← All Episodes ← Prev Next →
EPISODE 0100 - OCT 13, 2020 Privacy

Privacy Scavenger Hunt

with Mark Asquith, Hana Habib, Kaitlin Maud, and Ryan Jones
Listen now

Imagine a corporate privacy policy on a website that was actually comprehensible and written by and for human beings. We talk to companies who have done just this, and what it means to build a business that has respect for privacy baked in from the outset. We also talk to a researcher who’s witnessed the difficulty of navigating online privacy settings.

Transcript

Wailin: (00:00:00) Hi there. If you’re listening to this, you probably downloaded this episode. And you would have downloaded it from a podcast host. Not me, a different kind of podcast host, a company that provides the technology to host the audio file.

Mark: (00:00:13) Anytime you listen to a podcast episode, basically what happens is that an mp3 file is downloaded.

Wailin: (00:00:21) Mark Asquith is the co founder and CEO of a company that makes podcast technology, including a hosting platform called Captivate.fm.

Mark: (00:00:30) So what happens is that what the servers that a podcast host like Captivate will do is they will just essentially track all these bits of download. Where’s this come from? What IP address has this come from? And what user agent. Essentially, what’s the type of device. These two pieces of data map together with timestamps and a couple of other bits of information, what kind of OS, usually what kind of app. Whether you’re listening on a web app, or whether you’re listening on, you know, something like Apple podcast. We basically collect all that data and we pass that data through. We basically say, look, this looks like one person trying to listen to this podcast. And we can see that this constitutes one legitimate download of your audio file. And and that’s pretty much how a podcast download works.

Wailin: (00:01:14) If you go to the website for Mark’s company, Captivate.fm, you’ll see this laid out in plain English in their privacy policy. It even explains what an IP address is. It says, quote, “This is a 12-digit number, from which it is possible to work out your approximate location, often down to your suburb, and the name of your ISP or mobile provider. Sometimes it’s possible to work out your employer or school from an IP address.”

Mark: (00:01:40) We always wanted the brand to be very clear. Those that hosted podcasts and the other podcasting hosting companies that have been out there for a long time. They kind of liked it being complex, because it gave them this sense of authority. So when we created our privacy policy, and when we started doing all of our legal stuff, you know, Ts and Cs cookie policies, actual you know, platform privacy policies, everything was really, really clear.

(00:02:03) Broken By Design by Clip Art plays.

Wailin: (00:02:03) Welcome to REWORK, a podcast by Basecamp about the better way to work and run your business. I’m Wailin Wong.

Shaun: (00:02:09) And I’m Shaun Hildner.

(00:02:11) Privacy is something very near and dear to our hearts here at Basecamp. You’ve heard us talk about it on this show. Today we’re delving into one aspect of privacy, and that’s privacy policies. You know, that wall of text on every website that you’ve never read. That’s because privacy policies are often confusing and overwhelming, and that leads to end users feeling helpless about their privacy options.

Wailin: (00:02:31) On today’s episode, you’ll hear from some small businesses about how they crafted friendly, understandable privacy policies. And more importantly, how creating those human-centric privacy policies comes much more naturally when respect for customers is baked into a product or company from the beginning.

(00:02:48) But first, we’re going to kick things off with an academic study that was published in the spring.

Shaun: (00:02:53) Yeah, drop some science on me.

Wailin: (00:02:55) [Laughs]

Hana: (00:02:55) My name is Hana Habib. I’m a PhD student at Carnegie Mellon University and my research focus is on usable privacy and security. I look at the usability of different types of privacy controls.

Wailin: (00:03:09) How much of usability is mandated by legislation like GDPR or the newer CCPA legislation in California? How much do those regulations have to say about usability, however they choose to define that?

Hana: (00:03:26) The quick answer is not much. They both require that the controls that they mandate are conspicuous and usable. But they don’t really define what that means. And I think this is where research like mine can kind of play your role.

Wailin: (00:03:42) Hana and her team had 24 participants do an in lab study where they had to complete different privacy related tasks on websites like the New York Times, Food and Wine Magazine, Wordpress.com, and the University of Colorado. The tasks involved opting out of email newsletters, opting out of targeted ads, and requesting the deletion of personal data.

