elevenM collaborates with IPC NSW for PAW 2022

elevenM is excited to be collaborating with the Information and Privacy Commission NSW (IPC) for Privacy Awareness Week 2022 to help NSW government agencies in the management of privacy risks. 

We’ve partnered with IPC on the development of a new Privacy Impact Assessment (PIA) questionnaire that NSW public sector agencies can use to assess their websites for privacy risks. By using this tool, NSW Government agencies can draw on industry best practices to more efficiently assess privacy risks and identify remediation actions. 

The new IPC tool draws from elevenM’s PIA and privacy tooling suite. Anyone that’s done a PIA will know that PIA tools come in many shapes and sizes.  

There are tools for specific industries and business contexts and for individual jurisdictions and legal frameworks. Some tools function primarily as questionnaires, others offer guidance and recommendations. There are tools designed to be used by privacy experts, while others bake-in expert knowledge so they can be used by anyone in the business. 

elevenM’s privacy experts have worked with all these kinds of PIA tools, using them with many business clients and in a variety of contexts. We’ve drawn on this collective experience to create a library of PIA and privacy tools that is most useful and practical. 

If you’d like more information about our PIA tools, please contact us at hello@elevenm.com 

For more information about our collaboration with IPC, please refer to their PAW 2022 webpage.

When it’s all by design

elevenM Principal Arjun Ramachandran reflects on the explosion of “by design” methodologies, and why we must ensure it doesn’t become a catchphrase.

Things catch on fast in business.

Software-as-a-service had barely taken hold as a concept before enterprising outfits saw opportunities to make similar offerings up and down the stack. Platform-as-a-service and infrastructure-as-a-service followed swiftly, then data-as-a-service.

Soon enough, the idea broke free of the tech stack entirely. There emerged CRM-as-a-service, HR-as-a-service and CEO-as-a-service.

“As a service” could in theory reflect a fundamentally new business model. Often though, simply appending the words “as a service” to an existing product gave it a modern sheen that was “on trend”. Today, you can get elevators-as-a-service, wellness-as-a-service and even an NFT-as-a-service.

A few days ago, I came across a hashtag on Twitter – #trustbydesign – that gave me pause about whether something similar was underway in an area closer to home to me professionally.

For those in privacy and security, the “by design” imperative is not new. Nor is it trite.

“Privacy by design” – in which privacy considerations are baked into new initiatives at design phase, rather than remediated at the end – is a core part of modern privacy approaches. In a similar way, “secure by design” is now a familiar concept that emphasises shifting security conversations forward in the solution development journey, rather than relegating them to bug fixes or risk acceptances at the end.

But could we be entering similar territory to the as-a-service crew? For those involved broadly in the pursuit of humanising tech, on top of privacy by design and secure by design there are now exclamations of safety by design, resilience by design, ethical by design, care by design, empathy by design and the aforementioned trust by design.

Don’t get me wrong, I love a good spin-off. But as we continue to promote doing things “by design”, it’s worth keeping an eye to its usage and promotion, so it doesn’t become a hollow catchphrase at the mercy of marketing exploitation (for a parallel, see how some security peeps are now vigorously standing up to defend “zero trust”, a security approach, against assertions that it’s “just a marketing ploy”).

Doing things “by design” is important and valuable. It speaks to a crystalising of intent. A desire to do things right, and to do them up front. In fields like privacy and security, where risks have historically been raised late in the piece or as an afterthought (and sometimes ignored as a result), the emergence and adoption of “by design” approaches is a welcome and impactful change.

As “by design” catches on as a buzzword, however, it’s vital we ensure there’s substance sitting behind each of its variants. Consider the following two examples.

Privacy by design
Privacy Impact Assessments are a rigorous, systematic and well-established assessment process that provides structure and tangible output to the higher intent of “privacy by design”. Regulators like the OAIC endorse their use and publish guidance on how to do them. At elevenM, we live and breathe PIAs. Whether undertaking detailed gap analyses and writing reports (narrative, factual, checklist based, metric based, anchored to organisational risk frameworks, national or international), training clients on PIAs or supporting them with automated tools and templates, we’re making the assessment of privacy impacts – and therefore privacy – easier to embed in project lifecycles. 

Ethics by design
The area of data ethics is a fast-emerging priority for data-driven businesses. We’ve been excited to work with clients on ways of designing and implementing ethical principles, including through the development of frameworks and toolkits that enable these principles to be operationalised into actions that organisations can take to make their data initiatives more ethical by design.

At a minimum, a similar structured framework or methodology should be articulated for any “by design” philosophy.

A final consideration for businesses is the need to synthesise these “by design” approaches as they take hold. There’s some risk that these various imperatives – privacy, security, data governance, ethics – will compete and clash as they converge at the design phase. It’ll be increasingly vital to have teams with cross-disciplinary capability or expertise who can efficiently integrate the objectives and outcomes of each area towards an overall outcome of greater trust.

We leave the closing words to Kid Cudi: “And the choices you made, it’s all by design”.

If we can help you with your “by design” approaches, reach us at hello@elevenm.com

Photo by davisuko on Unsplash

elevenM’s submission to the Privacy Act Review

In its current form the Privacy Act is not fit for purpose for the modern digital economy – as has been widely observed, including in our previous posts

It doesn’t adequately support consumers to understand how their information is to be handled or give them assurance that they have any control over such handling.  

It doesn’t aid consumers to make informed and impactful decisions.  

Its cornerstones of consent and notice are outdated and no longer effective.  

That’s why we are grateful to have the opportunity to contribute to the current review of the Privacy Act. 

