How compliant are Privacy policies?

Gap Analysis
By aditi
March 26, 2024
Dive into the complex world of code privacy violations including sensitive data sharing and excessive collection. Learn why knowing data storage isn't enough.

WhatsApp, Twitter, Facebook, Microsoft, Zoom, UBEEQO, Tim Hortons: all of them share a common problem. Their products had a privacy issue, either in the code or in their privacy policies, that led to hefty fines or regulator scrutiny. Be it source code or a privacy document, privacy always seems to get lost in transit.

As companies build out technical privacy programs to tackle these issues, the go-to solution is to rely on personal data discovery tools and work backwards to infer data uses and purposes. This creates a false sense of maturity: you know where your data is stored, but you don't know how your data is used, with whom it is shared, or how it was collected. All of that information lives in your product's code, which data discovery solutions never touch, and that gap leads to privacy violations and fines.

Generally we see three common sources of code privacy violations: sensitive data sharing, excessive data collection and illegal data use. Let's dive into each of these buckets.

A. Sensitive Data Sharing: This has been the most common privacy violation, where location data, health data or financial data ended up being shared with third parties such as Meta Pixel, Google Analytics, etc. It happens because usage data sent for analytics discloses sensitive data. For an e-commerce site, search history is not sensitive on its own, but it becomes sensitive once your machine learning algorithms can predict a user's personal choices, which is exactly what targeted ads rely on. Another reason for these leaks is that instead of sending specific variables to these third parties, an entire object is sent, which contains more information than intended. Following are some examples of how this could happen:

  • Sharing data related to user interactions on social media platforms: Information about specific posts liked or shared could reveal personal preferences, opinions, or affiliations, especially when an entire object is sent to the third party instead of specific variables.
  • Health-related apps sharing search queries with third parties: Usage data sent for analytics discloses sensitive data, since the search queries themselves are health-related.
  • Dating apps sharing precise location data with external services: Constant sharing of real-time location information could compromise the safety and privacy of users.
  • Credit card management apps sharing transaction details with third-party services: Sharing specifics about individual transactions, especially in sensitive categories, might pose a privacy risk.
  • Business analytics tools revealing detailed employee performance metrics: Sharing data on individual productivity or performance reviews may breach employee privacy.
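The "entire object" leak described above, shown beside a payload built from an explicit allowlist, as an added example that is not code from the original post. The field names and the sample session record are constructed for illustration; the check at the end is the kind of assertion a defender would run on every outbound third-party payload.

```javascript
// Added example (not from the original post): the "entire object" analytics
// leak described above, beside a payload built from an explicit allowlist.
// Field names and the sample session record are constructed for illustration.

// Fields an analytics vendor may legitimately receive for a "search" event.
const ANALYTICS_ALLOWLIST = ["userId", "page", "resultCount"];

// Fields that must never leave the first-party boundary.
const SENSITIVE_FIELDS = ["healthConditions", "preciseLocation", "cardNumber", "searchQuery"];

// Constructed sample: the app's in-memory session object, which mixes harmless
// telemetry with health, location and payment data.
const session = {
  userId: "u-1001",
  page: "/search",
  resultCount: 12,
  searchQuery: "insulin pump supplies",
  healthConditions: ["type 1 diabetes"],
  preciseLocation: { lat: 12.9716, lon: 77.5946 },
  cardNumber: "4111111111111111",
};

// The violation: spreading the whole object into the third-party payload.
function buildPayloadUnsafe(eventName, obj) {
  return { eventName, ...obj };
}

// The fix: copy only allowlisted keys; everything else is dropped by default.
function buildPayloadMinimised(eventName, obj) {
  const out = { eventName };
  for (const key of ANALYTICS_ALLOWLIST) {
    if (Object.prototype.hasOwnProperty.call(obj, key)) out[key] = obj[key];
  }
  return out;
}

// Defensive check for any outbound third-party payload (run it in unit tests or
// a request interceptor): returns the sensitive fields that slipped through.
function findOverShared(payload) {
  return SENSITIVE_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(payload, f));
}

console.log(findOverShared(buildPayloadUnsafe("search", session)));
console.log(findOverShared(buildPayloadMinimised("search", session)));
```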

Have any companies actually done any of these, you might ask. The answer is a whopping yes. Yes, and how! In January 2021, Meta released a new data-sharing policy for WhatsApp, mandating the transfer of your information between WhatsApp and Facebook. After users complained, the company then noted that it would limit WhatsApp's features for anyone who doesn't opt in.

WhatsApp Policies

WhatsApp, which was bought by Facebook in 2014, had until 2016 kept the data of WhatsApp users separate from that of Facebook users. But in 2016, WhatsApp and Facebook changed their privacy policy so that metadata (details like users' phone numbers) could be shared between the two apps. This allowed Facebook to do limited profiling of WhatsApp users, which in turn helps the company show targeted advertisements to those users on Facebook and Instagram. In February 2023, WhatsApp told the Supreme Court that only some data of WhatsApp users is shared with Facebook, and that if users wanted absolute privacy, they should ideally use WhatsApp without having an account on Facebook. How bizarre!

Consider a leading Indian bank. Buried in its privacy policy is a user consent clause that is vague and ambiguous, with no clear affirmative action required. The language used in the policy grants the bank the liberty to share your personal data with various entities, for purposes not limited to marketing. In simpler terms, it implies they can share your personal information with any company without explicitly seeking your approval. Not only does it rely on such unclear consent, it also seeks protection against the potential consequences of any wrongdoing. Surprisingly, this trend isn't exclusive to one bank. In fact, 8 out of 10 major banks in India employ similar tactics in their privacy policies.

Consent

B. Excessive Data Collection: A common violation is related to permissions in mobile applications. For example, using precise location instead of coarse location; and if you do need precise location, do you need to collect it continuously, or only on demand when someone is actively using your application?

Following are some of the examples of how this could happen:

  1. A messaging app requesting access to a user's entire contact list: The app might not require access to all contacts for its core functionality, posing unnecessary privacy risks.
  2. An app requesting continuous access to the device's microphone: Unless essential for specific features, persistent microphone access can be an invasion of user privacy.
  3. An app collecting precise location data even when the app is running in the background: Continuous tracking of location without clear user consent can lead to excessive surveillance.
  4. A non-camera-related app requesting unrestricted access to the device's camera: An app not primarily focused on photography or video should justify the need for constant camera access.
  5. An app requesting permission to read and analyze personal messages on the device: Unless directly related to the app's functionality, access to private messages may be considered excessive and invasive.

C. Illegal Data Use: When the data processing in code does not match the promises made in your privacy policy. This violation can happen in user-facing products like mobile apps or in backend systems like microservices, data pipelines, etc. An example is the FTC's fine of $150 million on Twitter this year for taking phone numbers collected for the purposes of account security or authorization and using them for targeted ads.

  1. E-commerce Purchase History for Third-Party Marketing: An e-commerce platform promises to use your purchase history for personalized recommendations but sells this data to third-party marketers.
  2. Banking App Utilizing Transaction Data for Credit Scoring: A mobile banking app uses transaction history for creditworthiness assessment without explicit consent, and cross-sells credit cards and other credit-related products.
  3. Finance Management App Sharing Investment Portfolio: A financial planning app sells user investment data to external investment advisory services without explicit consent.
  4. Tourism Website Disclosing Travel Preferences to Advertisers: A tourism website guarantees privacy for travel preferences but shares this information with ad networks for targeted promotions.
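One way to keep code honest about the purposes declared in the policy, as an added example that is not code from the original post: every read of personal data passes through a chokepoint that names its purpose, and an audit helper flags use sites that contradict the declaration. The policy table, field names and sample record are constructed for illustration.

```javascript
// Added example (not from the original post): enforcing purpose limitation in
// code, so a field collected for one declared purpose (the Twitter phone number
// case on this page) cannot be quietly reused for another. The policy table,
// field names and sample record are constructed for illustration.

// Purposes declared to the user at collection time, per field. In practice
// this table should be derived from the published privacy policy.
const DECLARED_PURPOSES = {
  phoneNumber: new Set(["account_security", "two_factor_auth"]),
  email: new Set(["account_security", "two_factor_auth", "service_notices"]),
  purchaseHistory: new Set(["personalised_recommendations"]),
};

class PurposeViolation extends Error {}

function isDeclared(field, purpose) {
  const allowed = DECLARED_PURPOSES[field];
  return allowed !== undefined && allowed.has(purpose);
}

// Single chokepoint for reading personal data: every caller states why it
// needs the field. Undeclared purposes fail closed instead of leaking.
function readForPurpose(record, field, purpose) {
  if (!isDeclared(field, purpose)) {
    throw new PurposeViolation(`${field} is not declared for purpose "${purpose}"`);
  }
  return record[field];
}

// Audit helper for CI or log review: given (field, purpose) pairs observed at
// use sites, return those that contradict the declared policy.
function auditUses(uses) {
  return uses.filter(({ field, purpose }) => !isDeclared(field, purpose));
}

// Constructed sample record and use sites.
const user = { phoneNumber: "+10000000000", email: "a@example.com", purchaseHistory: ["sku-1"] };

console.log(readForPurpose(user, "phoneNumber", "two_factor_auth")); // sending the OTP is fine

const violations = auditUses([
  { field: "phoneNumber", purpose: "two_factor_auth" },
  { field: "phoneNumber", purpose: "targeted_ads" },          // the Twitter pattern
  { field: "purchaseHistory", purpose: "third_party_marketing" },
]);
console.log(violations.map((v) => `${v.field}:${v.purpose}`).join(", "));
```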

Despite such promises, instances of data misuse by companies are unfortunately common. Consider the case of Twitter. In 2013, it began asking users to provide either a phone number or email address to improve account security. For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as to enable two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address, which users enter when logging into Twitter along with a username and password.

2FA

From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts. Twitter, however, failed to mention that it also would be used for targeted advertising. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers. Consumers who share their private information have a right to know if that information is being used to help advertisers target customers.

Just how persuasive was Twitter’s security pitch? More than 140 million users gave Twitter their email addresses or phone numbers for security purposes. Would that same number of people have given Twitter that information if they knew how else Twitter was going to use it?

A similar trend is seen in Indian companies as well. For instance, a leading insurance aggregator's policy lists several purposes for utilising personal data, yet conveniently omits details about unsolicited phone calls and targeted advertising on websites and social media. The lack of transparency in these policies raises significant concerns about the undisclosed and potentially intrusive use of personal information.

Use of data
