Fluffy are Kitties

From IIW

Fluffy are Kitties!

Wednesday 3C

Convener: Sarah S., Justin R.

Notes-taker(s): William Kim

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Inverse of the ‘Kittens are Fluffy’ sessions held at previous IIWs

As opposed to someone using their corporate identity to express potentially controversial opinions not representative of the company but still linked to the company since the person uses their corporate account, what happens when someone, e.g. Secretary of State, uses personal channels of communication to do their professional work?

Discussion was mainly in the context of corporate email and calendar.

Talked about challenges of trying to manage personal and work contexts on mobile devices.

Calendaring, separating work and personal spaces as different accounts or different identities

Crossover of personal to work, and vice versa

You own your identity, but when you get fired, you lose your corporate identity

What about sensitive information in textual content of the calendar events?

Free/busy calendar information cross over

DLP voodoo magic solution? Protect corporate-specific calendar information within the firewall – once user is fired or quits, no longer has access

What about offline or remote access?

Having access to corporate calendar only on the network leads some to forsake using it at all.

Corporate email policy around email retention. Personal workarounds to archiving email, i.e. running your own mail server.

ENFORCEMENT (or loose nature of it) is what allows this kind of situation to happen. Mostly self-enforcement: “Don’t be an idiot”.

Email is still viewed as ‘technology’

Sunshine laws/transparency vs. Classified/Confidential information

Data retention for liability or to mitigate liability

Defining a ‘record’ for technology

Self-enforcement (the “Don’t be an idiot” model) is a practical response to a complicated policy system that may not be understood or tractable otherwise. No policy system is perfect though.

Software systems (email and calendar), and hardware systems (BYOD)

Software/hardware stack on client device vs. server

Weird BYOD stuff kinda acquiesced by corporations, but Cloud is a different story.

Isolation of environments using VMs, user experience issues?

NDAs with a customer while using Gmail

Using paid service transfers some liability? As opposed to free service or hosting your own service

American view of identity is highly fragmented? Expectations to act certain ways in certain contexts. “Roles”

Socio-normative controls

What are the consequences? Why is there no real crackdown? Because expectations are still emerging.

Where to shape the privacy bubble around people and around digital identities

Alignment to privacy expectations (in the corporate sense, NDAs/IPRs), but perfect alignment is not desired. We still want whistleblowers and whatnot.