Why is Unintended Data Leakage and Third Party Code So Prevalent?

Almost every website, mobile app, and IoT device relies on third party code. More often than not, this necessary reliance results in undetected data leakage, which can in turn lead to regulatory action, litigation, and/or bad PR.

What is third party code?

Third party code, in this instance, refers to code or SDKs that have already been created by other developers. The use of third party code is encouraged so that a company can save time and money in the development of its app, website or IoT device.

What is the problem?

Since the vast majority of personal data comes from a consumer’s device (where the mobile app/website is accessed), and not an organization’s own data center, organizations are largely blind to the collection and sharing of this data, despite being responsible for it under laws like the CCPA and GDPR and industry requirements like Apple’s iOS requirements.

For example, let’s say you’re developing a delivery-service mobile app where customers can track drivers in real-time on a map within the mobile app. Rather than create this “map” function in-house, which will take time and resources, your developer embeds third party code for a previously created map within the app that enables this “map” function. Every time your customer views the map within your mobile app, the third party code used to create that map “calls home” to the third party developer and shares the customer’s data with this third party map developer.

The reality is that this app would also likely include a payment option, where customers can pay for your app’s services. To implement this feature, your developer would likely again rely on third party code in some capacity. Odds are, the third parties that developed the map and payment features also relied on additional third party code, which means even more third parties are introduced to your app. And the cycle continues.

Identifying Data Leakage

The above illustration is just one of many examples of inadvertent data leakage. Through NT Analyzer we are working with clients on a daily basis to help identify and mitigate these problems to help them comply with their data privacy obligations. For example, through NT Analyzer, organizations can see all third parties and data associated with their mobile app or website, enabling them to manage data privacy risk by either entering into relevant agreements or removing the third parties from their mobile app or website.
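The delivery-app scenario above can be checked in practice by capturing the app's own network traffic on a test device (through an intercepting proxy) and sorting every request by the domain it goes to. The script below is an added example written for this post; it is not NT Analyzer and not code from the authors. It works over a small constructed capture with invented placeholder hostnames, treats `example-delivery.test` as the first party, and reports which personal-data fields (location, e-mail, device identifier) reached each third party, including the analytics endpoint that the map SDK pulls in on its own.

```python
"""Audit captured app traffic for personal data sent to third-party hosts."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: what an intercepting proxy on a test device might log
# for the delivery app described above. All hostnames are invented placeholders.
CAPTURE = [
    {"method": "POST", "url": "https://api.example-delivery.test/v1/orders",
     "body": '{"order_id": "A1", "email": "jane@example.test", "lat": 40.71, "lon": -74.0}'},
    {"method": "GET",
     "url": "https://tiles.example-mapsdk.test/tile?lat=40.71&lon=-74.00&device_id=abc-123",
     "body": ""},
    {"method": "POST", "url": "https://pay.example-payments.test/charge",
     "body": '{"email": "jane@example.test", "amount": 1299}'},
    # Fourth party: the map SDK itself embeds an analytics SDK that phones home.
    {"method": "POST", "url": "https://collect.example-analytics.test/ev",
     "body": '{"device_id": "abc-123", "screen": "map"}'},
]

# Domains the app owner operates; everything else is treated as a third party.
FIRST_PARTY = {"example-delivery.test"}

# Field names that commonly carry personal data (extend for your own app).
PERSONAL_KEYS = {"email", "lat", "lon", "device_id", "phone", "name"}
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host.

    Simplification for this example: a real audit should use the Public
    Suffix List so that hosts under suffixes like 'co.uk' group correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def extract_fields(record: dict) -> set:
    """Collect personal-data field names present in the query string or JSON body."""
    found = set()
    url = urlsplit(record["url"])
    for key, _ in parse_qsl(url.query):
        if key.lower() in PERSONAL_KEYS:
            found.add(key.lower())
    body = record.get("body") or ""
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if isinstance(payload, dict):
        for key in payload:
            if key.lower() in PERSONAL_KEYS:
                found.add(key.lower())
    # Catch e-mail addresses even when the field name gives nothing away.
    if EMAIL_RE.search(body) or EMAIL_RE.search(url.query):
        found.add("email")
    return found


def third_party_report(capture: list, first_party: set) -> dict:
    """Map each third-party domain to the sorted personal-data fields it received."""
    report = defaultdict(set)
    for record in capture:
        domain = registrable_domain(urlsplit(record["url"]).hostname or "")
        if domain in first_party:
            continue
        report[domain] |= extract_fields(record)
    return {domain: sorted(fields) for domain, fields in report.items()}


if __name__ == "__main__":
    for domain, fields in sorted(third_party_report(CAPTURE, FIRST_PARTY).items()):
        print(f"{domain}: {', '.join(fields) or 'no personal fields detected'}")
```

Run against a real capture, the report is the list that the post describes: every third party the app actually talks to, with the data each one received, which is what you need before deciding whether to sign a data processing agreement with that party or remove its SDK. The domain grouping and the field-name list are deliberately simple and should be tightened for production use.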

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.


Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.


Author Wenda Tang

Wenda Tang is a lawyer in the Washington, DC office, where she is part of the Data Protection, Privacy and Cybersecurity practice group. Wenda focuses on drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, DPAs, advertising agreements, and non-disclosure agreements. She also assists clients in complying with data protection and privacy laws, such as the CCPA, GDPR, HIPAA, GLBA, COPPA, CAN-SPAM Act, and TCPA.
