The Facebook and Cambridge Analytica scandal took the world by surprise, but I am not surprised: Facebook has been too open in the data access it gives to third-party apps. Data is the new currency, and measures should have been put in place to adequately protect users' data. Users often agree to share their data with third-party apps without knowing what range of data they are sharing, because the checklist of exposed data is hidden in a collapsed list; this was one of the critical factors in the Cambridge Analytica data breach. Google has a better approach with its Android OS, where each app, before installation, shows you clearly in large fonts (with icons) which aspects of your data and hardware the app will access, and from time to time you get a prompt to confirm that access again. This approach enforces non-repudiation and data integrity.
A good information security policy will clearly define third-party engagement and ensure that such engagements do not violate or compromise users' data. It is time we started taking information security seriously. Information Security, also known as IT Security, is the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived), utilizing various forms of technology developed to create, store, use and exchange such information, against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving its value, confidentiality, integrity, availability, intended use and its ability to perform its permitted critical functions (sans.org, n.d.).
The Information Security Triad (CIA) shows that users' needs for information security and trust in a system can be described in three major requirements: Confidentiality, Integrity and Availability. The CIA Triad is a venerable, well-known model for security policy development, used to identify problem areas and necessary solutions for information security. Confidentiality can be achieved by clearly informing users (in readable and clear fonts) of the range of data a third-party app will access and by establishing boundaries on data usage. Integrity can be achieved by ensuring users reauthorize the continued use of and access to such data by the third party on a regular basis, and availability can be complemented with an easily accessible, one-click revocation of those rights.
While Facebook is not the only platform guilty of this kind of practice, others can take a cue from this incident and make amends. We don't have to crucify Facebook, but Facebook on its part should show due care and due diligence in the protection of users' data and use this incident to demonstrate that the company has a good data leakage and information security policy.