Privacy and security: Two sides of the coin

Published by Phil B on January 28, 2013

Privacy-Day-2

Smartphones like the Nokia Lumia 920 spend all day sending data back and forth. This is obvious when it comes to things like email and social media, but your handset is a lot smarter than that. Apps send usage data so developers can improve them in future, other apps keep track of your location, and all of your details need to stay private, to remain secure. This is something that’s particularly relevant today, as 28 January is Data Privacy Day.


So what is privacy and security all about on a mobile phone, and how does it affect you as a user? Just as importantly, how does Nokia ensure you can trust its products? We’ve been talking to Janne Uusilehto, Director of Nokia Product Security and Mikko Niva, Nokia’s global privacy counsel to find out.

How does privacy affect Nokia and Nokia users?

Mikko: “Nokia’s privacy policy is all about being open and transparent about our privacy practices, collecting only data that is necessary for our business, providing meaningful choices to our users and taking the security of our user data very seriously.”

“We apply privacy by design to ensure privacy is integrated into our products right from the start. We don’t sell or share personal data without user consent. We don’t give user data to authorities unless we are required to do so by local law. We strive to offer a fair value to users in exchange for their data. We also work actively with regulators and industry.”

Privacy-day-1

So where does security come into the equation?

Janne: “Security is creating certain controls to protect all assets we have in the device. It’s also protecting service providers, it’s protecting the authentication of the user, or even the identity of the users.”

“I have to deliver a functional security platform to Mikko, including a whole framework of processes, people technologies, instructions, standards and more, so he can execute his privacy policy. So Mikko is giving me requirements on what kind of security controls of what levels of robustness he wants me to deliver in order to have good privacy. There’s no privacy without security, although security is also about protecting other assets.”

Mikko: “Close collaboration between our security, privacy and data organizations is of the essence for Nokia to reach its business objectives while respecting privacy and security of our users.”

Nokia Lumia 920

What does it mean for Nokia products and services?

Mikko: “This is about so much more than just telling users that some data is being collected. We are actually applying privacy early into our operations through appropriate privacy engineering and assurance activities. We have dedicated privacy resources in our units who work towards common objectives. In fact, we have a full privacy program with proper executive oversight, policies and processes with a lot of focus on awareness and training activities.”

“Last year we introduced robust privacy requirements to mobile application developers who publish their applications through Nokia Store. This was a major milestone in bringing more and more privacy into the ecosystem. Today, all applications that are published through Nokia Store are subject to these requirements. Non-conformance leads to rejection of the application.”

Janne: “Also the environment for Lumia phones is quite well protected. It’s not possible to download applications from anywhere outside the Windows Marketplace, so therefore there’s a level of control. That’s the whole idea of security; the consumer is having a role to play in the protection of data, we give them meaningful protection in technical terms, but we also give a certain level of freedom to do whatever they want with their devices.”

Privacy-Day-3

How does Nokia compare against other manufacturers when it comes to security?

Janne: “Balance is the thing the whole industry is working on. At one end is Android, with fewer controls, and users can do almost everything. The user is responsible for many of the security related decisions and the consequences. At the other end is Apple, and it’s much more limited to what you can put there without Apple’s approval. They are giving more control but less freedom, and that’s why Apple devices are under heavy attack to be jailbroken as quickly as possible. Our approach is somewhere in the middle.”

“You make a good business with open platforms, but then the user is getting more responsibility. You make good business with a closed environment, but the user is losing their freedom.”

And what about the rest of the industry?

Janne: “Nokia has been very proactive in the security area: we’ve been an industry driver over the past decade. Also in policy forums, and sharing security activities over SAFECode (a software forum for driving security) and security management principles, we’ve found that Nokia has been the leading mobile phone manufacturer, taking this area very proactively.

“Many industry players are more or less solving problems one by one, but we have been pretty good in our proactive internal awareness programs and engineering efforts. Awareness of security and privacy among users will increase in the future, and the industry is responding to that demand.”

image credit: AZRainman, Ssuaphotos, Leo Reynolds

Comments

  • realjjj

    How about Nokia’s Xpress Browser decrypting https? Nobody should mess with that and regulators should stop you if you don’t have any trace of common sense.
    And how about the OS you use,you have no control over it ,how about offering a proper online storage where data is encrypted on the device , Why should the user have to trust someone with their data instead of just making sure the data is not accessible to whoever provides the storage.

    • C38S

      Isn’t that what all those types of browsers do? Opera mini, the blackberry browser, etc. AFAIK it’s called SSL Bridging and is in lots of corporate servers.

  • http://twitter.com/mikk0j MIKK0J

    Just curious, as potentially upcoming Nokia user: You say “We strive to offer a fair value to users in exchange for their data.” – What do you offer then as value for such data?

    As far as I understand there is 2 separate thingys. First, there is data I deliver to you or your e-shops/stores for making transactions, store data within clouds etc. that contains identification information.

    Then there is data containing my personal mobility, application usage, interests per them etc. – that can be defined as personally identifiable information and defines me as a customer for You in more detail.

    I do not see what is the VALUE is offered back based on exchange of my personal info? The value for any service provider is known well, but how this information could create fair value in exchange of the data, how you measure the value of data and its potential re-usability in future?

    Going back to the trust appetite question – I believe Nokia does everything possible to make service as secure as possible and convenient for end user as well.

    Oh – and making sure: Banks did outsource part of the operational security for end users will in some 14yrs ago. Do not implement same idea, please.

    My final question is: how far the trust and mutual understanding of the data in exchange (my personally identifiable information) goes in depth, may I authorize how its being used in future and whom is able to access it?

    :)