The Facebook/Cambridge Analytica fiasco did not happen overnight or by “mistake”, as Facebook wants users to believe. The price of “free” services and apps online means the loss of data protection, privacy and transparency.
This isn’t a new phenomenon, it’s not limited to Facebook, and it should not be a surprise to anyone. Venture investment in companies building businesses around “eyeballs” and “clicks” had to convert to hard cash at some point, and that point is the monetization of user data.
In contrast, Authentic8’s cloud browser Silo was built on the trust of its users. How do we honor that trust? We think you have a right to know what we do with your data. But first, some background.
Did it change anything that these CEOs (two of which are now ex-CEOs) bowed their heads in contrition and began the walk to Canossa? Not really. These are just the latest to get caught. And for ever yone one of them, there are others hoping you don’t make the connection to their data sharing practices.
The nature of the data broker ecosystem and targeted advertising tools has allowed political operators from abroad to target Americans with a pinpointed campaign in the run-up to the U.S. presidential election. Something that the firm in question bragged about doing in other elections.
How did we get here?
The most recent Facebook #fail did not happen just by “mistake”, as Mark Zuckerberg wants us to believe. It happens by design with free services, such as social media networks, webmail providers and web apps.
The pithy quote “You’re not the customer, you’re the product” has an interesting history, dating back to 1973 (worth a read…) While clever soundbites may pique our interest, they rarely drive change.
Academics have called these “free service” businesses the protagonists of “surveillance capitalism”, and while it might lead to interesting conversations in the hallowed halls of HBS, it didn’t prevent users from signing up for such services in droves.
What we might have found alarming in some instances, like when government surveillance programs were disclosed, we were okay with in others because we got free services. And after all, “it’s just advertising”. It sounds almost casual.
Societal trends have reinforced this development – remember Blippy? The well-funded startup that posted your credit card transactions to the web? Whether narcissism or naivety, there’s really no concept of privacy online anymore. Mark said it himself in 2010. Privacy is no longer a social norm.
Where online advertisers and marketers foot the bill, user privacy and data protection fall by the wayside. Even apps and plugins that supposedly protect user privacy online are not exempt from this rule, as we have described on this blog here and here.
The writing has been on the wall for a long time. Could the Facebook/Cambridge Analytica affair finally cause change in users’ attitude about how online services handle their personal data?
Cambridge Analytica and GDPR: the perfect storm for data hogs?
The #DeleteFacebook hashtag campaign is picking up speed on Twitter, reports the Wall Steet Journal (“Next Worry for Facebook: Disenchanted Users”) and there are more indications that the general attitudes about data security and privacy are shifting.
With more than two billion subscribers clicking Friend and Like, a hashtag movement probably won’t move the needle. But another development has digital service platforms on edge, and this one comes from government.
European governments have, for the most part, been more skeptical of businesses collecting user data. Individual countries established their guidelines even before the internet. In the 1980s, the Organization for Economic Cooperation and Development released a set of recommendations on how the handling of personal information should be regulated. In 1995, the EU Data Protection Directive, or Directive 95/46/EC, was codified as a pan-EU set of data privacy regulations.
What happened next resembled the mayhem in a Marx Brothers movie. Everybody chimed in – U.S. and EU press, big social media companies with global user populations, the U.S. Department of Commerce, citizens, dogs and cats… In 2000, The Department of Commerce finally agreed with the Directive and acknowledged the legitimacy of the underlying principles, establishing a Safe Harbor status.
While ratified, the bureaucrats still had their questions, particularly about a company’s ability to self-regulate. They were undeterred by arguments to the contrary, and with a user-first mentality, GDPR, or the General Data Protection Regulation was adopted in April of 2016. As of May 25 of this year, GDPR takes effect. GDPR is explained in a bit more detail here.
The regulations are getting significant attention now, even in the states. And while much of the discussion in the media covers how companies must comply, what happens next will be more important.
GDPR puts the control of personal data back in the hands of the user. Firms must provide a business justification for their collections, users must agree to participate, and if they change their mind, users (yes USERS) can opt out and have their data deleted.
Organizations must comply, or face significant fines. GDPR covers any organization collecting personal data for any EU citizen or resident, regardless of where they are. The ramifications to the data aggregation ecosystem will be profound.
A cloud browser built on trust, privacy and data protection
Authentic8 cannot speak for others, but here’s what we do. As a company, we were founded on the idea that accessing the web through a browser should be secure and private. We have not changed our privacy disclaimer in more than two years now – as you can see for yourself.
Whether you search the web, mingle on a social network, or check your webmail – we believe that you, the user, should be the one to control your data. You should be the one to decide who gets to share what, if at all, with other services. Of course, if you do so willingly, we respect that. And once you’re logged in to a service, that service will collect your data per its EULA. That’s between you and the other provider(s).
But the right to privacy on the web is an integral part of the foundation Silo was built on: Authentic8 will not monetize user data. This is why we don’t deliver a free service. Instead, Silo is a security service that stands on its own and has proved, from its inception, unmatched value in keeping our customers’ data secure and private.
With hundreds of organizations and nearly 100,000 users around the world using it every day, we’re confident in our approach. And our renewal rate shows that customers see the value in paying for the service, in large part due to their ability to control their data.
As a company, we take pride in the strength of the solution we provide, and in the trust that users place in Silo. Our success depends on us maintaining that trust.
What happens to the data of Silo customers?
We honor your trust with transparency, and by keeping user data stored and processed to the minimum required to provide the service. Specifically:
- We maintain tight control over who has access to your data. We never share any of our users’ data with third parties, and only allow a small group of authorized employees to access it. We audit all employee actions in compliance with NIST guidelines and consistent with our underway FedRAMP certification process.
- Your uniquely identifiable usage data is automatically deleted on a 90-day basis; some anonymized usage data is preserved for capacity planning reasons – read more here on what type of data that entails).
- If you’re a business, you can encrypt your data with public keys you provide us with. We can’t access your log data, but you can via authenticated APIs.
- If you choose to leave our service, you can delete your data, or we will do so for you.
With user rights come responsibilities. Our terms of service state that our users are responsible for how they use the service. If you’re out to break the law, using our cloud browser would not be a wise pick. Authentic8 will cooperate with law enforcement when sufficiently compelled.
Users have asked: But what if Authentic8 gets acquired? It’s a fair question, given the growing interest that cloud browser solutions attract recently. Our answer is as straightforward and simple as possible:
The privacy philosophy behind Silo, in a nutshell
We believe that all digital service and app providers need to do a better job of maintaining data security and respecting the privacy of their users. Not just because it’s required by laws and regulations like PCI, HIPAA or GDPR, but because it’s the right thing to do.
This is also true from a monetization perspective. We believe that running roughshod over users’ privacy and data security needs is not a sustainable business model.
At Authentic8 and other companies that share our philosophy, putting the privacy of our customers front and center is part of the corporate culture. And with Silo, our cloud browser, it’s also built into the product.
Tired of being the product? Be the change. Demand better from your web app providers or take your business elsewhere.
This is a Security Bloggers Network syndicated blog post authored by Scott Petry. Read the original post at: Authentic8 Blog