You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: _layouts/home.html
+1-3
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@
7
7
<h1class="page-heading">{{ page.title }}</h1>
8
8
{%- endif -%}
9
9
10
-
<pstyle="margin-top: 0px; padding-top: 0px; padding-bottom: 20px;">Transparency Matters is a blog about transparency, privacy, and incentives. It's written by <ahref="mailto:johnny@lockdownprivacy.com">Johnny Lin</a>, an ex-iCloud engineer who is a co-founder of<ahref="https://lockdownprivacy.com/" target=_blank>Lockdown Privacy</a> and the <ahref="https://openlyoperated.org" target=_blank>Openly Operated</a> standard.</p>
10
+
<pstyle="margin-top: 0px; padding-top: 0px; padding-bottom: 20px;">A blog about transparency, privacy, and incentives. Written by <ahref="mailto:johnny@lockdownprivacy.com">Johnny Lin</a>, an ex-iCloud engineer who co-founded the<ahref="https://lockdownprivacy.com/" target=_blank>Lockdown Privacy</a> app and the <ahref="https://openlyoperated.org" target=_blank>Openly Operated</a> standard.</p>
And sure, in the 90’s, when the internet was just starting to get big, this might have been what happened. But somewhere along the line, someone figured out how to profit from user data, and so now here’s what *actually* happens:
14
+
And sure, in the 90’s, this might have been what happened. But somewhere along the line, someone figured out how to profit from user data, and so now here’s what *actually* happens:
And that’s just sending one photo. In 2019, you give apps access to your camera, location, microphone, contacts, browsing habits, even your medical records. After you tap “Allow” once, an app can even upload your entire photo and video library to their servers in the background while you’re sleeping.
18
+
And that’s just sending photos. Today, you give apps access to your camera, location, microphone, contacts, browsing habits, even your medical records. After you tap “Allow” once, an app can even upload your entire photo and video library to their servers in the background while you’re sleeping.
19
19
20
20
The Internet is facilitating an [insane](https://theintercept.com/2017/04/24/stop-using-unroll-me-right-now-it-sold-your-data-to-uber/) [free-for-all](https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million) [for](https://www.forbes.com/sites/kashmirhill/2014/10/03/god-view-uber-allegedly-stalked-users-for-party-goers-viewing-pleasure/#75ddf2383141) [our](https://www.npr.org/sections/thetwo-way/2017/03/14/520123490/vibrator-maker-to-pay-millions-over-claims-it-secretly-tracked-use) [personal](https://www.reuters.com/article/us-facebook-privacy-firing/facebook-employee-fired-over-bragging-about-access-to-user-information-idUSKBN1I334E) [data](https://www.clickondetroit.com/news/concerns-over-misuse-of-childrens-online-data-grow-as-apps-illegally-collect-sell-information), with potential consequences getting [worse](https://www.nytimes.com/2018/03/04/technology/fake-videos-deepfakes.html). Apps even exploit this data with [behavioral science](https://www.ibtimes.com/how-uber-other-digital-platforms-could-trick-us-using-behavioral-science-unless-we-2791467) to squeeze every [dollar](https://clark.com/shopping-retail/mac-users-being-fed-pricier-hotel-searches/) or [minute](https://www.businessinsider.com/how-app-developers-keep-us-addicted-to-our-smartphones-2018-1) out of their users, when it’s [clearly](https://www.washingtonpost.com/news/monkey-cage/wp/2018/08/06/its-no-accident-that-facebook-is-so-addictive/?utm_term=.1058706f817b) against the [users’ best interests](https://www.vox.com/the-goods/2018/10/30/18044678/kids-apps-gaming-manipulative-ads-ftc). Today, companies have every incentive to exploit our data for profit, and no incentive to protect our privacy.
21
21
22
22
Since we’re only going to rely more on apps over time, the critical question is:
23
23
24
24
## **How do you know if you can trust an app?**
25
25
26
-
### Trust Through Privacy Policy
26
+
### Trust Through Privacy Policy?
27
27
28
28
When you ask a company about protecting your data, they respond by telling you to read their Privacy Policy, which is a document they wrote (or [copy-pasted](https://duckduckgo.com/?q=privacy+policy+generator)) that promises they’ll protect your data.
29
29
30
30
But wait, isn’t that circular logic? I should trust that they’re protecting my data because… they have a document that says they’ll protect my data? How do I know they’re doing any of the things they claim in the Privacy Policy?
