A couple of weeks ago Facebook founder and CEO Mark Zuckerberg came before the U.S. Senate and House of Representatives for two days of Congressional hearings. The focus of the hearings was to address the recent concerns for consumer privacy, in light of the Cambridge Analytica scandal. Questions from the senators and representatives ran the gamut from privacy to the building blocks of the internet.
Though the focus of the hearing was clearly on Facebook’s privacy errors, the hearing has much broader implications for all companies. This is one of the first times in recent years that the legislature has taken very serious steps to create new internet regulations, and we can expect to hear more about privacy and data regulation in the near future. That being said, there are two big takeaways from these hearings that apply to all companies.
We are in the information age, where user data is king. Many companies are seeking to provide a custom tailored experience to every user. This requires that companies gather data on their users to tailor their content. Facebook repeatedly came under fire for two key areas related to privacy: unclear disclosure/controls for user data and overexposure of user data through APIs:
Unclear Disclosure/Controls for User Data
Companies need to make sure their users have a clear understanding of what data is being kept and how to control that information. This can seem like a daunting task, but a good place to start would be to evaluate the applications against an existing set of standards.
Overexposure of User Data Through APIs
Outward facing APIs are at the core of many companies’ business models. Many of the fears associated with regulating a company’s APIs are the impacts on innovation within the development team and the impact on the consumers of those APIs. In a previous post, Jason Goth, Partner and VP at Credera, helps to outline how to not only govern API development, but also enable it, showing that innovation and governance don’t have to be at odds.
2. Response Time
Another central theme of the hearing was the time it took Facebook to take action after they discovered they lost user data and publicize the information. A company’s ability to respond to data breaches and be able to communicate these breaches to the affected parties is vital. At this point in time it is not if a company will come under attack, but when. Having systems to respond rapidly and take stock of the damage is a must have for all companies.
One way to implement and test response time is for a company to attack itself. Netflix likens this practice to changing a tire:
“… One way to make sure you can deal with a flat tire on the freeway, in the rain, in the middle of the night is to poke a hole in your tire once a week in your driveway on a Sunday afternoon and go through the drill of replacing it. This is expensive and time-consuming in the real world, but can be (almost) free and automated in the cloud.” (Sharma, Sanjeev. The DevOps Adoption Playbook)
Netflix regularly pops its own tires by using its open source tool Chaos Monkey, which randomly brings down areas of the application in production. This tests the application against its worst-case scenario while developers practice responding quickly and addressing the most vulnerable areas of the application. By “changing the tire” regularly, Netflix has the confidence and know-how to address issues head-on and the ability to identify affected areas and users.
Tech companies need to be aware of privacy and response time and be prepared to answer uncomfortable questions in the public spotlight if something goes wrong. Ideally, tech companies could prevent an issue entirely, but even having good answers will help minimize any potential fallout.
Please feel free to contact us at firstname.lastname@example.org if you have questions or would like more information on any of the topics discussed above.