Unboxing Logistics: An EasyPost Podcast

Ecommerce Cybersecurity Strategies With Iskander Sanchez-Rola From Gen - Ep. 10

October 25, 2023 | 49:44

In This Episode

In case you haven’t heard, October is Cybersecurity Awareness Month! This episode of Unboxing Logistics focuses on the importance of cybersecurity in the ecommerce space.

What are the risks? What responsibilities do businesses have to protect consumer privacy? Iskander Sanchez-Rola, director of privacy innovation at Gen, joins Lori to answer these questions and more.

Web tracking—good or bad?

Web tracking involves monitoring and collecting data about users' online activities. Tracking can have visible results (like targeted ads), but it’s also used in the background for data analysis or data sharing between companies.

So, is web tracking bad? Not necessarily. As Iskander explains, everything comes down to choice and transparency. “I'm not explicitly saying that web tracking is bad, because it's not. What we are saying is that we should allow the users to decide what is happening.”

The consequences of neglecting cybersecurity

Though Iskander is quick to point out that he’s not a legal expert, he knows that neglecting cybersecurity is never a good idea. If an ecommerce store doesn’t protect its customers’ personally identifiable information (PII), it can face major legal repercussions—not to mention a damaged reputation.

Is your data secure?

Sometimes, business owners aren’t sure if their sites are secure—with cookie ghostwriting, it can be hard to tell if third parties are tracking user data. Iskander recommends digging deep and looking for signs of unusual activity on the backend of your site.

If bad actors do get away with tracking user data via your site, you could be in trouble. “[The trackers are] not controlled by you, which means they can … attack the privacy of your customers.”

Transcript

Lori Boyer 00:00 

Welcome back to Unboxing Logistics. I'm Lori Boyer and I am the host of this podcast here from EasyPost where we talk about all of the different issues and challenges facing those in the logistics industry. And today I am really thrilled to have with me all the way from France, Iskander Sanchez-Rola.

Iskander, can you say hi? 

Iskander Sanchez-Rola 00:31 

You said it perfectly. You said it perfectly.

Lori Boyer 00:33 

I did? Okay. You're, he's so nice. I'm sure all of my, my Spanish my Spanish viewers out there are, are grimacing. Iskander is joining us today from a company called Gen, which you may have not heard of, but actually is the parent company for a whole bunch of companies you definitely have heard of.

And that's because our topic today is all about security. October is Cybersecurity Month, and it is the perfect time for us to talk about the importance of security and making sure your ecommerce sites are secure, making sure for you yourself as a consumer, that you are safe and secure.

Iskander, tell us a little bit about your background, where you're from, and who Gen is, and, and how maybe our, our community would have heard of those companies.

Iskander Sanchez-Rola 01:29 

Yeah, so actually, so you got it right. So I work for Gen. I'm actually the Director of Privacy Innovation for Gen. And Gen is a global company that is powering digital freedom through consumer brands that include things like Norton, Avast, or LifeLock, probably you heard about them.

And actually, for the past decade, my focus has been centered on web privacy in general. That was a passion actually that began since I was a kid and continued with my doctoral research in the same very field. And today I'm here just to share my insights and my experiences in this ever evolving landscape of online privacy and security. So I'll be happy to answer any question to discuss anything.

Let's go with it. 

Lori Boyer 02:11 

Okay, that sounds awesome. So, we have such an opportunity today with Iskander here because he is an expert in terms of privacy, but first I want to go back. You said you've been interested in this since you were a kid. How, how did that happen? How were you interested in privacy when you were young?

Iskander Sanchez-Rola 02:29 

That's, that's a great question because I don't know how to answer it to be honest. It's just that even when I was young, so I'm not so young anymore, but when I was, social networks existed also. They were not the things that they are now. They have different names. They are specific all the different features, but they were there.

So since the beginning, I was already seeing the problems that like posting things, talking about things could have, and that was already a problem. Having like impact on my head, like, okay, this, this is public. People will see this. People will represent this. And then already even tracking was not the biggest thing because the Internet was not huge at that moment either, but already was started to get into it.

Right. And people were already discussing this kind of things. So since then, I started thinking about it, and as time passed, I started thinking even more about it, and then seeing how the economy, how the internet grew, and all these privacy risks that were associated with it. And I thought, like, I want to be there.

I want to help people. I want to, like, help all these people. Because at the end, like, we have to think that privacy is a fundamental right, right? So we assist individuals in safeguarding their right to privacy. So that was my desire, and that's what I'm working on. I'm very happy doing it. 

Lori Boyer 03:42 

Okay, awesome. I love that so much.

I, I'm just so grateful that there are super smart guys like you out there working to help us figure it out. But before we get started fully diving into this topic we'd like to get to know our guests just a little bit. And so I'm going to ask you a few this or that questions and you can let us know which you prefer.

And of course, as always, community, feel free to let us know and respond on, on what your thoughts are on these. But okay, Iskander, question number one, would you rather have a surprise party or would you rather know that you're having a party coming? 

Iskander Sanchez-Rola 04:22 

I would go for the surprise party. Surprises are never bad. So let's go with it. 

Lori Boyer 04:27 

Good. Good. Most people I ask say that they don't want the surprise. They don't like to be caught off guard, but that means you're, you're super fun. I love it. Would you rather play, let me ask you first. What is your favorite sport? 

