For more crisp and insightful business and economic news, subscribe to The Daily Upside newsletter. It's completely free and we guarantee you'll learn something new every day.
The enterprise communications company is seeking to patent a "standard compliant data collection system" for sensitive data. Essentially, this patent offers a way for Twilio clients to be selective about the data they're going to collect by activating what the company calls a "standard compliant data collection mode" when sensitive data needs to be sent.
When activated, this system takes out the middleman: Rather than giving personal or sensitive data to a business's agent, a user is routed to a standard compliant data collection system, where they can directly and securely give out their information. Meanwhile, the agent is placed on hold, and "cannot receive communications transmitted by the client device of the user providing the sensitive data."
For example, if you're going back and forth with a customer service agent and you need to give their system your credit card information and address to process a payment, Twilio's system will switch on only for the time it takes to give that information to its system. Twilio noted that this tool may cover a wide variety of communications, including messaging, SMS and video calls.
Then, if a company wants a record of the user-agent communication for training purposes, a "data anonymization system" kicks in, which fills in the sensitive data that was given as part of the chat with "default replacements."
Twilio noted that keeping up with compliant data collection can be an arduous task, "particularly for smaller businesses that have insufficient resources and technical knowledge and/or when multiple communication channels are used to collect the sensitive data."
With more than 150,000 enterprise clients that operate in dozens of states and countries, including the likes of Twitter, Lyft, and Airbnb, Twilio adding in a feature like this only makes sense. A messaging API with a system that automatically takes into account different regions' data collection policies could save its clients a great deal of time and effort, said Ari Weil, VP of marketing of cloud data security firm Cyera.
Last summer, Twilio suffered two major security breaches from the "0ktapus" hacker group. In August, the cybercriminals pilfered the data of more than 200 customers in an SMS phishing attack. It was later discovered that the group gained access to an undisclosed number of user accounts through a voice phishing attack in June.
With this patent, Weil said, Twilio may be looking to prevent attacks by collecting and storing data in a more secure fashion, while minimizing the amount of data that's collected overall.
"If you'd be stopped from taking the information in the first place, or are taking it and storing it in a compliant fashion, then you're ahead of the curve as far as how you would try to protect that data," Weil noted.
But Twilio's solution is only one piece of a much larger puzzle. While it certainly doesn't hurt to collect sensitive data in the right way, determining what is and isn't considered sensitive remains a big challenge, Weil said. For example, while a single piece of information about a user – such as their first name or IP address – may not be considered highly sensitive, the whole is often greater (and much more dangerous) than the sum of its parts in the hands of a bad actor.
"It's not just about intaking (the data) in a compliant fashion," Weil said. "What Twilio is doing is starting a long journey, involving most likely a lot of education internally about, once you collect data, how you manage it and utilize it downstream."
