure 5.2: Impact of IT on information quantity. Axes: Value against Quantity. Labels: original efficient quantity of information, increased efficient quantity of information, revised incremental costs, revised incremental benefits.]
Social implications
However, transformation in economic possibilities through new technology often creates
social tensions and new questions in parallel. It can lead to many situations that have not been
previously considered or which push against the established boundaries of rights and duties.
It can heighten existing tensions between different interests.
IT does all of these things. Furthermore, by enabling powerful aggregation and analytical
techniques, IT increases the value of all kinds of information that may have been previously
thought of as useless or valueless data, leading to new competition over how it should be
used and exploited.
Alongside the development of new technology, we often see new norms develop which will
build confidence in it and support widespread adoption, for example:
• laws governing how technologies are used, potentially labelling particular uses as not socially
acceptable;
• laws covering the social consequences of technological development, such as the workers’
rights developed in the wake of factory technology;
• laws which replace or update laws that have become easy to evade or avoid as a result of new
technology; and
• social norms to define acceptable individual behaviour in the light of new technology.
The debate between the opportunities presented by new technology and the actions needed to
build social acceptability is currently seen most prominently in the area of medical technology.
Medical ethics and law are well established areas of theory and practice which reflect the dilemmas
faced in this area and provide a framework for doctors and lawyers to take all relevant interests
into account when making decisions. Debates in these areas frequently focus on how to encourage
new areas of research and maximise the potential benefits they bring, such as stem cell research,
while also finding limits or checks which make developments socially, morally and legally acceptable.
Therefore, unless we recognise and address the social challenges related to digital information,
there is a risk that opportunities to use it are missed.
5.2 Trust in business
Trust is an important feature which underpins the use and value of new technologies and therefore
can support the development of a digital economy. While the term ‘trust’ has many specific
applications in this context, such as cyber trust, 102 we use it broadly to refer to the relationship
between an organisation and its different stakeholders.
The notion of trust
All businesses exist by creating value for a number of different parties, which include:
• customers;
• shareholders;
• employees; and
• suppliers.
For any of these relationships to be sustainable, there also needs to be a degree of trust between
the parties. If one party does not trust the other to deliver their side of the exchange and to adhere
to certain expected standards of behaviour, the relationship is unlikely to survive long. Therefore,
any successful business relies on building trusting relationships with a variety of different parties.
Panel 5.1: Building business trust
Trust is exhibited where one party expects another party not to act in a harmful way, despite
the opportunity to do so. Therefore, the trusting party is vulnerable to the actions of the
trusted party but chooses to act anyway, believing that the other party will do them no harm.
Although apparently similar, trust is not the same as prediction. It is a way of simplifying
decisions and acts as an alternative to a rational calculation of risk and reward:
‘…trust reduces complexity far more quickly, economically and thoroughly
than does prediction. Trust allows social interactions to proceed on a simple
and confident basis where, in the absence of trust, the monstrous complexity
posed by contingent futures would again return to paralyze action.’ 103
In economic terms, trust reduces transaction costs substantially and most economic and social
interactions require a degree of trust in practice.
Trust is a complex notion and can be seen to operate at two levels.
• Narrow scope trust concerns the trust attached to an individual business, based on its
particular behaviour, brand and reputation. Therefore, the activities outlined in Chapter 4
can help a business to build up this kind of trust.
• Broad scope trust concerns the wider legal and institutional environment. Where laws are
in place to compel particular business behaviour, and there are clear sanctions in the event
of non-compliance, there is likely to be a higher level of trust in all businesses. By contrast,
where there is a low level of broad scope trust, individual businesses will have to work
harder to build trust with individual customers or others.
The interaction between these two levels of trust is hotly debated. 104 However, it is broadly
recognised that both levels of trust play a role in encouraging market transactions.
102 For a collection of materials on cyber trust and other aspects of cyber security, see Brian Collins and
Robin Mansell, Cyber Trust and Crime Prevention: A Synthesis of the State-of-the-Art Science Reviews and the
associated papers.
103 J. David Lewis and Andrew Weigert, ‘Trust as a social reality’, p969.
104 Kent Grayson, Devon Johnson and Der-Fa Robert Chen, ‘Is firm trust essential in a trusted environment?
How trust in the business context influences customers’.
Elements of building trust in a business
Businesses can build trust at an individual level by implementing good practices. However, good
practices need to be underpinned by clear legal obligations and social expectations. We identify
four essential elements to building broader trust around digital information.
Recognise and debate issues. Regulators, law makers and the technology industry have a major
role to play. However, all businesses are affected by some of the issues raised in this report, as
are all individual consumers and citizens. Therefore, debates need to engage broadly across all
sections of society in order to take account of different interests and perspectives.
Develop new theoretical thinking. While technology is the direct cause of the difficulties
outlined in the report, it is radical changes to the economics of information which are at the heart
of the social tensions. Therefore, we need to encourage a variety of new thinking which is rooted
in the economics of digital information.
Balance control and use of information. There needs to be clear rights over information to
enable parties to form expectations about its use and protection. However, this control needs to
be balanced with the ability of different parties to use and share information for a wide range of
benefits.
Create supportive institutions. A variety of institutions are needed which can address this broad
range of issues and develop robust and flexible solutions. Institutions need to include many
participants, including regulators, businesses, individual consumers and the technology industry
and promote common approaches, as far as is possible.
Although each of these elements is essential, they are also fraught with difficulty which may limit
realistic progress. Academic research can play an important role in developing deeper understanding
of the challenges of the digital environment and supporting each of these elements. By providing
objective evidence on the risks and benefits attached to digital information, as well as different
policy options, research can help policy-makers, management and individuals make better
decisions. The appendix outlines the role and challenges of academic research and goes on to
highlight a variety of possible research topics.
5.3 Recognise and debate issues
The starting point for building greater trust is widespread engagement across society to debate
issues. This includes representatives from business and government, as well as individual
consumers and citizens.
Indeed, individual consumers and citizens have a particularly important role in these debates:
• they are the subjects of personal information which is being used by businesses to generate
profits;
• they are creators of all kinds of new intellectual property which is being shared across social
media platforms; and
• they are the consumers of services and creative content which build on their personal
information and intellectual property.
Therefore, they have a direct stake in the outcome of these debates. However, many of the debates
highlighted in this report have been dominated in practice by regulators, the industries which have
been most affected by the technology changes and pressure groups. How do we get broader
engagement in defining new social norms and expectations which underpin more formal policy
solutions?
Build awareness and recognition
Central to building widespread engagement is raising awareness of the issues outlined in this report
and gaining recognition of their importance. There are a number of barriers to achieving this.
For many businesses, the issues outlined in this report primarily appear to affect those at the
forefront of personal information use or specific industries which develop and exploit creative
content. In other cases, there continues to be a strong emphasis on the development of good
practices as a way of solving concerns and issues of trust.
The impact of failures on individual businesses is not necessarily clear or easily quantified, and
businesses may be more focused on extracting the maximum benefits that they can from digital
information. Furthermore, the possible impact on society of failing to address these concerns
is not generally regarded as catastrophic, as is potentially the case with issues such as climate
change or securing safe energy supplies, for example. As a result, it can be difficult to gain
sufficient attention and priority from senior decision makers.
While individuals may voice concerns about the security and use of their information, they also
benefit from widespread use and sharing of their personal information and intellectual property.
This again makes it difficult to gain sufficient attention and action from individuals. Furthermore,
there are substantial economic interests in maximising the use of personal information and
tightening controls over intellectual property, which may overwhelm the concerns of individuals.
However, we suggest that a failure to address many of the issues outlined in this report will have
significant effects on the economy and wider society.