Iskander Sanchez-Rola 04:39 

Well, actually this is unexpected as I'm a European, but I would say American football or football.

Lori Boyer 04:44 

Oh, American football. I love it. Okay. Would you rather play sports or watch sports? 

Iskander Sanchez-Rola 04:51 

In that case, I would say, watch it. 

Lori Boyer 04:55 

You don't want to get hurt, huh? Do you, are there any sports you like to play? 

Iskander Sanchez-Rola 04:58 

Yeah, actually, I climb, but to practice, then actually watch it. But American football, I prefer to watch it.

Lori Boyer 05:05 

Yeah, me too. I love American football, but yeah, I don't play it either, so, okay. If for the rest of your life, you could have no cell phone or no computer, which one would you pick? 

Iskander Sanchez-Rola 05:20 

Oh, that's a difficult one, and I have to think for a second on that one. I would say computer, because again, it's very associated with my work, and I love it.

So yeah, cell phones are fine, but computer is the main thing that I use in my day to day, so I would say computer. 

Lori Boyer 05:35 

Yeah, we would be sad without our cell phones, but I think definitely without a computer we'd be, have a very difficult time, so I agree with you on that one. Are you a morning person or a night person?

Iskander Sanchez-Rola 05:46 

Hmm. I wouldn't know how to answer. It depends on the day, I guess. Like it depends on the day of the week and the number of meetings, I guess. So I will adapt. I don't have any problem to be both. 

Lori Boyer 05:57 

You, you do both. I know Iskander works crazy hours because he works with lots of people in California, and he's over in Europe.

So he, he's, is hitting both morning and night. And whenever, right? 

Iskander Sanchez-Rola 06:11 

Whenever is needed. I'm happy to do it. 

Lori Boyer 06:13 

You're awesome. Okay. Would you rather be too hot or would you rather be too cold? 

Iskander Sanchez-Rola 06:20 

As I'm originally from the north of Spain, the Basque country, I would say I'm very fine with being cold. You can just have an extra jacket and then, problem solved.

You cannot remove your skin if it's too hot. So I would go with the jacket. 

Lori Boyer 06:34 

That is exactly what I say all the time. There are so many people who love being hot, but I do not. I always think I can get blankets and pillows and whatever, but yeah. You get too hot, there's not much you can do. Is it warm in the Basque country or cold up there in northern Spain?

Iskander Sanchez-Rola 06:53 

Like, it's normally warm, cold, like, it's definitely not too hot, but it's beautiful. It's very beautiful. The landscapes are amazing, food is amazing, everything, like, extremely green because it quite rains, so, so, everything is very green, it's very beautiful, it's full of mountains, surrounded by mountains, so it's amazing.

Lori Boyer 07:13 

Okay, I totally have to go visit there now. I was telling you earlier I've hosted two exchange students from Spain. Shout out to Ari and Diego, Ariadna and Diego. I want to visit Spain so much, so. Okay, final question. Would you rather live in the big city or kind of in the countryside? 

Iskander Sanchez-Rola 07:30 

Hmm. That's also a difficult one because I think that like depends on the time of your life.

So right now I'm happy in a small city, like actually I live in Antibes, which is a small town next to Nice in the French Riviera. But I would be happy to go also to a big city because I don't know that difference, no? Like the grass is always greener on the other side, depending on the situation. So some days you will prefer to be alone, close to the coast and just enjoying, but then sometimes it's good to have in the city, like there are like so many plans and so many things to do.

So I guess it depends on the day. 

Lori Boyer 08:02 

Okay. You seem like a super cool person to hang out with because you are very adaptable to whatever your situation is. You can, you can be happy in the morning or the night and you can be happy in the city or the country. So I love that so much. Okay. Let's talk specifically, we're going to talk security now.

So let's think about our audience for a minute. We have in our community here, lots of people who work in logistics, but lots of ecommerce people who run businesses and obviously privacy can become a big deal. We see in the news all the time, you know, privacy breaches and that, and, and those big impacts.

What do you feel like are the biggest challenges facing ecommerce businesses when it comes to maybe privacy and security? 

Iskander Sanchez-Rola 08:52 

I think actually one of the main thing that happens is that webs are complex as sometimes even if we think like nowadays, a website is a simple thing that is just like a monolithic thing that is there.

And yes, one thing actually is extremely dynamic and it includes things from many places, which means that if you are an ecommerce website, and then you want to include code from different places. What happens is that you lose control of what you are including on the website. We generate the situation that then at the end, you have tons of people in your website, executing code and doing the stuff that you are not even aware of.

And this could be dangerous. So when you want to care about your privacy and the privacy of your customers, you have to think about this. And you have to be like extra careful when you implement your website and when you handle everything, because also ecommerce websites handle payments. And this is also important because again, those scripts or all this code that is executed from other people. How can I have access to this kind of things, for example, or even if they are not malicious per se, maybe you're including many. So it's also like some supply chain attack, for example. So they end up having some script that is malicious because one of the scripts that was included there was actually compromised.

So even if the main page was never compromised, that script specifically can be compromised. And then they can do an attack like what is called formjacking, like stealing credit cards, for example, in the payment forms.

Lori Boyer 10:12 

Okay. What are some of the big differences you see? So you've been around, as you said, 10 years or so.

You've loved security and privacy since you were young. What were the kind of attacks happening 10 years ago and how are those different to what we're maybe seeing today? Or are they the same still? 

