Privacyscape

Information Privacy 1-Baseline

Last modified on 2012-03-21 21:05:47 GMT. 1 comment. Top.

Is Privacy an Illusion?

by Heather Bussing and John Sumser

“We have this illusion that each of these bits of information is separate, that the companies collecting the information don’t share it. So we are the only ones who really have the whole picture about what our lives are like.”

First, it’s important to understand that before you even log onto Facebook or Google, there is a tremendous amount of personal information that is public record and that is collected in your daily transactions.

Public Records

The real estate you own, how much you paid for it, and the terms of your mortgage are all public records available at the recorder’s office and often online. These records may also show whether you are married, singe, or divorced based on how the title to the property is held. Other public records include the names of any business you own, along with what type of entity it is, and where it does business. Court records show who you have sued and who sued you. Some family law and criminal records are also public. So are tax liens, judgements, birth records, death records, and political party registration.

Other Information About You.

In addition to public records, there is information that you provide and information that an observer can collect about you. What you do in public is generally considered public. But information collected about you is neither public, nor exactly private.

Loyalty Cards

When the barrista slides your gold Starbucks card, you tell Starbucks where you are, what you are drinking and eating, and how often. In exchange, they give you free drinks, which is nice.

You probably have loyalty cards for groceries, books, pharmacies, office supplies, bakeries, restaurants, airlines, car rentals and hotels.

All loyalty cards are designed to collect information about what you buy, where you spend, how often you buy it, when you change brands, and how much you spend.

Recently, Target’s data collection efforts were exposed when it figured out a teen was pregnant before her family did. They didn’t appreciate getting the news from Target via coupons for cribs and baby clothes.

Surveillance Cameras

When you go into any public building, store or mall, there are surveillance cameras watching you shop, walk, consider items, yell at your kids . . . .

There are cameras at stop lights to see if you run the light, cameras at toll boths, in parking lots and attached to buildings.If you are too late on the yellow, someone looks up your license plate, name and address, and sends you a ticket along with a lovely invitation to talk to a judge.

Credit/Debit Cards

Your bank and credit card companies also watch where you go, what you are spending money on, and keep track of patterns. They claim they are protecting you and preventing fraud. It’s mostly about preventing their own losses. They are also trying to figure out if you are having financial trouble, so they can adjust spending limits before you are broke and can’t pay them, or worse, declare bankruptcy.

Credit card issuers also use your spending habits and payment records to figure out which of their “partners” should send you advertisements and information.

Your Phone

Every cell phone behaves like a GPS tracking device. It’s part of how you check-in on Four Square. So your phone company can figure out where you are, or at least where your phone is, at any moment and follow your every move. They also know who you talk to, for how long and on what days.

(In the next piece, we’ll cover the information that gets collected when your phone is also connected to the internet.)

Your Car

Your license plate tells everyone what state you are from, and depending on whether you have special plates, whether you work for the government, whether you are a veteran, and what causes you support. If you have a GPS in the car, it will tell the rental company or service provider exactly where you are, how you got there and where you go afterwards. Many cars are also equipped with onboard help systems that track your location. The year, make and model also tell people about your taste and finances. Depending on the size, number of seats and accessories attached, a casual observer can learn how much you care about brand and image, whether you have kids and pets, what sports you like, whether you park in a garage or outside and what the birds have been eating lately.

Your Face and Appearance

It is perfectly legal to take pictures of people in public places. If someone uses those pictures for commercial purposes, they should at least get your permission and probably compensate you. But anyone can take your picture and put it online for others to see where you are, what you are doing, and with whom.

The clothes, shoes and jewelry you wear tell people information about what you do, whether you are married, your finances, and how much you care about fashion.

Is Privacy an Illusion?

So even before Facebook and Google start counting clicks, a tremendous amount of information that gives intimate details of your life is being collected, stored, and used.

We have this illusion that each of these bits of information is separate, that the companies collecting the information don’t share it. So we are the only ones who really have the whole picture about what our lives are like. But it’s an illusion.

