One Thing To Do Today: Institute “Beyoncé Rules” for vetting apps
TL;DR: An app or service you don’t have can’t spy on you. Be choosy.
From all of the previous work, I’ve been able to create a targeted, ranked list of recommendations, topped by actions to reduce attack surface. Let’s jump right in.
If you don’t want random employees rifling through your location data as the ones at Uber did to Beyoncé’s, have standards. You’re worth it. It shocks exactly no one that normal people with access to that kind of data spied on their romantic interests and famous people. If Uber execs had spent one second talking to Santa, they could have thought of this scenario. The thing is, they probably did. But Travis Kalanick is just not that into you. Into your money, yes; your safety and well-being, not so much. For many tech companies, users are barely better than Non-Player Characters. That’s the normal. It’s time for some pushback.
So what to ask of an App, or really any technology, standing on your doorstep with flowers waiting to take your data for a spin?
- Is it open source?
- Is it 3rd party audited?
- How often is it updated?
- Are you downloading a verified build?
- How many apps does the developer publish?
- Is the developer from a country where their gov’t can force backdoors?
- How often is the developer/app mentioned in industry publications that spend money on long form journalism?
- Follow the money, who’s the real customer?
- Who are the VCs? I.e., is the business model all about the exit?
- Is there an active user community? Is it well supported?
- Are privacy settings granular or more “love us or leave us”?
- Do they only collect the minimum amount of data to provide functionality?
- Do they explicitly mention the encryption used in transmitting your data to their servers?
- Do they explicitly mention the encryption used in storing your data on their servers?
- Do they mention who has the keys to said encryption and how that’s enforced?
- How does the company treat its employees? (Why? To say the very least, disgruntled employees represent a security risk. This includes subcontractors and factory workers overseas.)
- Are the employees diverse? (Again, to say the very least, there will be more points of view looking for threats)
- Is the app or service designed to fail gracefully when there is no internet connection?
- When they were hacked in the past, were they open about it?
- When they were hacked in the past, did they learn from it?
Each of these questions can be backed by a full post of justifications for its inclusion, but a checklist scans more quickly while vetting. If you don’t like the answer to any of these questions… Well, imagine your data as the diva-est of divas and walk away from the Angry Birds. You deserve so much better.
UPDATE: Atlantic Monthly article on Apps stealing data and FTC information on 71% of apps not having privacy policies that need one via @profcarroll