Tech companies, we see through your flimsy privacy promises

There’s a reason why Data Privacy Day pisses me off.

January 28 was the annual “Hallmark holiday” for cybersecurity, ostensibly a day devoted to promoting data privacy awareness and staying safe online. This year, as in recent years, it has become a launching pad for marketing fluff and promoting privacy practices that don’t hold up.

Privacy has become a major component of our wider views on security, and it’s in sharper focus than ever as we see multiple examples of companies that harvest too much of our data, share it with others, sell it to advertisers and third parties and use it to track our every move so they can squeeze out a few more dollars.

But as we become more aware of these issues, companies large and small clamor for attention about how their privacy practices are good for users. All too often, companies make hollow promises and empty claims that look fancy and meaningful.

Take smart home camera maker Arlo, which used Data Privacy Day to email us about how it puts privacy “front and center” with a new “privacy pledge.” The company has largely escaped criticism for its practices, unlike rival Ring, which has cozied up to law enforcement and offers lackluster security. In its pledge, the company claims, among many things, that it is able to protect your home “without human monitoring” and that videos are encrypted “to protect against malicious intent.”

But in the same email, it claims to require a search warrant or a court order to “turn over videos to law enforcement,” which would seem to contradict the company’s claim that it does not access users’ videos. Worse, the company told TechCrunch last year that it still doesn’t have a public transparency report, so we have no idea how many demands for user data the company receives.

If Arlo used a zero-knowledge approach to store users’ data — in which data is scrambled and only the users themselves have the decryption key — much of its pledge wouldn’t collapse under basic scrutiny.

Otter.ai is another classic example of a company that promises privacy: two years ago, it was an up-and-coming transcription app startup. The media went nuts for it and even TechCrunch wrote about it at the time. But its privacy policy left a lot to be desired. Eventually, Otter admitted that it has access to user audio and transcription data and, after the story was published, changed its privacy policy to make it clearer.

As with many startups, mistakes can be made, and they do happen. But what changed? Nothing. Since then, Otter has grown in size but its ability to access user data remains the same, despite a recent tweet attempting to wiggle out of an exchange with a customer by claiming a news article was based on “speculation” (and neglecting to say that Otter was interviewed for the original story).

Given the sensitive information transcriptions and recordings can contain, users would rightly want to know if anyone else can access their data. Rivals like Rev have found this out the hard way. Ring, too, recently fired staff for peeking into users’ video feeds.

End-to-end encryption — which ensures that only the sender and receiver of a message can access that conversation — and zero-knowledge approaches to data privacy are the gold standard when it comes to ensuring a third party can’t access that data. That means no one at the company can access it either, and neither can hackers. But there are trade-offs when companies design systems that lock them out of their own customers’ data. It makes the data more difficult to obtain and mine for keywords, and makes it harder to sell ads; it’s also more difficult to respond to law enforcement requests (which companies may decline if they do not have access to the data).

In other words, the users retain their privacy and only the companies lose out.

All too often, promises by tech companies don’t hold up. Just this week, Noonlight, which provides a “panic” button for Tinder users, vehemently denied sharing data with third parties. Lo and behold, Gizmodo found that wasn’t true, either.

Tech companies break promises all the time. The only way to hold them accountable is to use technologies and embrace ideas that make it technically and feasibly impossible to break them.