Microsoft claims compliance with ISO data privacy standard

Microsoft says its compliance with a data privacy standard set by the International Organization for Standardization (ISO) means customer data in its Azure cloud will be safer from prying eyes.

The ISO/IEC 27018 standard aims to establish “a uniform, international approach to protecting privacy for personal data stored in the cloud,” Microsoft General Counsel and EVP Brad Smith wrote in a blog post.

A third party, the British Standards Institution (BSI), has verified that Microsoft Azure, as well as Office 365 and Dynamics CRM Online, meets the ISO criteria, Smith noted.

Compliance means that the vendor’s customer controls her data and will know what’s happening with that data down the line. It also requires the vendor to implement strong security and restricts how data can be handled on public networks, transportable media, etc. And it means that data will not be used for advertising — which means that [company]Google[/company] is unlikely to climb aboard this particular bandwagon.

This is not an academic exercise for [company]Microsoft[/company], which is fighting a U.S. court order to turn over customer data residing in its Dublin data center to U.S. authorities.

Cloud competitors are likely to call this a PR stunt — a concept that Microsoft is familiar with — but a security expert said ISO/IEC 27018 certification could become a major selling point to privacy-obsessed consumers who balk at the notion that Google, because of its advertising business, uses customer data to sell stuff.

Said this expert, who requested anonymity because he works with both Google and Microsoft:  “Google would never agree to this since advertising is everything to them … Personally when I pay someone for a service, I expect my data to be private. When I use a service for free I accept that it is being paid for by sacrificing my privacy.”

For more on Microsoft’s data privacy stance, see Smith’s talk at last year’s Structure show below.


Oracle paid north of $1.2B for Datalogix, says WSJ

Right before Christmas, when [company]Oracle[/company] announced plans to buy Datalogix, it didn’t detail the price. Now The Wall Street Journal (paywall) is filling in the blanks, reporting that the price tag is $1.2 billion, according to two anonymous sources “familiar with the deal.”

Oracle did not comment for this story.

Datalogix collects consumer sentiment by the truckload via agreements with [company]Facebook[/company], [company]Twitter[/company] and other sources. In its press release, Oracle said Datalogix “aggregates and provides insights on over $2 trillion in consumer spending from 1,500 data partners across 110 million households to provide purchase-based targeting and drive more sales.”

It also said that Datalogix has more than 650 customers, including “82 of the top 100 US advertisers such as [company]Ford[/company] and [company]Kraft[/company],” and that 7 of the top 8 digital media publishers, including the aforementioned Facebook and Twitter, use Datalogix to “enhance their media.”

Hmmm. Given the tremendous amount of money, time and effort companies spend to better target marketing and ad pitches, that consumer info is probably worth a pretty penny. But the fact that Oracle, the database market leader and a power in enterprise software, is now buying up consumer data raised more than a few eyebrows, especially coming as it did after a number of other deals that seem to be consolidating vast troves of consumer data in a few powerful hands. Oracle made this move after having already acquired BlueKai, a Cambridge, Mass. startup that parses information about what consumers are looking to buy both online and in the real world.

In particular, watchdog group The Center for Digital Democracy has asked the FTC to review this deal with an eye to whether it gives Oracle too much access to too much customer data. The CDD also cited Acxiom’s purchase of LiveRamp in May; [company]Adobe Systems[/company]’ purchase of Neolane in June 2013; and Oracle’s acquisitions of Eloqua in December 2012 and Responsys a year later as signs that data aggregation is becoming a problem.

The Datalogix-Facebook tie-in is of special note, since under an existing settlement with the FTC, Facebook agreed to obtain consumers’ permission before sharing their data. The specter of that agreement surfaced when Facebook bought WhatsApp.

The consolidation of data aggregators is a topic we can bring up next month with FTC Commissioner Julie Brill who will speak at Structure Data.

For what it’s worth on the pricing issue, public companies do not have to disclose the purchase price of a private company unless that price is “material” to their business. The definition of materiality is a bit loosey-goosey, however. If you want to delve into the niceties, check out Concepts Statement No. 2 from the Financial Accounting Standards Board.


MIT researcher on internet misogyny and programming for privacy

Jean Yang is a Ph.D. candidate at MIT and the creator of a language called Jeeves that automatically manages privacy policy in software programs. In 2013, she presented on Jeeves at Gigaom’s Structure conference, as one of 10 young trailblazers in cloud computing. In December, she and two other female Ph.D. students at MIT did an Ask Me Anything session on Reddit that was supposed to be about computer science but quickly devolved into a litany of misogynistic comments (the three subsequently published an opinion piece on Wired about the experience).

This week, Yang came on the Structure Show podcast to talk about her work, her future, Jeeves’ future and the unfortunate realities of sexism. Here are some highlights from a very interesting interview.


Why Jeeves matters

Essentially, Yang explained, projects like Jeeves matter because privacy policies are becoming an integral part of applications, but managing them is still a task most programmers would like to do without.

“Right now, if you change the policy or if you change the code, you have to go through and update this spaghetti of policy and code and cross your fingers and hope that everything’s happening right,” she said. “. . . If someone else wrote that code and you’re just maintaining it, well, good luck.”

She continued: “The idea is, with our model … if we’re starting from scratch, we want to be able to specify the policies here, the stuff that uses the policies over there. So if programmers want to make a change to the policies, they can just go update the policies and rely on the enforcement to do everything else, and if they want to change the code they don’t have to touch the policies.”
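The separation Yang describes — policies declared in one place, application code written without policy checks, and enforcement applied automatically — can be sketched in plain Python. This is a hypothetical illustration of the idea, not the actual Jeeves API; the `POLICIES` table and `enforce` function are invented names for the sake of the example.

```python
# Hypothetical sketch of policy-agnostic programming -- NOT the real
# Jeeves API. All privacy policy lives in one table; application code
# never checks policy itself.

# --- "policies.py": field name -> predicate deciding visibility ---
POLICIES = {
    "owner": lambda record, viewer: True,                      # public
    "name":  lambda record, viewer: True,                      # public
    "email": lambda record, viewer: viewer == record["owner"], # owner-only
}

def enforce(record, viewer):
    """Return a view of `record` with each field revealed or redacted
    according to POLICIES. Unknown fields default to deny, so adding a
    field without a policy fails closed rather than leaking data."""
    view = {}
    for field, value in record.items():
        policy = POLICIES.get(field, lambda r, v: False)  # default deny
        view[field] = value if policy(record, viewer) else "<redacted>"
    return view

# --- application code: contains no policy logic at all ---
user = {"owner": "alice", "name": "Alice", "email": "alice@example.com"}

print(enforce(user, viewer="alice"))  # the owner sees every field
print(enforce(user, viewer="bob"))    # email is redacted for others
```

Changing a policy means editing only the `POLICIES` table; the application code that builds and displays `user` records never has to be touched, which is the maintenance win Yang describes.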


Is it ready for primetime?

Right now, Jeeves is a fine research project and even has a Python library that rewrites code into Jeeves on the fly. There’s also an extension for the Django web framework that works with both the application and database code. But it’s probably a few years away from being ready to be pushed into industry and readied for production workloads, Yang said.

“Right now, we’ve run a small conference management system using our web framework,” she explained. “But, you know, it’s a small conference management system — we’re not building Facebook with it. I think in order to build a more realistic system using it, we’d have to really look at the scaling issues, and there are some good research issues there. … It turns out that carrying the policies around with the data is pretty expensive.”

Confronting the trolls on Reddit

Yang said she was warned about the risk of sexist comments when she told people she and her peers would be doing the AMA, but she wasn’t about to let fear — or the trolls — win. And besides, she still wanted to interact with the kinder community members and answer legitimate questions about computer science education.

“I think it’s kind of bogus that women are kept out of certain physical and online spaces because of the threat of harm,” Yang said. “And I think that there’s this perception that if a woman goes out into the internet she’s going to be harassed or something like that, and I really wanted to test it for myself and show people that it’s not that big of a deal.”


When misogyny hits home

While some warned Yang and her cohorts about sexism and advised against doing the AMA, others didn’t seem to think it would be a problem. She said they seemed surprised, after reading the piece on Wired, that people would act that way.

Certainly they had heard about “Gamergate,” she said, but “maybe they think, ‘Oh, gamers, that’s not part of our culture’ or something like that — ‘That’s a subculture.’ But to see it affect people who they didn’t see as part of some niche subculture maybe hit them differently.”

Data privacy isn’t dead with the internet of things, just different

Even as websites, wearable computers and, increasingly, every piece of technology we touch gathers and analyzes our data, there’s still hope that privacy will survive. Making that case, however, might mean working from a different definition of privacy than we’re used to.

One cold, hard fact about data privacy is that the data-collection ship sailed long ago, never to return. With limited exceptions, consumers can’t really stop tech companies from collecting data about them. When we log into web services, make phone calls, play our favorite apps or buy the latest in connected jewelry, we’re giving those companies the right to collect just about whatever information they please about who we are and how we use their products.

The situation isn’t wholly good or bad — data analysis is behind lots of user experience improvements as well as targeted ads, for example — but understanding it is critical to understanding what the future of data privacy might look like. There’s not much point in debating what companies can or should collect (because collecting is so easy and regulating it is so hard), but there is an opportunity to put some limits on what companies do with data once they have it.

This is why the White House, as part of its new consumer privacy push unveiled on Monday morning, is talking about how student data is used and how smart grid data is secured, rather than what’s collected. It’s why Federal Trade Commission chairperson Edith Ramirez, speaking about the internet of things at last week’s Consumer Electronics Show, spoke about how long companies should store user data and not whether they should collect it.


The internet of things, in fact, is a prime example of why we’ll probably never be able to put a lid on data collection: because many people actually crave it. The whole point of connected devices is that they collect our data and do something with it, presumably something that users view as beneficial. If I love my fitness tracker or my smart thermostat, I can’t really be upset that it’s sucking up my data.

What I can be upset about, however, is when the company does something unethical or negligent with my data, or something I didn’t agree to (at least constructively) in the privacy policy. It seems this is where a lot of regulatory energy is now being spent, and that’s probably a good thing. (We’ll also delve into this topic at our Structure Data conference in March, with FTC Commissioner Julie Brill.)

Even if it’s forced on them, companies selling connected devices need a framework for thinking of user data not just as a valuable resource, but also as something over which they’re the stewards. Collect the data, analyze it, make your money — the whole industry is predicated on these things. But know there will be penalties in place if you do something bad, or even just stupid.

The August lock.

Of course, the devil here will be in the details. What constitutes an acceptable use, security protocol or retention period could vary widely based on industry, company, product, cost or any number of other variables. A connected car is not a fitness tracker. A smart door lock is not a connected toothbrush.

But hopefully, the attention the internet of things is getting early on means lawmakers and regulators will be able to come up with some workable, flexible and relatively future-proof rules sooner rather than later. The last thing we want — especially when dealing with data about our physical-world activity — is a repeat of the web, where it’s 25 years later and we still haven’t figured out what privacy means.

Watchdog group urges FTC to scrutinize latest Oracle deal

The Center for Digital Democracy wants the Federal Trade Commission to take a hard look at Oracle’s proposed acquisition of Datalogix, announced Monday morning.

The combined consumer data gathered by [company]Datalogix[/company] (via partnerships with [company]Facebook[/company] and [company]Twitter[/company] and other sources) along with Oracle’s earlier buyout of BlueKai, another data broker, may give [company]Oracle[/company] just a little too much consumer data for the public’s own good, according to the CDD.

In a quick phone interview, CDD Executive Director Jeff Chester said the regulatory agency needs to look at data privacy issues when considering the competitive aspects of such M&A activity. The CDD has a list of M&A deals that it says indicates a hastening consolidation of data-aggregating companies, including Acxiom’s purchase of LiveRamp in May; Adobe Systems’ acquisition of Neolane in June 2013; and Oracle’s acquisitions of Eloqua in December 2012 and Responsys a year later.

In an earlier emailed statement, Chester said:

“Through the data it gathers on what we buy, and with its relationship with Facebook and other powerful marketers, Datalogix consists of an online treasure trove of data on Americans. The Oracle deal announced today follows its recent acquisition as well of Bluekai, which holds reams of information on consumers.”

The CDD also pointed out that under a previous settlement with the FTC, Facebook agreed to obtain consumers’ permission before sharing their data. The specter of that agreement surfaced when Facebook bought WhatsApp.

Chester also said:

“[Given] the FTC’s 20-year consent decree with Facebook, and the role that Datalogix plays with the social network, it also must review whether the deal requires additional safeguards under that decree. The growing consolidation of information on every American and whatever we do — regardless of location, time of day, whether we are online or off — should trigger action, as well as soul searching by both policymakers and the public.”

In August the CDD asked the FTC to look into the practices of both data brokers — including Datalogix and Acxiom — and marketing software companies, to make sure they were complying with the Safe Harbor framework between the U.S. and the European Union. That safe harbor provision lets these U.S. vendors “self-certify” that they are adhering to strong data protection standards.

Oracle hopes to use that data to inform its marketing automation software and “data cloud.” In that arena it competes with [company]Adobe Systems[/company] and others.

Oracle had no comment for this story.

Note: this story was updated at 11:25 a.m. PST with Jeff Chester’s comment and again at 11:51 a.m. PST with CDD’s list of data aggregator-linked mergers and acquisitions.

Can a market where consumers sell their data actually work?

Two news stories from Wednesday — one about a startup trying to play data broker between user and website, and another about a study into what people would charge for their personal data — offer more evidence that there’s an appetite for a market where consumers sell their data to advertisers and websites. The idea isn’t new (we wrote about its traction back in 2012) and actually has merit, because it puts money in consumers’ pockets and higher-quality data in advertisers’ databases. But monetizing the idea might be easier said than done: Enliken, one of the startups we covered in that 2012 piece, appears to have closed its doors.