Cross-posted on IAPP
https://www.privacyassociation.org/publications/its_complicated_the_social_lives_of_networked_teens_does_not_shy_away_from
How often have we heard or uttered the refrain that the newer generations—“Millennials” or “Generation Zs”—have no concept of privacy, that they live a life online devoid of personal restraint? I confess I have had that thought myself. So when asked to review danah boyd’s new book It’s Complicated: The Social Lives of Networked Teens, available through Yale University Press, I was delighted to do so.
This book was 10 years in the making and is dedicated to boyd’s friend, mentor and former professor, Peter Lyman. It is obvious throughout the book that boyd discusses some technological aspects that society may consider outdated, such as the social network MySpace, but boyd addresses this upfront. She disclaims early on, “The technical shifts that have taken place since I began this project—and in the time between me writing this book and you reading it—are important, but many of the arguments made in the following pages transcend particular technical moments, even if the specific examples used to illustrate those issues are locked in time.”
Boyd does not shy away from the tough subjects. It is apparent that she observed teenagers in their natural setting over a period of time. She also observed those people around teenagers and drew observations not only on the behavior or expectations of the youths but also the behavior and expectations of other youths and adults who interact with teenagers. In this book, boyd combines her personal observations with her research into technology, the Internet and social media to present a broad and insightful view of teenagers that might clash with the generally held belief about youth.
This book contains eight chapters, along with a hearty introduction. The chapters are presented topically and boyd skillfully weaves certain characters throughout the book, which provides a stabilizing effect. The chapters, which are bold incursions into topics many shy away from truly contemplating or speak about without true knowledge, are presented in a logical order.
Boyd first discusses teens’ search for identity online, which does not differ from their need to find their identity—only nowadays, a teen’s world is technology. She draws us into a world where teens’ identities are taken out of context because they do not necessarily create identities to satisfy all possible audiences. boyd writes, “Unlike face-to-face settings in which people took their bodies for granted, people who went online had to consciously create their digital presence.” She skillfully introduces us to the world of creating identities and managing impressions.
Next, boyd tackles the topic of privacy. Adults seem dismissive of teens’ awareness of the need for privacy, and, boyd writes, teens “have little patience for adults’ simplistic views about teen privacy.” She instructs us that teens achieve privacy by controlling their social situations and describes how they have learned to live with surveillance. boyd explains the concept of “social steganography,” in which teens conduct conversations and send messages in plain sight encoded to hide from adults or other teens. This segues nicely into the next chapter on social media, which boyd titles “addiction,” yet explains it is more of a necessary outlet that adults view as an unhealthy addiction due to its time demands.
Moving beyond the first three chapters, which provide a foundation upon which to explain and explore teens and social media, boyd examines the more controversial topics of teens online: dangers of being online, bullying and social inequality. She discusses these dangers frankly, without shying from the realities. She recommends that to keep our youth safe online, society needs to patrol digital streets with the same determination that is used to patrol real streets.
The last two chapters of the book are dedicated to understanding the world that teens now live in. She starts with examining the concept of “digital natives.” Boyd exhorts us all to be media-savvy, writing, “Learning is a lifelong process.” She concludes the book with a caution that media is not bad, it is a technology. It merely “mirrors and magnifies” the world we live in; it does not create it.
It’s Complicated: The Social Lives of Networked Teens was easy to read, applicable to the privacy field and full of interesting, well-considered research. The material was presented well and would appeal not only to those of us in the privacy profession but to some of the general public. I do not feel that it would appeal to all of the public, but what book does? My perspective stems from the depth of the material into which a reader sinks until some readers may be over their heads. But the material is so smooth that some readers might not realize they are over their heads until they turn a few pages and realize how deep they have gotten. However, as a past youth counselor, mother of teens and current privacy professional, I found the book riveting. And even I had to read it twice because the material is so rich. I did find the conclusion to be a little too cavalier given the seriousness that came before it. Agreed, our world is a technological one and we should approach its dangers and its benefits with our eyes wide open, but online there are challenges that require different approaches to those dangers and benefits. Yet, it is a remarkable feat boyd accomplished to link tangible experiences to digital ones and to enable us to relate teens’ current experiences with those of our youth. This takes the book to a new level of triumph.
I can do nothing less than highly recommend this book for those who have an interest in such fields—whether teens’ issues or privacy.
K Royal, CIPP/US, CIPP/E, is privacy counsel at Align Technology and has over 20 years of professional experience in the legal and health-related fields.
Read more by K Royal:
Book Review: The Future of Privacy
Tuesday, February 25, 2014
Thursday, February 20, 2014
How to Brew the Perfect Privacy Officer
Cross-posted to IAPP
https://www.privacyassociation.org/privacy_perspectives/post/what_makes_a_good_privacy_officer
Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.
To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?
Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.
Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.
CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.
Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.
Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.
Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.
Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.
Mechanics: Mechanics run the gamut of the shady-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.
Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?
Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.
This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?
https://www.privacyassociation.org/privacy_perspectives/post/what_makes_a_good_privacy_officer
Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.
To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?
Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.
Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.
CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.
Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.
Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.
Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.
Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.
Mechanics: Mechanics run the gamut of the shady-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.
Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?
Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.
This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?
Saturday, February 15, 2014
HIPAA encounters of the Personal Kind
I wish today's post to be light-hearted, but realize in the end, there may be some lessons learned....be careful. You, too, may become conscious of your own privacy.
