Many facets of internet privacy must come together to provide the best possible protection for users, and it all starts with each application and platform doing its part. According to Curtis Simpson, a chief information security officer at the cybersecurity platform provider Armis, organizations protect their users based on what kind of data they are providing.
Understanding user data is the first step to providing strong privacy and security, Simpson said. “We’ve got to be looking at what personal information is flowing through our environment unprotected,” Simpson explained. “Gaining visibility to that clear tech data that are linked to the landscape and first and foremost understanding that.”
If the applications and platforms that users rely on for protection understand the kind of personal data they are entrusted to protect, it becomes far easier for them to protect it. Simpson, though, cautioned: “Unfortunately, in most environments we see, a lot of that data is not encrypted. It’s flowing through networks, going outside of the company, and can be intercepted and stolen by anyone,” he said. This can be a scary thought for many users. It is not uncommon to browse the internet assuming a certain level of anonymity will be provided. That is why it is so essential for organizations to take crucial steps to grant users protection.
However, understanding data goes deeper than encryption. Simpson said there are many levels to personal user data, and platforms should strive to have a clear picture of all of them. “What we should be doing from there is taking a step back and looking at things like where is this data coming from? Who is it being shared with? And really taking action,” he began.
Simpson explained that an excellent way to learn these things is for organizations to create data flow maps. These maps provide a visual representation of how data is created, who creates it, where it goes, and who needs access to it, making it easier for companies to protect their users more securely. “We’ve got to do that legwork because what we have to do is set a standard, monitor the standard, and continue to build controls around the standard,” Simpson explained.
The burden of internet privacy doesn’t fall solely on organizations, though; users also hold some responsibility. According to Simpson, a one-sided approach to privacy will never be enough. He says that keeping track of and hiding passwords is the first thing users should be concerned with online. “There’s a lot of things users can do, but one of the first things I recommend is using a password management or password vaulting service where you can centrally manage passwords in one application,” he explained. With so many different applications and services requiring unique passwords for login, it can be challenging to keep track. Being overwhelmed with too many passwords in too many locations can result in carelessness and sometimes leave a metaphorical window open for hackers that may allow them to more easily gain access to user data and information. According to Simpson, storing passwords in a centralized and secure place helps combat this and provides users with an extra layer of protection.
On top of this, Simpson also stresses the importance of having multi-factor authentication enabled when it is available. “It’s essential in email because you think about when you hit a password reset button on almost any website, that password reset is going to that email address,” he began. “If someone gained access to that email account, they can gain access to anything else associated with that email account.” According to Simpson, this is how most user information becomes compromised regularly. However, his most important tip to users looking to up their internet security is simply thinking about what they are sharing. “If you don’t need to share the information, if it’s not a required field, don’t share it.”
According to Sri Mukkamala, senior vice president of security products at the IT automation platform Ivanti, the responsibility of internet privacy falls on both the organization and consumer equally. “It’s a combination of both because as an individual, if you give up information, you’re almost signing a waiver,” he began. “There’s something that says ‘I accept,’ and you don’t even read through it… and I wouldn’t fully blame the consumer because at the same time a company should not just throw in legalities and take that waiver and do whatever they want.” Mukkamala said that this is a crucial reason why we see regulations coming into play more and more now. Relying on just the consumers and organizations themselves to provide proper protection is no longer enough.
In recent years many applications have opted for biometric identification in place of passwords to pursue a more secure platform. According to Simpson, this has worked in many cases, but not to the scale necessary. “It’s helped, but it’s not consistently implemented on a widespread basis that would provide it with the material impact that it could have.”
Simpson attributes this lack of widespread adoption to the diversity we see in devices. With so many users employing several different technologies, creating a standardized biometric identification has proved incredibly difficult. “Everyone is concerned about the business impact as well and the impact that [biometric identification] can have within the organization, so these types of things can be scary,” he added.
Another critical aspect of implementing this kind of technology is assurance that organizations do it the right way. While Simpson believes that software like this paired with universal adoption would be a significant step in the right direction for internet privacy, he also believes that taking shortcuts with such important technology will do more harm than good.
There is another side of the shift towards biometric identification, however. According to Mukkamala, using facial recognition or voice identification in place of passwords could result in hackers becoming savvier and gaining access to arguably even more personal information. Mukkamala explained, “The personally identifiable information has just expanded its scope… if I started collecting biometrics, whether that’s facial recognition or voice recognition, where will that data go?”
This is an interesting point. If organizations opt for this kind of identification, the data they collect from users becomes even more personal and thus has to be protected accordingly, which brings us right back to the initial question of how organizations can ensure the best protection for users.
Swallowing third-party cookies
Google has announced that it will ban third-party cookies from the search engine in the name of internet privacy and protecting user data. According to Curtis Simpson, CISO of the cybersecurity platform Armis, this move away from third-party cookies will have a tremendous impact. “If you look at this whole acceptance model that was built around third-party cookies, that’s generally a joke,” he explained. According to Simpson, most users are hitting “accept all” when pop-ups prompt them to do so, regardless of whether or not they understand what they are actually agreeing to. Once users allow cookies to access their data, it becomes easier for that data to fall into the wrong hands. “In most cases, they’re collecting more information than you want or need to share with them,” Simpson warned. Google’s push away from third-party cookies will provide users with better privacy because they will no longer have to worry about what outside sources have access to their personal information.
