Editor’s note: In September 2015, David Fowler, Act-On’s head of digital compliance and privacy had a conversation with Craig Spiezle, the executive director of the Online Trust Alliance, about the role trust plays in marketing today. What follows is an edited transcript of that conversation.
DAVID FOWLER: In the last few years we’ve seen massive online security breaches with attendant personal damages for millions of people. We’ve also seen the explosion of digital marketing which lets us emphasize the customer experience partly through personalization in near real time. People like to be on the receiving end of personalized marketing; it does raise response rates.
The other side of that coin is that personalization is based on customer data that companies collect every day – since having your personal data stolen because of something a company did or didn’t do to protect your data is about the worst consumer experience you could possibly have. These things are tightly tied together in this digital DNA economy that we currently operate ourselves in.
We’re here today to explore the issues and the role every CMO and vice president of marketing can play in keeping customer data safe and keeping trust levels high. I’m here with Craig Spiezle, the executive director of the Online Trust Alliance. The OTA is a nonprofit with a mission of enhancing online trust especially in the convergence of privacy, security, interactive marketing, and brand stewardship. Welcome, Craig.
CRAIG SPIEZLE: As we talk about customer engagement, whether it’s responding to an email, clicking on an ad or completing a transaction through a shopping cart, trust is the foundation of all these interactions. More importantly, the lack of trust can significantly impact your reputation and your bottom line.
DAVID: Craig, tell us more about the OTA and the genesis of the organization.
CRAIG: The genesis of the organization was the problem of trusting email.
In mid-2005, we were trying to advance best practices to address spam including the forging and the spoofing of email. As we moved forward, we built upon that as a foundation for similar discussions on “Can we trust a website, is it legitimate?” Can we trust an ad?
We have come to the conclusion that we need to look at respect for the customer and consumer protection. We need to look at security of the website that you’re interacting with, and privacy, how are you treating that privacy. It’s almost like two sides of the same coin. And we need to look at those things long term. The fear is today if we continue to operate and focus on the minimum requirements compliance) without a focus on stewardship, consumer trust as we know it will be tarnished and greatly impact brands and business objectives and innovation in the marketplace.
Should business-as-usual include expected data breaches?
DAVID: Let’s start with data. In the digital marketing sphere, that’s really where most companies begin with: the data they hold on consumers and how they treat that. So let’s talk about data breaches a little bit. Is that just a part of doing digital business today, do you think?
CRAIG: Well, we’re a data-driven society and economy. The data is a new gold rush for many places and people. Done right, it’s a tremendous value to businesses and consumers. That said, not unlike the criminals chasing the stagecoaches in the Wild West, criminals have evolved and they too recognize this data has a lot of value.
I think we need to recognize the likelihood that all organizations will experience a data breach or a data loss incident. And recognizing that, you’re going to then have better steps in place to help prevent, to help detect, and help mitigate and remediate the impact of that. Failing to recognize that, you’ll be caught flat-footed. And I believe you’ll have irreparable harm in both the reputational as well as the legal aspect of the issues.
How to protect your buyer (and your digital reputation)
DAVID: Can you elaborate on what brands can do today to sort of protect their digital reputation in today’s market?
CRAIG: I would say this is not only for brands, it’s every organization, service providers, brands, election campaigns, anyone that is collecting, holding or processing data.
There are some certain fundamentals, if you focus on the security of the data. The reality is when we actually investigate it – and we’ve looked at this over the past five years, and the data is very conclusive – 95 plus percent of data loss incidents could have been prevented. if simple things were done. This includes simple patch management. This includes simple use of off the shelf software to prevent things, as well as restricting and revalidating user access to systems.
So we look at all these things combined. As a result of that we’ve published a data breach readiness guide annually. We also host workshops. The goal is to help equip businesses to understand those simple things that lead to the majority of breaches and how to best respond.
The flip side of that is recognizing you will have a breach. You need to be prepared. This is no different than having a fire drill in school, you need as an organization to have a plan to address having a breach and having a fire drill, how to respond, and every element of response from notification of the affected parties, working with law enforcement, internal communications, and related areas there. Again, it’s about prevention up front, and then on how to communicate and resolve it going forward.
DAVID: Taking that one step further, what can brands do if you’re, for example, an online retailer or any kind of organization that is interacting with consumers on a regular basis? What can we do to help protect our consumers further than the things that you’ve mentioned?