My cell phone rang the other day and I answered it "hello." What follows is the gist of the conversation. I could be partially wrong in the exact wording, but the meaning remains the same. I have changed Paul's name to protect the unknowing.
K: Hello
Bob: Hi. I'm calling to speak with K Royal about an emergency room visit to blah blah hospital on this past Saturday on February 8.
(please note - at this point, he has disclosed my protected health information if someone other than me had answered the phone).
K: this is K.
B: Hi, this is Bob, an RN at blah blah hospital. Before I go any further, I need to confirm your identity to maintain confidentiality. What is your date of birth?
K: (really?! you've already blown it, mister) Hi Bob, can you confirm your identity to me before I provide you with my date of birth?
B: Uh, no.
K: So there is nothing you can do, at all, to prove you are calling from the hospital? (I was expecting him to say - sure, call the hospital and ask for me or my extension)
B: No. can't think of anything. I just want your date of birth.
K: Okay, let's try this - tell me if you are calling to survey me on how well your service was or if you want to discuss something of a medical nature.
B: Ma'am, I can't tell you that. It violates HIPAA.
K: Actually, it does not. I am not asking you to give me any personal or protected information. I am just asking for the general nature of your call.
B: Ma'am that does violate HIPAA. HIPAA won't let me tell you the purpose of my call.
K: Bob, I am a privacy attorney and very familiar with HIPAA, I can assure you that it does not. How about this...are you calling to survey me about your service? cause if you are, it was fabulous and I felt everything went smoothly.
B: Ma'am, I cannot answer that question because it would violate HIPAA. And if you won't give me your date of birth, we seem to have a problem. I know HIPAA very well - and it won't let me continue without it.
K: Bob, I actually seem to know HIPAA better than you do ... at least in this instance ... because HIPAA would not stop you from answering that question.
B: So what do you want to do?
K: I guess we're at an impasse, Bob. You cannot verify who you are or where you are calling from, you want me to provide you with even further personal information, and you won't tell me the purpose of your call. Sooooo, I think we're done here - and I truly hope you were not calling to tell me something popped up on the tests and I am dying. Feel free to call me back when you either learn more about what you can say under HIPAA or can provide verification of who you are. Have a good afternoon. Bye bye.
I called the privacy officer and left a message to call me. Nothing.
So what did we learn here (other than stupid stuff like this brings out my snarky side)?
1) It is a HIPAA violation for a covered entity to give out information before verifying the patient's identity - as in his opening statement.
2) When people ask for personal information, verify who they are.
3) Not all health care personnel in the US really know and understand HIPAA rules.
4) Patients need to be vigilant about their health care AND their personal information.
My cell phone rang the other day and I answered it "hello." What follows is the gist of the conversation. I could be partially wrong in the exact wording, but the meaning remains the same. I have changed Paul's name to protect the unknowing.
K: Hello
Bob: Hi. I'm calling to speak with K Royal about an emergency room visit to blah blah hospital on this past Saturday on February 8.
(please note - at this point, he has disclosed my protected health information if someone other than me had answered the phone).
K: this is K.
B: Hi, this is Bob, an RN at blah blah hospital. Before I go any further, I need to confirm your identity to maintain confidentiality. What is your date of birth?
K: (really?! you've already blown it, mister) Hi Bob, can you confirm your identity to me before I provide you with my date of birth?
B: Uh, no.
K: So there is nothing you can do, at all, to prove you are calling from the hospital? (I was expecting him to say - sure, call the hospital and ask for me or my extension)
B: No. can't think of anything. I just want your date of birth.
K: Okay, let's try this - tell me if you are calling to survey me on how well your service was or if you want to discuss something of a medical nature.
B: Ma'am, I can't tell you that. It violates HIPAA.
K: Actually, it does not. I am not asking you to give me any personal or protected information. I am just asking for the general nature of your call.
B: Ma'am that does violate HIPAA. HIPAA won't let me tell you the purpose of my call.
K: Bob, I am a privacy attorney and very familiar with HIPAA, I can assure you that it does not. How about this...are you calling to survey me about your service? cause if you are, it was fabulous and I felt everything went smoothly.
B: Ma'am, I cannot answer that question because it would violate HIPAA. And if you won't give me your date of birth, we seem to have a problem. I know HIPAA very well - and it won't let me continue without it.
K: Bob, I actually seem to know HIPAA better than you do ... at least in this instance ... because HIPAA would not stop you from answering that question.
B: So what do you want to do?
K: I guess we're at an impasse, Bob. You cannot verify who you are or where you are calling from, you want me to provide you with even further personal information, and you won't tell me the purpose of your call. Sooooo, I think we're done here - and I truly hope you were not calling to tell me something popped up on the tests and I am dying. Feel free to call me back when you either learn more about what you can say under HIPAA or can provide verification of who you are. Have a good afternoon. Bye bye.
I called the privacy officer and left a message to call me. Nothing.
So what did we learn here (other than stupid stuff like this brings out my snarky side)?
1) It is a HIPAA violation for a covered entity to give out information before verifying the patient's identity - as in his opening statement.
2) When people ask for personal information, verify who they are.
3) Not all health care personnel in the US really know and understand HIPAA rules.
4) Patients need to be vigilant about their health care AND their personal information.
Monday, February 10, 2014
Why are the people in the U.S. so blase' about Privacy?
