Most of us have a collection of apps on our phones and find them useful in getting from point A to point B, keeping tabs on the weather, or messaging friends and family, among many other activities.
But how much do you know about the data that’s collected on you every day from these same apps, and then passed on to brokers, companies or even governments who use that information in a variety of ways?
Jordan Wright, Senior Security Architect at Duo Security, now part of Cisco, wanted to find out what info data brokers had about him. So, he began a journey into the world of data location tracking.
Ahead of his presentation at this year’s Black Hat 2020, I talked to him about his findings in a lively discussion with Harvey Jang, Cisco’s VP & Chief Privacy Officer.
Q: Jordan, can you tell us about your research and why you felt it was important?
Jordan Wright: I wanted to better understand what kind of visibility and control an average person has into seeing what data is collected about them, and also to show just how impactful and personal this data can be.
I requested my data under the CCPA (California Consumer Privacy Act) from fourteen different companies that specialize in collecting and processing location data.
Note, that I don't live in California where this regulation applies, and that put a different spin on the research. As someone who has no other options, how can I better understand how my data is being used?
Q: What did you learn?
Jordan: I got multiple responses back from companies. Anything from, “you're not in California,” to “we don’t have any data about your device.”
The most common answer I got back from most of the companies was, “there's no way for us to properly verify your identity according to regulation requirements based on the information that we have.”
There are a few different sides to this. On one hand, I can appreciate that they don't want to give my data to someone else who may be requesting it. On the other hand, it's frustrating as a consumer to feel like this data could show me going back to my house in the evenings, and I don't have visibility to see what that is.
Q: What should consumers know about this?
Jordan: The information that I did get back from one company shows this data is sensitive. It tracked me as I was going about my day. In some cases, it tracked me as I was visiting work in different areas, when I went on vacation, and as I was going around town with my family. That, to me, is invasive. As a consumer, it's not what I felt the agreement was whenever I started using some of these apps.
The research highlights that we have a long way to go when it comes to giving consumers visibility and control over their own data. We can continue to do more and do better in that space.
Q: What can the average person do?
Harvey Jang: I know this is not going to be a popular answer, but people really do need to read privacy policies and try to understand how their data is being handled. Laws like CCPA in California, GDPR for the EU, and other privacy laws around the world require companies to be transparent about what’s going on with data, so the information is out there and available to consumers.
If it seems odd or like the data the app is asking for isn’t necessary for the app to work, think twice about downloading and using it. For example, some flashlight apps want your precise geo location over time. Why? Probably to build a marketing profile. If you’re ok with that, fine, but I’d be wary of non-essential data collection.
Also, be careful with “free” apps. If it’s a temporary free trial, that’s one thing, but in some cases, you’re paying with your data. Again, nothing inherently wrong with that business model, you should just be aware of the bargain you’re entering into – data for services.
Jordan: One of the things that, in this case, consumers can do is opt out of targeted advertisements on their mobile devices. To be clear, they’ll still get advertisements, but they won’t be associated with their unique device, so they won’t be as customized to that consumer.
Q: What does this research say about the state of privacy?
Harvey: This research confirms the findings of our own Consumer Privacy Survey -- consumers care about privacy and will take actions to protect it. Consumers want companies to be transparent, fair, and accountable in their data practices. They will only do business with companies they trust.
Jordan: One thing that both consumers and companies want is consistent regulation that's applied across the board. After all, it’s a win/win! Companies wouldn’t need to worry about state-by-state differences in regulations, and consumers would have clear guidance on what control and visibility they have to their data.
Harvey: If privacy is a fundamental human right, protections and respect for personal data should apply to all people – no matter where they are located.
Q: What can lawmakers or companies do to make sure privacy is at the forefront of what they do?
Harvey: Privacy has already moved to the forefront for businesses because customers care. The threat of a 4% fine under GDPR got executive, board level attention. Understanding your data and being transparent about what you do is critical.
At Cisco, our privacy program is anchored on three core principles -- transparency, fairness, and accountability. We believe in being transparent and public about our data practices. The market and stakeholders will judge and ensure that our practices are fair. We have internal governance, oversight, and policy enforcement teams to drive accountability and to confirm we have controls in place to live up to our promises.
For law makers, we’d like to see the continued efforts to ensure laws around the world are interoperable. We're already starting to see more harmonization and countries using the GDPR as a template when writing or amending their own laws. It was particularly encouraging when the EU and Japan entered into a mutual “adequacy” agreement indicating that their laws provide “essentially equivalent” protection for privacy.
Q: Why does Cisco believe privacy is a human right?
Harvey: Respecting privacy as a fundamental human right is not new or unique to Cisco. The UN’s Universal Declaration of Human Rights from 1948 was among the first international recognition of privacy as a human right.
Respect for individuals and their privacy is essential to Cisco’s corporate purpose to Power an Inclusive Future for All.
Jordan: So, Cisco standing on the three principles above, that's why consumers are going to trust us.
We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.