It is estimated by the International Telecommunication Union that the total number of mobile devices in the world has already exceeded the number of people. Mobile devices are becoming increasingly advanced as well. In fact, modern smartphones are as powerful as desktop computers, but “know” much more about their owners: current and past location, contents of their private text messages, photos and other sensitive information, as well as their online banking credentials and other financial data. They are also always connected to the Internet and thus are especially vulnerable to hacking and malware exploits.
Growing adoption of cloud services has brought its own share of privacy concerns: more and more sensitive data is now managed by third parties, so users are losing visibility and control over their information. However, it is social computing that has made the most profound impact on our society. Ultimately, it has led to a significant erosion of public expectation of privacy and made nearly impossible to undo accidental sharing of private information. Some people have gone as far as to claim that privacy is no longer relevant. This, of course, cannot be further from reality: various studies clearly indicate that users value their privacy and strongly object to sharing of their personal data with third parties without consent. However, many users still do not have a clear understanding as to what extent mobile devices can affect their privacy.
With mobile technologies becoming more sophisticated, general public awareness about the associated risks simply cannot keep up with them. Every day, mobile users can easily fall victim to another new method of tracking, stalking or privacy abuse. Stolen personal information has become a valuable product on the black market. It includes not just financial or medical information, but and kind of PII that can be used as a key to your other assets. It’s not just hackers that are after this kind of loot: telecommunications providers, search engines and social network operators are collecting as much of this information about their users as possible to use it for targeted advertising or just to resell it to third parties. And, after Snowden, do we even need to mention government agencies?
For enterprise IT departments, growing adoption of mobile devices has brought their own share of headaches. One of the biggest current challenges for the IT industry is undoubtedly the Bring Your Own Device (BYOD) problem. While technological challenges of the problem are massive, a proper BYOD strategy must address privacy issues as well. Many organizations may easily overlook them, because issues like liability for leaked or lost private data from company-managed devices still vary per country; they are often considered to be in the grey area of current laws and regulations. These regulations are changing, however, and to stay on the safe side companies should always carefully study and address legal aspects of their mobile device policies: a mistake can cost you a fortune. KuppingerCole provides this kind of expertise as well.
However, regulations alone cannot solve the fundamental cause of so many privacy-related problems of current mobile platforms. As mentioned earlier, modern smartphones and tablets have the same computing power as desktop computers. Yet, both consumers and device manufacturers still fail to realize that mobile devices need at least the same level of protection against malware and hackers as traditional computers.
Modern mobile platforms are based on Unix-like operating systems, incorporating various low-level security features like hardware isolation or code signing. Yet, they are still far behind desktop or server systems when it comes to more sophisticated security tools like firewalls or application control. Even worse, no modern mobile platform includes any built-in vendor-neutral security APIs that would allow 3rd party developers to create such tools. Although there are several solutions available on the market now (like Samsung KNOX), they are all limited to a small number of supported devices and have their own security issues.
Modern mobile platforms are much more closed than desktop operating systems, and this is a source of privacy-related concerns as well. Consider a typical situation for iOS: we learn about data leaks or other violations in a standard app, and it takes months for Apple to even acknowledge the problem, let alone to release a patch for it. The open nature of Android’s ecosystem, on the other hand, leads to platform fragmentation and often vendors simply stop supporting old devices completely. Despite of their differences, the result is still the same: because of fundamental deficiencies in their platforms, both vendors fail to provide adequate means of protecting user’s privacy.
Thus, it is clear that long-term solutions to these problems require a major paradigm shift. Privacy cannot be protected by government regulations or “bolt on” security products – it has to become an integral part of any mobile platform and application. Unfortunately, this stands in stark contrast to the goals of many hardware and software vendors, with only a few already realizing the business value behind “privacy by design”. To break the current trend of hoarding as much personal information as possible, consumers, enterprises and government regulators have to join their efforts and bring everyone to a clear realization that long-term losses from violating customers’ trust will always be greater than short-term gains.
For more information and concrete recommendations to enterprises, mobile device manufacturers and application developers please refer to KuppingerCole’s Advisory Note “Dealing with privacy risks in mobile environments”.
This article has originally appeared in the KuppingerCole Analysts' View newsletter.