So this was the question I received today about privacy: "Why are people in the U.S. so blase' about privacy?"
Frankly, my dear, I don't know.
I do have some theories that my mind is sorting through as I write - and if you have some thoughts (yes, you, the one person who is reading this), please do write me and let me know your opinion.
First, I do not think it is related to the fact that we do not have an explicit right to privacy guaranteed to us in the U.S. Constitution. However, I do think it is related to what rights we are guaranteed and how those rights have been enforced over the years. Most importantly, I think the freedom of speech as personified through the freedom of the press has been a huge factor in how blase' we are about privacy. As citizens, we are allowed to say what we want to say (in general), do what we want to do (shy of breaking laws), move where we want to move, live how we want to live, love as we desire - and act on that love. Freedom of speech includes our actions, our apparel, and our writings. And this freedom comes with a price - that we are ever so willing to pay - the lack of privacy.
Next, the American dream reinforces the lack of privacy. To achieve our dreams - or at least for those ridiculously mega-rich people to achieve their dreams, they take chances and go where no one has gone before, with information, brazenness, and wild willingness to use any tools at their disposal. Information is mostly free and can be used in ways that the average person would find mind-boggling.
Additionally, most Americans have not suffered atrocious crimes and deeply personal invasions like countries with currently strong privacy laws have in the past - where thousands of people were tortured and killed based on information, like their race, religion, or even just their name.
Thus on one hand, we see benefits in the freedom of information and on the other hand, we see no penalties in the misuse of information. I have often been told that if a company treats personal information with the respect other nations require, the company would lose its competitive edge. So what would motivate us to care? When I posted previously questioning why we are not outraged at the NSA, one of the responses I got was that once the PATRIOT ACT was enacted, any person who read it or watched the news knew that we now had no right to privacy. In a way, I agree. Not enough people were outraged then - and you cannot let the exploding holes in the dam go unnoticed and then complain about a flooded home.
We need a fundamental shift in our thinking. Information is a power tool. And it can be dangerous in the wrong hands. It can be dangerous in the right hands - if those are not your hands holding your own information. We need to be stingy. For example, unless you are on a government health insurance program or workers' comp, your doctor does not need your social security number. Such a simple thing. But try telling your doctor he/she does not need it and they freak out - they are so used to getting it, they just want to fill the blank. So I just pretend not to know it. "Ooops sorry. Don't carry the card either, but I'll really try to remember to bring it the next time." Not.
Frankly, my dear, I don't know.
I do have some theories that my mind is sorting through as I write - and if you have some thoughts (yes, you, the one person who is reading this), please do write me and let me know your opinion.
First, I do not think it is related to the fact that we do not have an explicit right to privacy guaranteed to us in the U.S. Constitution. However, I do think it is related to what rights we are guaranteed and how those rights have been enforced over the years. Most importantly, I think the freedom of speech as personified through the freedom of the press has been a huge factor in how blase' we are about privacy. As citizens, we are allowed to say what we want to say (in general), do what we want to do (shy of breaking laws), move where we want to move, live how we want to live, love as we desire - and act on that love. Freedom of speech includes our actions, our apparel, and our writings. And this freedom comes with a price - that we are ever so willing to pay - the lack of privacy.
Next, the American dream reinforces the lack of privacy. To achieve our dreams - or at least for those ridiculously mega-rich people to achieve their dreams, they take chances and go where no one has gone before, with information, brazenness, and wild willingness to use any tools at their disposal. Information is mostly free and can be used in ways that the average person would find mind-boggling.
Additionally, most Americans have not suffered atrocious crimes and deeply personal invasions like countries with currently strong privacy laws have in the past - where thousands of people were tortured and killed based on information, like their race, religion, or even just their name.
Thus on one hand, we see benefits in the freedom of information and on the other hand, we see no penalties in the misuse of information. I have often been told that if a company treats personal information with the respect other nations require, the company would lose its competitive edge. So what would motivate us to care? When I posted previously questioning why we are not outraged at the NSA, one of the responses I got was that once the PATRIOT ACT was enacted, any person who read it or watched the news knew that we now had no right to privacy. In a way, I agree. Not enough people were outraged then - and you cannot let the exploding holes in the dam go unnoticed and then complain about a flooded home.
We need a fundamental shift in our thinking. Information is a power tool. And it can be dangerous in the wrong hands. It can be dangerous in the right hands - if those are not your hands holding your own information. We need to be stingy. For example, unless you are on a government health insurance program or workers' comp, your doctor does not need your social security number. Such a simple thing. But try telling your doctor he/she does not need it and they freak out - they are so used to getting it, they just want to fill the blank. So I just pretend not to know it. "Ooops sorry. Don't carry the card either, but I'll really try to remember to bring it the next time." Not.
My review of the book: The Future of Privacy posted on IAPP
https://www.privacyassociation.org/publications/book_review_the_future_of_privacy
January 28, 2014
By K Royal, CIPP/US, CIPP/E
Being a strong believer in taking a pragmatic approach to compliance, I was incredibly pleased to read The Future of Privacy by Eduardo Ustaran, CIPP/E, published by DataGuidance. In general, I find the books available through the IAPP to be thorough, on point and useful to privacy professionals. This book went the further step and was actually fun to read and useful to those of the general public who have an interest in privacy.
