As our lives come to depend on the internet and apps, it is time we try to introduce the concept of accountability.
Zoom’s meteoric rise to become the number one video-calling and conferencing app has gone hand in hand with its reputation as the most insecure video service in the world. The company, which saw over 1200% growth in daily active users until last month, has been apologizing every week for one mishap or another. First, it was vulnerabilities in the desktop app, then the leaking of account information, and ultimately it was the declaration that the company had placed its servers in China.
While Zoom has undoubtedly become a hotbed of activity and an example of what not to do, it is not the only company to go wrong. Last year, WhatsApp was in the midst of a controversy, where it was found that the service was not as safe as it touted itself to be. Facebook, as I write this, is wading through another controversy. Reports claim accounts have been breached, and information is being sold online on the dark web.
These are not the only ones to have faulty apps and systems. Under the guise of providing free or near-free services, apps are ignoring security altogether. No doubt, companies have been spending more on security, but security spending as a share of total spending has been low. A significant reason for this laxity has been the absence of government standards or regulation on companies’ security spending. While companies spent $610 billion in 2019 on advertisements, as per Group M, only a fifth of that, $124 billion as per Gartner, went to security.
Besides, there has been limited scrutiny of apps. While app stores like Apple’s and Google’s do run security checks, these are basic and only determine whether an app is infected or not. Companies invariably do not conduct vulnerability tests or independent security audits, resulting in data leakages. Despite the exponential increase in their user base, companies have been paying less to check for vulnerabilities. An analysis of bug bounty programmes (a proxy for a company’s investment in security) shows limited payouts by some of the largest enterprises. In 2018, for instance, Google paid out $3.4 million, followed by Microsoft at $2 million, whereas Facebook only shelled out $1.1 million. More important, Google’s total payout, at $15 million, has been double that of Facebook.
In contrast, Apple has been mostly silent about such payouts. Indian companies have been worse. Zomato did announce that it has paid over $100,000, but Swiggy discloses no payout figures on its website. PayTM, which is one of India’s leading financial payment firms, has a bug bounty programme that mirrors Facebook’s, with a minimum payment of Rs 500. Flipkart, which is the key e-commerce player, says it does not pay for bug reporting. Amazon also has no bug bounty programme listed on its website.
There is a need to urge such firms to spend more on security and to fix responsibility each time there is a data breach, but if governments try to do so, it will throttle innovation. A better way is self-regulation by such firms.
Although the idea has not worked well in advertising and other areas, there is a possibility that it may work to some extent in the app economy. But, for this, platforms like Google, Apple, Microsoft and Amazon, which have their own app stores, will need to come together. Google and Apple just announced a partnership to fight the coronavirus, so such a consortium is not beyond imagination. Besides, governments can nudge them to do so. After all, they have been nudged to pay taxes on digital proceeds.
Such a consortium can ensure that each new entrant contributes to a fund as per its ability, which can be determined later on the basis of downloads or revenue. This fund will support initiatives that run security checks and internal audits and make sure that apps are up to a standard. Those that don’t meet the parameters can stay listed on stores, but with a warning. The best entities to do this would be universities or independent groups that in any case have been doing free third-party audits.
As our lives now come to depend on the internet and apps, and as more companies roll out products related to health and contact tracing, it is time we try to introduce the concept of accountability in the app economy.