Major Risks Concerning Big Data
The concern over whether governments are illegally collecting big data about their citizens reminds both organisations and individuals to consider the delicate balance between the benefits that big data analytics bring, and the ethical and privacy risks they pose. Individuals are not without responsibility by offering their personal data for free Internet services. Yet organisations should initiate an internal debate on the limitations of big data analytics and guidelines to avoid public embarrassment, mistrust and liability. Big data, like most innovations, is a double-edged sword. It brings huge benefits. It allows organisations to personalise their products and service on a massive scale; it fuels new services and even business models, and can help mitigate business risks. At the same time, allowing data scientists to run amok can harm individuals and institutions in unanticipated ways. In particular, we predict that through 2016, 25 per cent of organisations using consumer data will face reputational damage due to inadequate understanding of information trust issues, and 20 per cent of chief information officers in regulated industries will lose their jobs for failing to implement the discipline of information governance successfully.
Real Concerns
There is a subtle balance between improvements in operational risk and strategic risk by using big data techniques and increased reputational risk if (inadvertently) overstepping certain legal or social boundaries. There is an equally subtle balance between improvements in customer service and business operations by, for example, accurate customer profiling based on a variety of data sources, including social media and mobile phone data, and knowing so much that customers experience a ‘creep factor. ’ For example, if a pharmaceutical company analyses DNA data, lifestyle data and socio-demographic data, on the lowest level of granularity, and draws interesting conclusions about health perspective then shares this data. But not sharing those insights could be unethical as well.
Being responsible with big data are broader than addressing privacy concerns. In an emerging field with so many possibilities, and where technology limits have shifted so dramatically, the consequences of use cannot always be foreseen. More than guidance and rules, a debate about what is principally right and wrong is needed. The following risks highlight what organisations must consider to protect their constituents, and themselves, from the impact of big data.
Risk 1: anonymisation and data masking could be impossible
Large data sets are often subjected to an ‘anonymisation’ process to enable the data to be used for marketing or scientific research, without the potential of leaking information about the individuals. However, no useful database can ever be perfectly anonymous. Furthermore, for several decades, the information security research community has recognised that bodies of low sensitivity data, when they can be correlated, can often result in a set of data that has much higher significance than any of the original data sets. When done with malicious intent, this is referred to as an inference attack, or slightly the more neutral term ‘reidentification. ’ The ‘triple identifier’ of birthday, gender and postcode is all that someone needs to uniquely identify at least 87 per cent of US citizens in publicly available databases. The individuals who might have given permission to have their data used in what they believe to have been an anonymous fashion might have no idea that reidentification is even possible. This can lead to harmful results, revealing information on medical history, personal habits, financial situation and family relations that most people would classify as private.
Risk 2: protecting people from themselves
Not everyone cares enough about their own privacy. Many consumers use social media or Internet-based services carelessly, allowing others to make use of information in unintended ways. Consider the following examples: Publicising on Twitter that you are on holiday or “checked in” somewhere with the whole family shows you are not at home. Consumers almost never read the ‘terms and conditions. ’ To receive a promotion, consumers often need to provide some personal information. Even though people are expected to know what they are doing, and there may be no legal issues after consumers consent to providing information, there is reputational risk to companies if consumers feel their trust and confidence was breached. What consumers trust you to do (or not do) doesn’t necessarily equal what is legally allowed to do.
Risk 3: it’s easy to mistake patterns for reality
Mass shootings, for example, in the US, have generated interest in attempting to determine which individuals are likely to act out on violent impulses. These clues are believed to be available in Facebook and other social media.
Institutionalising this type of activity could result in a sort of ‘Minority Report’ phenomenon. Governments are already conducting data mining of cash transactions to infer the activities of terrorists and other organised criminals. Police forces use advanced predictive analytics to predict a higher chance of crime rates in certain areas on certain days or times in the day. Surveillance cameras in streets are connected to analytical software that is engineered to detect behavioural patterns indicating trouble. This may easily lead to “fishing expeditions, ” where authorities conduct mass analytic exercises, in which any person fitting a certain pattern becomes a suspect. For crime prevention purposes, there is a direct issue with the constitutional presumption of innocence. In business, a pattern doesn’t necessarily equate to behaviour.