Hana: (00:04:03) When participants came in we gave them a Gmail account. It already had accounts on the websites that we had people visit. We described the test that participants did using scenarios. So for example, suppose you just got the 10th email update from this website, and you want to stop receiving them.

Wailin: (00:04:26) The participants are asked to think out loud as they navigated around these websites to complete their tasks. And they were also interviewed before and after. Hana and her team charted all the different paths people took through the websites, looking at how many clicks or hovers or scroll downs it took to complete a task, and the participants had a rough time.

Hana: (00:04:46) A lot of privacy controls are offered through the privacy policy. And that’s probably not a very intuitive place where most people would look. Or if they did, the policies generally are pretty lengthy and we hypothesized that it would be hard to find the choices, even if people did think to look in the privacy policy.

(00:05:08) And that’s something we actually confirmed in the study. None of the participants who we assigned a test that required them to go to their privacy policy actually looked in the privacy policy without us giving them a hint.

Wailin: (00:05:20) Oh, interesting. So if they were running into trouble, you would give them a hint, that was also part of the study?

Hana: (00:05:25) Yeah, we didn’t want people to just sit there and spin their wheels.

Wailin: (00:05:31) Which probably does happen in real life every day, right? Like you… you’re like, oh, I want to take care of this task. And then 10 clicks later, you’re like, ugh, I give up, right?

Hana: (00:05:40) Yeah, exactly. Yeah. So that was… figuring out when to give the hint was kind of interesting. So we actually did a couple of pilot sessions to figure out that really, around the eight minute mark was when we should probably give a hint.

Kaitlin: (00:05:56) There are definitely times when you have to design privacy policies or terms and conditions into an experience seamlessly so that they can be accepted and that the user can move on and do the thing that they’re actually trying to do.

Wailin: (00:06:11) Kaitlin Maud is the co founder of Rain or Shine Recruiting, a recruiting firm for creative positions, like designers and copywriters.

Kaitlin: (00:06:18) My background is actually in UX, in design research, and I run the operation side of Rain or Shine. But by day, I’m actually a strategy consultant.

(00:06:28) Companies want you to accept the privacy policy and the terms so that they are protected from liability, whether that’s what they decide to do with the information that they collect, or if the experience doesn’t work. And they design it such that people don’t read it or accept it really quickly, because they want to move on and do a thing.

(00:06:49) But ultimately, in the face of recent regulatory changes, those experiences continue to be degraded by companies needing the user to opt into things. And so, I am not a web designer by trade. I think about the end user experience but any project I undertake comes back to what information you need from the end user and why.

Hana: (00:07:16) A lot of participants mentioned seeing these cookie consent banners, a lot of them said that, yeah, I just exit out of there, say okay, and whatever. There really isn’t a choice but to do that.

Kaitlin: (00:07:29) People know they don’t have a lot of privacy when it comes to their experience online. But they don’t necessarily know how or why that is, or what the companies are doing with all of the information that is collected on them. And so it’s very easy to just say, yes, I accept that you’re going to collect cookies from me, and you start browsing through the website, and doing whatever it is that you need to do.

(00:07:55) Let’s say that site is an e-commerce site where you want to buy something. Maybe you abandon your shopping cart, you decide not to buy something, or maybe you decide you’re going to go check a competitive website, but then you keep getting ads for the things that you were looking at on the original website when you go to other websites. That’s what it meant when you accepted cookies. When you accepted the cookies, you said, it is okay for this company to monitor and record and track my browsing behavior within the website.

Wailin: (00:08:28) But how often is this made clear? And if, let’s say, you accept cookies and then you want to change your settings later, how do you do that? It’s not very easy.

(00:08:37) The title of Hana Habib’s paper was, It’s a Scavenger Hunt, which is something one of their study participants said about trying to find an advertising opt out on Wordpress.com.

(00:08:47) Kaitlin Maud has also studied user privacy, and knew that she wanted her recruiting firm to be set up differently than what else she’s seen in the industry.

Kaitlin: (00:08:56) When we were thinking about how to really have a human business. We thought that empowering the humans who use our website would be an important gesture so that they know what that information is. I mean, one of the first things we thought about is, for example, job searching is incredibly personal. If you have a job, for example, someone might be on the IP address of their employer, or they might be logged in or in an authenticated state of some websites associated with their employer.