31
31
32
-
It turns out it’s impossible to know if an app company is violating their Privacy Policy (or violating privacy regulations in general), because there’s literally nothing stopping them: they’re Privacy *Policies*, not Privacy *Proofs.* Not only that, they’re actually not [legally binding](https://ir.lawnet.fordham.edu/iplj/vol27/iss1/5/), and in the rare cases when companies actually *do *get caught, [the](https://www.abine.com/blog/2012/facebook-privacy-violated-by-new-ads/) [penalties](https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million) [are](https://uk.reuters.com/article/us-facebook-france/facebook-fined-150000-euros-by-french-data-watchdog-idUKKCN18C10C) [unbelievably light](http://www.consumerwatchdog.org/blog/google-ruling-shows-need-do-not-track-and-strong-antitrust-action). And as recent government (in)action on [data breaches](https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ), [ISP privacy rules](https://www.npr.org/2017/03/28/521831393/congress-overturns-internet-privacy-regulation), and [net neutrality](https://www.cnet.com/news/net-neutrality-is-now-really-officially-dead-open-internet-congress-now-what/) show, often there are no penalties at all.
32
+
It turns out it’s impossible to know if an app company is violating their Privacy Policy (or violating privacy laws), because there’s literally nothing stopping them: they’re Privacy *Policies*, not Privacy *Proofs.* Not only that, they’re actually not [legally binding](https://ir.lawnet.fordham.edu/iplj/vol27/iss1/5/), and in the rare cases when companies actually *do *get caught, [the](https://www.abine.com/blog/2012/facebook-privacy-violated-by-new-ads/) [penalties](https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million) [are](https://uk.reuters.com/article/us-facebook-france/facebook-fined-150000-euros-by-french-data-watchdog-idUKKCN18C10C) [unbelievably light](http://www.consumerwatchdog.org/blog/google-ruling-shows-need-do-not-track-and-strong-antitrust-action). And as recent government (in)action on [data breaches](https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ), [ISP privacy rules](https://www.npr.org/2017/03/28/521831393/congress-overturns-internet-privacy-regulation), and [net neutrality](https://www.cnet.com/news/net-neutrality-is-now-really-officially-dead-open-internet-congress-now-what/) show, often there are no penalties at all.
33
33
34
34
Privacy Polices and regulations do not create real trust, and they only serve to provide a false sense of security or privacy.
35
35
36
-
### Trust Through Pricing
36
+
### Trust Through Pricing?
37
37
38
38
It’s a common saying on the internet: “If the product is free, then you’re the product.” And while that’s sometimes true since revenue must come from somewhere, some people make the [logical fallacy](https://en.wikipedia.org/wiki/Denying_the_antecedent) of thinking the inverse must also be true: “If the product is not free, then you’re not the product.”
39
39
40
40
Due to this mistake, some people use price as a criterion when choosing apps to use, by looking for apps that aren’t free and making the false assumption that non-free products will not exploit their data for profit.
41
41
42
42
Of course, it’s very possible and just as likely for a company to both charge you for an app while also profiting off of your data or having poor security. Therefore, pricing is a bad criterion for finding an app that you can trust.
43
43
44
-
### Trust Through Aesthetics
44
+
### Trust Through Aesthetics/Design?
45
45
46
46
Woah, those app screenshots look so sleek! And their website is so colorful and tastefully designed, with beautiful animations that you simply can’t resist. Why would an adorable cartoon bear lie to you? Is that even possible?
47
47
48
48
Well sadly, yes — cartoon characters lie all the time. Since they were created by a human and their dialogue is written by a human, an adorable cartoon bear is not less likely to exploit your personal data for profit. It might look cuter while doing it though.
49
49
50
50
The aesthetics of a website might tell you that that they spent $20 on a SquareSpace theme (or pirated it), but say nothing about how trustable an app or service is — it‘s even possible that the company skimped on data security in order to spend more on their website’s design and animations.
51
51
52
-
### Trust Through Popularity
52
+
### Trust Through Popularity?
53
53
54
54
If all your friends jumped off a digital bridge, would you? At one point, Yahoo had over three billion accounts, and in 2013, they broke the world record 🎉for biggest data breach ever, by a [very long shot](https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html). Since then, there have been many more breaches of tens or hundreds of millions accounts of other companies. And these are only counting disclosed and known breaches — nobody knows what the real numbers are.
55
55
56
56
Popularity isn’t a reliable proxy of how trustworthy an app is. In fact, there are even scam apps that make it into the [top charts](https://medium.com/@johnnylin/how-to-make-80-000-per-month-on-the-apple-app-store-bdb943862e88?source=friends_link&sk=6880a1d40db8c1019257c7a417840d27) of the App Store.
Apps should have to *earn the trust of its users*, especially when there are such strong financial incentives for companies to simply lie and abuse user data.
63
61
64
62
To earn user trust, apps should be fully transparent— the public should be able to see everything the app and its servers are doing, so that anyone can verify that there’s no negligent, dishonest, or even malicious activity. In other words: trust through transparency.
@@ -93,11 +91,11 @@ Unlike the earlier examples, the Openly Operated [certification process](https:/
93
91
94
92
This lets everyone participate in “trust through transparency”: users who are more technical can perform verifications themselves by diving into the nitty gritty details in the Audit Kit, while less tech-savvy users can read the independent Audit Reports and summaries. Openly Operated’s transparency is the opposite of the status quo, where apps simply tell users to read their totally unproven and unverifiable Privacy Policy.
