Hear Ye! Since 1998.
Sun 27 Mar 11

Color: a privacy analysis (Part 2)

This is part two of a two-part post about the launch of Color.  The first part talks about the business and is available here.

The privacy practices of Color

Several things struck me about Color after I had used it for a while.  The first is that Color gathers a lot of data.  This data is highly personal (a picture is worth a thousand words and all that).  If I see your photo stream, I can determine not only where you are at a given time, but figure out who your friends are, what places you frequent, and even your routines and habits over time.  The second is that Color automatically shares your photos with anyone, instantly.  Most of those people will be strangers.  Your next door neighbor can see what’s happening in the party you’re holding at your place. (“I really hate my neighbor right now because of all that noise.  Wait, is that a person doing blow in the corner?  Let’s call the cops.”)  This is different from media sharing tools like Facebook, Foursquare, YouTube or whatever, because there the media is either shared with people you actually know (or their acquaintances), or is shared on a very deliberate basis by the media owner.  Color is just a firehose of information… and it can contain information which is far more revealing than a Tweet.

The privacy issues are totally obvious.  If you take a sick day from work and you’re not actually sick, you better be careful about using Color, because if your boss uses it, he can probably automatically see your photostream.  If you’re snapping photos in an office building, you better make sure you don’t inadvertently snap anything that’s confidential, or your competitors three floors above you might get wind of it without you even knowing.

As a lawyer at a small tech company, I spend a lot of my time thinking and worrying about consumer privacy.  After reading all of that, it’s totally obvious that if you use the app, nothing is private and you have no control over where your photos go.  If you don’t like it, don’t use it.  Well, that’s all fine and good, but for an app that is completely invasive of privacy, it does what is, quite frankly, a bad job of informing the user about it.

Let me say here that there’s nothing wrong with an app that is completely invasive of privacy as long as people know exactly what they’re getting into, and have some choice over the matter.  And as long as you comply with the law, which may be pretty difficult in some European countries which tend to ratchet up compliance requirements the more invasive your privacy practices are.  Color is a U.S. company and will soon be registered under the U.S.-EU Safe Harbor Framework, but despite the Safe Harbor, some European countries’ privacy laws can impose additional obligations that have what is effectively extraterritorial reach (I’m looking at you, Spain).

As soon as you start the app for the first time, you are asked to snap a photo of yourself.  Before you know it, that photo is broadcast to everyone around you.  There is no warning.  You have to figure the last part out later, as you learn how to use the app.  (The app is pretty confusing as well – it uses icons I’m still trying to figure out the meaning of.)

I went looking for the privacy policy.  After literally 5 minutes of pressing everything in the app, I still couldn’t find it.  I checked on the app, and on the website.  In the end, Google came up with the goods.

Let’s do some analysis

The privacy policy is actually not bad.  I like the tone – it’s not only written in plain English, but it’s written colloquially.  This trades precision for comprehension and concision, which I think is appropriate in this context.  The formatting could use some work, however – it’s still a glob of text that you have to go hunting through to find the information you’re interested in.

A good privacy policy effectively communicates answers to three key questions: What info are you collecting from me?  How are you going to use that info?  Who are you going to give that info to?  However, I believe the most important question to be answered is: How are you going to handle my data in a way I’m not going to expect or know about unless you tell me?

There are a few other ancillary things as well: What control do I have over the info you collect – can I get it deleted or updated?  Are you going to tell me if you change your privacy policy?  How do I contact you?

Probably the best way to look at a privacy policy is to pick out all the bits and pieces of information being collected about users and seeing what happens to that information.  I’m looking at the March 21, 2011 version which covers both their app and their spartan website.

Contact details (name and email)

  • How Color uses it: In the second section of the policy, Color only says that it “stores” your data, but doesn’t mention at this point how else it uses the information.
  • Who Color shares it with: The second section also says they won’t disclose this information to anyone, except to courts.  However, this is contradicted later on in the third section, which says that they do share users’ names with other users (which is obvious in the app).  It’s also contradicted by the general disclosures section (the sixth one), where it turns out that they will disclose your name and email to others besides a court.  More on the general disclosures section below.
  • Notes: These are collected right at the start, when you register with the app.

Mobile device unique ID

  • How Color uses it: Color doesn’t mention for what purposes it uses this piece of info.
  • Who Color shares it with: We are told that this info is going to be given to certain unnamed others for “advertising purposes”.  This is ambiguous.  Is Color using it for its own advertising purposes, or are they giving it to third parties who can use it for their own purposes?  Is Color selling this information?  All we know is that marketers won’t contact us directly as a result of this disclosure.
  • Notes: After the privacy firestorm and lawsuit that Apple found itself in after the WSJ broke a report about mobile device identifiers being disclosed without users’ knowledge, companies are going to want to tell their users if they are getting their mobile device’s unique identifier.  However, Color doesn’t really do a good job of explaining what it’s doing with this identifier.

User-generated Content (pics, videos, comments, actions)

  • How Color uses it: Obviously to make the app work.  Color are silent on exactly how they use it in ways that aren’t readily visible – you have to go to the Content license grant in the Terms of Service for that (Color gets a perpetual, irrevocable, world-wide license to “use and reproduce any of your Content … for any reason or no reason, without notice” and “copy, analyze and use any of your Images and comments … for purposes of debugging, testing and/or providing support services”).  That stuff should really also be in the privacy policy.
  • Who Color shares it with:  Pretty much to anyone.  It notes social networks in particular.  Can we say “viral”?
  • Notes: UGC is, of course, the meat of the app.  Color calls it “Content” so that’s how I’m going to refer to it here.  Traditionally, privacy policies have focused on personal information (variously referred to as “personally identifiable information” or “personal data” depending on which part of the world you’re from).  Personal information is basically any information which could reasonably be used to identify someone (including when used in combination with other information which has been collected).  The thing is, you don’t need a lot of information about someone to be able to identify them.  Netflix recently copped a lot of flak for wanting to release what they thought would be an anonymized data set about their customers (containing their genders, ages, zip codes and movie watching habits).   “Researchers have known for more than a decade that gender plus [5-digit] ZIP code plus birthdate uniquely identifies a significant percentage of Americans (87% according to Latanya Sweeney’s famous study).”  Latanya Sweeney is known for her work on anonymization of data sets and her paper on k-Anonymity.
  • Related to this realization that anonymized data is not as anonymous as you’d think is a recent trend in privacy policies to take a more holistic view of what needs to be covered in them.  TRUSTe recently updated its privacy seal requirements to recognize this after the FTC released its report on consumer privacy: “Companies need to be transparent about all consumer data collected, not just those it considers personally identifiable or ‘PII.’”  Users don’t only care about personal information, but they care about all the other information that they give to a company.  Information that is not “private” in the privacy sense, but in the confidential sense.  For example, my photos of my attic (if I had one) are generally not personally identifiable, but I still could regard that information as private, especially if I have some weird stuff in there.  So, privacy policies should not confine themselves in scope to personal information (as legislative requirements generally do), but should cover all types of information gathered from users.  With Color, while not all Content is personally identifiable, it’s still information which people could regard as “private,” so it’s important for Color to mention how it handles this.
  • I wonder if they preserve metadata on Content?  Probably, yeah?  I’m too lazy to check right now.
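
The re-identification risk behind Sweeney’s figure is easy to see on a small table, so here is an added example (mine, not code from the original post or from Color).  Both data sets are constructed for illustration: an “anonymized” release that carries only gender, ZIP and birthdate next to a sensitive attribute, and a public record (think of a voter roll) that carries the same three columns next to names.  The linkage attack joins the two on those quasi-identifiers; the generalisation step (ZIP truncated to 3 digits, birthdate reduced to a year) shows what it takes to push k above 1.

```python
"""k-anonymity and linkage re-identification over quasi-identifiers.

Added example, not from the original post. All records are constructed.
"""
from collections import Counter, defaultdict

# Constructed "anonymized" release: no names, just the quasi-identifiers
# Sweeney's study used, plus a sensitive attribute (a viewing record).
ANON = [
    {"gender": "F", "zip": "94110", "dob": "1985-03-12", "watched": "Alien"},
    {"gender": "F", "zip": "94110", "dob": "1985-03-12", "watched": "Heat"},
    {"gender": "M", "zip": "94110", "dob": "1985-03-12", "watched": "Brazil"},
    {"gender": "F", "zip": "94117", "dob": "1985-07-04", "watched": "Contact"},
    {"gender": "M", "zip": "94117", "dob": "1990-01-01", "watched": "Gattaca"},
    {"gender": "M", "zip": "94118", "dob": "1990-11-23", "watched": "Sneakers"},
    {"gender": "F", "zip": "94118", "dob": "1985-12-30", "watched": "Tron"},
    {"gender": "M", "zip": "94110", "dob": "1990-06-15", "watched": "Hackers"},
    {"gender": "M", "zip": "94115", "dob": "1985-09-09", "watched": "Primer"},
]

# Constructed public record carrying names next to the same columns.
PUBLIC = [
    {"name": "Alice", "gender": "F", "zip": "94110", "dob": "1985-03-12"},
    {"name": "Beth",  "gender": "F", "zip": "94110", "dob": "1985-03-12"},
    {"name": "Carl",  "gender": "M", "zip": "94110", "dob": "1985-03-12"},
    {"name": "Dana",  "gender": "F", "zip": "94117", "dob": "1985-07-04"},
    {"name": "Evan",  "gender": "M", "zip": "94118", "dob": "1990-11-23"},
]


def quasi_key(rec, zip_digits=5, dob_chars=10):
    """Quasi-identifier tuple. Generalise by keeping fewer ZIP digits
    (zip_digits=3) or only the birth year (dob_chars=4)."""
    return (rec["gender"], rec["zip"][:zip_digits], rec["dob"][:dob_chars])


def k_anonymity(records, **gen):
    """k = size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique in the release."""
    return min(Counter(quasi_key(r, **gen) for r in records).values())


def unique_records(records, **gen):
    """Number of records that are alone in their equivalence class."""
    counts = Counter(quasi_key(r, **gen) for r in records)
    return sum(1 for r in records if counts[quasi_key(r, **gen)] == 1)


def reidentify(anon, public, **gen):
    """Linkage attack: join the release to the named record on the
    quasi-identifiers. A match is only conclusive when exactly one released
    record meets exactly one named person; then the sensitive attribute
    can be pinned to that name."""
    released = defaultdict(list)
    for r in anon:
        released[quasi_key(r, **gen)].append(r)
    names = defaultdict(list)
    for p in public:
        names[quasi_key(p, **gen)].append(p["name"])
    linked = {}
    for key, recs in released.items():
        if len(recs) == 1 and len(names.get(key, [])) == 1:
            linked[names[key][0]] = recs[0]["watched"]
    return linked


if __name__ == "__main__":
    print("full precision: k =", k_anonymity(ANON),
          "unique =", unique_records(ANON),
          "linked =", reidentify(ANON, PUBLIC))
    gen = dict(zip_digits=3, dob_chars=4)
    print("ZIP3 + birth year: k =", k_anonymity(ANON, **gen),
          "unique =", unique_records(ANON, **gen),
          "linked =", reidentify(ANON, PUBLIC, **gen))
```

At full precision seven of the nine released records are unique and three of them can be tied to a name through the public record; after generalising ZIP and birthdate no class is smaller than two and the join yields nothing.  The same reasoning applies to Color’s Content: a timestamped, geolocated photo is a quasi-identifier whether or not a name is attached to it.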

Location information (some of which is attached to Content)

  • How Color uses it: To show you and others relevant Content.  The service uses your physical proximity to others to determine whose Content you can see.
  • Who Color shares it with:  Pretty much to anyone, just like user-generated content.
  • Notes: Geolocation information is pretty topical among the privacy crowd these days.

Audio recordings

  • I’ve read that the app takes recordings of ambient noise, which is another way it tries to determine if you’re interacting in the same environment as those who are near you (people may be 50 feet away, but they may be in the building across the street).  This feature has led some people to make references to Echelon.  Interestingly, the privacy policy doesn’t make any mention of this.

Server log file information and cookies

  • As Color says, this is the “usual stuff”.  I’m not going to dwell on this much.  Color does mention that they don’t have a logon system for the website yet, but one may be introduced in the future.  This is in line with the CEO’s aim of keeping the website as sparse as possible – the focus is on the mobile app.

Mobile phone number

  • How Color uses it: Mainly for the user’s benefit.  If you lose your phone (or whatever mobile device you’re using), you can get Color to reassociate your account with your new phone so you don’t lose all your stuff.  Conversely, this allows Color to permanently ban any device or account they want.  But they won’t use your number to call you.
  • Who Color shares it with:  No one, apparently – subject to the general disclosure section (see below).
  • Notes: Strangely, Color tells us they collect our mobile numbers in the fifth section of the policy, which is kind of duplicative with the second section, where I think it should be.

Your mobile phone’s address book

  • How Color uses it:  Basically to show you relevant Content, and also to facilitate the use of SMS.  “We think you might be interested in seeing your friends’ Content,” Color writes.  Even if you’re not physically close to your friends, Color will still hook you up with them.
  • Who Color shares it with:  Not mentioned, but I hope it’s no one (subject to general disclosures).
  • Notes: This immediately reminded me of Google Buzz’s privacy woes.  If my photo stream is not only shared with those physically proximate, but also anyone in my address book… anyone from my boss to my grandmother could see my Content (as Color points out in its TOS).  For anyone who wants to keep their professional and personal lives separate – especially those who make it a rule not to friend colleagues on Facebook… this is not the app for you.  But I don’t think people are going to realize this.  Color calls the people with whom your Content is shared your “elastic network.”  And it’s super elastic.  There are no privacy controls on anything – it’s just one black box algorithm at work figuring out who to push your Content out to.  That said, iPhones do alert you from the get go that Color is trying to access your address book (scant protection).

General disclosure exceptions

  • The sixth section contradicts the second section (as I mentioned above) and contains pretty standard exceptions regarding disclosure of data.
  • If they get acquired, the acquirer will get your data.
  • If they are subpoenaed or are otherwise required by law, they may disclose your data.
  • If you engage in illegal activities, they can report you to the authorities.
  • Interestingly, they also permit themselves to disclose your information if they get alerted to “extremely offensive behavior”.  I wonder why they need to be able to do this when they have the illegal activities exception?  The interpretation of what is “extremely offensive” is pretty discretionary.  And why would they need to disclose your information?  To name and shame you?

Other issues

  • As Color continues to develop its product, you can bet this privacy policy is going to undergo multiple iterations (the policy itself alludes to them rolling out “more interesting options”).  Color is pretty ambiguous about how it will communicate changes to the privacy policy – “we’ll update you before our practices change” is all they say.  How will they do this?  (I doubt they will popup messaging in the app summarising what has changed, although that’s what they should be doing.)  How major a change to their privacy practices needs to occur before it triggers the notification requirement?
  • There’s not much information in the policy about deleting your account and whether Color retains your Content.  This is all contained in the TOS under the “Your Content is Public” section.

Terms of Service

  • I skimmed through the TOS and it’s written in the same style as the policy, which is unusual.  I’ve seen Virgin do it once on a credit card application form (which was pretty cool actually).  I was amused to see marketing statements thrown into what is essentially a contract.
  • Some gems: “We think this feature makes us different and exciting.”  “this is our sandbox”  “Unique users can view your Content … Anyone: from grandparents to bosses” (as I mentioned the issue is not so much that these people can view your Content, the issue is that they are among the people who are most likely to be pushed your Content).
  • There’s also this weird statement: “Don’t use our Service for commercial purposes.”  If I open up a restaurant, why wouldn’t I try and advertise it through Color?  This is a great way to alert workers and residents in the immediate area about your new shop.  I could also snap a picture of my sandwich board outside which says, “50% special on soup, today only!” and get it pushed out to everyone in the area.

So how does it all stack up?

The privacy policy isn’t bad.  It’s relatively easy to read, but it could contain more information (and more information means structuring the policy better and highlighting the important bits).  A lot of privacy information is actually contained in the TOS.  Like most people, I never read Terms or Privacy Policies top-to-bottom unless I’m getting paid for it (Color’s privacy policy is the exception).  I’m not concerned about most things: even if a company sells my email address, I get so much spam each month anyway that it doesn’t really matter.  However, I am interested in very specific things: if I sign up to a subscription service and it’s not clear how I can cancel my account, I will check the Terms.  On Facebook, I want to know if an app is going to post something to my wall without telling me first, and I will look up a privacy policy for that.  If you put privacy practices in the Terms, people who are just looking for privacy information aren’t going to find it.  This isn’t much practical help to consumers.

However, the only major issue I really have with Color is that there is pretty much zero notice of its privacy policy.  It’s damn hard to find.  There should at least be a privacy warning as soon as you open up the program.  Instead, the very first two things you get are iPhone notices telling you that Color wants to access your location and your address book.  Uh… what are you going to do with those two things?  We don’t know.  Notice given after the fact is not really notice.

The privacy policy contains a nice section at the end entitled “Respecting Privacy.”  It says: “A picture says a thousand words.  Before you use our App, consider whether you (or those whose image you capture) want the world to see the picture or video you took.  And have fun.”  This notice really should be up front and center, along with “we potentially share your photos with everyone – including your boss who’s sitting 20 feet away from you.”  And they could throw in an example for good measure: “your mother, who is in your address book, will see all your party pics.”  This is a visceral privacy notice (to use privacy lawyer Ryan Calo’s terminology).  It could also be presented as a short-form privacy notice.  Just put something prominent there.

When interviewed by the press, Color has been upfront that their app should not be used if you’re not willing to let the world see your Content.  But that upfrontness is distinctly missing from the app.

One other issue is that of inappropriate Content.  At the moment, social norms keep the Content in check – I have yet to see any inappropriate photos from the 100+ people whose photostreams I have access to.  However, just wait until the teenagers get a hold of this.  Despite this, I’m actually not very concerned about inappropriate content being snapped.  There is a distinct potential for misuse (snapping photos in restrooms or around schools, for example), but no more so than any other online service dealing with user-generated content.  It’s not a new issue.  The speed at which things could go viral is stepped up a notch, but this isn’t in itself a reason to get your knickers in a knot.  In today’s world, all publicity is good publicity, right? … Right?


  10:07pm  •  Internet  •  Law