Privacy in Software
I have always been a bit more paranoid when it comes to security, regardless of whether it is related to software or to real life. Maybe it has to be because my parents' house was robbed twice when I was a kid, and that became a trauma for me. Either way, privacy and security are things that I value.
I have been working in the software industry for, well, far too long now, and today there is a much clearer concept of what is private and secure than what we had 20 years ago.
I recall that when a software issue was mentioned back then, it was something related to a Windows user not having their network private and leaving it fully open to the public, or not having an anti-virus to avoid emails that promised exotic photos of someone famous.
Today is different: there are discussions on what is private, what is secure, how to make things secure, how to ensure that we are not liable, and how to ensure that user data is secure.
When we are developing a new application today, all of these aspects are taken into consideration. Take, for instance, the new wave of SSL-only deployments that is taking over every single web application out there, or the practice of hashing passwords instead of encrypting them.
If everything being done today is meant to ensure the security of user data, why is privacy such a big issue?
Well, the issue lies in who owns the data and what the person or company can do with that data.
Suppose that you go to an e-commerce site and decide to buy a t-shirt. Like on many other sites, you will be entering your delivery address and your form of payment (usually a credit card), and, in some cases, you might also create a username and password and register on that website.
At this moment the site is creating a record of your order and a record of your address, name, etc. When you purchased the product you agreed to the site's terms and conditions (which I know for sure no one reads) and its privacy policy, and everything should be safe and sound.
Now comes the question: who owns the data that was saved to generate the order? You or the e-commerce site? If it is the e-commerce website, then are they within their rights to use that information to further improve their business? Are they within their rights to sell your information, limited as it is, to another company? Can they use that data to email you, to send you a letter, or to perform other charges? All of that is defined in the ToC and the Privacy Policy that, like me, you haven't read.
Now, if the data is stored on their servers, even if the ToC and the Privacy Policy didn't state it, does that company still have the right to use the data that you submitted? Or, even deeper into the weeds, what if the data was stored on a server that is in Japan? Are those ToC and Privacy Policies valid in Japan?
Let's expand this a bit further. Suppose that you really don't trust computers at all and, because of that, you go to a doctor's office that keeps everything on paper. All your data, every single medical record, credit card information, address, names, surnames, all of it stored in filing cabinets in that office. There are no ToC and Privacy Policies for those pieces of paper, so is the doctor allowed to use your information for the benefit of his office? Can the doctor sell that information, limited as it is?
The difference between the doctor's office and the e-commerce site is volume and where the data is located. In both cases, your information should be kept protected at all times, and in both cases, the use of the information is a discussion about abuse, not about privacy.
This was first highlighted with Facebook and the issues about user privacy in Europe that generated GDPR, and now it is being highlighted with employees from Amazon being able to hear conversations and get to your address through Alexa.
For the issue to be mitigated, and the word really is mitigated, here in the US it is necessary for laws similar to GDPR to be passed. California is the first state in the US that has passed a similar law.
At most, your online privacy can be protected, but the use of the data has to be a discussion about companies abusing the data that they hold and, furthermore, a more in-depth discussion of who really owns the data: the company or us.
Rule of thumb: read the ToC and Privacy Policy and only give your data to companies that you trust. The best security for your privacy will always be you.