Privacy and Security as a Brand Differentiators
Big brands are getting hacked, while other brands tout privacy and security as their strategic differentiators.
There has been a shift in our culture recently around security and privacy. How can there not be when these topics are in the news constantly. Hardly a week goes by without a large news story about government surveillance, or private security breach.
This shift started in 2013 when Edward Snowden leaked classified NSA documents that exposed what we long suspected: governments are spying on all people, domestic and international. In 2014, the back to back hacks of the computers running the point of sale systems for Home Depot and Target forced the credit card industry to implement chip cards in the United States and also awoke public interest.
Privacy and security are such popular topics that it has been picked up by the entertainment industry. In film, Oliver Stone adapted the story of Edward Snowden for the movie: Snowden. In television, Mr. Robot follows hacker, Elliot Alderson, as he disrupts society with large scale hacks; nothing out of the realm of possibility says creator Sam Esmail. Mr. Robot has become USA Network’s greatest success and won the Golden Globe for Best Television Drama in its inaugural season. In gaming, Watch Dogs 2 is a video game where Marcus, the protagonist hacker, furthers the brand of the hacking organization Dedsec. The games predecessor, WATCH_DOGS, sold 9 million copies out of the gate making one of the top 10 best selling games of 2014.
Data breaches of big brands.
Society has traded the security of our personal data for ease of use; we have traded the security of our credit card information for ease of commerce. Countless companies have our credit card numbers on file to pre-populate that field in the form when purchase. These caches of data companies hold are constant temptations for thieves in the form of hackers. Many hacks have been perpetrated against large enterprises, some seeking addresses or passwords, but most seeking credit card data.
|JP Morgan Chase||2014||76 million|
|Home Depot||2013||56 million|
|Sony Pictures||2013||10 million|
|Sony PSN||2010||77 million|
|TJ Maxx||2007||94 million|
Source: World Biggest Data Breaches on Information is Beautiful.
Do these hacks hurt a company’s brand?
For large businesses, the answer is no. Bloomberg has a great visualization of how the stocks prices of companies have reacted to data breaches. Stock prices aren’t a great measure of the value of a brand, but they do give a look into public perception and sales.
The stocks do not even take a temporary dip; the stock market does not seem to think data breaches affect a company’s ability to generate commerce in the future, and if you have read our definition of brand, then you know that the brand is all about future sales. People just don’t change their shopping habits with big retailers in the wake of hacks.
For small companies, a hack could be devastating. Thankfully, small businesses hold less data than larger companies and would take the same time to hack, so small businesses aren’t targets. But if you are a small business, it is important to know that the liability of credit card theft lies with the person in the transaction chain with the least security. So if you have old terminals, or are not accepting chip cards, you could be on the hook for damages of stolen credit card numbers. I am not a lawyer, and this is not legal advice; I encourage you to hire one and look into regulations in your region.
A basic lesson on security.
The most important security concept you need to understand is encryption. The act of encrypting data is scrambling it in a controlled way that makes the data appear like noise. The data is scrambled using a number called a cipher. That cipher is made by multiplying two numbers, which we will call keys. One key is the public key, and it is usually held on the server or device, and it is viewable by anyone looking for it. The public key being exposed does not matter, because the cipher will only reveal itself with the other key, the private key. When the public key and the private key come together, ie. are multiplied, the cipher is revealed, and the data can be unencrypted as quickly as it was scrambled.
Encryption can be applied data on a hard drive; the data on your iPhone is encrypted before you unlock it, the private key is generated from your password. Data can be encrypted for transmission as well. When you go to a website that is https://, then the data being transferred to and from that site is encrypted; your browser handles the keys for you. Either way, if a third party looks in on the data, then all they will see is random noise. Otherwise, they could sift through to find passwords, credit card numbers, addresses, or whatever they want.
Some very responsible companies, like LastPass, store only encrypted user data. Other very responsible companies, like WhatsApp, only transmit encrypted data from user to user. Either company could not read the data generated by their users even if they wanted too; the data is all noise to them. User data encryption is robust because if a hacker or the government comes into their system, there is nothing to see.
Facebook’s vice president of Latin America, Diego Dzodan, was jailed for a few days by the Brazilian government (Fortune) because parent company Facebook could not give WhatsApp messaging data because it was encrypted. The Brazilian government was allegedly investigating a drug trafficking ring.
The downside is that the data cannot be mined to learn things about your users. Data mining may sound nefarious, but this is how many companies help their users in ways they didn’t ask for. For example, the Google Now app can look at your email and location data and pop up your boarding pass on your Android phone before you get on your flight. These features are only going to get more powerful with advancement in artificial intelligence.
