Product Security And Surveillance Capitalism: Ring And Avast Fumble Privacy, Data Security, And Third-Party Risk
It’s been a rough couple of months for Ring. Multiple security and privacy issues have plagued the physical security device maker, it has responded poorly by casting blame on users, and following that, the Electronic Frontier Foundation (EFF) identified that the Ring app is littered with third-party trackers. At virtually the same time, a security product company — Avast — got exposed for harvesting and selling “every click, every search, every buy on every site” its users visited.
Avast issued a statement filled with buzzwords and empty promises that, as I tweeted, illustrated the company’s reckless disregard for privacy, fundamental lack of respect for its users, abdication of risk management responsibilities, and a culture that chooses to hide behind legalese to avoid any sense of accountability. On January 30, Avast announced it would shutter Jumpshot after getting caught with its hand in the proverbial data cookie jar. Avast gets no credit for shuttering the subsidiary and putting hundreds of people out of work — at best, the decision is values and ethics theater. If, as the cliche goes, “character is what you do when no one is watching,” the world understands Avast. Clearly Avast knows that this unsettles customers, making this an admission of guilt.
For anyone who believes that personal data has no value, consider this: losing access to the clicks, searches, and buys on every site its users visited is what caused this subsidiary to close! When harvesting user data became a nonviable tactic, the company died.
That’s true. It really is. And that’s the part where hiding behind legalese to avoid accountability comes in. These companies know we can’t understand the language in these agreements. They also know that we can’t NOT click on them. If you downloaded Avast software, or it came preinstalled, you clicked to accept at least once. The same goes for Ring if you want to log in and configure control of the devices. Sure, opt-out exists, when you can find it. We can’t depend on journalists and the EFF to identify all the culprits out there.
Average users don’t understand terms like PII, what it covers, or what can be done with it.
Avast’s statement assures users that their personally identifiable information (PII) has never been sold to a third party, where PII, according to the company’s spokesman, means name, email address, or contact details. What Avast is failing to disclose is that the sensitive browsing data shared with its subsidiary Jumpshot contains users’ search history, geolocation, and the sites they visited. In some cases, companies know what you’re doing even when you’re not using their product. And they’re using that information to control your behavior, as eloquently described by Shoshana Zuboff in her recent piece for The New York Times. Couple that with legitimate questions about how well advertising data is anonymized, and companies can’t really guarantee that users are protected.
Imagine If Websites And Boxes Listed Logos Like Race Car Drivers’ Fire Suits
If you follow NASCAR or Formula 1, you know what I mean: when the driver exits the vehicle in a fire suit covered by corporate logos of sponsors and partners. Imagine if Ring and Avast had to do the same on their boxes, websites, and apps!
The reason those logos appear on the fire suit: Those companies are proud of their sponsorship. If Ring and Avast won’t do the same, it means something else: They are ashamed of what they are doing. If every company that might eventually wind up with your data were required to appear as a logo on the physical box, on a dedicated page in the included user manual, on a dedicated page of the website, and on a dedicated page of the app, then disclosure would be unavoidable. Not just the data aggregators and brokers they sell data to . . . nope, this includes the entire supply chain of second, third, and fourth parties that might eventually get that data. What if every Facebook login showed you the same, along with every search you make and every site you visit?
Product Security Requires Transparency
Lamenting that users buy products with poor security that potentially violate their privacy points the blame in the wrong direction. The victims aren’t the problem, and markets struggle to correct pervasive, complex issues. From our product security research, “Secure What You Sell: CISOs Must Tackle Product Security To Protect Customers,” we know that other industries have figured out product security and safety, so we can turn to those industries for a model. When you receive a prescription, a list of side effects is included. In the countries where pharmaceutical companies can advertise on television and radio, they are mandated to list side effects. As Sandy Carielli put it, what if this were handled the same way? “Here are the side effects of these products.” My proposed side effects — “ain’tgotnoprivacy” and “urbeingwatched” — don’t require seeking medical or legal attention, but they should be disclosed all the same. If consumers only accept the status quo because the information is deliberately conveyed in a meaningless and obtuse way and we have no alternatives, it’s not really their fault.
The answer is forcing transparency from companies that participate in surveillance capitalism, especially when it’s a side effect of the products and services we use.