We must end the era of adjunct surveillance

Companies are collecting and sharing user data with impunity

As consumers, most of us don’t mind providing companies like Google, Facebook and Twitter with our personal data, as long as we get access to the services and solutions we want to use. However, many people don’t realize that these companies function as data-collecting surveillance organizations, integrating data collection into their business models in clandestine ways.

Unbeknownst to users, many companies allow third parties to place embed codes on their websites, capturing user behavior to either harvest or sell to other parties. This practice of “adjunct surveillance,” as Zoho Chief Evangelist Raju Vegesna describes it, has become common practice given a lack of resistance from users, investors and other business leaders.

To anyone paying attention, it has become painfully evident that the surveillance pendulum has swung too far. Companies are collecting and sharing user data with impunity. In fact, adjunct surveillance has become so egregious that a wave of data privacy laws has sprung up in recent years: the EU’s GDPR, California’s CCPA, New York’s SHIELD Act and Brazil’s LGPD, among others.

Due to increased government regulation and public awareness, business leaders are starting to see the writing on the wall. However, it’s not enough to rely on lawmakers’ and regulators’ activity. It is also not enough to be legally compliant while burying the notices in legalese or fine print. Such Machiavellian maneuvers may technically be legal, but they’re certainly not moral.

It’s time for tech leaders to take a stand by formally, and visibly, taking a privacy pledge.

Don’t let advertising companies track your users without their knowledge

Even if your business depends upon selling user data to third-party advertisers, it is vital that you inform your users about what you’re doing with their data. In some cases, it very well may be legal to withhold such information from users; however, that doesn’t make it right.

Since its inception in 1996, ManageEngine — then doing business as Zoho — has refused to allow any third-party advertisements on any of its websites or products. In an effort to block all adjunct surveillance, they don’t allow the embedding of any third-party tracking codes anywhere on their sites. Although social media share buttons may seem innocuous, they should be removed as well, as the buttons can essentially function as Trojan horses.
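One way to check your own pages for the third-party embeds described above, as an added example that is not code from the article or from ManageEngine. The page URL, hostnames and HTML are constructed, and treating the last two DNS labels as the "site" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute makes the browser contact another host on page load.
EMBED_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data"}

def site_of(host):
    # Simplifying assumption: "same site" = same last two DNS labels.
    # A production audit should use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname)
        self.findings = []  # (tag, third-party host) in document order

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(EMBED_ATTRS.get(tag, ""))
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page itself.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and site_of(host) != self.first_party:
            self.findings.append((tag, host))

def third_party_embeds(page_url, html):
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (hypothetical hosts), not taken from any real site.
PAGE_URL = "https://www.shop.example/products/42"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script async src="//platform.social-widgets.test/share.js"></script>
</head><body>
<img src="logo.png"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="https://pixel.adtracker.test/p.gif?uid=123" width="1" height="1">
<iframe src="https://www.social-widgets.test/like?href=shop"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, host in third_party_embeds(PAGE_URL, SAMPLE_HTML):
        print(f"third-party <{tag}> loads from {host}")
```

The share-button script and iframe are reported alongside the tracking pixel because, to the browser, all three are requests to another company's server that carry the visitor's IP address and any cookies held for that host.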

Inform your customers about any third-party integrations that may track their data

If your enterprise is financially reliant on such activity, it needs to be transparent about it. Take Google as an example: Many of us don’t have a problem using Gmail because we value the service enough to provide the search behemoth with our data. However, when Google leverages our user data to enter into partnerships with credit card and healthcare companies on the sly, that is a different story entirely.

Google partnered with Ascension hospitals back in 2018 on “Project Nightingale,” a data-sharing initiative that was not revealed to Ascension patients. Although subsequent investigations found that Google had not technically violated HIPAA, or any other laws for that matter, it is likely that the public wouldn’t even know about this initiative had it not been for this scoop. Also, it’s highly unlikely that this type of surreptitious health data partnership is an anomaly.

As another example, Google also secretly partnered with Mastercard in an effort to compete with Amazon and capture consumer retail spending data. After an exposé revealed the clandestine partnership, both companies claimed that they didn’t have any personally identifiable information for any customers. According to Google, they utilized double-blind encryption technology that protected all user data, which had been aggregated and anonymized. Despite this frequently made argument that all the users’ personal data had been “de-identified,” at no point were Mastercard or Google users made privy to the deal. In all likelihood, this Mastercard partnership is not a one-off for Google. Through an AdWords blog, Google claims to have access to 70% of all credit and debit card users’ activity.

The moral of the story? Don’t be like Google.

Use encryption tools to protect customer data transmitted over public networks

If your business sends user data over public networks, ensure all server connections use encryption with strong ciphers. Use Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS) to ensure there is always a secure connection between web browsers, your corporate server and all third-party servers. Not only does the TLS protocol allow both parties to be authenticated, but it also encrypts the data, ensuring that no third parties can eavesdrop or otherwise interfere with the data transfer process.

Consider investing in internal data centers

If economically feasible, companies should store customer data in self-owned data centers, or own the servers inside these data centers. By not relying on third-party data centers and public cloud offerings, not only will you bolster your data privacy initiatives, but you’ll also likely save money over time. Additionally, your company will benefit as more and more users begin to value companies that go out of their way to protect user data.

As a private company, ManageEngine has never been beholden to external shareholders, which has allowed executives to look at things through a philosophical lens as opposed to a financial lens. From the outset, they’ve always placed a premium on user privacy, which is why the current surveillance landscape has garnered such ire within their organization. To be sure, they’ve left some money on the table by taking such a hard line on privacy.

However, as Vegesna frequently asks, “What’s the point of being financially profitable if your business is morally bankrupt?”