Iskander Sanchez-Rola 10:30 

There are some things that, that are still there, but obviously many things change. Like, in the past, I would say like, if we think about the 90s or early 2000s, when you were thinking of a computer, we're just thinking of the operating system.

Now you have to think about the operating system also, but also about the browser. Because the browser executes many of the things that you do in your day to day life, right? So you have to protect against both attacks. I think the past browser was not so important. There were not so many protections. Now it's extremely important because there are many things happening in the browser.

And when I say browser, it can be browser on your cell phone. It can be a browser on your computer. It can be whatever, even in a tablet. This is like the thing that opens the door to the internet. So we have to protect users in those kinds of things. So the attack to go there. So we have to also focus on that thing when we are protecting things.

Lori Boyer 11:22 

Interesting. So if I had an ecommerce business and so what you're saying then is that when somebody is accessing my website from a browser, there are also security concerns there that are different than just on the website itself. 

Iskander Sanchez-Rola 11:40 

Yeah. So what I would say is that there are differences, for example, in ecommerce, you can have apps or you can have websites like normally.

Yes, normally, but not always apps tend to be more controlled because again, there is things that your load that websites tend to be much more dynamic. Is just part of what allows to be so dynamic, have a lot of benefits. So it's not a negative thing to be dynamic. It's actually positive. It's just that opens the door to many more attacks.

So when you are implementing things, you'll have to be more careful in this kind of things because scripts are loaded, code is loaded, and they are dynamic, so even if you trust one thing, they can load another thing that you don't trust and you are not aware of. So, you have to be careful. Like when you have your partner, for example, that you just don't take a random person from the streets.

You know someone, you trust someone, you should trust a lot what you are doing, and you have to control what is happening at all times. 

Lori Boyer 12:32 

Okay, I see. That makes sense. So when you're using an app or if you have an app, that's going to probably be a little more secure than when you're just on a browser.

There's more opportunities, but also more risks. Is that what I was hearing? 

Iskander Sanchez-Rola 12:47 

I mean, still, I wouldn't say that just the app was always super secure because apps can also be compromised. So I know that I am looking like a bit negative in this. I am not, that I don't want to, like, make the people feel like an app is extremely secure and just the website is insecure, like both are, it's just that, that could be both super secure and both zero secure at the same time.

So we have to be careful when we are doing this kind of stuff in any point. They say that in websites, they come, the idea of dynamic is much more dynamic. So, I would say that developers would be much more careful in that kind of things because they tend to include codes from other things. And in our apps, it's not so common to load resources from external parties so much.

So we have to be careful when we are doing websites and when we are analyzing websites. 

Lori Boyer 13:35 

Yeah, that makes sense. Okay, so I want to go over some of the more common kind of challenges or attacks or however we want to talk about them. And I'd love for what I'm gonna ask you, knowing my audience probably doesn't necessarily know a lot about these, I'd love for you to explain what it is and then maybe how they could address it, both as a consumer and as a business owner in an ecommerce site.

Does that work for you? Okay, perfect. So let's start with web tracking. Can you explain to me what web tracking is? And what kind of impact it has on our audience?

Iskander Sanchez-Rola 14:13 

So in a nutshell, like, web tracking is the idea of, they track you online, that's very obvious, the name already said, but what they normally associated with is with identifiers.

So the idea is, you go to a website, there is an identifier associated with you specifically, so then you are on website A, and then you go to website B, and then they can say that you are exactly the same person. Why? Because this identifier is present in both. 

They can do this with things like cookies or digital fingerprints like browser fingerprinting, which is the idea of creating identifiers based on how you have your browser or your computer. So they can identify you. So even if you delete the cookies, they will still be able to track you. So the idea is associating your browsing history through every website that you visit, like I'm not only website, but a specific actions that you take on websites.

For example, you are buying something or you are searching for something or you interacted with someone, any interaction that you are doing online. The idea of a tracker will be to try to obtain as much information that will be able to understand better. 

Lori Boyer 15:20 

Okay, so this is why when I go and search something like, oh, new exercise equipment, or I go to a website where I am trying to research, you know, some new gym equipment that then I'll suddenly get ads or suggestions all around that in different places on social media, in my email, things like that.

Is that what we're talking about here? 

Iskander Sanchez-Rola 15:45 

Definitely. Like, this is the most visual part of web tracking, like targeted advertisement. This is definitely one of the ones that are visible for a customer. The other things that happen in the background, such as analytics, or sometimes the data sharing between companies, that they are not visual, like.

Like the user will never see them, but they happen, but target advertisement is something that you can definitely see that is happening and definitely that's web tracking. 

Lori Boyer 16:11 

Okay, so what kind of impacts? Why should this matter to our audience? Is it a problem? Is it, you know, I don't mind getting those ads.

Some people might. Where does this become a challenge and a problem?

Iskander Sanchez-Rola 16:25 

Yeah, so at the end, from our perspective, and the perspective of also myself is the idea is, to allow the users to choose. Like, again, we're talking about privacy being a fundamental, right? So the idea is we are not explicitly and I'm not explicitly saying that web tracking is bad because it's not. What we are saying is that we should allow the users to have the right to decide what is happening.

And this is what laws like CCPA in California or GDPR in Europe are doing, like letting the people choose. And then if they want to be tracked, that's fine. Or if they want to be tracked by certain companies, they can do it. So at the end is like, letting the user choose. So if they want to do something and they want to be tracked, they're going to be tracked.

