Whatever you know about cybersecurity, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.
How can you always stay on top of the latest threats, vulnerabilities, and emerging trends to effectively protect yourself or your business as cyber threats grow in number and sophistication?
In this new interview series by Safety Detectives, I am talking to cybersecurity experts and business leaders who share untapped insights from their experience and expertise that will help you be more aware and effective in protecting your sensitive data.
This time I had the chance to talk to Milenko Tosic, co-founder and CEO of INVT from Novi Sad.
Milenko started his journey in 2010 to become a solution architect and software engineer focused on IoT systems, machine learning and innovative IT services. His company, INVT, is now a team of engineers, designers, managers and leaders providing software development, design and project management services to clients and partners.
They also develop their own software, like Pro Se, the first and only app able to read and analyze privacy policies for you and let you know what data is collected by an app, by whom, and why. It recently received a 60,000 euro grant from the EU program Elise for advancing its AI component.
To start, can you please introduce yourself and share the story of what inspired you to pursue your career path?
My career in IT started in 2010 after receiving my MSc degree in microelectronics and telecommunications. At first, I worked in the domain of wireless networks, with a focus on advanced routing protocols, software-defined networking and access management. Next, I shifted into the area of the Internet of Things, where I worked on challenges in efficient resource utilization, smart sensing and actuation. Further on, I moved to high-performance data management platforms and the application of AI in various domains, from smart grids and smart cities through agrifood to legal tech.
In 2018 I founded INVT together with my long-time friend and colleague Ognjen Ikovic. We wanted to work on a couple of pet projects and build products around them. I was, and still am, very active in research projects, especially those funded by the European Commission. This is where most of the ideas for our own innovations came from.
One such idea gave birth to our flagship service – Pro Se. We wanted to bring online privacy protection awareness to the masses and to address the failing approach to online privacy policies and consent collection.
When the GDPR came into effect in the period between 2016 and 2018, all tech companies had to adjust their practices for handling private data. The media coverage brought the attention of the wider public to the importance of online privacy protection and the possible repercussions of misusing private data. The GDPR brought forward many more national regulations. Finally, end users had the means to protect their online privacy, and companies started collecting and using private data in a responsible way. The future looked bright, or so it seemed.
I have witnessed firsthand that privacy protection practices, privacy by design, conservative usage of data and other concepts were heavily overlooked or ignored by companies developing end-user facing services and apps. Slowly but surely, the online privacy protection matter became a never-ending battle between regulatory bodies and big tech companies. End users were left behind once more.
With Pro Se, our main goal is to empower every single person to make informed decisions on whether or not to start/continue using an online service or mobile app based on how their private information is being managed.
What are all the pain points you solve and for whom? Explain it in simple terms.
The only way end users can know for sure what is happening with their private data when using an online service or a mobile app is to read and understand the associated privacy policy or notice. But the mechanism behind privacy policies is broken. Users are not reading them. And why should they? The policy texts are overlong and written in hard-to-understand legal language.
The tech companies, especially tech startups, are also struggling. Regulatory fines are constantly on the rise. For example, all the GDPR fines until June 2024 totaled more than 4.5 billion EUR. Proper positioning of their privacy policies and consent collection became a big hurdle with little room for innovation and engaging UX (remember Twitter’s privacy notice game?).
The Twitter Data Dash played like a vintage video game.
When a company chooses to be more transparent about its privacy practices, it risks losing its user base in favor of less transparent options which market themselves as privacy-preserving (with little to back that up). In the era of AI, losing access to data means losing a business.
The privacy policies paradox
- Your customers don’t want to read your privacy policies
- If they do, they run away because they don’t really understand it
- Customer lost
To help with this, we have developed Pro Se. It applies AI to read privacy policies on users’ behalf, providing them with key takeaways needed to make informed decisions on continuing to use a service/app and limiting access to certain private information. Users can also create privacy protection profiles indicating what is important to them when it comes to online privacy protection, while the service educates them about their rights and different risks they might be exposed to.
Pro Se also offers a B2B solution we are calling Sandbox that allows businesses to test user acceptance of their privacy protection practices before going live. It is like a living lab of privacy-aware individuals for testing the user-friendliness of privacy protection practices.
