There are many new small and mid-size business start-ups who are offering a wide range of online services, mobile apps, and smart devices. There are also many businesses that have been around a long time that see an opportunity and so are expanding into these areas. I’ve spoken with many such businesses, and they often make two common privacy mistakes:
1) They post a privacy notice or policy that they copied from another website, or from a conference session on privacy, but they never read it, much less follow it.
2) They state there are no privacy risks with these new types of technologies and services because, after all, there are no privacy laws specific to them.
Well, they should consider the recent Snapchat privacy problem and associated 20 years of ongoing compliance obligations and oversight from the FTC.
What’s up with Snapchat privacy?
Oh, you’ve not heard yet? Or, you heard something about Snapchat but thought it was all about teens taking risqué photos that were then captured by screen shots? Those are certainly part of the story, but it goes beyond that. Here is a summary of the Snapchat privacy fiasco:
- Snapchat is a (formerly?) popular app that claimed the messages, photos and videos sent through it would “disappear forever” ten seconds after sending. A bold claim, and one that many who understand technology argued is simply impossible. (Any time you send a photo, message or video to someone else, or post it online, it will usually exist forever in at least one, and likely more, places.)
- Snapchat transmitted geo-location information from users of its Android app, despite their claim in their posted privacy policy that it did not track or access such information.
- Snapchat had basically no security for a feature called “find friends,” despite their security claims, which led to a breach that exposed the data of 4.6 million users.
- In fact, it is technically possible for the recipients, and anyone snagging the messages passing through unsecured networks, to save (and share) the photos, videos and messages basically forever in an unlimited number of ways, despite Snapchat’s claims of being able to completely delete the messages. Of course the sender will often never know about those copies…until they come back to bite them at some point in the future.
- Despite Snapchat’s permanent deletion claims, users could (and do) use third-party apps to log into the Snapchat service and make copies, since Snapchat’s deletion feature only functions in the official Snapchat app. Recipients can use these widely available third-party apps to view and save snaps indefinitely.
- Snapchat stored video snaps unencrypted on the recipient’s device in a location outside the app’s control, leaving them accessible to users that connected their device to a computer and accessed the video messages through the device’s file directory.
- Snapchat promised users that the sender would be notified if a recipient took a screenshot of a snap. However, any recipient using a later-model Apple device (iOS 7 or newer) can easily avoid the app’s screenshot detection, and the app will not notify the sender.
- Snapchat promised in its privacy policy that it did not track or access geo-location data. However, Snapchat transmitted geo-location data from users of its Android app.
- Snapchat collected iOS users’ contacts information from their address books without notice or consent.
- Snapchat claimed it had security in place for its “Find Friends” feature, when in fact it did not.
- The U.S. Federal Trade Commission (FTC), which has demonstrated many times over the years, and increasingly, that it does not tolerate organizations that make false and deceptive privacy and security claims, slapped Snapchat with a consent decree once all of these misleading statements, chicanery, and basically outright lies came to its attention.
You can see the full FTC complaint against Snapchat here.
At a high level, the consent decree prohibits Snapchat from misrepresenting the extent to which Snapchat or its products or services protect the privacy, security, or confidentiality of user information, and requires Snapchat to establish and maintain a comprehensive privacy program with a long list of requirements, one that is subject to audit at any time over the next 20 years.
Even though these points are about Snapchat, knowing the mindset, and the lack of attention to privacy, in most small to mid-size businesses (and in the large ones as well), the same general actions and claims could probably be attributed to thousands of other organizations.
Learn a couple of important lessons from this incident.
You are legally obligated to follow your website privacy notices
The promises you make on your website and within your posted privacy policy and privacy notice are legally binding. They are generally a contract you are making that includes promises to your website visitors, customers, clients and patients, whatever the case may be. You cannot make promises and then fail to follow through on them without being held liable.
In this Snapchat case, the FTC specifically indicated more than once that Snapchat had “misrepresented in its privacy policy” its actual security and privacy practices. The FTC has also clearly stated this many times for many other organizations over the past several years, typically citing such instances as unfair and deceptive business practices under the FTC Act.
I’ve done over 300 privacy and security compliance audits, and in most of those where review of the posted website privacy policy was in scope, I’ve found that the employees had never even read the policy and didn’t know what it promised, including the employees who should have been doing the business activities that comply with their own policy’s promises. Oftentimes the website privacy policy is written by an overzealous member of marketing who wants to spin the message in a deceptive way, by a CEO who wanted to save money by simply posting something found on some other website without backing it up with actions to do what it says, or by someone who found a free privacy policy generator online and posted the resulting verbiage on the site simply to have the appearance of a privacy policy.
If you make promises within a privacy policy or privacy notice, they are legally binding and you are obligated to follow them.
You must mitigate privacy risks even in the absence of explicit and specific legal requirements
What makes the Snapchat privacy debacle so egregious is that they were promoting their app as a tool to help protect their users’ privacy, when that protection apparently amounted to little more than lip service used as a marketing gimmick to attract more users.
Largely because of the reactionary nature of laws and regulations, and the typically long and time-consuming process to get them established, there are no current laws that explicitly cover apps. Or cloud services. Or smart devices. Or Big Data analytics. Or…I could continue ad infinitum.
New technologies and services bring new privacy risks that have not existed before. Those providing them must be extra diligent in addressing these new privacy risks, even if there is no existing law or regulation explicitly requiring such privacy risk mitigation. Unfortunately, with no explicit requirements, many organizations shrug off their responsibility to protect their customers’ privacy, and simply give privacy issues lip service as a marketing ploy to draw in customers. At the very least they should do a privacy impact assessment to identify and appropriately mitigate privacy risks.
Even if you think there are no explicit obligations for you to address privacy, the FTC’s increasing actions should demonstrate that you cannot ignore privacy risks.
Bottom line for all businesses of all sizes, from sole proprietorships to multi-national multi-billion dollar corporations…
- You must actually comply with all the promises you’ve made in your privacy policies and privacy notice; or face significant sanctions.
- Don’t make privacy promises, or create so-called privacy tools, as part of marketing spin or as a trick to get customers, and then do nothing meaningful to actually safeguard personal information or protect privacy; you will be held accountable.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: data protection, IBM, Information Security, infosec, marketing, midmarket, PIA, privacy, privacy impact assessment, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management