Experts' Reaction On Bill Introduced To Put National Security Warnings On TikTok, FaceApp

It has been reported that legislation introduced yesterday could require consumers to click through a warning before downloading software or an app originating from countries deemed a national security risk, including China and Russia. It’s the latest congressional measure to target popular apps like the Russia-based FaceApp and TikTok, owned by the Beijing-based ByteDance, over privacy and security concerns.

Experts' Comments

April 22, 2020
Sam Curry
Chief Security Officer
Cybereason
With globalization at an all-time low, and the United States being more and more a connected, digital nation, attention is now turning from basic security online to national security and the importance of privacy data about Americans collectively and individually. Most consumers still don’t understand the importance of their data to themselves, let alone to the wider communities to which they belong: corporate, local, state, national and even digital tribes and interest groups. This data matters, though, and it’s important for consumers and the public to become more aware of this. In approaching any legislation here, let’s keep in mind that laws and regulations must be above all pragmatic. We need to know the likely human behaviour of the users when faced with a click-through. Companies must not be able to bury the notification and approval in walls of text that basically say “blah blah, do you want this or not” as they did with EULAs from the spyware era or with the useless click-to-continue popups of early personal firewalls. We should also not seek to bayonet the wounded: we can’t demonize users of social media who choose to use them knowing the risks or not. No one should be called out as a traitor for clicking “I agree” on any popup. Informed consent, personal or national, isn’t solved with a popup and companies can find devious ways to follow the letter of the law if not the spirit. Finally, let’s make sure that we solve the real issue of basic civic education in a connected world and don’t make this another example of tit-for-tat in the new geopolitical landscape. There’s no substitute for having people really understand their privacy, domestic or foreign-influenced, and for practicing good online hygiene and behaviour.
April 22, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Transparency is key to any data protection strategy. While placing a warning on apps based on their origin can help control unexpected data spread, it only works if applied equally and with an understanding of how data management works. For example, if a warning label clearly states where the app was developed, the name of the organisation and location where it’s based, the type of data collected and where the servers processing the data are located along with a link to the organisation’s privacy policy, then individual users are in a position to vet whether they wish to download the given app knowing their personal risk tolerance. If to that warning label additional awareness of the security risks present within the country of origin or the country where data is processed are then added, users can make a more informed decision as to whether they wish to use the app. Of course all of this presumes the person downloading the app cares about protecting their personal data, but it is a start and is in line with other global initiatives surrounding the security of IoT devices and routers.