This information is sold, traded and transferred among companies. Many mergers and acquisitions are really about acquiring a company’s data rather than its product or business.

The fact that information exists somewhere means that the government, police, courts, ex-spouse or an opponents in a lawsuit can probably get the information. A “reasonable suspicion” is all it takes for a search warrant in a criminal investigation. “May lead to the discovery of admissible evidence” is all it takes for a subpoena.

If you really want privacy, you’ll have to move to a remote place, never spend money, give up traveling, driving, and using phones or computers.

Maybe the better approach is to understand how the information about you is collected and used. That way you can decide what is and isn’t important to you.

Next, we’ll look at how information is collected and used online.

Informational Privacy 2: Online Data & Social Media

Last modified on 2012-03-21 21:05:33 GMT. 3 comments. Top.

Companies track your data to match your information with ads from the companies, politicians, and interest groups that pay them for advertising.

When the website or online service is free, chances are the product being sold is you.

by John Sumser and Heather Bussing

In our last post, we looked at public records and the data that banks, stores, cell phone and credit card companies collect. With Google’s new privacy policy, Twitter selling tweets and privacy concerns with Facebook, it’s important to consider what information is being collected online and what are companies doing with it.

The short answers are:

Who is collecting information? Every site collects some information.

What is being collected? Every site collects your IP address, the site you came from, time between clicks,  where you go to when you leave, any information you give them. Sites also may collect additional information.

What are they doing with it? Figuring out what you like, so they can give you more of it, in the way you want it.

Here are some examples of additional information that is being collected or monitored. There is almost no limit on what information that could be collected.

Google

Search Engine: What you search for and which search results you pick.

Gmail: Your contact information, your address book, and who you contact. Although we don’t know exactly what Google looks at in the content of your mail and attachments, the words you use affect which ads you see on your gmail page.

Google+ Profile: Your contact information, location, education, work history and any other information you fill in about relationships, birthday and bragging rights.

Google+ Who is in your circles, who has you in circles, what you post, how often, what you click on, what you give +1, which circles you publish to, who you interact with, and how much.

Picasa: your photographs, the date they were taken, the metadata about your camera, exposure, aperture and information you give in location and tags, including facial recognition.

Google Maps: Maps and direction you search for. If you use it through your phone to give you travel directions, it also collects information about your route and how long it took you.

YouTube: what videos you watch and search for, and which suggested videos you clicked.

Google Checkout: What you buy, from whom, for how much, when and where you had it delivered.

Google Voice: What your phone numbers are, who you call, who called you, how long you talked. There is a new box on google voice that asks you if you would donate the message so that Google can compare the voice recording with the text message, presumably to improve the accuracy of the texts.

Facebook

Your name, email, photo, and depending on how complete your profile is, your birthdate, religion, political affiliation, music, books, movies, quotes.

Who your friends are and the same information about them.

Who you consider family, and the relationships.

All your status updates and notes about where you go, what you do, what you are thinking about.

Who you regularly interact with through comments and likes, and how often.

What you link to.

Your photos, including tags and facial recognition.

What companies and organizations you like.

How much time you spend on the site.

What links you click.

What ads you click.

Your games and other applications you have connected and how you use them.

Foursquare

Your name and contact info.

Everywhere you check in.

The duration between check ins.

Who is there with you.

How often you go.

Who you are connected to.

How often you check in with the same people.

Twitter

Your name, email and bio.

Who you are connected to.

What you link to.

All the applications you sign into through twitter like Klout.

How often you tweet, when, and what days.

The topics you tweet about.

Who clicks on your links.

Who you interact with.

Who and what you mention.

They’re Not That Into You

Search engines, internet companies and social media sites don’t really care that much about who you are as an individual. They aren’t really stalking you.

Some of the data is personalized and actually connected to your name or email. Some of it is just connected to your computers IP address. You are just one of millions of accounts that they are collecting data about. The analytics department at Google doesn’t really care about who you are dating, whether you look drunk in the conference photos, or how many cats you have.

First, these companies are trying to improve their products and your user experience. By figuring out how you use their sites, they try to make it better for you. That way, you’ll continue to use it.

