The Privacy Iceberg

More years ago than I care to remember, I came up with an analogy to explain the fundamental dilemma of revenue assurance. Leakage was like an iceberg. Focus just on dealing with what you see, and you fail to appreciate how much is hidden from view, under the surface. But whether you see it or not, invisible leakage hurts the business just as much as visible leakage. So you have to motivate businesses to do comprehensive RA through a process of inference: “if we’re finding such-and-such leakage where we currently look, then we also need to spend time and money at looking for leakage elsewhere, because that might be worth even more.” These days, I tend to think some of the RA world has swung too far the other way. To continue the analogy, some people seem to believe we should buy submarines to go hunting for every last ice cube. So after years spent trying to persuade people to look harder for leakages, I find myself now arguing for balance – and saying there are some leakages too small to be worth looking for.

From the perspective of a risk manager, the argument for not chasing down every little leak is straightforward: it means money is diverted away from where it provides most benefit to the company. In other words, spending too much effort mitigating some risks inevitably leads to sub-optimal performance, and defeats the original purpose of risk management. If visibility was a problem for RA, it is more of a problem for risk management in general. Think of this way: how do you know you ‘see’ all the risks, and even if you do, how do ‘see’ the economic impact, which may be near impossible to measure? From this perspective, other icebergs loom into view. Take a look at this quote from the summary of a research paper on managing subscriber data:

[We expect] mobile operators will overcome privacy concerns and move forward with using subscriber data for targeted mobile advertising in such a way that protects subscriber data and complies with subscriber preferences and regulatory constraints

Hoorah! It sounds so simple. Deceptively simple. The thing with privacy violations, like revenue assurance, is that they may be ‘invisible’. Private information can leak without you knowing about it. So if you ask me, one of the biggest dangers facing telcos is the privacy iceberg: the accumulation of a great mass of personal data coupled with an overconfidence that you not seeing any leaks means there are no leaks. The experience of RA tells us leaks occur – even small leaks – because we do not look for them, and they are hard to spot. Why should we be optimistic that telcos will do so much better at keeping personal data private? And how hard do we look for the leaks before we conclude that it is not worth looking any harder? When the problem is revenue leakage, the cost vs. benefit argument is simple: how much does it cost to prevent a leak compared to how much is lost through the leak. Now consider a cost vs. benefit argument based around the privacy of your data. How much is your privacy worth, and whose measure do we take? If a telco overbills you, then the error can be refunded, but how do you recompense someone for the harm caused by a privacy violation?

Drawing on the experience of RA, I can only feel that the glib quote given above reveals a complacent attitude that runs right throughout the telecoms world. The same complacency existed in the 1990’s, when you tried to explain the potential for revenue leaks. In a connected world with lots of competition, customer trust and loyalty is worth an enormous premium. Just ask Apple, who benefit from the loyalty of their customers, and Sony, who must fear the backlash after the hacking of personal data on the Playstation network. Did Sony think they had done everything necessary to protect their customers’ data? I am sure they did. It was not enough. The privacy iceberg looms large, if we look at it properly. For those that choose to look the other way, it could sink them all the same.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.