Privacy is the new purpose: why all brands need a chief hacking officer
February 01, 2016
High-profile hacking cases and daily bombardments of unwanted marketing interventions in personal browsing and leisure time are forcing consumers to rethink what data they share and with whom they share it. Marketers have to reframe the data issue, writes Rebecca Coleman.
Privacy – a word that sets alarm bells ringing for marketers and consumers alike. From TalkTalk to Ashley Madison, as threats and concerns escalate at pace, and growing calls for legislation threaten to drown out the potential value, to all parties, of data-sharing, we are beginning to see a seismic shift in attitudes and behaviours relating to privacy and security.
"To have the right to access consumer data is a privilege not to be treated lightly"
In a recent Guardian review of Alexa, the name given to the Echo device, Amazon’s voice-controlled personal assistant, author and computer programmer Ellen Ullman asserted that, with the dawn of the Internet of Things and in-home, in-car and on-body AI, we’re looking to a world of ever-more blurred lines. "The boundary between the outside world and the self is penetrated," she said. "And the boundary between your home and the outside world is penetrated."
Despite this, the article’s writer, Rory Carroll, concludes that, for him, the service offered by Alexa outweighs any breach of personal privacy. "I bow to the god of convenience. A day will come when I’m alone in the kitchen, cooking with sticky fingers, and I’ll need reminding how many teaspoons are in a tablespoon."
He may be a sample of only one, but Carroll clearly felt there was a worthwhile value exchange in place. He was happy to let this connected device listen in to his conversations, without knowing what might be done with this intelligence, in return for the ultra-convenience of a personal assistant at his command 24/7.
This idea of value exchange is one that has permeated marketing conversations about privacy for years, and yet the rise of ad-blocking – or, to use the term of the moment, ‘adblockalypse’ – proves that people still don’t think the industry is being helpful enough to warrant excessive intrusions into their personal time.
As Fern Miller, chief strategy and insight officer at marketing and technology agency DigitasLBi, explains: "When people realise that they’re powering a machine, that’s when all the joy is taken out. People need to feel part of your business model. There needs to be a fair value exchange. We’re starting to understand our value and other people’s value."
There is indeed a rising consciousness, perhaps due to recent high-profile hackings; however, the prevailing feeling is one of confusion, according to a new study from JWT.
"People are aware that their data is being collected," explains Marie Stafford, the agency’s director of consumer intelligence, trends and insights. "But they’re unclear to what extent, or to what end.
In a sense, people are a little bit torn – they’re excited about using technology to make their lives easier, but some are unsure about what they are giving up in return."
According to this research, only 10% of people in the UK take additional measures to protect their data. Stafford cites encryption tools or no-track search engines as examples.
She believes this low take-up is most likely due to ignorance of what they can do or perceived hassle, rather than laissez-faire attitudes.
"We found that a majority of people in the UK think companies aren’t concerned enough about consumer privacy. There’s also healthy support for regulation around data privacy, with 85% saying they are in favour," she adds.
This fusion of heightened awareness of the issue and bewildered attitudes to personal security presents a big opportunity for brands and marketers. It is an area ripe for innovation and disruption. For established businesses, the onus is on putting security first and making sure people know you’re the safest option. But there are also several start-ups capitalising on the desire to go ‘off-grid’ and, as people gain more understanding, and hacking intensifies, these may well be the new ‘unicorns’ on the block.
New companies are springing up, marketing themselves as virtual knights in privacy armour, ready to crusade against all that is ‘holey’ in our online security.
Ghostery says its app and browser extension "empowers consumers and businesses globally to create safer, faster, and more trusted digital experiences" by alerting users about web bugs, ad networks and widgets on the web pages they visit.
JWT’s Marie Stafford cites CitiizenMe."It is an app that acts like a personal data repository: it allows people to gather all their personal data in one place and then, if they wish, to share it with brands," she says.
Then there are the phones, such as Silent Circle’s Blackphone and the Blackberry Priv, which have been designed to make enhanced privacy simple and primary, rather than a difficult-to-implement afterthought.
Another innovation is Dojo, a device that looks rather like a decorative pebble, but is in fact consistently monitoring for potential online threats penetrating your future smart-home. Dojo highlights the fact that privacy issues will only soar as every device becomes connected alongside the rise of the IoT.
The growing threat lies behind MasterCard’s decision to put privacy and security high on its business and marketing agenda. It is something you would hope all financial-service and payment-system providers are doing, but, unlike MasterCard, not all are making their approach to safeguards public knowledge.