Then, they are also looking for patterns and how to match your information with ads from the companies, politicians, and interest groups that pay them for advertising. This is how Facebook and Google can provide you with free services.

Some companies, like Twitter, are also selling the data to other companies so that they can also figure out how to sell you things.

But with so much information available, it isn’t hard to imagine how governments, law enforcement, insurance companies, your ex, hackers, and crooks might be interested in knowing what you are up to. And that is where important privacy issues arise.

Next, we’ll look at privacy rights and legal issues.

Further Reading:

Here are some great articles about how data is being used, and what people are trying to figure out by looking at it:

How Companies Use Your Secrets by Charles Duhigg, NY Times, Feb. 16, 2012

How Companies Are Using Your Social Media Data by Leah Betancourt, Mashable, Mar. 2, 2010

Data Mining: How Companies Now Know Everything About You by Joel Stein, Time Magazine, Mar. 10, 2011.

Information Privacy 3: What Are Your Privacy Rights?

Last modified on 2012-03-20 17:25:59 GMT. 5 comments. Top.

When information is private, you generally need to agree to reveal it, or there has to be a really good reason for the disclosure.

Legal Basis for Privacy

In the US, privacy laws are a mishmash of Constitutional principals, cases, and statutes. The United States Constitution does not contain a specific right to privacy. Yet, several amendments give rise to concepts of privacy. The 4th Amendment prevents the government from searching you and your property without a warrant.The 5th Amendment prevents the government from requiring you to disclose information that would be self-incriminating. And the 9th Amendment says the people have rights beyond those specifically listed in the Constitution.

Based on these provisions, the Supreme Court has recognized “penumbra” rights of privacy in our personal lives. Many states, such as California, have an express right of privacy in the State Constitution that provides broader privacy protections.

The specific kinds of privacy recognized by law are:

1. The right to be left alone. This is the essence of the right to privacy. But it really just applies to your home and property. When you are in your home, you have a right to seclusion that others can’t intrude on without your permission or invitation.

2. The right to your name and likeness. This is both a privacy right and a property right. People can’t use your name or your image for their own benefit without your permission. Yet, many people have the same names. So there is no exclusive right to be the only person in the world with that name. And you can be photographed and recorded when you are in public for noncommercial purposes. So it’s really just that other people can’t make money using your name and image without your permission and giving you a share. But if you are a public figure, you give up that right since people are going to recognize you and talk about you as a matter of course.

3. The right not to have your private life made public if it would be highly offensive or if there is no legitimate public concern. This is the fundamental basis of informational privacy. Both statutes and cases generally acknowledge that certain information is private: images of our naked body, our sex lives, our finances, and our medical information.

Most other things are a balance between what we reasonably expect is private against whether there is a good reason to disclose it.

An example of this balance is the current dispute about the TSA body scanners at airports. The scanners reveal your naked image. The alternative is they frisk your genitals. Both are definite invasions of privacy. But this is then balanced against the public safety concern of not getting blown up in an airplane. So far, not getting blown up has prevailed. But how you feel about the issue depends partly on how invasive it is for you to be scanned this way, and whether you think they actually work better or the old metal detectors were just as effective.

4. The right not to have people saying offensive and untrue things about you.

This privacy right is the basis for claims of defamation and its various flavors of libel and slander. For a comprehensive education in defamation law, do some searches about whether Sandra Fluke has the right to sue Rush Limbaugh for calling her a slut.  There are good legal arguments for yes and no.

Privacy is Not Absolute

It’s important to understand that no privacy right is absolute. For example, we don’t have a right to be left alone all the time–even in our home. People can come to your door to talk to you or sell you things; and FedEx can deliver packages–but not at 2 am.

In addition, almost every privacy law permits the companies or people who have the information to disclose it when the government demands it (usually with a search warrant) or as part of a court proceeding. Some information is allowed to be used anonymously for research or analysis.  And with medical information, health care providers can get information in emergency situations to save your life.