(00:09:33) So we could collect that information and say, oh, there’s a lot of people from Tech Company A that are submitting their portfolios to our site. There must be something bad going on at Tech Company A that we should be poaching all of their marketers and creatives. And we don’t want to do that. We want people to be able to be vulnerable in their job search and have some semblance of privacy. And so that is why disabling a lot of those tracking and cookies within our site was so important to us because we understand what it’s like to be on the other side and be the person applying for a job.

Wailin: (00:10:13) As I was thinking through what data a recruitment firm would need in order to be successful, I was thinking, gosh, you know, there’s a few things kind of as personal as a job search, right, like as personally identifiable as the information you furnish as a job seeker. But that scenario you outlined didn’t even occur to me and that’s quite a frightening scenario as well.

Kaitlin: (00:10:35) Absolutely. And I mean, there’s even more. So things like buying or selling the data of applicants. With everything that has been going on this year, since the pandemic started, a lot of the independent recruitment firms have not been able to withstand this because jobs are going away so you don’t need recruiters to recruit for jobs. And so it’s been consolidated into a lot of these much, much bigger staffing firms, they’re called.

(00:11:03) So it’s these companies who are really focused on numbers and volume of candidates versus necessarily finding the right candidate, especially in an area, like Creative Services where we work with designers and copywriters. And we wanted folks to know that we’re not buying the lists of candidates or HR professionals that we’re going to reach out to, and we wanted them to know that we’re not buying or selling their information either.

(00:11:29) Because, again, it’s sort of like, any way that the data could be used, it could be used. And so we want to let folks know, we’re not doing it this way but it’s possible that you’re exposing yourself to that with the information that you’re giving all of these sites that you’re applying to jobs on.

Wailin: (00:11:48) Here’s an excerpt from the Rain or Shine privacy policy. “Squarespace uses font files from Google Fonts and Adobe Fonts. To properly display this site to you, servers where the font files are stored may receive personal information about you, including information about your browser, network, or device, and/or your IP address."

Kaitlin: (00:12:08) In our privacy policy, we included a link to Squarespace’s documentation on what they require for the site to be functional. And then of the things that we do collect, we just made sure to share why it is that we collect that. So, for example, we remember throughout the site, if you dismiss something called an announcement bar. So if you land on our homepage, and it says, hey, we have a big rec open with this company, apply here, and it’s not relevant to you and you X out of it. Well, we don’t want to keep serving it to you every time you click a new page within the site. And so for us to remember that preference, it requires us to keep a little bit of information on your site experience. And so we told people that we’re monitoring these functional and required cookies, but it’s sort of a bold assumption that they know what that means. And so wherever possible, like I said, we linked to Squarespace’s documentation of what that means. Or we gave very specific examples of what we needed that for.

Ryan: (00:13:09) The companies that have plainly written privacy policies, really, it starts kind of at the core, as they say.

Wailin: (00:13:15) Ryan Jones is the founder of Flighty, a flight tracking app for iOS.

Ryan: (00:13:20) The four of us that work on Flighty, we came together over Twitter, actually. We had all kind of had similar product instincts. So we all really fit into the kind of culture of people who really value privacy and the type of people who actually read these things, before we hop into a product.

(00:13:37) We all knew we weren’t going to put in privacy invasive SDKs. And we weren’t going to have a database of all of our customers and where they’re flying and stuff like that. So it was really foundational from the beginning that this kind of stuff wouldn’t be built in.

(00:13:51) The privacy policy… In a way we kind of looked at it like a feature. So like, this is going to be a thing that people are going to look at, what do we do in our product now so that when we get to that point, it says what we want it to say.

Wailin: (00:14:05) Being thoughtful about privacy from the beginning means that companies aren’t forced to come up with convoluted legal language to justify invasive policies after the fact.

Ryan: (00:14:13) We want as little PII, as they say, which is Personally Identifiable Information. We want as little of that as we can possibly collect, because if we don’t collect it, then we don’t have to have all these crazy security measures about it. And then we don’t have to have all these policies about when we disclose it. And, to start, we don’t even really want it. We wouldn’t want the app to have that about us.

