10 January 2016

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape for software engineering standards within corporate organizations, is now on the radar of Operational Risk Management (ORM) experts.  What are the privacy and security related engineering design standards, that are being utilized at JP Morgan Chase, Citibank or Paypal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of of mobile banking customers download an application to their Android or iOS smart phones.  The consumer then has immediate exposure to the quality of the software engineering, by the UX/design and developer of the software App.  The standards being utilized by each organization for designing and engineering those Apps with privacy and security, may vary by who developed the application and for what particular operating system.

So what?  U.S. financial institutions software engineering departments and other highly regulated industries will be a continued and concentrated focus by the Federal Trade Commission (FTC).  Standards for privacy software engineering and disclosure of the rules will become even more of a critical factor.  Why?
As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.
Is it possible to redesign mobile banking Apps, so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human-based "Trust Decisions" about whether to trust an application with personal identifiable information (PII) is currently buried in legal disclosures.  The privacy disclosures are written by lawyers, all different and in most cases never read, by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have been looking at FDA Nutrition Labels and other Federal oriented tools, to provide more visible and rapidly effective disclosure.  Since the human being is making "Trust Decisions" on whether to download a software application to their computing device, they also may desire a method to quickly ascertain if the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with 3rd parties?  How will your information be used and collected while you are using or not using the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens the first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen, however there is not an easy to understand Privacy Label that is visible before you actually "Log On" to Chase.  In the case of selecting the Privacy button in the upper left corner, it then reveals dozens of pages of legal documents explaining online privacy policy and U.S. consumer privacy notices.  There is however one easier to view grid, under the privacy notice that is helpful in understanding whether Chase shares personal information and whether as a consumer, you can limit this sharing.

The Critical Infrastructure sectors of the U.S. economy, that has a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and Software Engineering personnel, must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.

No comments:

Post a Comment