Many facets of Internet privacy must come together to provide the best possible protection for users, and it all starts with each application and platform doing its part. According to Curtis Simpson, a chief information security officer at the cybersecurity platform provider Armis, organizations protect their users based on what kind of data they provide.
Simpson said that understanding user data is the first step to proving strong privacy and security. “We’ve got to be looking at what personal information is flowing through our environment unprotected,” Simpson explained. “Gaining visibility to that clear tech data that are linked to the landscape and first and foremost understanding that.”
Suppose applications and platforms users rely on for protection understand the personal data they are entrusted to protect. In that case, it will make it exponentially more accessible for them to do so. Simpson, though, cautioned: “Unfortunately, in most environments we see, a lot of that data is not encrypted. It’s flowing through networks, going outside of the company, and can be intercepted and stolen by anyone,” he said. This can be a scary thought for many users. It is common to browse the internet, assuming a certain level of anonymity will be provided. That is why it is so essential for organizations to take crucial steps to grant users protection.
However, understanding data goes deeper than encryption. Simpson said there are many levels to personal user data, and platforms should strive to have a clear picture of them. “What we should be doing from there is taking a step back and looking at things like where this data comes from. Who is it being shared with? And taking action,” he began.
Simpson explained that an excellent way to learn these things is for organizations to create data flow maps. These maps provide a physical representation of how data is created, who starts it, where it goes, and who needs access to it, making it easier for companies to protect their users securely. “We’ve got to do that legwork because what we have to do is set a standard, monitor the standard, and continue to build controls around the standard,” Simpson explains.
The burden of internet privacy doesn’t fall solely on organizations; users also hold some responsibility. According to Simpson, a one-sided approach to privacy will never be enough. He says that keeping track of and hiding passwords is the first thing users should be concerned with online. “There’s a lot of things users can do, but one of the first things I recommend is using a password management or password vaulting service where you can centrally manage passwords in one application,” he explained. With so many different applications and services requiring unique login passwords, keeping track can be challenging. Being overwhelmed with too many passwords in too many locations can result in carelessness and sometimes leave a metaphorical window open for hackers that may allow them to gain access to user data and information more easily. According to Simpson, storing passwords in a centralized and secure place helps combat this and provides users an extra layer of protection.
On top of this, Simpson also stresses the importance of enabling multi-factor authentication when it is available. “It’s essential in email because you think about when you hit a password reset button on almost any website, that password reset is going to that email address,” he began. “If someone gained access to that email account, they can access anything associated with it.” According to Simpson, this is how most user information becomes compromised regularly. However, his most important tip to users looking to up their internet security is to think about what they share. “If you don’t need to share the information, if it’s not a required field, don’t share it.”
According to Sri Mukkamala, senior vice president of security products at the IT automation platform Ivanti, the responsibility for internet privacy falls on both the organization and the consumer equally. “It’s a combination of both because, as an individual, if you give up information, you’re almost signing a waiver,” he began. “There’s something that says ‘I accept,’ and you don’t even read through it… and I wouldn’t fully blame the consumer because, at the same time, a company should not just throw in legalities and take that waiver and do whatever they want,” Mukkamala said that this is a crucial reason why we see regulations coming into play more and more now. Relying on consumers and organizations to provide proper protection is no longer enough.
In recent years many applications have opted for biometric identification in place of passwords to pursue a more secure platform. According to Simpson, this has worked in many cases, but not to the scale necessary. “It’s helped, but it’s not consistently implemented on a widespread basis that would provide it with the material impact it could have.”
Simpson accredits this lack of widespread adoption to the diversity we see in devices. Creating a standardized biometric identification has proved incredibly difficult, with many users employing various technologies. “Everyone is concerned about the business impact as well and the impact that [biometric identification] can have within the organization, so these types of things can be scary,” he added.
Another critical aspect of implementing this technology is ensuring organizations do it correctly. While Simpson believes that software like this, paired with universal adoption, would be a significant step in the right direction for internet privacy, he also believes that taking shortcuts with such important technology will do more harm than good.
There is another side of the shift towards biometric identification, however. According to Mukkamala, using facial recognition or voice identification instead of passwords could result in hackers becoming savvier and gaining access to arguably even more personal information. Mukkamala explained, “The personally identifiable information has just expanded its scope… if I started collecting biometrics, whether that’s facial or voice recognition, where will that data go?”
This is an exciting point to look at. Suppose organizations opt for this kind of identification. In that case, the data they are collecting from users becomes almost more personal and, thus, has to be protected accordingly, which brings us right back to the initial question of how organizations can ensure the best protection for users.
Google has announced that it will ban third-party cookies from the search engine in the name of internet privacy and protecting user data. According to Curtis Simpson, CISO of the cybersecurity platform Armis, this move away from third-party cookies will have a tremendous impact. “If you look at this whole acceptance model built around third-party cookies, that’s generally a joke,” he explained. According to Simpson, most users are hitting “accept all” when pop-ups prompt them to do so, regardless of whether or not they understand what they agree to. Once users allow cookies to access their data, it becomes easier to fall into the wrong hands. “In most cases, they’re collecting more information than you want or need to share with them,” Simpson warned. Google’s push away from third-party cookies will provide users with better privacy because they will no longer worry about what outside sources have access to their personal information.
