There are many facets of internet privacy that must come together in order to provide the best possible protection for users, and it all starts with each application and platform doing their part. According to Curtis Simpson, chief information security officer at the cybersecurity platform provider Armis, the way organizations protect their users comes down to what kind of data the user is providing.
Understanding user data is the first step to proving strong privacy and security, Simpson said. “We’ve got to be looking at what personal information is flowing through our environment unprotected,” Simpson explained. “Gaining visibility to that clear tech data that’s linked to the landscape and first and foremost understanding that.”
If applications and platforms that users rely on for protection understand the kind of personal data they are entrusted to protect, then it will make it exponentially easier for them to do so. Simpson, though, cautioned: “Unfortunately in most environments we see, a lot of that data is not encrypted. It’s flowing through networks, going outside of the company and can be intercepted and stolen by anyone,” he said. This can be a scary thought for many users. It is not uncommon to browse the internet assuming a certain level of anonymity will be provided and that is why it is so important for organizations to take crucial steps to grant users protection.
However, understanding data goes deeper than encryption. Simpson said there are many levels to personal user data, and platforms should strive to have a clear picture of all of them. “What we should be doing from there is taking a step back and looking at things like: where is this data coming from? Who is it being shared with? And really taking action,” he began.
Simpson explained that a good way to gain knowledge on these things is for organizations to create data flow maps. These kinds of maps provide a physical representation of how data is created, who creates it, where it goes, and who needs access to it, making it easier for companies to more securely protect their users. “We’ve got to do that legwork because what we have to do is set a standard, monitor the standard, and continue to build controls around the standard,” Simpson explains.
The burden of internet privacy doesn’t fall solely on organizations though; users also hold some of the responsibility. According to Simpson, a one-sided approach to privacy will never be enough. He says that keeping track of and hiding passwords is the first thing users should be concerned with online. “There’s a lot of things users can do, but one of the first things I recommend is using a password management or password vaulting service where you can centrally manage passwords in one application,” he explained. With so many different applications and services requiring unique passwords for login, it can be challenging to keep track. Being overwhelmed with too many passwords in too many locations can result in carelessness and sometimes leave a metaphorical window open for hackers that may allow them to more easily gain access to user data and information. According to Simpson, storing passwords in a centralized and secure place helps to combat this and provide an extra layer of protection to users.
On top of this, Simpson also stresses the importance of having multi-factor authentication enabled when it is available. “It’s particularly important in email because you think about when you hit a password reset button on almost any website, that password reset is going to that email address,” he began. “If someone gained access to that email account, they can gain access to anything else associated with that email account.” According to Simpson, this is how most user information becomes compromised on a regular basis. However, his most important tip to users looking to up their internet security is to simply think about what they are sharing. “If you don’t need to share the information, if it’s not a required field, don’t share it.”
According to Sri Mukkamala, senior vice president of security products at the IT automation platform Ivanti, the responsibility of internet privacy falls on both the organization and consumer equally. “It’s a combination of both, because as an individual if you give up information, you’re almost signing a waiver,” he began. “There’s something that says ‘I accept’ and you don’t even read through it… and I wouldn’t fully blame the consumer because at the same time a company should not just throw in legalities and take that waiver and do whatever they want.” Mukkamala said that this is a key reason why we see regulations coming into play more and more now. Relying on just the consumers and organizations themselves to provide proper protection is no longer enough.
In recent years many applications have opted for biometric identification in place of passwords in pursuit of a more secure platform. According to Simpson, this has worked in many cases, but not to the scale necessary. “It’s helped but it’s not consistently implemented on a widespread basis that would provide it with the material impact that it could have.”
Simpson accredits this lack of widespread adoption to the diversity we see in devices. With so many users employing a number of different technologies, creating a standardized kind of biometric identification has proved to be incredibly difficult. “Everyone is concerned about the business impact as well and the impact that [biometric identification] can have within the organization so these types of things can be scary,” he added.
Another key aspect of implementing this kind of technology is assurance that organizations are doing it the right way. While Simpson believes that software like this paired with universal adoption would be a major step in the right direction for internet privacy, he also believes that taking shortcuts with such important technology will do more harm than good.
There is another side of the shift towards biometric identification, however. According to Mukkamala, using facial recognition or voice identification in place of passwords could result in hackers becoming savvier and gaining access to arguably even more personal information. Mukkamala explained, “The personally identifiable information has just expanded its scope… if i started collecting biometrics, whether that’s facial recognition or voice recognition, where will that data go?”
This is an interesting point to look at. If organizations opt for this kind of identification, the data they are collecting from users becomes almost more personal and thus, has to be protected accordingly, which brings us right back around to the initial question of how organizations can ensure the best protection for users.
Swallowing third-party cookies
Google has announced that it will ban third-party cookies from the search engine in the name of internet privacy and protecting user data. According to Curtis Simpson, CISO of the cybersecurity platform Armis, this move away from third-party cookies will have a tremendous impact. “If you look at this whole acceptance model that was built around third-party cookies, that’s generally a joke,” he explained. According to Simpson, most users are hitting “accept all” when pop-ups prompt them to do so, regardless of whether or not they understand what they are actually agreeing to. Once users allow cookies to access their data, it becomes much easier for it to fall into the wrong hands. “In most cases, they’re collecting more information than you want or need to share with them,” Simpson warned. Google’s push away from third-party cookies will provide users with better privacy because they will no longer have to worry about what outside sources have access to their personal information.