CRAIG: One of the first things is to revalidate the business purpose of the data you’re collecting. A lot of times when we’ve actually gotten involved in reviewing a breach incident, questions are raised, such as “Why are we collecting this data in the first place? Is this data still relevant to our business? How are we storing it?” It’s a simple idea: if you don’t store it, you can’t lose it. So that’s one of the first things to think about.
The other element is revalidating user access. What happens typically in the organization is that someone’s job changes, but we fail to revoke permissions or access to data. It’s not that they’re a bad employee; it’s about reducing the risk or threat footprint. So if David’s email or David’s passwords are compromised, it’s going to limit the exposure or that risk of that. Think of it as putting firewalls in a building. With a firewall, if there’s a fire in one apartment, it doesn’t spread to the other. The same thing is if you have broad user privileges, and they compromise one area, they can then compromise other systems. Again, it’s the model of containment of your data, but also of revalidating user rights access.
Email as an attack vector
DAVID: Let’s shift gears a little bit and talk about email authentication. As you mentioned earlier, really that was the genesis of the OTA. And I know that you’ve done a tremendous amount of outreach and work supporting and getting that message across, no pun intended, in terms of email authentication. Can you give us a quick state-of-the-state in terms of how the industry is faring in terms of authentication adoption?
CRAIG: I appreciate this opportunity, because ultimately email is one of the primary, if not the primary, attack vector today. It’s very easy to spoof and forge an email to convince a user to open a mail that has malicious links or malicious malware to compromise a user device and then execute a breach.
That’s exactly how the whole Target breach happened. A vendor received a mail, opened it up, their system was compromised, they have access to other systems at Target, and it was this domino effect. That speaks to the importance of validating your mail, both in the inbound side of the organization, but as importantly to your consumers or constituents that you’re mailing to.
What email authentication does is, it helps the ISP or receiving party to validate that the sender is authorized to send on behalf of the domain owner. There are various technical protocols or standards to do that, but they’re very complementary. SPF [sender permitted from] and DKIM [domain keys identified mail] are the leading two, and they’re very complementary. I always think of it like a Reese’s Peanut Butter Cup. They’re good separately, but significantly better when working together. They cover each other’s use cases or fringe cases to help validate the authentication.
The good news is we’ve had great adoption. The bad news is it’s inconsistent between subdomains. That’s an area that needs more managerial focus within companies of all the subdomains they may be managing or delegating to others. Are they all authenticating 100 percent? Once you get to that assurance that you can authenticate, you can have published what’s called a DMARC [Domain-based Message Authentication, Reporting & Conformance] policy, another technical standard that provides the receiving network or the ISP clear instructions on how to handle a mail that fails.
So you combine SPF and DKIM, again authenticating the mail that purports to be coming from your domain, and DMARC providing a policy assertion back to the ISP, you can very easily prevent the majority, if not all, email spoofing attempts.
That said, SPF and DKIM have grown a great deal. DMARC is right now very, very limited in its adoption process. We need to double down on our efforts to drive adoption in that area.
DAVID: If you were to have a scorecard or a report card, how are we doing in this industry in terms of implementing authentication?
CRAIG: We actually do have a scorecard. And David, as you may know, recall that annually the OTA publishes what we call an online trust audit. We evaluate the top 500 ecommerce sites, the top 100 banks, and such. For example, if you look at the top 500 ecommerce sites, 78 percent of them adopt both SPF and DKIM. And that’s great. Last year was 74 percent. 2012 it was 43 percent. So we’ve increased 35 percent since 2012. So we’ve had great growth in the adoption by leading retailers. The banking industry lags slightly at 63 percent, which is concerning because again so much of bank takeovers and such. Those are key areas to be aware of there.
The DMARC area is a bigger concern. Again we’ve got the foundation of SPF and DKIM being implemented. But only 22 percent of the top 500 retailers have adopted DMARC. So we have a long way to go to really help advance the protection and integrity of email as a channel.
DAVID: I couldn’t agree more, Craig. It’s obviously extremely important to build your digital reputation by publishing authentication in some form, because that’s really the first space in beginning to send any type of email out, not only commercial, but certainly corporate mail as well.
The state of privacy legislation
Let’s shift gears a little bit. I’d like to talk about some privacy initiatives as they relate to the US and potentially international privacy initiatives. There’s been a lot of privacy legislation in play on the books at the state level for several years now. Obviously California is the poster child for all things privacy as it relates to state initiatives.
But do you see any kind of unilateral national privacy legislation in our near future? And if so, do you have any sense as to what that may be?
