When does protecting privacy morph into invading privacy?

Employees and consumers are being more careful about sharing information that goes beyond strict need-to-know. We ran into one company that seems to not get that.

big brother privacy eye data breach security binary valerybrozhinsky getty
ValeryBrozhinsky / Getty

Recently, I tried to toy around with some of the better security apps for my iPhone and checked out a very impressive package called Lookout. One of its features seeks to make identity theft a little more difficult. So far, so good.

The service says that it searches the dark web and various databases looking for any leak, quite likely from a breach. That sounds worth doing.

So I start filling out the online forms, and before long my head was filled with the protesting voices of every chief privacy officer I have ever spoken with. Lookout starts by asking for all of your email addresses and phone numbers, before moving on to complete driver's license number, medical insurance card numbers and full passport number. It also seeks full banking account details (routing numbers, too), all credit and debit card numbers and Social Security number, and asks to connect to Facebook, Twitter, LinkedIn and Instagram.

To be fair, I do see what Lookout is doing — and, in an interview, Lookout's senior director of product management, David Richardson, stressed that customers can skip all or some of those questions — but my first reaction was, "Hey! We just met. Why are you doing your best to sound like the most blatant identity thief this side of the North Pole?"

Given that Lookout's goal is clearly stated (I have no reason to doubt the company, at this time), what is the concern? A few things. One, merely having that extensive a range of PII in one place about one individual is dangerous. If a breach against Lookout does somehow happen — no security is perfect — it would be a bonanza for the cyberthief. From a security perspective, this company's marketing about this service could itself make identity and cyber thieves attracted to the site. They might spend extra resources and effort to break in, which is truly not what a customer wants.

Two, it sends the wrong message. Privacy advocates rightly argue to never give anyone or any site more information than they absolutely need ("need to know" is appropriate here). And when the company is directly asking for such a gold mine of PII data (it was probably the passport data request that really sent me soaring), it makes people worried. What, people may wonder, if that page is a phishing page that was designed to merely look like a Lookout page? How is a user supposed to tell the difference?

Three, in 2020 (OK, when we're this close to 2020), no company is an island. What if one of its employees turned to the dark side? What if the company you use for backup gets breached? What if the firm used for disaster recovery gets breached? What if your cloud vendor gets breached?  

Mostly, though, this is a perception issue about privacy. What if a police department offered a service where it maintained an online listing of all of your most valuable possessions, to speed up recovery and insurance efforts should you be the victim of a burglar? Sounds attractive. Then you go to the PD's page and it asks for the cost of your most valuable possessions, where they are located, your safe's combination (in case the police need to quickly gain access, to dust for fingerprints), days and hours when you expect the house to be empty, the nature and passcodes for any security system, where you leave your house keys, the code to access your garage door, etc. Wouldn't it raise more concerns than offer comfort? Even if it's legitimate, wouldn't the sensitivity of the questions (and the fact that it is a wishlist of everything a burglar would want to know) suggest that it's a bad idea?

Privacy is not just a concrete concept. It's also abstract and it needs people to change how they think about PII. It needs an attitude adjustment, to encourage people to be far more cautious and careful. Enterprise CISOs and CIOs want and need this perception change to happen. No matter how excellent an offering Lookout and other similar products and services are, they must support the perception change. Starting the registration process by asking for everything we want people to never reveal except in need-to-know situations is probably suboptimal. Very suboptimal.

Copyright © 2019 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon