privacy

Security VS Privacy: in search of a fair balance

How long have you not been online today?

Since 2007, humanity stood on the path of Internet addiction.The famous “We have reinvented the phone” sounded 12 years ago on the presentation of the first iPhone. That phrase marked the beginning of a new era. The attitude towards information as well as the entire service industry have been changed and reinvented alongside with the possibility of unlimited and permanent Internet connection. Everything happens online today as every even a little self-respecting company should have a solid and functional website, complemented by a mobile application. Wi-Fi-networks development, the connection quality, and speed improvement provide the continual contact with customers.

But the wonderful new world brings up new problems, which started bothering both users and business every day. For example, few minutes of being online lead to user data availability in the web for a much longer time. As the result, users became focused on their Privacy. At the same time, financial institutions and the online business in general began paying more attention to their Security.

These two things seemed to have simply improved the lives of both business and users. But pursuing their own needs, the financial institutions security and end-user privacy do not always correspond, and often contradict each other.

Why is it happening?

Let’s try to figure out what we mean under“Security”.

Financial services are closer than ever today. In the very beginning, financial institutions expanded their office network to almost every location. Within a number of years this approach gradually converted into expanding the business via online through developing fully operative personal online accounts. Any financial transaction can be made today via constantly improving mobile applications. Common day-to-day operations have become more intuitive and effortless with every newly appeared features of smartphones. We are assured that banking is easy. Those who do not not have at least one bank-app on their phones are left far behind the progress or at least complicate their lives.

As the result of this we have got the illusion that loans (as one of the main financial services provided) are easily accessible. You can get “vacation”, “car”, “smartphone” or some other advertised goods by just one finger snap. Active and attractive marketing campaigns demand attention from even an apathetic client who more and more often replies to such demand. In addition to that, the true hunt for user’s information is always hidden behind these bright images or clips. In order to successfully “offer” a loan, lenders are collecting any possible data regardless how much they really need it; their systems receive all necessary information with every credit application. Analytics and risk policies are based on every new personal and sensitive data requested via questionnaires and other similar stuff. In some cases personal data becomes a separate source of revenue and always becomes a source of additional risk for both the organization and the data owner.

Gigantic questionnaires and forms are compiled and used for data collection; all this information needs to be stored. As the result additional data increases the infrastructure overload, complicates internal and external processes and operating costs. Similar to a demanding child who needs thorough attention and care data security requires even more costs and restrictions. The attitude towards data becomes either pragmatic or extremely cautious; data storage becomes the most protected and inaccessible part of the business, hidden behind many locks.

The process is also complicated due to methods of data storage and security. Data hashing is thought to be one of the most common ways to provide data security. In this case data is depersonalized, converted into an alphanumeric code and stored in a hashed form. Seemed to be convenient and reliable this method may lead to data and business damage. At first, depersonalization algorithms (no matter how sophisticated they are) have a chance of a collision. For example, different data lines may receive the same combination of letters and numbers which will lead to an innacuracy of carefully protected personal data. Secondly, there is always a possibility of a reverse conversion even for hashed data. There is no need to be Turing to break this code. With basics in mathematics and server capacity is is possible to convert hashed data to personal again.

Despite all efforts, the most successful and protected companies’ databases suffer from hacks and leaks. Unfortunately, recent scandals with Marriott, Facebook and Google+ will be replaced by new ones very soon. Despite all protective measures and efforts taken to secure the data it remains a valuable commodity on the shadow market. Publicity of such scandals brings enormous company brand risks and makes people scared every time they hear about such cases. It becomes clear to users that they have to take Privacy in their own hands as personal data cannot be always entrusted to businesses and IT companies.

Human is being an owner by his nature. Being protective of their personal and sensitive data becomes just one of the aggravated behaviors, especially in the 21st century. Dislike for unnecessary questionings, suspicion of the Internet and great efforts to make the stay on the network as invisible to third parties as possible are the results of protective reaction and privacy thirst. People’s mood is also worsened by stories about the “dark side” of the online existence. A simple distrust of the open Internet transforms into excessive protective actions. My home is my privacy. Hundreds of private browsers, firewalls, anonymizers, VPNs and other services aimed to make online presence private (or create such impression) grew and disappeared within last 10 years. The TOR-browser, which theoretically allows hiding actions on the network, in fact, can lead to getting busted and feeling all the consequences of this “privacy”.

As a result, privacy subsequently became a barrier: turning location phone function off while calling an Uber is minor issue. Financial organizations begin to consider the clients at the stage of their visit on the web-site and everything they have to consider are the “guests” without any information about themselves.

Due to excessive privacy a potential client is considered risky by a financial machine, striving for “cleanliness” and openness. Organizations are not ready to accept additional risk acquiring users who hide themselves without any “understandable” reasons or some reassuring markers; company’s immune system triggers and declines a client at the application stage, baring a direct loss to the business.

Here is a paradox: end-users seek for Privacy in order to save their personal data and companies controversially have to increase the level of Security to protect the business. Everyone would like to receive better conditions for themselves. Both sides are not ready to meet each other’s needs in the current circumstances. Mainly because of the reason that data has to be collected at certain point of time by the financial institutions.

* * *

Within the last several years Juicy Score has been successfully used a solution based on alternative data. This solution allows avoiding personal and sensitive data collection. We process the alternative non-personal data that is many cases sufficient to make a decision on applications for a loan or insurance. So there is no need to start talk to a customer via a questionnaire.

This is only one of many steps. In any new world a code of laws or a code of conduct (even Jack Sparrow … captain Jack Sparrow had a code) is sooner or later arisen. Therefore, we suggest looking at our points, which, in our opinion, will help to establish a mutual understanding between the applicant and the lender. This should help to reduce useless accumulation of personal and sensitive data, which in many cases can be considered excessive in the 21st century.

  1. Personal Data
  • To reduce the use of personal data to the necessary minimum and to enhance alternative solutions which may simplify the decision-making system and risk policies;
  • To stop collecting, storing and transmitting personal data without meaningful need and without user notification, freeing up resources and unloading business processes;
  • To develop, maintain and switch to using alternative data that is not valuable for fraudsters and less risky for users.

Sensitive information (for example, disposable income, religion or other socio-demographic data — data that does not carry a material threat to a person, but can cause social damage)

  • To form a commonly accepted definition and make a list of such data, recognizing its status;
  • To regulate the use (at least at the level of a gentlemen’s agreement or code of ethical online-business conduct) of the data in order to exclude uncomfortable situations for customers and reduce risk.
  1. Security & Privacy Balance
  • To manage finding a balance between the necessary security of businesses and comfortable end-user privacy;
  • To maintain and regulate balance in a dynamically changing online world, responding to changes in the activities of both groups;
  • To reach a new level of friendly service, where security does not contradict to respect for privacy.

Having made these small but very important steps, it is possible to transform the businesses and to create a new approach to security: the personal data will no longer be the weak link. The main thing is to start and to remember that this is a goal, that can be achieved only by joint efforts.

We are ready to assist and to support on the way to this transformation, and we invite you to try our service, and will be happy to disclose our capabilities and advantages.