Researchers at Carnegie Mellon University recently found that turning lawyers into programmers might be the best way to ensure an organization’s privacy policies are being followed in practice. It’s an idea that’s growing legs. Annie Anton and Peter Swire, CIPP/US, wrote in a recent blog post that “your own work improves if you become bilingual” and the “best results come from collaboration” between engineers and lawyers. After all, a law degree does not a technologist make. And how can a lawyer defend a company’s practices, or prevent the company from engaging in those practices in the first place, without understanding them?
But that’s a conclusion Chris Cwalina, CIPP/US, and Steven Roosa, both attorneys at Holland & Knight, came to years ago when they opened the “Privacy and Data Security Testing Lab.”
In 2011, Cwalina found himself working for Reed Smith’s privacy practice and representing Skype, E-Trade Financial Corp. and Phillips North America in a class-action lawsuit. The plaintiffs alleged that the companies used Flash cookies to bypass site visitors’ efforts to delete cookies, in violation of anti-hacking laws in Arkansas, the state in which the class action was filed.
It was Cwalina and his co-counsel’s job to make the case go away, tall order as it may have been. So Cwalina paired with Roosa, a tech-oriented lawyer, and others to come up with a path to get out of the case with an outright dismissal.
“That never happens, that the plaintiffs decide to dismiss all three clients,” Cwalina said. “I used to manage litigation, and it never happens unless the plaintiffs make a mistake and name the wrong party—or at least rarely—hear about it in this context.”
But the team did it, and they did so by understanding how the technology works. Roosa and Cwalina sat down with the computer engineer expert the plaintiffs had hired and described the benefits of the technology and precisely how the defendants were using the technology, eventually convincing the clients to drop their claims.
“We were able to show (the plaintiffs) that one of our clients was using Flash for multi-factor authentication, not to target ads to circumvent browser cookies consumers had proactively deleted,” Cwalina said.
And it was then that Cwalina and Roosa realized they had something here: The pairing of Cwalina’s legal expertise and Roosa’s technological expertise made for a great marriage. And, more than that, the service they could provide need not enter the picture once it was already too late. It should happen before the warning bells of trouble go off.
“When that happened, I said, ‘Holy cow, we should really be doing this proactively for clients,’” Cwalina said. “We started talking to excited privacy compliance clients and said, ‘Hey, do you want us to look at your sites for Flash technology? Because we can show you what you’re doing.’”
Practically, here’s the way it works: Cwalina and Roosa review the website properties of the client and catalogue all the third parties. To figure out the inner workings of a product, Roosa and Cwalina use a combination of network analyzers and proxy software to isolate the information and determine what’s being collected, who it’s being shared with and how. They do so by setting up a proxy node, or a “weigh station” in layman’s terms, that receives the traffic before it goes out to the Internet. Their evaluation can tell an organization whether information that isn’t intended to be shared, such as a user’s name, Carrier ID or phone number, is being shared. Included in that packet-level view is the ability to decrypt SSL/TLS and read encrypted traffic.
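The review described above can be sketched in a few lines, as an added example that is not from the article or from Holland & Knight's tools: it catalogues the third-party hosts in a decrypted proxy capture and reports which of them received seeded test-account data. The HAR export layout, the hostnames, the `client.example` first-party domain and the seeded identity values are all assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, unquote_plus

# Constructed capture in HAR layout, as an intercepting proxy could export it
# after TLS decryption. Hosts and values are made up for this example.
CAPTURE = json.loads("""
{"log": {"entries": [
  {"request": {"method": "GET", "url": "https://www.client.example/account"}},
  {"request": {"method": "GET", "url": "https://cdn.client.example/app.js"}},
  {"request": {"method": "GET",
    "url": "https://ads.tracker.example/p?n=Pat+Testuser&cid=TESTCARRIER01"}},
  {"request": {"method": "POST",
    "url": "https://metrics.vendor.example/collect",
    "postData": {"text": "{\\"msisdn\\": \\"+15550100\\"}"}}},
  {"request": {"method": "GET",
    "url": "https://fonts.vendor.example/f.woff2",
    "headers": [{"name": "X-Sub", "value": "TESTCARRIER01"}]}}
]}}
""")

# Values entered into the test account before capturing (constructed).
SEEDS = {"name": "Pat Testuser", "phone": "+15550100",
         "carrier_id": "TESTCARRIER01"}

def is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)

def audit(capture, first_party, seeds):
    """Map each third-party host to the set of seeded fields it received."""
    findings = {}
    for entry in capture["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if is_first_party(host, first_party):
            continue
        parts = [req["url"], req.get("postData", {}).get("text", "")]
        parts += [h["value"] for h in req.get("headers", [])]
        raw = "\n".join(parts)
        # Search raw and URL-decoded forms so "Pat+Testuser" and a literal
        # "+" in a JSON body are both matched.
        haystack = (raw + "\n" + unquote_plus(raw)).lower()
        hits = {k for k, v in seeds.items() if v.lower() in haystack}
        findings.setdefault(host, set()).update(hits)
    return findings

if __name__ == "__main__":
    for host, fields in sorted(audit(CAPTURE, "client.example", SEEDS).items()):
        print(host, sorted(fields) or "no seeded data seen")
```

Plain substring matching only catches values sent in the clear or URL-encoded; identifiers that a third party hashes or base64-encodes before sending would need the seeds expanded into those encodings.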
“We find a lot of unexpected things,” said Roosa, who is a former fellow at the Center for Information Technology Policy at Princeton University and spends the bulk of his time conducting network captures, analyzing clients' data sharing practices at a technical level and improving Holland & Knight's in-house tools.
What’s been somewhat remarkable to the pair as they’ve embarked on this venture, in which they’ve now reviewed hundreds of mobile apps and websites, often for well-known or Fortune 500 companies, is a trend: persistent silos separating legal, marketing and IT teams, which all have different viewpoints on what’s actually happening with data protection and privacy practices.
“One of the fundamental problems as a compliance person or a lawyer is to get your arms around what’s going on,” Roosa said. “It’s a problem with every device and application. But it becomes worse in the case of mobile devices or with the Internet of Things.”
Cwalina and Roosa say mitigating the risk of privacy violations by looking under the hood, so to speak, is worth the cost and time, especially looking at the ways in which hackers or independent consultants might do damage if they’re able to make similar determinations.
“Some feed the news to the press; some tweet their findings; some blog about it or write a paper,” Cwalina said. “These guys are looking for stuff, and if they find stuff, it can cause regulatory action or a lawsuit.”
Besides that, it can be just bad PR, he continued.
“Not only are we identifying law violations, we’re identifying areas where there is no law but there may be corner cases, grey areas, or perhaps even ethical issues,” he said. “We’re helping our clients navigate those issues.”
While there are some technically oriented products and analysis tools on the market that allow users to make similar technical reviews and determinations, Roosa said, those types of services really aren’t sufficient for anyone but the casual end-user and really don’t get to the heart of the matter: assessing legal risk.
“For the purposes of advising an enterprise on liability, you’ve really got to go through and exercise these actions and then test for where you see the liabilities and under what conditions,” he said. “We try not to dump a bunch of technical data on folks without also explaining in detail what it means. We are equipping the CPO or legal person to have the tools and data necessary to go back to the development side with sufficient information as a way to say, ‘Look, here’s what we can’t have going on, and here’s the data that shows it.’”