But when information is private, you generally need to agree to reveal it, or there has to be a really good reason for the disclosure.

If You Tell, It’s Not Private

Private also does not mean that people can’t ever find out. Like any secret, the minute you tell it to someone who doesn’t have any requirement to keep it confidential, it’s not secret anymore. So even though the law recognizes general categories of “private information,” if you disclose it, it’s not private anymore.

Privacy Statutes

There are specific statutes that protect how information is collected and used that are based on the concepts of informational privacy. The UK, Europe and Canada have much more comprehensive and restrictive laws on how information can be collected, stored and used.

Here are some of the privacy laws in the US.

HIPAA protects how your personal health information is used and shared.

The Right to Financial Privacy Act of 1978 (Gramm-Leach-Bliley) protects how financial institutions can share or disclose your personal and financial information.

COPPA , COPA and CIPA, all laws aimed at protecting children from seeing inappropriate content online, and protecting the use and disclosure of information about children. The provisions relating to controlling content or forbidding the transmission of certain content have generally been struck down as illegal restrictions of free speech.  But the restrictions on how information about users under 13 is handled and disclosed, notice requirements and required privacy policies are in effect.

The Computer Fraud and Abuse Act protects you from unauthorized access or use of your computers, and from people obtaining information from your computers without authorization. The main problem with this law is that you have to show at least $5000 in damages to sue. The courts are not permitting people to claim that an invasion of their privacy is the same thing as economic losses. In a case against Facebook, internet users tried to show that Facebook’s use of their information deprived them of the use and value of their data. But the court held they did not show how Facebook’s use caused them actual monetary losses. In a case against Amazon, users claimed they could be harmed if Amazon sold their personal data to credit card companies or employment background agencies who could then use that information to deny a loan or refuse to hire them. The court found that the damages were speculative–you are not damaged until it actually happens.

And this is exactly the trouble with asking courts to handle these issues, you can only bring a court case after it’s too late.

The Stored Communication Act, and The Wiretap Act each prevents electronic communications service companies from revealing the content of your communications. Basically, they can send the communication to the people it’s addressed to. Then both the sender and the recipient can consent to further disclosure. In another case against Facebook, a user claimed that Facebook revealed information about users through its targeted advertising when users clicked on a banner ad. Not surprisingly, the court found that clicking on the ad was effectively consent to contact the advertiser and be directed to its website.

For more details on some of these laws, and citations to the statutes and cases, see Gerry Silver’s excellent article “Do Not Track”: The Outlook for Online Privacy Litigation at Law Technology News, March 14, 2012.

Unfair Trade Practices

Where Facebook did get tripped up, was under the California unfair trade practices statute. Many states have laws against deceptive or unfair business practices that basically require companies to do what they say they are doing. That usually also means not changing the deal without telling you and getting your agreement.

Unfair Trade Practice statutes often do not require a showing of monetary damages–just that the company’s words and actions did not match. So Facebook’s privacy policies said one thing, but they were rolling out new technology and changes so fast that they way the site worked no longer matched the policies. As a result Facebook has agreed to a privacy review by the FTC every two years to make sure that when users set their privacy settings, they actually work.

Summary

The US is still grappling with what data is private, who owns it, who gets to use it and for what purposes. It depends on what information is or should remain private and to what extent people have knowingly consented to its use. More troubling, is whether online data should be sold or transferred to third parties or the government, and what they can use it for.

We’ll explore some of those questions next when we look at Do Not Track legislation, the White House privacy report and Opting Out versus Opting in.

Information Privacy 4: New Laws and Issues

Last modified on 2012-03-21 21:05:16 GMT. 2 comments. Top.

by Heather Bussing

Maryland and Illinois just introduced bills to forbid employers from asking for candidate’s social media passwords.

While internet users are trying to figure out what information is being stored and how it’s used, governments are also struggling with how to regulate online data.

Pending Legislation

Maryland and Illinois just introduced bills to forbid employers from asking for candidate’s social media passwords.  Some companies have started demanding usernames and passwords during interviews, so they can look behind the candidate’s privacy settings. Others are requiring that the applicant “friend” someone in the HR department for the same purpose.