Ustaran writes in a manner that is easy to comprehend and practical, yet steeped in substantive law. It’s like sitting comfortably with an expert who shares his insight and expertise as a conversation—at times relaxed and sometimes highly animated. And the timing for this book is perfect. At no other time in recent history have privacy and its challenges been at the forefront of global news.
The Future of Privacy is divided into three parts: “Catalysts,” “Policy Making” and “Compliance.” “Catalysts” provides a simplistic yet robust summary in three chapters covering of the evolution of technology, the value of data and data globalization. We start with the terminology: Information Superhighway, the Internet of Things, the cloud, cookies, social networking and the mobile ecosystem. This foundational coverage continues with analytics, Big Data and behavioral targeting.
Part I segues into Part II, “Policy Making” with frank coverage of the globalization of data. Ustaran clearly believes that the prohibition on data exportation prevalent in many nations’ laws is exasperating. It is also naïve in the technological age in which we live and function. Part II discusses regulating technology, policy-making, interoperability and incentivizing compliance. Ustaran recommends “just in time” regulation that is lean and consistent. Within these three chapters come the concepts of Privacy by Design, a global privacy blueprint and mutual recognition.
The book concludes with Part III on “Compliance,” perhaps the most critical section for privacy professionals. In Chapter 7, we start to see more of Ustaran’s European roots. He discusses the evolution of transparency in the use of an individual’s data, recognizing the debate about whether individuals have true control over the use of said data, anonymization, privacy and security by default rather than design and finally, the role of safe processors. He continues this discussion in the next chapter from the perspective of data as an asset—which may be controversial to some privacy professionals. He is clear that irrespective of a privacy professional’s belief in the idea of data as an asset, our roles depend on managing this idea and being committed to finding the right approach. The concluding chapter of the book addresses accountability in an era of competing regimes, uncertainty of law and the cost of consistency. He supports privacy within an organization as a team effort and advocates for the use of privacy impact assessments. He tackles the topic of global privacy compliance and advocates for the EU’s Binding Corporate Rules as a corporate framework. Ustaran concludes with two sentences: “We just need to get cracking because the future is here. Now.”
Generally, I read privacy and/or compliance books because I must in order to do my job. It’s rarely amusing or captivating, even when the book is well-written by a noted expert in the subject matter. Yet, this book is different. And the difference is in the presentation and writing style. The law is provided through thoughtful analysis wrapped in delightful examples and honest opinions. Whether you are new to privacy law or already immersed in its depths, this book is one that you should have—and not just on the bookshelf. Take notes in the margins, because you are just as likely to find yourself disagreeing with various points, questioning their validity or simply taking a deeper look into certain elements. This is the challenge of such a book; rather than merely absorbing the law dryly and reciting it back iteratively, it initiates thinking processes. It dares you to skim across and engages you in thought-provoking analysis.
Ustaran presents his beliefs without hesitation, but in his forthrightness, the reader responds with the same honesty—whether in agreement or not. This is the power of such a book, defining one’s own professional and personal belief system about privacy and forming a foundational understanding of technology and policy-making. I do not know if a global compliance program is truly achievable, but like many other privacy professionals, I have to attempt it. I agree with Ustaran in that the future is here and we need to stop playing catch-up and develop a workable regulatory framework where there is a basic understanding of the role data plays and how to be transparent in that use. I highly recommend this book for privacy professionals and anyone else with an interest in data handling.
January 28, 2014
By K Royal, CIPP/US, CIPP/E
Being a strong believer in taking a pragmatic approach to compliance, I was incredibly pleased to read The Future of Privacy by Eduardo Ustaran, CIPP/E, published by DataGuidance. In general, I find the books available through the IAPP to be thorough, on point and useful to privacy professionals. This book went the further step and was actually fun to read and useful to those of the general public who have an interest in privacy.
Ustaran writes in a manner that is easy to comprehend and practical, yet steeped in substantive law. It’s like sitting comfortably with an expert who shares his insight and expertise as a conversation—at times relaxed and sometimes highly animated. And the timing for this book is perfect. At no other time in recent history have privacy and its challenges been at the forefront of global news.
The Future of Privacy is divided into three parts: “Catalysts,” “Policy Making” and “Compliance.” “Catalysts” provides a simplistic yet robust summary in three chapters covering of the evolution of technology, the value of data and data globalization. We start with the terminology: Information Superhighway, the Internet of Things, the cloud, cookies, social networking and the mobile ecosystem. This foundational coverage continues with analytics, Big Data and behavioral targeting.
Part I segues into Part II, “Policy Making” with frank coverage of the globalization of data. Ustaran clearly believes that the prohibition on data exportation prevalent in many nations’ laws is exasperating. It is also naïve in the technological age in which we live and function. Part II discusses regulating technology, policy-making, interoperability and incentivizing compliance. Ustaran recommends “just in time” regulation that is lean and consistent. Within these three chapters come the concepts of Privacy by Design, a global privacy blueprint and mutual recognition.