While good practices can solve many of the problems for individual businesses, they are not
sufficient. Good practices are grounded in wider legal rights and social expectations, which help
a business to link specific policies to business objectives. Trust for individual businesses is likely
to be higher when there is broad trust in the wider institutional environment. Furthermore, as
technology continues to improve, leading edge issues will impact on a greater range of businesses.
The use of smart meters by energy companies, for example, raises new questions concerning the
analysis of detailed energy usage records and extends privacy debates into fresh areas.
Opportunities to use digital technologies will be lost if businesses fail to invest in new services
or creative content, or individuals lack sufficient trust to use them. This potentially has a major
economic impact and may reduce the social benefits that individual consumers gain from new
services.
Furthermore, pervasive use and sharing of digital information could result in a wide range of
profound and irreversible social changes, for example, individuals losing the ability to remain
anonymous or shake off information about their past. As a result, they merit serious consideration
by all.
Encourage debate
If it can be recognised that there are serious issues to be debated about the use and sharing of
digital information, we move onto the questions to be addressed. Panel 5.2 outlines some of the
questions which need to be considered and debated by individual consumers and citizens, as well
as regulators and the technology industry.
Panel 5.2: Contentious questions
• To what extent is the commercial exploitation of personal information a matter of concern?
• How should various uses of personal information be balanced against different benefits, for
example, security matters, medical and social research and personalised services?
• To what extent should public and location data, as well as search data, be gathered and
used by businesses?
• To what extent should businesses be able to use extensive personal profiling?
• How should voluntary sharing of personal information over the internet be viewed: a
matter of personal choice and risk or something for greater regulation?
• To what extent is copying content (when in breach of copyright) morally wrong?
• To what extent do consumers want to pay for creative content?
• How should the benefits from co-created intellectual property be shared?
5.4 Develop new theoretical thinking
By shifting the economics of information, IT radically changes the ways that information can be
collected, used and shared. However, much of the thinking outlined in this report is based on the
economics of the physical world, rather than the virtual world enabled by digital technology.
Our thinking can often be limited by our imaginations and an inability to understand the full
implications of new technology. Consider, for example, the early days of motor vehicles in the
UK, when cars had to be driven behind someone walking with a red flag to warn the public of
the potential danger of a motor vehicle. 105 While this may now appear to be a strange response
to an exciting new technology, it was rooted in an inability to understand the potential benefits
of motor vehicles and radically different ways of managing their risks, such as road safety codes,
traffic lights and other such methods. It was also rooted in vested interests that were resistant to
change.
105 The Locomotive Act 1865, also known as the Red Flag Act.
Therefore, as part of the informed debate around digital information, we need to encourage more
challenging and radical thinking which is rooted in the new economic opportunities.
We highlight three areas in which established thinking may need to be recast:
• the growing importance of information ethics;
• the move from tangible to intangible property; and
• the convergence between information regimes.
Growing importance of information ethics
Ethics is concerned with determining right and wrong behaviour, based on moral principles.
Normative ethics looks at behaviour at a general level and develops principles for determining
right and wrong actions. Applied ethics looks at specific ethical dilemmas to determine the right
course of action in particular circumstances.
Information ethics is concerned with right and wrong behaviour surrounding information and has
been a small field to date. 106
Panel 5.3: Information ethics
Notions of information ethics, and the expected behaviour around information according to
moral principles, can be traced back to ancient Greece. However, it moved into the modern
world following the writings of Norbert Wiener. His books Cybernetics (1948) and The Human
Use of Human Beings (1950) foretold many of the computing developments that were to
come and developed a series of principles by which ethical dilemmas about information
could be resolved. Where dilemmas could not be resolved through the extension of existing
principles, he suggested that they should be resolved based on ideas of freedom, equality and
benevolence.
Wiener was ahead of his time and his work was ignored for many years. The discipline of
information ethics started to take hold in the 1980s, following the explosion of computer
use in government and businesses. While it remains a developing field, it covers thinking and
research in a wide range of areas, including:
• privacy and intellectual property;
• the digital divide (which refers to the impact of technology on those who do not have
access to it);
• computers in the workplace; and
• the responsibilities of information and IT professionals.
There is clear scope for greatly expanding this field and developing stronger moral positions on
the use and sharing of information to respond to some of the challenges presented in this report.
The fact that a business or individual has the ability to use or share pieces of sensitive information
about others does not necessarily mean that they should do so. The impact of sharing that
information may be profoundly or disproportionately damaging and therefore, even if it is legal,
some degree of self-restraint may be helpful.
Information ethics can apply to individual behaviour. It can also be integrated into business ethics
more broadly.
Panel 5.4: The cases of TJX and ChoicePoint
TJX is a large cut-price retailer, owning brands such as TK Maxx. ChoicePoint provides a range
of personal profiling services, such as background screening and authentication. Both of these
US-based businesses suffered serious data breaches where a substantial amount of personal
information was accessed. In TJX’s case, it was the credit card details of 45 million customers.
ChoicePoint had 145,000 customer files accessed for the purposes of identity theft.
106 Luciano Floridi, ‘The information society and its philosophy: introduction to the special issue on “the philosophy of information, its nature and future developments”’.
In an article entitled ‘How ethics can enhance organizational privacy’, Mary Culnan and Cynthia Williams outline how the businesses could have integrated ethical principles into their compliance obligations and thereby strengthened their internal processes. Observing that individuals are in a vulnerable position where businesses hold personal information about them, Culnan and Williams argue that a business should adhere to the ethical principle of ‘doing no harm’. As such, by failing to stop criminals from accessing personal information, both TJX and ChoicePoint also failed in their ethical duties. They argue:
‘No organization can guarantee that it will not suffer a privacy harm in the future. However, the stronger the sense of moral responsibility, as evidenced by the organization’s leadership and infused throughout the corporate culture, the more likely the organization will be to have implemented sound technical, structural, and procedural improvements.’ 107
Move from tangible to intangible property
Information has shifted from being a resource which is attached to physical media, such as paper records, books and CDs, to being a virtual resource with no physical manifestation.
This shift creates new theoretical challenges because of the differences between the nature of information and tangible assets such as land or other material possessions. 108 These differences have an impact on the way that property rights over information have developed and temper the degree of control that any business or individual has over information about them or which they have created.
Panel 5.5: Differences between tangible and intangible property
Private property rights over tangible goods are underpinned to a significant extent by the idea of a limited resource. It is this dimension of scarcity that drives the need for clear boundaries over use and exclusion. However, information in itself is not scarce. While the creation and dissemination of information may involve the use of scarce resources, information itself is what is termed a non-rival good. In other words, it can be enjoyed to an equal degree by multiple people at the same time. Sharing a piece of information with others does not usually degrade the quality of the information or deny the originator of the information the ability to use it at the same time. This is very different to a physical product, where the use of it by another party directly impinges on the owner’s enjoyment of the good. As a result, the underlying justification for private property rights is weakened.
One of the key elements of property rights is the right to exclude others from accessing or using the resource. However, another characteristic of information is that it is often non-excludable in practice. Information can sometimes be excluded on the basis of the law, for example, it may be forbidden to share certain types of information with others. However, once it is released, it is difficult to exclude others from gaining access to it in practice. As a result, full property rights over information are challenging to enforce.
Many different people may also be involved in the capture, aggregation and dissemination of information with a variety of motives and potential gains from it. Where a business has invested resources to capture information about the location or public activities of an individual, both the business and the individual may have a legitimate interest in how the information is used. Therefore, rights may need to be shared among a number of different parties.
As a result, the best way of looking at information in legal terms is that in and of itself it is relatively inert and information cannot be ‘owned’ or ‘stolen’. However, a number of the bundle of intellectual property rights, as well as statutorily created duties and rights, arise in relation to information.
