The Privacy War Is Coming

Privacy standards are only going to increase. It's time for organizations to get ahead of the coming reckoning.

Damian Tommasino, Principal Security Engineer, Feroot Security

December 5, 2022

5 Min Read
Privacy concept art
Source: Skorzewiak via Alamy Stock Photo

Since the dawn of digital marketing, people have been asked to provide their personal information in exchange for information online. This "information swap" is still a common digital tactic. However, it isn't just marketing forms that collect data. Contact forms, checkout carts, and digital healthcare forms are all examples of ways data is being captured.

While data privacy hasn't been the biggest priority for many Web applications, there is a reckoning on the horizon. We are seeing a growing number of news stories about companies doing shady things with customer data, litigation popping up over excessive data collection, massive General Data Protection Regulation (GDPR) fines for broad-based privacy policies, and the first-ever fine under the new California Consumer Privacy Act (CCPA) regulations. While there are still very limited privacy standards in the United States, the Federal Trade Commission (FTC) is on the warpath in regard to data privacy, and its reach includes punitive actions against company executives too. It's time for organizations to step up and start getting ahead of these privacy issues.

What Exactly Is the Problem?

Presently, we are facing two major challenges when it comes to digital privacy: data collection without consent and abuse of data collection with consent. Both of these issues stem from the growing level of complexity and third-party code in modern Web applications. Additionally, more application logic and functionality has been moving to the client side (inside the browser), where traditional security tools can't reach. This lack of visibility and protection within the client side is creating the perfect privacy storm for organizations of all sizes.

Let's look a little deeper into the two major issues organizations are facing today.

Stop Stealing My Data (Without My Consent)

Today, when you fill out a form or create an account online, there is an expectation you are going to be marketed to. The privacy policy and terms of services often spell out that your information will be used for marketing purposes, analytics, and advertising. But what happens when your data is sent to third parties before you submit the form? Or worse, what happens when data about you, your browser, and the device you are on is captured before you consent to anything?

This type of data collection may not be the intention of the organization, but nevertheless, inclusion of third-party code makes this invisible data capture a reality. While conducting an analysis of dozens of popular software-as-a-service (SaaS) applications, we found that more than 85% of the time, third-parties are capturing your data before you submit a form. This data capture without consent is reminiscent of digital skimming attacks, which perform very similar types of data capture for malicious purposes.

Stop Sharing My Data (Even With My Consent)

The second problem we run into is when you complete a form, like signing up for a new account, and explicitly agree to the privacy policy. While you are acknowledging that your data is likely to be shared, it is important to understand with whom it will be shared. Often we find that privacy policies for organizations are written in an extremely broad manner to offer the greatest flexibility and liability reduction to the organization, without any regard for the individual.

If your data is sent to a dozen third parties when you sign up for an account, the risk of having your data exposed in a cybersecurity incident increases significantly. It's no longer just the company in question that you have to be concerned about but all of the third parties that receive a copy of your data.

How Can We Fix This?

As an individual, the best thing you can do is use a privacy-focused browser extension like uBlock Origin or Ghostery. Both can help automatically filter out third-party digital trackers while adding a layer of protection to your privacy. While it's impossible to account for every single third-party risk, this initial layer of protection is a step in the right direction.

But what about organizations? This is slightly more problematic, due to the complexity of modern websites and Web applications (as I touched on earlier). In order to tackle this privacy challenge, organizations need to focus on two key areas: data asset identification and data access to those assets. In other words, what types of data are you collecting and which third-parties have access to that data.

Since most Web applications don't have a centralized mopping of all input fields, the identification process requires someone (typically from the application security team) to manually inspect each webpage for inclusion of data assets.

Once each data asset is identified, another review of those webpages will be required, this time to manually investigate what third-party code is loaded on the page and which parties have direct access to the data assets.

This entire process is incredibly time consuming and is further complicated by the fact that application security teams don't own the application. This will require multiple teams, such as marketing, legal, development, product, and AppSec, to work together in order to determine what third-party code belongs for critical functionality and what needs to go.

The time and resource cost associated with bringing better privacy protections to your Web applications may not seem worth it at first, but consider the dual costs of a fine (from the Federal Trade Commission) and erosion of trust from your end users. The push for better privacy standards is on the rise, and it's only a matter of time before each state has a digital privacy requirement in place.

About the Author

Damian Tommasino

Principal Security Engineer, Feroot Security

Damian Tommasino is a Principal Security Engineer at Feroot Security. He has more than 12 years of experience in the cybersecurity industry working with a variety of companies across the public and private sectors. Currently, he is focused on client-side security research and protection.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights