It's Time for Web Companies, Users to Face Facts About Data Privacy

NEWS ANALYSIS: Web service providers and their customers have diametrically opposed views about the privacy of customer data. It's about time that both sides face reality about the lack of real privacy for personal information.


The Guardian newspaper recently reported some pretty shocking allegations about the anonymous messaging app Whisper.

In summary, the paper called out Whisper for tracking users, especially "newsworthy" ones, often capturing and recording the locations of users who have not opted in to the app's location feature, and sharing user data with third parties, including the U.S. government and military.

Whisper denied all accusations, but then radically changed its privacy policy and threatened the Guardian. Whisper editor-in-chief Neetzan Zimmerman said "the Guardian made a mistake posting that story and they will regret it."

Wait, editor-in-chief? Why does a messaging app need a news organization? (It turns out Whisper collects and shares user data with various publications.)

The Guardian's attack and Whisper's defense mostly boil down to a disagreement over whether aggregated data, or data not associated with specific names or phone numbers, is really "personal data" and, therefore, whether any privacy violation has taken place.

The biggest conflict in technology between the companies that provide certain kinds of products and services and their customers is over privacy. The emotional, intuitive belief by many is that personal data-harvesting companies are "evil," exploitative or, at best, apathetic about the concerns of users.

But that view is clearly false. Technology companies don't require incoming employees to pass a sociopath test. Morally, they're regular people and that fact is obvious and self-evident.

The whole those-people-are-bad-people knee-jerk reaction won't get us any closer to resolving the crisis. So I have an alternative view.

I believe the experience of spending all your time solving the problems of how to survive and succeed in the online application and service businesses engenders a set of beliefs that the public at large doesn't share.

In other words, the fundamental problem with privacy is that the companies who make the choice to violate or not violate our privacy hold one set of beliefs in direct contradiction to the beliefs of their customers.

Here are the questions for which the industry and its customers have completely different answers:

1. Who does user data belong to?

2. Can the company be trusted with that data?

3. Do the user agreement and privacy policy communicate the intended, actual or potential use of user data?

4. Is personal data without personally identifiable information like name, phone number or email address really personal data?

If you're in the industry, the answers to these questions are 1) the companies in possession; 2) yes; 3) yes; and 4) no.

If you're a typical end user, the answers are 1) the people who generated that data; 2) no; 3) no; and 4) yes.

And this disagreement is the fundamental problem that needs to be solved.

Let's look at each of these four points of disagreement individually.

1. Who does user data belong to?

When a user thinks about the data an app collects—say, the user's home address, current location, age, where they went to school, or whatever—they naturally think that that collection of data together belongs to them.

But when a company builds a site and tool to harvest such information in aggregate, it naturally thinks the data is its own to do with as it wants. That's why the public is shocked by revelations about what the companies are actually doing with data and why the companies themselves are shocked by the public outrage.

People tend to blame the user for this discrepancy. (I'll get to user agreements and privacy policies in a minute.)

2. Can the company be trusted with that data?

Everybody trusts themselves, but when it comes to personal data nobody should. Users shouldn't trust their ability to create or remember passwords, for example. They shouldn't trust their systems as being unhackable, because they're not. And they shouldn't trust themselves with other people's data, either (say, sent to them via email).

Likewise, companies shouldn't trust themselves with user data and assume that, just because their intentions are good, anything they do is OK. Companies can't assume their data will never be hacked, stolen, compromised, subpoenaed or abused by employees.

3. Do the user agreement and privacy policy communicate the intended, actual or potential use of user data?