It is also the case that the theoretical difficulties attached to owning information have had minimal impact in practice, as information has largely been attached to physical goods and has therefore been viewed as a tangible good for all intents and purposes. However, in the digital world, this is not the case at all. As a result, further thinking is needed on the implications of these differences and whether our understanding of the nature of digital information needs to evolve as a result.
107 Mary Culnan and Cynthia Williams, ‘How ethics can enhance organizational privacy: lessons from the Choicepoint and TJX data breaches’, p685.
108 Danny Quah, Digital Goods and the New Economy.
Convergence between information regimes
Another challenge for the current rights framework is the growing overlap between personal information and intellectual property. This overlap affects businesses, as they typically have a wide spectrum of information that is sensitive or valuable and which comes from a variety of sources. Some of this information may constitute personal information. Some of it may constitute intellectual property. As a result, businesses need a coherent and consistent approach to information risks, based on the sensitivity and value of the information, regardless of its formal classification.
However, a feature of the regime of information rights today is that it contains two very distinct and separate areas of legal analysis and philosophical debate: rights over personal information and rights over intellectual property.
There are good historical reasons why these debates have been conducted largely in isolation from each other. Privacy was originally based on notions of physically protecting the home or person. It only became focused on information in the second half of the 20th century. Intellectual property, by contrast, focused on creative content such as books, or inventions. These two disciplines, therefore, appear to protect things that look and feel very different.
They also have different philosophical groundings. Privacy debates have often centred on philosophical or political arguments and privacy rights are an important part of the human rights framework. Intellectual property rights, though, are largely economic in nature and therefore the subject of very different debates.
However, as all pieces of information become digitised into bits and bytes, an address, a photograph and a music file all start to look very similar. The overlap is clearly seen in the development of creative content on the internet by individuals. The content of a blog is an example of creative content, which could fall within intellectual property notions. However, it may also contain substantial personal information that the writer wishes to share. Social networking profiles also contain a wide mix of personal information, such as activities and location, and intellectual property, such as photographs.
Furthermore, as businesses capture increasing amounts of information about customers or service users, personal information is becoming an increasingly important asset of any business. In many cases, it may be their most valuable piece of intellectual property and the key revenue driver.
This overlap has implications for debate and public policy options. For example, there is growing tension between the protection of personal information and intellectual property. As copyright infringements have become increasingly perpetrated by individual consumers in their home, pressure has grown to identify this type of activity by interrogating the records of internet service providers. However, the records of individual customers are potentially personal information and accessing them to report individuals to rights-holders could breach privacy rights. Priority has to be given to the protection of one type of information ahead of the other.
As a result, we need to consider the tensions between these different areas and increasingly look to develop more integrated thinking and policy solutions. This is echoed by Ian Hargreaves in his report on UK intellectual property laws, saying, ‘questions of IP, privacy, and security are converging in ways that will, over time, present sharp challenges to the current legal framework.’ 109
5.5 Balance control and use of information
The third element for building business trust concerns the nature of the solutions which are developed. The social and legal environment around digital information needs to balance two key considerations:
• effective control over access to, and use of, digital information; and
• opportunities to generate value through its widespread use and dissemination.
How we resolve trade-offs between these elements in a variety of specific circumstances will have a significant influence on future business innovation through IT. Indeed, the different ways that this balance has been struck in the US and UK are sometimes cited as underlying factors which support the success of Silicon Valley and discourage similar innovation in the UK.
109 Ian Hargreaves, Digital Opportunity: A Review of Intellectual Property and Growth, p19.
Panel 5.6: Encouraging innovation with IT
There are many factors which have enabled Silicon Valley to become the technology and software hub of the world. Many of these factors relate to access to capital, skills and a culture of risk-taking, coupled with high rewards for success. However, it is sometimes suggested that the more open legal environment regarding information rights plays a role in encouraging innovation in digital information.
Chapter 2 outlined the US approach to personal information, which is broadly market-based and libertarian. This compares with a European approach which is strongly regulated. The intellectual property regime of the US is also less restrictive than in the UK. In particular, the doctrine of fair use, which has not been adopted in the UK, enables limited reuse of material which is otherwise protected by copyright.
These differences raise the possibility that businesses which start up in the US have a significant advantage in how they can use a variety of digital information to build a successful business model.
In his report in 2011 on UK copyright laws which was commissioned by the government, Ian Hargreaves acknowledged that copyright law in the UK had been overtaken by technological change and was not enabling business and research communities to maximise their use of these technologies. While he rejected the adoption of the US fair use doctrine, he recommended implementing a number of specific exceptions to copyright laws to support greater use and commercial exploitation of information in some situations.
The need to balance control over information with the reasonable use and sharing of information reflects a long-standing debate in property rights theory more broadly.
The theory of property rights
Rights to control access to resources, namely property rights, underpin a functioning market economy.
Panel 5.7: Private property rights
Private property rights are usually described as a bundle of three core powers: to use the item, to exclude others from using it and to transfer it to a third party. 110
There are strong economic justifications for property rights and there is little debate today that property rights underpin the functioning of a market economy. Although this was recognised by Adam Smith in the 18th century, the Property Rights school of economics started properly in the 1960s with economists such as Ronald Coase, Armen Alchian and Harold Demsetz. 111
In economic terms, property rights provide clear boundaries over the exclusive use of resources. They enable individuals to form reasonable expectations about the behaviour of others regarding resources. As a result, property rights reduce the costs of transactions and thereby encourage markets to grow.
Property rights have also been justified by philosophers from the ancient Greeks, through the Enlightenment and on to the present day. The notion of private property is particularly connected with ideals of freedom and the ability of an individual to control his or her own destiny. Indeed, the American Revolution is often seen to be a revolution about the ownership of land, with the prime role of the government being to protect and preserve property. 112
There are significant legal differences between land (‘real estate’ or ‘real, heritable or immovable property’) and movable property such as goods and chattels, to say nothing of intangible property such as intellectual property. Land titles are the strongest.
Property rights need to strike a happy medium which provides the degree of predictability and security that individuals and markets need to operate while also enabling the reasonable use and sharing of resources.
Where resources are subject to too little control, they risk being overused. This is known as the tragedy of the commons.
110 Anthony Honoré, ‘Ownership’.
111 See for example Harold Demsetz, ‘Towards a theory of property rights’.
112 Paul Johnson, ‘Freeholds and freedom: the importance of private property in promoting and securing liberty’; O. Lee Reed and E. Clayton Hipp, ‘A “Commonest” manifesto: property and the general welfare’.
Panel 5.8: The tragedy of the commons
A commons is property which is held for the benefit of everyone and where there are no restrictions on how individuals can use the resource, for example a field where any individual can allow their cattle to graze freely. While no longer a typical way to allocate property rights, commons do still exist in places such as the Forest of Dean in the UK.
In his article ‘The tragedy of the commons’ (1968), Garrett Hardin highlights the dangers of such a system of property rights, especially where the resource is limited. Using the example of a field with no limits on grazing, he argues that every individual will want to maximise the value of the commons to him or her and therefore will benefit from adding more cattle into the field to graze. The field, though, is ultimately a limited resource and will quickly become over-grazed and ruined. However, while each individual gets the full benefit of adding an extra animal on to the land, the impact of the failure is shared among all of the community.
As a result, no individual is encouraged or rewarded to look after the field or voluntarily limit his or her use of it for the good of everyone in the long term. As Hardin describes:
‘Each man is locked into a system that compels him to increase his herd without limit – in a world which is limited… Freedom in a commons brings ruin to all.’ 113
However, property rights can go too far. As property rights are a bundle of rights, rather than a single right, it is possible to separate different aspects of this bundle and sell them to different people. We see this most obviously in renting agreements, where the owner of the resource sells their right to use it and exclude others from using it for a period of time.
