Classifying Privacy Concerns

on June 18, 2015

Privacy has been in the news a lot recently but, for once, not because of some egregious breach. Rather, it is Apple executives’ repeated statements of the company’s commitment to user privacy and the way in which it seeks to set itself apart from its competitors on this point. I thought it would be useful, by way of background, to walk through a classification of the major privacy concerns we as consumers seem to have and how each of these is (or isn’t) relevant to the different companies that compete in this industry. I’ve done quite a bit of research into major privacy stories covered in the news over the last few years, and most of them fall into one of these categories.

1. Sensitive personal information being exposed to other people

Description: One of the greatest fears people have is information they consider particularly personal or sensitive being shared with people they don’t want it shared with.

Examples:

  • I’m a school teacher who also has an active personal life. But I don’t want pictures of me drinking or partying exposed to the students, their parents, or perhaps even the other staff at the school where I teach
  • I’m gay but, for the time being, have chosen only to share this information with certain people and definitely do not want this information shared with others – whether family members, colleagues at work, or neighbors
  • I’m divorced and have recently started dating again and I don’t want my ex to know anything about my new life

The list could go on, but you get the picture – this fear is about personal information being shared with other individuals (not corporations or advertisers) beyond those I’ve chosen to share it with, especially in situations where I have chosen to share some of this information with specific groups or individuals but not others.

Companies most likely to cause this concern: In general, the companies most likely to commit breaches of this particular facet of privacy are those through who and with whom users proactively share certain information with other groups, which for the most part limits it to social networks such as Facebook, Google+, and the like. Facebook has certainly had several periods when its users were exposed in this way, often because default privacy policies were set too open or when policies or settings changed without due notice to users.

The vast majority of the privacy stories concerning Facebook over the last several years have been in this category, with relatively few other companies affected in quite the same way, at least not frequently. However, Google has occasionally been guilty too, as when its Buzz service first launched a few years back.

2. Personal information being “read” by computers

Description: We fear our personal information is being “seen” or “read”, not by other human beings, but by computers used by companies to personalize services, to serve advertising, and so on.

Examples:

  • My email provider has computers which view the contents of my emails to filter them into appropriate categories
  • My search provider sees all the searches I enter, and which results I click on, and slowly builds a profile of which search results are likely to be most relevant to me
  • My photo service performs machine analysis of my pictures to make them searchable.

In this case, the fear isn’t that human beings are seeing the personal information we’re sharing (though sometimes misunderstandings do occur on this point, or there may be skepticism that human beings really can’t see this information if they want to), but a vague sense of creepiness that machines are delving into some very personal information.

Companies most likely to cause this concern: On this point, it’s hard even to come up with examples that don’t sound like they’re talking about Google, which feels like the ultimate symbol of this kind of computer snooping. There’s no true breach of privacy here from a human perspective, but these types of services can create a vague sense of unease among at least some users.

3. Fear of one company knowing too much about us

Description: We fear that, even though many services may collect personal information about us, more and more of this information seems to be consolidating with just one or two companies, which are coming to “know” an awful lot about us.

Examples:

  • My email, calendar, contacts, photos, search history, and so on are all hosted by a single online service provider
  • My call records, email, calendar, contacts, phone search history, text messages, music, and books are all on my phone
  • The vast majority of my news and video consumption, most of my social connections, my interests, and my political views are all known by the social network I use.

In this case, some users may be genuinely uncomfortable about this enormous amount of knowledge held by a single company — a worry in its own right — which fits to some extent in the same category of vague unease as the previous concern on this list. However, in other cases, it may be a factor in other worries listed below.

Companies most likely to cause this concern: As a broad concern, this issue could affect any one of a number of companies, from Google to Apple to Facebook to Microsoft to Samsung. Any company which either provides a very broad range of services or provides smartphones and other devices is at least potentially in a position to “know” an enormous amount about its users. However, much depends on how data is collected, stored, and used. This is one area where Apple seeks to set itself apart from competitors, by focusing on its tendency to keep personal information on the device itself rather than on cloud servers. However, even then, there is potential for some exposure of this data, as discussed below. Companies which gather and store this data for the explicit purpose of building profiles of their users for purposes other than personalizing their services may also foster some of the other concerns listed. Google, in particular, has seen a number of stories about this aspect of its business, and especially about its decision a couple of years ago to unify its logins and data across all its services, over which several European jurisdictions are still pursuing legal action.

4. Fear of data being sold to advertisers

Description: We fear that not only do the companies whose services we use collect lots of data about us (see 2 and 3 above), but they sell this data in some form to advertisers.

Examples:

  • My search provider uses information from previous searches to allow advertisers to reach me when I make future searches
  • My smartphone vendor uses broad profile information about me to provide targeted advertising from companies who want to reach people like me
  • My social network uses information about my interests which I have provided explicitly and information gathered through my other actions on the service to serve up ads which seek to reach people with my demographics and interests

The reality is few of the companies we’re talking about here really do “sell” data to advertisers. What they do sell to advertisers is the ability to target their advertising to users based on their interests (whether explicit or implicit), and/or their demographics. The data itself is not shared with the advertisers except perhaps in an aggregated form as an indication of the size of target markets, for example. There are companies that do sell this kind of information, but they exist outside the world of consumer technology providers.

Companies most likely to cause this concern: This is a tricky one to define, because these companies don’t technically sell the information to advertisers. However, the very act of allowing advertisers to target users causes the same unease among some users as some of the other items I’ve described. There’s no breach of personal information per se, just as with 2 and 3, and unlike number 1 on our list. But there’s a sense our privacy is being invaded because advertisers are being allowed to reach us based on the profiles our providers have built up about us. This is obviously particularly true for companies which are heavily dependent on advertising business models, such as Google and Facebook, but it also applies, in a narrower way, to companies like Apple which have advertising products like iAd that allow for targeted advertising.

5. Fear of an accidental breach of security

Description: We fear that, because service providers and device vendors collect the information described in the various points above, there is always the potential this information is shared with third parties through no deliberate action on our part or on the part of the provider or vendor.

Examples:

  • My social network provider is hacked, exposing my personal information
  • There is a bug in the privacy settings on the online service I use which allows people I have no connection with to see personal information I store in the service
  • My device collects information about me which should be private but can be exposed through a loophole in the security settings

In none of these cases did the provider deliberately share information with anyone else but, in some cases, the argument can be made the provider should have done more to protect sensitive data, either to ensure its software was bug free in the most important security aspects or to protect it against malicious attacks.

Companies most likely to cause this concern: All companies are to some extent vulnerable to these issues, but those that collect the most data (even if for entirely legitimate purposes) have the most at risk if there is a breach. Google, Facebook, Apple, and others have all been the subject of stories along these lines over the last few years, whether as a result of bugs, hacking or other factors (such as rogue employees). These stories often say more about the desire of malefactors to access valued information than they do about security policies but, in some cases, they reveal shortcomings in company security that can build into a narrative over time (Apple has seemed at risk of this outcome at various times).

We’re not all the same

There are undoubtedly other facets of privacy concerns that aren’t completely captured here, but the vast majority of concerns we have, and the headlines about privacy issues, tend to revolve around one or more of those outlined here. The reality is we’re all different – each of us has a different tolerance for these different categories of privacy risk. Some of us care deeply about all of them, and are inherently distrustful of many service providers and device vendors for this reason. Others care only about some – likely 1 and 5 (or possibly just 1) but not the rest. And many more are in the middle, perhaps most concerned about a couple but also somewhat uneasy about the others. There’s likely a segmentation in any given population that could apportion users among these different groups, with the size of the various segments differing by company and culture. For example, users in China and other oppressive regimes and users with particularly sensitive personal information are likely to be more cautious on privacy than those who live in relatively free societies and those who are able to show their full personalities openly without fear. As Apple and other companies seek to stake out privacy positions they need to be aware of these different classifications and the various segments that exist. Apple’s remarks about privacy are likely to land hard with certain segments and entirely bounce off others, whereas Google’s stance is likely to turn off some users while attracting others. Each of these companies needs to bear this in mind to ensure they don’t risk alienating users who might otherwise be attracted to their products and services.