Privacy Should Be Important To Companies


The Setup

Yesterday, I had the opportunity to speak with someone working for a new startup doing, at the moment, a little web application for IM. The details of the conversation aren’t important (nor is the particular company, as this attitude exists in many different companies), but I wanted to explore a concept I found interesting.

“Users don’t have to create accounts, so we don’t have any information we need to protect; we don’t need to worry about identity issues yet.”

Oh dear.

So let’s think briefly through the workflow of a web-based instant messaging system, and see if there’s anything a user might think was important enough to bother protecting.

The Problem

  1. Logging in.

    Well, it’s very nice that since this service (one of many web IM services to do this) doesn’t require users to create site-specific accounts, we don’t have the “one more credential I’m going to forget” problem (that OpenID was created to solve, among other things). We do, however, have important identifying information here; namely, the username and password for whatever IM account you’re trying to use. Users might think that’s important; certainly, since I keep in contact with many of my UWC friends exclusively through IM (it being difficult to get good phone calls on a regular basis from, say, the DRC or IDF), I consider keeping those credentials in reasonably good shape to be a goal worthy of protection.

    But wait– there’s more! There are many ways to take one IM account and obtain much more identity data from it– in ways that (ostensibly) might be quite helpful to a user, and (really) might have significant privacy consequences. For instance, if users have put their AIM/MSN/Yahoo ID on websites that use XFN (my front page, http://ussjoin.com, does this, but lots of online profiles do as well, for many good reasons), it’s just a simple query away to find other profiles they have. One of the newest tools (released just a couple of weeks ago) is the “Other Me” query on Google’s Social Graph API; with this, one simple query can show that the person who owns http://profiles.aim.com/ussjoin (the profile for my AIM ID) is the same person who owns http://www.facebook.com/people/Brendan_OConnor/5409777, which is my Facebook page. Clicking through to it doesn’t work, since I’ve disabled that using Facebook’s privacy settings, but that doesn’t matter: if the IM service is getting a kickback through Facebook’s Beacon service, it will tell Facebook that I’ve logged in so that Facebook can sell ads with my picture. Quite a feat, just for having tried out their service; note that I never need to use their service again for them to do this– indeed, I never even need to finish logging in! If they get my username, they can do all this and more.

    Somewhere in there, I feel like there might have been an identity issue that needed consideration. I can’t quite remember where that is, so that exercise is left to the reader. :-)

  2. Buddies.

    Assuming I’ve taken the plunge and logged in, the IM service gets another burst of personal information; in this case, my friends.

    Now, portability of friends and the concept of “ownership” of friends has been discussed extensively. When you move to a new social network, should you be able to spam all your friends with emails to make them join as well? Plaxo evidently thought so, which caused a lot of backlash (one of many, many articles; this started happening in 2004, but continued for a very long time). An IM service could, as soon as you log in, IM every one of your friends with a message appearing to be you, asking them to join you on this “hot new IM client” you just found. That’s what Plaxo did with email (and why there’s so much resentment toward them today).

  3. Conversations.

    Let’s say that despite all these worries, I actually go ahead and IM one of my friends. At this point we’re past a mere multitude of privacy consequences and into territory where we’d need special numbers to count them all, so I’ll just mention two that occurred to me. One: just as everyone gets a bit frightened by Gmail electronically reading their mail to target ads (even though no human ever reads it), people might get a bit touchy when even a computer is monitoring their IM conversations to show them ads on their screen. A slightly more advanced form of this: every so many IMs, the service could attach a little ad “signature,” the way Yahoo did until quite recently. There wouldn’t even necessarily be a way for you to know you were spamming your friends as you spoke, unless your friends started getting annoyed and asking you about it.

    Alternatively, using the same technology as in #1, the IM service could send Beacon updates to Facebook– now featuring not just you, but your friends as well. “Alice and Bob hooked up in IMiverse! You can join them!” could appear in the Facebook news feed– with disastrous consequences, and it’s already too late by the time the item has gone into the feed. The information is, naturally, out there.
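As an added illustration (not code from this post, nor from the startup it discusses), here is one way a web IM gateway could avoid turning its own records into the kind of identity lookup table that steps 1 to 3 describe: passwords never reach persistent storage, and screen names (yours and your buddies’) are replaced with a keyed pseudonym, so logs still support debugging and aggregate counts but cannot be fed into an XFN or Social Graph query. The log field names, the key, and the sample lines are all constructed for the example.

```python
"""Scrubbing an IM gateway's logs so stored records cannot profile users.

Constructed example: the field names (screenname=, password=, buddy=), the
key and the sample log lines below are invented for illustration.
"""
import hashlib
import hmac
import logging
import re

# Constructed per-deployment secret. Without it, nobody (including a later
# data buyer) can turn the pseudonyms below back into real screen names.
PSEUDONYM_KEY = b"replace-with-a-per-deployment-secret"

# Credentials: the value is dropped entirely, never hashed, never stored.
_PASSWORD_RE = re.compile(r"\b(password|passwd|pwd)=([^\s&]+)", re.IGNORECASE)
# Identities: the value is replaced with a keyed, stable pseudonym.
_IDENTITY_RE = re.compile(r"\b(screenname|user|buddy)=([^\s&]+)", re.IGNORECASE)


def pseudonymize(screen_name: str) -> str:
    """Stable pseudonym for a screen name: truncated HMAC-SHA256 under the key.

    A keyed MAC (rather than a bare hash) means a list of known screen names
    cannot be hashed by an outsider to recover who appears in the logs.
    """
    mac = hmac.new(PSEUDONYM_KEY, screen_name.lower().encode(), hashlib.sha256)
    return "u_" + mac.hexdigest()[:16]


def scrub(line: str) -> str:
    """Redact credentials and pseudonymize identities in one log line."""
    line = _PASSWORD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = _IDENTITY_RE.sub(lambda m: f"{m.group(1)}={pseudonymize(m.group(2))}", line)
    return line


class ScrubbingFilter(logging.Filter):
    """Logging filter that scrubs the message before any handler can write it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting
        return True


# Constructed sample lines, as a naive gateway might emit them.
SAMPLE_LINES = [
    "login network=aim screenname=example_user password=hunter2 ip=198.51.100.7",
    "buddylist user=example_user count=42 buddy=alice_example",
    "msg user=example_user buddy=alice_example len=37",
]


def scrub_all(lines):
    """Scrub a batch of log lines; returns the list of scrubbed lines."""
    return [scrub(line) for line in lines]


if __name__ == "__main__":
    logger = logging.getLogger("im-gateway")
    logger.addFilter(ScrubbingFilter())
    logging.basicConfig(format="%(message)s", level=logging.INFO)
    for raw in SAMPLE_LINES:
        logger.info(raw)
```

Because the same screen name always maps to the same pseudonym, operators can still count logins per user or trace one user’s session across lines; what they lose is the ability to answer “who is u_…?” without the key, which is the property you want before logs are retained, shared or sold.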

The Conclusion

Oh, really? You thought I could solve this? Nope, not today. These are, unfortunately, all easy to do with current technologies– and, understand, these are technologies which can do a lot of good for users if used properly and with respect for privacy.

My only concern, when I speak to people or corporations about things like this, is when they don’t see the bigger picture. It’s OK not to have a solution to every problem from the outset; it’s not OK to say that the problems don’t matter, or that you “don’t need to worry” about them. It’s certainly not OK to lack a privacy policy clearly explaining how you’re going to use personal information.

The real solution to technologies like this, of course, would be technology allowing for minimal identity knowledge to be sufficient– but that’s a story for another day.