Where property rights are so extensive and fragmented between many different individuals, it can lead to deadlock and a failure to use the resource at all. This is known as the tragedy of the anti-commons.
Panel 5.9: The tragedy of the anti-commons
In his article, ‘The tragedy of the anti-commons: property in the transition from Marx to markets’ (1998), Michael Heller describes how the number of organisations with rights over shop properties in Russia led to gridlock, leaving shops empty and leading to the widespread use of informal street kiosks in their place.
He noticed that, while the market economy was growing and more goods were becoming available to purchase, this was not translating into successful shops. Indeed, many of Moscow’s shop-fronts remained empty. Instead, kiosks sprang up on the pavement directly in front of the empty shop-fronts to be used as trading posts. His explanation for this development was based on the way that authorities were allocating new private property rights over the shops.
Heller highlights an inverse correlation in the way that property rights had transitioned from a socialist environment to a market one. Where property had been highly protected under the socialist system, and therefore transitioned with extensive rights over its use, it had not performed well in the market economy. By contrast, property that had fewer rights around its use, such as residential property, was being traded successfully.
As a result, there were many individuals or government bodies with a right to veto the use of property for a particular purpose, but no-one had a sufficient set of rights which enabled them actually to use the shop property. He identified up to six rights that could be held by multiple rights-holders over a piece of property, including rights to sell, lease, receive revenue from the sale or lease, determine use and occupy. Unless all the parties could agree, the property remained unused.
In the context of digital information, there are risks similar to both the commons and anti-commons:
• where information is over-used or shared without limits, the value of intellectual property may be diminished and individuals may become increasingly reluctant to share their personal information with others; and
• where there are very tight controls over access to information, it may become impossible to innovate through its use, losing out on a wide range of possible benefits.
113 Garrett Hardin, ‘The tragedy of the commons’, p1244.
As a result, we need to understand the trade-offs between these two extremes and build solutions which balance them in the best possible way.
5.6 Create supportive institutions
The fourth element of building trust is creating institutions which can foster understanding of different perspectives, encourage debate and develop a variety of practical solutions.
Build understanding of different perspectives
One of the features of debates about information rights is that they can involve deeply opposing interests and philosophical beliefs. As a result, we need to create institutions that involve the spectrum of interests and beliefs and can foster understanding between different groups.
This includes a wide range of participants, including:
• the technology industry;
• businesses which are using and exploiting IT and digital information;
• governments, in their capacity as information users and IT buyers;
• regulators and legislators;
• individuals such as consumers, service users, citizens and shareholders;
• think tanks and pressure groups; and
• academics.
While all participants have the same ultimate goal of maximising the economic and social benefits of technology, they may have very different visions of what this looks like and the elements which are needed to build trust. As a result, institutions, such as the Internet Governance Forum, can play an important role in bringing stakeholders together and building dialogue.
Panel 5.10: The Internet Governance Forum
The Internet Governance Forum is a forum where a wide range of stakeholders come together and debate issues surrounding the internet. Participants include governments, businesses, academics and non-governmental organisations working in this area. It is convened under the auspices of the United Nations and holds an annual meeting.
The 2011 meeting was held in Nairobi, Kenya and sessions were arranged around themes including:
• managing critical internet resources;
• access and diversity;
• security, openness and privacy; and
• internet governance for development.
The forum’s broad membership goes well beyond traditional, state-dominated institutions. It has encouraged the development of local or regional forums, which have been particularly effective in promoting the internet in developing countries. It has also enabled open discussions on a wide range of topics and built understanding of different perspectives.
The need for international cooperation
One of the major economic consequences of IT is that it enables extensive globalisation and
international communication. Many businesses now operate with customers, employees and
suppliers from many countries. As a result, they may be managing a highly complex compliance
environment. A business also needs to understand and manage multiple expectations and
behaviours, which may display cultural differences.
Furthermore, cyber criminals work across national boundaries, with many organised gangs
outsourcing activities to specialist coders around the world. The use of infected computers and
botnets means that computers can be used from anywhere in the world to launch attacks on
businesses or individuals. This international dimension makes it increasingly difficult for local law
enforcement agencies to identify criminals and prosecute them effectively. While there is some
international cooperation and intelligence sharing, such activities tend to be inconsistent. Indeed,
with suspicions of state sponsorship around some cybercrime activities, cross-jurisdictional action
is difficult to achieve in many cases.
As a result, institutions need to operate at a number of different levels.
• There will always be a need for national institutions which reflect the priorities and will of
individual states, as well as local cultures.
• Regional institutions, for example at the EU level, can play an important role in bringing
groups of countries together and building regional cooperation.
There is also a growing need to build institutions and find approaches, such as common
principles, which can operate across national and regional boundaries. As well as the Internet
Governance Forum, there are also international institutions to support formal policy frameworks,
such as the Trade Related Aspects of Intellectual Property Rights (TRIPS) part of the World Trade
Organisation. However, further thinking is required on how institutions can support global
cooperation more effectively.
Institutions also need to include three types of participants in particular:
• legislators and regulators;
• the technology industry; and
• individual consumers and citizens.
In the remainder of this chapter, we consider the role of each of these participants. However, they
are likely to have very different perspectives, interests and priorities. As a result, finding agreement
remains difficult in many cases and a variety of practical solutions are likely to be required.
The role of legislators and regulators
The legal and regulatory frameworks around information rights provide predictability and
confidence in the actions of businesses and individuals around information. Consequently, laws
and regulation underpin the business and social environment and are hugely important to
building trust in business behaviour.
However, regulators and lawmakers face significant challenges in developing good solutions
around digital information because of the nature of good regulation.
Panel 5.11: Requirements for good regulation
ICAEW has developed a framework for good regulatory practice based on robust evidence,
which outlines the key steps which should be taken in developing new regulation: 114
• making the case for change;
• options development;
• evaluation of options;
• planning implementation;
• mitigating remaining problems;
• implementation; and
• evaluation of results.
All of these steps need to be supported by consultation and engagement with those who will
be affected by the regulation. Good regulation, therefore, by its very nature, takes time to
develop.
Given the pace of technological and business change, this is likely to mean that regulation is rarely
at the leading edge of business practice and will usually be well behind the curve of innovation.
In response to these challenges, law makers and regulators need to develop proposals which are,
as far as possible:
• platform-neutral and not tied to specific technologies; and
• flexible and applicable to a wide range of business models.
114 ICAEW, Measurement in Financial Reporting.
However, regulators are unlikely to be best placed to understand fully the new possibilities offered
by IT. Many of the issues highlighted in this report are nuanced and may not be well served by
heavy or blunt regulation. As a result, it is unrealistic to look at the law and formal regulation to
provide definitive solutions to many of the challenges we raise. They need to be supplemented by
a range of other, less formal measures.
The role of the technology industry
Industry standards can be a good supplement to formal legal obligations. Such measures can be
more flexible and responsive to the needs and dynamics of specific industries.
There are some relatively successful areas of industry standards in IT security, such as PCI-DSS.
However, the success of such schemes in practice is mixed. Informal approaches to regulation
have often been seen as self-serving, providing few practical benefits to consumers in practice.
The approach to privacy in the US, for example, is coming under increasing pressure by
lawmakers given the perceived lack of consumer protection that it embodies. However, the
maturity and complexity of the technology industry can make it difficult to develop effective
alternatives to formal regulation.
Panel 5.12: Standards and informal regulation in the technology industry
Effective standards and informal regulation are driven by the common interests of the
participants. Frequently, businesses may be keen to avoid costly formal regulation. They may
develop standards to build trust and confidence in an industry as a whole to discourage
cowboy behaviour and support industry growth.
