Privacy Protection at the Movies – Oh My!


I just ran across an interview with filmmaker Cullen Hoback that I wanted to share with you and highlight a few things he says.  He will be releasing his documentary on data privacy, Terms and Conditions May Apply, over the next few weeks in selected theaters and digitally this fall.  If you are involved at all in user communities and the privacy of your users, this is a film that you need to put on your watch list.  Here is the trailer and my highlights from the interview.

“Terms and Conditions are designed not to be read”

This was in response to the interviewer's position that most people just click yes or agree. His answer went much further. He indicts almost every privacy officer at every online community. I don't think this is an intentional fault. It is just who lawyers are. We talk a different language and we write differently. Quite frankly, after three years of the Socratic method, even the way we think has been altered. This all leads us to writing stuff that is generally "unapproachable."

“They can change it in the future … and they don’t even have to tell you”

Again, this is a case of companies not doing something intentionally.  This is a little more nuanced though.  The change management with changing something as pervasive as your privacy policy and informing your registered users is quite staggering.  So instead of incurring an additional expense, most folks just drop in that little bit of boilerplate and move on.  Mr. Hoback calls out reddit as the gold standard.  As to changes, reddit’s terms state that:

We reserve the right to change this policy to meet the changing needs of reddit, or for any other reason. If we make changes, we will notify our users. Where the changes substantially alters your rights, notice will appear prominently on your front page. More minor changes may only be highlighted by the privacy policy link in the footer of our website.

Even this gold standard has some wiggle room. What is "substantially alters your rights?" My recommendation is that when you build your login routines, you add something to your code that recognizes a policy change flag. If it is set to yes, you splash a screen in front of the user. Tie that flag to the actual text of your privacy policy, and whenever the text is changed your users will be notified and given a chance to review it. If you collect information from non-logged-in users, maybe just doing what reddit does and highlighting the 'privacy policy' link is enough.
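One way to tie the flag to the policy text, as an added example that is not code from the interview or from reddit: the flag is derived from a digest of the policy text, so it cannot be forgotten when the text is edited. The names PolicyGate, policy_fingerprint and login are hypothetical, the dictionary stands in for a column in your user table, and ignoring whitespace-only edits is an assumption you may not want.

```python
import hashlib
import unicodedata


def policy_fingerprint(policy_text: str) -> str:
    """SHA-256 of the policy text. Assumption: whitespace-only edits
    (re-wrapping, trailing newlines) should not trigger a re-prompt."""
    normalized = unicodedata.normalize("NFC", policy_text)
    normalized = " ".join(normalized.split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class PolicyGate:
    """Hypothetical helper: tracks which policy version each user has reviewed."""

    def __init__(self, policy_text: str):
        self.current = policy_fingerprint(policy_text)
        # user_id -> fingerprint last acknowledged (in-memory stand-in for a DB column)
        self.accepted = {}

    def publish(self, new_text: str) -> None:
        # Publishing new text is the only way the "flag" changes.
        self.current = policy_fingerprint(new_text)

    def needs_review(self, user_id: str) -> bool:
        # True for new users and for anyone who accepted an older text.
        return self.accepted.get(user_id) != self.current

    def acknowledge(self, user_id: str, shown_fingerprint: str) -> bool:
        # Record the version the user was actually shown. If the policy was
        # republished while the splash screen was open, refuse and re-prompt.
        if shown_fingerprint != self.current:
            return False
        self.accepted[user_id] = shown_fingerprint
        return True


def login(gate: PolicyGate, user_id: str) -> str:
    """Called after authentication succeeds; decides the next screen."""
    return "show_policy_splash" if gate.needs_review(user_id) else "continue"
```

Storing the accepted fingerprint per user, rather than a single yes/no flag, also leaves a record of which policy text each user last reviewed.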

See how privacy protection permeates every part of your user experience. This is exactly what the regulators are looking for. Design privacy concerns into every aspect of your user experience. Think about what a user wants, and always remember that you are not the average user. If you are the kind of person that reads the privacy policy on every website that you visit, you are definitely not the average user.

“The bigger solution is the idea of having access to our data and control over our data”

Here is where I think he goes a little too far. Having access to our data is something that I don't think is going to be easy for a company to provide. First off is the problem of what data you are talking about. Even in the simple case of just the information that you got from me, does that include my IP address, my geolocation, my page views, etc.? It is beyond my meager user experience skills to think of a good way to display that to a user that is meaningful. Now let's get a more complicated example. What about data that I gathered from sources other than you? Going even further, what about when I combine your data with my analytics to generate a conclusion? Should you be able to see that I consider you a high net worth customer because I believe that your next car purchase will be a McLaren MP4-12C?

Talking about control is where I think we need to be going. Meaningful controls over the use of the data that we provide to the companies that we deal with. If you want to combine the data that I give you with other data, the use of that data for that purpose should be disclosed. Going even further, you should inform me before you sell my data to someone else, unless you let me know about it ahead of time.

Control is one leg of my three-legged privacy protection stool, with value and notice being the other two. Do I believe that most users will use that control? Actually, no, until an easy-to-use system to exert that control is given. Facebook has attempted to give control to the users over their privacy settings and it ends up that most users just choose the default anyway. You can lead a horse to water, right?

For the company, turning off data collection is actually a bit hard, to be honest.  I understand that.  Much like the tree falling in a forest, is there harm in data collected, but never used?  Philosophically yes, but I don’t have to worry about philosophical sounds, either.  The problem here is use.  Your user’s collected information and data is probably held in a sensitive database (if it isn’t, put it there, now).  I would recommend putting a switch on that database that allows you to stop the use of that data immediately.  I may have even used the term kill switch to describe it.

“If you understand the nature of the trade, you may rethink the trade”

Another leg from my stool. What is your data worth to the companies you deal with? Facebook's IPO gave us an idea of how much the stock market valued our data, about $125. Calculating the value of our information to Google is a bit more convoluted these days. Hoback thinks it's about $500. Backupify claims that your Gmail account is worth on average $3588.85. Caution here if you go and see what your account is worth. You are giving access to your Gmail account to Backupify to estimate it. Privacyfix has a tool that will allow you to see how much Google makes off of you when selling ads.

Technology Changes Everything – Sort Of

I think we are going to be struggling with these issues for many years to come.  Perhaps until my generation, the digital immigrants, are passed on.  When the first cameras came out there was a privacy outrage at first, but I don’t see anyone worried about that these days.  We have built up good rules on what is acceptable and what is not.  Even when the first books were printed there was some worry that it fundamentally changed the dynamic between author and reader for the worse.

There is something to be said that society does evolve over time. The mores of our ancestors are different from the mores we practice today. Is the Internet a whole new society, and will its values and mores overlay and eventually replace that of physical society so completely that it will fundamentally change the entire world? Perhaps.

At any rate, I am putting this movie on my watch list and when I see it I promise to come back and review the movie and update my post with any more information.  For you privacy professionals out there, the thoughts of the filmmaker now should be bouncing around your head.  Think about what his concerns are and critically look at your own processes.

