It is often assumed that privacy and security fit together like a hand in a glove. After all, confidentiality is vital to information security.
However, when it comes to securing your web apps from bot traffic, the fit isn’t quite as clear cut.
When detecting and managing bots, people often focus on trying to identify who is a real user and who is not. So, what do you do about all those clever bots that go around deliberately mimicking human behaviour? Or what about those good bots that promote your website? Maybe you are asking the wrong question.
Are you human?
I once overheard a frustrated DevOps engineer joke that they wanted the ability to turn on a webcam to verify when their site visitors were real people.
While this is an extreme example, it neatly illustrates a very real challenge: how do you verify the legitimacy, or humanness, of a user while respecting their privacy?
Are you asking the right question?
Not only is this approach flawed, but with consumer privacy concerns growing, the idea of injecting additional third-party code designed to track a user’s every move is not always palatable. Even if we put the privacy angle aside in favour of security, clear technical challenges remain.
Bot operators can reverse engineer the tests and pass them by simulating human responses, or even by harnessing human click farms for genuine user behaviour. Vendors respond by adding more invasive tests, which are bypassed in turn, and an unwinnable game of cat and mouse ensues.
On the flip side, just as in Blade Runner, there are also good bots with a vital part to play in promoting websites and automating services, and you risk blocking them too.
Does anyone respect your privacy?
These same user fingerprinting features are also used by sites to track users across the internet without cookies, bypassing privacy settings. In response, browser developers are beginning to limit the ability to fingerprint users. Over the last few months, Safari, Chrome and Edge have all announced new privacy and anti-tracking features that give consumers better protection from invasive tracking and fingerprinting techniques.
In a recent blog, Google stated:
“Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice. This is why Chrome plans to more aggressively restrict fingerprinting across the web.”
On mobile devices the privacy vs security problem deepens, as bot management vendors often require SDKs to be included that monitor all kinds of device information, such as location and movement as well as a variety of other sensor data, just to determine whether the user is real. Suddenly, a once simple mobile app is requesting an alarming number of permissions, which ultimately puts a dampener on adoption.
Can privacy and security work together?
Yes. At Netacea our smarter bot management solution respects the privacy of our customers and their end users.
Our Intent Analytics engine, powered by machine learning, is designed to ask the right question. By consuming log data, we uncover the intent of the traffic: we detect what visitors are doing on your applications in order to identify bots and bad actors. This means our customers don’t need to deploy additional code that affects user privacy or experience; instead, they can be confident that our single solution covers the entire attack surface of browsers, mobile apps and APIs.
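As an added illustration of what server-side, log-only intent detection can look like (this is example code written for this page, not Netacea's Intent Analytics engine or any code from the original post): the script below parses constructed combined-log-format lines and classifies each client purely from request behaviour, with no client-side script, permission prompt or fingerprint involved. The thresholds, the verdict names, the sample IP addresses and the timestamps are all assumptions chosen for the demonstration.

```python
"""Heuristic bot-intent classification over web server access logs.

Assumptions (not from any vendor): combined log format input, the
thresholds below, and the three verdict labels. Sample data is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

MIN_REQUESTS = 3      # assumption: below this we do not judge a client
RATE_THRESHOLD = 1.0  # assumption: requests per second that a human rarely sustains


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Return a Request for a well-formed combined-log line, or None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip rather than crash on junk lines
    return Request(
        ip=m["ip"],
        ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        method=m["method"],
        path=m["path"],
        status=int(m["status"]),
    )


def classify(reqs) -> str:
    """Label one client's requests by behaviour alone: rate, path diversity, login failures."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    n = len(reqs)
    if n < MIN_REQUESTS:
        return "insufficient_data"
    span = max(1.0, (reqs[-1].ts - reqs[0].ts).total_seconds())
    rate = n / span
    login_failures = sum(1 for r in reqs if r.method == "POST" and r.path == "/login" and r.status == 401)
    distinct_paths = len({r.path for r in reqs})
    if rate >= RATE_THRESHOLD and login_failures / n >= 0.5:
        return "credential_stuffing"   # rapid, repeated failed logins from one client
    if rate >= RATE_THRESHOLD and distinct_paths / n >= 0.8:
        return "scraping"              # rapid sweep across many distinct pages
    return "likely_human"


def analyze(lines):
    """Group parsed lines by client IP and return {ip: verdict}."""
    by_ip = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r:
            by_ip[r.ip].append(r)
    return {ip: classify(reqs) for ip, reqs in by_ip.items()}


def _clf(ip, second, method, path, status):
    # Constructed combined-log line at 10/Oct/2023 13:55:SS UTC (sample data, not a real capture)
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: three clients with different intents plus one junk line.
SAMPLE_LOG = (
    [_clf("198.51.100.7", 36 + i // 2, "GET", f"/product/{i}", 200) for i in range(12)]  # 12 pages in 5 s
    + [_clf("203.0.113.9", 10 + i // 3, "POST", "/login", 401) for i in range(8)]         # 8 failed logins in 2 s
    + [_clf("192.0.2.5", s, "GET", p, 200)
       for s, p in [(0, "/"), (15, "/product/3"), (40, "/cart"), (50, "/checkout")]]      # 4 requests over 50 s
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

The point of the example is where the signal comes from: every feature is derived from records the server already keeps, so nothing extra runs in the visitor's browser or app. In production the fixed thresholds would be replaced by a learned model and a sliding time window, but the privacy property is the same.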
Take back control over your system.