Great (Privacy) Expectations

Publish date:

Hewlett-Packard chief privacy officer Scott Taylor spoke with Multichannel News Washington bureau chief John Eggerton
after a recent hearing on online privacy and data security. The computing giant backs what it calls a “chain of accountability,”
which includes baseline federal legislation to “articulate expectations for all organizations.” It supports the
underlying goals of the trifecta of privacy and security bills being floated in Congress: data-security breach notification,
do-not-track legislation (with some caveats) and a privacy “bill of rights.” As Congress, the Federal Trade Commission
and the Commerce Department all prepare their government responses to the pressing issue of protecting online privacy, as well as
the online-advertising business model that supports all that free content, Taylor spoke about HP’s support for government action.

MCN: At the June hearing, you seemed very
supportive of government oversight of privacy.
Is that accurate?

Scott Taylor: Yes, it is true that for many years
we have been calling for omnibus federal legislation,
and as time has gone by, we actually
believe that workable legislation has become
even more important.

MCN: So, you don’t believe industry can selfregulate
privacy on its own?

ST: I would say that it is a combination. Legislation
plays a critical role in setting the foundation
of expectations. An example would
be applications providers, who are critically
important to HP [which bought smartphone
maker Palm in 2010].

There is nothing in this country today that
actually establishes a requirement that an organization
that may be interacting with tens of
thousands of individuals has even a basic privacy
policy. And that creates a real issue as more
and more services are delivered by multiple parties.
It would certainly be nice to know, both for
us as companies and consumers, that there is a
level of consistent expectation that all organizations
have to follow.

MCN: Are there limits to what the government
ought to be able to do?

ST: The approach that the Kerry-McCain bill
[privacy “bill of rights”] is taking is clearly
based on fundamentals in fair information
practices, principles-based expectations that
have lasted through most of the technology
changes we’ve seen. So I think most people
would argue that fair information practices
are a pretty good foundation of a very highlevel

There are three additional innovative concepts
introduced as part of that bill. One is the
expectation that organizations put some kind
of privacy-by-design program in place. It does
not specify exactly how you do that. It sets an
expectation that scales from incredibly sophisticated
tools like we have at HP, because
we have hundreds of thousands of employees,
to as simple as a spreadsheet of a checklist. But
I really do believe that incenting companies in
legislation to be thinking about privacy in the
earliest stages of design and development is
something that is going to benefit everyone.
[Businesses] themselves because, certainly,
business-investment risk can be a problem if
they don’t think about privacy or data security,
but the consumers themselves so that we are
doing a better job of not surprising the consumer
and potentially meeting their expectations
even if they may not understand that
expectation if it is a new product or new type
of service or a business model.

To me, that is very prudent advice that the
legislation would set forth.

Another innovative area is the concept of
accountability. As you look at the legislation,
it really does nothing more than to set expectations
that an organization is going to not
just say what they do, but have mechanisms
in place to do what they say.

Again, it does not prescribe specifically
how that would be done, but it certainly sets
a baseline expectation that organizations will
have people responsible, that they will have
commitments that are clearly articulated,
that they make transparent, and that they are
going to have programs that put those commitments
into effect and, to a certain level
have some kind of oversight and assessment.

Does it concern you that Sen. Jay
Rockefeller (D-W.Va.)’s idea of do not track
appears to be the ability to say, ‘Do not
track, period?’

ST: I think that is one of the areas that we
want to work with Senator Rockefeller and
his team on. At the end of the day, consumers
should have the choice when they
come to an online presence to understand
whether their information is being tracked
at a personal level or just aggregate statistics
that can’t be tied to them. I believe that
with a little more clarity around that distinction,
it would become acceptable to the

I don’t think consumer activists have an issue
with truly aggregate information where
any personal identified [information], such as
an IP address or in a cookie, if they are truly
disaggregated and made unusable. I think it
really comes down to, ‘Am I being tracked at
a personal level?’