Fluffy are Kitties
Wednesday 3C
Convener: Sarah S., Justin R.
Notes-taker(s): William Kim
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Inverse of ‘Kittens are Fluffy’ sessions held at previous IIWs
As opposed to someone using their corporate identity to express potentially controversial opinions that are not representative of the company but are still linked to it because the person uses their corporate account, what happens when someone, e.g. a Secretary of State, uses personal channels of communication to do their professional work?
Discussion was mainly in the context of corporate email and calendar.
Talked about challenges of trying to manage personal and work contexts on mobile devices.
Calendaring, separating work and personal spaces as different accounts or different identities
Crossover of personal to work, and vice versa
You own your identity, but when you get fired, you lose your corporate identity
What about sensitive information in textual content of the calendar events?
Free/busy calendar information cross over
DLP voodoo magic solution? Protect corporate-specific calendar information within the firewall – once user is fired or quits, no longer has access
What about offline or remote access?
Having access to corporate calendar only on the network leads some to forsake using it at all.
Corporate email policy around email retention. Personal workarounds to archiving email, i.e. running your own mail server.
ENFORCEMENT (or loose nature of it) is what allows this kind of situation to happen. Mostly self-enforcement: “Don’t be an idiot”.
Email is still viewed as ‘technology’
Sunshine laws/transparency vs. Classified/Confidential information
Data retention for liability or to mitigate liability
Defining a ‘record’ for technology
Self-enforcement (the “Don’t be an idiot” model) is a practical response to a complicated policy system that may not be understood or tractable otherwise. No policy system is perfect though.
Software systems (email and calendar), and hardware systems (BYOD)
Software/hardware stack on client device vs. server
Weird BYOD stuff kinda acquiesced to by corporations, but Cloud is a different story.
Isolation of environments using VMs, user experience issues?
NDAs with a customer while using Gmail
Using paid service transfers some liability? As opposed to free service or hosting your own service
American view of identity is highly fragmented? Expectations to act certain ways in certain contexts. “Roles”
Socio-normative controls
What are the consequences? Why is there no real crackdown? Because expectations are still emerging.
Where to shape the privacy bubble around people and around digital identities
Alignment to privacy expectations, in corporate sense NDAs/IPRs, but perfect alignment not desired. We still want whistleblowers and whatnot.