Nearly every application, appliance, and IoT device tracks user interactions. When you connect to a WiFi network, when you change your password or enter your credit card details—every digital event generates application logs.
These logs are extremely valuable for understanding end users, how they interact with products, and how technologies perform.
Application logs are one of the leading causes of privacy violations. The software that generates these logs is written by developers once but executed by computers a billion times. Developers are focused on shipping products and—while they try their hardest to respect your privacy—the amount of data is so overwhelming that security is often overlooked.
Logs end up being stored, analyzed, and archived even if they contain privacy-sensitive data that are illegal under privacy laws such as the EU’s General Data Protection Regulation (GDPR), which includes specific guidelines for log data.
The most recent examples include GitHub, Facebook and Twitter. In 2019 alone, these three companies were found to have stored privacy-sensitive data in their logs.
We should ask ourselves, what's the cost? And what’s the risk for companies?
Privacy: a growing concern for consumers and organizations
We live in a data-intensive society, where consumer information is precious. However, numerous data breaches within the past couple of years have proven that data is difficult to protect. In the first half of 2019, there were 4.1 billion records exposed in data breaches.
Consumers are fully aware that their personal information is sought after by third parties. They are demanding full control of their data and the backlash will only increase for organizations that are not proactively addressing these concerns.
Consumers' concerns about privacy are pushing a company like Apple to reposition itself as a privacy company. Tim Cook emphasized how the company does not monetize users' information.
Governments are taking action
Consumers believe that governments should play a greater role in regulating how companies handle user data.
The EU responded by implementing the General Data Protection Regulation. GDPR fines start at 4% of a company's global revenues, and the regulation affects companies that do business in the EU—whether they are European companies or not.
Google has already been hit by a $57M GDPR fine and, according to Gartner, $1B+ in sanctions will be issued by 2021.
The California Consumer Privacy Act (CCPA) passed in June of 2018 and will give California residents specific privacy rights related to their online activities starting January 1, 2020.
Following in the EU's GDPR footsteps, many other nations are implementing similar privacy legislation. This evolving patchwork of privacy laws will continue to challenge organizations in the way they interact with customers and society at large.
Companies have to change their mindset
To avoid conflict and promote trust, organizations must take a proactive approach when storing consumer information and when logging data into their internal systems.
Shifting from privacy to ethics moves the conversation beyond “are we compliant” towards “are we doing the right thing”
—Gartner
Ultimately, switching from compliance-driven enterprises to ethics-driven enterprises will be key.
Companies that misuse personal data lose the trust of their customers—and trustworthiness is a key revenue and profitability driver. A study on the Facebook / Cambridge Analytica case showed the negative impact of privacy leaks on consumers' trust in Facebook:
Building customer trust in an organization is difficult, but losing it is easy
Gartner expects that by 2020 companies that are digitally trustworthy will generate 20% more online profit than those that aren’t.
A 2017 survey indicates that 87% of consumers say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly.
So prioritizing privacy and cybersecurity is key for companies because:
- Compliance costs can be really high -- GDPR fines: €20 million or up to 4% of annual global revenue
- Companies lose customers’ trust when privacy leaks happen, costing them millions in revenue
- It’s the right thing to do.
Organizations focus on protecting their databases—but logs are often overlooked. GitHub, Facebook and Twitter reported privacy leaks in their logs in 2019 alone.
What are you doing to ensure your company is not storing privacy-sensitive information in your logs?
About Measurence
We believe privacy is a fundamental human right.
In the four years our team has worked together, we’ve always built products designed to protect users’ privacy and our technology has been validated by legal teams at companies like Zurich Insurance and Mercedes-Benz.
We also co-founded the Future of Privacy Forum—a nonprofit organization based in DC that develops privacy protections, ethical norms, and workable business practices.