Privacy is Like an Elephant

The story of the blind men and the elephant tells a visual story of how humans can perceive the same thing very differently based on their individual perspective.

In the tech industry today, we talk a lot about privacy and how certain companies or products violate said privacy. One thing that is missing from these arguments is that privacy is multi-faceted and people care about different types of privacy. In discussions about privacy in the industry I see people regularly conflate:

  1. protecting their information from other users
  2. protecting their information from the government
  3. protecting their information from the company providing the service
  4. protecting their information from other companies with whom the service provider may share their information

When companies talk about protecting your privacy they usually mean one or two of the above, but rarely do they do all well. This is important since there is a lot of industry discourse that confuses people, journalists and lawmakers by creating the perception there’s only one kind of privacy we need to worry about.

People take actions in private which they may not want other people to know about. A typical example is web searches or browsing the web, which has led to lots of humorous memes about being asked to clear a friend’s browser history as their dying wish.

A recent example of a company failing to do this and then having to retrofit their product to do a better job is Venmo making it impossible to hide your list of friends who you’ve likely paid money through the service.

Both repressive and democratically elected governments want as much access as possible to everything their citizens do online, typically argued as a way to prevent crime or stop people who foment dissent. Many online services give governments the ability to request your “private” data if they believe the government has a legitimate need for this data.

The same company can have different rules in different countries based on those laws. For example, Apple fought against the FBI’s request to unlock a mass shooter’s iPhone but complied with the Chinese government’s rules that require storage of Chinese user data and encryption keys used to encrypt the data in the country.

Most services process user provided/owned data stored on their services to either provide the service (e.g. email) or for safety and legal reasons (e.g. photos, videos, files, etc). Ensuring that a service cannot read and process your data is itself a form of privacy, usually provided by encryption. Examples of services that provide such guarantees via encryption are Protonmail and WhatsApp.

It should be noted that this is different from category 2, since a service can choose to protect your data from the government separately from whether the data is encrypted such that they cannot understand the data.

This form of privacy has been in the news most recently due to Apple’s app tracking transparency and prior to that due to legislation like the GDPR and CCPA.

In online advertising, apps and websites usually share information with ad networks or data brokers about your activity in the app. This is how websites know that you have a lawn mower in your shopping cart because the retailer shared that information with their ad network.

This last form of privacy is not wanting the company you’re doing business with to share information about your activities with advertisers, ad networks, data brokers or other partners. This sort of data sharing is legal in most contexts in the U.S. as long as there’s user disclosure and powers a lot of the economy (think credit history which requires landlords, banks, etc to report on your commercial activity). There’s also a humorous anecdote about how a Victoria’s Secret catalog begat some of the few consumer protections in financial privacy laws.

"Everything you touch you change. Everything you change, changes you" - Octavia Butler, Parable of the Sower