There I said it. I’ve been meaning to say it for a long time but could not bring myself to because I hate being wrong. Hate it. But the time has come to just get over it. Paul was right. I was wrong. And I bet you didn’t know Paul had an opinion about privacy. Well, he did in 1998. He probably does now too, I imagine. Let’s all get in the way-back machine for a moment.
June 1998
Yahoo! bought ViaWeb from founders Paul Graham and Trevor Blackwell in June 1998. ViaWeb was an easy to use platform for online commerce that became the basis for Yahoo! Store. Here’s what ViaWeb looked like in 1998. Coincidentally, June 1998 happened to be the month the Federal Trade Commission issued their report about kids’ online privacy to Congress. It was also the same month I joined Yahoo!.
I wish I could say that I was a remarkable technology savant and could see that digital privacy was going to be an important issue to focus on. I didn’t. I came to Yahoo! from a research economics background. At the start of 1998, I was doing charts and graphs for George Shultz about global demographic change. I was the one ready for a change.
Early in 1998, my friend Dave Nakayama emailed me and asked if I was interested applying my mad skills for numbers and charts to data mining at Yahoo!. Four11 was acquired by Yahoo! in October 1997, so the Rocketmail product Dave worked on morphed into Yahoo! Mail. With all the online registrations that Yahoo! was generating from Mail and My Yahoo!, there was a lot of data coming in. Some folks in operations thought maybe someone should look at it and maybe, you know, do something with it. Dave wondered if I would I be interested in being on that team? Um, YES. Yes, I would. Thank you!
Thing #1, Thing #2
I landed at Yahoo! in June 1998, as data miner #2. Data miner #1 was the guy I called the “Crazy Russian” - Elliot Yasnovsky. The two of us were the entire data mining team. Just us. I was employee 480. We arrived just a short time ahead of Paul and Trevor. I think by maybe one or two weeks.
Elliot and I began by interviewing product managers about what kind of data analytics they were looking for to improve their products. Funny enough, the resounding response we got was that they weren’t interested in talking to us. In 1998 we were all drinking from the audience firehose. No one needed to understand traffic to refine a product. The notion was “if you build it, they will come.” And they did. And things were good.
Elliot continued on his quest to build data-driven products. But increasingly, I was drawn into the regulatory debate surrounding privacy inside and outside of Yahoo!. The FTC report issued in June of 1998 quickly resulted in the Children’s Online Privacy Protection Act which was passed into law in November 1998, when it was attached to a budget bill. It was, and remains, a singularly awful piece of legislation. I can go on and on about it but that’s fodder for another post. Somebody had to get on top of privacy as an issue for Yahoo!. That turned out to be me.
40% girl
In October 1998, Yahoo!’s general counsel John Place called me into his office. I was very junior at the company and was frankly terrified to be called into to talk to the general counsel. I figured I had fucked up big time - on what, I was still unsure. But it had to be bad. Very, very bad. Turns out, I hadn’t done anything wrong - yet - but he was about to tell me that the stakes were about to be a lot higher if I did fuck up.
John, at the time (and maybe still?), seemed to me to be what you would get if you put Wilford Brimley in a blender with Jerry Garcia. You could imagine his morning Quaker oats being laced with some THC-based substance. I say this all lovingly because he really was a great guy to work with and I came to really dote on him. John was a bit brusque because he carried the position of official company grown-up/gray-hair. I think he was perhaps the only person on staff over age 40 at the time. He wore a big, silver mustache and was a burley fellow. He had presence, particularly as he barreled down my cube row down to Jerry’s cube by the windows next to TK and Mallett. I remember him doing this. Frequently and with great vigor.
Late that summer, John had seen GeoCities go public and watched the stock soar. Then he, like the rest of us, watched the stock plummet just after the IPO. Why? Because the FTC had investigated a complaint against GeoCities that resulted in a privacy settlement. The first big Internet privacy settlement. That settlement was announced a scant 2 days after the IPO. Rut-roh.
So John wanted to talk to me about privacy in his office because that was an issue that I was covering as part of my role working on data tools. The only offices in the entire company were reserved for a handful of people and they were all lawyers. I sat down and John leaned across his desk. He looked somber.