If they don't want to, they are not tracked. So at the end is letting the user choose and then be transparent what you are doing, because also this is associated with privacy policies and this kind of banners that they saw on the website is. We have to be transparent and companies need to be transparent of what is happening.

So then the user can consent this tracking or not, depending on that. So the idea is make it simple and clear to allow people to make decisions, informed decisions.

Lori Boyer 17:32 

Okay, that makes a lot of sense. So let's say that I have a company and I've got a great website and I might want to track people so I can retarget my ads or do some of the other things that you were saying.

What, what do I need to do to make sure that I'm being safe? And to make sure that I'm being within the legal bounds. What, what should our audience do? You know, are there very specific things that they are required to do, that they should be doing, I guess, even for best practice? I, I'm thinking things like privacy policies or let people opt in or, or what, what are the things that they should be aware of?

Iskander Sanchez-Rola 18:07 

Yeah, I mean, definitely these two that you say are like very important, like one is to allow users to read the privacy policy and try to be as detailed as you can, because also sometimes some privacy policies are very generic, so they are not saying much, so they are not actually helping the user know what is happening in the background, so it's important to be as transparent as possible, as clear and not try to make it much more complex.

I mean, still, we cannot forget that privacy policy is a legal document. So it still is not gonna be super ideal. That's why also you can have an additional approach to solve the users more specific details of what you are doing without having to read the full policy. Again, this shouldn't be a technique that you use in order to hide what you are actually doing in the policy.

In a banner, for example. The banner is fantastic, but it has to be clear. Also, when you are doing these banners, you should try to. For example, not do it like this, what they call sometimes dark patterns. This idea of trying, like, for example, the yes is like huge. And this no is so small that you can't even click it.

I mean, sometimes they do this kind of stuff. And this is definitely something that as a company you shouldn't do. And you should be as clear as possible. Also, like by default, it has to be opt in. Not opt out. So people don't have to say, I don't want, they should say, I want to be tracked. And this is things that GDPR is actually pushing and other laws that are in the same approach that are doing the same.

And I think it's the right approach. 

Lori Boyer 19:28 

Okay. I love that. So absolutely. You guys, I know it's a big temptation to try to give yourself as many advantages as you can. But in the long run, it really doesn't pay off. You'll end up getting bad reviews. You'll end up having people complain. You may even get lawsuits like Iskander was talking about, the legal issues.

So please make sure you're asking people if they want to opt in. Please make sure that your privacy policies are transparent. Transparency is so, so, so critical in our industry, in ecommerce and specifically in general, people want to feel like they know what you're doing. So I think that's perfect. I had some questions about cookies, Iskander.

So are cookies inherently a bad thing? Are they a good thing? Just, I guess, when it comes to businesses, do you recommend always asking people if they want to have cookies? Is there a reason that they would maybe never want to? Just tell me more about cookies. And I guess start by explaining what the difference is between a cookie and just general web tracking.

Iskander Sanchez-Rola 20:35 

Yeah. So actually the cookie per se is not created. It was not created for web tracking. The cookie was just created to say a settings. Let's say, so initially you could say something like, Oh, I want my background to be like red, so then the cookie will say background red. So the next time you go to the website, that background will be there.

This is one simple one, but there are many things that we actually use cookies for that will always be there. Such as logging, you log in email provider, and then you don't want to log every single time that you open an email because you are being redirected to a different page. So what will need to happen is they will need to ask for the login again, and we don't want that.

So we need the cookie that will tell you, Oh, this is Lori. So the next time you will not happen, or also when you are buying in an ecommerce website, and then you have to put products in a cart. You need a cookie. Because the next time you go there, your products will still be in the cart and you will not need to put it again.

So cookies per se are not bad. They are used for all these things and they will still be used for other things. There is a problem that happens is that we sometimes associate cookies as a general thing. And there are different types of cookies. So there are cookies that are considered first parties, which are the website itself is creating these cookies for these cases that I was just explaining.

And there are what they are called third party cookies that are cookies that are created by third parties, as the name says. And these are the ones that normally, not always, but normally are used for these identifiers that we're talking before to track people around. So we have to really know that there are two different types of cookies and when we're talking about cookies and normally the people talk about cookies and tracking, they tend to talk about third party cookies, not first party.

Lori Boyer 22:18 

So third party cookies are part of the web tracking? 

Iskander Sanchez-Rola 22:22 

Don't need to, but generally they are.

Lori Boyer 22:25 

They can be. So generally, though, a general cookie is kind of remembering all the settings and everything in the website. Web tracking itself kind of follows you from all over the web, wherever you go. Am I making it really simple, but kind of right?

Iskander Sanchez-Rola 22:41 

Yeah, it's kind of, I mean, actually, I would like to clarify one thing that we can just like talk about it. Because the thing is that I was saying this first party and third party, but I was not saying one thing that I would say now, which is they are what we were calling also cookie ghostwriting. So it's like ghostwriters when someone writes the book of someone else in the name of that person.

This happens with cookies too. And normally when they do this, they tend to do it with first parties. So the idea is this is a new tracking approach actually that relates to cookies that are set for a party, let's say mine the website, but then are actually written and created and controlled by a script that can be loaded from an advertiser for example.