Last year, both the House and Senate in Congress introduced Do Not Track legislation that would require online service providers, including mobile applications, to allow users to “simply and easily indicate whether the individual prefers to have personal information collected.”  An exception is made for information required for the service to function.  The law leaves it to the FCC to define “personal information” and how such a law would be implemented.

Another bill called the Do Not Track Kids Act of 2011 is also pending in the House. It adds extra protections for users under 18. All three bills are have been sitting in committees for about a year while various reports on economic impact and constitutionality are prepared.

White House Privacy Report

In mid February 2012, the White House issued a report called Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The Report calls for a Consumer Privacy Bill of Rights designed to protect user information, create consistency across platforms, websites and countries, all while not restricting economic development. It’s a tall order.

The White House summarizes the principles of the Consumer Privacy Bill of Rights as:

− Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

− Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

− Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

− Security: Consumers have a right to secure and responsible handling of personal data.

− Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

− Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

− Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The President has recommended that legislation enacting the Consumer Bill of Rights be introduced into Congress, that Do Not Track legislation be passed, and that the laws be enforced by the FCC.

Opting Out or Opting In?

The UK and Europe generally have more stringent rules about collecting, keeping and disbursing data. The philosophy there is that consumers should be able to find out what data is being kept, get copies of it, and ask that some or everything be removed–the right to be forgotten. Consumers in Europe generally expect privacy unless they specifically opt in. At the beginning of 2012, revisions to the Data Protection Directive were proposed that unify a series of privacy laws into the Data Protection Regulation. The new law would also require US Companies to comply anytime they collect or store data about European citizens.

The US and its companies take the opposite view. The default is opt in, unless a consumer expressly opts out. There are currently no requirements that consumers be notified about how their information is being used.

This difference has been the trouble Google is having with it’s new privacy policy. The EU recently asked Google to answer specific questions about exactly what information is collected, how it is used across various services, and how it is stored.

In the meantime PC Magazine reports, Explorer, Chrome, Firefox and Safari are all experimenting with Do Not Track or Opt Out mechanisms.

What is the Government Collecting?

While the White House Report declares: “Never has privacy been more important than today”, Wired Magazine reports the US Government is building a giant spy center.

The “Utah Data Center” is purportedly designed to intercept and collect every digital communication, including all emails, phone calls, messages, search history, tweets and every other digital record or communication sent over phones or the internet.

It is not clear from the article, or from my research, how the government would be able to legally collect, view, and use these records without a search warrant under the 4th Amendment of the US Constitution.

Here is further discussion of the legal issues involved with the government, rather than a private company, searches data. It is a federal case involving the government’s use of cell phone location data.

Enforcement of Privacy Rights Will Be Difficult

In Information Privacy 3, we discussed how attempts to sue websites like Facebook and Amazon under Federal laws didn’t work. Those laws require that users show actual economic losses due to the invasions of privacy. That is difficult to do, since using information about you does not necessarily mean you lose money.

Privacy laws involving defamation don’t require a showing of loss–only the invasion of the privacy right. So I wonder why the privacy statutes impose the additional requirement of economic damage.

The new Do Not Track Legislation and presumably any Consumer Privacy Bill of Rights will be enforced only by the FCC or a State Attorney General. At this point, there is no ability to bring a private lawsuit.

Even you could bring a lawsuit, technology is moving so fast, neither the legislatures nor the courts will be able to keep up with it. Civil lawsuits usually take a couple years. The Do Not Track legislation was introduced a year ago and is in no danger of being acted on anytime soon.

In two years, Apple has rolled out 3 versions of the ipad, several version of the iphone and Apple TV. Facebook doesn’t look or work the way it did 2 years ago. So almost the minute you bring a lawsuit, the technology will have changed making the issue moot.

Also, the way legislation works is that Congress introduces bills to address current issues and technology. If they make the language too broad, the law becomes unenforceable–either because it is unclear, or because it may infringe on other constitutional rights of speech or association. If they make it too specific, it will be outdated soon after it is introduced– either because the technology has already surpassed the problem, or the coders will start working on it as soon as the bill is published.

