Overview
Some users may have experienced a forced sign-off from their Workspaces company account and associated services. This was caused by a security change that was required to secure and protect company and user data.
More Information
A growing security concern is the unintended sharing of user and company information without the users full understanding of how that information is used by 3rd party service providers. In addition to the privacy concern, having data cached/stored in multiple locations increases the risk of data compromises since now 3rd party service providers become yet another vector for bad actors to exploit.
Privacy Risks with 3rd Parties
Let’s be honest. Most of us never read the T&C’s when signing up for a new service. The reality is that you may be inadvertently granting a 3rd party rights to collect and utilize any private information you agree to share with them for their business purposes.
As an example, some users have connected with services like Alignable, a site designed to help promote you and your services. Upon signing up, Alignable gives you the option to login with your email provider or social media network login. Upon selecting this option, the user is provided with an access request screen like the one below:
The request access screen indicates what permissions the 3rd party service provider would like to have to your connected account. In the screenshot above, the App or 3rd party service provider name is in blue at the top, with two permission scopes requested: Contact Access and Calendar Access. Specifically, the application wants read and write permissions to both of those scopes.
Once a 3rd party provider has been granted permissions such as the ones above, the 3rd party provider can download a copy of, and utilize that information for whatever purposes were granted in their terms and conditions. In many cases, users are unaware that their contacts will begin receiving additional advertisements or invites from this service provider without their explicit consent or knowledge.
What’s Changed
RavenTech has implemented policies to secure customer information by restricting access to certain services such as email, cloud storage, contact/address books, calendars, and tasks.
The restrictions help secure customer information from untrusted 3rd party service providers and ensure that customer data is protected against unintended sharing.
Trusted 3rd party service providers will still be able to access customer data. Examples of trusted 3rd party providers include: iOS (Apple Mail and MacOS), Microsoft Windows and Outlook, Mozilla Thunderbird, and Dropbox.
How Does This Affect Me?
If connecting to a 3rd party service provider not currently registered or trusted by your organization, the 3rd party provider will be restricted from accessing company data. You may see limited functionality with certain service providers as they will be unable to obtain information required to use certain features. Examples include, displaying address books and pre-filling addresses, viewing and/or saving to cloud storage locations owned by your company account.
Was My Information Shared Without My Permission?
No. No information was shared without the user explicitly allowing that information to be shared with a 3rd party service provider. Without providing that explicit consent, the provider would not have the ability to access user information.
What if I Want to Share Information with a 3rd Party Service Provider?
All data contained within your company owned account is property of and controlled by your organization. Organizations can request access exceptions to unregistered 3rd party service providers. These exceptions can be applied to the entire customer organization or to specific groups of accounts. Please contact us for more information on creating an exception.
What if I Already Shared Information With a 3rd Party and Didn’t Intend To?
All reputable 3rd party service providers provide users with data deletion options. These can be usually found by navigating to the service providers ‘Privacy Policy’ section on their website. Depending on your state and country of residency, privacy laws provide varying requirements that 3rd party providers must abide by. Most providers give users a simple method to select and request data deletion, while others may require a multi-step process to confirm your data deletion request. Ultimately, the provider must delete your data upon request if the laws governing data privacy where you reside provide those protections.
Can a 3rd Party Service Provider Refuse My Data Deletion Request?
Depending on A) where you reside and B) where the vendor or 3rd party service provider is based, varies on whether they are required to abide by your data deletion request.
Users should be aware of sharing information with and doing business with providers outside of their State or Country and how their right to privacy is affected as well as any governing export regulations regarding data exchange.
Can a 3rd Party Service Provider Cancel My Services for Requesting Data Deletion?
Yes. Depending on the service providers terms & conditions of service, the data collected may be a requirement to enable and provide their services.