The book concludes with Part III on “Compliance,” perhaps the most critical section for privacy professionals. In Chapter 7, we start to see more of Ustaran’s European roots. He discusses the evolution of transparency in the use of an individual’s data, recognizing the debate about whether individuals have true control over the use of said data, anonymization, privacy and security by default rather than design and finally, the role of safe processors. He continues this discussion in the next chapter from the perspective of data as an asset—which may be controversial to some privacy professionals. He is clear that irrespective of a privacy professional’s belief in the idea of data as an asset, our roles depend on managing this idea and being committed to finding the right approach. The concluding chapter of the book addresses accountability in an era of competing regimes, uncertainty of law and the cost of consistency. He supports privacy within an organization as a team effort and advocates for the use of privacy impact assessments. He tackles the topic of global privacy compliance and advocates for the EU’s Binding Corporate Rules as a corporate framework. Ustaran concludes with two sentences: “We just need to get cracking because the future is here. Now.”
Generally, I read privacy and/or compliance books because I must in order to do my job. It’s rarely amusing or captivating, even when the book is well-written by a noted expert in the subject matter. Yet, this book is different. And the difference is in the presentation and writing style. The law is provided through thoughtful analysis wrapped in delightful examples and honest opinions. Whether you are new to privacy law or already immersed in its depths, this book is one that you should have—and not just on the bookshelf. Take notes in the margins, because you are just as likely to find yourself disagreeing with various points, questioning their validity or simply taking a deeper look into certain elements. This is the challenge of such a book; rather than merely absorbing the law dryly and reciting it back iteratively, it initiates thinking processes. It dares you to skim across and engages you in thought-provoking analysis.
Ustaran presents his beliefs without hesitation, but in his forthrightness, the reader responds with the same honesty—whether in agreement or not. This is the power of such a book, defining one’s own professional and personal belief system about privacy and forming a foundational understanding of technology and policy-making. I do not know if a global compliance program is truly achievable, but like many other privacy professionals, I have to attempt it. I agree with Ustaran in that the future is here and we need to stop playing catch-up and develop a workable regulatory framework where there is a basic understanding of the role data plays and how to be transparent in that use. I highly recommend this book for privacy professionals and anyone else with an interest in data handling.
Friday, February 7, 2014
Privacy in the Toilet
So I cannot help but take a cue from all the mimes and stories going around about the toilet conditions in Sochie at the Winter Olympics. Talk about a lack of privacy...
I don't know if the pictures and/or stories are real, but they sure are fun. And like most online authors, I plan to make the most of it, perpetuate the myth, and basically exploit the heck out of it. oo rah.
Let's compare the supposedly lack of privacy of Sochi Olympic toilets to the sanitary conditions of some countries. Sochi has toilets. Some countries do not. Are we as a leading world power spoiled? We have indoor plumbing, filtered water, sophisticated waste management, and private commodes almost everywhere. Is there some reason why Olympians cannot tolerate something less than the best? Is there some reason why our Olympians cannot see what it feels like to live on the other side? We have antibiotics, right? Is privacy required to take a poop? As a nurse, we often had to deal with a patient's inability to urinate on command - hesitation. It's prevalent in pre-employment physicals and drug screens as well. Some people simply cannot perform with an audience.
So let's transfer some of these same considerations over to privacy. In the U.S., we are horrified of being asked to use the restroom in front of someone, but we don't consider personal information to be private. Bowel movements, yes. Date of birth, no. So that's our scale of privacy need. We don't flinch at sharing a lot of information or categories of information. We expect that companies who possess our information in certain contexts to be using that information to gain a business or competitive edge or to use it in some way that is advantageous to them. Thus, when there is a breach, fewer than 10% of people contact the company or take them up on mitigation offers (anecdotally and my own experience dealing with breaches - seriously was closer to 3-5%).
Yet, in the E.U., people have other expectations. They expect privacy. They expect their information will only be used for the purpose it is collected and nothing else. Nothing else. And once the purpose is achieved, the information should be deleted. Deleted. So they are horrified at U.S. citizens' and businesses' cavalier attitudes towards privacy.
This would be a different world if we were as horrified at our information being gathered, shared, used, and kept as we are having to poop side-by-side with someone else. Take that and flush it.
I don't know if the pictures and/or stories are real, but they sure are fun. And like most online authors, I plan to make the most of it, perpetuate the myth, and basically exploit the heck out of it. oo rah.
Let's compare the supposedly lack of privacy of Sochi Olympic toilets to the sanitary conditions of some countries. Sochi has toilets. Some countries do not. Are we as a leading world power spoiled? We have indoor plumbing, filtered water, sophisticated waste management, and private commodes almost everywhere. Is there some reason why Olympians cannot tolerate something less than the best? Is there some reason why our Olympians cannot see what it feels like to live on the other side? We have antibiotics, right? Is privacy required to take a poop? As a nurse, we often had to deal with a patient's inability to urinate on command - hesitation. It's prevalent in pre-employment physicals and drug screens as well. Some people simply cannot perform with an audience.
So let's transfer some of these same considerations over to privacy. In the U.S., we are horrified of being asked to use the restroom in front of someone, but we don't consider personal information to be private. Bowel movements, yes. Date of birth, no. So that's our scale of privacy need. We don't flinch at sharing a lot of information or categories of information. We expect that companies who possess our information in certain contexts to be using that information to gain a business or competitive edge or to use it in some way that is advantageous to them. Thus, when there is a breach, fewer than 10% of people contact the company or take them up on mitigation offers (anecdotally and my own experience dealing with breaches - seriously was closer to 3-5%).
Yet, in the E.U., people have other expectations. They expect privacy. They expect their information will only be used for the purpose it is collected and nothing else. Nothing else. And once the purpose is achieved, the information should be deleted. Deleted. So they are horrified at U.S. citizens' and businesses' cavalier attitudes towards privacy.
