What Tech Companies Are Missing In Privacy
“Regarding social media, I really don't understand what appears to be the general population's lack of concern over privacy issues in publicizing their entire lives on the Internet for others to see to such an extent… but hey it's them, not me, so whatever.” Axl Rose
Yes, that quote is really from Axl Rose.
As in Axl Rose, the lead singer of Guns N’ Roses.
When the frontman for the “most dangerous band in the world” starts talking about data privacy, you know the issue is part of the cultural zeitgeist.
Tie it in somehow
Big tech companies have a big problem
Machine learning happens when software programs “teach” themselves by using algorithms to extract and analyze a lot of data. And you may not realize it, but advances in machine learning have changed everything about our digital experience.
Voice-recognition assistants like Siri and Alexa use machine learning to recognize commands.
Social media and streaming platforms use it to recommend connections and content.
Banks rely on machine learning to detect fraudulent activity and identify scams.
Machine learning allows educational software to customize sessions for each student.
Basically, machine learning makes our lives markedly easier. But this ease comes at a tremendous cost.
Because machine learning requires a tremendous volume of incredibly detailed and frequently updated user data, technology companies tend to conveniently “forget” about privacy, leaving discussion of their privacy policies and programs until the last afternoon of a weekend retreat at the end of the year.
And so, often without even realizing it, technology leaders set themselves up to fail.
Privacy (by Design, that is.)
Were you thinking about privacy when you founded your startup?
It’d be great if the answer was a wholehearted “YES!” but even if you’re just now joining the party, there’s still lots of ways to make privacy a guiding light for your tech company. Where do you start? Consider Privacy by Design.
Privacy by Design, a concept originated by the former Information and Privacy Commissioner of Ontario, Ann Cavoukian, operates on seven core principles:
- Being proactive, not reactive
- Making privacy the default setting
- Embedding privacy into design of all things
- Fully functional privacy
- End-to-end security
- Visibility and transparency for all stakeholders
- Respect user privacy
While Privacy by Design is actually required for website developers under the EU’s General Data Protection Regulation, it’s also important for tech companies to consider. It provides the opportunity to refocus products, operations, services—really, anything in the scope of their business—on their user’s right to privacy. It doesn’t need to be any more complicated than having an finance department that handles payroll or a marketing department that sends out email.
When done correctly, it’s just part of the process.
Social media section
You’d think after watching Mark Zuckerberg get hauled into a Congressional hearing after the Facebook/Cambridge Analytica scandal that other social media CEOs would make privacy a priority. But so far, they seemingly haven’t.
Clubhouse, the newest social media app taking the world by viral storm, is a prime example of tech companies putting profits before privacy.
Clubhouse is a free, audio-only app that is kind of like an old-school conference call, except that anyone in the world can join in on conversations hosted by experts on topics ranging from cryptocurrency to Real Housewives to immunology. Going from two million users in January 2021 to 10 million by February 2021, Clubhouse is so popular you have to be invited by a current user to even access the platform.
At first glance, Clubhouse seems like it would be a privacy dream. No video. Nothing is recorded. Hosts can kick trolls out of their rooms, block people from joining, keep people from speaking…it feels like Twitter and Facebook had a baby, gave it a flip phone instead of a smartphone, and set strict house rules for inviting friends over.
But the reality is much more complicated.
Right now, Clubhouse allows new users to invite two friends to join the app. But to invite those two friends, users have to give Clubhouse access to all their contacts.
All of them.
Let’s say you, a privacy-savvy consumer, decide to join Clubhouse but are smart enough to protect yourself and your friends by not sharing your contacts. You don’t invite anyone. That doesn’t mean you’re safe lurking anonymously in the back of Clubhouse chat rooms. Once you sign up, Clubhouse notifies everyone who has you in their contacts that you are there, even if they aren’t in your contacts.
Facebook has updated their privacy settings and given its users more options for protecting their profile. Instagram now allows ‘Grammers to manage which and how many photos the app can access. Twitter allows you to change the privacy settings for each tweet. All three apps require an email address, and while they offer phone number verification, you don’t have to give them your phone number to use the platforms.
Clubhouse has none of those options.
You have to give Clubhouse your phone number. They say they’re working on it, but the app also doesn’t have great options for moderating/removing hate speech and dis/misinformation. On February 24, 2021, Clubhouse confirmed their security had been compromised and hackers had figured out how to live-stream feeds from multiple rooms. According to Business Insider, the Stanford Internet Observatory (SIO) found some of Clubhouse’s back-end infrastructure was transmitting audio and data traffic without encryption.
