
When it Comes to Privacy Policies, Focus on Transparency


The recent news stories surrounding the NSA programs that collect phone data and track overseas email have stirred up a lot of controversy. No matter what side of the issue you fall on, the take-away no one in the software application world should ignore is just how touchy people are about privacy and transparency. One of the main arguments being played out in the media about the NSA leak – and even mentioned by some top-ranking officials – is that the public should have been given more information about the existence of these programs. Something can be confidential without being so secretive. This is the argument you, as an application developer, tester or brand owner, need to be paying attention to.

We’ve seen this issue come up time and again – users notice changes in privacy policies and start spreading the word about the “nefarious” practice. Petitions are created, people call for boycotting the offending application, rumors abound, false “security steps” are spread and users generally complain and call for a retraction of the change. This can be sparked by the smallest, most insignificant change. All it takes is a misunderstanding of the new policy or a “secret” change that users weren’t notified about. Catch users off guard or be vague and confusing and you’re asking for trouble.

Take January’s Instagram debacle, for example. The service did notify users that a change was coming, but the updated policy was confusing and led people to believe their photos could be used in advertisements without their knowledge or permission. Instagram scrambled to clear the air.

Earlier this week, we introduced a set of updates to our privacy policy and terms of service to help our users better understand our service. In the days since, it became clear that we failed to fulfill what I consider one of our most important responsibilities – to communicate our intentions clearly. I am sorry for that, and I am focused on making it right.

Even after that post, the policy left something to be desired in the “communicating clearly” category. When legal experts took a look at the policy, they were just as unsure about what it allowed the service to do – which doesn’t bode well for transparency. From The Washington Post:

But the updated language was not immediately available, leaving many users still skeptical about Instagram’s intentions. Legal experts said the “terms of use” document was remarkably expansive. Elements would apply to users as young as 13.

Privacy is still an evolving field and we’ll be creating new standards and best practices for years to come. But the one thing we can do now, and continue doing as privacy standards change, is work on transparency. If users are presented with changes and understandable terms of service, and are notified when an application is accessing or storing extra features or data, they can make a more informed decision and are far less likely to feel blindsided and violated.

In a lot of situations, notifying users (in a clear, understandable way) about your privacy practices, what data is being tracked and how it’s being used is legally mandatory. The California Online Privacy Protection Act (which also applies to mobile apps) requires that “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available.” The policy has to notify users about “the categories of personally identifiable information that the operator collects … and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.”

A lack of transparency (among other things) has landed Facebook in hot water more than once. In 2011 Facebook was forced by the FTC to adopt more transparent privacy practices – and to stick to them. From Macworld (emphasis mine):

Facebook is barred from making further deceptive claims about privacy, and it is required that the company get consumers’ approval before it changes the way it shares their data. The proposed settlement also requires Facebook to obtain periodic assessments of its privacy practices by independent auditors over the next 20 years, the FTC said.

The social media site also found itself in trouble outside the US for similar reasons. Strict European standards forced the company to address further transparency issues. From Reuters (again, emphasis mine):

[Facebook] was told by Ireland’s Data Protection Commissioner last December to overhaul privacy protection for its users outside the United States and Canada, after a probe found its privacy policies were too complex and lacked transparency.

Looking to actively avoid controversies like that, Google has taken vocal precautionary steps regarding privacy concerns with Google Glass. The company has set its own, clear standards around the wearable tech and outlined expectations for how Glass developers will handle privacy and transparency. From VR-Zone:

Google just recently posted an important notice to its Google Glass channel on G+ that puts to rest all privacy concerns. Many people, which includes the U.S. Congress, had privacy concerns with the prototype eye-ware. Google is trying to calm these fears by saying they are rejecting any ‘Glassware’ that would jeopardize any individual’s security and privacy until all proper protections are set in place. …

The search giant also updated their policies on the Glass developer site, and they added a new clause that clearly says the camera and microphone are not to be used to cross-reference data on individuals other than the user.

Google’s entire privacy guidelines for Glass developers are short, sweet, to the point and in plain English. The guidelines are divided into easily consumable categories with self-explanatory titles like “Information you may not collect, store, or share” and “What you can’t do in your application.”

It all comes down to making sure users know what your policies are. The clearer you are, the less likely you are to stir up unwanted – and sometimes unwarranted – controversy. If you feel like a practice might upset users, you have one of two problems: 1) You’re not adequately explaining what you’re doing, why it’s important, how it will benefit your users and how you’re keeping user data safe in a way that will put users at ease with the policy; 2) You’re doing something that your users won’t like, or that’s generally shady, and you know it.

Users like convenience and they’re willing to give you access to a lot of information if they understand why you need it and trust that you’ll keep it safe and under their overall control. Be sneaky about your privacy policy and you destroy that trust. Destroy that trust and you have a PR nightmare on your hands at the slightest hint of privacy confusion.

