We hear of issues between Apple & the FBI, Facebook & the Brazilian authorities.
I think this is an issue that will determine how we look at our users’ privacy protection as software entrepreneurs going forward.
I also think it concerns members of this community more than we wish to admit. More so because we never know when our local authorities will require us to allow them to hack our platforms to “aid investigations”.
I’m starting this thread mainly to educate myself, as I envisage potentially useful advice from members of the radar community, on how we can ensure we are covering our bases as providers of software-as-a-service or marketplaces.
I was going to start a thread on the issue between Apple and the FBI. The consequences of Apple hacking the phones have serious implications. If they should agree to the government’s demand it will likely put millions of iPhone users at risk.
To be honest, I don’t think there are short-term threats for Nigerian startups arising from this. Mainly because our government is largely incompetent when it comes to this sort of thing. Do they have enough technical people to even use the data? Of course they could always do what they do best in situations like this, hire a foreign firm to do it.
The likely reason any Nigerian govt will push in this way wouldn’t be for national reasons (e.g. security) but for political self-survival (e.g. elections). So they’re still likely to need to lean on FB, Twitter, WhatsApp etc. Not our specific problem.
Of course there are some risks. E.g. platforms with millions of eyeballs like LIB, Nairaland have potential. So if they ask them to provide the IP address of user xxxx, I don’t know if they can resist. Also local server companies might be on the firing line. E.g. ‘shut down that website now!’ the answer might be ‘Yessir!!!’. In all, chances of any of this happening are low. Not because govt doesn’t have the power, but because they’re clueless. And I’m being generous when I say ‘clueless’.
However @ImagelessBean the end of the question referring to our role as SaaS or marketplaces is good.
Because our ecosystem is still developing, best practices for security are still in their early stages. This is more of a present threat than govt. Let’s pick one area which is hot right now as an example; fintech.
Because I’m generally a good guy, I will just talk generally without mentioning names. But there are horrible examples of firms in this space not even doing the simple basics. Stuff like https, relevant PCI compliance, money laundering checks etc are not done. That’s borderline insane for firms not to consider this stuff. Why is this even important? Because there’s more risk of some hacker stealing people’s money than govt telling you to provide data.
Then as an ecosystem we need to look closely at micro privacy protection risks within our startups like: is data anonymised, access rights within the organisation, keeping/deletion of data etc. If you look at the fiasco with Uber’s god view or even Bloomberg using their terminals to spy on Goldman’s traders, then it is easy to see how privacy protection is a big deal.
I’m not even sure IP addresses have any value whatsoever in tracking anyone down in Nigeria. Our internet access is pretty much 100% wireless, and unless you’re surfing from an office on a fibre link, all they can get from the IP is oh, the guy who posted that lives in Lagos. That is unlike the US where pretty much everyone is on cable and IP addresses can resolve to a block of flats.
This is both accurate and worrisome. Even more so when everyone around you seems so lackadaisical about it when you share your concerns. At least Uber had to create a god view into their admin backend; pretty much every[1] Nigerian company deep dives into production databases (phpMyAdmin, etc) like it’s a right, thus rendering whatever audit logs they may have coded into their application moot.
[1] I say every because I am yet to find one who doesn’t. Feel free to counter this if proper policies are put in place to effectively prevent this in your organization.
For us, what we did is have a lot of debate about what’s right. We had to consider what’s ‘right’ not just for us, but from the customer’s angle and best practice. Then document what we’ve agreed.
A practical example of a privacy dilemma we’ve faced is ‘how do we get access to a customer’s store’. We were faced with 2 choices:
1. The customer should have right to absolute privacy and we can’t access it without prior permission.
2. But if we don’t have unrestricted access, how do we proactively resolve issues before the customer even notices?
We settled for no. 1. And yes, we ran into hiccups as it meant we couldn’t get around as we would like (trying to work around this - see screenshots). But this was ‘right’ for the customer.
IMHO, if the top people in a startup don’t see privacy as important, especially when small, it creates all kinds of issues when they get bigger. So this should be approached from a self-preservation angle. It’s a pain in the short term, but worth it long term.
Everybody definitely doesn’t have admin access to data. That’s totally ‘over my dead body’ type of scenario. We’ve restricted to a few people on a ‘needs to know’ basis.