So in this schema that I was saying before saying third parties are tracking, first parties may not, is not fully true because right now in order to avoid this, oh third parties are tracking so they block third parties. Some browsers, for example, then they create them as first party so that they look legit and they think that they cannot delete them because they're first parties, but in reality are also trackers.

So it's, as you see, it's like, it's very complex and there are like these intricate connections between this kind of thing. So it's not an easy task also. That's why I know that it's not easy even for websites to handle this. That's when have to be like people that try to help and understand this process the best possible.

Lori Boyer 24:00 

Yeah, so, cookie ghostwriting then. Is there a way that maybe somebody could be, you know, could it impact your ecommerce website without you knowing?

Iskander Sanchez-Rola 24:13 

Yeah, I mean, sometimes it's complex to detect this kind of situations because, as I was saying before, there is this intricate network of connections between tracking actors that exchange information between each other and actually include each other in websites.

And sometimes this happens without even the web page owner knowing. Like they are not aware that this is happening. This is what I was saying at the beginning, this thing of dynamic, right? So as is dynamic, the thing that they can do is like this tracker is in this website and he has some kind of deal or agreement with another tracker.

And we say, when I'm this website, you will be in this website too. And you will do the same in the website that you are, and I'm not. So these kinds of things happen and this happens many times without the owner knowing that this is happening, they are not aware of it. 

Lori Boyer 25:00 

So if we have somebody listening right now, and they're wondering if this is happening to them, you know, how, what do you recommend that businesses specifically do to make sure that their websites are secure, that they have, you know, that they're not having maybe cookie ghostwriting taking place that they're unaware of?

Iskander Sanchez-Rola 25:18 

Yeah, again, I'm sorry to say that it also is not an easy task, like it's something that they will need an expert that will need to analyze their website specifically, or if they have someone in the in the website that knows what are the things that were expected by them, they can make a diff, for example, and see like, oh, this is what I was expecting.

This is what is happening. Okay. There is a difference, which means that I didn't do that. So someone did it for me. And then they can say, Okay, who did it? And then they can trace back the analysis on the website and say, This was it. And then they can say, Okay, so then they can talk to that tracker, for example, that they legitly included in the website.

But then he's doing that and talk to them and say, No, you cannot do this in my website, for example, or okay, you stop that tracker from your website directly, for example.

Lori Boyer 26:02 

Okay. So what could the potential problems be? Could, you know, if somebody was doing this to your website, what, what impacts might it have on you?

Are, are we talking about maybe the information is stolen or, you know, your customers, you know, find out and, and don't trust you? What, what are the, the bad problems that could happen to you? 

Iskander Sanchez-Rola 26:26 

Actually both of them, like it could be like these additional trackers. Again, they're not controlled by you, which means that they can do whatever they want that you don't expect, and then attack the privacy of your customers without your control or anything.

So your customers are gonna be impacted directly because then they can resell this data to another tracker or to a broker or something. So they can, you, you can be impacted from the customer point of view, but also from your side you could be impacted and. This is not related to privacy, but it's something that people that work creating website care about, which is performance.

And as you are loading all these kinds of scripts and all these kinds of things, the website will go slower. So you will actually, the website that you were like fighting for to be so fast that people like the interaction is so clean, everything is fantastic because of this thing, it can actually stop being so fantastic and you are not aware even why, so it has like impacts in both sides.

Lori Boyer 27:22 

That's great. So that was my next question was how can we maybe be aware? Are there any signs or symptoms that that something might be going on. And so it sounds like one of those could be that if your website is suddenly not performing as well. Are there any other signs that people could be on the lookout for?

Iskander Sanchez-Rola 27:44 

Yes, as I say like checking the cookies that are created on the website and seeing that the number of expected by you was like I don't know ten cookies and then they are like I don't know, 100 cookies like the numbers seem crazy and I'm saying something completely crazy, but it's not like many times these numbers are very big and they create tons of cookies and they share between a lot of people. Multiple actors are involved. 

So at the end, there are a lot of cookies. So then if you see when you are analyzing your website and then you go in a browser, for example, in the dev tools, and then you see, oh, this is the website that we're creating this website and then you analyze it and say, oh, there are much more than what I was expecting.

Then you can see, okay, this is not the expected thing. And that's more from the side of the website because the customer doesn't know which ones are expected by the user, though they can also do it. Why? And we go back to the thing that we were saying before, which are banners. So if you allow the user to say, I don't want to be tracked and they reject everything, but then they analyze the website, what happens and that is full of tracking, then they will say, okay, there are two options.

Like they didn't do anything. They didn't like fulfill the promise. Or actually they are ghost trackers that they were actually included and they were doing it without the knowledge of the website itself. And again, we have to be careful because sometimes depending on the laws, the website can still be liable for this.

Because it's his duty to be sure that the website is following all the rules. So, not being able to do it also can have legal repercussions that, that website developers have to think of. 

Lori Boyer 29:14 

Okay. So, how often do you recommend that companies go in and check? Should they be going in each week and kind of looking at their website, looking at the code, having somebody, is it once a quarter?

How often would you recommend that people are, are monitoring this? 

Iskander Sanchez-Rola 29:32

So. What I will recommend is something automatic that analyzes, like, or if you do it, like, or if it's something manual, you should have like some extension, for example, that is helping someone doing the manual analysis. Maybe some initial automatic thing that analyzes one side and then more deep analysis on the ones that there is a diff.