Mukkamala, senior vice president of security products at the IT automation platform Ivanti, puts this into perspective. “If someone walks up to you on the street and says ‘show me your driver’s license,’ you’re going to ask why,” he explained, “It’s the same thing online, and you don’t even hesitate to give that personal information away.” This comparison drives the point home. When websites like Google ask users to allow third-party cookies, and they do, it is essentially the same as giving a stranger on the street your information. The user does not know what websites will do with that information or where it could end. The internet should operate the same as the natural world in this way: question why websites want users to grant access to cookies and respond in the same way you would if this were interaction in the real world.
In the last few years, many organizations have taken internet privacy very seriously. In 2016, the European Union announced the General Data Protection Regulation (GDPR), designed to protect internet users better. According to Simpson, GDPR is the first set of internet privacy laws enterprises took seriously.
“In many cases, enterprises see it’s cheaper to be non-compliant than compliant, but GDPR changed all of that due to their findings,” Simpson explained. He believes that this widespread compliance with the regulations GDPR put into place is why it has been so effective. However, that does not mean that every organization follows these rules. Simpson explained that GDPR was effective because many companies were enforcing these laws because they feared repercussions if they did not. Unfortunately, this kind of fear-based acceptance may not be a sustainable model. “If we don’t continue to see penalties due to inaction, I think we’re going to see a slowdown around some of those privacy elements,” he said. While Simpson believes that if organizations become more lenient with GDPR, it could lead to stricter enforcement and more fines, he also predicts that privacy issues may fall to the back burner until penalties become more consistent and more public,
On the bright side, though, Simpson also predicts that i.e., will increase regulations like GDPR being implemented nationally. Shortly, “Whether it’s [an adoption of GDPR] or other similar regulations, we’re going to see across the globe that everyone’s going to care and mandate minimum standards,” he said. We will see a real change once organizations care more about internet privacy and put regulations to protect users. “As we’ve seen, this does have a general impact on society as we continue to see these breaches at scale affecting hundreds of millions of people,” he began, “We can’t continue to have that happen because it’s disrupting services, and capabilities within countries because when this happens at scale, it has a much larger impact.”
California was the first state to go the extra mile regarding internet privacy when it enacted The California Consumer Privacy Act (CCPA). This set of laws used GDPR as a guide to help better implement and enforce these regulations. According to Simpson, while CCPA operates on a smaller scale than GDPR, it is still generally effective. CCPA striving to meet GDPR requirements has caused many organizations to look at their private guides and adjust them. “In many cases, companies are just finding the lowest common denominator,” he explained. These companies and organizations are looking at GDPR and CCPA regulations and trying to enact similar standards on a smaller scale, which will ultimately be a positive for users.
Mukkamala said that one-way companies and organizations could ensure user privacy outside of enacting new laws is to collect less information and be more careful with what they collect from users. “Companies collect way too much information,” he began, “The company should be cautious about what they’re collecting, why they’re collecting it, and how they plan to use it.” If companies took a step back and reevaluated how much personal user information they collect, they could rid themselves of what they deem unnecessary. Doing this would make for more secure platforms because organizations would collect and store users more intentionally.
Collecting personal information from users requires proper guidelines for housing, storing, and sharing said information, whether at a company, state, or global level. Mukkamala referred to the excessive amount of personally identifiable information (PII) websites and organizations collect and the possible misuse of said info as private debt. In recent years this has become a bigger problem as companies incur more and more personal debt. “Because of privacy debt, during transactions, during IPO, during their SEC disclosures, privacy is becoming a significant risk factor to be considered,” Mukkamala said. All this is to say that organizations taking more information than needed from their users while not taking the best steps to protect consumers may end up paying the price for it in the long run.
Disposing of user data
Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, said that she believes one of the biggest challenges facing internet privacy today is the issue of disposing of user data once websites no longer need it. “What happens in a lot of companies is there will be a particular initiative, and when that program is over, nobody thinks about what happens to that data,” she said. According to Plaggemier, this is one of the most prominent blindspots organizations face in user protection. If companies take data and personal information from consumers with no proper disposal plan, it can become a real risk. User personal data can easily fall into the wrong hands if stored or disposed of improperly once it is no longer needed.
Plaggemier spoke explicitly about a data breach involving Mercedes-Benz and a third-party company. According to Plaggemier, the data compromised was from years before the breach, long after Mercedes had stopped working with the third-party company. “It brings the question to my mind: are you still using that data? Why is it still out there?” she said. This breach left many consumers vulnerable, and if the proper user protection and data disposal systems had been in place, it might never have happened. When consumers give online companies their personal information, they are placing their trust in them. If organizations don’t properly dispose of this data when it is no longer needed, they betray that trust.