(00:14:36) A lot of decisions we made were about, well, do we really need to know that? And almost always, the answer is no. So like one good example is a lot of apps in this space, when you start searching for an airport, it will pull up airports that are nearby you. And in order to do that feature, obviously they need your location access. So we’ve built that out and as we were using it, we all kind of were talking to each other. And we’re like this isn’t that useful?

(00:15:05) Like, no question. It’s helpful. But is it worth someone giving up their location access all the time for it? No, it’s not. So we pulled that out. And we don’t even have or requests or know people’s location now. And we think that that’s a good balance between the feature that they would get, which is nice, but not necessary, versus giving up their location access in order to have that.

Wailin: (00:15:27) Were there examples of other bits of data you could, that you had the option of collecting, where it merited some deeper discussions around trade offs? Like in this kind of app in particular that you’re building out? Where are the really hard trade offs?

Ryan: (00:15:45) I think that the biggest one is going to be in analytics, or what I would call product analytics. So how many launches are people doing? How often are they coming to the app? How many flights are they doing? How many flights have they completed? What features are they using? A lot of products will tie that to an email address, so that they can contact users who are their super fliers, as we would call them, or people who abandon the app and don’t use it as much. And you know, obviously, that has huge benefit, because you can talk to your main core customers and say, “What are you liking? What do you not? What can we do more for you?”

(00:16:25) And then kind of even more important, you can talk to the people who have abandoned, quote, unquote, and have left the app and say, “Why didn’t it work for you?”

(00:16:33) But what we decided was, we didn’t want to even have that capability of anyone on the back end to even look up and see where someone’s email address was flying to or flying from or flights that they were entering. So what we did is separate those two things. And we kind of did it in a pretty rudimentary way. In the app itself, there’s no place where you can enter your email address that it will even get put into our analytic system. All of our users are identified with a basically a random token, so 64 random digits and characters. And that’s all that we really know them as.

Wailin: (00:17:10) Ryan and the Flighty team wrote their privacy policy themselves. Here’s how it opens. "There is no code or tracking from Facebook in the app. There is no code or tracking from Google in the app. We do not require any PII (personally identifiable information) to use Flighty. If you enter PII to enable certain features we store it securely and never sell it.”

Ryan: (00:17:30) When I looked at this, maybe a year and a half, before we launched, I went and I looked out at our competitors. And then I looked at people in the community or apps in the community that I respect, and I basically hodgepodged and merged it on my own. And then we just looked at it critically, as a team. We had a conversation about, let’s get this in front of a lawyer and make sure that would actually protect us from this and protect us from that. And that we’re saying these things clearly incorrectly.

(00:18:03) It kind of fell into that, we’re a startup, we just got to get stuff done. And this is the right thing to do. Let’s move on to the next thing.

(00:18:12) We’re four guys, bootstrapped, kind of funding it on our own. I don’t really know if I know a lawyer or know where to find a lawyer that would give me advice in that world that I would feel like made the right balances there. I feel like they’re so built around making things complicated and protecting yourself. And we kind of wanted to go the other direction of giving you reassurance that we’re on your side.

(00:18:40) It was how can I write this in such a plain language, that anyone who comes to it can read it and know what I’m saying? And I practiced that age old tech thing that people talk about. Is, I practiced on my mom. And I was like, look, let me try to explain this to you and let’s keep going until you get it. And then I used those phrases and kind of further distilled them down and worked with our other co founders to try to get it into really common language that anyone can understand.

Kaitlin: (00:19:10) We had a lawyer approved privacy policy, but it read very much like a lawyer approved privacy policy. And so that language was incongruent with how we were running our business, what we decided we wanted the tone of our website to be. If the gripes we have about recruiting or that it’s impersonal, spammy, we wanted every aspect of our website to be a reflection of how we’re doing things differently.

(00:19:39) So it was really important to us that we used plain English in the privacy policy. So we just adopted this boilerplate lawyer approved privacy policy line by line by line, making it more human, taking out things that weren’t relevant to the site that we had designed. I think so much of this, too, people put information in their privacy policy for like these potential future events. And I think that’s a lot of why people collect data in the first place, too. It’s like, they’ll potentially use it one day. It’s like this digital hoarding, like, well, I need to have something in this privacy policy in case one day, I have ecommerce.

