Information Security Buzz

Think Your Online Content Is Yours? Think Again. They Can Read Your Passwords, Travel Plans, Ideas And Everything Else.

By ISBuzz Team, January 10, 2017 (4 Mins Read)

Last week, the Internet caught fire when Evernote changed their Terms of Service privacy policy to explicitly allow them to read user content. After a very vocal and rightfully negative response, Evernote recanted their position and will only read user content if users opt in to a new service they are creating for the platform.

In reality, they’ve always been able to read a user’s content. In fact, just about every service on the Internet can do that. Always could, and always will. The business models of most services, such as Facebook, Twitter and Google, depend on reading user content, so their Terms of Service explicitly allow it. Because Facebook’s terms also give them a license to the photos users post on their service, they not only can (and do) have access to this content, they also kind of own it.

So why is this a surprise? Because most users don’t actually read a Terms of Service agreement before using an app. According to a social science study at the University of Connecticut and York University, 74% of individuals skipped reading privacy policies before signing up for a service, and 98% missed “gotcha” clauses that included giving up a first-born child as payment and turning over all of their data to the NSA.

How did the web services and application industry get to this place of at-will access to user content, with next to no consequence or accountability?

Built-in features of application architecture.

Web apps are designed to read a user’s stuff all the time. Take, for instance, the “Search” feature in any web service, such as Evernote, Slack or Salesforce. Once a user types a search term, that text is sent from the browser to the application’s servers, which look through all of the user’s content to find the items that match, then list the results. By contrast, when searching for a Word document on a computer, the search only happens on that device and Microsoft never knows about the file or what term was searched. Search is a valuable feature, but users shouldn’t overlook what it means for the privacy of their content or conversation.

The need for business models to monetize.

The predominantly funded business model of Silicon Valley and beyond is one that monetizes users. That can be done by selling data about customers to advertisers, partners, data brokers – whoever will pay money for it. A good example: when a user shopping online at Amazon drops something in their cart but doesn’t purchase it, they will likely begin to see ads for those same products appear on Facebook. Service companies have postured this behavior as “creating a better experience for users,” but for all of the sophisticated technology that makes web services work, their business model is as simple as a small town’s 17th century newspaper.

Relaxing attitudes around privacy.

Our parents’ generation preferred cash over checks, because what you bought was your own business. Today, everyone pays with credit cards, some of us even forgoing cash for the cheapest of services. With convenience- and rewards-driven transactions a priority for many consumers today, there’s less awareness about security and reliability implications, even though users expect this protection from banking and retail institutions. However, we’ve been told, “the people who care about privacy are those who have something to hide.” This browbeating comes from many of the executives running the companies mentioned in the previous paragraphs, as their businesses’ livelihood depends on users not caring about privacy.

Software development is generational, too.

Most developers learning to build applications today do so for web services, not desktop applications. Web services, by design, share resources across user domains, which makes keeping things private pretty much impossible. Why create new tables and maintain metadata in the database for every customer when it’s far easier to have just one table with everyone in it? My father’s generation coded on mainframes, I did it on personal computers, and now my son does it on the web. With little demand from students or the industry to teach future developers how to write COBOL or C++, most of the code is now JavaScript, CSS, and either PHP or Python. It’s practical, in a sense, but not the most sensible when it comes to building protection in from the ground up.

Only recently have more people begun to challenge the anti-privacy cartel controlling how we live online. There are a few players out there building services that only use and store encrypted text, not “plain text”, and those are the role model service providers users and the industry alike should support for their own security and privacy benefits.
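
How the “Search” feature described above can work for a service that stores only encrypted text, as an added example that is not from the article or from any service it names: the client encrypts each note and sends keyed-hash search tokens, so the server matches a query without being able to read it. It assumes Node.js and its built-in crypto module; every name and the sample notes are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample notes.
const nodeCrypto = require('crypto');
// Both keys stay on the user's device; the server never receives them.
const encKey = nodeCrypto.randomBytes(32); // AES-256-GCM key for note bodies
const idxKey = nodeCrypto.randomBytes(32); // HMAC key for search tokens

// Keyed hash of a word: the server can compare tokens but not read them.
function token(word) {
  return nodeCrypto.createHmac('sha256', idxKey).update(word.toLowerCase()).digest('hex');
}

// Client: encrypt the note and derive one token per distinct word.
function sealNote(text) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', encKey, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  const words = text.match(/[A-Za-z0-9]+/g) || [];
  return { iv, body, tag: c.getAuthTag(), tokens: [...new Set(words.map(token))] };
}

// Client: decrypt a record from the server; throws if it was altered.
function openNote(rec) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', encKey, rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.body), d.final()]).toString('utf8');
}

// Server: stores sealed records and matches opaque tokens, nothing else.
class BlindServer {
  constructor() { this.records = []; this.seenQueries = []; }
  store(rec) { this.records.push(rec); }
  search(queryToken) {
    this.seenQueries.push(queryToken); // all the operator could log
    return this.records.filter((r) => r.tokens.includes(queryToken));
  }
  // Everything held server-side as one string, to check for plaintext.
  view() {
    const bodies = Buffer.concat(this.records.map((r) => r.body)).toString('latin1');
    return bodies + this.records.flatMap((r) => r.tokens).join() + this.seenQueries.join();
  }
}

const server = new BlindServer();
['Flight to Lisbon on 3 March', 'Bank password hint: first pet', 'Lisbon hotel ideas']
  .forEach((n) => server.store(sealNote(n)));

// Client: turn the term into a token, query, then decrypt the hits locally.
function searchNotes(term) {
  return server.search(token(term)).map(openNote);
}
```

Identical words yield identical tokens, so the server still learns which notes share a term and when a query repeats; it does not learn the term or the note text.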

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
