January 28, 2014
“But until a person can say deeply and honestly, 'I am what I am today because of the choices I made yesterday,' that person cannot say, 'I choose otherwise.'”
― Stephen R. Covey, The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change
"Privacy is a decision best left in the hands of the professionals."
– Tyler Shields, Senior Analyst Forrester Research
This posting is in reference to the recent Snowden revelations that mobile applications are a conduit for governments to spy on citizens. New York Times article HERE.
OK.. so it's a bit presumptuous to put my quote up there next to a great quote from Stephen Covey. I did it specifically to get a rise out of you. I did it because I expect you to think I'm insane for thinking we should leave our privacy decisions in the hands of others. However, that's exactly what I suggest we do. The consumer had the opportunity to make an informed decision on the privacy of their data in mobility way, way back in 2010 and failed to choose the correct path. The consumer can't be trusted.
In February of 2010 I wrote sample BlackBerry code that stole personal data. I published the code (crippled) as a demonstration of the type of data that could be taken and compromised from mobile devices. This research — received — a lot of — press. In April of 2011 I published research describing how the advertising libraries used in nearly every free mobile application on the market was taking personal and private information from the mobile device and potentially storing it for later use or abuse. This too received — a lot of — press-. Yet, in 2014 it is coming as a surprise to the world that "free" mobile applications really come at a cost and have the potential to compromise sensitive data from consumer and enterprise devices. This phenomenon is specifically why I'm suggesting that we need to rethink how we execute security controls on mobile devices and leave the decisions to the professionals.
When we present consumer users, and in many ways enterprise users as well, with the decision to secure their data they simply say "Just let me fling birds at pigs!" The end user just wants to get their job done. The end user just wants to play their game. The end user doesn't want to have to care about security and privacy. They expect privacy to be "taken care of" and to be provided to them as a natural right. The end user will choose to accept permissions and behaviors that directly compromise their personal data for something as trivial as opening a new level in "Angry Birds" or listening to a new single using "Pandora." Look at the apps on your phone. Are you making safe application choices?
For privacy to be successful we can't rely on the end user to make educated decisions and we can't rely on the government to provide assurances that our data is safe. So what are we to do? I believe that the answer lies within consumer and enterprise security product offerings. To be successful, security products must be transparent and seamless. They can't throw up any hurdles for the end user. A question or prompt as trivial as those shown in the slide above simply causes the end user to click "accept," just to get to their game. Security products will only be successful when they do not require the interaction of the end user and they do not store or compromise the sensitive data of the end user themselves.
I'm not sure we have any products on the market today that can fully combat this privacy and security problem, but I bet there are some on the way to market literally as I type. In the meantime, have a look at my Mobile Security TechRadar document for the details on the technology: "Mobile Application Reputation Products". A product, program, or solution that leverages this data might be the first step to helping consumers be safe.