Security and Privacy Privacy in Web 3.0: Living in a Glass House?
The digital world offers us many conveniences. But to take advantage of them, we share a lot of our personal information. While privacy used to be as natural as permanent networking is today, it is quietly but quickly going to pieces and becoming a scarce resource.
It's a familiar situation: You subscribe to a newsletter and it requires a unique password. You know you won't remember it but neither can you write it down and leave it lying around. So you turn to the next best alternative, social login. You use 'Facebook Login' or 'Google Sign-in' for various websites so you only need to remember one password. And since these centralised logins can be protected by two-factor authentication or risk-based security measures that react to unusual user behaviour, it's safe. Sounds like a win-win situation.
Everything comes at a price
While using social logins doesn't cost you a cent, you do "pay" by providing your profile and usage data. This information is also of interest to the providers of the websites that you access. Today, you can control what data (e.g. profile photo, age, list of friends, etc.) is shared with website providers but comprehensive collection of usage data is still possible. On the other hand, sharing such personal information can benefit you, since the data collected can be used to help detect unusual user behavior by means of behavior analytics, and thus prevent unauthorized access to an account.
In mobile payment, balancing security and privacy is also an issue. Mobile payment not only allows for convenient payment by cell phone or real-time peer to peer transfers, but it also offers security features such as a fingerprint sensor for payment approval. It can also fix well-known security problems since unlike traditional credit cards, copying and cloning of credit card data is not possible with Apple Pay anymore. But new questions arise: Who exactly has access to which data? Is this data exclusively used for payment processes or also for profile generation, marketing and research purposes?
Fitness tracker – chasing one's own data?
The little helper on our wrist also collects your personal data. It records your activity, position, heart rate and even the type of exercise. By doing so, it helps you achieve our health and fitness goals. If you also use apps to record additional details such as your sleep and diet, the fitness device eventually becomes an indispensable personal trainer. The downside? Due to data correlation, it provides a precise picture of you and your daily life to everyone who has access to the data.
Therefore, you and similar users should always ask yourselves: Who has the right to access my data, who owns the data, how is it protected, who might use it and for what purposes? Users need to inform themselves and assume responsibility, particularly in areas where data privacy laws may lag behind. Legislation is catching up at least in the European Union. As of May 2018, the General Data Protection Regulation (GDPR) will take effect in the EU. It clearly defines the rights and duties of both end users and organizations. For the sake of compatibility, Switzerland will most likely take the GDPR into account in the revision of its data protection act.
Security does not necessarily imply privacy
Organisations need to identify opportunities and risks during the early stages. They need to provide answers to questions: what technologies do we rely on, what dependencies are involved, what are the regulatory requirements and the reputation risks? Organisations may help educate their customers by clearly defining their services and quality levels in terms of privacy. Swiss companies in particular may advertise their privacy policies in addition to quality, and security. After all, what is the benefit of a secure solution if the customer's privacy is not protected and he is left living in a glass house?
This article was published in Netzwoche in February 2017 and in ICTjournal in May 2017.