(00:20:22) You need so much more legalese in your privacy policy, if you are selling tangible goods to people, because you have to collect their credit card information, you have to collect their address. And same thing with data. People are like, well, I want it all turned on because one day, I might learn something from that. Or one day, I might use it. And where we made the decision that we weren’t going to do those things. Knowing that that might change in the future, we decided to just take those things out, because they’re not relevant.

(00:20:55) Most smaller businesses like ours, don’t have analysts on staff. They don’t have people that do UX research and strategy like I do. They don’t have folks that would even know how to go through this data. So people only know that the data is valuable, but they don’t know why and they don’t know what to do with it. So I wonder why it is that everyone is so keen to collect this data, if they’re not going to use it.

(00:21:26) People that are small businesses are also users of the website and of the websites of these big tech companies and of their services. And so if they have trained you to see data as so valuable, they have trained you to be so willing to give over that valuable data to them so that your experience with them is so much better. And so it is like this never ending cycle where now everyone is under this, I think, illusion that data is the most valuable thing that we have. But it’s only as valuable as it is useful. And I have high suspicions that it’s not being used even close to the amount that it’s being collected.

Wailin: (00:22:14) But as we’ve been talking about, it’s an uphill battle to educate people on privacy and help them feel empowered to do something about it. Hana Habib’s study revealed that participants felt both confusion and skepticism when it came to their online privacy.

Hana: (00:22:27) We did note that people were kind of skeptical about whether or not the choice that they used on the website would be effective. And this is especially the case related to data deletion control. A lot of people who were assigned a task that had them request their data to be deleted from a website didn’t actually think the website could do that, or would actually honor it.

Wailin: (00:22:50) We started this episode by looking at what information is collected about you when you listen to podcasts. We’ve talked about privacy and targeted ads in podcasting before and there’s been some interesting developments on this front. Like, both Shaun and I use the app Overcast to listen to podcasts. Overcast has a new feature where for each show, you can click to see what kind of tracking that show does.

(00:23:12) Mark Asquith, of the hosting service Captivate.fm wants the podcasters on his platform to disclose this information. He introduced a feature for podcast creators called Full Transparency Mode.

Mark: (00:23:24) What you do is you basically go into your podcast settings in Captivate and you tick a box that says enable Full Transparency Mode. And what that does, is it will append to your show notes so that your listeners can see hey, you’re listening to this episode. By the way, rather than just tracking the analytics on this episode, this podcast creator has decided to use these prefixes, these other external companies, to route their RSS feed through it, and maybe track other stuff. And, A, we’ve worked with these companies and here’s a link to their privacy policies.

(00:24:01) So what they’re trying to achieve, ultimately, is attribution. What does this person do after they’ve heard your thing? And your thing might be an ad, or it might be your show, but they’re trying to understand how and why you do what you do, where you do it, and how long it takes you to do it from hearing that ad. We’re just talking data that any advertiser would love to have, and that they can probably get from every other medium. That’s what we’re trying to do in podcasting, through prefix companies, and so on right now. And that’s why there’s this real nexus point happening because some want it and some don’t.

(00:24:34) We created this Full Transparency Mode, and we urged every other host to take it up. It’s slow adoption, inevitably development schedules and so on mean that it’s very difficult to get other people to adopt things very quickly. But we made it open. We announced it, we urged other podcasters to do it.

(00:24:50) I’ll tell you—this is a slight digression—but we actually turned down a lot of prefix companies. So we had one a couple of weeks ago that came to us and said, look, we want to integrate with you. But we don’t have a privacy policy. We said no, we can’t do that. Unless you can prove to us there’s a solid, conscientious, and publicly available privacy policy, I’m really sorry, but we can integrate with that. And we can’t, not only can’t we integrate, we simply will not allow our podcasters to use your prefix.

Wailin: (00:25:14) Mark says that not a lot of podcasters have taken advantage of Full Transparency Mode. In a similar vein, Kaitlin Maud of Rain or Shine Recruiting says she hasn’t seen much interest in their stance on privacy, either.

