Managing privacy online is a constant balancing act. On the one hand, we need to provide a certain amount of our personal information to authenticate ourselves. In select environments, we also want to provide some additional information to our friends, family, and peers. On the other hand, we want to withhold that information from those who would misuse it or fail to protect it. Our information could be scooped up in a breach, sold for marketing purposes, aggregated as a doxing effort, referenced by current or potential employers, or even used against us in a violent and dangerous situation. American citizens caught up in the 2015 Office of Personnel Management (OPM) breach are acutely aware of the dangers of our information falling into the wrong hands: China acquired the records of 22.1 million individuals, many of which included 127 pages of extensive background check information for nearly any US governmental employee with a security clearance.1
This is why there are many consumer privacy regulations like the EU General Data Protection Regulation (GDPR) and the California Privacy Rights Act of 2020 (CPRA), which include extensive privacy rules that organizations must follow to enable their residents to retain control over their information. Compliance with the GDPR and CPRA is a great start towards protecting privacy, though many organizations simply check the box on these regulations without adhering to their spirit. Organizations often provide a consumer with a route to redress via a link in the footer in 8-point font, while collecting as much information as possible in hopes that the consumer won’t ask to have it deleted.
In our daily lives, our privacy concerns usually center on how companies will use the information we provide them. App permissions, trackers, and so-called “personalized experiences” are becoming ubiquitous, and while these developments are not inherently bad, we often see them used in ways that we dislike. This is part of a larger mistrust we have of “marketing” in general: while “good” marketing can be used to provide just the solution you need at just the right time, “evil” marketing is far more often used to try to convince you to purchase a solution to a problem you don’t really have. Since marketing professionals use the same toolset to accomplish both ends, it is natural for our default attitude to be mistrust in any scenario where a company asks for our information.
F5 Labs sits at a sort of nexus among these concerns. As a team of dedicated security professionals, we are always striving to give other security professionals useful information and insights so that we can all do a better job of protecting ourselves—and we provide that information without asking you to tell us anything about yourselves. We distrust “evil” marketing too, and we’re never going to ask you to give us information that we don’t need. For instance, this is why we only ask for your name and email address when you sign up for the F5 Labs newsletter—we really just need to know where to send the newsletter and who to address it to, because our newsletter program isn’t a pipeline to generate leads or to sell information to other companies.
While we all try to balance our concerns with online privacy, companies have an outsized role in protecting the privacy of their users and customers. Companies often want to know as much as possible about their users and customers, but security professionals in those companies need to act as the guardians of those same individuals. We need to help people protect their privacy and allow them to have as much control as possible over how their information is used. When companies do this, it generates trust, which is a long-term benefit to the company. Those of us who are most aware of the importance of privacy and how it relates to security are in the best position to take action on behalf of our users, and to stand up to the internal pressures within our organizations that are always looking for a more complete user profile.