So expecting either the government or the courts to protect information privacy online is probably unrealistic and impractical.

What to Do.

Instead, I expect to see more lawsuits based on unfair or deceptive trade practices or breach of contract. The coders will always be faster than the lawyers drafting the End User License Agreements (EULA’s) and the Privacy Policies, so the problems  Facebook has had will continue.

I also expect to see more enforcement under state rights of privacy. For example, California’s Constitutional right to privacy applies to government, companies and individuals. And, the determinations about what is private and what to do about it are more clearly defined.

I expect legal recognition a “digital likeness” just as we have property rights in our name and physical likeness. So when companies use information about our personal behavior for commercial purposes, a person can demand compensation. The tension will then become how to value the company’s use against the the consumer’s value of getting free products and services.

Legal tactics aside, I expect users to do less running naked in the digital wilds. Pay more attention to what you post, and to the information you volunteer to websites.

I don’t think either companies or the government are out to get anyone. I do believe that if the information is online, or even digital, it can be found by others. So to quote the Zappos Social Media policy: “Be real and use your best judgment.”

Next, The future and upcoming issues in HR.

Information Privacy 5: Futures and Issues

Last modified on 2012-03-22 13:38:54 GMT. 2 comments. Top.

Being creepy is not always against the law. In the business of lead generation, some companies prefer creepiness.

Information Privacy 5: Futures and Issues in HR

For months now, I’ve been being followed around by an ad from Replicon. Ever since I reviewed their iPad like time clock, the add pops up on a periodic basis. This process, called retargeting, feels intrusive but is far from illegal.

Just like creepy guys can stand across the street from your house looking creepy with little fear of harassment; creepy advertisers can follow you around without actually invading your privacy. That’s one of the interesting things about privacy. Being creepy is not always against the law. In the business of lead generation, some companies prefer creepiness.

We are entering a lawless time. Technology moves faster than the law and is gaining speed. As a result, the first thing to change will be the role of lawyers.

Today, great corporate lawyers (particularly the employment types) make their bread by helping their clients maintain a very conservative posture. If you want confirmation that something is a bad idea, just ask a lawyer. In the 20th Century, this made enormous sense. The lawyer’s job was to reduce or eliminate risk. One never asked a lawyer to help with innovation.

Ever.

Today, lawyers have to start helping their clients take advisable risks. Is retargeting, creepy as it is, a good way to get employees to read the new policy all the way through? Is it legal? What’s the risk of implementing the new tool?

By the time legislators even partially understand retargeting, it will have been replaced by a better, more effective approach. The lawyer’s job will be to advise about the likelihood that this new idea will cause problems down the road. Lawyers will have to rapidly shift from operating as defensive players and move to a more offensive role. Technology, particularly on the issue of privacy, forces attorneys to become strategic.

Not all of them are up to the task.

There’s almost no question that the HR Organization. will become the operator of the company privacy department. Already, the most significant privacy related issues are in the hands of the HR team. Medical data, personnel records, background investigations, succession plans, compensation data, employee financial info are all currently under the purview of HR. Privacy is such a bugaboo that the other folks will be happy to dump the problem in HR’s lap.

Who else would you give it to, IT?

Meanwhile, with sensors stuck on every imaginable object, the company’s ability to understand and measure employee performance is going to take on whole new layers of meaning. Just like Target was able to “know” that a customer was pregnant, HR will be able to put 2 and 2 together on a variety of subjects. Large scale data mining will begin to show near-magical correlations between conditions and productivity.

While the line departments are learning how to navigate Big Data in their operations, the HR Big Data problem is all about people and what they think and do. The line between work and life is going to continue to blur as vendors bombard employers with new ways to harness the intelligence embedded in social media.

Until we get a solid handle on the question, tools that are no more than always-on popularity contests are going to try to find their way into the business’s measurement of its worth. The questionable practice of harnessing peer pressure to develop performance appraisals will have a short and damaging existence. For a while, everyone will have the opportunity to deliver ‘feedback’ to everyone.

