Online security and privacy have a love/hate relationship. We need security measures to protect our online privacy. However, complete online privacy (anonymity) can defeat security measures by giving cybercriminals an undetected place to operate. And we often sacrifice data privacy in the name of security – the NSA Prism project being one visible example.
The strange relationship between privacy and security is perfectly illustrated in the story of Tor, a software program for online anonymity. According to last week’s BusinessWeek article on Tor, much of its original funding came from the Department of Defense. Now the NSA is spending a huge amount of time and energy trying to defeat Tor in the name of security. Security and privacy would appear to be on opposite teams.
I don’t think that has to be true. It’s possible to respect the online privacy of your customers while protecting the security of their data and your applications. Striking the right balance is something that every business has to do for its specific customer needs and use cases.
In honor of Data Privacy Day, here are some thoughts on how businesses can and should balance privacy and security.
Stop Asking People to Give Up Privacy for Security
As I wrote in a previous blog, be wary of asking people for more personal information in the name of giving them better security. The more of their personal information you hold, the greater your obligation to guard that data – and the more attractive a target you become for identity thieves. Credit bureaus and identity data aggregators have themselves been breached, so outsourcing data collection to third parties is also problematic.
Consider Context When it Comes to Privacy
People have many ways of trying to operate anonymously online, from disguising IP addresses or true location to cookie wiping. Many people want to escape the scrutiny of marketers tracking their movements. Businesses need to look for indicators of people obscuring their real identity in those situations that represent a risk of identity takeover.
Let’s say someone is disguising their IP address online – should that be a concern? It depends on the business and online context. When connecting to a social network, someone might legitimately want to disguise their IP address or use a VPN connection. For example, they might be traveling in a country that bans the network. The social network might detect the activity but not deny access unless there were other behavioral factors.
However, if someone tries to create a credit card account while disguising their IP or geolocation, that should be a red flag. The context of the transaction or online interaction is a critical factor.
Honor the Customer’s Trust
Ultimately, striking the right balance of security and privacy comes down to honoring the customer’s trust.
• Don’t collect personally identifiable information unless you need it. Use behavior-based techniques and data anonymization to avoid the need to share data about your customers’ personal lives with third parties.
• Whatever information you do gather for security reasons should be used only for protecting the customer’s identity and data. Do not share it or sell it for marketing purposes. Partner with companies that are in the business of protecting trust, not monetizing identities.
• Protect customer identity in use – at the point of a transaction or at the moment of login. As I wrote in the blog Let’s Do Something Different for Data Privacy Day, online businesses need to be accountable for protecting the customer identity when it is used on their site – even if the identity was stolen elsewhere. By preventing account takeover you can maintain customer trust.
For more information, see the press release, “ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security.”