Privacy by Design - Part 1
The safeguards that the Federal Trade Commission (FTC) is proposing are quite reasonable, and it is hard to understand why some of them were not implemented by the vendors in the first place. Building applications and services led by security best practices would help create a safer environment. The safety measures are not just technical ones but include physical and administrative safeguards. The level of security required depends on the sensitivity of the data, the size and nature of the business operations and the type of risks the business faces. So, what are we talking about?
For example, why is Google's email service not encrypted by default, with encryption just an option that the end-user has to set? Google recently announced that they will make HTTPS the default protocol for their email services. The FTC framework suggests that security controls are defined during the planning stages of an application and are revised during the deployment and maintenance stages of the application. Some may argue that Google's Gmail took off when cyber criminality was in its infancy, but was it? Is it not the same scenario we have with cloud service providers? How many vendors are building their infrastructure on security best practices? I am pretty sure that there are quite a number of secure cloud setups, but we still lack common standards that regulate cloud computing services!
The FTC framework asserts that businesses should collect only the information needed to fulfill a specific, legitimate need and nothing more! A typical example is a local service provider that collects information about unsecured wireless networks for the purpose of providing location-based services. During that exercise, unintended collection of consumer data takes place, so the provider should implement procedures and mechanisms that prevent this from happening, or safely discard the additional information collected. For instance, if a mobile application sends weather and traffic information to customers based on their location, it should not collect contact lists and other unrelated info from the customers' devices or disclose their whereabouts!
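One way to enforce the "collect only what the purpose needs" rule at the intake boundary of the weather/traffic service described above is a purpose-bound field allowlist that drops over-collected fields and coarsens location precision before anything is stored. This is an added example, not code from the original post; the purpose name, field names and the sample payload are constructed for illustration.

```python
# Added example (not from the original post): a purpose-bound intake filter
# for a location-based weather/traffic service. Purpose and field names are
# constructed for illustration.
from dataclasses import dataclass, field

# Each declared purpose lists the only fields it legitimately needs.
PURPOSE_FIELDS = {
    "weather_traffic": {"lat", "lon", "device_locale"},
}


@dataclass
class Intake:
    kept: dict
    dropped: list = field(default_factory=list)  # field names only, never values


def coarsen(value: float, decimals: int = 2) -> float:
    """Reduce coordinate precision to roughly 1 km so exact whereabouts are not retained."""
    return round(float(value), decimals)


def minimise(payload: dict, purpose: str) -> Intake:
    """Keep only the fields the stated purpose needs; record which extra fields were discarded."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        # An undeclared purpose is a design error, not something to collect for anyway.
        raise ValueError(f"undeclared purpose: {purpose}")
    kept, dropped = {}, []
    for key, value in payload.items():
        if key not in allowed:
            dropped.append(key)  # log the name for review; the value is never kept
            continue
        kept[key] = coarsen(value) if key in ("lat", "lon") else value
    return Intake(kept, dropped)


# Constructed sample: a client that over-collects contacts and a device identifier.
SAMPLE = {"lat": 51.50735, "lon": -0.12776, "device_locale": "en-GB",
          "contacts": ["alice", "bob"], "imei": "000000000000000"}

if __name__ == "__main__":
    result = minimise(SAMPLE, "weather_traffic")
    print("kept:", result.kept, "dropped:", result.dropped)
```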