For example, so you don't see any difference between day one and day two, then no one will analyze it manually. But then if you see something that's happening, you have to take care of it. So it depends on how you want to do it. Also, when you are implementing the website, you can try to make blockers of how, like allow things to load other things, load things in iframes, which are like isolated environments inside the website.

And you can like try to do things to avoid those kinds of things. 

Lori Boyer 30:16

Okay, so just use technology. There's just tracking software that you can use to, is that fall under the Norton or the Avast, those kind of options? 

Iskander Sanchez-Rola 30:28

We actually have analysis, like we have privacy solutions, so Antitrack, for example, that we offer that can analyze what is happening on the website and can actually even tell you situations like, okay, this script is not only there and it's a tracker, but it can tell you this script is actually here and it's doing fingerprinting, which is this advanced method that I was talking before that actually, like, identifies your specific laptop or browser.

Or a combination of both of them. So we can even say that. So if you go to your website and you analyze with our Norton Antitrack, for example, that is actually accessible for users, that they can use it just for blocking, for example, you can understand these kinds of things like this was not expected. This tracker, I don't know.

And then you can, for example, create a report, send it to the developers and say, this is not what we're expecting. Right? So we do have solutions on privacy that analyze this kind of situations, analyze websites and block this kind of tracking behaviors if the user wants to. 

Lori Boyer 31:24 

Okay. That totally makes sense. So technology, you can still have somebody looking in on the systems, but you should have something that's kind of continually monitoring.

Let's talk about the digital fingerprint that you were just talking about. Can you explain a little bit more about what the digital fingerprint is and, and how it plays a role? 

Iskander Sanchez-Rola 31:43 

Yeah, it's very important. And actually now with this, new laws that are like, again, some of these third party cookies, this thing could get even bigger.

So it has been growing in time and can get even bigger in the following years, which is this digital fingerprint, or sometimes I would say browser fingerprinting or device fingerprinting. They are like similar names. It's just a way to specifically indicate the specific case. But the idea is that they generate these identifiers based on what you have. 

For example, they can take, I don't know, the language on your laptop. The screen size. They can detect, I don't know, things that they are associated with the GPU of your computer or the CPU of your computer, specific identifications of this, like, for example, at some time we're working on detecting physical imperfections in the clock crystals of the computer, and we were able to actually create identifiers.

Then we reported this because it's something that definitely process will stop. And now this thing is stopped and doesn't work, for example. So the idea is to create these identifiers that even if you delete all the cookies or you delete everything, your browsing history, whatever, this identifier will auto generate every single time because your computer is the same.

So every time I do the same calculations, I will get the same result. So I will be able to identify you, whatever you are doing. So this, this is what is called this digital fingerprint. The thing is that this thing that I'm saying, you may think something like, okay, then this is only doing for tracking, right? The answer is no, it's not only for tracking.

These digital fingerprints are actually used also in benign ways, which is using, for example, for authentication, so situations that are actually provided to a login. So, for example, they detect that your device is different, right? So this device is different. So now you should make 2FA, for example, 2 factor authentication.

Like, I don't know, an SMS or some code that you are generating on an app so you can get it, right? And these are the uses that normally are acceptable to use in this kind of legal requirements. And when, when I was saying benign, it's not because the process of doing it is not benign at all, you can use it.

It's just that there are many restrictions on how you do it. So if the user wants to allow these kind of things and opt in to this kind of stuff, that's totally fine. It's just that sometimes it doesn't happen and they use it for tracking without actually saying it. So this is where the problem happens.

Lori Boyer 34:04 

Okay. Interesting. So the digital fingerprint actually kind of follows you beyond the website, even to your, your CPU itself. 

Iskander Sanchez-Rola 34:13 

Yeah, yeah. It depends on techniques. There are multiple techniques. So some techniques are associated with specific browser. Sometimes they are, what they are called cross browser.

So it doesn't matter the browser because at the end they are getting some identifier of the device that you are using, like, I don't know, a MacBook, for example, a specific MacBook or something. So it depends on on the technique. There are techniques that are more associated with the browser or the techniques that are more associated with the device.

Lori Boyer 34:37 

Okay, that makes sense. So we've talked about some of these different challenges. What responsibilities, either legally or even just you know, to create a good user experience. What responsibilities do these ecommerce companies have to safeguard and protect their, their customers' information?

Iskander Sanchez-Rola 34:58 

Well, I have, the first thing I have to say is that I'm not a legal expert. Of course, I know, it's about legal. So, so because I've been working on privacy, so it's impossible to completely associate these two topics that are strongly correlated. But there are implications of this kind of stuff. Because again, like we've seen many times, like they are leaked that they are happening.

There are attacks that they are happening. And then all this information that you have, if you, for example, if your protection is not proper, so for example, everything is not hashed properly, it's not salted, it is not properly encrypted in your, in your servers, then that means that when this is public, all the data for customers are going to be fully public.

Then there will be legal repercussions because that's not the way data should be because it's considered PII is information important to the user. Maybe sometimes, if you collect information that you shouldn't collect, it's also problematic because you are collecting things that you shouldn't be collecting in the first place, so that's also a legal problem.

And if you do it constantly and you are obtaining all this PII and then storing it in your servers and doing all these kind of things, there can be even more dangers if you don't protect it properly. So, at the end, there are legal repercussions. I would not like to say specifics because, again, like I'm not a lawyer, like, but there are.

