Online Privacy in a World of Third-Party Services How to Protect Your Customers and Your Business
Today’s online marketers understand that a website needs to do much more than simply convey information from a company to its customers. And today’s web developers know that achieving the various goals defined by those marketers does not require reinventing the wheel.
As a result, today’s major websites rely heavily on embedded thirdparty services. This way, a company can bolster its website with cutting-edge software to achieve its marketing goals and improve its user experience – without taking the time to build and maintain this software. That can create a win-win-win scenario for companies, their customers, and their software providers.
However, this approach to web development creates some serious risks, both for the businesses that take advantage of third-party services and for their individual customers. That’s because, in many cases, the vendors that provide these services gain access to sensitive customer details including personally identifiable information (PII). Even if a vendor has no malicious intent, the chance that bad actors will hack its platform can endanger the companies whose websites rely on its software.
Moreover, the code that drives third-party online services is typically updated multiple times each month, creating the risk that a software update could expose sensitive information belonging to a company’s customers without that company’s knowledge. And making the stakes even higher, legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) continues to increase the penalties for noncompliance.
All of that makes it especially important for companies to ensure that their websites are not putting their customers’ sensitive information – and, by extension, themselves – at risk via third- and fourth-party service providers.
This eBook will teach you how to navigate the waters of working with third-party providers of online software – so that you can enjoy all of the ways this software can help you achieve your business objectives, while also keeping your website safe. In the following pages, you will learn:
- The key benefits of integrating third-party software into your website, why this model has become so prevalent, and why that trend is likely to continue.
- The major technical and legal risk factors that should concern companies when using third- and fourth-party software within their websites.
- How major companies have fallen victim to these risks, what consequences they have faced, and what you can learn fr om them.
- How AI-driven, cloud-based solutions can help you address these risks in order to protect both your customers and your company.
How Did We Get Here?
In the early days of the first major internet boom, websites consisted exclusively of HTML. This allowed for webpages to be designed using rich text and some visuals, but design options were limited. Bandwidth was a precious commodity in those days of dial-up modems, and websites were relatively light and static.
The Impact of Third-Party Services
Still, there is every indication that the market for third-party services will continue to boom for the foreseeable future. Bandwidth continues to become more readily available as hardware improves, and there are ways for developers to structure a webpage so that it can be used while it loads. Moreover, the continuing development of third-party software offers advanced functionality for consumers, ever-improving marketing and monetization tools for website owners, and profitable opportunities for service providers.
This process can involve any number of interactions between the user’s browser and the third-party software. Over the course of these interactions, various details about this end user may be sent to the service provider.
How Data Daisy Chains Take Shape
In addition, in many cases a third-party service will itself rely on an external service provider. In these situations, the end user’s browser will interact not just with third-party services (directly), but also with fourth-party software (indirectly).
To make this software work properly, the end user’s browser may be required to send information about that individual to the third party, which in turn passes it on to the fourth party. This can create a data daisy chain in which details about a consumer may be passed from one vendor to another.
PERSONAL DATA EXPOSED
Adding to the potential for data daisy chains to emerge, each time a developer places a third-party script on a webpage, by default the provider of the corresponding service has access to any data from that page – including the page’s URL, storage, and any cookies. Even if much of this information is irrelevant for any given service embedded into a webpage, the provider of that service would be able to access this information if they chose to do so.
For example, when a consumer visits a certain page of an eCommerce website, that page may display a popup that relies on a third-party service to recommend products based on the user’s demographic data and activities they have performed. To make this happen, the webpage must give the service provider access to these details about the user. But if, for instance, that page also features buttons for sharing a product description on specific social media platforms, those platforms will also have access to the same user details as the recommendation engine.
An Ever-Changing Ecosystem
Not only does this contemporary approach to web development create the potential for many service providers to gain access to sensitive information, but it does so in a very dynamic way. It is common for service providers to update their code frequently – in many cases, three or four times per month. Each time such an update occurs, there could be changes to the data collected by a service, to the way it is collected, or both.