CRAIG: Unfortunately, my enthusiasm and optimism on national legislation is not that high. That’s very disappointing, because I think the business community would actually benefit from it. But again you have some very strong lobbyist organizations whose view is there’s no real harm and get over it, and so not to advance it. But ultimately legitimate businesses want to know, they want to develop products, they want to have innovation. Having a universal or at least a national framework I think would benefit businesses as well as consumers.
Same point on data breach legislation. You would think after the Titanic type breaches that we’ve experienced with major retailers would be enough to move the ball forward. But today we have 47 different state levels of legislation on data breaches. So we’re challenged in those areas. And two years ago President Obama introduced a privacy bill of rights at the White House. It was great, I was there. In 24 hours the major trade groups said they weren’t going to support it. That’s a challenge. I think a call to action is: let’s look at the long term benefit here, recognize privacy and a consumer’s right to privacy as an asset, no different than the environment.
We need to look at this because again if we continue to disregard privacy, it could become like a toxic spill that over time takes a long time to rebuild and reinvigorate the environment. And that’s the challenge that we have today in privacy.
DAVID: Having gone through the early days of CAN-SPAM legislation and opt in versus opt out and the debates around that, it was quite clear that we were heading down an opt-in route until some lobbyists got involved at the very last minute. And now we have this opt out law that we have to operate under. So yeah, it’s interesting to see the wheels of government working. And obviously being in an election year next year, there’s probably no appetite to drive any kind of sufficient privacy legislation as it relates to the consumer’s benefit in the near term.
CRAIG: One of the things that we just released was an audit of the 23 presidential candidates,. What was incredible is effectively six of them had no privacy policies, or policies that didn’t address any of the privacy fundamentals. It’s kind of scary to think that one of these candidates could be the next President of the United States, and that their campaigns and their staff really are not focusing on consumer data and privacy from the consumer perspective. And that’s concerning as we move forward. So we’re hopefully moving the ball forward, raising that awareness, and also raising awareness of what consumers should be thinking about of the sites they frequent.
The privacy implications of the Internet of Things
DAVID: We are hearing a lot about the Internet of Things and those types of initiatives. Do you have any sense of the privacy implications around the Internet of Things? And what do we as businesses need to start to think about to prepare for when the Internet of Things becomes mainstream?
CRAIG: The Internet of Things producing a tremendous amount of innovation, a tremendous amount of products and services are being introduced, but there is a somewhat systemic failure of looking at security and privacy holistically.
We’ve developed a framework, what we call a trust IOT framework, an Internet of Things framework. This looks at sustainability, in terms of the long term impact. How will my garage door be updated or patched? How will I know? What data is being collected over time, how is a consumer notified? And whether this is a baby monitor, a digital streaming service within the home, or a garage door opener, or a wearable technology, these devices are collecting tremendous amount of data. Are we really thinking about how is that data stored, how is it being transmitted, and again what are the privacy policies? Do we know how that TV manufacturer is sharing the data? Do consumers have the transparency, and the ability, to opt in or opt out?
So that’s the landscape that we have today. Literally thousands of devices are coming out daily. Everything from light bulbs to baby monitors, as we mentioned, to appliances. We need to look at this. The positive side is device manufacturers are looking for this leadership, not unlike the challenges of not having data breach legislation. Today there’s no legislation or even a code of conduct or best practices. Over the last eight months the OTA has assembled a very broad group of stakeholders to come together and help develop this framework so we can better understand and address the security, the privacy, and the sustainability issues of IOT devices and the data they collect.
DAVID: There are a tremendous number of issues that come along with everything being connected and things being on the grid. I have this vision of my refrigerator at home breaking down and not talking to the coffee maker or the toaster. I think I have to go home and check that. But there are definitely a lot of issues around that.
What sort of additional digital threats should we be thinking about now? That’s a loaded question because we don’t really know. But what do you think is coming, from what you see trending-wise within the digital ecosystem?
CRAIG: Consumers are realizing tremendous benefits. We’re going from multiple PCs from our homes, to readers, to mobile devices. These devices are with us all the time. Sometimes that’s good, sometimes that’s bad. The ability to track a consumer from the one device to another can be great if it remembers where I was reading an article, and next time I open it up on the plane it remembers the same thing. There are a lot of positive aspects in cross-device tracking. The converse of that is how else it is being used – which may not be within the expectations of a consumer.
