Too much personally identifiable information is being collected because end users are providing consent.

October 30, 2018

5 Min Read
Mobile Security

By Bhaskar Maheshwari

Safeguarding personally identifiable information (PII) from unauthorized individuals and companies is a major challenge in this digital age. While there are regulations, such as the European Union’s General Data Protection Regulation, that legally protect a person’s privacy, the ultimate responsibility of protecting PII lies with end users. Without education, that reality can open your customers and their employees to a world of problems.

Let’s face it: Data collectors often gather up PII – including name, phone number, email address and more – that is not even relevant to the purpose of the transaction in question. Another issue is that the purposes for such data collection are often either not shared with the individual whose PII is being collected or, if it is mentioned in terms and conditions, it is done so in a barely readable font. It’s a rare end user who actually puts in the effort to wade through such soporific documents to find this information. Those who do may find a surprise — that their PII will be shared with various third parties across the globe.

These data collectors know that individuals do not make it a priority to be diligent about who has access to their PII, so they do not hesitate to adopt such practices. Inadvertently or knowingly, we provide consent for our PII to be exploited for data analytics and digital marketing purposes. If you haven’t been creeped out by an ad served after you made a tangentially related search or download, you’re not paying attention.

Data is the new oil that corporations are mining, and mobile phones are one of the easiest channels through which to collect, process and distribute that “oil.” Some applications ask for permission to read, modify and collect data from the phone (contacts, location, call logs, storage), and users usually grant it, because the perceived benefit of the application outweighs the protection of privacy they regard as nonessential.

In other cases, the end user is simply unaware of the consequences of granting such permissions and treats the opt-in boxes as obstacles to be clicked through on the way to using the application. Such users are unlikely to realize that deleting the application afterwards does not undo the grant: the data already collected remains with the vendor and any third parties it was shared with, and any account or server-side token the app created persists unless the user explicitly closes it.

It is often lesser-known or newly launched applications that cause privacy and data security problems. Along with the principles of privacy by default, data minimization and purpose limitation, mobile device users should also adopt a principle of application minimization: install only the apps they need, and permit information to be collected only for the specific purpose for which the app was installed. In practice that means checking the permissions an app requests against what its stated function actually requires before granting them.
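One way to make that check concrete is to compare the permissions an app declares against an allow-list derived from its stated purpose, and to flag anything outside the list that Android classifies as a runtime (“dangerous”) permission guarding PII or sensors. The script below is an added example, not code from the original article or from any vendor; the manifest it parses is constructed for a hypothetical flashlight app, and the allow-list and the subset of dangerous permissions are the author-of-this-example’s assumptions, not an exhaustive list.

```python
"""Audit the permissions an Android app requests against the purpose it was
installed for. Added example; the manifest below is constructed for a
hypothetical app, not taken from any real one."""
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (Clark notation for ElementTree).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of the permissions Android classifies as "dangerous": runtime
# permissions that guard PII or sensors. Assumption for the example; not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALENDAR",
    "android.permission.BODY_SENSORS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical flashlight app that over-requests.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# What a flashlight plausibly needs: the camera flash LED. Assumption for the
# example; the allow-list encodes the purpose the user installed the app for.
FLASHLIGHT_ALLOWED = {"android.permission.CAMERA"}


def requested_permissions(manifest_xml):
    """Return, sorted, the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    )


def audit_permissions(manifest_xml, allowed):
    """Split the requested permissions into those justified by the allow-list
    and those that are not, and separate the unjustified ones that Android
    treats as dangerous (PII/sensor access) from the rest."""
    requested = requested_permissions(manifest_xml)
    unjustified = [p for p in requested if p not in allowed]
    return {
        "requested": requested,
        "unjustified_dangerous": [p for p in unjustified if p in DANGEROUS],
        "unjustified_other": [p for p in unjustified if p not in DANGEROUS],
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, FLASHLIGHT_ALLOWED)
    for key, perms in report.items():
        print(f"{key}:")
        for p in perms:
            print(f"  {p}")
```

The same routine works on a manifest pulled from a real APK (for example, one decoded with apktool), with the allow-list changed to match what that app is actually for; a non-empty `unjustified_dangerous` list is the signal that the app is collecting more than its purpose requires.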

You may be thinking that educating customer end users isn’t your job as a consultant or MSP. I’d argue that you’re wrong. Rampant distribution of the PII of a customer’s employees can lead to successful phishing and other cyber attacks that cost both them and you time and money to put right. If you have a mobility consulting program, PII is in your purview.

And the problem is only getting worse. Neglect of privacy during the design or architecture stage of mobile application development is rampant, especially where the development organization considers user privacy a burden. For example, after an Indian consumer goods company recently launched a messaging application, security researchers easily found multiple security and privacy flaws in it. As a consequence, the application had to be withdrawn from the market within a day of its release. The company says it plans to launch a safe and secure version soon, but should prospective users trust products from an organization that force-fits privacy only after being called out by outside security researchers?

Applications in the marketplace are rated for content and for the experience they provide to their users (fit for purpose, or utility). An explicit rating or indicator of an app’s security and privacy posture (fit for use, or warranty) should also be provided. That would help either to sunset a less secure app or to ensure that its next version ships with stronger security and privacy controls.

Considering the societal importance of privacy, the day is not far when privacy and information rights will be formally introduced to the education system, probably as a subject in secondary schools. It is important for the next generation to know how to manage their reputation, build trust, create appropriate social and cyber boundaries, and respect others’ privacy.

Not only would these early adopters of social media and smartphones be able to apply what they learn to set the default privacy and security controls of their mobile devices and of platforms like WhatsApp to a sensible level, but they could also help family members and others do the same. Privacy could then be woven into the fabric of our society and into the mindset of future generations.

Until that happens, however, partners should build awareness of PII collection into the unified endpoint management programs they sell to customers, and should not neglect their own apps or marketing campaigns either. When data is secure, everyone wins.

Bhaskar Maheshwari is responsible for the GRC practice at Happiest Minds and carries a rich professional experience of 10 years in the fields of audit, cybersecurity, GRC and BCM. He has played an instrumental role in augmenting GRC posture of clients across the globe while working for HCL, KPMG, Cognizant and MetricStream. Bhaskar has been awarded first class BE and MBA degrees. He is a CISA, MBCI, ITIL, BS25999LA, CPISI, COBIT F, PMP and TOGAF 9 certified professional.
