The comments in this post are my own personal opinions. They do not necessarily represent the opinions of my past, present (or future) employers.

Privacy is dead. Long live Trust!

I’ve been thinking a lot about privacy lately. It’s been in the news, and I’ve just come back from a privacy conference. I’ve been involved in the privacy industry for close to a couple of decades now (including over a dozen years at Microsoft, as a privacy champion), and hold a CIPP qualification from the IAPP, so I feel qualified to comment on this subject. Focussing on privacy is focussing on the wrong thing.

You can’t put the genie back into the bottle

Whilst it might sound a little controversial, I think there’s been a bit of an overreaction on the issue of privacy. Gosh Nick, how can you say that, you, an ambassador of privacy? Well, the truth is we are now living in a hyper-connected society. Different rules (and expectations) should apply. You can’t harness decades-old rules and expectations to modern society.

Whilst put incredibly undiplomatically, Scott McNealy’s hyperbole, “You have zero privacy, get over it!”, has a lot of truth in it. Our expectations need to adapt to reflect how information moves.

Two hundred years ago, photography was invented: “Please don’t take my picture, you’ll steal my soul.” As crazy as it sounds, that’s partially true. Part of your soul is captured in a photograph. It’s not stolen, it’s just frozen for all time. At the time you could understand people’s concerns and fear over this witchcraft. It was scary technology. For countless millennia previously, people had been able to come and go as they pleased, leaving nothing but their shadows and their memories; then, wham, there was a device that captured any moment for all time. No longer were you able to say “I was never there”, or “I’ve never met him”, or “it’s his word against mine”. Now there was the concept of photographic proof. Damn you, George Eastman, you are the devil! The camera was the beginning of the end of privacy in the modern world.

You can't un-invent the camera. You can't un-invent the internet.

With early cameras, sure, there were often only a limited number of copies of any image, but thanks to Gutenberg and the printing press, it didn’t really matter; one is all that is needed. If your photograph was taken, even if you didn’t want it taken, well, there was not much you could do about it. If someone wanted to share this snapshot of time, they were more than able. In the early days, publishers and printers had vastly asymmetric powers. As an individual you had little-to-no negotiating power to refute, rebut or repudiate, hence the quote “Don’t pick fights with people who buy ink by the barrel”. These days, with the power of the internet, social networks and connectivity, everyone has the power to make even their tiny voice scream. Progress has benefits. Today, anyone can publish to the World!

Fast forward to this century and the proliferation of digital cameras, and now the ubiquity of smartphones (the vast majority of which have two cameras!), webcams and security cameras. Unless you live in the Antarctic, it’s practically impossible to go through a day without multiple images of you being captured (most of which you are oblivious to).

At the conference there were people on stage demanding the “right to be forgotten”. It’s a nice Utopian dream, but being realistic, it’s impossible. Paradoxically, the people who were on stage pitching this concept were being videoed and photographed by at least a dozen people. I’m sure many of the photographers uploaded the images taken to Facebook and tagged the speakers with their names. Sure, the speaker could make a request to Facebook (or use tools) to be untagged and ‘forgotten’, but what happens when someone re-uploads that image (or a different image) the next day? Ironically, does the speaker have to be remembered by Facebook in order to be forgotten by Facebook?

Also, what happens if the uploader doesn’t tag the image with the speaker’s name, but still uploads the photo? Everyone who views the image can see it’s the speaker (many will know his name even without the tag), everyone can see what he’s saying and doing, everyone can see who he is shaking hands with, who he is on stage with, maybe who he is laughing about. If there is video, they can hear what he says, and how he acts. Is his privacy protected by his right to remove the tag of his name? If he does not know that he is tagged, will he be any the wiser? How many photographs of you are there on the internet that you have no concept even exist?

Privacy Policies

Another big conversation topic at the conference was the (farce of) privacy policy statements (or data use disclosures, as they are now sometimes being referred to). Everyone jokes about how crazy it is that they are dozens of pages long, and that nobody ever reads them. Do you read them? “They should be short, easy to read, and easy to understand”, the privacy advocates demand! I’ll let you into a secret: I’m sure companies would love to write short privacy policy statements. But that’s adjusting things for the wrong audience. The privacy policy is not written for the end user! You see, a privacy policy statement is written by a lawyer, to defend the company against other lawyers. It’s a binding agreement: in a privacy policy, you are making a declaration of what you collect, and how you use it. If you don’t make the statement accurate, you get into serious trouble. They are written as they are to help protect a company from being sued.

Companies employ clever people. They employ wordsmiths, and marketers, and designers, and people with degrees in communication. These people write compelling adverts, user manuals and press releases. If given the task, I'm sure these people could craft privacy policies that enumerate the uses of data in a compact way that an educated 13-year-old could comprehend. They could probably even turn them into catchy jingles!

The problem is, however, that because of their simplicity, these compact policies would express the spirit of the law, not the letter of the law, and could be pushed over by any competent opposing counsel with a proverbial feather. They would offer no protection to the company.