Moreover, a service provider can make these kinds of changes without coordinating or even informing the companies that rely on its services. As a result, significant changes affecting end users’ privacy can be made without the knowledge of either the end users or the company.
FREQUENT CODE CHANGES
The Risks Associated with Third-Party Online Services
Recent years have seen the convergence of several new developments that have increased the risk associated with using third-party online services. The most notable of these trends include:
- Major websites’ increasing reliance on third-party services, which tend to be updated frequently without notice.
- The tendency of online service providers to themselves rely on external software – making their clients’ websites reliant on fourth-party services and creating data daisy chains.
- The growing sophistication of hackers seeking to exploit consumers’ personally identifiable information, including credit card numbers.
- The regulation of the collection, transfer, and use of PII – exposing companies to the risk of major lawsuits resulting in significant legal fees, massive fines, and negative press coverage.
- The public’s expanding awareness of large-scale data breaches and cyber-attacks, increasing their concerns over personal privacy.
Because of the combination of these trends, companies whose websites rely on third-party services face increased risk – as do their customers. Because of legislation like the GDPR and, soon, the CCPA, these businesses could face serious fines for actions (or failures to act) that until relatively recently would have been perfectly legal. Meanwhile, they risk accidentally giving vendors access to their customers’ PII by leaving it exposed within a webpage’s cookies, storage, or URL. And the worst-case scenarios for these companies and their customers include major data breaches that can result in identity theft and/or credit card fraud.
The Increasing Danger of Repercussions
When a company does suffer from noncompliance, a data breach, or a cyber-attack, the most easily quantified damage consists of any fines imposed on the company as a result. In case of a newsworthy breach or attack, the company is also likely to see its brand reputation suffer significantly, as prospective customers become afraid to enter their credit card digits into a platform that they know has already been compromised once.
Moreover, that company may well need to pay a variety of professionals to mitigate the damage – including IT personnel to fix the technical problem, lawyers to handle the legal fallout, support professionals to manage customer queries and complaints, and possibly even a public relations firm to weather the ensuing storm of bad press.
To understand the scope of the legal risks, it is important to consider two of the most important sets of laws regarding the collection, processing, transfer, and use of individual consumers’ information: the GDPR (which went into effect in 2018) and the CCPA (most of which is slated to go into effect at the beginning of 2020). While there are significant differences between the laws – including which businesses the laws apply to – they both share the general goal of expanding individuals’ rights regarding their personal information.
Some of the key similarities between the two laws include:
- They restrict the ways companies can use individuals’ PII.
- They require companies to take steps to protect individuals’ PII.
- They require companies to allow individuals to make certain decisions regarding the use of their PII (such as having their PII deleted).
- They require companies to provide individuals with specific information regarding the use of their PII.
Because of these laws’ requirements and many websites’ reliance on third-party services, ensuring legal compliance is an ongoing process. Not only must companies first receive consent from individuals in order to gather and maintain their PII, but these businesses must continually verify that they are only allowing this information to be used in the specific ways that users have consented to. As a result, these companies must ensure that third- and fourth-party service providers do not implement legally problematic changes in the ways they gather and use PII.
Finally, perhaps the most important similarity between these laws is that companies found to violate them risk potentially devastating penalties. In the case of the GDPR, a company that commits an especially serious infraction could be fined up to 4% of annual turnover or 20 million euros – whichever is higher. Under the CCPA, fines could be far less predictable: While the law will only require violators to pay up to $7,500 for an intentional infraction or $2,500 for an unintentional one, it will also allow consumers to file either individual or class-action lawsuits, for which businesses could be required to pay between $100 and $750 for each individual violation.
The Growing Threat Posed by Hackers Including Magecart
For today’s eCommerce companies, one of the biggest security threats comes from Magecart, a series of loosely affiliated groups of hackers. Magecart has carried out some of the most alarming and expensive cyber-attacks of the past several years, exploiting thirdparty services to steal individuals’ credit card numbers.