And companies should know this and then they should try to protect the data of them and their customers as much as they can. 

Lori Boyer 36:22 

Okay. So what would you recommend are the first things somebody should do to make sure that they're protected, that their website is protected for their customers? 

Iskander Sanchez-Rola 36:33 

So the first thing, as I was saying, is this full analysis, like full analysis of what is happening on the website.

This is very important to be sure that website doesn't do things that you don't expect them to do. Also, you have to be careful of the data you are collecting for tracking. If you are doing it your side, how you are storing any information, even if the user opt in, you have to realize that this information is very important and it has a lot of information that is private to the user.

So you have to say that this is, have to be fully encrypted, that you cannot see some specific information, maybe like this data has to be properly protected on the server. So not only on the website itself, but when you are collecting the information, that information should be protected on the server side also.

Lori Boyer 37:14 

Okay, perfect. So number one, make sure you're doing an analysis. Number two, make sure you're protecting in all the different ways the data that you've got. How? How do you recommend communicating to your customers about data management and what you're doing with our information? Do you send actual emails?

Do you simply have a banner on the website? What? What? What are your recommendations for customer communication that way? 

Iskander Sanchez-Rola 37:39 

For customer communication, first, privacy policies. This is the first way that users communicate, the user has to have access to the privacy policy. Banners are fantastic. Again, because they simplify, banners are not legal documents, policies are, so this simplifies, allows the user to take decision, allows users to choose. So these two things, you definitely should have them. But also if you having a specific information, including an email, for example, could be nice because again, now legally you have the requirements. If there is some kind of leak of any data, you have to inform the user that this happened.

You cannot just not say anything and then expect like no one will hear and the future they will realize. This information needs to be, like, informed. The people should be informed through an email or through any way that you have, you can contact your customers. So you should have also in your head that if something happens, you should inform your customers at all times.

You shouldn't just wait and say, Oh, I'm not sure. No, you have to contact also government and you have to contact also your customers. 

Lori Boyer 38:40 

How do you recommend balancing you know, working as hard as you can and doing everything you can in your ecommerce site to be successful and making sure that your customer's data is private and secure.

How do you recommend ecommerce companies kind of balance that out to make sure they're still being profitable and still being able to get information that they want and would be helpful for them, but also making sure that they're aligning with proper security processes? 

Iskander Sanchez-Rola 39:10 

Yeah. I mean, I think that something's in the past now, I think this is changing.

And the idea before was like, okay, let's do the website first. Let's obtain the, make the business grow. And then we'll think about privacy, but this is bad because they already saw in many websites in the past that when this happens, and then there's a problem in privacy or security, then everything you wrote from zero to what you are now can disappear in a blink of an eye.

So, suddenly because you didn't do things properly since the beginning, there are repercussions later that can make your business disappear, for example. So at the end, we have to think of this privacy by design since the beginning. So then it will simplify all the process because since the beginning, you were thinking about it.

So you are designing everything with privacy in your head. So all of the systems, then in the future is much easier, like you want to increase something, fine, because we're doing this like this. So it allows like future updates much more easy than if you didn't do anything since the beginning. And now you have to do everything.

Like your website is already up. Everything's already designed. How I change it is a nightmare. But if you start at the beginning, then changing and updating things is much easier.

Lori Boyer 40:18 

Yes, I absolutely agree. I see that myself. I am sure all of us working with data and business, you know, things can get really messy with your data if you don't do it right from the beginning.

So great opportunity for people who are just starting. Please make sure you're being super transparent, that you're putting everything into place right from the beginning, and that's gonna create an awesome future. If you haven't done that, so let's say they're 10 years in, Iskander, and they didn't set it up from the beginning.

What should they do now? 

Iskander Sanchez-Rola 40:52 

The first thing, don't postpone it. Like, if you are hearing this podcast right now, and you are hearing me saying this, don't say, I will do it in a week, I will do it in a month, I will do it in a year, next fiscal year I will do it. No. Just decide that you have to do it right now.

Start like, analyzing your website, checking your policies, updating, talking with lawyers, talking with engineers that will help you to improve it. Like, don't postpone it. That's my thing, like, because every time you postpone it, it's even worse every year because every time it's more complex. So, yes, don't postpone it.

If you are hearing this right now, go for it. Call whoever you need to call and start moving. 

Lori Boyer 41:28

I love it. I feel like you're, you're calling me out because I'm the kind of person who's like, Ugh, I'll deal with that later. Don't deal with it later. Deal with it now. Later it's just going to be a bigger problem.

Okay, we're, we're I, I love that discussion on ecommerce. I actually want to hear a little bit from the consumer side. I'm a consumer. I'm a mom. I have seven kids. I shop online like a crazy person. I like to do everything online.

What are recommendations for me to be safe? Do you accept cookies when you go to websites? Any recommendations you have for me as a consumer? 

Iskander Sanchez-Rola 42:11 

Yeah, I mean, I would say I'm not the average customer or the average person. No, I will not say the things I do because probably I was going to be difficult to replicate. The idea that we do, for example, in in our companies like Norton, for example, is trying to help simplify all this process.

