Security Sense: Here's why we're So Worried about Data Retention

We're sharing more data than ever either by opting into collection or implicitly through the services we use, but what happens when it all goes wrong?

Troy Hunt

May 15, 2015

Regardless of where you are in the world, your government is considering how much of your data they can store and monitor. We’ve just passed our own rather controversial metadata laws down here in Australia and the same discussions are being had in governments across the globe because, the creepy side of siphoning up user data aside, it’s enormously powerful for law enforcement.

Of course, data collection is also extremely valuable for commercial entities, and the more of yours they have, the better they can “tailor products to specific customer needs”. You may also interpret this as “the more money they can make by selling more stuff” and in fairness, both statements are usually true.

But the worry always remains – what are they actually going to do with this data? Could it jeopardise my own personal privacy? Who has access to it? You’ll normally see all sorts of levels of reassurance along the lines of privacy control this and encryption that and “we take security seriously yadda, yadda, yadda” but the fact remains that once someone has this data there’s a chance – even if only a small one – that they’re going to lose it.

And so it was with mSpy, the “#1 monitoring software for all your devices”, who, according to Brian Krebs, has had somewhere in the order of several hundred gigabytes of their customer data leaked online. We’re talking 400,000 customers with IDs, passwords, physical movements, payment info, personal photos, email threads and inevitably, highly personal discussions. It’s about as bad as personal data leakage can get.

Of course collecting these classes of data is mSpy’s entire modus operandi and having the word “spy” in their name should be a good indication of how the software is actually used. People consciously using the product should have been under no illusions as to what data was actually being collected but you have to feel sorry for the “victims” who had no idea of the data collection exercise and are now rather exposed (I suspect that will be in the literal sense too given photos were leaked).

But the point of all this and the relationship to government and more ethical data collection exercises is that mSpy were adamant they had the right security practices in place to protect against this sort of incident. In fact even just this morning using their live chat feature, they told me this when I asked about how the data was stored:

All the information is stored on our server encrypted and secured

Once the app is installed all the data is transmitted to your personal Control Panel/account at mspyonline.com

All the information is secures [sic] and neither mspy staff or anybody else has access

Well I’m glad we cleared that up! “Motherhood” statements about how important your data is abound in this industry not just to reassure prospective customers that the service is safe, but frequently even after the horse has already bolted. “We take customer security seriously” is a near ubiquitous line that emerges in post-breach defence mode when clearly, it wasn’t taken seriously enough in the first place.

Whether it’s government or perfectly ethical big corporate or the shadier side of online monitoring, the fact remains that once data is collected, it can be lost. That’s why we’re worried, and rightly so, because the only way we can be certain the data won’t be lost is if someone never has it to begin with.
