As website publishers bring themselves into compliance with the Cookie Law, the implications for location-based services are starting to be realised. Ramsés Gallego, international vice president of ISACA and security strategist at Quest Software, explains what effect the need for consent is having.
If you are involved in designing, maintaining or managing a website, then you should have noticed the EU-wide amendment to the Privacy in Electronic Communications Regulation as it relates to web browser cookies and consent. While much has been written about the failure of many portals to adhere to the new cookie rules - which have been subject to enforcement in the UK since the end of May - the reality is that all EU sites, no matter how large or small, will eventually have to adhere to the new rules.Some sites will be better placed to amend their cookie administration than others. But my observations suggest that the new rules will be a potentially major headache for those portals that make use of location-based (geolocation) information on their visitors.
In a nutshell, the EU rules mandate that the placement of cookies onto the user's device requires consent from a user, unless they are "strictly necessary" for a service requested by the user. It appears that these exceptions to the rule will be narrowly interpreted by the Information Commissioner’s Office (ICO) in the UK, allowing short-lived cookies, for example, that permit Internet users to shop online easily and quickly.
Actions required by publishers to become compliant have been usefully spelled out by the ICO in its guidance notes. These centre on the need for sites to perform a cookie audit, a user-impact assessment and an action plan. Since the new law is device and channel agnostic, cookies used for geolocation need to be considered in the same activity.
Geolocation is a discipline that is firmly on the modern Internet-savvy business agenda as it can bring tremendous marketing rewards to the site concerned, in the form of geo-marketing activities, targeted messages and so on. The introduction of the new cookie legislation presents a number of risks to portals that use geolocation. These risks can potentially outweigh the rewards because the site is required to interpret a lot of the data on the user “in the clear”, including location, time and web-browsing habits.
Therefore, organisations need to be cautious when embracing mobility and all the features that come with it. They also need to include mobile devices within their corporate security strategy and integrate the devices within the business asset management programme. The issue here is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities.
The amended EU regulation obliges service providers to explicitly indicate that the browsing session on a given set of web pages is being tracked or recorded. This directive is here to stay and its implications and resulting implementations pose difficulties from a security perspective.
However, implementing the cookie law on a secure and effective basis is essential as the data involved is both high-risk and personal. Sensitive data that could be leaked typically includes information on gender, age and other attributes that could allow a user’s “digital persona” to fall into the wrong hands.
This leads us neatly into the privacy aspect of the new legislation. As a result of the Internet, we have few barriers and fewer secrets. Many think that is now cool to post where they are, what they are doing, with whom, when and even why. In fact, according to an April 2012 survey conducted by global IT association ISACA, 32 per cent of individuals in the US are using location-based services more now than they did 12 months ago. (Worryingly, 43 per cent don’t read the agreements associated with location-based apps, so most aren’t even sure of the information they’re providing to organisations.)
Clearly, those organisations need to address how they are gathering location-based information and what they do with it. This business security process is about defining a security posture around classification of information, data collection practices, etc, that can identify a person's present location - and equally important, past and future locations. Organisations must clearly indicate the methods of collection, the retention policies, when - and how - the information will be destroyed.
Failing to comply with the new EU cookie directive will certainly have ramifications such as cost, as well as legal and reputational consequences. While the financial implications can leave a big impact, the cost of reputational damage is likely to be far greater. The concept of privacy, when dealing with personal information, centres on the individual's trust in an organisation and its information systems. It is that trust that allows us - as individuals - to make a judgement call on whether we are happy to release the kind of information that we do to that organisation.
Unfortunately, we have seen several examples recently of well-recognised brands suffering data/information breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organisational mechanisms they have in place to protect user information, such as encryption, processes and procedures.
Businesses using geolocation applications and methods of data collection have a responsibility to behave ethically and protect the consumers’ information and rights. And while there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of their Internet user, businesses around the world should provide opportunities to opt-in, not by default, but with an explicit consent from the user.
Companies also need to include geolocation data as one of the priorities within their audit governance strategy. The definition of governance, by the way, is "setting strategic direction, and achieving corporate goals, ascertaining that risks are managed and that resources are used responsibly." The governance of geolocation data should be addressed using these facets of the definition.
ISACA can assist greatly in the planning process that is central to the task of meeting the EU regulation’s governance requirements. Earlier this year, the association released the COBIT 5 framework (available as a free download at www.isaca.org/cobit.) Created for business and IT professionals, the guidance helps enterprises to bridge the gap between IT control requirements, technical issues and business risks. Just this month, ISACA published COBIT 5 for Information Security, which provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.
The bottom line is that, if properly governed, geolocation is a tool that can be very effective for both consumers and businesses. The EU cookie law will, in the end, protect both of these parties.