Mukkamala, senior vice president of security products at the IT automation platform Ivanti, puts this into perspective. “If someone walks up to you on the street and says ‘show me your driver’s license,’ you’re going to ask why,” he explained, “It’s the same thing online and you don’t even hesitate to give that personal information away.” This comparison drives the point home. When websites like Google ask users to allow third-party cookies, and they do, it is essentially the same as giving a stranger on the street your information. The user has no real knowledge of what websites are going to do with that information or where it could end up. The internet should operate the same as the real world in this way: question why websites want users to grant access to cookies and respond in the same way you would if this were an interaction in the real world.
In the last few years, internet privacy has been taken very seriously by many organizations. Back in 2016, the European Union announced the implementation of The General Data Protection Regulation (GDPR) which was designed to better protect internet users. According to Simpson, GDPR is the first set of laws regarding internet privacy that enterprises really took seriously.
“In many cases, enterprises see it’s cheaper to be non-compliant than to be compliant, but GDPR changed all of that due to their findings,” Simpson explained. He believes that this widespread compliance with the regulations GDPR put into place is the reason why it has been so effective. However, that does not mean that every organization is following all of these rules. Simpson explained that GDPR was effective because many companies were enforcing these laws due to a fear of repercussions if they did not. Unfortunately, this kind of fear-based acceptance may not be a sustainable model. “If we don’t continue to see penalties, due to inaction, I think we’re going to see a slowdown around some of those privacy elements,” he said. While Simpson believes that if organizations become more lenient with GDPR regulations, it could lead to stricter enforcement and more fines, he also predicts that until penalties become more consistent and more public, privacy issues may fall to the back burner.
On the bright side though, Simpson also predicts that in the near future, we will see an increase in regulations like GDPR being implemented on a national scale. “Whether it’s [an adoption of GDPR] or other similar regulations, we’re going to see across the globe that everyone’s going to care and mandate minimum standards,” he said. Once organizations start to care more about internet privacy and putting regulations in place to protect users, we will see a real change. “As we’ve seen, this really does have a general impact on society as we continue to see these breaches at scale affecting hundreds of millions of people,” he began, “We can’t continue to have that happen because it’s disrupting services and capabilities within countries because when this happens at scale, it has a much larger impact.”
California was the first state to go the extra mile in terms of internet privacy when it enacted The California Consumer Privacy Act (CCPA). This set of laws used GDPR as a guide to help better implement and enforce these regulations. According to Simpson, while CCPA operates on a smaller scale than GDPR, it is still generally effective. CCPA striving to meet GDPR requirements has caused many organizations to look at their own privacy guides and adjust them. “In many cases, companies are just finding the lowest common denominator,” he explained. These companies and organizations are looking at GDPR and CCPA regulations and trying to enact similar standards on a smaller scale, which will ultimately be a positive for users.
Mukkamala said that one way companies and organizations can ensure user privacy outside of enacting new laws is to simply collect less information and be more careful with what they do collect from users. “Companies collect way too much information,” he began, “The company should be very careful about what they’re collecting, why they’re collecting it, and how they plan to use it.” If companies took a step back and reevaluated how much personal user information they are collecting, they could rid themselves of what they deem unnecessary. Doing this would make for more secure platforms because organizations would be more intentional about what they are collecting and storing from users.
Mukkamala referred to the excessive amount of personally identifiable information (PII) websites and organizations collect, and the possible misuse of said info as privacy debt. In recent years this has become a bigger problem as more and more privacy debt is incurred by companies. “Because of privacy debt, during transactions, during IPO, during their SEC disclosures, privacy is becoming a very important risk factor to be considered,” Mukkamala said. All this is to say that organizations that are taking more information than needed from their users, while not taking the best steps to protect consumers may end up paying the price for it in the long run. Collecting personal information from users requires proper guidelines for how to use, store, and share said information, whether that be at a company, state, or global level.
Disposing of user data
Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, said that she believes one of the biggest challenges facing internet privacy today is the issue of disposing user data once websites no longer need it. “What happens in a lot of companies is there will be a particular initiative and when that program is over, nobody thinks about what happens to that data,” she said. According to Plaggemier, this is one of the biggest blindspots organizations face in terms of user protection. If companies are taking data and personal information from consumers with no proper disposal plan in place, it can become a real risk. User personal information can easily fall into the wrong hands if it is stored or disposed of improperly once it is no longer needed.
Plaggemier spoke specifically about a data breach involving Mercedes-Benz and a third-party company. According to Plaggemier, the data compromised was from years before the breach took place long after Mercedes had stopped working with the third-party company involved. “It brings the question to my mind: are you still using that data? Why is it still out there?” she said. This breach left many consumers vulnerable and if the proper user protection and data disposal systems had been in place, it may never have happened. When consumers give online companies their personal information they are placing their trust in them and if organizations don’t properly dispose of this data when it is no longer needed, they are betraying that trust.