95
93
96
-
[Openly Operated](https://openlyoperated.org) is a free certification. [Our mission](https://openlyoperated.org/about-us) is for all apps to earn trust through transparency, so all [documentation](https://openlyoperated.org/how-to) is available at no cost, and companies pay nothing to license the certification. We’ve even [built examples](https://openlyoperated.org/reports) to show that Openly Operated apps are possible. These are more than proof-of-concepts — they’re in production, fully functional, and are operating at scale with real users.
94
+
[Openly Operated](https://openlyoperated.org) is a free certification. [Its mission](https://openlyoperated.org/about-us) is for all apps to earn trust through transparency, so all [documentation](https://openlyoperated.org/how-to) is available at no cost, and companies pay nothing to license the certification. We’ve even [built examples](https://openlyoperated.org/reports) to show that Openly Operated apps are possible. These are more than proof-of-concepts — they’re in production, fully functional, and are operating at scale with real users.
97
95
98
96
## Everything Should Be Openly Operated
99
97
100
-
Companies have been blatantly dishonest with how they handle and secure user data for too long. Since its creation until now, Facebook has had a privacy setting for user wall posts labeled “Only Me”. To any regular person, “Only Me” has a simple meaning: one person, themselves, and literally nobody else.
98
+
Companies have been blatantly dishonest with how they handle and secure user data for too long. Since its creation until now, Facebook has had a privacy setting for user posts labeled “Only Me”. To any regular person, “Only Me” has a simple meaning: me, and literally nobody else.
101
99
102
100
But over the last ten years, we’ve learned the hard way that Facebook has a very different definition of “Only Me”. To Facebook, “Only Me” means “Me and [All Of](https://www.cbsnews.com/news/facebook-your-personal-info-for-sale/) [Facebook’s](http://content.time.com/time/nation/article/0,8599,1532225,00.html) [Advertisers](http://fortune.com/2017/10/27/facebook-russian-election-ads/) and [Their](https://www.bloomberg.com/news/articles/2018-04-04/facebook-scans-what-you-send-to-other-people-on-messenger-app) [Partners](https://www.axios.com/facebook-whatsapp-targeted-ads-user-privacy-c1e18e9b-ed76-4954-ab74-a64a88647e8c.html) and Some Of [Facebook’s](http://fortune.com/2018/04/03/facebook-videos-delete-personal-data/) [25,000](https://motherboard.vice.com/en_us/article/bjp9zv/facebook-employees-look-at-user-data) [Employees](https://thehackernews.com/2015/02/facebook-acccount-password.html) and Some [Unknown Number](https://www.theverge.com/2019/5/6/18530887/facebook-instagram-ai-data-labeling-annotation-private-posts-outsourced) [Of Contractors](https://www.reuters.com/article/us-facebook-privacy-firing/facebook-employee-fired-over-bragging-about-access-to-user-information-idUSKBN1I334E) and [Facebook Apps That Friends](https://www.rappler.com/technology/news/200508-cambridge-analytica-other-facebook-quiz-apps-brittany-kaiser) or [I Have Used](https://www.cnbc.com/2018/04/08/cubeyou-cambridge-like-app-collected-data-on-millions-from-facebook.html) and [Those Apps’](http://www.latimes.com/business/la-fi-facebook-sells-data-to-chinese-20180605-story.html) [Employees](https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas) and [Anyone Those Apps](https://www.cnbc.com/2018/04/16/facebook-collects-data-even-when-youre-not-on-facebook.html) [Share Or Sell Data To](https://www.marketwatch.com/story/spooked-by-the-facebook-privacy-violations-this-is-how-much-your-personal-data-is-worth-on-the-dark-web-2018-03-20)… [Maybe](https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep)”.
103
101
@@ -107,6 +105,6 @@ Privacy and security scandals happen every week not because companies are evil,
107
105
108
106
Openly Operated provides a structured way for companies to *prove* their privacy and security claims. Users have nothing to lose and everything to gain by demanding transparency from the apps they give their personal data to. The question shouldn’t be “Why should the apps I use be transparent?” — it should be “Why *aren’t* the apps I use transparent? What are they hiding?”
109
107
110
-
Learn more at [OpenlyOperated.org](https://openlyoperated.org). No matter your level of technical expertise, there’s something for you, whether you’re a user curious about the [many benefits](https://openlyoperated.org/user-benefits) of transparency, an engineer [building apps people can trust](https://openlyoperated.org/how-to), or a company that wants to [win customers while increasing security](https://openlyoperated.org/for-companies).
108
+
Learn more at [OpenlyOperated.org](https://openlyoperated.org). Whether you’re a user curious about the [many benefits](https://openlyoperated.org/user-benefits) of transparency, an engineer [building apps people can trust](https://openlyoperated.org/how-to), or a company that wants to [win customers while increasing security](https://openlyoperated.org/for-companies), Openly Operated has something to offer you.
111
109
112
110
Wouldn't it be nice if "Only Me" really meant "Only Me"?
0 commit comments