I’m proud of working for a company like F-Secure, with a 25-year-long history of protecting people’s digital life. But I was especially proud on one day in early 2014. That’s the day when I got the green light to write and publish a paper documenting what data our Internet Security 2014 product collects from the customers’ computers. I’m proud of this because this is something I think all software companies should do in the future, and we are probably the first anti-malware company to do it.
Privacy is becoming one of the really big issues in our lives for many reasons. We live more and more of our lives through our electronic gadgets. We communicate electronically and we store our valuable data in the cloud. We do have a real life outside social media, but most of that life is somehow documented and commented electronically too. So anyone who can peek into your personal devices and cloud accounts has a really comprehensive picture of you. And this is exactly what the big data companies and many government agencies want to do.
People are pretty much unaware of this data’s value, and even unaware of how comprehensive it is. Many software and service providers on the Internet play on this ignorance and grab the data like it was free to be taken. Hell, that’s not right! People own the data on their devices and in their cloud accounts. This ownership should be respected and nobody should steal that data without permission. Or with a permission buried deep in some EULA that hasn’t been read by a single human being, except lawyers.
We think different at F-Secure. We don’t see the user data itself as a business potential. For us the business potential lies in the users’ desire to protect this data, and we are sure this potential will grow exponentially in the future. So we stick to a very traditional business concept. We want real money for our product. This is the only feasible business model for people who want to manage their digital privacy. We don’t give products away “for free”, just to secretly take payment in a currency the user doesn’t fully understand: private data.
But how does the paper about data transfer fit into this? It has to do with a concept of fundamental importance, trust.
We think transparency is a cornerstone when building trust. That’s why we wanted to be more open about how our Internet Security customers’ data is handled. We wanted to give customers a clear list of what data we transfer, why we have to transfer that data and what we do with it. The document had to be fairly short, clear and easy to read. No legal language. We have run into the demand for something like this several times, and after a discussion on Twitter in early 2014 we decided it’s time to act. Hat tip to @cynicalsecurity for that.
So now we are transparent about how we handle Internet Security customers’ data. Great, but can customers trust this data declaration? They still do not have any means to really verify that the document is correct. That is an excellent question and it boils down to trust, once again. You just have to trust us on that.
This is actually a huge fundamental problem in our new digital world. I think the whole software industry must be more transparent and by default declare what data is transferred and how it is handled. This is an inevitable development in a world where people become aware of their digital assets’ value. But the question is really what mechanisms there will be to monitor and verify these declarations? A new system of independent tests, audits and certifications? Time will tell.
The document can be found here.