So it's very complex. There are many things that happened. People are not aware of what is happening. So what we are trying to do is try to simplify and give them like top notch solutions that actually take into account all of these things that we're seeing, like fingerprinting, even digital fingerprint theft, because it's another important thing, or things like like tracking in general, and all the ghost, ghosted cookies and all this kind of thing that we're talking, and we simplified, you just, for example, install an extension, like such as Norton Antitrack or Avast Antitrack, and solution that will actually help the user and just installing an extension will allow you to do it.

There is a problem that sometimes is associated with this, that people will say, which is, Oh, every time I use one of those, it breaks website. They don't work properly. I don't like it. I end up disabling them. This is also something important that as, for example, as a company, no. So for example, when we do our solutions, we want to offer these top notch solutions that will protect the tracking, but at the same time, doesn't break websites because it's very important because if you get something you end up disabling, you lose all the privacy, so you need to have both things and design things with this thing in your, in your head. 

So we have this kind of solution such as Antitrack. Now we are closely releasing new products in the future of the same topics. So we have to think of all the ways that the privacy of users can be protected. And we are going to give simple solutions to our customers to have this kind of things.

Lori Boyer 43:48 

Okay. So I should consider having an extension, downloading an extension or something to help with anti tracking specifically. 

Iskander Sanchez-Rola 43:57 

Yeah, yeah, I think definitely is a thing like if you care about your privacy and then you want to protect this kind of situations again, you also have the option of disabling it if you want a specific tracking to happen, but by default you have and you have the option to stop this kind of tracking behaviors.

If you have not decided to do this, like the website can also say, Oh, I want to do this kind of stuff. Maybe you will disable it for us. And then if you say, yeah, I agree, then you can disable it. Very simple. Like it's not complex at all. We're not making it anything complex to our customers. If they want to do something, they are free to do whatever they want.

We're just giving them the tools to be able to offer them these solutions. 

Lori Boyer 44:33 

Okay, so what about cookies? I know I go on websites and it asked me if I want the cookies and like half the time I say yes, and half the time I say no, because I don't really know what I'm supposed to do. As a consumer, you know, is it safe for me to accept cookies?

Is that fine? 

Iskander Sanchez-Rola 44:51 

If you trust the website, and again, you are having the option or you have the choice to say yes or no. Then if you want some specific products from this website to be recommended or the things that you are here recommended in other places, then you can say yes. For example, if you don't want to, and then you are like, okay, what I want to do is I want to be fully private.

I don't want these companies to know something. Then you can say no. Also like solutions that they exist in the market that they can control this kind of behaviors also. 

Lori Boyer 45:22 

Yeah, that makes sense. I like that because I like the idea of if I trust the website. So if I trust the website then I can feel comfortable going ahead and accepting the cookies.

For those of you who have websites, again, that means making sure you're super transparent, that your privacy policies are there, that you are asking for opting in options, all of that, because that's what's going to help us create that trust. Iskander, so we are out of time, but I have loved chatting with you today.

Before we go, I want to hear, so if somebody is watching today, and let's say they've got a website, they've got an ecommerce site, they're killing it, they've been, you know, business is good. What are one or two things you would recommend that they do today, as soon as they get off, as soon as they finish listening to the podcast, what, what would you recommend that they do to try to make sure that their security is, is a little bit better than it was before they listened?

Iskander Sanchez-Rola 46:22 

So the first thing talk with their designers because sometimes it may seem obvious, but sometimes it's not so obvious sometimes are like a split. They are different, completely different things that they don't talk to each other. So, make your teams talk like, and when I say teams are developers, designers, lawyers, like all the team have to be together because otherwise, it's like a football team, like it's not an individual sport.

And this is not an individual sport either. Like creating a website is a thing that is done by multiple people. So these people cannot be separated by walls that they don't see what they are doing. So the first thing that you have to make is these people talk to each other and try to find the place that they can improve things together, because if the lawyer is in one side and the developers in the other side, then things are not going to happen.

So you have to make them talk and decide and improve things. 

Lori Boyer 47:10 

Okay, I love that Iskander. That's like a, I love the idea. Security is not an individual effort. It's a team sport. Security is something everyone needs to work on together. That was super cool line from you. So. As soon as you're done listening, set up a meeting.

That's your, that's your action item here today. Set up a meeting for the right people to get in the same room and, and create a strategy around your, your security and make sure that you're being visible and see where you can improve it. Iskander, if people want to connect with you, are you on LinkedIn?

Is there a way that they can, they can reach out to you? I know that our audience is going to have a lot of questions. I wish we were live so they could just be throwing them at us. You're welcome to send them to me. I can find out answers. But Iskander, if people want to talk to you, how can they follow you?

Iskander Sanchez-Rola 48:03 

Yeah, I mean, I'm, I'm in LinkedIn and actually I'm also like LinkedIn. There is even the link to my personal website that you can access also. I have also information about me, my contact and everything. So yeah, I mean, if there is something that I can help with, like I will be happy to like try to help us as much as I can.

Lori Boyer 48:21

Perfect. Thank you so much. So we'll include that link. Look in the, the show notes in the description there and you'll be able to see where you can reach out and, and ask these questions to Iskander. I really appreciate this as an area I'm not an expert in, obviously. And so it has been really enlightening and I've learned a ton.

So thank you for being here today. 

Iskander Sanchez-Rola 48:42 

Thank you very much. It was very nice talking with you and I hope I was able to help and then clarify many of the points that these doubt that people were having. So thank you very much for that. 

Lori Boyer 48:51 

I love it. Thank you so much. And we will see you all next time. And have a great day.