Friday, July 16, 2010

How can product managers show leadership on privacy issues?

By Mark Helfen

It's scary out there, and Phil Burton has the stories to prove it. Customer profiles and data put at risk by poor design, poor testing, and just not caring.

Burton is Principal Consultant and Trainer at the 280 Group, who bill themselves as "Product Marketing and Product Management Experts." Burton has been with them for four years, and has a 25-year career in product management and product marketing focused on information security, data communications and networking.

The problems come from three source - policies that the company decides on, or maybe ignores making a decision. Operations that don't work well, and customers that aren't educated. In the end, product manager will need to provide leadership in all three areas.

At Monday's (7/12/2010) SDForum combined Marketing and Security SIG meeting, Burton discussed a long list of companies where poor decisions and operations about privacy put their brand image at risk.

Facebook is in a class all of its own, maybe because of its size. If you were alive and breathing over the last 90 days, you couldn't have missed the huge controversy over their new (and newer again) privacy settings. According to Burton, the privacy policy reflects Facebook's long-standing strategy to "monetize their customers private information.

In Burton's estimate, Facebook is "cavalier" about sharing users private data. "Its astonishing how much information they consider public."

In a famous speech, Facebook's founder said, "the age of privacy is over."

Blippy is another example. The company lets their users share limited information about their credit purchases with their friends, who can see what their friend's latest purchases are. But in an example of an operational failure, the system exposed information it wasn't supposed to - the credit card numbers of their users.

ATT  When the iPad was released, ATT accidentally released the phone numbers and cell phone identifiers of thousands of their customers.

Problems in user education could be illustrated by phishing attacks - emails that look like something official, but a click on a web link takes you to some place malicious. Maybe a simulation of your banks web site. Or maybe to a page that will do a "drive by download" of damaging code to your system.

Phishing is only one of a large variety of scams that can be attempted over the net. Because of the combination of anonymity, geographic freedom, and the almost zero cost of sending out huge volumes of bogus information, it's an easy way to make money. While no astute Marketing SIG member would be so uneducated to fall for such a fake, cyber crime is really big business.

"International cyber crime is bigger than international drug trade," said Burton.

In the internet space, damage to the reputation of your brand can be quick and long lasting. Large companies like Facebook or Google will probably recover. Smaller for companies, the effect can  be fatal.


So what's a product manager to do?

Your job is to exercise leadership in making the product a success. There is always a battle between time to market, and privacy and security concerns. The product specification, whether in an MRD or another format needs to help strike the correct balance.

Both privacy - the policy, and security - the technological implementation, can be quite complex, and product manager specialized in other market areas may not feel they have the expertise to develop privacy requirements.

Burton suggested a checklist to help product managers get the right privacy requirements for the product:

  • Specify privacy requirements, both for you and your partners.
  • Insist that someone other than the people who wrote the code test security and privacy.
  • Work with a specialized security vendor on emerging threats.
  • Make it easy for customers/users to remove their own information.
  • Simplify the data sharing options. Quoting Steve Jobs, "customers should know what they are signing up for."


Privacy and security requirements are only going to get more critical as "things" that currently are stand-alone become networked and connected to the internet. This "internet of things" will become widespread and pervasive.

For example, to control energy use, your houses electrical metering system will be on-line. This will allow electric utilities to vary their charges by time of day. In areas in California serviced by PG&E, this has already begun, with the installation of "smart meters." These meters are network enabled, using a radio system to send your usage data to a local access point, and eventually back to PG&E. There have been complaints that the information is not sufficiently secured, allowing someone driving by to read the information. Among the possibilities are that people could cheat the utility out of money, or infer the times and days you are not at home.

Burton supplied another example of heart pacemakers where settings can be changed by an external signal. Heart rates could be sped up or slowed down.

"Imagine if the information is not secure," said Burton. "If I know someone has a pacemaker, I might use that information to blackmail them."

"Imagine this in a worldwide cyber crime sense."

Privacy issues are going to play an ever-larger role in the design of products in a connected, Web 2.0 world, and product managers can't avoid their part in attacking the problem.


Mark Helfen is a freelance writer, journalist, and marketing consultant. He can be reached at:



follow me on Twitter:


No comments: