Who’s Good At Data Privacy?

Forbes Technology Council

Co-founder and CEO of Skyflow, a data privacy vault that allows B2C companies to secure all sensitive customer data.

Nobody wants their company featured in news stories about the latest data breach. But, if keeping sensitive data private is a manageable problem, then why have some large companies lost the personal data of millions of customers? Data privacy is hard because you have to be right 100% of the time, but hackers only have to get through your security once. It’s asymmetric warfare — and sometimes it’s literally that since nation-states can get involved.

It doesn’t matter if your bank protects your SSN in 80% of cases; if it’s sometimes stored or transmitted in plain text, that’s enough for hackers to get their hands on it. And once you lose your SSN, your data privacy is compromised — and it can’t be fixed retroactively with a security patch.

So, is data privacy a problem that’s beyond the scope of all but the largest, most technically sophisticated companies? Or is it something that even startup companies can address with the right technology and approach? And what can we learn about these questions by looking at which companies manage data privacy well?

So, who is good at data privacy? 

Google And Zero-Trust Architecture

Google developed zero-trust architecture to provide its employees with frictionless security. Zero trust is based on the idea that you can’t rely on an intranet for security. Instead of trusting specific users and devices, with zero trust you authenticate everyone. This might sound complicated, but Google’s comic explains it beautifully. It started as an infrastructure solution, but zero-trust architecture turns out to be key to effective data privacy.

Applying zero-trust architecture to the problem of data privacy gives you the zero-trust data privacy vault, the best technical solution for data privacy. With this approach, sensitive data is safe, even if hackers gain access to your intranet.

More recently, Google provided enterprise users with data protection features like ownership of encryption keys for enterprise Gmail (bring-your-own-key, or BYOK). BYOK helps enterprises to ensure the privacy of sensitive data in Gmail.

So, to build a company that does data privacy well, you can start with Google’s zero-trust approach and BYOK support.

Apple And Proactive Privacy By Design

Better than any other company, Apple shows that you can build data privacy and security into your architecture, rather than adding it as an afterthought. It’s an approach called privacy by design, and Apple is one of the best examples of it.

Starting With Privacy

I could say a lot about Apple’s approach to data privacy, but the key point is: They “think different” at the inception of the product life cycle. Apple sees data privacy as a comprehensive feature, not for just one data type or interaction. As a result, they build data privacy into multiple facets of every Apple product and service offering.

Here are a few examples of Apple’s approach to data privacy:

• Give End Users Control: Users have an easy way to control device privacy settings like which apps can access cameras and microphones.

• Never Touch Sensitive Data: When designing their Wallet credit card solution, they asked, “Can we do this without storing payment card data?” As a result, they’re the only payments company that doesn’t store credit card numbers on its servers. Instead, they store the card number on your phone in the Secure Enclave SoC — a microchip built to store sensitive data.

• Privacy-Preserving Interaction Design: When Apple launched their Wallet driver’s license, they designed user interactions in detail. They asked themselves, “How can users show their license to the police without compromising privacy?” Because they asked this question, they designed Wallet to let the police verify your ID without touching your phone. 

Apple sees data privacy as a first principle and differentiator, whereas many other companies treat it like an afterthought — until after a data breach.

Signal’s End-To-End Messaging Encryption

Signal is a nonprofit that provides end-to-end encrypted messaging, letting users communicate with confidence that their messages aren’t intercepted by third parties. Because it’s a nonprofit that’s funded by donations and grants, users are confident that Signal’s incentives are aligned with their interests.

Uber: From Anti-Pattern To Innovator

You might remember headlines about Uber drivers harassing women with unwanted phone calls after dropping them off. When Uber launched, they hadn’t yet figured out how to encrypt phone calls between drivers and passengers. More recently, they developed phone number encryption to let passengers receive calls for Uber rides while keeping their phone numbers private.

What’s Next For Data Privacy?

Zero-trust architecture, privacy as a first principle, encrypted messaging, phone number encryption and more — you could use these building blocks to build a company that ensures data privacy. This hypothetical company would act early to protect the personal data of customers and wouldn’t lose customer data to hackers.

Improve Privacy Planning

With privacy, security and identity, the gap between concept and execution really matters. If you get the concept right, but the implementation is slightly wrong, it’s as bad as working from a false concept. Apple thinks through these issues from day one and gets the implementation right. So their data privacy “edge” is in how they think and approach product design. You don’t need billions of dollars to do the same.

An Edge For Startups

What about startup companies — can they ensure data privacy? Startups have an advantage if they’re proactive. This is partly because we now have privacy-preserving APIs, but it’s also because startups have less infrastructure and data to manage. A large company with sensitive data replicated across dozens of databases has a big project to fix pervasive data privacy issues. A startup using a zero-trust approach and privacy-preserving APIs from day one can skip all of that cleanup.

Apply More Privacy Pressure

Finally, remember that as a consumer you can improve the data privacy ecosystem by buying from companies that preserve data privacy and demanding better data privacy from those that don’t. Your demands can help them make privacy a priority.