I’d love to say otherwise, but that’s the reason privacy policies are so long and cumbersome. If you wrote a simple, easy-to-digest policy, by its simplicity it would not capture the subtle nuances, edge cases and loopholes that other lawyers would exploit to sue you. And if you wrote two (one understandable by people and one by lawyers), well, what is the point of that? Some progress has been made in the adoption of a “layered approach”, but at the end of the day, a legal contract has to be technical and complete.

So what to do?

Privacy is the wrong description of the problem. What companies should worry about is Trust.

Trust is measured by perception, behavior and the (lack of) surprises. If you ask people if they trust a company, they will often be able to give you an answer right away. “Tell me, do you trust American Express?” (or whoever) “Yes, I do.”

If you ask them “Why do you trust American Express?” I think it’s pretty fair to say the answer will not be “Well, I read their privacy policy statement from cover to cover and I agree with the trade-off of utility I get for providing my data. I found their description of fair information privacy practices detailed and descriptive, and I fully understand how they will collect, store, use, share and destroy the various categories of sensitive, personal, financial, pseudonymous and anonymous data they collect about me. Overall I trust them.”

Instead, you might get answers like “They have not done anything wrong so far” or “I’ve heard no bad stories in the press or from my friends” or “They seem very responsive and helpful over email/Twitter/facebook/phone to my questions”, or simply “I just trust them” or “They treat my data with respect” and “They seem like an ethical company”.

“You are judged on how you behave, not how you tell me you will behave.”

Trust is based on reputation and perception (and personal experience). Trust is nebulous, hard to define, but like so many things, “You know it when you experience it” or, more strictly, “You know it when it is breached”. Like I keep telling my kids: you are judged on how you behave, not how you tell me you will behave.

Trust

Successful companies will be successful by building trust. They will build trust, not through telling people they are trustworthy in some privacy statement, but by actually doing things that build trust.

How do you build trust? I’ve hinted about this already, but there are three things you can do to earn (or lose) my trust:

Give me no surprises

Explain to me the value proposition of trade (and notification of this). What am I getting in return for sharing my data with you?

Give me control

Surprise!

No surprises is a key to building trust. The first time I used LinkedIn, it freaked me out a little. What I did not know was that, if I was logged in and navigated over to the profile of someone else, that person received a notification that I had viewed their profile! I had no idea that was going to happen! It was a surprise! They lost my trust, and I’m still wary of using their site. In addition to the surprise, they did not give me good notice about what would happen, nor give me a choice to accept this (maybe they did – if they did, it was certainly not in a clear, conspicuous and obvious manner), so I had no control. Even if something is done legally, if it is creepy, it is creepy. Companies should wake up and understand this. Creepy is bad for trust. Creepy is bad for business.

The average user of the web does not know what an ad-network is, nor what it does. They are unaware of cross-domain sharing of information. If they visit one site and search for a pair of pants, it’s creepy to see adverts for the same pair of pants five days later on a totally different site. This is a surprise. They were not expecting that to happen. Surprise erodes trust. (They also push most of the blame onto the collector of the data and ding that site, not the consumer of the data, the ad-network and the sites it serves.) We’re starting to see slow progress on this front, as some targeted adverts now carry logos and phrases such as “Why am I seeing this advert?” It’s no longer a mystery, and this should help attenuate some of the issues around the surprise.

I'm all for transparency in advertising. People should have the option to know why they see what they see.

Value proposition!

Giving up data is a trade. It should be a fair balance. You give up something and you get something in return. This is all about transparency. People want to give data if it helps them, but they want to understand what they are getting from it (or what they lose). “Tell me your birthday, and we’ll send you a 20% gift card on that day to help you celebrate.” The value proposition here is clear; yes, I’m giving up my birthday, but I’m getting something in return. Each person can decide if they accept the terms of the contract. Different people will have their own comfort levels, and that's fine. You've explained the trade, and they can accept or decline. Some guidelines here:

It’s all about giving notice (in advance), then giving choice (accept or not)

Say what you do, then do what you say (Don’t change the rules)

Tell them when they care (at the time of collecting the information)

Give context “We are asking for this because …”

Use the data for the primary use only (ask/remind/request before using it for a secondary purpose).

You lose credibility if the request seems out of context and not sensible. (You can understand a boot store asking for your shoe size to notify you about special deals, but if an airline asked for your shoe size it would appear bizarre and creepy).

Control

As mentioned above, this is part of the value proposition. It’s about notice and choice. I only want to provide data if I am comfortable with the contract. I’ve heard different estimates from different people, but some claim over 20% of people might be using cookie blocking technology because they don’t feel they have control of their data. (Of course, the sad thing is that this is becoming less important, because browser fingerprinting technology is getting mature enough to allow pretty targeted identification without the need for cookies; cookie blocking is giving the illusion of privacy.)

Control can also mean control after I’ve provided data to you. Do I have the right/option to adjust how it is used later?

Bark worse than its bite?