Do you know where your data is?
When most people think of data security, they are concerned about hacking and breaches — ill-intentioned thieves actively violating security measures to access user data. What they probably don’t realize is how many parties actually have access to their data through much more legitimate means.
A recent class action lawsuit involving four banks, seven insurance companies, and four credit card companies is shining a much-needed spotlight on consumer data privacy in Israel. The ten plaintiffs who filed the claim are protesting the practice of sharing private user information with third parties, like Google, without the users’ consent.
These institutions were using Google Analytics, a free and widely used third-party service from Google that gives companies the ability to evaluate their own performance. Yet the tradeoff comes in the form of data—data that these companies now no longer control, and which Google can easily use in combination with other data it collects to personally identify and target users. The plaintiffs’ anger stems, in part, from the fact that their data, privacy, and trust were violated.
This is only the latest in a series of data privacy-related class action lawsuits. Just last year, a class action suit was filed against four banks over a similar issue. Of those, one bank stopped using third party plugins, losing out on the benefits they provided in order to protect consumer data. A second bank enlisted QPrivacy to implement a system to manage and dictate their own privacy policy to the data-communication of third-party tools and open source scripts, maintaining those benefits while securing their clients’ data. The other two banks that chose not to act? They’re back in court.
Where is user data going? Data and consumer trust
It’s no secret that, as consumers, we often trade our data for services. In the case of free services, it’s even expected. When we make the choice to use a service or company, whether it’s a bank, a dating site, or a photo app, we’re doing so with the understanding that that specific company has access to the data we provide. Sometimes that data is a username and password; sometimes it’s our height and weight; sometimes it’s information about our income, the loans we’ve taken out, and the savings we’ve accrued. But when we use a service, there’s a reasonable expectation that the data we relinquish will be used only by the company we’ve relinquished it to. Unfortunately, as the plaintiffs in the class action suit learned, that’s often not the reality. Frequently, when we hand over our data to a company, that data then goes to third parties such as Google or Facebook in exchange for that company using their services.
This is a problem for three reasons. First, consumers often aren’t aware that their data is being shared at all. Second, many companies do a poor job of preventing clearly sensitive information such as medical or financial data from being passed along. And third, once a company shares user data externally, it can no longer control where it goes from there.
By sharing the data they’ve collected with third parties, companies are engaging in a blatant violation of trust. As consumers, we should be demanding a greater degree of transparency over which data is being shared and with whom, as well as a greater degree of choice in how our data is shared.
The challenge of sensitive data
While some data, such as clothing purchases or music streaming may seem innocuous, others—such as loans and banking information or data entered into health apps—are more sensitive. In fact, financial and health institutions are guided by regulations that stipulate how they must handle that data. This is in large part because such data can be misused by bad actors for undesired purposes, or used to identify specific individuals. While most third-party service providers say that they require companies to eliminate or encrypt financial and health data when using their services, the reality is that this often falls through the cracks. The companies who have the data either don’t know they need to encrypt it or don’t know how, and the third party providers often do little more than announce that they shouldn’t receive sensitive data. If it gets sent anyway, well, that’s just how it goes sometimes. It is a game of “Pass the Buck” between companies and third parties, and the loser is the consumer.
How the problem with shared data multiplies
Imagine you run a company that gets breached. Working with a team of experts, you can work internally to understand what data was compromised, and how. You can reach out to your users and let them know, and you can take measures to ensure that data isn’t further compromised.
Now, let’s say you’ve shared sensitive information with a third party that gets breached. That data, and the response to the breach, is no longer in your control. You can’t know exactly what information was compromised, you can’t know which of your users were affected, and you can’t know that the proper measures are being put in place to ensure it doesn’t happen again. Even worse, when you share sensitive information with third parties, you don’t know for what purpose they use it and who they are sharing that information with. In other words, a breach three degrees down the line can suddenly become your problem. Which is why your users should be able to expect that any data they share with you remains in your control.
Taking responsibility for user data
The class action lawsuit against fifteen financial institutions over the sharing of sensitive data shouldn’t come as a surprise. In fact, class action lawsuits of this kind have begun popping up regularly. What is surprising is that most companies haven’t yet taken the necessary steps to ensure their user data is secure.
The data security buck should stop with the companies — after all, they’re the ones being entrusted with it — and it’s time they start doing what’s right for their users. At QPrivacy, we know that consumer trust and third-party tools do not need to be mutually exclusive. It’s why we think companies should be responsible for their user data, and why we’re also offering them the solution to take back control.