We have an environment today in which we have tracking, we have facial recognition technologies that are happening, we have drones. What are the privacy concerns of this? We talk about the right of privacy within your home, but what about the drone that’s flying overhead, how is that data being collected and used? We have these areas that as policymakers, as business leaders, we need to look at, because again the power of the state is tremendous, but also the power of the abuse can be equally significant.
DAVID: I couldn’t agree with you more. I just upgraded my cable at home and one of the new features is my account information. Billing, all my PI [personal information] is displayed on my television, which was really quite surprising, and I was feeling extremely infringed upon when I fired it up yesterday.
The difficulty of preserving anonymity and privacy
AUDIENCE MEMBER: I remember reading a story about collaborative filtering and how few data points it really takes before you can start making pretty accurate predictions. Will you speak to that in relation to data and privacy?
CRAIG: Well, absolutely. A good case in point was this lawsuit with AOL years ago. They asserted that they were basically anonymizing all the information, and it didn’t take that much work to actually say “Well wait a second, here’s a guy, he’s 42, he doesn’t have much facial hair on his head, he’s got an English accent, lives in a specific zip code, and all these things. And all of a sudden you identify with a 99 percent precision that it’s David Fowler.
I view someone’s personal privacy with great respect, whether it’s their political point of view, or their views on contemporary issues. Those become exposed very quickly. It’s frustrating because from a legal perspective the argument is, “Show me the harm, no big deal that I know David’s political point of view, or personal interests. So what’s the real harm?” That’s a problem with the US legal model. It’s a harms-based approach. Whereas the EU believes in this fundamental right of privacy. The fall of Safe Harbor highlights this issue.
It’s incredible to think that here it is a decade later, we’re talking about some of the same issues. I think sometimes we so much focus on the negative so much, and I keep on trying to come back to consumers are getting a tremendous amount of value today. The challenge is that we reach this inflection point where consumers lose trust. We already are seeing that. People respond; more people are using ad blockers than ever more. Why? Because they don’t trust the ads. They’re concerned about the privacy practices they can’t control and the malicious ads being served
DAVID: That was definitely discussed ten years ago; that’s where we were headed: you can’t trust the email, you can’t trust the brand, etc. Obviously in this space it’s a bit more complex, but back when we were focused only on email it was the same conversation.
CRAIG: Again, it’s long term what’s happening. We use the analogy quite a bit of pollution and the environment. A lot of people say, “Well it’s just a little bit of oil that’s going down the drain, it’s not much of a big thing, get over it. And it’s just your home address, someone can get it someplace else.”
But it’s the power of big data and analytics to be able to append all this data with other data sources; what appears to be isolated pixels of information become a very comprehensive composite of someone’s lifestyle. In the right context this can be very powerful; in the wrong context it can harm someone and their education, their employment possibilities, or in other areas. So those are concerns.
Business benefits for joining the OTA
DAVID: Will you talk for just a moment about how a company would benefit by joining the OTA and the organization that you represent.
CRAIG: The Online Trust Alliance is a charitable 501(c) (3) organization. True to our mission, we work with a broad group of stakeholders to develop what we think are principles and best practices that enhance trust, but equally as important that demonstrate a commitment to self-regulation. I think businesses have a significant benefit in every aspect of that. Brands benefit, consumers benefit, and the last thing anyone wants is legislation and regulations that limits our ability to be progressive and innovative.
Companies really have a seat at the table. They help shape this. We work again not just in the US, we work internationally across these issues. When we approach an issue, it’s not on behalf of one company or set of companies, it’s for the ecosystem. We have companies like the Gap and Publisher’s Clearinghouse, Target, major alarm companies, as well as service providers, and companies like Microsoft, Twitter and others. We’re able to bring this thought leadership and this knowledge base, and push out our best practices. One of the other major benefits is companies learn from each other. Peer to peer learning is very effective, and I think joining the OTA would really help accelerate a company in their business planning and their business objectives.
DAVID: I’ve seen the development of the group, and I certainly have benefitted personally and professionally from the knowledge share. So we certainly appreciate you giving us the opportunity to do that. 
Craig, I’d like to just thank you again for your time and your insights. I really appreciate you being a part of the conversation. And I look forward to chatting with you again.
CRAIG: Thank you, and thank you to Act-On for your leadership and making this possible and supporting our vision and our efforts over the past decade.
Get ahead of data protection laws and understand the compliance framework for the EU with Act-On’s free guide – The EU Data Protection Overview.