Kaitlin: (00:25:26) You are the first person who has really cared about this. I tweeted about it. And so I have a few thousand followers on Twitter, and I was hoping it would really start a conversation. I definitely worry that people don’t feel empowered in the process. I think people don’t care because they have accepted really awful experiences online. And they see that as the status quo because the big big companies out there have set that tone, and have set a tone that people don’t have a say in how they get to experience the internet.

Wailin: (00:26:09) This group of big tech gatekeepers also includes investors.

Ryan: (00:26:13) In a really simplistic term, there’s kind of two paths to product. There’s acquire users at an incredibly fast pace and that accumulation of users, there will be value in it. Whether it’s, we’re gonna monetize them ourselves, or we’re going to sell them to another company. And then on the other side of the spectrum, there is let’s try to be profitable from day one or as soon as we can. And I feel like that is a real fundamental split in the road, like right off the bat.

(00:26:49) And for us, just the kind of products that we look up to and what we wanted to build, we weren’t looking for acquiring a lot of users. So then, that didn’t make sense to go down the VC route. Hey, we don’t need 25 engineers immediately. And we don’t need to be spending $10 million on Facebook ads every year immediately. So we really went the other direction of let’s be profitable. Let’s try to build the product first, instead of the customer acquisition engine first.

(00:27:23) And that leads you away from VC, which I think leads you more down a road of kind of scrappiness. And you’re gonna win by respecting the user and making great products. It’s not to say that that doesn’t happen on the VC side of things, it absolutely does. But there’s a little bit more of… you know, there’s a lot of money involved, there’s millions of dollars, and those VCs take board seats and are very influential. And if we had done that, I wouldn’t want to make a privacy policy that they were concerned with, like, oh, you’re gonna get sued and lose all of my money. So it really becomes kind of what we’ve been alluding to, I guess the whole conversation, that it’s really built into the company from the beginning,

Kaitlin: (00:28:04) We occupy, and by we I mean Rain or Shine Recruiting, we occupy this tiny, tiny, tiny space within our industry within a tiny, tiny, tiny space of the internet. And even within our website, that gets, you know, very little traffic, it is so important to us that we take a stand and that we do things differently, because it’s a reflection of who we are. It’s a reflection of how we want to run our business. And it’s a reflection of how I think a lot of things in late capitalism need to change. And it extends beyond privacy policies to contracts that we have with clients are not more legal than what you would find on our website in terms of the language use. They are also written in a human language, because really if we’re thinking about human relationships as an experience, as well, like we have the user experience online, but what about the relational experience we have with candidates or clients. We don’t want to put 20 pages of legalese in between us in order to be able to work together. We want to be able to establish mutual trust and establish communication.

(00:29:21) And so I hope that as time goes on, we’re able to find a middle ground where businesses and the people they work with feel protected, but that we don’t feel dehumanized by the process in the contracts and the legal language.

(00:29:37) Broken By Design by Clip Art plays.

Shaun: (00:29:42) REWORK is produced by Wailin Wong and me, Shaun Hildner. Music for the show is by Clip Art. If you’re curious, REWORK uses a company called Transistor to host our audio files. Transistor collects some basic data from you when you download the show so we can see how many people are listening, what apps they’re using to listen, and where they’re from.

Wailin: (00:29:59) Hana Habib’s website is hanahabib.com that’s H-A-N-A-H-A-B-I-B. We’ll link to her privacy scavenger hunt study in our show notes at rework.fm. Mark Asquith is on Twitter and Instagram at @mrasquith. That’s M-R Asquith. And Captivate is at Captivate.fm. You can find Rain or Shine Recruiting at RainorShineRecruiting.com. And Kaitlin Maud is on Twitter and Instagram at @kaitlinmaud. That’s Kaitlin with the K. Ryan Jones is on Twitter at @rjonesy. That’s R-J-O-N-E-S-Y, and you can find Flighty at FlightyApp.com.

Shaun: (00:30:49) We did it. Episode 100.

Wailin: (00:30:51) OMG.

Shaun: (00:30:51) How are you going to celebrate?

Wailin: (00:30:55) Well, I don’t know. Today is a day like any other day, really.

Shaun: (00:31:01) It really is. It really is.

This is an episode title

00:00 / 00:00