Should we worry about user privacy?

By Tim Grimsditch on January 10th, 2012

An investor asks: “74 per cent of daily of Facebook users don’t worry about their privacy, so why are you so hung up about it?” In the early, pub-based planning of my current company, Six3, a couple of big themes emerged that we kept coming back to. Privacy is one of them.

If you’re building a mass-market video communication service, you need people to trust you with their most personal, private messages. But of course communications and sharing services often make money by finding ways to exploit and sell personal data. That’s why so many companies have highly complex policies, which users are generally complacent about checking.

So how does a 3-person startup balance the needs of users and the business while moving as fast as possible?

The above investor continues: “Why not monetise by selling data about those people, their friends and the message content to advertisers and partners?” The simple answer? We wouldn’t feel comfortable using a service like that.

We would want a service that either didn’t use any personal data, or would at least make it abundantly clear that it was using it – and no, burying permissions in a 5,000 word privacy policy doesn’t count.

The other reason we’re hung up on privacy is that 26 per cent of Facebook users do worry about their privacy. That’s a sizeable market in itself, and there are signs that it’s growing. In the US and Europe politicians, regulators, the media and activists are all raising the profile of privacy issues, questioning the ability of the industry to regulate itself.

Finally, as an unknown brand and service, we need to build trust very quickly with our users. On all counts, having a clear-cut and simple privacy policy will help us grow faster.

What is privacy?

Big privacy scares are a fact of life. Many in the industry were shocked by the revelations about Carrier IQ tracking private browsing and location on millions of devices. But the more insidious practices occur when services bury detail in privacy policies and permissions, giving users the choice of either reading endless pages of privacy policies, or simply joining in blissful ignorance.

Would female Facebook users be surprised to see ads for bridal wear if their relationship status is “Engaged”? Probably not. Are most Facebook users aware that by default their pictures can be viewed by on average 18,520 people? (by default, photos are viewable by friends of friends, the average Facebook user has 135 friends). Maybe.

While Facebook has made privacy settings easier to find and change, the general impression is that policies are quietly set for the benefit of the business, while users remain in the dark.

Doing background research, we were strucky by how unwieldy most privacy policies are. Skype’s relatively straightforward effort still weighs in at 4,679 words, which would take the average person about 20 minutes to read. But, as with many sharing and communication services, you’ll find that lots of material pertinent to privacy is squirrelled away within the Terms of Use. In the case of Skype, that’ll be another 10,000+ words, or 40 minutes.

The first line of Skype’s Terms of Use document is: “Please read carefully before downloading the software or using the product(s) or Skype websites.” Unlikely. Of course, this isn’t a Skype-specific issue. The reality is that most services are protected by policies which consumers rarely read and therefore don’t understand.

Reality Check

Armed with values and a few ideas, we originally approached our lawyer with a – we thought – bold and revolutionary idea: a simple privacy policy and terms of use guide. We demanded a masterpiece of brevity, in plain English, that users could quickly read and agree to with confidence. The response was a reality check: those thousands of words are there for a reason – to protect the business.

Here’s a simple example: we wanted to give users full rights to their message content, without reserving any rights to the content at all. But this was deemed impractical. By serving the content on different devices and screens, Six3 would be “modifying a copyrighted work”, which requires the creator’s approval. At almost every turn, our efforts to create a set of reduced, simplified terms was countered – rightly, we came to understand – by the need to protect the business.

Just as we felt inclined to park our principles, Evernote chief executive Phil Libin published the company’s Three Laws of Data Protection. Evernote’s solution is elegant. They’ve kept the lengthy terms of service, but prefaced them with three simple, definitive statements about what they will and will not do with their users’ data. 471 words, readable in less than two minutes.

With this as our example, we followed suit and we now have a three statement summary of our Terms of Use. Without burning much time, and without spending much cash, we had a privacy policy we could be proud of.

Often, in a start-up, you worry about how you’re allocating time and resources. Was it worth our focussing so much on user privacy? Well, shortly after we had upgraded our policy, a competitor emerged with a video messaging service.

During testing, we found something surprising. Users’ video messages could be viewed on public, unsecured URLs. Maybe this was the concept of minimum viable product being taken too far, or maybe they really don’t feel that privacy is important.

Shortly afterwards, we received an email from one of our beta testers: “How private is Six3?” We were glad to be able to give a straight answer.