Consumers know that companies track their internet interactions, and they can often identify when it’s happening. According to Pew Research, 83 percent of consumers frequently or occasionally saw ads that appeared to be targeted based on their browsing history. While some customers are demanding better data privacy protections, organizations are finding out the hard way that increased data privacy forces a tradeoff with cybersecurity.
Why is Data Privacy Such a Big Deal?
Data privacy keeps personal information from falling into the hands of criminals who might use it to steal someone’s identity. Historically, it referred to information like names, addresses, and credit card numbers, but now, businesses are also storing users’ browsing histories and purchase information to improve their marketing campaigns.
Businesses want to protect this data because it gives them a competitive advantage over other vendors in their industry. Plus, businesses that don’t take data privacy seriously may quickly alienate their customer base. The problem is, many people feel some of the tracking that companies do is invasive, and they aren’t getting full visibility into what those organizations are using their data for.
Bryan Oliver, Senior Analyst at Flashpoint, says, “There is nothing wrong with browser fingerprinting or cookies, but the fact that third-party advertisers also use them to build a unique profile of your device and track your browsing activity for use in advertising can be a privacy concern.” This data, too, can fall into the wrong hands and cause problems for users.
Oliver explains, “Now, because fingerprinting has become more common, threat actors are realizing that a username and password are no longer enough to compromise an account; therefore, malware has begun to steal all sorts of information about a victim in order to construct a fingerprint. Threat actors can use this data to emulate a victim’s device, mimicking its operating system, installed software, and other information to trick fingerprint detection systems.”
How Does Increased Data Privacy Affect Cybersecurity?
For some cybersecurity measures, increased data privacy procedures can actually make security more difficult. Device fingerprinting, for example, allows an organization to match user credentials with devices and locations, so a login from an unfamiliar device would trigger an alert. Sam Crowther, CEO of Kasada, explains, “The more data you can collect about someone and the more cookies you can put on a device, the better you can fingerprint, the better you can watch behavior, and the more data points you have to make a decision.”
Crowther goes on to say, “It becomes problematic from that standpoint when you remove it because now there are two very, very valuable data points that are usually quite reliable to make decisions on that are gone. So legitimate customers look the same as an illegitimate hacker when they come in, in a browser that you can’t use either. The result of that is usually organizations trying to force other ways to identify like two-factor authentication or stronger passwords, which usually has some sort of negative impact on user experience.”
When user experience is bad, employees and customers look for workarounds to security measures, and those workarounds can create new vulnerabilities.
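The trade-off described in this section, as an added example (not code from the article or from any vendor quoted in it): a login check that matches credentials to known devices and locations, and falls back to step-up authentication when the fingerprint and cookie are missing. The `Login` fields, the `KNOWN` profile store and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-account history of devices and locations seen before.
KNOWN = {"alice": {"devices": {"fp-a1"}, "countries": {"US"}}}

@dataclass
class Login:
    user: str
    fingerprint: Optional[str]  # None when the browser blocks fingerprinting
    has_cookie: bool            # device cookie left by an earlier session
    country: str

def assess(login, known=KNOWN):
    """Return (decision, reasons) for a login whose password already verified."""
    profile = known.get(login.user, {"devices": set(), "countries": set()})
    reasons = []
    if login.fingerprint is None:
        reasons.append("no_fingerprint")
    elif login.fingerprint not in profile["devices"]:
        reasons.append("unfamiliar_device")
    if not login.has_cookie:
        reasons.append("no_device_cookie")
    if login.country not in profile["countries"]:
        reasons.append("unfamiliar_location")

    if "unfamiliar_device" in reasons:
        decision = "alert"      # credentials used from a device never seen
    elif "no_fingerprint" in reasons and "no_device_cookie" in reasons:
        decision = "step_up"    # both device signals gone: ask for a second factor
    elif "unfamiliar_location" in reasons:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, reasons

if __name__ == "__main__":
    samples = {
        "usual device":       Login("alice", "fp-a1", True, "US"),
        "unfamiliar device":  Login("alice", "fp-zz", False, "DE"),
        # A privacy-conscious customer and a fresh-browser bot send the same
        # signals, so the check cannot tell them apart and both get step-up.
        "privacy-conscious":  Login("alice", None, False, "US"),
        "fresh-browser bot":  Login("alice", None, False, "US"),
    }
    for name, login in samples.items():
        print(name, assess(login))
```
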
How Can Companies Protect Users Without Tracking Data?
Some cookies are necessary to verify devices, but there’s a lot of data tracking that should be optional. Oliver says, “Cookies are generally needed for authentication, and fingerprinting is needed for anti-fraud, but neither poses much of a privacy concern if it’s only used for identification and authorization. By informing users about the ways in which cookies and fingerprint technologies might be used for advertising and giving them the option to opt out of these uses, companies can keep a positive user experience and protect data privacy while still mitigating fraud.”
Crowther says bot mitigation tools help ensure traffic is legitimate. “Bots take advantage of this exact feature, where it is more and more common that people don’t have device fingerprints because it makes them look more legitimate,” he says. “A bot is typically just going to be a new browser that’s never been used before. It has no cookies, and now that we’re in an environment where that’s more common, it definitely makes it much harder to distinguish.”
Should Businesses Prioritize Data Privacy?
Businesses should always prioritize data privacy, but they don’t have to sacrifice cybersecurity to do so. Organizations that collect data in order to improve their advertising need to give their customers opt-out options and only gather the information that will help them identify illegitimate traffic. They should also rely on other security measures, like multi-factor authentication and SSL certificates, to keep their customers’ personally identifiable information secure. Additionally, a bot mitigation program can help differentiate between legitimate and illegitimate traffic to further protect users.