Less human = more secure? How customer security shaped Expend’s development
Regulations such as GDPR and increasingly wordy privacy policies (for which a quick search reveals over 1bn results) are a testament to this. Certainly, stories seem to crop up almost daily of data hacks and privacy breaches of all sizes in diverse industries - for example credit agencies, transport services and now - receipt scanners.
Naturally, as Expend is a processor and handler of financial data, we take security very seriously. It’s one of the reasons we decided from an early stage to remove the human from the Expenses process as much as humanly (!) possible.
What?!? I hear you cry! There are other humans involved? Well, sometimes. For instance, there are many (honestly, excellent) receipt scanning software options. Truly, we admire them - and they have been universally found to be an excellent tool for companies and enterprises that don’t want to fully digitally transform their processes. However sometimes there can be pitfalls inherent in a process where you don’t necessarily know what it is happening behind the app.
To continue the analogy, many of these services offer the magic of OCR (Optical Character Recognition) capability which is designed to augment ease of use by recognising the text on a document captured in your photos.
However, this technology is yet to be perfected (is perfection even possible?!?) and can occasionally fail to fully identify the information required.
This is when the extra human steps in, and this could be in the form of a Mechanical Turk, a low cost “Human Intelligence Task” solution.
Admittedly, the ‘HITs’ can be valuable in this situation - many of the errors occur due to the poor quality of the image itself. Pages get crumpled, light is bad, and text can be hard to decipher sometimes - leave a receipt in your pocket for a week and you’ll see!
But the real issue is why it should be an outsourced human in a potentially unsecured format - when it could be the original user directly in-app. Why pretend the problem didn’t occur and jeopardise security in the process?
Your Security, Our Mindset
We debated long and hard about the intersection of user experience and security at Expend, consulting many stakeholders in the process. Ultimately we believe that while users may be comfortable with anonymous data being seen by random people (more so when they are non-paying), this is likely for two reasons.
1) Either they don’t fully understand what is happening to their data, or,
2) they don’t understand the potential consequences of a breach of privacy. Ultimately, the more places data is shared, the more vulnerabilities there are in its protection.
I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses.
— Rochelle (@Rochelle) November 23, 2017
We also decided that to reduce the potential for error, why not step in before a human gets involved? Our solution therefore expanded to an end-to-end approach, through a smart payment card, connected app, management dashboard and full integration with popular accounting software.
We make sure users get an instant notification of their transaction and a prompt to attach a receipt (reducing the chance it will be crumpled & forgotten), we also make sure it is the dashboard admin - not an untrusted third party - that has final review of the data and receipts.
— Barclays UK (@BarclaysUK) November 3, 2017
There are many resources available to help you learn how to protect yourself.
On the back end, our CTO Rudolph Van Graan, says:
“Security is a mindset. We employ layers upon layers of algorithms and encryption to keep customer data secure. On top of that, it is anonymised. So even if the data was obtained you’d still not be able to do anything with it”.
What’s more, this allows both our users and ourselves to sleep a little easier at night!
Above all, we also realised we’re all human. So even if the system is occasionally less than perfect, if you’re making people’s lives a bit more effortless and simplified overall, perhaps they’ll forgive the (rare) occasion we don’t.
To learn more about protecting your data online see 101 tips on doing so here.