When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information, both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.
A little less conversation
Privacy and terms of service policies appear on every website, every app with which users interact. Enterprise- and consumer-focused tools alike include equal amounts of legalese. When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information (either automatically or through manual input), both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.
In a social experiment, the aforementioned researchers created a fictitious social networking website similar to Facebook. The terms and conditions of the phony website stipulated that users must agree to give up their first-born child and that all entered data would be sent directly to the NSA with consent. Ninety-eight percent of users clicked “agree” and began using the site.
This experiment is hardly the first to slip whacky or outrageous terms into policies; these researchers are not the first to watch and shake their heads as people blindly click “accept” without reading what they’re agreeing to.
A little more action, please
Now, a cynical person could argue that end users must be responsible for their own online data, much in the same way people must be responsible for their own healthcare. This theory only holds water to an extent. Much like doctors and nurses who gain years of education and training which allow them to analyze a person’s health in a way that reading WebMD.com does not, companies collecting data should employ sufficiently trained and knowledgeable staff to advise on terms, conditions, and privacy policies. Some of those experts are security practitioners.
Security practitioners span both sides of the coin as users and protectors, and they know firsthand that lengthy terms and policies are ineffective. Whether users should be more aware of how their data is being used, the fact is that they’re not and it’s security responsibility to help educate non-security people and to protect end user data when it becomes part of an enterprise-owned database. Even if the user isn’t manually inputting enterprise data to an external service, internal security teams need to be concerned with what information is being silently collected as the user browses across a site or through an app.
The amount of data collected from digital usage everywhere is astounding. Organizations depend on it, so the tracking and/or collection is never going to stop. In fact, it’s likely that even more sensitive data will be collected in the future (as amazing as it seems when you think about what else is left to collect).
A little more bite and a little less bark
Security professionals have to become part of the solution and help organizations revamp Ts&Cs of online use. The overly lengthy, CYA from a liability perspective, pages upon pages of verbiage isn’t helping protect anyone, really. If you work for an organization that lists interminable policies, even if those policies say that your organization is zero-percent liable if anything goes wrong, data is lost or stolen, or data is used in an inappropriate way, court cases overriding those terms are already surfacing. If you work for an organization that has end users who might agree to long-winded terms without scrutinizing the details (who doesn’t), and you’re concerned about security and privacy of your organization (you should be), it’s time to get involved.