However, the complexity and fragmentation of the IT industry makes this difficult to achieve
in the context of privacy and intellectual property. There are many different players in the
value chain who have diverse interests. For example, technology companies looking to build
business models around the sharing of information content are likely to have very different
interests to content providers. Implementing technical solutions to promote individual
privacy may have limited value to a business which wants to use personal information to
generate revenue.
Furthermore, the sector is relatively young. The markets are extremely competitive and heavily
driven by network effects, both in terms of technology standards and content. In many of
these sectors, there is substantial first-mover advantage, with businesses often driven by the
need to gain users as quickly as possible. All of these factors are likely to deter businesses from
cooperating with one another to develop industry-based solutions.
The role of individual consumers and citizens
Social norms and expectations play a central role in building greater predictability for businesses.
They also underpin market pressures on businesses to behave properly to one another as well as
to their customers and employees. Where businesses fail to observe social norms or expectations,
they may be punished in the marketplace, even if their actions are legal.
Panel 5.13: Building effective market pressures
Market pressures are based on customer choice. Where customers can go elsewhere,
businesses are encouraged to behave well so as to keep their loyalty and custom. In the US,
substantial reliance is placed on the market to drive business behaviour around the use of
personal information. In Europe, market pressures have supported the more formal regulatory
regime, especially in the UK. Market pressures, and the behaviour of consumers, can also drive
intellectual property policies and help a business to determine what intellectual property they
should charge for and what they should freely release.
Market pressures are supported by a variety of factors. There needs to be real choice in the
provision of services and therefore creating competitive markets is a key step. There needs
to be transparency so that customers can make informed choices about different businesses.
There also needs to be a degree of consensus between customers around expected business
behaviour and standards so that there is a critical mass that will impact businesses.
However, there are limits to the effectiveness of market pressures. In many cases, consumers
may place a low priority on information security and privacy compared to cost and service
quality. As a result, even where businesses exhibit poor behaviour around information,
customers may be willing to overlook it in favour of other factors. Also, diversity of opinions
can make market pressures quite fragmented in practice.
There is significant scope for policy-makers to use information to enhance market pressures in
the context of privacy and information security. For example, there is often little public visibility
of business processes in these areas and transparency can potentially be increased through
regulation or voluntary initiatives in corporate reporting.
However, there is also a broad spread of consumer attitudes and expectations around how
businesses should behave around IT and digital information, which inevitably weakens market
pressures. Consequently, public debate can help to build more consistent and effective market
pressures on businesses.
5.7 Summary
New technology is a central part of economic development. However, transformation in economic
possibilities through new technology often creates social tensions and new questions in parallel.
Unless we recognise and address the social challenges related to digital information, there is a risk
that opportunities to use it are missed.
Trust is an important feature which underpins the use and value of new technologies and therefore
can support the development of a digital economy. Businesses can build trust at an individual
level by implementing good practices. However, good practices need to be underpinned by clear
social expectations and legal obligations. We identify four essential elements to building broader
trust around digital information.
Recognise and debate issues. Regulators, law makers and the technology industry have a major
role to play. However, all businesses are affected by some of the issues raised in this report, as
are all individual consumers and citizens. Therefore, debates need to engage broadly across all
sections of society in order to take account of different interests and perspectives.
Develop new theoretical thinking. While technology is the direct cause of the difficulties
outlined in the report, it is radical changes to the economics of information which are at the heart
of the social tensions. Therefore, we need to encourage a variety of new thinking which is rooted
in the economics of digital information.
Balance control and use of information. There needs to be clear rights over information to
enable parties to form expectations about its use and protection. However, this control needs to
be balanced with the ability of different parties to use and share information for a wide range of
benefits.
Create supportive institutions. A variety of institutions are needed which can address this broad
range of issues and develop robust and flexible solutions. Institutions need to include many
participants, including regulators, businesses, individual consumers and the technology industry
and promote common approaches, as far as is possible.
Although each of these elements is essential, they are also fraught with difficulty which may limit
realistic progress. Academic research can play an important role in developing deeper understanding
of the challenges of the digital environment and supporting each of these elements.
Appendix – Areas for research
A.1 The role of academic research
This report maps out a wide range of business practices, as well as the established social and legal
environment around information. However, more needs to be done to build trust around digital
information and academic research has a crucial role to play.
In order to improve security measures in practice, businesses may benefit from sharing their
experiences around information practices through networks of peers or other informal mechanisms.
However, businesses may also be reluctant to share information about security failures or
vulnerabilities openly. As a result, there is a clear role for academic research in improving
understanding of how businesses seek to implement security measures in practice and how
successful or otherwise they are in doing so. Research can preserve individual anonymity while
enabling greater sharing of knowledge and experience.
Objective evidence is also central to building an approved social and legal framework around
digital information. Without robust evidence to support decision making, there is a significant risk
of hasty or ill-thought through actions which do not achieve their ultimate objectives. Although
this report has highlighted a wide range of research, there continues to be limited robust evidence
on many of the topics discussed. In some cases, there is little or no research at all.
A.2 Sharing business experience and knowledge
There are two distinct approaches that can be taken to academic research on business practices.
Quantitative analysis interrogates statistical data with the aim of finding correlations between
different data elements. Such correlations can then provide evidence to support or challenge
specific propositions. In the context of business practices, quantitative research could consider
the preconditions for good business performance or the consequences of particular actions, for
example the decrease in share price when a business discloses a major security breach.
By contrast, case studies aim to develop deep understanding of organisational practices, structures
or capabilities. By looking at a single organisation, or small group of organisations, they typically
examine a particular event or series of events in detail, identify reasons for success or failure and
suggest lessons which may be relevant for others. As such, they can provide valuable insights
on the implementation of practices and the factors that may influence success. Case studies are
therefore likely to be of more practical use to individual businesses.
Possible research topics
There has been limited research undertaken into information security practices in businesses and
consequently there is substantial scope for more research, especially through case studies. 115
This could include building detailed understanding of organisational practices and influences,
developing frameworks for business thinking about security requirements and identifying key
skills and capabilities that a business may need.
Linked to research on information security practices is research on corporate policies around
information, and how businesses can effectively align practices with policies and business
objectives. Given the likely importance of gaining organisational commitment to security aims
and practices, this is an area in which further research would be welcome.
There is also very little research on specific practices relating to personal information and
intellectual property. As a result, there is scope for developing a better understanding of
organisational processes and the formation of specific policies in these areas.
115 For an overview of the different approaches to information security research, see Gurpreet Dhillon and James
Backhouse, ‘Current directions in IS security research: towards socio-economic perspectives’.
Panel A.1: Suggested research topics on information practices
Information security practices
• How do businesses define their security priorities?
• What tools do management use to justify security investments? How can these tools be
refined?
• How do businesses identify data assets and compare their importance and sensitivity?
• How do businesses encourage communication of security objectives and priorities?
• How are information risks integrated into the wider business risk framework?
• What influences the development of a security-conscious culture?
• What skills and capabilities are needed to implement security measures effectively?
• How can businesses understand and manage third party supplier information risks?
• What techniques do businesses use to manage and authenticate identities?
• What is the role of audit and assurance activities in information security?
Corporate information policies
• How do businesses align information policies with business objectives? How can businesses
improve their ability to do this?
• What are the key drivers to developing corporate information policies? And how do
businesses balance different drivers?
• What organisational structures support the effective formation of policies?
• How do businesses integrate thinking about the benefits and risks of information and IT?
• At what stage are information policies considered in the development of new systems or
processes within a business?
Privacy practices
• To what extent is privacy becoming a value-enhancing component of a brand?
