
IAM: The War on Privacy begins here

Introduction

Recently, through the Facebook hearings and the General Data Protection Regulation (GDPR), the subject of your privacy in the online world has come back into the world's conversation. The basic premise of who owns your profile, your likes and dislikes, where you go, what sites you see, when you see them, why you chose them, and how you got there, is at the heart of the ongoing privacy war. Today, we are looking at identity and access management, privacy, and what we can do to have access, but not lose privacy.

What is IAM (Identity and Access Management)?

Before we start looking for solutions to the privacy problem, we have to define a few terms:
  • Identity Management,
  • Access Management, and
  • App Permissions.

Identity Management

The first part of the puzzle is identity management. When you create a profile, it usually consists of a first name, last name, maybe a birthdate, a password, and some characteristics which are unique to you. Your identity is very important. Sometimes, it contains a unique government ID (like a Social Security Number). A profile can contain your likes and dislikes, items that you've linked to, or pages that you like. That's why a profile, and the information that it contains, is very important.

Advertisers want your profile information. They want your likes (and dislikes), pages visited, and demographic information to target goods and services in a favorable light. Companies want that information as well, to fine-tune their products so you consume more of them.

There are two ways profiles can work with other systems. One is a centralized approach, where you create a profile on a company's system and they retain the rights to anything you put on that system. That's why laws like the GDPR are important. The identity management system and the access management system usually reside on the same servers.

The other option is to have a decentralized way of handling identity management. This means that you are responsible for protecting your identity. This reminds me of the Department of Defense's Common Access Card (CAC) program. Each driver's license-sized card contains two certificates: 1) for your identity, and 2) for encrypting email. This method uses public key infrastructure (PKI) to ensure the person you are dealing with (or the email you receive) is authentic. Verisign and other companies offer PKI certificates, but very few (if any) allow those certificates to be used on Facebook, Google+ or Twitter to establish your identity and keep you safe.

Access Management

The whole reason that you create a profile on a computer system is that you want to use their services. It could be the bank's website to look at your account balance, or your cable company to pay your bill. We give out a little bit of our privacy to get something in return: the ability to use the functions on a website. It used to be that a company would ask for the minimal amount of information in order to let you in. Now, not only is your profile information filled with personal questions, but they track all of your activity on their site. Think about that for a second. Also, as we move from site to site, how much of that personal information do we leave behind? For example, you post your resume to a job posting site, but when you get a job, do you go back to those sites and deactivate your account?

App Permissions: Android

This is a tricky subject as each app asks for a specific set of permissions: "The purpose of a Permission is to protect the privacy of an Android user. Android apps must request permission to access sensitive user data (such as contacts and SMS), as well as certain system features (such as camera and internet). Depending on the feature, the system might grant the permission automatically or might prompt the user to approve the request."
Link: https://developer.android.com/guide/topics/permissions/overview.html

Android looks at the app permissions as different permission levels:
  1. Normal permissions
  2. Signature permissions
  3. Dangerous permissions
  4. Special permissions
Each of the "permission levels" is hyperlinked to the developer documentation.

The best thing to do is look at what permissions each of your apps needs and put them on a spreadsheet. "You can view all the permissions currently defined in the system using the Settings app.

To use the Settings app, go to Settings > Apps. Pick an app and scroll down to see the permissions that the app uses."
Link: https://developer.android.com/guide/topics/permissions/overview.html#viewing
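
One way to build the spreadsheet suggested above, shown as an added example that is not part of the original post: it reads the `<uses-permission>` entries from each app's AndroidManifest.xml and writes a CSV with the riskiest levels first. The two manifests, the `com.example.*` apps, and the partial `LEVELS` table are assumptions made up for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Partial, hand-picked mapping (an assumption of this example); the Android
# developer documentation is the authoritative source for each level.
LEVELS = {
    "android.permission.INTERNET": "normal",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.READ_SMS": "dangerous",
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
}
REVIEW_ORDER = {"dangerous": 0, "special": 1, "unclassified": 2, "normal": 3}

# Constructed manifests for two hypothetical apps.
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/></manifest>"""
NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.notes.permission.SYNC"/></manifest>"""

def permission_rows(manifest_xml):
    """Return (app, permission, level) for each <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    app = root.get("package", "unknown")
    seen, rows = set(), []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name and name not in seen:
            seen.add(name)
            # Custom or unlisted permissions are flagged for manual review.
            rows.append((app, name, LEVELS.get(name, "unclassified")))
    return rows

def build_inventory(manifests):
    """Return CSV text, riskiest permission levels first."""
    rows = [row for m in manifests for row in permission_rows(m)]
    rows.sort(key=lambda r: (REVIEW_ORDER[r[2]], r[0], r[1]))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["app", "permission", "level"])
    writer.writerows(rows)
    return out.getvalue()
```

Calling `build_inventory([FLASHLIGHT, NOTES])` returns text that can be saved as a `.csv` file and opened in any spreadsheet program; a flashlight app that asks for contacts lands at the top of the sheet.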

App Permissions: Apple

Apple has a security guide which goes into great detail about their permissions (https://www.apple.com/business/docs/iOS_Security_Guide.pdf).

The document goes into great detail about all of the Apple products, their security protocols, and certifications.

Conclusion

Every day, we are putting out information on websites to manage bank accounts, get tickets, pay bills, or simply to order a pizza. Know what you are giving up by creating all of these web-based profiles and apps. Lock down unused accounts. Remove your profile from sites you no longer use. Cyber-criminals are out there looking for ways to get your data. Don't make it easy for them. Thank you for reading this blog!



This post first appeared on Nick Stockton: Be The, please read the original post: here
