Once again on my long and arduous morning commute the radio brought me a news story that prompted me to write. There was an NPR news story, and oddly enough I can't find a reference to it anywhere, about how many mobile phone apps borrow, steal, or leak your privacy info. My initial thought was 'hey, big software companies that attempt to understand issues of privacy have a tough time with this. It must be a serious problem when it comes to a boutique firm or garage programmer that doesn't care about anything other than getting their app to work and to market.'
So, obviously with a complicated issue such as this, there were many examples, old and new, of what I call questionable behavior. In the camp of those that favor social behavior apps, privacy is of little concern, but here's the rub: Maybe my friend doesn't care if their contacts are sent to the app vendor, but my contact info is in their contact database and I *do* care. How can *I* opt out? What if the data is leaked and not overtly taken? Informed consent is one thing when I make the choice, but extending blind trust in the good security judgement to every person that I know (and all of their friends) is entirely another. Most people that I know think I'm a real piece of work when it comes to security thinking, so how likely are they to share my values regarding protection of personal privacy information? Yeah, right!
My concerns with privacy melt away if I am clearly informed of what you or your app are doing with regard to my privacy information and I opt in. Unfortunately many people don't know or don't care to control what their apps do or take the appropriate steps to protect my data. Another curious issue is that privacy law doesn't accept ignorance of the law as an excuse. Lawyers looking for some easy and fertile ground for lawsuits, are you listening? If you don't recognize my data as being at risk or even what such risk might look like, you obviously can't inform me and give me the choice to opt in or out.
Some perpetrators of this kind of information collection are far worse, insofar as they collect your data and simply don't believe that they are not allowed to have it. The issue with that is that in their arrogance, they are not responsible data custodians. If they feel they have every right to have it and it was free to acquire it, they will put little to no value on the risk assessment process necessary to create appropriate controls to govern what protections make sense to have. Worse still, if that organization is subject to petition via a freedom of information request that many governmental organizations are obliged to comply with, your info can be exposed because no one ever thought that they really don't need this info. Let's not talk about the secret collection of information for 'just in case' purposes. That would be another article entirely.
Corporate Data vs Apps
Many companies are struggling to keep up with these same issues when dealing with the Bring Your Own Device (BYOD) service model that employees so love (as do the corporate accountants that don't have to pay for all those devices) and the protection of corporate data. Security in cloud services is in its infancy at best, but when you combine that with uncertain to non-existent security policies of any number of apps on an employee's mobile device, you have challenges of nightmare proportions. You can just read that as 'you might do just as well to throw your hands up, because you've already lost.'
So Where's the Next Big Idea?
This problem is really screaming for the next 'big idea.' We have data in more places today than we could have ever imagined when the imperfect, not-concerned-with-security constructs were invented that form the backbone of the internet and today's connected society. How can I ensure that my data adheres to my security values as it travels the information superhighways and byways? I would be happy simply to start with a solution that keeps my friends from leaking my email address via random apps on their phone and keeps my inbox free from the spam circuit.
I firmly believe that some amount of legislation and regulation will need to be involved in whatever the solution may be, because no one will care about complying unless there are monetary consequences to violations. Businesses of all sizes understand money. Information is money. Being cavalier with my information against my will should have monetary (and punitive) consequences in the same way that stealing money from my pocket does.