Data privacy: Collect what you need, protect what you collect

Every time a user opens an app on their device, it seems they are being asked to provide both information necessary to engage with the app and far too often additional information that falls into the nice-to-have or marketing niche. Having CISOs participating in the discussions on what data is necessary for an app to function is table stakes. They should have a say in how that data is parsed to determine how it must be protected to remain in compliance with privacy laws. In addition, CISOs have a role to play in assisting the workforce in remaining safe online as well as protecting their (and the company’s) privacy.

The risks of data over-collection

During a recent conversation with Rob Shavell, founder of DeleteMe, he commented how data over-collection by companies is a rampant problem. The data brokers take what you give them and what they scrape and package and sell it. He notes, “Employers are now helping employees protect their PII [personal identifiable information] as it is in the company’s interest to do so.”

Speaking to what steps CISOs may take, Shavell suggests that they focus on data-collection compliance points and data tagging. In this manner, process and procedure evolve so “data is kept as long as necessary so if an individual wants their PII deleted, it is feasible to do so.“ (Data privacy in the European Union in the form of General Data Protection Regulation [GDPR] includes the “right to be forgotten” requiring companies to delete an individual’s information on demand.)

TikTok the glaring example of data over-collection

One example of an app that causes one to raise an eyebrow would be TikTok. Shavell comments on how “TikTok comes across as a benign app used by kids, teens and adults. Every video interaction is cataloged. Teens become adults.” He continued how over the course of time it is probable that this corpora of “life path data” will be used for predictive analysis to chart future course for individuals.

A recent Gizmodo article dissected a study by Internet 2.0, an Australian cybersecurity firm, titled It’s Their Word Against Their Source Code – TikTok Report. Their research showed that the app does indeed connect to China and requests “almost complete access to the contents of the phone while the app is in use. That data includes calendar, contact lists and photos.” Robert Potter, co-CSO of Internet 2.0, told Gizmodo, “When the app is in use, it has the ability to scan the entire hard drive, access the contact lists, as well as see all other apps that have been installed on the device.” He noted that this was “significantly more” than what am app like TikTok needs access to.

Gizmodo was told by TikTok that the data collection conducted is “In line with industry practices. We collect information that users choose to provide to us and information that helps the app function, operate securely and improve the user experience.”

On September 26, the UK Information Commissioner’s Office issued a provisional finding concerning TikTok, which carries with it a substantive multimillion-dollar fine. “The ICO investigation found the company may have:

• Processed the data of children under the age of 13 without appropriate parental consent,
• Failed to provide proper information to its users in a concise, transparent and easily understood way, and
• Processed special category data, without legal grounds to do so.”

Information Commissioner John Edwards said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”

ADPPA is on the horizon

In late-June 2022, the American Data Privacy and Protection Act (ADPPA) was introduced within the House Energy and Commerce committee and exited committee on July 22. While it is not a panacea, indeed the state of California notes that if passed as written it will weaken some of the actions taken in California to protect the privacy of individuals, it is a step forward. Given the likelihood that it will take some time to wend its way through congress, there is no need for CISOs to wait to address some of the recommendations contained within the bill, as they make imminent sense from a data protection and privacy perspective.

Violet Sullivan, cybersecurity and privacy attorney who serves as the vice of client engagement at Redpoint Cybersecurity, shares, “Digital transformation has created a very available method of surveillance tracking.” She continues how this piece of bipartisan legislation has great potential to be our first real federal privacy legislation.

The bill includes the areas suggested by Shavell to include the right to delete, right to access and correct, need for companies to designate those responsible for the protection of the data (CISOs take note), and duty of loyalty. Sullivan explains, “Duty of loyalty in theory would require organizations to act in the best interest of the individual when processing data and designing services.” She adds, “What this means for cybersecurity on the technical side – multi-factor authentication, network management, access control, vulnerability assessments, data retention and incident response process and procedures.”

In sum, CISOs should be pushing to ensure that data collected is data protected.