John started by telling me that it was good I was working on privacy. He said to me, “That’s an important issue for the company. Real important. You know that right?” I nodded. Then he said, “It’s important that we have someone dedicated to this issue. Would you be interested in doing that full time? As your sole focus?” I nodded again. Then he said, “You sure? You really sure? Because it’s a hard job. Real hard. You know that right? GeoCities stock was doin’ great and then this FTC shit hit the fan. Thank god that wasn’t us. You know that coulda been anybody right?” I nodded more fervently this time. Then he said some words that stuck with me –
“GeoCities stock went down 40% in one day because some asshole over there fucked up on privacy. If our stock drops 40% in one day because of something you did or didn’t do, you won’t be real popular around here. You got that, right?”
My eyes widened but I nodded. Perhaps a bit more emphatically this time. Certainly, a bit more nervously than before. Then his voice softened and he said, “You won’t do that, though. You’ll be great. Congrats on your new job.”
And that’s how I got to be in charge of privacy at Yahoo!. I vowed never to be the 40% girl. And thus far in my career, I’ve managed to avoid such a fate.
Disclose! Disclose it all!
In 1998, the FTC and privacy advocates were lamenting the fact that few websites had privacy policies or any disclosures at all about what information was being collected and used on websites. This point was evident in their report to Congress published in June. Endless studies were published on the astonishingly low percentage of popular websites that had privacy policies. Or if they had them, the studies focused on their brevity. The Internet was new and most people were distrustful. Many played on these fears of the unknown. Industry self-regulatory and seal programs sprung up overnight to give consumers comfort that horrible things were not happening to their data and to assuage regulators that we could keep our noses clean all by ourselves.
I made the focus of my job to ensure ample and accurate disclosures. The thinking was, if you disclose it - you can do it. Yay us! But if you don’t disclose, you are going to get in a heap of trouble if you do the thing that you didn’t say you were going to do. Okay, well, that probably works if you have an idea of what you are doing or how you are going to monetize a product. Most web companies then, and many today, have no clue about either of those things. So folks give themselves wide berth. Further, every time folks thought of something new that they probably, maybe wanted to do, that would just get tacked to the bottom of the privacy policy. So policies were getting LONG. And technical. Because now that the FTC and plaintiffs’ attorneys were getting into the fray, everyone got their legalese on. A document meant to be a consumer-friendly document to tell a consumer what was going on, became a tome written by lawyers, readable only by lawyers.
And just as we were getting our arms around what we were doing, some regulators called to ask a few questions about practices that we weren’t disclosing because of things we weren’t doing. Now, ponder that for a moment. Just think about it.
How many things are you currently not doing that you have to disclose you aren’t doing and aren’t going to do? I can think of a few. Like, I’m not going to kill furry little puppies. I am not going to light my hair on fire. I am not going to jump off the Golden Gate Bridge. How do you disprove a negative?
The impetus in all this was a paper that accused Yahoo! of sharing data with a service provider because the branding was ours but the underlying URL where data was collected was not. We explained, when asked, that we were not disclosing any sharing of data because none was occurring. The URL just represented the domain of a partner who was an agent of ours. Our contract preserved our rights to own and use the data subject to our policies, thus our privacy policy applied. But the staff at the regulatory-body-that-shall-not-be-named wanted us to disclose that the company – that no consumer could readily see – wasn’t getting any data. I’m still scratching my head over that one. Why would I freak out my customer by telling them that the company they really didn’t care about in the first place, that has no rights to their data and that they can’t see, isn’t doing anything with their data?
Regulators had us all in hyper-disclosure mode. It was a dark time. This is where Paul Graham called me out. And where he was right.
Post a privacy policy. No one will read it. But go right ahead.
Since Yahoo! owned ViaWeb, we were hosting thousands of little merchants. And some really big merchants. I thought it would help position us as a friend of privacy if Yahoo! could encourage our hosted merchants to post privacy policies since the crux of the debate was still about disclosure.