Perhaps the most notable Magecart attack to date involved malicious code inserted into a third-party chat service used on British Airways’ webpage for reporting lost baggage. From there, Magecart hackers were able to set up a mechanism for skimming customers’ credit card numbers. The airline took months to identify the data breach, preventing it from quickly notifying authorities and affected customers as required by the GDPR. This resulted in a $229 million fine – the largest fine imposed on a company under the GDPR to date.
As the British Airways example shows, one of the greatest risk factors associated with third-party online services is that it can take companies a long time to realize when something is amiss. Because these services can be updated without notifying the websites that rely on them, there is a very real risk that a company could become noncompliant – or, even worse, suffer a significant data breach or cyber-attack – without quickly realizing it.
Using AI-Powered Technology to Mitigate the Risks
While bad actors continue to grow more sophisticated in their methods of compromising consumers’ privacy via third-party online services, the technology that can reduce the risk for companies likewise continues to progress. Today, online retailers and others can use digital solutions powered by artificial intelligence to protect both their customers’ privacy and their own brand reputations, while also mitigating their own legal exposure.
Helping companies to minimize these risks is all about providing them with the right information, in the right format, at the right time. To be successful, a digital solution should provide comprehensive, actionable information in real time. It should identify any potentially sensitive data left exposed within your website, as well as any changes to the behavior of your third- and fourth-party services. In case of a data breach or cyber-attack, a digital solution should give you the details you need in order to:
- Notify authorities and affected individuals of the incident.
- Pinpoint the source of the problem, so that you can block a risky service from continuing to access your customers’ sensitive information.
- Inform the relevant vendor and evaluate your company’s relationship with this vendor.
How Namogoo Addresses This Need for Information
The goal of rapidly providing businesses with the information they need is at the heart of Namogoo’s end-to-end Customer Privacy Protection (CPP) solution.
This self-learning, client-side platform continuously audits companies’ websites to find any data vulnerabilities or any data accessed by malicious hackers. To help our customers ensure that the vendors they work with only collect data as mutually agreed upon, our technology offers:
- Full visibility into any data collected from a company’s website by third- and fourth-party vendors, including the ability to drill down into the details of this data collection.
- A holistic view of any exposed personal data or other privacy risks within a company’s website (including within each webpage’s URL, storage, and cookies).
- A detailed breakdown of the data a given vendor collects from a company’s website, as compared to the data that vendor collects from other websites – providing benchmarks to highlight any suspicious anomalies.
In case of any suspicious behavior within a company’s website, our CPP solution automatically alerts the affected company in real time. And to help businesses resolve such incidents quickly, the platform automatically ranks incidents by their priority level based on severity and impact.
Should one of our customers suffer from a data breach or cyberattack, our platform will also provide them with the details they need to mitigate the risk posed by the incident and resolve any underlying vulnerabilities. These details include what type of data was collected, when the incident began, on which webpages it occurred, and which audience segments it affected.
But while third- and even fourth-party services are a great asset for major websites, they also pose significant risks – both for the companies whose websites rely on those services and for these companies’ customers. Each time a company embeds one of these services into its website, it cedes some control to an external vendor. In many cases, this means that the website owner gives the vendor access to its customers’ personally identifiable information (PII) – sensitive data that can include credit card numbers. This exposes the owner, the vendor, and individual customers to an increased risk of suffering from data breaches and cyber-attacks. At the same time, increasingly strict laws governing the use of customers’ PII continue to raise the stakes for companies that suffer from such incidents.
Yet, while the dangers surrounding the use of third- and fourthparty online software continue to become more widespread and sophisticated, so do the digital solutions that can be used to mitigate these risks. Today’s companies have the option of using AI-powered technology to automatically identify a wide variety of security risks, data vulnerabilities, and problematic behaviors carried out by a website’s service providers. This way, a company can gain critical insights in real time, enabling its employees to promptly remedy any threats and notify authorities and affected individuals as needed.
By using advanced technology to monitor the services embedded in its website, a business can minimize its own risk by minimizing the risk facing its customers. Most importantly, this allows the company to enjoy all the benefits of working with outside vendors – without needing to worry about becoming the next victim of a major cyber-attack, security breach, or high-profile lawsuit.