With Pro Se, we aim to level the field of online privacy protection and shift it towards a proper negotiation process between those who request and use data and those who are the primary source of private information.
What are the most common or overlooked cybersecurity and online privacy threats that you see affecting end users? Why are these threats particularly concerning?
I would say that the main threat for online privacy protection is the fact that most of the data being collected from end users is not for their benefit, like service personalization and more immersive experiences, but for the purpose of reselling it on the global data market. This leads to practices of private data drainage through all means available.
With the industrial revolutions, one of the main objectives was to effectively generate and utilize energy. As a result, we now have more policies targeting energy conservation and a global understanding that being energy efficient is the proper way of doing things. With the digital revolution, we have yet to collectively understand and pursue data and information conservation.
Regulations like the GDPR postulate that the maximum amount of personal data collected from end users is the minimum required for a service or application to run as envisioned. If you offer your users a mobile card game, you probably do not need access to their location. If you offer a service for tracking exercise routines, you do not need access to the user's contacts.
I strongly believe that tech companies must approach private data collection practices much more conservatively and demonstrate to end users that they really need the collected information to keep the service running. Even if that means being open about reselling collected data to data brokers so that the service can remain free for users. Privacy policies must become more precise and avoid ambiguous claims that something might or could happen to end users' private data.
Can you share any real-world examples of when such risks materialized? What damage did they cause?
Most users are informed about privacy protection challenges through mass media channels. Only when a data breach or a major privacy-related scandal becomes mainstream news are end users reminded that there are risks in leaving their private information online.
Also, the regulatory bodies present themselves as defenders of the common people and often the regulations are presented in a way that the public gets the impression that tech companies are forbidden from collecting data from them and especially reselling it on the data market. But the fact is that regulations are there to regulate and not necessarily to prevent or protect.
Prevention is solely in the hands of end users. When end users are scared, they completely shut off access to their private data. Consequently, they lose the personalized experience and features of the services in the process, or render certain services useless. For example, the major mobile operating systems offer more and more functionality to manage which private data streams certain applications can access. This is an important feature for prevention, but all choices must be made in an informed way. If you shut down access to location data for Google Maps, you render the service mostly useless.
The providers of the operating systems have the power to shape how users perceive privacy protection. If a user is presented with a button and a message whose meaning amounts to "Do you want to protect your privacy?", all of them will click it. One example of this relates to the iOS prompt to "Prevent this app from tracking your activity across other apps". Everybody in their right mind would opt out of being tracked. The result was that many cross-app features were lost, and users started complaining that services were not working as they used to.
Again, users were not informed about the consequences of their choices. In the AI era, when all service providers are racing to offer more personalized and immersive experiences, end users are starting to question what the price of such features is. There is no AI without data provided by end users, and the massive progress in the field can be stopped in its tracks by a single scandalous mainstream news story that scares end users into cutting off access to their data.
Can you please share your top things everyone needs to know to properly store and protect their customers’, personal, and/or company’s data?
- A privacy policy is the only regulated source of truth about privacy practices. The privacy sections on the App Store and Google Play, for example, are not checked or confirmed in most cases. Our experience is that there are major mismatches between the information about privacy practices within the privacy policies and these app store sections.
- If a privacy policy says that something might happen to your personal data, it most certainly will happen.
- Every service and app has an alternative. Seek the ones that satisfy your privacy protection requirements.
- Companies are being sold, merged and shut down every day. How your data is handled in the process is usually not transparent and can have serious repercussions. Be on the lookout for such news and act proactively.
- If you require your employees to use certain online services, you must understand what the privacy protection implications are for them as individuals and for your business. If you require your remote workers to use online meeting platforms while working from home, you must understand that you are exposing them and their families to third-party data collectors that you have no control over.
- If you collect data from your users and they request that you delete it in accordance with their rights, go ahead and truly delete it. Do not anonymize it or dereference it. Data breaches happen and when they do, data that you said you deleted can surface, leading to complete loss of trust from the user base.
What common beliefs about cybersecurity and online privacy do you passionately disagree with? Why?
- Encryption is the only solution for protecting your data – encryption for data in transit and at rest is a very important measure, but not the only one you need to take. Especially not for companies. Access management, privacy by design, backups and security audits are equally important. End users, on the other hand, must understand what their rights are and how to enforce them, even in the case of services and apps which utilize end-to-end encryption.