When I asked Paul what we could do, he told me that he thought privacy policies were basically stupid. No one reads them, no one ever will. I pressed him. Maybe a link? Could I get a link or maybe something to show that we were encouraging others to do the right thing? Fine, he said. About an hour later I got an email that he had done what I asked for. Feeling victorious, I went to the page and this is what I found there –
Basically, Paul said “Fuck you, very much.” At least that’s how I saw it at the time. Although in retrospect, this was probably one of the more cordial exchanges I had with him then. It irked me so much that I printed out the page and I kept it pinned to the wall of my cube until I left Yahoo!. Above is a photograph of that page that I made the day I left Yahoo! in 2011. That piece of paper was in my cube for 12+ years.
Initially, I kept this to remind myself that no matter how tough a day I was having, I had had worse and dealt with people who obviously held me in low regard. I lived to tell the tale. #winning! But the longer I was in the job, the more I came to appreciate that Paul was right. Disclosures, at least the way we were doing them, were a piss-poor consumer tool. No one read them. No one cared. They just represented one more way a company could get themselves into trouble. God, I hate being wrong.
Paul wasn’t the only one to note this absurdity, he’s just the one I remember fighting with about it. And the one who was clever enough to give me what I asked for *technically*, but by doing so in that oh-so-snarky way that I appreciate to the present day. Because he was being a jerk. But I would have too if I were in his shoes.
Speaking of the present…
I fast-forward to today in a world filled with apps and devices of varying sizes and complexity, and all I can think of, is what on earth were we thinking? The very regulators who screamed at web companies for not having privacy policies and enough disclosure are now telling us all how crappy privacy policies are and that we say too much, too legalistically. Yes, they are, yes we do. You know why? Because we’ve done what we were told to.
When regulators start designing websites, run. Run far away. And when they start designing apps - run for the hills. Shit’s about to get real. Real ugly.
Earlier this year, the Attorney General of California issued a 22-page list of privacy guidelines for app developers. Overall, the guidelines are thoughtful and well-intentioned. But they include such nuggets as this:
Another important step is to make an app’s general privacy policy easy to understand and readily available before a mobile app is downloaded. It is widely recognized, however, that in order to make meaningful choices, consumers need clearer, shorter notices of certain privacy practices.
Being concise, rather than verbose, is always a virtue. Always. But whenever anyone tells me something has to be shorter for the sake of being shorter, I always think of that scene in Amadeus where Emperor Joseph II tells Mozart that his piece is awesome, it simply has too many notes. He says, “Just cut a few and then it will be perfect.” To which the composer replies, “Certainly, emperor. Which ones would you have me remove?” Companies developed a culture of over-disclosure because we were told to by regulators. Now we are told to cut a few notes. Which ones? What do you put forth as the most important? That 22 pages were necessary to convey it says something in and of itself, no?
If you look at other efforts of regulators to dictate how websites are designed for privacy purposes, you get the cluster that we are seeing in the EU right now. This is a great site for understanding how the EU Privacy Directive has played out vis a vis cookies. It’s a mess.
So where do we go?
So, what’s the grand take-away? Um, yeah. I don’t have one. Yet. If I had a panacea, I’d be selling it. It’s going to take work to figure things out. We are in the age of wearable computing. How do you provide a privacy notice at a party if you are wearing Google Glass? You don’t. You can’t.
Privacy is complicated because it means different things to different people. Especially in a global marketplace. Was Mark Zuckerberg right about privacy? Yes, in large part. Technology is changing societal norms. You’re crazy if you dispute this. As a mom of 3, I see this every day. Stuff is different than it was.
Technology has created the problem but I also believe it can help solve it. Are disclosures the answer. No. Disclosures are a CYA solution. We all have to do it but it doesn’t move the needle with consumers or have meaningful impact. Which was what I believe Paul was telling me back in 1998.
Much of my career has been about checking the boxes. I’m not doing that now. Oh, I’ll make sure that companies I work with are doing what they need to do to satisfy all audiences, meaning consumer and regulatory, but I think we have a lot to learn from the design community about how to create beautiful, meaningful experiences that convey necessary and useful information when it’s necessary and useful. Particularly when it comes to creating awareness in a way that enhances a user experience.
Sign me up for creating awesome experiences that build trust. Not fear. Like the ones Create with Context is developing. Designing for trust is not about checking a box, or unchecking a box.
Thanks, Paul Graham. Shoulda listened sooner. I know, I know. Better late than never. Right?