Privacy Vs. Anonymity in Location Based Apps
NOTE: this was written months ago and I never got around to posting it. Recent news, specifically Yik Yak shutting its doors, reminded me of the downfall of anonymity and of this draft. Also, I will refer to an app I worked on called FyFly in this document. The app has since shut its doors as well, for much the same reason as the rest of the players in the anonymous mobile space.
Today we will explore the differences between privacy and anonymity in location based apps.
Let’s do the painful part upfront: expecting reliable digital privacy is not realistic. Reliable digital anonymity, on the other hand, is possible, but history shows that it has limited value and eventually kills its creator.
What is digital privacy?
An app provides digital privacy when it holds personal information (name, age, gender, etc.) and the user (that is, all of us) trusts it to keep some or all of that information hidden from other users and/or the general public. Examples: Yahoo, Facebook or Google.
Are you laughing yet? Do you see why 100% digital privacy is not realistic? How many break-ins have we experienced as consumers in recent years? Just think of Yahoo “losing” a billion email accounts…
What is digital anonymity?
An app provides digital anonymity when it does not hold personal information (no name, no age, no gender, etc.). The app has access to contextual information (location, photos, messages) and the user is aware of it. An app that provides anonymous access can usually be identified by the fact that there is no login. Examples: FyFly, Yik Yak or Waze.
Let’s stop for a moment and observe that, actually, some apps like Waze and many anonymous location based apps do have an optional login that unlocks a number of features. This is important; we will see why in a moment.
Given the above, I am going to introduce two distinct levels of anonymity for the sake of clarity:
- a strictly anonymous app is one that never asks me to enter my personal information: no name, no email, no phone number, nothing, nada, zilch. I get access to pretty much the full experience under those conditions.
- an optionally anonymous app is one that gives me access to a number of features before asking me to enter personal information. I might be allowed to continue to use the app without ever entering said personal information (example: Waze again), but I am locked out of some of the value. In the worst case, Facebook for example, you actually cannot enter at all unless you log in, although you can search the public-facing profiles.
Let’s review the challenges with each of these three approaches (digital privacy, optional anonymity, strict anonymity) so we can make educated decisions about which app to use and how we (not the app makers) manage our privacy risks.
app with privacy features
It should be clear that the main problem with this approach is that you are giving your personal information to someone. You are trusting that someone to manage that information according to what you have agreed upon. So far so good.
What you might not know is that when you enter into that agreement, you are actually trusting a lot of people you will never meet: developers, product managers, DevOps engineers, IT managers and IT specialists, and a whole bunch of senior managers. Depending on the size of the company, you might be trusting hundreds of employees of Foo Inc to do the right thing.
Breathe, it gets worse. Ready? Let’s go.
They are all expected to enforce the EULA that, let’s face it, neither you nor they have ever read and, perhaps more importantly, you are trusting all of them to never make a mistake.
Mistakes made by people and systems are the main causes of data breach. (2013 Cost of a Data Breach Report, Symantec)
This is not blind criticism of digital privacy; it is an objective observation by someone who has architected and built industry standard user management modules (in English, login stuff) for Fortune 100 companies and start-ups. Someone who has fought against data injection, man-in-the-middle attacks, brute-force attacks and many, many other threats to our data.
Lesson learned: the more you share, the more they can steal, and mistakes happen; it is a fact.
Respected security experts agree: it is not a matter of if you get breached, it is a matter of when.
app with optional anonymity
By now it should be clear that the moment you opt to register and give away your anonymity, you are virtually back in the same situation as above. The question is how much you are asked to share, and thus how much you can be exposed in a breach or improper use of your data.
For example: on Dog Stories, a pet project of mine, we opted for optional anonymity, asking users only for their email or a third party token from FB or TW so that the risk is limited. That is, I am not without sin. On FyFly, we did strict anonymity: we did not know who you were, period.
Lesson learned: the more you are asked to share upon optional login, the more you are back in the digital privacy scenario, so you might as well use that paradigm.
app with strict anonymity
Recall, under strict anonymity there is no login and no registration. FyFly and Yik Yak were examples of this approach. These apps did not have your personal data, so there was less to steal.
It is that simple. However…
Shall we sing “It’s a Wonderful World” and hold hands then? Well, sure, but after that let’s discuss what can be done with strictly anonymous data; after all, we are nobody’s fool.
Given enough data, an anonymous app can infer where you live, where you work and possibly where you go shopping, etc. Using this, data scientists can build a model of each user and quite possibly take an educated guess at your identity.
Note that doing the above takes considerable resources. So the real question is: does the app developer really need to know that my name is Joe Provolone in order to provide me with added value? The answer, in most cases, is no; letting me choose a name to show in my public profile is enough for everybody involved.
That is why strict anonymity was gaining popularity for a while.
However, Secret, Yik Yak and FyFly all suffered the same fate: eventually the interaction did not provide enough of a value proposition to the end users, and active user numbers decreased until they all shut down.
The main reason for it was that shielding user identities from one another also decreases the commitment of users to police the community and preserve its values. While seductive at first, strict anonymity gave a false sense of safety to early adopters: a place where they could be free of judgement and harassment. The truth is that said judgement and harassment can and did happen even under anonymity, and once the community becomes aware of it, they start leaving and it’s game over.
so what now?
So you might as well use digital privacy: let the developer ask the user for minimal information and use best industry practice to store and safeguard it.
This is in fact the trend today.
When it comes to LBS (location based services), what I like to see is a commitment from the developer not to know my precise location. In most cases a resolution of 2 miles should be plenty to provide good value for location based apps, unless you are providing turn-by-turn directions, but that is, in my honest opinion, an edge case.
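One way an app can honour that commitment, and blunt the home/work inference discussed under strict anonymity, is to coarsen the fix on the device before anything is sent, so the server never receives a coordinate finer than the grid cell. The Python below is an example added here; it is not code from this post or from FyFly. It assumes a plain latitude/longitude grid with cells of about 3.2 km (the post’s 2 miles, rounded), constructed sample coordinates, and function names of my own choosing.

```python
import math

EARTH_RADIUS_KM = 6371.0
KM_PER_DEG_LAT = 111.32   # approximate length of one degree of latitude
TWO_MILES_KM = 3.2        # the post's "2 miles" resolution, rounded (assumption)


def coarsen_location(lat, lon, cell_km=TWO_MILES_KM):
    """Snap a precise coordinate to the centre of a grid cell roughly cell_km on a side.

    Returns (cell_id, (center_lat, center_lon)). Only the centre should ever
    leave the device; the caller discards the original lat/lon.
    """
    lat_step = cell_km / KM_PER_DEG_LAT
    row = math.floor(lat / lat_step)
    center_lat = (row + 0.5) * lat_step
    # A degree of longitude shrinks toward the poles, so the column width is
    # derived from this row's centre latitude; cos() is clamped so it never hits 0.
    km_per_deg_lon = KM_PER_DEG_LAT * max(math.cos(math.radians(center_lat)), 0.01)
    lon_step = cell_km / km_per_deg_lon
    col = math.floor(lon / lon_step)
    center_lon = (col + 0.5) * lon_step
    return (row, col), (round(center_lat, 5), round(center_lon, 5))


def max_error_km(cell_km=TWO_MILES_KM):
    """Worst-case distance between a true position and its reported cell centre
    (half the cell diagonal)."""
    return cell_km * math.sqrt(2) / 2


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance; used here only to check the coarsening error."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def make_report(lat, lon, message, cell_km=TWO_MILES_KM):
    """Build the payload a client would upload: the coarse cell centre and the
    message, and nothing that could reconstruct the precise fix."""
    _, center = coarsen_location(lat, lon, cell_km)
    return {"location": center, "message": message}


if __name__ == "__main__":
    # Constructed sample fixes: two points a few hundred metres apart in one
    # neighbourhood, and one point in the next town over.
    here = (37.7749, -122.4194)
    nearby = (37.7760, -122.4180)
    far = (37.8715, -122.2730)

    cell_here, center_here = coarsen_location(*here)
    cell_nearby, _ = coarsen_location(*nearby)
    cell_far, _ = coarsen_location(*far)

    print("same cell for nearby fixes:", cell_here == cell_nearby)
    print("different cell for far fix:", cell_here != cell_far)
    print("reported centre:", center_here)
    print("error vs true fix: %.2f km (max %.2f km)"
          % (haversine_km(*here, *center_here), max_error_km()))
    print("upload payload:", make_report(*here, "hello from the grid"))
```

The point of doing this on the client is that a server which receives precise coordinates and rounds them afterwards has still known the precise location at ingest, and so has every log, crash report and backup in between. The grid has the usual limitation of fixed cells: two users a hundred metres apart on either side of a cell boundary land in different cells, which is acceptable for neighbourhood-level features and is the trade-off the 2 mile resolution accepts.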
It all goes back to making wise choices as to which location based app you want to use, what value it provides to you and what the values of the community in that app are. If you are happy with that, enjoy the experience and be mindful of what you are sharing; as we have seen in the opening remarks, there is no 100% guarantee of privacy once you are online, and strictly anonymous apps are gone or on the way out.