freshidea - Fotolia

Tip

Who wins the security vs. privacy debate in the age of AI?

When trying to maintain balance between security and privacy in an AI-enabled world, who decides which side should tip and when? So continues the security vs. privacy debate.

Imagine AI embedded in a car that can alert an Uber passenger that he's about to exit the vehicle forgetting his bag. Or a self-driving car that switches to autopilot when AI notices the sleep-deprived driver's eyelids are drooping. In another scenario, AI-powered cameras could tell if a weapon is being taken out of a car in a school parking lot and, if paired with a smart lock system, could automatically lock down the school building for security.

The above examples from a Wall Street Journal article highlight the opportunity for vendors to use AI-powered systems to create a more secure environment for their customers. While contributing to a safer world, however, AI is also contributing to the ongoing security vs. privacy debate -- and forcing organizations and users to consider when privacy should tip to security and vice versa.

While there is no one-size-fits-all approach, security and privacy greatly depend on organizations earning their users' trust. Yet, trust of an organization is no longer the sole responsibility of a CISO. Because it has a direct effect on a brand's reputation, business and longevity, trust must be imbibed and embedded into every corner of an organization. In fact, Cisco's "2020 Data Privacy Benchmark Study" found that for every dollar spent on privacy, $2.70 worth of associated benefits were reaped by the organization -- beneficial to be sure. But how can trust be achieved?

Gaining users' trust

Research firm Morning Consult's "The State of Consumer Trust" report highlighted three areas where brands can win users' trust:

  1. Protecting customer data. Organizations should invest in people, processes and technology for data security. By being vocal about why they protect customer data, organizations can build trust with existing customers and attract new ones. Security can never be 100%; forward-leaning organizations must be bold enough to state this while doing their best to get close.
  2. Being transparent. Transparency goes a long way in the eyes of users, whether it is options on cookie use or how upfront organizations are -- i.e., not hiding important security and privacy information in the fine print.
  3. Treating employees better than the letter of the law. Netflix has a core principle it uses to empower its employees called "freedom and responsibility." As the name suggests, it grants decision-making autonomy while expecting accountability for actions in return.

Security vs. privacy is a fine line, and it's one that must be constantly maintained. Boiled down, three elements strongly affect the perfect balance.

The triad to balance security and privacy

To build an enterprise framework that balances security and privacy while simultaneously enabling customization based on end-user preferences, organizations must consider transparency, demonstrate value and provide options to their users.

When it comes to transparency, consider the German airline Lufthansa. It adopted an easy-to-understand framework that offers visitors to its websites three choices under the categories of statistics, comfort and personalization. These choices range from anonymity to personalization, and the company provides a clear articulation of how each choice impacts privacy, from ultra-private to more intrusive data collection.

Lufthansa's cookie settings
Cookie settings on Lufthansa's website

To adopt a similar data-collection approach, organizations must ask themselves if data collection is used to build highly customized user profiles. If so, are users aware of this and do they have an ability to opt out? If not, data should be anonymized so it does not contain user identifiers. Organizations should transcribe this information in easy-to-understand language for their users.

Credit card companies consistently demonstrate value to their users. Consider fraud alerts that warn a user his card is being used at a location he has never visited. A quick reply to an email or a text can verify if the card is being abused. Credit card companies have demonstrated the value of constantly and consistently tracking their users' every physical and online move, using AI-based security analytics to alert deviations from the norm. This is an example of less privacy in exchange for more security.

Companies harvesting data and utilizing it for their own business purposes must showcase how their cyberintrusion can lead to more secure digital outcomes. When considering the value they are providing customers, organizations must ask themselves if there is a highly customized user profile for each customer. If so, is the profile being used for more targeted customer offerings only? For example, take the credit card company that may offer credit monitoring services. If the answer is yes, organizations should consider investing in how insights can be translated into ongoing basic awareness offerings for the customer.

Optionality is a clear way to extend transparency into action that offers end users choices they can control. Take note-taking app Evernote's three laws of data protection, shown below.

Evernote's data protection choices
Privacy options in Evernote

"Your data is yours" demonstrates clear data ownership -- the user can delete it at any time and it cannot be sold or transferred to a third party. "Your data is protected" highlights that the organization assumes responsibility for protecting user data. "Your data is portable" means the user has the right to take all the data that has been amassed by the organization and transfer it elsewhere.

Putting the balance in action

Honoring the fine balance in the security vs. privacy debate will engender consumer trust, enabling the business to conquer new heights.

Embodying this culture starts at the top. Don't wait for regulations to dictate corporate policy. Instead, ask questions upfront about what the right thing to do is for customers, employees and shareholders. Then, do it.

One company that has done this is Craigslist. It has not updated its privacy policy since 2015, which proves that if organizations take the time to understand and implement the right security-privacy approach for their customers, they can be ahead of the game -- and even futureproof -- by being compliant with laws that may be enacted afterwards, such as GDPR or the California Consumer Privacy Act.

Dig Deeper on Data security and privacy