The other concept to understand with security is zero-day exploits or zero days. These are flaws in the programming of devices, computers, or servers that unaware to the manufacturer or developer. If they were aware, they would release an update to fix the flaw. These holes for hacking are called zero-days because they are on “day zero” of the awareness of the bug.
There is a commercial market for zero-day flaws. The sellers are black-hat hackers who are programmers who look for poorly written code that someone else could exploit. The buyers are governments and private firms who use the zero-day for use in a system to look into people’s data. The FBI reportedly paid one million dollars to have a private company to bypass the encryption of an iPhone belonging to one of the Nan Bernardino terrorists. The other buyers in the market are the manufacturers or developers themselves, offering “bug-bounties.” Apple recently started offering $200,000 for bugs after long disagreeing with the concept of bug-bounties; they believe that governments and private companies would just out bid them, as ended up happening very quickly. The interesting twist in this market is that there are security research firms and white-hat hackers who will inform the manufacturers and give them time to fix it before they release their findings on the internet to force their hands.
Differentiating on security.
Security is not optional. If your customers are providing data, then any responsible company has an obligation to keep that data protected from third parties.
That being said, some companies differentiate themselves with the lengths they will go to keep their user data private, and proactively try to push their users into more secure behavior.
Blackberry has always associated their brand with security and privacy, but the company has a new problem.
“BlackBerry has a long and storied history of building private and secure mobile solutions,” says Alex Manea, Director of BlackBerry Security. “BlackBerry OS was the first to provide secure email and applications on mobile devices.”
They have struggled in recent years because their operating has lagged in popularity of users and app developers compared to Apple’s iOS and Google’s Android. They have now marked a new era and are leaving the operating system of their phones up to Google to focus on hardware and security.
They inherit the problem that all Android manufacturers have: differentiation. When the market has said they only want slab phones (all touchscreen) and Android, how do you differentiate yourself?
Blackberry’s answer is security. They have leveraged their DTEK sub-brand, and use it as an app that lets you gauge how secure your Android setup is, and guides you to better practices. They offer a suite of apps for Android with better security options. And they host a microsite on their domain called Android Secured, with relevant articles and news. They have also committed to releasing critical security updates as fast as possible, solving a long-standing issue with many of the Android manufacturers.
Apple received an undeserved black eye when private messages and nude photos of Jennifer Lawrence, Kate Upton, and 100 other celebrities appeared on the internet. Perpetrator Ryan Collins gained access to the online accounts of the celebrities phones with a phishing scam: he sent emails posing as Apple or Google asking for the stars to type in their usernames and passwords. The ones with iPhones were particularly hurt because Collins could browse all the photos they took through iCloud.
Phishing and other social engineering hacks are notoriously hard for companies to prevent, and it is up to consumers to practice good judgment and use things like two-factor authentication. But Apple was front and center during all these controversial news stories.
Apple has since been repairing their image by touting privacy in both advertising and PR. You can see this in their Approach to Privacy page. Apple cannot be associated with any more hacks particularly now that Apple Pay is taking off.
Apple drew a big line in the sand when they refused an FBI order to build a custom firmware allowing unlimited password attempts to a dead terrorist phone. One of the terrorists in the San Bernardino had an iPhone that investigators thought had data that could lead to affiliated terrorists. After denying to comply, Apple CEO Tim Cook wrote an open letter, choosing to wage the case in the court of public opinion.
Mr. Cook asserted that what the FBI was asking for was possible but creating it would create a backdoor that could be used to bypass the pin lock of all iPhones. While the FBI and law enforcement would only have access to this capability, there is no way to assure it would stay this way. The backdoor may and probably will get out into the open.
The other reason that Apple is trying to associate themselves with privacy is that it is a strategic advantage over Google. Apple does not look through its users’ data in the same way that Google does. Google looks through data for two reasons. One, by far it’s greatest profit source is from advertising, and they offer advertisers to target people with certain data profiles. Second, Google roots are in finding useful things in big pools of data, and they offer features that tap into this.
Apple believes that searching through its user data would be invasive, and that may speak to some people. (Not to me; I am a big Android guy.) Apple may find themselves at a significant disadvantage when companies like Google and Facebook are using artificial intelligence to tell us fascinating things about ourselves.
Unfortunately, there are no reasons for most brands to differentiate themselves on security and privacy. Security will not sway someone to shop somewhere else. For now, the market implicitly trusts that companies are doing their best on these fronts.
The reasons we see the companies we have talked about (WhatsApp, LastPass, Blackberry and Apple) make a big deal of their choices is because they are in a specific market where big players (Google in most cases) has made other choices that a subset of the market has reacted too.
There are big reasons to be secure: principally regulation and reducing the financial risk of fines and lawsuits. Branding is just not one of those reasons.
ASCII art generated by Glass Giant