In April of this year, Mark Zuckerberg was in a congressional hearing hot seat, answering questions about Facebook and data privacy. One of the many items discussed was what happened with Cambridge Analytica, the political data firm used by the Trump 2016 campaign. In 2013, an online personality quiz application called “This is Your Digital Life” was created. This quiz was used in 2014 to collect a massive amount of information from Facebook users. The application took advantage of an overly-permissive-at-that-time Facebook Application Programming Interface (API).

This API collected information from the users who ran the application and also from their friends (and apparently also friends of friends based on the numbers). There were approximately 270,000 people who ran this application which harvested information from 87 million users! A breach of information on this scale generally indicates a software problem, which is what happened here. In late September, another Facebook breach was announced followed by an announcement about a Google+ problem (Google’s failed attempt at a Social Media application that is now being shut down). These are serious concerns, but this issue also highlights the more routine, but critically important issue of how you grant access to your data by using various applications.

When you install an application, you are generally granting the program access to information. Applications that are installed on PCs generally run using your permissions and have access to whatever information you yourself have access to. This is why it is important to perform due diligence and be confident that what you are installing is good and safe. When you purchase software, you are purchasing a product, but with free applications, commonly you are the product. While advertisements are the most common means of monetization, some software may be taking a more nefarious approach, so caution is always advised.

When installing an application on your smartphone, you are typically interrogated. You must decide if you wish to agree to the permissions that the application is requesting. Access may include things such as access to your camera or your location. It is important to read these requests, ensure that they make sense, and understand what you are agreeing to. If it doesn’t make sense, just say no! If you install a game on a phone that has business information on it, and the game requests access to your contacts, you probably do not want to approve that permission. If this were to happen, you probably do not want to run that game at all.

Applications may request information at any time, not just upon installation and very conspicuous pop-up requests should be presented on your phone whenever a new type of permission is requested. There must be a good reason for you to grant the access that you do. Additionally, when access is requested, you must be comfortable with the application and the company behind that application. The company’s privacy policy and any terms of service may help you in making your determination. Always consider the source of any software you install and why the developer makes this software.

Additionally, there are various applications that integrate with services such as Office 365, GSuite, or Gmail. These applications should result in interrogations that deserve careful consideration. There may be a good reason to grant access to your contacts, calendar, and email if you trust the software and the company. However, if you have any doubts, don’t approve the permission request.

You may want to review applications where you have already granted access from time to time to ensure that you still need to grant that permission. Revoke permissions from applications you are no longer using.

screenshot of Office 365 security settingsFinally, you may want to review the policies for your overall firm within Office 365 or GSuite. Office 365 and GSuite provide some ability to report, review, and restrict the granting of permissions to integrated applications throughout your entire firm. An ounce of proactive planning and prevention is worth more than a pound of data breach cure.