The Value Exchange of the Digital Age | Part 2

Anna Jacobson
Published in BerkeleyISchool
Aug 20, 2019

Privacy: The Business Perspective

By Anna Jacobson, Hanna Rocks, and Jay Venkata

A business’s perspective on the value exchange it has created is often expressed through its approach to privacy policies and privacy risks. A third approach, its internal security strategy, is relevant but not available for external analysis for obvious reasons. In addition to reviewing the privacy policies and risks, we surveyed product managers and user experience specialists to obtain the business lens of improving customer experience and providing customized product offerings.

Privacy Policies

Social Media: Instagram

In signing up for Instagram, the service’s users agree to its three policies: Terms of Use, Data Policy, and Cookies Policy. Instagram’s Data Policy[2] covers the information that Instagram collects, how it uses it, and how it shares it. In practice, it is hard to imagine what data collection or usage is not allowed by this policy. There are no limitations on the collection of data generated on the site, nor any explicit protections related to data quality. There is no requirement for purpose specification at the time of the data collection, and purpose specification is not described in detail in the Data Policy. The potential uses for the data given are vast and vaguely defined, and openness is enacted only in notifications of changes to the policy, not through transparency about how specific data is being collected and utilized. Notably absent from this policy is any discussion about security safeguards, including any duties to notify users if their data has possibly been compromised.

Intentionally or not, Instagram does not particularly encourage the user to read the Data Policy. Other than the link provided at initial account creation, it is difficult to navigate through the site or app to get to the Data Policy. Once there, its format is uninviting; it is a long, plain page of black and white text, its only graphic relief an oddly low-resolution Instagram logo in the header. The language used is reasonably clear and free of legal jargon, but there is a lot of it, with no outline or other tools to facilitate easy navigation through or search within the document. A recent analysis by the New York Times found that Instagram’s policy required a college education and a 12-minute reading time in order to be understood.[3]

Between the principles that Instagram’s policy fails to address and its seeming attempts to obfuscate the policy itself, Instagram creates the impression that it is not a good steward of its users’ data — an impression that is only strengthened by its massive recent data breaches.

Hardware Devices: Fitbit

Fitbit’s privacy policy[4] is a clear and standardized policy that covers all key aspects of the data privacy lifecycle. It is known to be one of the most robust privacy policies in the wearable devices industry.[5] It’s clear that the nature of the service provided by Fitbit requires extensive personal information, most of which is highly sensitive. A detailed review of the Fitbit terms and conditions reveals that they align fairly with the services the company provides after obtaining the consent of its users. Fitbit could provide more details around the collection of device and computer information, data sharing with third-party service providers, and measures it has taken to protect user data from legal or illegal government demands.

e-Commerce: Stitch Fix

Overall, Stitch Fix’s privacy policy reflects the company’s mission of being a good steward of customer data. It is clear, easy to read and a reasonable length. Stitch Fix may benefit, however, from providing more specific information around how it defines personally identifiable information. This area has caused significant issues for companies in the past due to lack of transparency and consensus on what constitutes identifiable information.

Stitch Fix has also shown dedication to protecting its customers outside of statements made in the company’s privacy policy. The company is extremely transparent about its extensive use of customer data — it is how the organization is able to differentiate itself from other, similar services. This transparency brings data to the forefront of conversations on how Stitch Fix conducts business. It is not a topic from which the executive team shies away, thus creating a culture of responsibility to Stitch Fix’s customers. This culture paired with a comprehensive, open privacy policy minimizes Stitch Fix’s risk exposure related to its customers’ data while delivering a unique, personalized service.

Privacy Risks

Scandals concerning unauthorized use or release of customer data can quickly lead to the demise of a company. Court-ordered damages can reach billions of dollars, signaling the severity of harms inflicted on consumers when these incidents occur. The following sections detail past and potential future privacy issues for Instagram, Fitbit, and Stitch Fix in order to analyze vulnerabilities across and within the related industries.

Social Media: Instagram

In the first half of 2019 alone, Instagram data was exposed in at least three major security breaches. Most recently, a database of Instagram data compiled by Mumbai-based social media marketing firm Chtrbox comprising 49 million records was made publicly available online in May 2019, exposing an estimated 1 in 20 Instagram users. Just prior to that incident, in April 2019, 540 million Instagram account records were exposed through Latin American digital media publisher Cultura Colectiva.[6] In March 2019, Instagram admitted that millions of Instagram users’ passwords had been accidentally stored in a readable format on its servers. In the case of Chtrbox, it is still unclear whether the company was even authorized to have the information that was exposed. In both the Chtrbox and Cultura Colectiva cases, the data was improperly stored in unprotected AWS cloud buckets, in contravention of security best practices. These incidents highlight the vulnerabilities of Instagram’s “third-party partners”. However, the password incident was due to Instagram’s own negligence, and its seriousness was exacerbated by the company’s lack of forthrightness in its handling of the matter.[7] Furthermore, in July 2019 Facebook awarded a $30,000 “bug bounty” to an India-based researcher who discovered a vulnerability in Instagram’s security controls that enabled him to hack any Instagram account using a brute-force attack.[8] Had this vulnerability been discovered by a real hacker with malicious intent, it could have led to a much more serious security breach.