Inside the firewall, the stunning scope of LinkedIn’s knowledge of your human capital supply chain and the way it is networked will become part of the scenery. As HR accepts responsibility for managing the health of the network that is the company, it will make smarter decisions and backstop even smarter things. Understanding how communication and influence flow through the organization will change the face of management forever.

It’s going to feel intrusive.

Work is the opposite of privacy.

In the recent case of an employer asking for a candidate’s Facebook password during an interview, no privacy laws were broken. While the candidate certainly had the right to refuse, the employer had the right to ask. The workplace is not particularly privacy friendly. Employers may engage in all sorts of behavior that feels really intrusive (urine tests, personality assessments) but does not violate privacy laws. Employees will be spending the next decade or so wrestling with the difference between privacy and privacy laws. Great employers will be working hard to manage their expectations.

There are a lot of really smart questions to ask. There are going to be a ton of dumb experiments along the way. In the next 18 months, HR leaders will be flooded with offers to embed tools that allow and encourage employees to rate each other, give badges, express sentiment, network, collaborate and communicate. Usually rooted in mobile-social media mindsets, these tools will promote an always-on, real-time view of work. In the end, this is an improvement over static performance appraisal.

Here are the 7 issues that will be top of mind in HR on the privacy front over the coming months and years:

• The use of social technology in performance management
  Besides actual output, things like state of mind, social activity, workplace interactions and even weather impact employee performance. A host of solutions will emerge that dig deeper into aspects of the employee’s existence that didn’t used to be monitored. HR Departments will become the experts in legal issues and expectations management as both employees and managers come to grips with the new intrusions.
• The internal use of social technology systems for status, communications and collaboration
  The way that technology enters organizations is driven more by what can be done than by what ought to be done. Already, companies are using Twitter to deploy internal status systems. Since social technology usually comes in the front door, there are a ton of jury-rigged projects that are being hard wired into the infrastructure. Somehow, HR has to stay on top of the projects and their implications for internal mobility, compensation, and sound employment practices.
• Managing the health of the network that is the organization
  The degree to which LinkedIn understands who is connected to whom (on a professional basis) is becoming critical organizational knowledge. The social technology providers may well have a better understanding than you do about who is and isn’t redundant, for example. While monitoring interactions around critical network nodes (both inside and outside the firewall) may seem intrusive, the organization needs to understand the welfare of these critical connections.
• Drawing the line between at-work and non-at-work surveillance.
  You’re at a party on the weekend following a trade show. You tweet about what an idiot the guy at one of your partners is. The boss, who is following your tweets from home DMs you to cool it. Is that in bounds or out of bounds. People are going to do stupid things in this arena for years to come. It will be HR’s job to help the players understand the boundaries.
• Buying the best hours
  In the olden days (back in the 20th Century), work began at 8 and ended at 5. Everyone came at the same time because communication could only happen in the office. This way of working overlooked the fact that some people do their best work outside of regular hours. Why should a company be limited to buying an employee’s time during a set window. Instead, monitoring (including metabolism and environmental data) will be used to by the best 8 hours from an employee.
• Tracking and analyzing communications
  Social network analysis, rooted in a view of internal communications, takes on a whole new cast when you add social technologies and collaborative tools into the mix. Communications meta data will supplement the health of the network diagnostics that are coming in from outside. Understanding the real content flow in the organization is the key to unlocking big productivity gains.
• Combining and correlating data
  Soon, the HR Analyst will be a key slot. Responsible for dashboards, data integration, analytics and novel insight, the statisticians in the HR Department will rapidly be a part of the decision making team. This is where Moneyball really meets HR.

It will be decades before privacy regulations catch up with the reality inside the organization. As a result, the HR team will constantly be treading the line between what works, pragmatically, and the workforce’s sense that things have gone too far. If the team is able to utilize lawyers who don’t spend time in CYA maneuvers, they can really advance the organization’s agenda. In the coming year’s HR will have to make decisions well ahead of the law.

That will take some retraining.