When you sign up on a cloud service, whether through a website or an application, you’re giving this service information about yourself. At minimum, you’re giving them your email or phone number. And behind the scenes, they might be storing additional information such as your IP address and your device characteristics.
In order to secure your account, you’re providing them with a password and trusting them to store it securely. And once you start using the service, you might be providing them with more data such as payment information, identity information, personal files, …
As you can see, personal information builds up very quickly. Most likely, you can’t even put a number on how many online accounts you have created in the past few years.
Should you trust online services with your data?
As you might have guessed, not all services are created equal. If the service you’re using is designed to mine and sell your data then you’re out of luck. This is the case for most free or ad based services.
❝ If you’re not paying with your money, you’re paying with your data! ❞
This is why it’s important to select the right services from the get go. In a future blog post, we will show you exactly what to look for when creating a new account.
For now, we will stick to listing the risks involved when using an online service (assuming they’re owned by a legitimate business with good intentions towards your privacy):
Insecure Credentials’ Risks
When it comes to online security, the first line of defense is your login credentials. If you use a weak password or if you reuse credentials across multiple services, you’re increasing your risk of getting your account compromised.
It’s especially important if the account in question is an email used as a recovery mechanism by other accounts or a Single Sign-On account that gives access to many other services. This would have a domino effect that would be difficult to recover from.
Of course, it’s always a good idea to use a second factor for authentication when possible.
Application Security Risks
From a security engineering perspective, securing an online service is no easy task. A system is as secure as its weakest point. The more complex a system gets, the more engineers are involved, the more likely for vulnerabilities to be introduced. But in many cases, humans happen to be the weakest point. Both users and support teams could be targets for attacks (phishing, scams, social engineering, …). All this have to be taken into consideration while designing a secure system.
Building a secure authentication mechanism, with strong privacy protections, all while maintaining a good user experience, can be a challenging task. Many companies are willing to sacrifice privacy for example, by using Single Sign-On systems such as ‘sign in with Facebook’. Others might roll their own authentication systems with the possibility of introducing vulnerabilities, thus putting accounts at risk.
Defending against attacks is yet another challenge for security teams, especially when users opt for insecure credentials.
There are countless ways that could lead to unauthorized data access. On top of securing their applications, it’s important that companies minimize the use of data and heavily rely on encryption at-rest to protect user data against security breaches.
Network Security Risks
Online services are usually running on multiple machines that seamlessly work together to provide a service. It’s easy to make mistakes when setting up and configuring these deployments. This could provide bad actors with direct access to internal less secure machines not intended to be accessed by the public. This is definitely very dangerous when it happens.
Backdoors
Some authoritarian governments could request services hosted within their jurisdiction to provide backdoors or to follow certain rules that would reduce the protections of user data. It’s always a good idea to check where your data is being stored.
Other Risks
We barely scratched the surface when it comes to listing the risks. We only considered some security risks without considering any third parties involved that could be tracking you and collecting your data while using the service for example.
Is there any hope for online privacy?
As you can see, privacy is not given in today’s online world. You have to be proactive to protect your personal information.
At Privacy Portal, we aim to help democratize privacy by spreading the knowledge about it and by building privacy-first products for users like you.