Mukkamala, senior vice president of security products at the IT automation platform Ivanti, puts this into perspective. “If someone walks up to you on the street and says ‘show me your driver’s license,’ you’re going to ask why,” he explained. “It’s the same thing online, and you don’t even hesitate to give that personal information away.” This comparison drives the point home. When websites like Google ask users to allow third-party cookies, and they do, it is essentially the same as giving a stranger on the street your information. The user has no actual knowledge of what websites will do with that information or where it could end up. The internet should operate the same as the natural world in this way: question why websites want users to grant access to cookies, and respond the same way you would if this were an interaction in the real world.
In the last few years, internet privacy has been taken very seriously by many organizations. Back in 2016, the European Union announced the General Data Protection Regulation (GDPR), designed to better protect internet users. According to Simpson, GDPR is the first set of laws regarding internet privacy that enterprises really took seriously.
“In many cases, enterprises see it’s cheaper to be non-compliant than to be compliant, but GDPR changed all of that due to their findings,” Simpson explained. He believes that this widespread compliance with the regulations GDPR put into place is the reason why it has been so effective. However, that does not mean that every organization is following all of these rules. Simpson explained that GDPR was effective because many companies were enforcing these laws due to a fear of repercussions if they did not. Unfortunately, this kind of fear-based acceptance may not be a sustainable model. “If we don’t continue to see penalties due to inaction, I think we’re going to see a slowdown around some of those privacy elements,” he said. While Simpson believes that if organizations become more lenient with GDPR regulations, it could lead to stricter enforcement and more fines, he also predicts that privacy issues may fall to the back burner until penalties become more consistent and more public.
On the bright side, though, Simpson also predicts that regulations like GDPR will increasingly be implemented nationally in the near future. “Whether it’s [an adoption of GDPR] or other similar regulations, we’re going to see across the globe that everyone’s going to care and mandate minimum standards,” he said. Once organizations start to care more about internet privacy and put regulations in place to protect users, we will see a real change. “As we’ve seen, this really does have a general impact on society as we continue to see these breaches at scale affecting hundreds of millions of people,” he began. “We can’t continue to have that happen because it’s disrupting services and capabilities within countries because when this happens at scale, it has a much larger impact.”
California was the first state to go the extra mile regarding internet privacy when it enacted the California Consumer Privacy Act (CCPA). This set of laws used GDPR as a guide to help better implement and enforce these regulations. According to Simpson, while CCPA operates on a smaller scale than GDPR, it is still generally effective. CCPA striving to meet GDPR requirements has caused many organizations to look at their own privacy guidelines and adjust them. “In many cases, companies are just finding the lowest common denominator,” he explained. These companies and organizations are looking at GDPR and CCPA regulations and trying to enact similar standards on a smaller scale, which will ultimately be a positive for users.
Mukkamala said that one way companies and organizations can ensure user privacy outside of enacting new laws is to simply collect less information and be more careful with what they collect from users. “Companies collect way too much information,” he began. “The company should be cautious about what they’re collecting, why they’re collecting it, and how they plan to use it.” If companies took a step back and reevaluated how much personal user information they are collecting, they could rid themselves of what they deem unnecessary. Doing this would make for more secure platforms because organizations would be more intentional about collecting and storing user data.
Mukkamala referred to the excessive amount of personally identifiable information (PII) websites and organizations collect, and the possible misuse of said info, as privacy debt. In recent years this has become a bigger problem as more and more privacy debt is incurred by companies. “Because of privacy debt, during transactions, during IPO, during their SEC disclosures, privacy is becoming a significant risk factor to be considered,” Mukkamala said. All this is to say that organizations that are taking more information than needed from their users while not taking the best steps to protect consumers may end up paying the price for it in the long run. Collecting personal information from users requires proper guidelines for housing, storing, and sharing said information, whether at a company, state, or global level.
Disposing of user data
Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, said that she believes one of the biggest challenges facing internet privacy today is the issue of disposing of user data once websites no longer need it. “What happens in a lot of companies is there will be a particular initiative, and when that program is over, nobody thinks about what happens to that data,” she said. According to Plaggemier, this is one of the most prominent blind spots organizations face in user protection. If companies take data and personal information from consumers with no proper disposal plan, it can become a real risk. User personal data can easily fall into the wrong hands if stored or disposed of improperly once it is no longer needed.
Plaggemier spoke explicitly about a data breach involving Mercedes-Benz and a third-party company. According to Plaggemier, the data compromised was from years before the breach occurred, long after Mercedes had stopped working with the third-party company involved. “It brings the question to my mind: are you still using that data? Why is it still out there?” she said. This breach left many consumers vulnerable, and if the proper user protection and data disposal systems had been in place, it might never have happened. When consumers give online companies their personal information, they are placing their trust in them. If organizations don’t properly dispose of this data when it is no longer needed, they betray that trust.