The four principles

User Identity

People want to know that companies look after their data responsibly, but the root concern for people is protecting identity. To put it simply, people don’t want their personally identifiable information (PII) to be exposed. This goes for the companies we buy goods and services from as well as the ones that employ us.

Some of the most successful modern tech companies have built their entire business models around the collection of data, going to the nth degree gathering information and building profiles on users so they can profiteer from advertising.

In 2018, 98% of Facebook’s total revenue stemmed from advertising, and 85% of Google’s, giving us an understanding of how important data is to these companies.

We provide stacks of information about ourselves, both implicitly and explicitly, in exchange for discounted or free services. This has been under the assumption that our data, and subsequently our identity, would be properly protected.

The recent slew of data breaches has caused public faith in data privacy practices to dwindle — to the point where the demand for privacy-related products and services has surged.

  • The VPN market is set to be worth $54 billion by 2024
  • In 2010, the privacy search engine DuckDuckGo had 33,000 queries a day; in 2019, queries reached 35 million
  • One in four US internet users (roughly 70 million people) say they block ads

At Wandera, we’ve observed a 95% increase in privacy-related app installations across Wandera-managed devices over the past 6 months.

Companies have the means to collect substantial amounts of information on their employees, perhaps more so than they can on consumers. CVs, background checks, social media audits, HR and employee benefit data, emails, browsing history — the list of data points is extensive. And so, the principle of data minimization needs to be applied.

According to the UK Information Commissioner’s Office, under the data minimization principle:

“personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

“Identity and access management is an important part of securing corporate assets. When granting access we can reduce the risk by accurately establishing identity and leveraging relevant contextual factors. In doing so, we need to ensure that any personal information we utilize is either minimized or used in a privacy enhancing manner, thus protecting the privacy of the user.”

– Paul Simmonds, CEO at the Global Identity Foundation

What does this mean in the context of mobile security?

It’s widely recognized that password-based authentication is not enough to protect companies, nor is it a good enough method of authorizing access. Login credentials simply mean someone has access to those credentials — they do not confirm a person’s identity.

Companies need to use Multi-Factor Authentication (MFA) to accurately determine who is requesting access. MFA can be deployed in a variety of ways, but any method that requests PII should be avoided. Data minimization needs to be considered throughout the entire cybersecurity process.

Best practices for protecting identity information:

  • Collecting: Require no more personal information than necessary
  • Storing: Ensure that all collected personal information is encrypted
  • Using: Use opaque identifiers in place of personal information to hide identity

User Activity

Tracking employee behavior with productivity gains in mind is by no means a new practice. Henry Ford did this to great effect, but the level of detail granted by modern technology is worrisome to many. Companies are so focused on the optimization of everything that privacy is often sidelined.

There have been multiple incidents in recent years that have possibly impinged on employee privacy, including:

  • The Telegraph, along with many financial services companies, installed under-desk sensors to detect when employees were at their desks. Needless to say, this drew heavy criticism and the productivity program was stopped.
  • There are data analytics companies that scan employee emails and messaging platforms like Slack to assess company morale.
  • Hitachi sells a “happiness meter” to measure how employees interact and work. The device measures movement, speech, body language and more.
  • A company called Crossover has a productivity tool called Worksmart which logs keyboard activity, application usage, screenshots, and webcam photos to generate a timecard every 10 minutes.

In cybersecurity, monitoring network activity is undeniably important. Companies need to understand who is accessing corporate resources and from what devices, as well as determine ‘normal’ parameters so that anything unusual can be detected and flagged for greater inspection.

But employees inevitably have concerns around too much visibility. In Company Owned, Business Only (COBO) device ownership environments, there is an understanding that these devices are for business use only and come with all the necessary corporate applications and configurations.

However, in Company Owned, Personally Enabled (COPE) and Bring Your Own Device (BYOD) environments, what behaviors are okay for businesses to monitor?

Again, the principle of data minimization needs to be applied in the collection of behavioral data, limiting it to only what is needed for the intended purpose. This can mean:

  • Only collecting user information on the work profile of a device or when a user is using corporate applications.
  • Not continuously collecting location data
  • Not monitoring the access of applications which would be considered exclusively personal (e.g. social media, email, messaging, photos)

User activity also needs to be decoupled from identity within the system. This can be achieved by ensuring that identity information is stored separately from activity information.

Businesses need to think about how the personal information they hold can be further fragmented and anonymized. Can the payroll system operate with anonymous IDs? Does an employee’s home address and emergency contact information need to be stored in the same database as their contract and employment information? Separating the data reduces the possibility of misuse, malicious or otherwise, and ensures that any unfortunate data breach does not compromise the identity of the user.

Principles to ensure that activity information does not reveal personal information:

  • Collecting: Collect data based on each employee’s role and function
  • Storing: Decentralize data, starting by divorcing identity and activity information
  • Using: Aggregate statistics so that personal information is protected

Policy

With the intention of increasing productivity or, in some cases, complying with industry regulations, companies typically collect data to understand their employees.

  • Life Time Inc, a fitness chain, uses natural language processing to read communications between club managers to understand how they solve problems.
  • Ramco Systems, a software developer, reduced training time for its sales team by analyzing departing employees’ emails to identify their strongest client relationships, so that their replacements got up to speed faster.
  • Microsoft reviews data on the frequency and types of interactions between its employees to understand productivity, management effectiveness, and work-life balance.

The use of data to make decisions is commonplace, and this is no different in cybersecurity. Reporting and analysis are part of every technology suite and having more data increases visibility, enabling security professionals to better protect their organization. But end-user privacy and security don’t have to be mutually exclusive, and trade-offs don’t need to be made.

In a purely on-premises world, the privacy-security debate was less of an issue. But as work styles have changed and employees increasingly use personal devices for work, privacy-security concerns have arisen. While threats to security have evolved significantly, control over assets has diminished.

57% of enterprise data usage is mobile. Many of your personal habits can easily be gauged if your employer (or anyone else) has access to your location, private browsing habits and apps installed.

“Your employer controls your livelihood and if they say ‘give me this data,’ it’s very hard to say no.”

– Ben Waber, Massachusetts Institute of Technology

The previously discussed principles of ‘who, what and when’ with regards to accessing personal data provide clarity. But to maintain privacy, a ‘need-to-know’ principle for reporting must be established:

  • As few people as possible should have access to personal information. For example, what can administrators see in their console? Do administrators need to know specifically that John Doe in finance is on a risky hotspot, or who user8675309 is? Identifiable information of this nature does not necessarily aid the situation.
  • They should only be able to see what is necessary. All other information should be hidden — if you need to update an employee’s mailing address, do you also need to see their salary information?
  • Personal data, in any form, frequency or volume, should be accessed as minimally as possible.

The application of anonymization or pseudonymization can conceal the identity of an end user, but behavioral data should be viewed in aggregate form so that patterns can be understood by the business — without being linked to specific employees. However, the best policy for personal data is to delete it if it’s no longer in use.
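The opaque-identifier, decoupled-storage, need-to-know and aggregate-reporting principles described above, brought together in one added Python example (this is illustrative code, not code from the report or from Wandera). The HMAC key, the role names and the sample events are constructed for the demonstration:

```python
import hmac
import hashlib
from collections import Counter

# Constructed demo secret (not from the report). The key lives only with the
# identity vault; the activity store never sees it, so activity rows cannot be
# mapped back to a person without going through the vault's access check.
VAULT_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonym(employee_id: str, key: bytes = VAULT_KEY) -> str:
    """Opaque identifier: HMAC-SHA256 of the real id under a secret key.
    A plain hash could be recomputed by anyone who can guess the small id
    space; the keyed construction ties re-identification to holding the key."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


class IdentityVault:
    """Identity store: the only place PII and the pseudonym mapping live."""

    def __init__(self):
        self._people = {}  # pseudonym -> minimal PII record

    def enroll(self, employee_id: str, name: str) -> str:
        pid = pseudonym(employee_id)
        self._people[pid] = {"name": name}
        return pid

    def resolve(self, pid: str, role: str) -> dict:
        """Need-to-know: only the (constructed) 'hr' role may re-identify."""
        if role != "hr":
            raise PermissionError(f"role {role!r} may not resolve identities")
        return self._people[pid]


class ActivityStore:
    """Activity store: holds only pseudonym + work-profile events, no PII."""

    def __init__(self):
        self._events = []  # (pseudonym, app, event)

    def record(self, pid: str, app: str, event: str, work_profile: bool) -> bool:
        # Data minimization: events outside the work profile are never collected.
        if not work_profile:
            return False
        self._events.append((pid, app, event))
        return True

    def aggregate_by_app(self) -> dict:
        """What an analyst's console shows: counts per app, never per person."""
        return dict(Counter(app for _, app, _ in self._events))
```

Rotating VAULT_KEY changes every pseudonym, which is the lever for re-pseudonymizing historical activity data without touching the identity store.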

It seems simple, but in practice there are many opportunities for information to be accessed inappropriately. In March 2019, Facebook announced that thousands of its employees had access to data containing hundreds of millions of users’ unencrypted passwords.

It’s not only employees that might have access to personal data held by a business. The use of artificial intelligence also needs to be considered. There are concerns that AI trained using personal information and past decisions may reinforce discrimination, affecting the hiring, promotion, and firing processes.

Businesses should include these elements in their consumer and employee privacy policies:

  • Collecting: Only track data that is needed to complete business objectives
  • Storing: Hold personal information for no longer than necessary
  • Using: Govern access using clear user roles and permissions

Transparency

Companies shouldn’t collect user data without consent. People need to know why companies want their personal data, how they’ll use it, and the methods of collecting it. Being transparent about data collection is incredibly important when it comes to privacy. Without transparency, it’s difficult for individuals to trust companies, especially given recent privacy breaches.

Consider app permissions on mobile devices. Do we know why certain apps need access to particular features and information on our devices? For the most part, no. The table below shows the percentage of iOS apps that have access to each kind of personal information. Do you know which of the apps you have installed can access this information? Or why?

Permission        Percentage of apps
Location Always   25%
Microphone        23%
Contacts          16%
Health Share      3%
Health Update     3%

Regulators have taken an active role in ensuring that individuals have the information they need to make decisions regarding their privacy. However, the devil is in the detail, and regulations often use vague language that leaves some elements unclear:

  • GDPR contains numerous examples of undefined terms such as “undue delay” and “disproportionate effort,” which set no definite expectations for organizations because individuals, markets and contexts could cause these terms to be interpreted very differently. Additionally, there is no definition within GDPR of what “reasonable” protection means for personal data. A business’s definition may differ from a court’s, leading to fines for organizations that thought they were playing by the rules.
  • The California Consumer Privacy Act (CCPA), the regulation that grants the right to request that data be deleted, is also vague in some areas. However, to prevent another party from requesting data be deleted, the CCPA states that businesses should “promptly take steps to determine whether the request is a verifiable request.” There is no guidance as to how businesses should determine if a request is genuine and what reasonable steps to take might be.

The problem with the lack of clarity in regulations is that the majority of people don’t fully know what their rights are. In a GDPR questionnaire, many respondents misunderstood concepts such as the right to erasure, but this shouldn’t allow organizations to abuse the legal gray space. Overall, there is a severe lack of transparency around how data is collected, stored, processed and used.

The key principle here is transparency. A business should clearly articulate the details of its data collection and usage for its employees in some form, such as in its company policy handbook. A checklist of relevant considerations for an employee’s personal information across that information’s life cycle is given at the end of this report. In addition to articulating the policies, organizations should ensure that there is adequate training and communication of those policies during onboarding of new employees. And if there are any changes to how the data is being handled, they should be clearly communicated to employees.

In the UK, employees have the right to know what information their employers hold on them, and businesses may not hold that information for longer than necessary. However, a Harvard Business Review survey found that 58% of people trust strangers more than they trust their own boss. With a quarter of workers in the UK having quit jobs because of distrust, there are tangible benefits to providing clarity about how employee data is managed.

Providing a comprehensible and transparent policy to employees helps keep your business compliant with regulations and helps build trust.

Best practices for how employers should be transparent about personal information:

  • Collecting: Let employees know what information is being recorded prior to or at the time of collection
  • Storing: Be clear on why you are storing personal data and how long you will hold it
  • Using: Inform users if there are any changes to how their data is being used