• How do businesses manage the international complexities of privacy regulation and attitudes?
• What organisational structures support the effective management of privacy issues?
• What are the benefits of adopting a ‘privacy by design’ approach?
• How have privacy impact assessments been used effectively?
• How do businesses manage communication with consumers on the treatment of their
personal information?
• What is the role of privacy audit and assurance activities in building trust?
• What is the business case of privacy-enhancing technologies?
• How do businesses manage customer concerns about privacy failures?
• How do businesses collect and manage consent to handle personal information?
• How do businesses innovate in an environment of changing and conflicting customer
demands?
• How do individuals obtain redress for breaches or misuse of personal information?
Intellectual property practices
• How do businesses develop policies around what information to charge for and what to
give away free?
• What alternative business models are developing to support the exploitation of information
content?
• How do businesses build a culture which discourages employees from stealing intellectual
property?
• How effective are digital rights management systems in protecting intellectual property?
A.3 Supporting collective actions
We also suggest some themes for further research to support the development of a social and legal environment to meet the challenges of digital information. These are based on the four elements of building business trust.
Theme 1: Recognise and debate issues
Researchers can help to build recognition and debate by defining the nature and scope of issues. They can also increase knowledge around the size and magnitude of problems to help to focus attention on areas of greatest need.
There are important issues, for example, around the scope of protection for personal information. These include questions such as:
• What information should be classified as personal information which needs to be protected? This is especially important given the growing power of aggregation techniques and the collection of vast amounts of public and location data.
• What is the role and nature of consent in the online environment in particular? To what extent is consent an adequate response to extensive data gathering and use by businesses and governments? Furthermore, what constitutes ‘informed consent’ in this environment?
• How do we make sense of conflicting attitudes and inconsistent behaviour regarding individuals’ personal information? How do we take account of the potential generational differences in this area?
Regarding intellectual property, there are many outstanding questions on the nature of the economic harm being caused by breaches of intellectual property rights. As with personal information, there are also questions around changing attitudes, especially among younger generations.
Finally, we need to improve our understanding of the magnitude of security breaches and the impact on businesses, individuals and the economy as a whole. There is also a need to understand better the drivers towards individual and business behaviour around protecting their valuable information in order to build policies which change behaviour and improve security in practice. How can we get individuals to care more about the protection of their information? And how can we best drive business behaviour in this regard?
Theme 2: Develop new theoretical thinking
New theoretical thinking on information rights is needed to support the growing digital economy. In particular, researchers and policy-makers may need to consider the impact on privacy and intellectual property rights of an abundance of information which is low cost but valuable.
There is scope to expand the field of information ethics and examine whether new ethical norms will help to develop greater trust. This could support both individuals and business decisions about the use and sharing of digital information, and includes a range of questions on underlying moral considerations concerning our treatment of the sensitive or valuable information of others, for example:
• the ethics of sharing information about other individuals on social networking sites;
• ethical considerations for employees in activities such as using customer personal information and accessing the intellectual property of the business; and
• the role of ethics in promoting good practices in individual businesses.
New thinking is also needed on the nature of intangible property and how it can be owned and controlled.
Finally, more integrated thinking is needed between information security, personal information and intellectual property. While there will always be some types of information which remain clearly personal information or intellectual property, we see a growing ‘grey area’ of information that is both personal data and intellectual property.
As a result, we suggest that more integrated thinking is required which, for example:
• identifies and considers conflicts or contradictions between policies in each area; and
• considers the long-term implications of the convergence of information types.
Theme 3: Balance control and use of information
Researchers can build a stronger evidence base to help policy-makers balance the control and use of information and understand both the short and long-term impact of strengthening or weakening information rights.
Information rights today are based on a complex balance between the benefits of sharing information and the benefits of controlling access to it. We have highlighted the competing claims of, for example, transparency, surveillance and privacy interests or the interests of information producers and information consumers. As the opportunities to generate value from information continue to expand at a tremendous pace, these decisions will become increasingly complex and contentious.
Business and public policy decisions need to be based on robust evidence around the benefits and risks of using information in particular ways. However, there continues to be a lack of evidence to inform decision makers on many of these difficult decisions. In many cases, there is little or no objective evidence.
Consequently, there is substantial scope for research in many areas to support policy decisions, such as the long-term risks attached to the use of personal information and the economics of strengthening or loosening intellectual property rights. Research could build knowledge and understanding in a variety of areas.
• What are the specific benefits of controlling personal information and intellectual property, and what are the risks attached to failures to protect information adequately?
• What are the specific benefits of enabling widespread use and sharing of personal information and intellectual property, and what opportunities would be lost by preventing such access?
• What are the frameworks that can be used to balance these different interests? While economics can be used to compare the costs and benefits of different scenarios, there are also a wide range of social interests involved. Therefore, theories of justice and human rights, among others, can play an important role in weighing up different interests.
• How do decision makers compare the various benefits and risks in specific situations?
All of these research areas are made more complex by the variety of different stakeholder interests involved. The benefits and risks for individual consumers and citizens, for example, are likely to be very different to those for businesses. How do we decide which interests prevail in any given situation? And when does the wider public interest trump the interests of individual stakeholders?
Theme 4: Create supportive institutions
Finally, researchers also need to develop ideas about the creation of relevant institutions. Regulation can only be one element of a wider social and legal framework and greater understanding is needed of potential industry initiatives as well as consumer pressures and social norms.
We suggest, for example, that researchers could contribute new thinking about institutions and frameworks which would be effective at an international level. This thinking could cover:
• how international frameworks and institutions would operate and relate to national ones;
• how to understand and take account of cultural differences; and
• how to recognise the different economic needs of developed and developing economies.
Researchers can also assess the implications of change for different options. This includes developing a detailed understanding of the current environment, how it operates and the problems that the new actions are aiming to address. Researchers could build deeper understanding of, for example:
• the operation of regulation such as data protection laws and breach notification laws;
• the mechanics, drivers and benefits of industry cooperation in different areas; and
• actions that would better inform customer choices.
A.4 Research challenges
While there is substantial scope for more research, we also need to recognise that researchers face a series of challenges in developing evidence around information security and rights.
Research disciplines
Questions on the legal and social environment cover a broad range of academic disciplines. As a result, we have drawn on research from many different fields in developing this report.
There is substantial research into technical solutions across all three areas of security, privacy and intellectual property. For example, the IT research community, drawn largely from computing and engineering schools, focuses on software development techniques to develop new insights in areas such as cryptography or privacy-enhancing technologies.
The second major research discipline is information systems (IS), which intersects IT issues with broader management, social and economic research. For example, there is growing research in the IS field on the notion of online trust, the behavioural economics of personal information and the implementation of security practices in businesses.
The accountancy discipline has a research community which is particularly interested in information controls and security, and the impact of IT on wider business risk management.
We have drawn on philosophical, political and economic theory to understand the basis for rights over information and the underlying debates about the appropriate strength of information rights. There is also a small but growing field of information ethics which considers the moral aspects of information use and the impact of IT.
Finally, law schools have deep expertise in the areas of privacy and intellectual property. By focusing on legal rights and obligations in these areas, legal researchers provide rich analysis around the objectives and scope of laws, as well as problems in enforcing them.
The range of disciplines involved makes it difficult to integrate ideas and establish what research really tells us. While we recognise the institutional barriers that need to be overcome, further multi-disciplinary research would be helpful.
Data challenges
It is also difficult to find good quality data to support research projects. Good research is based on robust and clean data, and in many cases, there is a dearth of publicly available information which can be used in research. Data about security practices or failures is not generally published and therefore researchers may have to look for proxies or create their own data sets through questionnaires.
