In the 21st century, data is the new oil. Every single organization, whether for profit or non-profit, covets your personal and sensitive data. Governments want their citizens’ data for varied reasons such as security, policy formation, planning, and more. In academia, a professor legitimately needs data for research purposes. On the other hand, business enterprises mine their customers’ data for devising new marketing strategies or launching new products.
In recent decades, companies such as Facebook, Instagram, and Google have built their business empires around data. Facebook, for example, has evolved from mere a web application that enables people to connect and collaborate online to a platform that enables and hosts third-party applications.
Facebook’s architecture significantly enhanced its appeal for a huge ecosystem of developers plugging their apps into the platform. The company did not, however, change its privacy and security policy in line with this development to prevent data leakages. This is how Cambridge Analytica (CA), which used quiz app ‘thisisyourdigitallife’ to collect information about the personalities of Facebook users in exchange for money, also collected the personal data of people on their friends list without their explicit consent.
CEO Mark Zuckerberg has acknowledged the data breach scandal and the massive trust deficit problem Facebook faces today. The core problem is that the apps that are hooked into the platform are not rigorously tested for their privacy and security compliance. According to Facebook, since the apps belong to third parties, the onus is on them to comply with its terms and conditions.
The company has responded to the CA scandal by enhancing its bug bounty program. First started in 2011, the program incentivizes researchers who detect vulnerabilities in the platform. The enhancement includes measures such as an in-depth review of the platform, rigorous policy terms for B2B apps, and full audit of suspicious apps.
The enhanced program will now cover data-related issues as well. All this will make users stakeholders in the enforcement process. Recently, Facebook also announced changes in its Application Program Interface (API) usage and said it would disable features that may be prone to misuse by app developers.
Figure 1: Organizational Data Usage Policy and Enforcement
The protection of personal and sensitive data is the key to sustaining the ecosystems organizations are trying to build around data. Many organizations today face the same issue Facebook is trying to cope with. A possible solution to leaks and other misuse would be a stricter data usage policy that is stringently enforced. Figure 1 depicts one such high-level solution to enable safer hosting of apps and appropriate data use by organizations. Any app using the sensitive data maintained by another organization should have to comply with such policies.
The ideal situation, of course, would be for organizations to automate the entire enforcement process, with a dedicated security team equipped with program analysis (PA) tools to pinpoint potential data and security vulnerabilities in the apps. PA tools are good at tracing the flow of information within applications. With a little help from users, they can distinguish between secure and non-secure information flows.
Such analysis tools can be deployed to scan app codes and trace the flow of information from data sources (a file or a database, for instance) to data sinks (UI screens or files). The tools can then generate a report and alert the end user about any potential (sensitive) data leak and/or misuse of information.
Of course, if an organization exposes its data for use by third-party APIs, it is necessary to confirm whether those APIs are being used for their intended purposes or not. Obviously, this is more complex a task than to locate non-secure information flows within an app. However, PA tools can be combined with human intervention to make them robust and fill this loophole.
By using security teams to fill gaps in enforcement and providing privacy certifications, organizations can try to restore some of the user trust that has been eroded in the light of recent data leaks. This erosion of trust is a clear takeaway for all the companies that have profited from user data so far. This is a significant loss, and we feel that proper policies, transparency of actions, and rigorous enforcement are the only way to correct it.