Everything but the kitchen sink
We’ve gotten so used to companies taking data from us for everything that everyone, from users to Clubhouse engineers themselves, probably don’t even realize the risk this type of sweeping, all-encompassing data collection practice exposes everyone to. Consumers put themselves at risk of having their identities stolen, identifying information exposed, and accounts hacked.
And for businesses, freewheeling data and privacy policies can cause lasting and permanent damage. Take a look at American Express’ list of seven risks every business should plan for:
With increasing privacy legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), companies that don’t give their privacy program the same consideration as their human resource, financial, and legal policies are taking on risk in every single one of these categories.
While the CCPA is the first and most aggressive privacy law in the United States, it definitely won’t be the last. States across the country either have passed or are considering a multitude of privacy laws, including some that are more robust than anything California has enacted. Privacy rights are the wave of the future, and waiting to do something about it increases the risk you’ll fall afoul of regulatory requirements.
Is there another part of your enterprise that you’d leave so vulnerable?
Don’t leave your door unlocked, and don’t expect IT to lock all the doors either
In 2015, Apple CEO Tim Cook gave a speech about privacy and security. It’s a great speech that provides some key insights into a mind that is shaping the world’s tech future. Even five years later, there’s a quote that still stands out:
“If you put a key under the mat for the cops, a burglar can find it, too.”
And since then, he's spoken about the imperative for the digital marketing market to stop horning in on people's privacy. At the Privacy & Data Protection conference in January 2021, he said:
“As I’ve said before, if we accept as normal and unavoidable that everything in our lives can be aggregated and sold, we lose so much more than data, we lose the freedom to be human. And yet, this is a hopeful new season, a time of thoughtfulness and reform.”
With this, Cook is highlighting how mission-critical privacy is for companies. When companies put sales and revenue growth ahead of privacy and security, they are taking on as significant a business risk as leaving their offices unlocked.
Luckily, you don’t have to be a privacy expert or a tech genius to take real steps to protect your company.
Smart companies protect themselves by making their privacy program part of their core operations. Human resources, legal, financial, product and engineering, operations, and IT departments should be working collaboratively on workflows and processes that integrate forward-thinking data privacy policies across the entire organization. If you need help figuring out how to start, check out our privacy strategy, privacy compliance, and fractional privacy officer services.
Train. And then train again.
Going along with the theme that every department should be part of developing your privacy program, it won’t do you any good to create the most amazing privacy program in the world if your employees don’t understand it. Privacy training doesn’t have to be full-spectrum seminars (but it can be!). Weekly email reminders, a quick agenda item in regular staff meetings, and small sections in a newsletter are all great ways to reinforce your expectations.
Less is more
One reason you need every department involved in your organization’s privacy work is you need to figure out exactly what data you need from users and employees to optimize your systems. And then you need to collect exactly that and nothing else. Limiting data collection decreases both your risk and your data storage costs while simultaneously making it easier for you to manage an agile response to changes in privacy regulations and best practices.
For some reason, even though they sacrifice privacy for sales and growth, everyone seems to forget that being privacy-friendly gives you a competitive advantage. You need to use it.
Remember that Tim Cook speech referenced earlier? Check out what else he said:
“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”
Apple doesn’t need privacy to differentiate itself. They launched our modern, smartphone culture, made everyone a photographer, forever altered software development and distribution, and changed the way we access the internet. But they are smart enough to see that while everyone is willing to invest in developing the next generation of big data tech, far fewer companies are willing to put their resources towards protecting that data.
Google Chrome controls 69% of the browser market and has a much higher usage rate than Apple Safari, but Apple was first to eliminate third-party cookies. They require software developers to include privacy labels detailing what type of data is collected for every app sold in the App Store. In short, Apple’s forward-thinking privacy policies have allowed them to continue changing their industry, even as other companies catch up technologically.
Your company can be like Apple. You can go beyond what is legally required to give your consumers maximum control of their personal information. And then, like Apple, you can control the conversation.
Keep your eyes on the prize
Don’t get lost in the race to create and sell the best tech. Make sure you remember that your consumers are not your product. Their trust is the product that will make you perpetually profitable.
If you need expert help matching your privacy program goals to what is actually happening in your company, get in touch today and let Red Clover Advisors show you how easy and affordable privacy compliance can be.