Our submission to the Privacy Act Review Discussion paper has recently been published by the Attorney General’s department. You can read it in full here

We welcome any feedback. Please get in touch at hello@eleven.com

Has the cookie crumbled?

elevenM’s Chaitalee Sohoni dives into the what and why of third-party cookies, Google’s plan to phase them out and what this means for businesses and individuals alike.

By 2023, Google Chrome will phase out support for third-party cookies as part of its Privacy Sandbox Initiative with Stage 1 set to start by late 2022.

Google first announced its intention to eliminate third-party cookies from its Chrome browser in early 2020 and made it explicit that they ‘will not build alternate identifiers to track individuals as they browse across the web‘.

If you have been on a website in the last couple of years, you might have encountered an annoying pop-up inviting you to read the company’s ‘cookie policy’ and review your cookie preferences. Chances are you clicked ‘agree’ without reading it and moved on to the content of the page, mostly because privacy policies are tedious to read. The cookie policy on any website is essentially notifying you that a cookie is downloaded to your computer to ‘enhance’ your browsing experience each time you visit the website.

But what exactly are cookies and how do they affect you?

A cookie is a piece of data in the form of small text files that are unique to each user. When you visit a new website, cookies are created to identify you and personalise your experience based on your browsing history.

While cookies aren’t bad, what we choose to do with them is problematic because it raises concerns about data privacy.

Cookies were invented by Lou Montulli in 1994 and have since been the backbone of internet browsing experience. Cookies are created to remember and recall information that is useful while browsing, such as log in information or the previous page on a website. Without cookies, browsing the internet would be an extremely frustrating process — imagine adding an item to your cart when you shop online, and having it disappear each time you go back to add more items. Think Dory from Finding Nemo.

There are two kinds of cookies: First-party cookies and third-party cookies. First-party cookies are created and downloaded from the primary website you are visiting.

Third-party cookies, however, are generated and saved on your computer by multiple websites whose information is embedded on the primary website you browse. For example, when you visit a website, it’ll most likely contain advertisements or images from other websites or even a Facebook ‘like’ button. Even if you don’t click on them, cookies from their websites are created and stored on your system.

If you have ever had an advertisement follow you around on the internet, it is because of third-party cookies. Based on the websites you visit, cookies gather a great deal of information about you such as your age bracket, gender, location, interests, personal preferences etc. Advertising companies use cookies to track your activity on the internet by building a profile of your interests based on your browsing history to send you personalised advertisements. Cookies allow companies to make more money by helping them find the right audience for their products. Platforms such as Facebook and Google are heavily incentivised to ensure advertisements from brands reach the targeted users.

With its Sandbox Initiative, Google aims to withdraw support for third-party cookies. At first glance, this move appears to be a step in the right direction for data privacy, but Google is a tad late to this party. Mozilla’s Firefox, Apple’s Safari and Brave blocked third-party cookies years ago, making them more privacy robust browsers. There’s also DuckDuckGo, a more secure search engine that also offers a browser for mobile phones.

Google may not be the first to ban cookies but Chrome is the most popular browsing platform with a global web browsing market share of 64.4% as of January 2022, which is significant when compared to Safari or Firefox, which only account for 16.9% and 3.9%, respectively. And so, Google’s plan to phase out cookies is a big deal in the world of internet.

With Google hopping on the bandwagon, does this spell the end for third-party cookies? Maybe. Does it mean that your browsing history won’t be tracked anymore? The answer is not that simple.

Eliminating third-party cookies does remove the power advertising companies have in terms of tracking individuals, but it places that power directly into Google’s hands. With Chrome not relying on third-party cookies to collect data about users, Google will no longer support companies in selling targeted web advertisements to individuals. This move will give Google an upper hand in collecting first-party data from users including collecting data from mobile applications to which the cookie ban doesn’t apply.

Google’s move will have a drastic impact on businesses and advertisers as they will need to rely heavily on first-party data or find alternatives to reach their audiences. In a joint statement, the Association of National Advertising and the American Association of Advertising Agencies have pointed out that ‘Google’s decision to block third-party cookies in Chrome could have major competitive impacts for digital businesses, consumer services, and technological innovation.’

Proposed legislative changes in this area will also have a bearing on businesses. In the review of the Privacy Act currently underway, one of the proposed changes includes replacing ‘about’ with ‘related to’ in the definition of personal information in the Privacy Act 1988. The purpose of this change is to explicitly bring more technical identifiers such as IP addresses or unique, persistent identifiers used in cookies within the scope of the Act. Under this new definition, unique identifiers are very likely to be considered personal information and this change will therefore have a bearing on the use of cookies by websites that depend on unique identifiers to track individuals.

Google initially wanted to replace third-party cookies with Federated Learning of Cohorts (FLoCs). FLoCs was designed to track individuals based on their web browsing to group them into cohorts that were defined by similar interests. However, in January this year, Google announced that it was replacing FLoCs with Topics. Topics is also built on the idea of interest-based advertising where the browser determines top interests for users based on their browsing history stating ‘it provides you with a more recognizable way to see and control how your data is shared, compared to tracking mechanisms like third-party cookies.’

Google is still exploring options to fulfil its promise to phase out the use of third-party cookies by 2023, a delay from its initial plan to phase them out by 2022. We may have to wait a little longer to see how third-party cookies will be replaced by Google.

[UPDATE: An earlier version of this post stated Google intended to replace third-party cookies with Federated Learning of Cohorts (FLoCs), however it has now opted to replace them with Topics.]