Users and startups could learn a lot from the Facebook-Cambridge Analytica scandal. For a start, don’t succumb to apathy.
By Putu Agung Wija Putera
It’s been one and a half months since the Facebook-Cambridge Analytica scandal broke, and so far the tech giant seems to be getting away without a scratch. Not only did Mark Zuckerberg survive his two-day grilling by the US Congress, Facebook shares are recovering, too, up nearly 14% from their lows on March 27.
We now know that not only apps connected to Facebook could have been misusing user data, Facebook itself also collected a lot of private data from users through its mobile Messenger app. These included contacts as well as call and messaging history.
Facebook has said that technically, the users gave them permission to do so. But whether those users knowingly allowed the data harvesting is another question. Other Messenger features and gimmicks have similarly come under fire.
Meanwhile, in Asia, the privacy debate has involved some of the region’s own heavyweights.
Baidu CEO Robin Li sparked controversy when he said that Chinese people are “less sensitive” about privacy matters, as long as their data are used “for convenience or efficiency”. Uber, exiting from Southeast Asia, decided they would simply transfer their customers’ data in the region – which included full names, phone numbers and trip histories – to Grab, the buyer of their local operations. Interestingly, that transfer does not mean that Uber customers automatically become Grab users, with Grab accounts (the Philippine operations being an exception).
Yet, and considering all the hubbub in the mainstream media (and at least one memorable parliamentary hearing session), most Asian users seem unfazed. The #deletefacebook hashtag never took off here, where the website remains hugely popular. Users continue to happily post about their daily lives on social media. Grab does not seem to be losing business either.
Baidu’s Li is at least right in saying that some people readily share personal data in exchange for convenience. It’s hard to see it as an exclusively Asian problem, however. After all, Facebook Messenger isn’t exclusive to Asia.
But do the users actually know what Facebook does or will do with their data? Or even, do they understand what the terms of the various privacy policies entail? Many websites and apps use UI/UX tricks to make users give permission or sign up for things they don’t want or need.
To startups: fight for your users
If you’re running a startup, you might be wondering how the current privacy and data debate could affect your business. In some cases, data are absolutely necessary for your service, like how Grab or Uber needs to know the user’s location when they need a ride. In others, data are used to tailor (or target) advertisements to the user. You might use these ads to pay the costs of running your website or app, just like how Facebook keeps its platform free.
In short, user data are an extremely valuable resource to you, and it pays to keep, analyze, and utilize those data. However, you need to think carefully about how much data you actually need to collect. The more data you collect and keep, the more you put that data at risk of theft or misuse. With the recent revelations about Facebook Messenger, keeping more data than you need is also a very bad look.
You also need to be transparent about the type of data you are collecting from your users, and how you use them to deliver your service. (You might also need to let the users know what will happen to their data if the company shuts down or is acquired by another.) If you are going to monetize the data or use them to deliver ads, you need to tell your users as well.
Lastly, you must never be lax about protecting your user’s data. Learn about the best practices for data security in your industry to avoid common mistakes (like storing passwords in plaintext). Conduct regular audits of data protection and privacy in your organization. If something does go wrong and you find yourself faced with a leak or vulnerability, address it professionally. Do not attempt to hide the problem or shift blame. Some users may panic after your announcement, but your honesty and clarity will help you better retain their trust.
If you’re a user, you have a right to demand better policies from the services you use. You should know what types of data are being collected from you, how they are used, and which parties handle the data. Take stock of what data you are comfortable sharing with these services. If a service you are using breaches your trust, you are free to leave.
Of course, you still have a personal responsibility for your data. Think about what data you already have, what you are already sharing, and who is holding your data. Learn about how much that data could be worth. Then, find out about the risks that are most relevant to you. Finally, build your own “threat model” to guide your privacy and security efforts. (The Electronic Frontier Foundation, an organization that champions online privacy and security, has a good guide on this.)
Given the recent revelations about data abuse, it’s easy to be cynical and apathetic about privacy and data security. Or you could go the other way, by going off the grid, for example. Fortunately, most of us don’t need to resort to extreme measures to keep our data secure; with common sense and vigilance, we can stay safe while enjoying the benefits of staying connected.
Meanwhile, if companies show that they are serious about protecting their users and being transparent in their use of data, they will help create a better climate where users can trust the people who are handling their data. In this, startups can lead the way.