Tuesday, October 29, 2013

How do we solve falling trust in online services before it becomes critical?

A few days ago LinkedIn launched its latest IOS app, Intro.

The app promises to integrate LinkedIn profile content directly into emails, allowing more rapid connections and helping give email recipients access to a range of relevant information about the sender.

Given both Apple and LinkedIn are well-known brands, many people are likely to trust that this app is safe for them to use, that these two global companies have taken every step to ensure that users are not exposed to privacy risks.

It's also not a big decision. Intro is free and installing the app is a two-click process, done in under 30 seconds. People are unlikely to spend the time to look at the usage policy in detail, or consider the impact of such a simple decision when they trust the brands.

However, in this case, trusting LinkedIn and Apple may not be wise. Global Security Consultancy Bishop Fox released a very compelling post outlining serious concerns with how LinkedIn's new app works.

According to Bishop Fox, the app works in the same way as a 'man in the middle' hacking attack, by sending all of a user's emails through LinkedIn's mail servers. Here they could be read by LinkedIn or, if encrypted, this process could stop the final recipient from ever receiving the email.

LinkedIn states that it will keep information from the emails it captures - and while it states that LinkedIn “will never sell, rent, or give away private data about you or your contacts.” there's no clarification of what data LinkedIn might consider private, nor any solid information on how LinkedIn has mitigated against the type of security breach it suffered in 2012.

This is just a single instance of a situation where the public are being asked to trust a company to do the right thing online, while there's no guarantee they will, and often there's few ways for an individual, organisation or even a government to hold a company to account when they fail to keep their end of the trust bargain.

So the conundrum for the public has become, who can they trust online?

Clearly there must be a level of trust to use online systems, with banks and government clear cases of where trust relationships are critical for transactions and service provision. With no trust in online systems, online banking and egovernment could not exist.

Social networks are also important. As places where people store personal information and share more and more of it over time, there's a clear requirement for companies to appear trustworthy and safe.

Even search engines, which have become the front door to most websites (with Google the dominant player), have a huge trail of data on their users - what you search for helps define who you are, particularly when people use search for medical and personal matters.

The public must implicitly trust all these organisations to both play nice with their personal information and to secure it such that nefarious groups or individuals don't get it. However it has become very clear that they simply can't.

Whether it is commercial providers, who primarily use this data to identify more effective ways to sell, or governments and banks who require this data to validate individuals, the number of reported data breaches is rising - in a global environment where few governments legally require companies to report breaches to the people potentially impacted.

On top of this comes revelations of data surveillance operations by government agencies, such as the NSA, commercial entities such as the example from LinkedIn above, where the data helps them productise their users, or organised crime, who use hackers and insider sources to secure valuable data for use and resale.

However despite increasing concern over how data is secured, who can access it and how it will be used, individuals continue to use many of these online services, either because they simply cannot live their normal lives, or conduct business, without using them, or because of the "it won't happen to me" principle.

If public trust disappears, what does that mean for every organisation using the internet to build its business or to provide more convenient and cost-efficient services?

What impact would it have on government, where a shift to electronic transactions means less investment in other channels and, over time, less capability to meet citizen needs should a collapse in online trust occur?

I don't know how this situation can be resolved, particularly with the low attention paid to ensuring organisations report and rectify data breaches and be clear on how they will secure and use data.

While it is a global issue, individual governments can have an impact, by establishing a robust privacy framework for their citizens and recognising that people own their own data and any organisation allowed access to it should be held accountable for not securing or using it appropriately.

Do we have such a regime in Australia today?

I wanted to finish with an extract from the response I received from the Australian Privacy Commissioner when I reported the LinkedIn app using their email form:

Dear Craig  
Thank you for your enquiry.  
The Office of the Australian Information Commissioner (OAIC) receives a large quantity of written enquiries each day. An representative will be assigned to your enquiry and will be in contact soon. 
We aim to respond to all written enquiries within ten working days. 
If your enquiry is urgent and requires an immediate response, please telephone us on 1300 363 992 and quote your reference number. More complex phone enquiries may require a written response and may still take some time.

A response within 10 working days (14 actual days).

I wonder how many individuals may have their privacy breached, or organisations their confidential data exposed, by a single popular mobile app from a well-known company in this period of time.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.