This article is a synopsis of John Elliott's keynote at RSA Conference 2023, "Regulation and Risk When Your Customer’s Browser Leaks Data."
When I say that I'm worried we've broken the internet, people often think that I'm perhaps over-exaggerating or worse, a little unhinged. Let me assure you this is not the case. But I am concerned that we've broken some of the security of the internet. And if you can spare me a few minutes, I'll explain.
How the architecture of the internet has evolved
Over the last ten or so years we've changed how the web works. We've moved a large part of the intelligence of the internet from web servers to the web browser like the one you're using now to view this blog post.
Ten years ago, if I had a web page on my site that needed to look up a zip code, or to error check a form, I'd have the user enter the data in their browser, post the data to my web server where I'd do the lookup or validation, then send a fresh page back to the browser. That's not how we do things now.
Where these changes cause security issues
Four JS data-leaking behaviors that cause business issues
1. Covert data leakage
There's been significant research into this type of data leakage in the healthcare industry because it provided advertisers with the ability to target medically vulnerable users with adverts for non-regulated medical products.1
2. Misconfiguration leakage
3. Unintentional leakage
4. Criminal leakage
A new attack surface has been created
To summarize the problem, we've created a new attack surface that can be used by legitimate entities such as advertising and tracking networks and by illegitimate entitles such as hostile nation states and criminals to extract data from web applications. At some stage we're going to have to work out how to secure this.
Review the code to make sure it we understood its behaviours and what data it had access to
This is a hard problem, and because of the potential for data leakage it has not gone unnoticed by regulators. As a direct result of the research into health data leaking to advertising and tracking networks, the US Department of Health and Human Services has made it clear that such data leakage is a clear violation of HIPAA7, and hospitals have had to issue breach notifications to affected patients.
How IT and risk teams can start tackling the issue
The next stage is to work out how scripts get added to the site. That's quite easy for first-party scripts because they do typically go thought your existing change control process. However, third-party scripts are often added to the site by digital or marketing teams using script management platforms such as tag managers which were intentionally designed to defeat change control8. What's important here is to work out who in your organisation owns each script – if hypothetically you wanted to remove the script from the site, who would you ask?
Conclusion: Deal with data leak risks before regulators get involved
As an industry we haven´t really addressed the risks associated with the way we now build web applications by assembling hundreds of small scripts in the customer's browser. Any one of those scripts can leak data, intentionally, accidentally or because they've been compromised by a threat actor. Organisations are going to have to manage this risk in the future, and if they don't do it voluntarily, regulators will enforce it.
1. Health advertising on Facebook: Privacy and policy considerations. Patterns. Vol 3, Issue 9. September 2022. Downing A, Perakslis E. https://www.sciencedirect.com/science/article/pii/S2666389922001726
4. Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. Proceedings of the 31st USENIX Security Symposium (USENIX). August 2022. Senol A, Acar G, Humbert M & Borgesius FZ https://homes.esat.kuleuven.be/~asenol/leaky-forms/
5. Visa Biannual Threats Report. December 2022. https://cdn.visa.com/dam/visa/vgb/visanotification/PFD-Biannual_Report_December_2022_Public-ACCESSIBLE.pdf
8. https://business.adobe.com/blog/basics/tag-manager : "A tag manager shortens web development cycles. It frees up developer time so they can do other important work instead, and allows marketers to gather, organize, and manage website data better.”
5 keys to successful organizational design
How do you create an organization that is nimble, flexible and takes a fresh view of team structure? These are the keys to creating and maintaining a successful business that will last the test of time.Read more
8 ways to stand out in your stand-up meetings
Whether you call them stand-ups, scrums, or morning circles, here's some secrets to standing out and helping everyone get the most out of them.Read more
Technology in 2025: Prepare your workforce
The key to surviving this new industrial revolution is leading it. That requires two key elements of agile businesses: awareness of disruptive technology and a plan to develop talent that can make the most of it.Read more