Hardware Devices: Fitbit

In late 2015, Fitbit suffered its only known security breach, in which one or more hackers used leaked email addresses and passwords from third-party sites to log into accounts in a string of attacks. Once inside the accounts, the attackers changed the details and attempted to defraud the company by ordering replacement items under the users’ warranties. Users said that when they tried to log in, their account email addresses had been changed to addresses such as “threatable123” and that some usernames had been changed to “vile” words. Users criticized Fitbit’s response to the attacks, accusing the company of failing to act quickly and appropriately and of blaming the users for the security issues.[9] However, the breach involved just a few dozen accounts, which pales in comparison to the 2018 breach of competitor Under Armour’s MyFitnessPal, which affected 150 million users.[10] In both these scenarios, usernames, email addresses and passwords were exposed. However, the data at stake is far more intimate, including personal health data, sleep cycles, and GPS location history. Hence the risks of potential harm with wearables or hardware devices are significantly higher compared to other industries.

e-Commerce: Stitch Fix

Stitch Fix has had no publicized data breaches in its eight-year history. However, in a section of its 2017 Securities and Exchange Commission filing titled “Risks Relating to Our Business”, Stitch Fix admitted, “[O]ur use of open source software may…present additional security risks because the source code for open-source software is publicly available, which may make it easier for hackers and other third parties to determine how to breach our website and systems that rely on open-source software. Any of these risks could be difficult to eliminate or manage and, if not addressed, could have an adverse effect on our business and operating results.”[11]

Product Manager Insights

In addition to reviewing privacy policies and assessing privacy risks to business, we also solicited the opinions of product managers for an “insider” perspective. The product manager survey aimed to collect data from those who are tasked with setting the strategy, managing the development, and defining the features of technology products. This survey was industry- and product-agnostic, instead seeking to understand the mindset and priorities of product managers in general (respondents reported working in Healthcare, SaaS, Technology/Semiconductor, Tech, Fintech, and Marketing Analytics, and some declined to provide their industry). We asked respondents to answer six questions related to their opinions about their products’ use of personal information and the importance of privacy within their organizations. The results informed our overall analysis of how industry approaches customer privacy.

We received a total of 12 product manager survey responses over a two-week period in July 2019. Figure 5 summarizes responses to select questions from this survey. Overall, the respondents reported that their users’ privacy was of very high importance to both them personally and their company’s leadership (both averaging slightly over 8 out of 10 on the Likert scale). Personalization was also reported to be of high but slightly lower importance (with an average response of 7.5 out of 10). The respondents rated their products as very well-balanced between privacy and personalization.

Figure 5: Product manager survey results

Some of the privacy scandals outlined in the privacy risks section above have led to profound shifts in how organizations think about their data privacy and security. Revamping their privacy policies and making their cybersecurity practices best in class have become strategic priorities for C-suites in a very short amount of time. This shift is clearly reflected in the product manager survey, where user privacy has been given a higher importance on the Likert scale than personalization or improving the product.

[1] Daniel J Solove. “Taxonomy of privacy”. University of Pennsylvania Law Review 154.3, Jan 2006.

[2] “Data Policy”. Instagram, 19 Apr 2018.

[3] Litman-Navarro, Kevin. “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.” The New York Times, 12 Jun 2019.

[4] Fitbit Privacy Policy. 18 Sep. 2018. 20 Jul. 2019.

[5] Charara, S and S Charara. “Your fitness app’s privacy policy may be about to change — and that’s a good thing.” n.p.: n.p., 25 Apr. 2018. 19 Jun. 2019.

[6] Ikeda, Scott. “Instagram Breach Exposes Personal Data of 49 Million Users.” CPO Magazine, 3 Jun 2019.

[7] Doffman, Zak. “U.S. Authorities Target Zuckerberg As Facebook ‘Buries’ Huge Instagram Password Breach.” Forbes, 19 Apr 2019.

[8] Muthiyah, Laxman. “How I Could Have Hacked Any Instagram Account”. The Zero Hack, 29 Jul 2019.

[9] Spary, Sara. “Online Criminals Are Targeting Fitbit User Accounts.” BuzzFeed News, 6 Jan 2016.

[10] Lindsey, Joe. “Is Your Health Data About to Get Hacked?” Outside, 19 Apr 2018.

[11] Amendment №1 to Form S-1 Registration Statement, Stitch Fix, Inc. Filed 6 Nov 2017 with the U.S. Securities and Exchange Commission.
