
About the author: Vijay Sundaram is the CTO (Chief Strategy Officer) of Zoho Corporation, the parent company of ManageEngine. He is responsible for multiple areas, from corporate strategy and execution to channel management, business development and corporate sales.

Consumers don’t mind providing personal data to businesses such as Google, Facebook, and Twitter in order to access the services and solutions they want to use. But many do not understand that, under the hood, these companies build data collection into their business models and act as data collection and monitoring organizations.

Although users are often unaware of it, many companies allow third parties to place embedded code on their websites, which is used to capture, collect, or sell data on user behavior. As pointed out by Zoho’s chief evangelist Raju Vegesna, this “secondary oversight” has become a common practice without resistance from users, investors and business leaders.

The pendulum of such surveillance has swung too far, and thoughtful people are taking this seriously. In short, there are concerns that companies will collect and share user data without any restrictions. In fact, regulations on secondary surveillance have become stricter, and data privacy legislation such as the EU’s GDPR, California’s CCPA, New York’s SHIELD Act, and Brazil’s LGPD has been enacted in quick succession in recent years.

With tightening government regulations and growing social awareness, corporate leaders are beginning to look at this issue. But relying on the actions of politicians and regulators is not enough. Nor is it enough to comply with the law by means of notices filled with legal jargon and fine print. This kind of Machiavellian approach may be formally justified, but it is not moral.

It’s time for tech leaders to formally and explicitly adhere to their privacy pledges.

Don’t let advertising companies track users without notifying them

If your company is doing business by selling user data to third-party advertisers, it’s important to let users know what the data will be used for. In some cases it may be legally permitted not to disclose such information to users, but this is not appropriate.

Since its founding in 1996, ManageEngine (which was doing business as Zoho at the time) has refused to run third-party ads on its websites and products. We do not allow any third-party tracking code to be embedded within our site, in order to prevent any secondary monitoring. Social media share buttons may seem harmless, but they should be eliminated as well, as they can essentially act as a Trojan horse.
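One way to check a page against a "no third-party embeds" policy like the one described above. This is an added example, not ManageEngine's or Zoho's code; the page URL, every host name in the sample and the two-label `site_of` heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute makes the browser contact another host on page load.
FETCHING = {"script": "src", "iframe": "src", "img": "src", "embed": "src", "link": "href"}
# <link> only triggers a fetch for these rel values; rel="canonical" is metadata.
LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch", "icon"}

def site_of(host):
    """Last two DNS labels. Assumption: adequate for the sample; a real audit
    should use the Public Suffix List (co.uk-style suffixes break this)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname)
        self.third_party = {}  # host -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCHING.get(tag, ""))
        if not value:
            return
        if tag == "link" and not LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        target = urlsplit(urljoin(self.page_url, value))  # resolves /path and //host forms
        if target.scheme not in ("http", "https") or not target.hostname:
            return  # data:, javascript:, mailto: and similar contact no host
        if site_of(target.hostname) != self.first_party:
            self.third_party.setdefault(target.hostname, set()).add(tag)

def audit(page_url, html):
    """Return {third_party_host: [tags]} for every static embed on the page."""
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    return {host: sorted(tags) for host, tags in sorted(auditor.third_party.items())}

# Constructed sample page (not from the article); all hosts are placeholders.
SAMPLE_URL = "https://www.shop.example/product"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.tracker.example/t.js"></script>
<link rel="stylesheet" href="https://static.shop.example/site.css">
<link rel="canonical" href="https://other.example/page">
</head><body>
<img src="https://pixel.adnet.example/p.gif?uid=1" width="1" height="1">
<iframe src="https://social.example/share-button?u=https://www.shop.example/product"></iframe>
<img src="data:image/gif;base64,R0lGOD">
</body></html>"""
```

This only sees embeds present in the served HTML; anything a script injects at runtime needs a browser-based check or a restrictive Content-Security-Policy to catch.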

Notify customers if integration with a third party could lead to tracking of user data

If a company is financially dependent on such activities, it needs to remain transparent. Taking Google as an example, most people feel that using Gmail is okay, because users find it worthwhile to provide data to the search giant. But if Google uses user data to secretly partner with credit card and healthcare companies, that’s a completely different story.

In 2018, Google partnered with medical organization Ascension to launch a data-sharing project, Project Nightingale, that was unknown to Ascension patients. Subsequent investigations revealed that Google did not in fact violate HIPAA or other laws, but without the scoop the public would not even have known about the plan. This type of informal health data partnership is also likely to be widespread.

As another example, Google secretly partnered with Mastercard to collect consumer retail spending data in order to compete with Amazon. When this secret partnership was revealed, the two companies claimed not to share any of their customers’ personal information. According to Google, it used a double-blind encryption technology that consolidates and anonymizes user data. The two companies have repeatedly claimed that all of the personal information is “unidentified,” but the deal was never disclosed to Mastercard or Google users. This partnership with Mastercard is perhaps not a one-off deal for Google. Through its AdWords blog (now integrated into the Google Ads community), Google has stated that it has access to 70% of credit and debit cardholder information.

What is the lesson of this story? Don’t be like Google.

Use cryptographic tools to protect customer data transferred over public networks

Whenever a company sends user data over a public network, it must use strong encryption on all server connections. Follow the Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS) protocols to ensure that there is always a secure connection between web browsers, corporate servers, and all third-party servers. The TLS protocol not only allows both sides to authenticate, but also encrypts the data, preventing third parties from eavesdropping on or interfering with the data transfer.

Consider investing in an in-house data center

If economically feasible, businesses should either store customer data in their own data center or own the servers in the data center. By not relying on third-party data centers or public clouds, they can not only strengthen their data privacy initiatives but also reduce costs over time. In addition, businesses stand to benefit as more users come to value companies that strive to protect user data.

Since ManageEngine is a private company, it does not depend on external shareholders, and management can see things from an ideological perspective rather than a financial perspective. Although it has maintained a stance of emphasizing user privacy since its inception, the current surveillance environment has caused considerable opposition within the organization. Certainly, the company may have missed some business opportunities by taking such a hard line on privacy.

However, Mr. Vegesna asks: “If a company succeeds financially but fails morally, is it worth it?”

