While cyber security measures have traditionally focused on protecting systems and networks, privacy-preserving checks are essential to address concerns surrounding personal data for clients and customers. The proliferation of cyber threats poses a significant risk to privacy in the digital age, and this has been seen mainly with bot traffic.
Some of these battles are particularly high-profile: in entertainment ticketing, for example, bot traffic is a persistent problem when it comes to acquiring in-demand concert tickets and serving legitimate customers’ purchase requests.
Fastly senior strategist Guy Brown said the reality is that varying degrees and sophistication of bot traffic are seen across all Australian industries and sectors.
Bots have steadily increased in their sophistication, such that they can mimic humans really closely, making it progressively harder for website or app owners to determine whether traffic, account creation, or login attempts are genuine or not.
“Established ways of doing this require an understanding of what human patterns of behaviour look like. This usually requires access to a range of signals and data attributes from users, and over time, collecting more of these signals more regularly has become necessary,” Mr Brown said.
“This often includes the use of client identifiers that track individuals across the web. While this provides a more detailed insight into their regular patterns of behaviour, a looming flashpoint for the internet industry is that these methods are not as privacy-preserving as today’s world demands.”
Mr Brown said attitudes towards privacy have shifted in Australia, particularly over the past year, as many people have become caught up in multiple data breaches.
These breaches have exposed weaknesses in data collection, storage, and permissible use and have given internet users pause to rethink how they interact with and hand over data to web-based properties generally.
“People are generally more concerned now with who collects and holds data about them and where that data ends up,” he said.
“They’ve indicated a willingness to make app and website choices based on the privacy-preserving posture of those properties. These heightened concerns are also likely to spill over into Australian legislation, notably changes to the Privacy Act that emphasise consent for data collection and a higher bar for privacy generally.
“It is against that backdrop that more privacy-preserving methods of separating human and bot traffic are starting to make inroads.”
Private Access Tokens see growth
Though a number of options have emerged in recent years, one in particular – Private Access Tokens or PATs – has garnered attention and increased use, according to Mr Brown.
It is also increasingly an option being tested by Australian website and app operators, particularly those with an e-commerce presence.
PATs address the fundamental problem that bot mitigation techniques available today have, which is that they treat all traffic as suspicious and rely on user action and browser data to assess risk.
Mr Brown said they rely on a familiar pattern that holds that a trusted third party can do a better job of verifying the details of an unknown party in a transaction. It is similar to showing an ID to prove your age – a third party knows some kind of information about you, and the other party in the transaction trusts that third party.
“At a more technical level, when a user (via their browser or device) tries to connect to a particular part of a website or application – a login page, for example – the browser may be presented with a new HTTP authentication challenge of the type PrivateToken,” he said.
“The application includes any additional context it wants verified in the challenge, such as user location, and then asks an attester (currently an Apple device) to verify that the user is on a valid Apple device and has an iCloud account in good standing for that verification.
“Assuming everything checks out, the attester then asks a trusted issuer to issue a token that is cryptographically signed to verify that the client was able to pass the attestation check. The token then gets passed back to the application, which it can use to verify passing attribute check – and therefore, the likelihood of the client being human is high.”
Given the current heightened state of awareness about privacy and user data treatment, businesses are encouraged to familiarise themselves with PATs, receive awareness training and trial how they can be used to meet the needs of operating web or app-based services while keeping user privacy at the front of mind, according to Mr Brown.
“PAT challenges are being actively trialled by website and app operators wanting to make their bot detection more privacy-preserving,” Mr Brown said.
How we help
Ready to protect your business? My Business Cyber offers a complete solution to test, train and measure awareness, reducing the risk of human error. Protect your business from cyber scams and attacks with automated staff training, phishing simulations, tools, and resources.