This would be a different world if we were as horrified at our information being gathered, shared, used, and kept as we are having to poop side-by-side with someone else. Take that and flush it.
Tuesday, February 4, 2014
Happy Birthday, Facebook!
So today is Facebook's 10th anniversary or birthday...
What were you doing 10 years ago? It was 2004...I was graduating law school. I recall hearing about the new service for college kids and some scandal about posting pictures. My daughters were in junior high, so they were on the infamous MySpace (where is that now, anyway?). That proves that first-to-market is not always market leader.
Facebook has faced (pardon the pun) many challenges in the U.S. and globally about their privacy practices, which seem to change daily without notice. Which is not true, by the way. Facebook does not change its policies daily. On the other hand, since they eliminated the public voting process last year or so, now we as users don't know when it is changed.
Much of the controversy over Facebook has been based in its for-profit side - we, as users, don't provide it any money directly so they have to get it from somewhere. They get it from ads. You may recall how users' likes were used as product endorsements at one time. Now, we get served targeted behavioral ads in our newsfeeds. You can report these as spam.
But let's move away from the negatives and look at the positives. There are people I have not even thought about in over 25 years...and now, through Facebook, I see what they are doing in their lives - pictures of them and their children, families, colleagues, and friends. It is kinda cool. Many people who I love that I do not get to see for years, now I am a permitted peeping Tom in their lives. It's wonderful.
Facebook made our 25th high school reunion a huge success - cause we could find people!
Facebook let me know when some older family friends passed away - I could send flowers and/or make it to the funeral.
Facebook sometimes provides me more of a look into lives than I wish to have - don't need to know when someone has a bowel movement or is mad at the cashier at Wal-Mart. But in general, I like Facebook, which is why I use it. Under my real name. I also get to "like" the pages of actors and writers I like and they frequently have contests and cool information. It's fun.
So Happy Birthday, Facebook - may the next decade see you enjoy even more success and more maturity in your practices.
What were you doing 10 years ago? It was 2004...I was graduating law school. I recall hearing about the new service for college kids and some scandal about posting pictures. My daughters were in junior high, so they were on the infamous MySpace (where is that now, anyway?). That proves that first-to-market is not always market leader.
Facebook has faced (pardon the pun) many challenges in the U.S. and globally about their privacy practices, which seem to change daily without notice. Which is not true, by the way. Facebook does not change its policies daily. On the other hand, since they eliminated the public voting process last year or so, now we as users don't know when it is changed.
Much of the controversy over Facebook has been based in its for-profit side - we, as users, don't provide it any money directly so they have to get it from somewhere. They get it from ads. You may recall how users' likes were used as product endorsements at one time. Now, we get served targeted behavioral ads in our newsfeeds. You can report these as spam.
But let's move away from the negatives and look at the positives. There are people I have not even thought about in over 25 years...and now, through Facebook, I see what they are doing in their lives - pictures of them and their children, families, colleagues, and friends. It is kinda cool. Many people who I love that I do not get to see for years, now I am a permitted peeping Tom in their lives. It's wonderful.
Facebook made our 25th high school reunion a huge success - cause we could find people!
Facebook let me know when some older family friends passed away - I could send flowers and/or make it to the funeral.
Facebook sometimes provides me more of a look into lives than I wish to have - don't need to know when someone has a bowel movement or is mad at the cashier at Wal-Mart. But in general, I like Facebook, which is why I use it. Under my real name. I also get to "like" the pages of actors and writers I like and they frequently have contests and cool information. It's fun.
So Happy Birthday, Facebook - may the next decade see you enjoy even more success and more maturity in your practices.
Sunday, February 2, 2014
When can Employers share your Information?
My daughter, Dazlin, asked this question on privacy..."Under what circumstances can or should my employer share my information?"
What a brilliant inquiry.
And I have no brilliant, quick responses, yet I am forcing her to wait for the answer on here even though I am currently comfortably ensconced in her apartment, sitting across from her.
First, for me, the easy answer is about medical information. Any information in the medical context, whether as part of disability accommodation, employment prescreening, genetic information, employer medical coverage, or workers' compensation must be kept confidential. This means, generally, in HR, there are two files for each employee or a bifurcated file where the health information is kept separated from discipline, hiring and firing, pay, etc.
Can they ever share it? Of course they can. They can share it with people and entities who have a need to know, such as benefit managers, health care professionals who are treating you, risk management, and so forth. But in general, the information should not be shared anywhere without a legitimate reason. Most of the protection here is federal - EEOC (disability, genetic information), OSHA (injuries on the job) - but there is also state law that applies (workers' comp, HR law, data breach law).
I am not going into a terrible amount of detail here if for no other reason than it is a blog and not a legal treatise. Some factors also depend on whether your employer is a public or private entity and/or what job you hold. But if anyone is curious, write me and let me know that you have questions. I'll see what I can do.
Now, for the sharing...in almost all laws, there are exceptions and privacy law is no exception to that. In general, the exceptions are around subpoenas, law enforcement, public health, emergencies, and business operations that require disclosures. Business operations could include mergers, account houses, and other entities that are contracted to perform some duty on your employer's behalf, like mailing 1099s. To do so, the other entity has your information. Do you also remember all the stories about how many subpoenas and requests for information are being served on internet service providers? If information is part of an investigation, your employer will likely give it up.
