SKeyes Center for Media and Cultural Freedom - Samir Kassir Foundation

SMEX: How To Make A Privacy-Oriented Application During A Crisis

Source SMEX
Thursday , 27 August 2020

Over the past couple of weeks, state agencies, international organizations, and local initiatives have launched applications to track housing damage, provide food assistance, and offer health services in the wake of the Beirut explosion. These are incredibly important initiatives, but they should also take the necessary steps to protect users’ personal data. Out of necessity, many of these emerging applications have been quickly developed and deployed. Their quick development can jeopardize personal data, which includes gender, date of birth, religion, and marital status.


When developing an application, privacy implications should be considered from the outset of the design process and re-evaluated during all cycles of application development to avoid excessive data collection and limit the possibility for surveillance. Beyond the importance of protecting the right to privacy, adequate privacy measures help earn users’ trust. Privacy should not be viewed as an obstacle to functionality, but rather a way to reduce these conflicts. We have provided a few suggestions on measures that these burgeoning applications can take to protect user privacy.


Work to ensure the security of users’ information

Developers should draft a clear plan anticipating potential security issues that impact users’ right to privacy. For example, security in transit and data storage policies are necessary during the design phase because they will help developers avoid accidentally storing personal information in a public cloud instead of in an isolated container. Hastily built applications often contain security flaws, which threaten users’ privacy. Therefore, applications should be secure by default to ensure that third parties do not have access to stored data.


Use encryption

To protect users’ personal information from being intercepted by trackers or packet sniffers, you should implement end-to-end encryption. Using HTTPS for web traffic is a first step. When using communication protocols, you should always use the more secure option, such as Secure File Transfer Protocol (SFTP) instead of File Transfer Protocol (FTP) for file sharing, and Simple Mail Transfer Protocol Secure (SMTPS) instead of (SMTP) for email. While end-to-end encryption is not a blanket solution for securing users’ communication, it will help protect data in traffic.


Provide a means for users to view, alter and export their data

Developers should be transparent about the data that they collect and give users’ access to their data as well as the ability to limit it and export it. First, developers should clearly present the user with all the data that the application is collecting. At the same time, users should have the ability to select the type of data that is collected so they can decide whether or not they are willing to share specific information. If the data is not necessary for the application, developers should not request it from their users.

This could be presented in a separate page within your application where a user can see exactly what data is collected, and have the option to limit the collected data. This page should also explain what data is absolutely necessary for the application to function. Providing transparency and visibility over the data will help earn users trust. Trust is key.


Draft a Strong Privacy Policy

Companies and organizations collecting user data should also publish privacy policies that clearly explain the measures they take to protect users’ data. These policies should adhere to the General Data Protection Regulation (GDPR) because Lebanon’s own laws surrounding personal data are insufficient.The general framework of data protection in Lebanon falls under the E-transactions and Personal Data Law, which offers weak protection for personal data and exempts data handled by the government agencies. Thus, the privacy policy should state clearly what data is collected and stored, who has access to the data, and measures taken to protect and secure users’ data. The policy should also mention the laws that govern the services provided and commit to sharing data with third-parties only when absolutely necessary. Additionally, it should clearly state that the developer will not abuse collected data for political, social, or personal interests.


Conclusion

Your users are clients; they make your digital solution work. Respecting user’s privacy should always be a priority. If your digital solution relies on users’ personal data, you must ensure that the data is not easily accessible to malicious actors. There are daily leaks, exploits and hacked accounts. To protect users’ personal data, you should prioritize privacy from the outset of the design and development process, instead of treating it as an afterthought at the end.

Share News