By Bhaskar Maheshwari
Safeguarding personally identifiable information (PII) from unauthorized individuals and companies is a major challenge in this digital age. While there are regulations, such as the European Union’s General Data Protection Regulation, that legally protect a person’s privacy, the ultimate responsibility of protecting PII lies with end users. Without education, that reality can open your customers and their employees to a world of problems.
Let’s face it: Data collectors often gather up PII – including name, phone number, email address and more – that is not even relevant to the purpose of the transaction in question. Another issue is that the purposes for such data collection are often either not shared with the individual whose PII is being collected or, if they are mentioned in the terms and conditions, appear in a barely readable font. It’s a rare end user who actually puts in the effort to wade through such soporific documents to find this information. Those who do may find a surprise: that their PII will be shared with various third parties across the globe.
These data collectors know that individuals do not make it a priority to be diligent about who has access to their PII, so they do not hesitate to adopt such malpractices. Inadvertently or knowingly, we provide consent for our PII to be exploited for data analytics and digital marketing purposes. If you haven’t been creeped out by an ad served after you made a tangentially related search or download, you’re not paying attention.
Data is the new oil that corporations are mining. And mobile phones are one of the easiest channels in which to collect, process and distribute that “oil.” Some applications ask for permission to read, modify and collect data from a mobile phone, and the user often grants such permission because the perceived value of the experience these applications offer outweighs the value of protecting nonessential personal privacy in the digital world.
In other cases, the end user might be completely unaware of the consequences of granting such permissions and is only interested in giving explicit consent in the opt-in boxes, which can be obstacles to using the application. These users are unlikely to be aware that, even if such applications are deleted, a backdoor can be created to access information without their knowledge.
Usually, it is lesser known or newly launched applications that cause privacy and data security problems. Along with the principles of privacy by default, data minimization and purpose limitation, mobile device users should also adopt the principle of application minimization and permit information to be collected only for the specific purpose for which the app has been installed.
You may be thinking that educating customer end users isn’t your job as a consultant or MSP. I’d argue that you’re wrong. Rampant distribution of PII belonging to a customer’s employees can lead to successful phishing and other cyber attacks that cost them and you time and money to put right. If you have a mobility consulting program, PII is in your purview.
And the problem is only getting worse. Neglect of privacy during the design or architecture stage of mobile application development is rampant, especially if the development organization considers user privacy a burden. For example, after an Indian consumer goods company recently launched a messaging application, security researchers easily found multiple security and privacy concerns in the application. As a consequence, this application had to be taken off the market within a day of its release. While the company is planning to launch a safe and secure version of this application soon, should prospective users …