Posted on April 25, 2011
Data Ethics, Privacy, and Responsibility
We’ve seen a lot of high profile data privacy and data leak issues in the news lately.
- Facebook is constantly under fire, for apparent lapses in securing private data.
- Just today, classified documents from Guantanamo Bay were leaked to the public. These were published by WikiLeaks, which has been in the news frequently over the last few years for similar leaks.
- Millions of passwords were stolen from Gawker Media.
- News that credit card data is targeted and stolen appears almost routinely these days.
- Dropbox’s privacy policy has been under attack due to apparently misleading comments about data encryption and security
- Some smartphones are keeping track of where you’ve been either by design or by error, but raising privacy concerns either way
And I’m sure the list could go on and on and on…
What’s the takeaway from this? For one thing, treat any data that could embarrass or harm someone if it got out very carefully. There are myriad network, physical, encryption, and personnel controls that can be put in place to reduce the chance of these sorts of situations. More important, though, be sure to educate your users on what the potential threat is and why you’re accepting it. You may need to store credit card numbers so people can check out more quickly on their next visit, but a simple “save this information for your next visit” check box may not give the correct impression of what is actually being retained. Putting the onus on the users to accept the risk in exchange for whatever benefit it provides helps educate people in the first place, which is always a good thing. I’m not going to take a stance on the government-secrets side of the fence; there will always be groups like WikiLeaks who take an extreme position on that sort of information. I’m more focused on the centrist view here.
The other thing to consider, though, is that there’s always another side to the story. The main complaints around Dropbox’s security center on clauses that it maintains are required by US law, or are made necessary by user requirements. Encrypting files in such a way that the service could never decrypt them, no matter what, would almost certainly mean giving up password resets too, since the password (or a key derived from it) would be the only gatekeeper to the encryption keys, and nobody at the service could recover a file for a user who forgot it. It’s almost certain that more users would complain about that than are complaining about the possible privacy issues now. Client-side encryption would also take away Dropbox’s ability to consolidate duplicate files across users, which saves storage on their servers and ultimately reduces user costs. For most people that again matters more than the possibility of files being seen or stolen.
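To make that trade-off concrete, here is a small simulation I added for this post (it is not Dropbox’s code, and nothing here describes how Dropbox actually works). A toy server stores whatever blob it receives under the blob’s SHA-256, so identical blobs are stored once. Two users upload the same file two ways: first with keys derived from their own passwords, then with “convergent” encryption, where the key is derived from the file contents themselves (that second scheme goes beyond what the post discusses; it is the usual way to get deduplication back while still encrypting). The cipher is a SHA-256 counter-mode keystream standing in for a real cipher such as AES-GCM, chosen only so the example runs with the standard library; the file bytes and passwords are constructed sample data.

```python
import hashlib
import os
import secrets


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration stand-in for a real cipher: SHA-256 in counter mode.

    XOR-ing a keystream is symmetric, so the same call both encrypts and
    decrypts. No authentication tag; use AES-GCM or similar in real code.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))  # zip truncates the last block
    return bytes(out)


def derive_user_key(password: str, salt: bytes) -> bytes:
    """Key derived from the user's password; the server never sees it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """Content-addressed blob store: identical blobs are kept once (dedup)."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def put(self, blob: bytes) -> str:
        blob_id = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(blob_id, blob)
        return blob_id


def upload_per_user(server: Server, password: str, salt: bytes, plaintext: bytes) -> str:
    """End-to-end encryption with a per-user key and a fresh random nonce."""
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_cipher(derive_user_key(password, salt), nonce, plaintext)
    return server.put(nonce + ciphertext)


def upload_convergent(server: Server, plaintext: bytes) -> str:
    """Convergent encryption: key and nonce are derived from the content, so
    the same file always produces the same blob and the server can dedup it."""
    key = hashlib.sha256(plaintext).digest()
    nonce = hashlib.sha256(b"nonce" + key).digest()[:16]
    return server.put(nonce + keystream_cipher(key, nonce, plaintext))


def demo() -> dict:
    file_contents = b"quarterly-report.pdf (constructed sample bytes, not a real file)"
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)

    # Scenario A: per-user keys. Same file, two different ciphertexts: no dedup,
    # and a reset (new) password cannot open the old blob; the server has no key.
    server_a = Server()
    alice_id = upload_per_user(server_a, "alice-pw", alice_salt, file_contents)
    upload_per_user(server_a, "bob-pw", bob_salt, file_contents)
    blob = server_a.blobs[alice_id]
    nonce, ciphertext = blob[:16], blob[16:]
    with_old_password = keystream_cipher(derive_user_key("alice-pw", alice_salt), nonce, ciphertext)
    with_new_password = keystream_cipher(derive_user_key("reset-pw", alice_salt), nonce, ciphertext)

    # Scenario B: convergent keys. Same file, same blob: one copy stored.
    server_b = Server()
    alice_id_b = upload_convergent(server_b, file_contents)
    bob_id_b = upload_convergent(server_b, file_contents)

    return {
        "per_user_blobs_stored": len(server_a.blobs),
        "per_user_old_password_works": with_old_password == file_contents,
        "per_user_new_password_works": with_new_password == file_contents,
        "convergent_blobs_stored": len(server_b.blobs),
        "convergent_ids_match": alice_id_b == bob_id_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-user scenario is exactly the situation the post describes: two copies of the same file, and a lost password is a lost file. Convergent encryption restores deduplication, but at a price worth knowing: anyone who can guess a file’s contents can compute its blob id and check whether someone has stored it, so it is a poor fit for files that are predictable or sensitive to that kind of confirmation.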
Facebook may make questionable decisions, but that is often because its revenue comes from third parties who benefit from otherwise private information, which is what allows Facebook to make money while charging nothing for the service. Would you be willing to pay to subscribe to Facebook or Twitter to ensure more privacy? And it’s not always fair to blame these companies, either. As with Dropbox, Google, Facebook, and others regularly challenge laws that are burdensome on their ability to maintain user privacy. These are not necessarily selfless acts on the users’ behalf; sometimes the requirements are simply cumbersome for the companies themselves. Still, the point is that it isn’t always a matter of choice on their part. Internet Service Providers have long argued these points, but there’s always some new type of legislation that needs to be investigated.
In the end, it’s often just important to strike a balance. Many people are willing to give up certain bits of “privacy” for some benefit. Scott Adams recently discussed an imaginary land with no privacy at all, called Noprivacyville, and raises some valid points. I don’t mind using a loyalty card that tracks my purchasing habits if I really do get a better discount because of it. I don’t mind targeted advertising based on my Amazon purchases, because the alternative is advertisements for things I really don’t want. The other thing to remember is that the people collecting this data are not nefarious: they want to give you things you’re willing to pay for, which means that ultimately they don’t want to annoy you away as a customer. I seem to have lost a good article I read about how advertisers are aware that their targeted marketing is often too annoying and are trying to fix that.
I DO mind when data companies get things wrong. There’s a person with the same name as mine in Colorado who is apparently a real-estate agent. This is not me. Still, I frequently get ads, mailings, and e-mails clearly targeted at real-estate professionals at my obviously no-longer-private addresses. I’m sure this is a mistake in someone’s database, so I don’t mind, but it does make life interesting sometimes.
Don’t forget about Sony’s recent PS3 issues. Nicely written piece 🙂
The Sony PSN issues publicly became a data breach after I’d written this; prior to that it was just downtime and probably a DDoS, but yes, it’s another great current example. I’m sure there will continue to be plenty of them!
Thanks,
—Chip