PracticeBetter provides relevant, timely information for law firms and legal technology consultants.
 Follow us on twitter |
|
Who’s Watching You?
Posted in Practice Management
The Carrier IQ news story has illuminated an otherwise unknown privacy issue and the right of entities (corporations and governments) to “watch” our behavior while using their software and/or device. The wireless Internet has served to exacerbate the ease at which this information can be collected, centralized and used to benefit the entities collecting your information.
Software vendors place value on these usage statistics. The most common justification (for collecting the data) is to help the software company learn about usage patterns and user behavior. This agnostically (purportedly) aggregated research helps the service provider prioritize where they spend their future marketing and development resources.
The problem can be significantly magnified by cloud software implementations, especially cloud-based multi-tenant applications (such as Salesforce.com). But even smaller cloud implementations, like those based on Microsoft’s Azure or Amazon’s EC2 platforms, can monitor their customer’s usage statistics as they are tracked through the database and hardware systems shared by thousands of different companies with potentially millions of users.
Microsoft is usually very transparent about the process of collecting information. You may recall the way some of their applications prompt, asking if the software can monitor and report to Microsoft your usage behaviors. To my recollection I have never accepted these terms and always say no when asked.
Another example of transparency is Salesforce.com’s monthly usage analytics. Salesforce.com analytics are delivered to your firm's administrator on a monthly basis and help your firm understand the way you use their service.
At the end of the day you can augment your fiduciary responsibility by understanding the potential exposure of what may be considered "private behavior" to third parties. A good place to start is by asking your software vendor(s) the following questions:
Does your Software/Service monitor my usage in any way?
1. Is the information sent to or kept by the Software vendor?
1.1. Is your policy stated in the software Terms of Service?
1.2. Does your product explicitly require users to “opt in”?
1.3. Can it be disabled? How?
2. Is the information stored locally in log files or logging applications?
2.1. Where is it stored and what accessibility does it have?
2.2. Can I delete the data? How?
3.What specifically do you monitor?
3.1. Do you validate our licensing over the Internet?
3.1.1. Just once or on an ongoing basis?
3.2. Do you implement Session Tracking and/or Login Attempts.
3.2.1. Success/Fail
3.2.2. Date
3.2.3. User
3.2.4. IP Address
3.2.5. License Key
3.3. Usage during session.
3.3.1. Do you have the ability to capture application data?
3.3.2. Do you monitor explicit usage of application functionality?
3.4. Do you have the capability to track usage patterns over a period of time?
3.4.1. How long is the information kept?
3.4.2. How is the information safeguarded?
4. Is the information tied to our license as an entity in your data?
4.1. Can any metrics or data be tied to our vendor account in your system?
5. Is my information combined with other information your company has collected (from other sources) such as court records and financial history?
6. Can my information be sold to a third party? Is it?
7. Is my information used in other departments or divisions of your company?
7.1. With whom is my information shared?