Other than medical information, employers are required to keep certain information secure - like your date of birth and social security number. In countries other than the U.S., who have data protection laws, certain information is considered sensitive information. Sensitive information includes ethnicity, political views, member of professional organizations, etc. Now here in the U.S., race, age, gender is also considered confidential, but mainly because an employer can be sued for discrimination if negative decisions are based on race, gender, being over 40, disabled - things that make you a member of a protected class. Also, credit reports and background checks must be performed and retained securely. In fact, after the financial troubles of 2008, several states placed background check laws in place - mainly either the employer could not ask certain questions in an application or could not do a background check before meeting the person.
Many states have laws protecting certain information, although Massachusetts with 17 CMR 201 is the strongest. In Massachusetts, if you have information on their residents, to include name (either first name/initial with last name) plus some other elements (SSN, driver license number, or financial account number), then you are required to have a security program in place and provide certain data protections.
Mainly states have data breach notification laws, meaning that if your data is breached somehow, your employer must let you know (these are general law not employment laws, but apply to entities that collect certain information). Thus, if your employer wants to be excluded in most of these states from notification provisions, then they need to encrypt and take precautions with your information. Not all states recognize encryption as an exception, but most do - and of course, this only applies to electronic information.
Speaking of electronic information: analyzing whether employers can access your electronic communications such as email, texts, and social media is a full blog on its own. Morality consideration is another - think of teachers fired for posting naked party pictures on their own facebook or sports figures who get into scandals and lose endorsements. And last, lifestyle (which includes morality) is also a very deep discussion of law.
So this is part of her answer. In reality, not all employers follow the laws - and certainly not all employees of your employer will follow the law. Training and awareness are huge for data protection and training is not generally a high budget item for many employers, especially towards protecting their employees' data.
So my advice point coming out of this is to be careful of your own information in the workplace. It is not necessarily a good idea to friend people on social media that you work with - you just may have information disclosed to your employer that you wish was not - and if a negative action is taken towards you based on this information, then you likely will have a very hard time proving it.
What a brilliant inquiry.
And I have no brilliant, quick responses, yet I am forcing her to wait for the answer on here even though I am currently comfortably ensconced in her apartment, sitting across from her.
First, for me, the easy answer is about medical information. Any information in the medical context, whether as part of disability accommodation, employment prescreening, genetic information, employer medical coverage, or workers' compensation must be kept confidential. This means, generally, in HR, there are two files for each employee or a bifurcated file where the health information is kept separated from discipline, hiring and firing, pay, etc.
Can they ever share it? Of course they can. They can share it with people and entities who have a need to know, such as benefit managers, health care professionals who are treating you, risk management, and so forth. But in general, the information should not be shared anywhere without a legitimate reason. Most of the protection here is federal - EEOC (disability, genetic information), OSHA (injuries on the job) - but there is also state law that applies (workers' comp, HR law, data breach law).
I am not going into a terrible amount of detail here if for no other reason than it is a blog and not a legal treatise. Some factors also depend on whether your employer is a public or private entity and/or what job you hold. But if anyone is curious, write me and let me know that you have questions. I'll see what I can do.
Now, for the sharing...in almost all laws, there are exceptions and privacy law is no exception to that. In general, the exceptions are around subpoenas, law enforcement, public health, emergencies, and business operations that require disclosures. Business operations could include mergers, account houses, and other entities that are contracted to perform some duty on your employer's behalf, like mailing 1099s. To do so, the other entity has your information. Do you also remember all the stories about how many subpoenas and requests for information are being served on internet service providers? If information is part of an investigation, your employer will likely give it up.
Other than medical information, employers are required to keep certain information secure - like your date of birth and social security number. In countries other than the U.S., who have data protection laws, certain information is considered sensitive information. Sensitive information includes ethnicity, political views, member of professional organizations, etc. Now here in the U.S., race, age, gender is also considered confidential, but mainly because an employer can be sued for discrimination if negative decisions are based on race, gender, being over 40, disabled - things that make you a member of a protected class. Also, credit reports and background checks must be performed and retained securely. In fact, after the financial troubles of 2008, several states placed background check laws in place - mainly either the employer could not ask certain questions in an application or could not do a background check before meeting the person.
Many states have laws protecting certain information, although Massachusetts with 17 CMR 201 is the strongest. In Massachusetts, if you have information on their residents, to include name (either first name/initial with last name) plus some other elements (SSN, driver license number, or financial account number), then you are required to have a security program in place and provide certain data protections.
Mainly states have data breach notification laws, meaning that if your data is breached somehow, your employer must let you know (these are general law not employment laws, but apply to entities that collect certain information). Thus, if your employer wants to be excluded in most of these states from notification provisions, then they need to encrypt and take precautions with your information. Not all states recognize encryption as an exception, but most do - and of course, this only applies to electronic information.
Speaking of electronic information: analyzing whether employers can access your electronic communications such as email, texts, and social media is a full blog on its own. Morality consideration is another - think of teachers fired for posting naked party pictures on their own facebook or sports figures who get into scandals and lose endorsements. And last, lifestyle (which includes morality) is also a very deep discussion of law.
So this is part of her answer. In reality, not all employers follow the laws - and certainly not all employees of your employer will follow the law. Training and awareness are huge for data protection and training is not generally a high budget item for many employers, especially towards protecting their employees' data.
