
HSBC UK – Mobile-friendly security from the start

It goes without saying that we are all using mobile more and more to manage our lives. To support this transformation, businesses need to do more than just design mobile browser-friendly pages and smartphone apps: they need to make all of the customer-facing business processes “mobile-friendly.”

One process often overlooked is answering the “account security questions” required to gain access to (or assistance with) your account. Too many businesses manage this in a way that completely falls apart when you are likely to need it most (in an airport, department store or other busy place far from your home or office).

The routine model of most companies is to ask you to provide personally identifiable information (PII), such as your mother’s maiden name or social security number. Verbally sharing the answers to these is fine when you are in the privacy of your home or office. Sharing them in public, where you can be easily overheard, is an invitation to identity theft. Typing them on a smartphone is also less than ideal, especially when you are holding bags or waiting at a checkout counter.

Some companies try to get around this by using strong passwords. However, this too is an item that you would never want to speak out loud in public. It is also likely to be something hard to type on a smartphone keyboard or flip-phone keypad.

The answer is to consider the mobile use-case from the start and to design a process that works equally well anywhere: at home, in public, on your PC or on any telephone. HSBC (United Kingdom) does a really good job with this. This is not a surprise, as HSBC is a very global company and use of mobile for business transactions is much more widespread in Europe and Asia than it is in the US. HSBC uses a two-part system for authentication, where both parts are completely numeric (enabling easy entry anywhere by keypad or voice recognition) AND both are items that are completely useless to anyone who overhears them in public (a magic combination):

  • The first item you use is your account number. This is fully numeric and it is the same number you give others who need to give money to you (i.e., it is something you are not afraid someone else will hear).
  • The second item is a numeric PIN (Personal Identification Number). However, it is a PIN that is never used in its entirety. The IVRS, computer or call centre agent speaking to you over the phone will never ask you your PIN: they will only ask you a series of questions like “What is the third digit of your PIN? What is the sixth?” As a result, anyone overhearing you (unless you are silly enough to have your phone on speaker) will not gain any information they can use to crack your account (before triggering a fraud alert and security lock).

This simple design works really well everywhere (it even translates well across multiple languages). It is not only easy to use. It is something that you feel comfortable using in public.
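A minimal model of the partial-PIN check described above, added here as an illustration and not HSBC's or the author's code. The class name, the two-digit challenge size and the three-failure lockout threshold are assumptions; the post gives none of these values.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold; the post does not state HSBC's


class PartialPinAccount:
    """Constructed model: ask for a few PIN digits, never the whole PIN."""

    def __init__(self, pin: str, positions_per_challenge: int = 2):
        if not pin.isdigit():
            raise ValueError("PIN must be numeric")
        # Caveat: checking single digits means the server cannot keep only a
        # one-way hash of the whole PIN, so the stored PIN has to be
        # protected another way (for example, encryption at rest).
        self._pin = pin
        self._k = positions_per_challenge
        self._pending = None  # positions of the outstanding challenge
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Return 1-based positions to ask for ("third digit, sixth digit")."""
        if self.locked:
            raise PermissionError("account locked")
        # Keep an unanswered challenge fixed, so a caller cannot re-roll
        # until the positions match digits they happened to overhear.
        if self._pending is None:
            rng = secrets.SystemRandom()
            picks = rng.sample(range(1, len(self._pin) + 1), self._k)
            self._pending = sorted(picks)
        return list(self._pending)

    def verify(self, digits: str) -> bool:
        """Check the digits given for the outstanding challenge."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._pin[p - 1] for p in self._pending)
        ok = hmac.compare_digest(digits.encode(), expected.encode())
        if ok:
            self.failures = 0
            self._pending = None  # next login gets fresh positions
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES  # security lock
        return ok
```

Someone who overhears one exchange learns only the digits at those positions, and the lock limits how many guesses they get at the rest.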

We need more solutions like this to make our mobile lives easier.

It’s time for a Location Data Code of Conduct: Four Needed Policies

Article first published as It’s Time for a Location Data Code of Conduct: Four Needed Policies on Technorati.

Later this month the European Union’s “Article 29 Working Party” is likely to issue new rules requiring mobile and smartphone providers to treat location-based data as Personally Identifiable Information (PII). Last week, Apple, Google and others testified on the Hill regarding their use—or misuse—of consumers’ location data from smartphones.

What is driving the speed and intensity of this regulatory response? A simple fact: location-based data provides mineable context about what you are doing, when and where, in a manner that is explicitly tied to your identity. This is a watershed threat to privacy we have not seen since the commercialization of the Internet (when we had to pay for Internet access).

Providers of smartphones and mobile applications need to realize and proactively manage this. If not, life could quickly become much harder for them. This would not just be bad for providers; it would curtail innovation enjoyed by consumers.

Now is the time for industry to get out in front and establish a Code of Conduct guiding use of location-based data (just as the Mobile Marketing Association did years ago for text messaging). Not only could this head off costly regulation; it could also set the standard for a trusted consumer experience, significantly expanding the location-based service market.

An effective Location-based Data Code of Conduct should include the following policies:

1. Enable users to turn location services on or off easily and transparently

Location-based tracking and promotion is great when people are gift shopping. However, sometimes it is simply an invasion of privacy. This applies equally to the enterprise, as companies don’t want their mission-critical staff to turn off corporate mobile phones to protect their private lives when they are out of the office. Smartphone and mobile app providers need to enable people to turn location-based services on or off. Those who make this easy and transparent will establish market leadership.

2. Manage location-based data with the same fidelity as billing data

Yes, mobile phones have tracked where you were (and when) for years. However, smartphones now combine this with data about what exactly you are doing—in a format that can be mined for targeted marketing, legal discovery, and more. Providers need to treat these data as sensitively as they treat billing data: asking for consent before collection or sharing, encrypting it, guarding it behind firewalls, and anonymizing it for marketing analysis. Those who fail to do this will lose customers and face lawsuits or worse.

3. Require mobile app providers to adhere to the code of conduct

Right now people are “up in arms” because a few very visible, publicly traded companies are keeping their location-based data. Imagine what this will become when hundreds of “fly by night” companies exploit location data for identity theft, targeted burglaries and more? Industry needs to create an App Store-agnostic, straightforward certification program for location-based app providers. This will create the same trust needed for location services growth that similar self-policing programs did for eCommerce and mobile marketing.

4. Let customers request anonymization of their location data

Consumers are already worried about their online data being stored forever in search engines. However, search engines can only crawl data actively posted. Location data is collected passively, removing the conscious “should I post this” moment. As a result, consumers face a Hobson’s Choice: do I forgo location services or permanently lose privacy? Providers need to enable customers to request anonymization of all stored location data. This process can be balanced (e.g., linked to continued service use). However, it must exist.

Location-based services are enormously exciting and present an unimagined range of applications for commerce, logistics, medicine and more. A smart Location Data Code of Conduct will enable all of us to exploit this innovation safely, profitably and effectively.