"The number of connected devices will rise 600% in the next five years, to 30bn," says MasterCard’s Paul Trueman, a marketer who switched to the role of group head of enterprise security solutions in 2014. "We will see more change in the next five years around digital services than we have in the previous 50. MasterCard advocates a multi-layered approach to ensure adaptability to the changing threat of the challenge is maintained."
Part of this approach includes Digisec-Labs. According to a MasterCard promotional video, this secure research facility in a secret UK location is where "a team of brilliant minds come together every day to solve problems most of us don’t even know we have". Their methods include using similar techniques and equipment to potential hackers to identify where there are weaknesses, and thus develop more robust solutions. MasterCard is effectively trying to hack itself, and it’s not the only company doing so.
Several corporations are hiring the very hackers who might otherwise be a threat to them. This is perhaps why brand attendance at hacker conventions is on the rise, fighting the tech industry and governments for the best talent. Last year, for example, Nike threw a party for attendees at the Black Hat USA event in Las Vegas – was it seeking recruits? Meanwhile, a recent job ad for a role at PepsiCo listed "certified ethical hacker (CEH)" certification under "preferred qualifications". ‘White hat’ hackers, as they are known, are hot property. It may not be too long before we see the role of chief hacking officer added to the ever-expanding boardroom roster.
As Trueman says: "Reputational risk through data loss or misuse is among the more concerning topics in boardrooms, as it can have an immediate impact upon the credibility of the business. It’s going to be a necessity that marketers protect their customers’ data and don’t just assume that it is safe. To have the right from the consumer to access their data is a privilege that should not be treated lightly."
While many companies realise they are at risk, few seem to be publicising the fact that they are concentrating efforts on cybersecurity. This in an area prepped for clever communication and could even be a strategy for regaining loyalty among an increasingly promiscuous consumer cohort. In the near future, we may be choosing which brands we interact with based on how secure our data is in their hands.
The alternative solution to the data debate could result in consumers pressing delete. As people live ever-more on-demand lifestyles, will they not start to ask that their data be as real-time and ephemeral as their in-app interactions? Or insist that companies let them decide exactly how their data is used?
"We have a responsibility to remember the basics of good communication, and make things clearer and simpler for our customers"
Andy Duncan, Camelot CEO
"We may see some brands handing over the reins to their customers and letting them have control of their data," says JWT’s Stafford. "In a world where consumers have control of their data, the onus will be on brands to prove themselves worthy of having access to it." She believes that by making both sides of the exchange clear and transparent, brands can start to build proper relationships with customers. "Increasingly, brands are vaunting their privacy credentials: for example, Apple now has a whole section on its site explaining how it protects customers."
"We have a responsibility to remember the basics of good communication, and make things clearer and simpler for our customers," says Camelot CEO Andy Duncan, who, in his role as president of the Advertising Association (AA), has made privacy a top priority. "Longer-term, we have to work with the Information Commissioner’s Office, but also together as industries, so that the principles of responsible data-use are understood by everyone."
The AA’s thinktank, Credos, found people are most turned-off by "bombardment, intrusion, poor creative, irrelevance and being treated like they are stupid", says Duncan.
Every marketer has a duty to create communications and experiences that are the opposite of these. Be straightforward, creatively engaging, super-relevant and transparent to make sure customers don’t opt out of sharing.
Which brings us back to the value exchange. When consumers are deciding which brands are worthy, they will pick those that are most secure, transparent and flexible with their data, and use it to provide the most personal, convenient, entertaining and/or useful experiences, services and products.
A founder member of Scotland Yard’s undercover unit in the 1980s and star of Channel 4’s Hunted, Peter Bleksley explains how it’s almost impossible to truly go under the surveillance radar – and why every company should hire a hacker.
"Even if you go onto the ‘dark web’, even if you use end-to-end encrypted smartphones, whose manufacturers won’t breach privacy (in fact they don’t have the ability in some cases, where they’ve encrypted the phone above their own capabilities), every time you log onto that device or use the phone, you create an electronic footprint. Your phone has to go through a phone mast, for example, which creates a trace.
So, if the number of the phone you’re using – albeit an encrypted handset that they wouldn’t be able to get into if ever they sought to – is known to the people trying to track you, they would be able to monitor the phone traffic between that phone and another.
I applaud companies who hire hackers. [During] my time in law-enforcement, we used burglars, robbers, drug dealers – all manner of former criminals – to help us catch other criminals.
It’s right and proper that businesses should do likewise in employing hackers who might otherwise be targeting them. You don’t want to be held to ransom by them, so bring them in from the dark side, out of the cold, give them a decent salary and use their expertise.
As time moves on, these experienced and resourceful hackers, who are currently in their teens and early 20s, will get promoted in companies and end up in executive positions."