Privacy Policy Ideas and Other Privacy Matters

We run a monthly cybersecurity meetup, and at our last meeting we focused on privacy policies. While they're not the most glamorous things to look at, we wanted to share some privacy policy ideas and other privacy matters that came up in the conversation. The first of these relates to consultants and contractors that have long-term working relationships with their clients.

For consultants who work with organizations that require remote access, and where the engagement is a long-term working relationship, the client should provide the consultant with updates on changes to its vendors and policies every six months.

Another thing that came up was having very granular opt-in privacy settings that map directly to a business's privacy policy. Currently, there are sites that allow you to manage some cookie settings when you visit them, but this doesn't go far enough, as these settings mostly take the form of opting out of data collection or activity monitoring rather than opting in.

For example, if someone is signing up for an online account for a service, we understand that an email address, a name, and (sometimes) a date of birth are required to create and access an account, password notwithstanding. The account holder should be able to opt in to other uses of their email, such as marketing. This already exists in some places, but can we take it further? For social media platforms, there should be an opt-in setting that controls whether the platform may analyze your text, videos, audio, and images for targeted marketing, separate from whatever a user chooses to post for others to see. While decentralized social networks like Mastodon and diaspora* exist and give users greater control over their data, mass adoption isn't there yet. We're stuck with Facebook, Instagram, Twitter, LinkedIn, Snapchat, TikTok, and the myriad of others where we aren't afforded greater control over our data.

Then there's the can of worms we're about to open regarding people search engines, which are in dire need of regulation, but that's a whole other issue. Credit is due to those search engines that make it a breeze for someone to remove their data from their sites. But then there are those we've encountered that bury their removal tool, for lack of a better term, in a hyperlink mapped to a single word, like "here," multiple pages down in their privacy policy. Worse still are those that resort to extortive practices to get this data removed from their platforms, meaning you have to pay some amount of money to remove information you never consented to them collecting in the first place, regardless of whether it's publicly available. While we do leverage some of these tools in our OSINT research, we recognize the danger of them in the wrong hands and how they affect people's privacy and physical safety.

Perhaps the most interesting idea, which one of our group members came up with, deals with the app permissions listed in an app store. The idea is that each permission listed is labeled with its specific use. An example permission is "Read your contacts." The label would state something like "This is to allow you to invite your contacts to use the app and to communicate with them." If the developer of the app is also using your contact list to market to others, the label must state that too.

These were some of the interesting conversations that happen in our group that we wanted to share. If you would like to join in on our discussions, we meet virtually on the second Thursday of each month at 8PM EST. To get the event registration link for our monthly meeting, sign up for our newsletter.

We also post this information to our socials, so make sure to follow them as well.

What are your thoughts on privacy policies? What do you see that needs changing? How do we set these changes in motion? Send us your thoughts in the contact form below.