Risk 4: the data becomes reality itself
In business, unintended behavioural influence happens as well. Based on advanced analytics, retailers provide customers with personalised offers. Confronted with perceived endless choices in online and street retail and a lack of ability to compare with other offerings, customers are likely to welcome such offers. The acceptance of the offer refines the profile, leading to an even more targeted offer, leading to higher conversion rates again. Through this closed loop, the profiling and associated prescriptive analytics start driving customer behaviour, rather than the other way around. This is commercially interesting, but ethically debatable.
Risk 5: don’t worry about bad people; worry about the ignorant ones
Big data analytics distinguishes itself through the use of automated discovery techniques, presenting potentially interesting clusters and combinations in data. This is a powerful tool when dealing with high volume and high velocity data with a high degree of variation, but also potentially dangerous. Customer segmentation and profiling can easily lead to discrimination based on age, gender, ethnic background, health condition, social background, and so on. These are limitations known to analysts, but not to technology. Knowledge, once gained, cannot be undone. Even deciding not to do anything with the knowledge is a decision with consequences already.
To guide big data analytics, it makes sense to also consider what data and analytics you would like to have, and equally important, what not. One bank, for instance, removed face recognition algorithms from its set of analytics, because it didn’t even want to be seen as being able to use it. Organisations need to evaluate the value of knowing the answers to specific information-driven questions, analysis and models before they develop the model. Intent becomes the precursor to big data analytics. “Why do you want to know it” becomes the gateway before “what do you want to know. ”
Initiate debate by posing ethical dilemmas
To assess these risks, organisations should embark on an ethical debate of the arguments for and against certain actions with big data. By analysing either their own initiatives or real world case studies such as the Snowden affair or Google’s StreetView collection of data from private wireless networks, they can analyse multiple points of view on what is right and wrong. Here, context is really important. What is acceptable for one organisation might be unacceptable in another context. For example: Is it acceptable that a municipality, responsible for administering unemployment benefits analyses social media data to check for fraud? Most people would agree to that, even without the consent of the people receiving the benefit. Should an employer set up big data analytics to monitor social media on staff behaviour? More people would object, and staff would at least have to give consent. Is it a good idea for an insurance company to profile customers based on their social media data, analysing communications on their sports activities, dieting and smoking habits, and using the information for individualised premiums? Many people would object. Ethical debate is about determining what is ‘appropriate’ and what is ‘not appropriate’ for your organisation and for others. This is normative and subjective in nature. People have different values, principles, beliefs and convictions. There are differences between cultures and age groups. Fundamentally, an ethical debate forces an organisation to take a stand, and determine what it believes itself to be – good and bad – instead of relying on regulatory compliance and industry best practices. The outcome should be implemented and repeatedly communicated and enforced.
Develop a code of conduct
As a result of this ethical debate, information leaders should, together with their marketing and legal departments, develop a code of conduct for big data analytics. This code of conduct should contain the list of principles that describe what the company finds appropriate and inappropriate, a process that describes the ethical checks and balances when conducting big data analytics, legal implications, whether the intended use of the data matches how it is actually being used, and if the organisation would be comfortable if the results of it became public. Experimentation has its risks. The more the analytical use of data are removed from the original goal of measurement, the higher the chance data are used in a questionable way. Use data in the way that its original measurement was intended for. Invest in metadata that describes the origin of data, the purpose of data and limitations for its use. And keep communicating the code of conduct. Ethical guidelines require regular attention and reinforcement. Make sure they are part of every business case and proposal and are part of a checklist when running campaigns or other analytical activities, send out reminders to critical staff, and solicit feedback from people involved on how the principles have been helpful. Guidelines are only effective when they are top of mind and enforced.