The success of case studies depends on substantial organisational access which may be difficult for researchers to agree, especially in sensitive areas such as security. Case studies are often criticised for being subjective and subject to the bias of the subjects and researchers. Given the specific context of each case study, it can also be difficult to develop general learning points from them.
New regulations such as breach notification laws can help to make some information about security failures public and therefore can support research in these areas. However, in order to improve understanding of business practices, businesses need to make more data available for research. Greater cooperation between industry and academia is therefore needed to support relevant research projects.
Acknowledgements
ICAEW is grateful to the following commentators for sharing their knowledge and experience of the topics with us, providing helpful reactions in a personal capacity to the development of the ideas in this report or commenting on drafts of it.
Martin Abrams
Richard Anning
Nina Barakzai
Jennifer Barrett
Caspar Bowden
David Boyes
Louis Branz
Ian Brown
John Court
Mary Culnan
Gurpreet Dhillon
Gus Hosein
Anthony House
Richard Kemp
Dapo Ladimeji
Mike Linksvayer
Alastair MacWillson
Siani Pearson
Rufus Pollock
Chris Potter
Dick Price
John Soma
Paul Steinbart
Toby Stevens
Steve Sutton
Scott Taylor
Richard Thomas
Bridget Treacy
Kevin Trilli
Henry Wallis
None of the commentators should be assumed to agree with the views expressed in this report, and they are not responsible for any errors or omissions.
The report’s principal authors are Kirstin Gillon and Robert Hodgkinson.
onl<strong>in</strong>e.<br />
Jackson, Todd, ‘A new Buzz experience based on your feedback’, The Official Gmail Blog,<br />
13 February 2010.<br />
Jefferson, Thomas, ‘Letter to Isaac McPherson, Monticello, August 13, 1813’ <strong>in</strong> Lipscomb, A. (ed.),<br />
The Writ<strong>in</strong>gs of Thomas Jefferson XIII, 1904.<br />
Johnson, Bobbie, ‘Privacy no longer a social norm’, The Guardian, 11 January 2010.<br />
Johnson, Paul, ‘Freeholds and freedom: <strong>the</strong> importance of private property <strong>in</strong> promot<strong>in</strong>g and<br />
secur<strong>in</strong>g liberty’, Economic Affairs, vol 28, no 4, December 2008, pp32-35.<br />
Jorgenson, Dale W. and Vu, Khuong, ‘Information technology and <strong>the</strong> world economy’,<br />
Scand<strong>in</strong>avian Journal of Economics, vol 107, no 4, 2005, pp631-650.<br />
Knight, Sam, ‘All-see<strong>in</strong>g Google Street View prompts privacy fears’, Times Onl<strong>in</strong>e, 1 June 2007.<br />
Knowledge@Wharton, ‘Will Newspaper Readers Pay <strong>the</strong> Freight for Survival’ 19 May 2010.<br />
Kumaraguru, Ponnurangam and Cranor, Lorrie Faith, Privacy Indexes: A Survey of West<strong>in</strong>’s Studies,<br />
Pittsburgh, PA: Institute for Software Research International, School of Computer Science,<br />
Carnegie Mellon University, 2005.<br />
Landes, William and Posner, Richard, The Political Economy of Intellectual Property Law, Wash<strong>in</strong>gton<br />
DC: AEI-Brook<strong>in</strong>gs Jo<strong>in</strong>t Center for Regulatory Studies, 2004.<br />
Larson, Erik, ‘Phone-hack<strong>in</strong>g shows jail needed for data <strong>the</strong>ft, U.K. privacy chief says’, Bloomberg,<br />
29 July 2011.<br />
Lea, David, ‘From <strong>the</strong> Wright bro<strong>the</strong>rs to Microsoft: issues <strong>in</strong> <strong>the</strong> moral ground<strong>in</strong>g of <strong>in</strong>tellectual<br />
property rights’, Bus<strong>in</strong>ess Ethics Quarterly, vol 16, no 4, 2006, pp579-598.<br />
Lessig, Lawrence, ‘CC <strong>in</strong> Review: Lawrence Lessig on How it All Began’, Creative Commons News,<br />
12 October 2005.<br />
Lessig, Lawrence, Remix: Mak<strong>in</strong>g Art and Commerce Thrive <strong>in</strong> <strong>the</strong> Hybrid Economy, London: Pengu<strong>in</strong><br />
Books Ltd, 2008.<br />
Lessig, Lawrence, ‘Aga<strong>in</strong>st transparency: The perils of openness <strong>in</strong> government’, New Republic,<br />
9 October 2009.<br />
Lewis, J. David and Weigert, Andrew, ‘Trust as a social reality’, Social Forces, vol 63, no 4,<br />
June 1985, pp967-985.<br />
London Economics, Study on <strong>the</strong> Economic Benefits of Privacy-Enhanc<strong>in</strong>g Technologies (PETs):<br />
F<strong>in</strong>al Report to <strong>the</strong> European Commission DG Justice, Freedom and Security, July 2010.<br />
Mayer-Schönberger, Viktor, Delete: The Virtue of Forgett<strong>in</strong>g <strong>in</strong> <strong>the</strong> Digital Age, New York: Pr<strong>in</strong>ceton<br />
University Press, 2009.<br />
McK<strong>in</strong>sey, Consumers Driv<strong>in</strong>g <strong>the</strong> Digital Uptake: The Economic Value of Onl<strong>in</strong>e Advertis<strong>in</strong>g-based<br />
Services for Consumers, McK<strong>in</strong>sey/IAB Europe, 2010.<br />
McMillan, Robert, ‘Is it time for RSA to open up about Securid hack’ InfoWorld, 13 June 2011.<br />
Menell, Peter S., ‘Intellectual property and <strong>the</strong> Property Rights Movement’, Regulation, Fall 2007,<br />
pp36-42.<br />
Narayanan, Arv<strong>in</strong>d and Shmatikov, Vitaly, ‘Robust de-anonymization of large sparse datasets<br />
(How to break anonymity of Netflix prize dataset)’, Proceed<strong>in</strong>gs of <strong>the</strong> 29th IEEE Symposium on<br />
Security and Privacy, May 2008, pp111-125.<br />
New York Times, ‘Facebook privacy: a bewilder<strong>in</strong>g tangle of options, 12 May 2010.<br />
Nissenbaum, Helen, ‘Protect<strong>in</strong>g privacy <strong>in</strong> an <strong>in</strong>formation <strong>age</strong>: <strong>the</strong> problem of privacy <strong>in</strong> public’,<br />
Law and Philosophy, vol 17, 1998, pp559-596.<br />
Odlyzko, Andrew, ‘Privacy, economics, and price discrim<strong>in</strong>ation on <strong>the</strong> <strong>in</strong>ternet’, ICEC Proceed<strong>in</strong>gs<br />
of <strong>the</strong> 5th International Conference on Electronic Commerce, 2003, pp355-366.<br />
96 Bibliography
OECD Work<strong>in</strong>g Party on Information Security and Privacy, Mak<strong>in</strong>g Privacy Notices Simple: An OECD<br />
Report And Recommendations, DSTI/ICCP/REG(2006)5/FINAL/ANN, 2006.<br />
Office of <strong>the</strong> Privacy Commissioner of Canada, ‘Letter to Google Inc. Chief Executive Officer’,<br />
press release, 19 April 2010.<br />
Orwell, George, 1984, London: Mart<strong>in</strong> Secker & Warburg Ltd, 1949.<br />
Poynter, Kieran, Review of Information Security at HM Revenue and Customs: F<strong>in</strong>al <strong>report</strong>, 2008.<br />