- Regulations like GDPR prevent companies from collecting and selling your private information – their role is to regulate and prescribe mechanisms which must be followed. As long as a private data handling practice is documented in a privacy policy and consent is collected in a proper way, companies can do with your private data nearly anything that they find useful.
- Apple is advocating and implementing strict privacy protection mechanisms only for the benefit of end users – if the most popular applications like TikTok, Instagram and YouTube cannot collect private data, the companies behind them will lose targeted advertising as a lucrative revenue channel and be forced to introduce subscriptions. With every application sale or in-app purchase, Apple gets up to 30% from the App Store. It is in their interest to minimize the number of free apps.
- Online privacy protection is a universal and global human right – when it comes to basic human rights, all humans should be seen as equal. But practice sadly shows that not to be the case. The same goes for online privacy protection. It is enforced in different ways across the globe. Some users benefit from strict regulations on their side, while others are widely exposed to private data siphoning and even 24-hour surveillance. Private data crowdsourcing practices target less developed markets so that the same data can be obtained for less investment. Practices where, if you want to avoid data collection and targeted advertising, you need to subscribe, make online privacy protection a privilege of the wealthy.
What are some things that people should STOP doing today because it’s damaging the safety of their data, and they don’t realize it?
The practice of "bring your own device" to work should be avoided. It is convenient to have one smartphone and PC for your work assignments and private use. But you risk cross-contamination between cyber threats that primarily target private systems and those that target business systems. Do not be the one responsible for the crash of your company's IT system!
Also, a lot of work-related software and work-specific account management systems tend to collect various private information about the general usage of the devices on which they are deployed. Yes, your boss can know which mobile apps you use during and outside of work hours!
What are some things that people should START doing today that they’re currently not doing to protect their information?
You must start reading online privacy policies for services and apps that have access to your critical private information like health, security, finance, photos etc. Proactive management of access to your private data must become a crucial part of your digital hygiene.
💡 Tools like Pro Se help you to make informed decisions without the need to thoroughly read and understand a privacy policy text.
What trends are happening in the realm of cybersecurity and online privacy that will affect people negatively if they don’t adapt?
Many large AI models and systems, like GenAI, are trained on users' private data among other available data sets. Even if users manage to delete this private data from the database of a service which has collected it, they cannot revert AI model training. Their private information is permanently intertwined with the AI logic. This might not seem relevant at the moment, but in the long run it can become so.
If the AI models are trained on our past beliefs and behavior patterns, they will not easily adapt to the changes that we as a society are striving for. It is more important now than ever to proactively manage access to your private data.
In your opinion, have tools and technologies improved enough to help end users secure their online privacy effectively? Are there any specific tools you would recommend?
New privacy-preserving alternatives for many mainstream services are constantly being introduced. There are "privacy first" versions of web browsers, search engines, messaging apps, online meeting services etc. AI tools are also being introduced to help users and organizations protect their data. I have advertised Pro Se as one such solution 🙂
So, yes, the offer is more comprehensive for sure, apart from some mainstream apps like social networks that don’t have alternatives, but protecting privacy on those is a topic on its own. The effectiveness in most critical cases (like web browsing and search engines) is good enough, but there is still an issue of trusting yet another company.
As a seasoned online worker, what cybersecurity practices and habits do you personally follow to ensure your online privacy and security?
- Have separate work and home devices and accounts.
- Avoid public WiFi hotspots.
- Use 2FA wherever possible.
- Regularly update passwords and use password management tools.
- Take time to understand privacy risks for new apps and tools. I have actually stopped using Teams, Zoom, Instagram and a couple more apps when I understood their privacy practices while working on the Pro Se solution.
- I constantly tell scary stories to my friends and family about effects of improper online privacy protection – I am super fun like that 😀
How can our readers follow your work?
Milenko’s LinkedIn: https://www.linkedin.com/in/milenko-to%C5%A1i%C4%87-a1a3081b/
Company website: https://www.invt.tech/
Pro Se website: https://prose.biz/
Pro Se LinkedIn: https://www.linkedin.com/showcase/pro-se
X: https://x.com/ProSe_Privacy