Wake Up and Smell the JavaScript
The SolarWinds attack showed the true meaning of a supply chain breach. And it's the canary in the coal mine for sensitive data on the Web.
Even before the pandemic hit and everyone flocked online, companies were investing significant time and resources in building great online experiences for their users. But all that usability comes with a price tag in terms of risk. Today's websites are essentially a conglomeration of Web-enabled assets, a massive global supply chain that nobody really thinks about in this way. And that's a big data-privacy problem that's about to get a lot bigger.
What do all these connected parts have in common? JavaScript. "Write once, run everywhere" has been the backbone of today's rich Web — but that portability has massive implications for both data security and data privacy. Magecart is driving awareness of the security aspects, but many businesses seem unaware of the growing privacy implications of uncontrolled data sharing by trusted Web applications. The Web has largely been ignored when it comes to understanding data-privacy risks. Enterprises take care of the data in their databases and how they store customers' and other sensitive data, but more often than not, the Web is where data is invoked.
What happens when the same applications and integrations that deliver rich user experience and insights share that sensitive information with third, fourth, or fifth parties outside your organization's control? You can get an idea by looking at dating site Grindr and a pending €10 million fine for sharing user data with advertising companies without the consent required under the General Data Protection Regulation (GDPR).
Are website owners really doing enough to protect users and understand these emerging risks?
Start Caring About Oversharing
Forms found on 92% of websites expose data to an average of 17 domains — climbing to 20 if you happen to be a top mobile service provider in the European Union, where (depending on the country) passport scans and copies of pay slips are among the documentation requested to sign a contract. That's a lot of oversharing. And what about the multiple trusted applications on your site — Google Ads, chatbots, etc.? While many of these applications are set to collect data, many organizations aren't aware of the exact kind or extent of the data they're collecting.
Can you genuinely claim to know exactly where all this data is flowing? Do you know:
Which vendor has access to what sensitive data?
Which vendor reads sensitive data?
Which vendor shares sensitive data with other vendors?
Because if you don't, you should. Regulations, including GDPR and the California Consumer Privacy Act (CCPA), require enterprises to be aware of where sensitive data is flowing, as well as the purpose of these data flows.
Why It Matters
Unintentional data exposure is a significant, unaddressed problem for most of the world's website owners. When we fail to secure data as it's entered into websites, we're effectively leaving it hanging: the only reason it's not being stolen is that criminals haven't taken it. Yet.
Equally, when we overlook the need to understand how trusted applications share data, we run the risk of simply giving it away — without our users' consent.
Everyone talks about security in depth, security beyond the perimeter, and data privacy. It's time to focus on the place where those things intersect: the browser.