Prahalad, C.K. and Ramaswamy, Venkat, ‘Co-creat<strong>in</strong>g unique value with customers’, Strategy and<br />
Leadership, vol 32, no 3, 2004, pp4-9.<br />
Price, Dick, ‘What is PCI DSS and who needs to know’ Chartech, February 2010, pp12-14.<br />
Pr<strong>in</strong>s, Corien, ‘When personal data, behavior and virtual identities become a commodity: Would a<br />
property rights approach matter’, SCRIPTed, vol 3, no 4, 2006, p270.<br />
Privacy by Design, Privacy by Design: Essential for Organizational Accountability and Strong Bus<strong>in</strong>ess<br />
Practices, Information and Privacy Commissioner of Ontario / The Centre for Information Policy<br />
Leadership at Hunton & Williams LLP/Hewlett-Packard (Canada), 2009.<br />
InfoSecurity Europe and PwC, Information Security Breaches Survey 2010, 2010.<br />
Quah, Danny, Digital Goods and <strong>the</strong> New Economy, LSE Centre for Economic Performance,<br />
Discussion Paper No 563, 2003.<br />
Rawls, John, A Theory of Justice, Bellknap: Boston, 1971.<br />
Reed, O. Lee and Hipp, E. Clayton, ‘A ‘‘Commonest’’ manifesto: property and <strong>the</strong> general<br />
welfare’, American Bus<strong>in</strong>ess Law Journal, vol 46, issue 1, 2009, pp103-137.<br />
Risch, Michael, ‘Why do we have trade secrets’ Marquette Intellectual Property Law Review, vol 11,<br />
no 1, 2007, pp3-76.<br />
Rob<strong>in</strong>son, Neil, Graux, Hans, Botterman, Maarten, Valeri, Lorenzo, Review of <strong>the</strong> European Data<br />
Protection Directive, Rand Europe/Information Commissioner’s Office, 2009.<br />
Schumpeter, Joseph, Capitalism, Socialism and Democracy, London: G. Allen & Unw<strong>in</strong>, 1943.<br />
Seltzer, William and Anderson, Margo, ‘The dark side of numbers: <strong>the</strong> role of population data<br />
systems <strong>in</strong> human rights abuses’, Social Research, vol 68, no 2, Summer 2001, pp481-513.<br />
Sherman, Michelle, ‘Social Media research + employment decisions: may be a recipe for<br />
litigation’, Social Media Law Update blog, 18 January 2011.<br />
SOAP, ‘F<strong>in</strong>d<strong>in</strong>gs from <strong>the</strong> Study of Open Access Publish<strong>in</strong>g (SOAP)’, 4 April 2011.<br />
Social and Market Strategic Research, Report on <strong>the</strong> F<strong>in</strong>d<strong>in</strong>gs of <strong>the</strong> Information Commissioner’s<br />
Office Annual Track 2010, Hull: SMSR, 2010.<br />
Solove, Daniel J., ‘“I’ve got noth<strong>in</strong>g to hide” and o<strong>the</strong>r misunderstand<strong>in</strong>gs of privacy’, San Diego<br />
Law Review, vol 44, 2007, pp745- 772.<br />
Solove, Daniel J, ‘A taxonomy of privacy’, University of Pennsylvania Law Review, vol 154, no 3,<br />
2006, pp477-560.<br />
Soma, John T., Courson, J. Zachary, Cadk<strong>in</strong>, John, ‘Corporate privacy trend: The ‘value’ of<br />
personally identifiable <strong>in</strong>formation (‘PII’) equals <strong>the</strong> ‘value’ of f<strong>in</strong>ancial assets’, Richmond Journal of<br />
Law and Technology, vol XV, issue 4, 2009, article 11.<br />
Stanford Encyclopaedia of Philosophy, ‘Privacy’, first published onl<strong>in</strong>e 14 May 2002.<br />
Stavrakas, Alexandros, ‘When piracy isn’t <strong>the</strong>ft’, The Guardian, 24 November 2009.<br />
Thomas, Richard and Walport, Mark, Data Shar<strong>in</strong>g Review, 2008.<br />
The Economist, ‘Inventive warfare’, 20 August 2011, pp53-54.<br />
The Economist, ‘Patently different’, 20 August 2011, p54.<br />
Varian, Hal R. and Shapiro, Carl, Information Rules: A Strategic Guide to <strong>the</strong> Network Economy,<br />
Boston: Harvard Bus<strong>in</strong>ess Press, 1998.<br />
Vijayan, Jaikumar, ‘TJX data breach: at 45.6M card numbers, it’s <strong>the</strong> biggest ever’, Computerworld,<br />
29 March 2007.<br />
Warren, Samuel and Brandeis, Louis, ‘The right to privacy’, Harvard Law Review, vol 4, 1890,<br />
pp193-220.<br />
Bibliography<br />
97
Weitzner, Daniel J., Abelson, Harold, Berners-Lee, Tim, Feigenbaum, Joan, Hendler, James and<br />
Sussman, Gerald Jay, ‘Information accountability’, Communications of <strong>the</strong> ACM, vol 51, no 6,<br />
June 2008, pp82-87.<br />
West<strong>in</strong>, Alan F., Privacy and Freedom, New York: A<strong>the</strong>neum, 1967.<br />
West<strong>in</strong>, Alan F., ‘Social and political dimensions of privacy’, Journal of Social Issues, vol 59, no 2,<br />
2003, pp431-453.<br />
Whitman, James Q., ‘The two Western cultures of privacy: dignity versus liberty’, Yale Law Journal,<br />
vol 113, 2004, pp1152-1221.<br />
Wiener, Norbert, Cybernetics or Control and Communication <strong>in</strong> <strong>the</strong> Animal and <strong>the</strong> Mach<strong>in</strong>e,<br />
New York: Technology Press/John Wiley & Sons, 1948.<br />
Wiener, Norbert, The Human Use of Human Be<strong>in</strong>gs: Cybernetics and Society, Boston: Houghton<br />
Miffl<strong>in</strong>, 1950.<br />
Williams, Christopher, ‘BT and Phorm: how an onl<strong>in</strong>e privacy scandal unfolded’, The Telegraph,<br />
8 April 2011.<br />
Wilson, Jennifer Fisher, ‘Health Insurance Portability and Accountability Act Privacy rule causes<br />
on-go<strong>in</strong>g concerns among cl<strong>in</strong>icians and researchers’, Annuls of Internal Medic<strong>in</strong>e, vol 145, no 4,<br />
2006, pp313-6.<br />
YouTube, Terms of Service, available onl<strong>in</strong>e.<br />
Zuckerberg, Mark, ‘From Facebook, answer<strong>in</strong>g privacy concerns with new sett<strong>in</strong>gs’, Wash<strong>in</strong>gton<br />
Post, 24 May 2010.<br />
98 Bibliography
The ICAEW is a founder member of the Global Accounting Alliance, which
represents over 775,000 professional accountants in over 165 countries
worldwide, to promote quality services, share information and collaborate
on important international issues.

ICAEW is a professional membership organisation, supporting over 136,000
chartered accountants around the world. Through our technical knowledge,
skills and expertise, we provide insight and leadership to the global accountancy
and finance profession.

Our members provide financial knowledge and guidance based on the
highest professional, technical and ethical standards. We develop and support
individuals, organisations and communities to help them achieve long-term,
sustainable economic value.

Because of us, people can do business with confidence.

ICAEW
Chartered Accountants’ Hall
Moorgate Place
London EC2R 6EA UK
T +44 (0)20 7920 8100
E informationsystems@icaew.com
icaew.com/informationsystems
linkedin.com – ICAEW IT Faculty
twitter.com/icaew_itfaculty
facebook.com/icaew

£45.00
©ICAEW 2011 TECPLN10756 11/11