Since the dawn of digital marketing, people have been asked to provide their personal information in exchange for information online. This "information swap" is still a common digital tactic. However, it isn't just marketing forms that collect data. Contact forms, checkout carts, and digital healthcare forms are all examples of ways data is being captured.
While data privacy hasn't been the biggest priority for many Web applications, there is a reckoning on the horizon. We are seeing a growing number of news stories about companies doing shady things with customer data, litigation popping up over excessive data collection, massive General Data Protection Regulation (GDPR) fines for broad-based privacy policies, and the first-ever fine under the new California Consumer Privacy Act (CCPA) regulations. While there are still very limited privacy standards in the United States, the Federal Trade Commission (FTC) is on the warpath in regard to data privacy, and its reach includes punitive actions against company executives too. It's time for organizations to step up and start getting ahead of these privacy issues.
What Exactly Is the Problem?
Presently, we are facing two major challenges when it comes to digital privacy: data collection without consent and abuse of data collection with consent. Both of these issues stem from the growing level of complexity and third-party code in modern Web applications. Additionally, more application logic and functionality has been moving to the client side (inside the browser), where traditional security tools can't reach. This lack of visibility and protection within the client side is creating the perfect privacy storm for organizations of all sizes.
Let's look a little deeper into the two major issues organizations are facing today.
Stop Stealing My Data (Without My Consent)
This type of data collection may not be the intention of the organization, but nevertheless, inclusion of third-party code makes this invisible data capture a reality. While conducting an analysis of dozens of popular software-as-a-service (SaaS) applications, we found that more than 85% of the time, third-parties are capturing your data before you submit a form. This data capture without consent is reminiscent of digital skimming attacks, which perform very similar types of data capture for malicious purposes.
Stop Sharing My Data (Even With My Consent)
If your data is sent to a dozen third parties when you sign up for an account, the risk of having your data exposed in a cybersecurity incident increases significantly. It's no longer just the company in question that you have to be concerned about but all of the third parties that receive a copy of your data.
How Can We Fix This?
As an individual, the best thing you can do is use a privacy-focused browser extension like uBlock Origin or Ghostery. Both can help automatically filter out third-party digital trackers while adding a layer of protection to your privacy. While it's impossible to account for every single third-party risk, this initial layer of protection is a step in the right direction.
But what about organizations? This is slightly more problematic, due to the complexity of modern websites and Web applications (as I touched on earlier). In order to tackle this privacy challenge, organizations need to focus on two key areas: data asset identification and data access to those assets. In other words, what types of data are you collecting and which third-parties have access to that data.
Since most Web applications don't have a centralized mopping of all input fields, the identification process requires someone (typically from the application security team) to manually inspect each webpage for inclusion of data assets.
Once each data asset is identified, another review of those webpages will be required, this time to manually investigate what third-party code is loaded on the page and which parties have direct access to the data assets.
This entire process is incredibly time consuming and is further complicated by the fact that application security teams don't own the application. This will require multiple teams, such as marketing, legal, development, product, and AppSec, to work together in order to determine what third-party code belongs for critical functionality and what needs to go.
The time and resource cost associated with bringing better privacy protections to your Web applications may not seem worth it at first, but consider the dual costs of a fine (from the Federal Trade Commission) and erosion of trust from your end users. The push for better privacy standards is on the rise, and it's only a matter of time before each state has a digital privacy requirement in place.