Transitive Trust in SaaS

Trusting(?) the SaaS Providers your SaaS Provider Trusts

This post is about Transitive Trust in SaaS (Software-as-a-Service) applications — how as a user of SaaS applications, one gives up control over who all can see the data — one implicitly agrees to trust whoever the SaaS provider chooses to trust.

I had seen people voicing concerns about sites incorporating third-party visitor tracking (Google Analytics), font services (Adobe TypeKit) and social media (Facebook, Twitter) JavaScript snippets that have the potential to track you across the Internet via their cookies (if and when they use cookies).

I had also seen the other camp (pro-JavaScript-snippet) responding with either of the three:

1. They only use aggregated data as per their Terms of Service (Google Analytics), so your privacy is not in danger
2. It’s paranoia. Nobody’s interested to single you out
3. It’s their site. You are consuming their content for free. Their land, Their rules, They decide who they share the data with. If you don’t like it, don’t use the site.

I tend to side with #3 (“If you don’t like it, don’t use the site.”) view more often than not.

However, today, I chanced upon another kind of situation— a SaaS application that I pay for tracking my servers’ application logs, was using a visitor tracking tool and an A/B testing snippet (both loaded from their respective third-party providers’ servers). This, on the main Dashboard that shows my server information (a page only shown when I am logged in).

This changes the equation.

If I were an A/B testing tool company (I ain’t), I would effectively be loading my competitor’s JavaScript snippets on a page that contains interesting information about my servers’ applications. The competitor’s snippet gets the Dashboard URL (HTTP Referrer) and also has access to my browser’s DOM and hence the entire data displayed on the page. Worse, I am paying for this.

Sure, application logs or server Dashboards don’t make or mar a business, though they do have data that you don’t want to share with your competitors (or their JavaScript snippets).

I sent the SaaS provider a note about this. Few minutes later, the A/B testing snippet was gone from the Dashboard page. No confirmation response from them yet though.

I realized I was okay with #3 reason while visiting websites as a visitor (with the option of blocking their tracking cookies using tools). However, as a paying customer sharing who is sharing his servers’ logs with the server, I am finding it hard to trust the SaaS providers transitively. I have been trusting the SaaS Provider, not necessarily the chain-providers it uses on my dashboards.