So my advice point coming out of this is to be careful of your own information in the workplace. It is not necessarily a good idea to friend people on social media that you work with - you just may have information disclosed to your employer that you wish was not - and if a negative action is taken towards you based on this information, then you likely will have a very hard time proving it.
Saturday, February 1, 2014
What is a Privacy Counsel, anyway?
My name is K and I am a privacy counsel.
Most of the time when people ask what I do, they have no clue when I say "I am a privacy counsel." Confession time, I usually only say I'm an attorney, but sometimes they want to know what I practice. I don't practice. I am in-house. For those that don't know, in-house means that I am not with a law firm and do not take clients. I work for a company as an employee. The company is my client.
And given that I blog about privacy, I have to always disclaim that my views are not those of my employer.
But back to the question, what is a privacy counsel anyway? If I said I was an employment counsel or IP counsel, people would not be confused. I work in privacy. That is what is confusing, because people in the U.S. don't get privacy and I'm a dork.
Working in Silicon Valley does make for a little more acceptance. With the number of global companies here, they all pretty much have people doing what I do. It's kinda cool. There are lots of other privacy counsels.
Okay, Okay - back to the question. It means I make sure that the laws of the nations who have privacy laws are followed. Every other country who has privacy laws at all approach privacy vastly different than does the U.S. We look at data on a sectoral level - health care, education, financial. There is no national privacy law in the U.S. and no national protections for general data on individuals. The states are a little different. 46 states have data breach laws - and they have many commonalities and some differences. The strongest data protection laws are in California, Texas, and Massachusetts.
So in the U.S., I make sure we abide by sectoral laws and state laws. Globally, I deal with the laws of the European Union (28 or so different sets of law for the various countries, if you include the EEA 30 or so), APAC, Canada, Mexico, etc. etc. And I love it.
As stated above, I love privacy law. I caution people not to think of it as privacy, because most people tend to have tunnel vision. Think of it as personal data management - and in many cases, the most sensitive data I deal with (and thus, protect) is that of employees.
But like any area of compliance, it is always an uphill battle. Compliance is a cost center not a money maker. Ensuring certain protections are in place can slow down innovation and development. And especially given that most would prefer to build the house, then add the fence for privacy - we (privacy professionals) would prefer you to bring us the blueprints and make sure you are not building on someone else's property and/or get the right permits. Privacy by Design, or Privacy by Default. Build the product right to begin with. Then I am not a roadblock, I am a roadsign. I can point you in the right direction if you come to me early. If you come to me when you are ready to roll it out...well, I have to come up to speed on the product, check the contracts, vet the vendors, and know every data element you collect, how, when, what, where you get it, share it, and store it, how to send it, back it up, and delete it.
So that is what a privacy counsel does.
It is one of the fastest growing fields in the world.
And when it is me - you get all this personality with the package. fun time, my friends, fun times.
Most of the time when people ask what I do, they have no clue when I say "I am a privacy counsel." Confession time, I usually only say I'm an attorney, but sometimes they want to know what I practice. I don't practice. I am in-house. For those that don't know, in-house means that I am not with a law firm and do not take clients. I work for a company as an employee. The company is my client.
And given that I blog about privacy, I have to always disclaim that my views are not those of my employer.
But back to the question, what is a privacy counsel anyway? If I said I was an employment counsel or IP counsel, people would not be confused. I work in privacy. That is what is confusing, because people in the U.S. don't get privacy and I'm a dork.
Working in Silicon Valley does make for a little more acceptance. With the number of global companies here, they all pretty much have people doing what I do. It's kinda cool. There are lots of other privacy counsels.
Okay, Okay - back to the question. It means I make sure that the laws of the nations who have privacy laws are followed. Every other country who has privacy laws at all approach privacy vastly different than does the U.S. We look at data on a sectoral level - health care, education, financial. There is no national privacy law in the U.S. and no national protections for general data on individuals. The states are a little different. 46 states have data breach laws - and they have many commonalities and some differences. The strongest data protection laws are in California, Texas, and Massachusetts.
So in the U.S., I make sure we abide by sectoral laws and state laws. Globally, I deal with the laws of the European Union (28 or so different sets of law for the various countries, if you include the EEA 30 or so), APAC, Canada, Mexico, etc. etc. And I love it.
As stated above, I love privacy law. I caution people not to think of it as privacy, because most people tend to have tunnel vision. Think of it as personal data management - and in many cases, the most sensitive data I deal with (and thus, protect) is that of employees.
But like any area of compliance, it is always an uphill battle. Compliance is a cost center not a money maker. Ensuring certain protections are in place can slow down innovation and development. And especially given that most would prefer to build the house, then add the fence for privacy - we (privacy professionals) would prefer you to bring us the blueprints and make sure you are not building on someone else's property and/or get the right permits. Privacy by Design, or Privacy by Default. Build the product right to begin with. Then I am not a roadblock, I am a roadsign. I can point you in the right direction if you come to me early. If you come to me when you are ready to roll it out...well, I have to come up to speed on the product, check the contracts, vet the vendors, and know every data element you collect, how, when, what, where you get it, share it, and store it, how to send it, back it up, and delete it.
So that is what a privacy counsel does.
It is one of the fastest growing fields in the world.
And when it is me - you get all this personality with the package. fun time, my friends, fun times.
Subscribe to:
Comments (Atom)