#Opinion Invasion of Privacy or data vulnerability? Let’s call it plain stupidity

Facebook data scandal

Rahul Vengalil shares his take on the recent Facebook data scandal, shedding light on how tools, brands, and agencies can contribute in achieving data security.

Ever wondered why the DND doesn’t work? Or why you get to see the ad of a rare product on Facebook, within 24hrs of you discussing that offline? How many times have vendors reached out to marketers on LinkedIn in with the message “6 million verified phone numbers for as low as INR 10000?” . Ever wondered how they got those 6million numbers? Inadvertently, everyone in the marketing-tech space is responsible for the data leakages. You can call it data breach, invasion of privacy, data vulnerability, etc. I call it plain stupidity & oversight.

Before getting into the technical aspect, let us understand how lax we are as companies & Individuals about our data. My colleague & friend, once did an interesting experiment to understand how his mobile number is being sourced, sold & resold. As an advertising & media professional, he used to meet clients on a regular basis. As part of the entry process into any company, he used to fill his phone number at the Gate as well as at the reception. What he did do was give an alternate number, which not a single friend or acquaintance of his ever had. Lo and behold, he started getting promotional calls on that particular number, which not a single soul had, within 3 months.

Data breaches have been common for a long time, not just in India, but globally as well. 9/10 users on LinkedIn were asked to change password couple of years back, same story with Twitter, 90% of the mail accounts on Yahoo were hacked & personal data leaked. Nobody really cared when one should have. There was no tangible impact on any of these on both the consumers as well as the brands. The one story that really got nasty though was Ashley Madison leak in 2015, when millions of adulterers’ data was hacked & leaked and the whole world went berserk. It impacted individuals directly and that’s the primary reason it was a big deal. Avid Media Life, the parent company finally settled two dozen lawsuits for $11.2 Million dollars.

Also Read: Ashley Madison and the naked truth of social media data

The irony that I have found in the last 12 months is that it’s easier to get a brand’s customer data when compared to its marketing data.

Moving on to what is actually happening in the world of data, and how companies are often clueless on how the data is being used misused. Let us look at some use cases first

  • An advertiser, directly or via their media agency gives the 1st party data to Facebook, Google and the likes to create custom audience, lookalike audience, retargeting. What they often forget is that these advertising platforms are in turn cultivating the data that you are sharing with them. The question is “WHO IS RESPONSIBLE FOR THE CUSTOMER DATA?”
  • An advertiser gives the 1st party data to its media agency to send a mailer campaign, which is further sub-contracted to a third party. The campaigns are done; the data still remains with the third party. “WHAT IS THE LIMIT TO WHICH THE 3rd PARTY VENDOR CAN USE THE DATA?”
  • An advertiser gives the 1st party data to an employ in the marketing team. His/Her laptop is stolen in a conference on data security. “WHAT HAPPENS TO THE DATA, AND WHAT ARE THE PROTOCOLS DEFINED IN SUCH INSTANCES?”
  • An eCommerce website has got the wrong integration and throws up error that showcases the path of the directory of its data stored. “WHO SHOULD TAKE CORRECTIVE STEPS IN SUCH INSTANCE, THE CDO, CMO, CIO?”
  • An advertiser website’s backend is attacked and all the data is stolen by hackers and sold to vendors and dark web for pittance, who in turn sell the data to the same advertiser. “WHO HAS THE RESPONSIBILITY OF SAFEGUARDING THE DATA, HOW OFTEN IS VULNERABILITY ASSESSMENT & PENETRATION TESTING (VAPT) DONE, WHAT IS THE PROTOCOL, WHO IS DOING THE VAPT?”
  • As a user you ask your browser to save your password as well as CREDIT CARD details. Imagine that browser leaks the data to a third party. “WHO IS RESPONSIBLE HERE, THE CONSUMER, THE BROWSER, OR THE COMPANY WHERE YOU HAVE STORED THE CREDIT CARD DETAILS?”
  • You are using connected devices, owned by different companies. Your data is vulnerable as it is passing between companies and the wrong implementation or handshake, puts your data at risk and we have seen that happen.
  • An advertiser runs a campaign inviting images to be uploaded, the backend if hacked and data leaked can pinpoint the location where the image was taken using meta tags, leading to an increased concern on safety/stalking and the likes. “DO ADVERTISERS TAKE THE OWNERSHIP OF THEIR CUSTOMER’S SECURITY?”
  • Also Read: 3 things about Facebook that will have a bigger impact on our lives than Cambridge Analytica scandal

    As a marketing audit firm, our recommendation to companies and advertisers is to first understand the impact that data breach can have on your business. It is not tangible only until it surfaces. Once it does surface, all hell will break lose. Facebook lost over $100BN in 10 days, and that loss alone is than India’s biggest company Reliance’s market cap. The top activities that any company who is serious about customer data should do are:

    1. Understand the flow or handshake that happens to the data, both incoming & outgoing. This will help you in understanding all the participants who would be handling your customer data
    2. Create rules & guidelines specially for data, with every vendor that the advertiser directly or indirectly shares with
    3. Always encrypt or encode sensitive data while it is stored in server
    4. Check for vulnerability periodically, especially after any new builds
    5. Use a third party who understands the importance of data security to assist you in this endeavor

    Comments

    VOTING LINES OPEN NOW - BSMB