In the first of a six-part series about the issues founders face when building technology start-ups, Tim Grimsditch reflects on how he dealt with the problem of interminable privacy policies.
An investor asks: “74 per cent of daily Facebook users don’t worry about their privacy, so why are you so hung up about it?” In the early, pub-based planning of my current company, Six3, a couple of big themes emerged that we kept coming back to. Privacy is one of them.
If you’re building a mass-market video communication service, you need people to trust you with their most personal, private messages. But of course communications and sharing services often make money by finding ways to exploit and sell personal data. That’s why so many companies have highly complex policies, which users are generally complacent about checking.
So how does a 3-person startup balance the needs of users and the business while moving as fast as possible?
The above investor continues: “Why not monetise by selling data about those people, their friends and the message content to advertisers and partners?” The simple answer? We wouldn’t feel comfortable using a service like that.
The other reason we’re hung up on privacy is that 26 per cent of Facebook users do worry about their privacy. That’s a sizeable market in itself, and there are signs that it’s growing. In the US and Europe, politicians, regulators, the media and activists are all raising the profile of privacy issues, questioning the ability of the industry to regulate itself.
What is privacy?
Big privacy scares are a fact of life. Many in the industry were shocked by the revelations about Carrier IQ tracking private browsing and location on millions of devices. But the more insidious practices occur when services bury detail in privacy policies and permissions, giving users the choice of either reading endless pages of privacy policies, or simply joining in blissful ignorance.
Would female Facebook users be surprised to see ads for bridal wear if their relationship status is “Engaged”? Probably not. Are most Facebook users aware that, by default, their pictures can be viewed by 18,520 people on average? (By default, photos are viewable by friends of friends; the average Facebook user has 135 friends.) Maybe.
While Facebook has made privacy settings easier to find and change, the general impression is that policies are quietly set for the benefit of the business, while users remain in the dark.
Here’s a simple example: we wanted to give users full rights to their message content, without reserving any rights to the content at all. But this was deemed impractical. By serving the content on different devices and screens, Six3 would be “modifying a copyrighted work”, which requires the creator’s approval. At almost every turn, our efforts to create a set of reduced, simplified terms were countered – rightly, we came to understand – by the need to protect the business.
Just as we felt inclined to park our principles, Evernote chief executive Phil Libin published the company’s Three Laws of Data Protection. Evernote’s solution is elegant. They’ve kept the lengthy terms of service, but prefaced them with three simple, definitive statements about what they will and will not do with their users’ data. 471 words, readable in less than two minutes.
Often, in a start-up, you worry about how you’re allocating time and resources. Was it worth our focussing so much on user privacy? Well, shortly after we had upgraded our policy, a competitor emerged with a video messaging service.
During testing, we found something surprising. Users’ video messages could be viewed on public, unsecured URLs. Maybe this was the concept of minimum viable product being taken too far, or maybe they really don’t feel that privacy is important.
Shortly afterwards, we received an email from one of our beta testers: “How private is Six3?” We were glad to be able to give a straight answer.