The nightmare of easy and simple

The instrumented waste bin I predicted at the San Francisco Personal Data meetup a couple of years back is now a thing.  While researching GeniCan I naturally had to go read their privacy policy.  It was there that I stumbled onto a service that lets you generate a privacy policy from a workflow: you fill in some data, select from several options, and it assembles a custom policy from an inventory of templates that it fills in.  It can make policies for your web site, Facebook app or mobile app. Easy. Simple. Free.

Sounds awesome, right?

You were waiting for the “but”?


GeniCan’s privacy policy is pretty straightforward:

They collect an email address.  That’s it.
They use it to communicate with you and provide the service.  That’s it.

The problem is that the service used to create the privacy policy also hosts it, so merely viewing GeniCan’s privacy policy binds you, by reference, to the privacy policy of that service, iubenda.

So what is the privacy policy of iubenda?  You can read it here.  It too seems straightforward at first glance: iubenda collects cookie and usage data. But if you drill down into the various sections of the document, they incorporate by reference the privacy policies of:

  • Mixpanel
  • Cloudflare
  • Google

So, no matter how benign GeniCan’s collection of your data, by virtue of their use of the iubenda service their privacy policy is the union of their own plus those of iubenda, Mixpanel, Cloudflare and Google.  I know that Google incorporates third-party services and references their privacy policies, and I expect that Cloudflare and Mixpanel probably do as well. That’s at least three and possibly more degrees of separation for what started out as one of the simplest privacy policies in the world!

What the hell were GeniCan thinking?

SKIP TO THE BOTTOM NOW if you get heartburn easily, and just ponder the notion of a “simple” privacy policy with at least three degrees of separation.  Seriously, the rest of this post contains quotes from actual privacy policies.  You know, those things nobody reads?  By reading further, you expressly agree to hold me harmless and indemnify me from any personal or third-party claims made against me due to loss of your personal sanity.

Of course, I’m a glutton for punishment so I kept drilling down.

Cloudflare
https://www.cloudflare.com/security-policy

From time to time, CloudFlare may notify you about an offer from one of our promotional partners (e.g., Apps Marketplace partners) via our website or email. While we may target particular types of users for these offers, we will do all of the targeting within our system. Our business partners will not have any access to the targeting information, including the names of the people who may be interested in a particular product or service. Until you affirmatively respond to a promotional offer, we will not reveal any identifying information about you to any of these partners.

If you install an App from one of our third party partners, CloudFlare may provide your email address to that partner for account creation and communication with that partner.

Note that in both cases, these partners may have their own Privacy Policies and may not be covered by CloudFlare’s policy.

…we will post changes on this website along with the effective date of those changes.

Mixpanel
https://mixpanel.com/privacy/

For information about the data we collect on behalf of customers who use our analytics platform, please visit our terms of use at https://mixpanel.com/terms/ (“Terms”).

OK, I’ll bite.  Here’s the text from http://mixpanel.com/terms

By using any of our Services, you agree to be bound by, and use our Services in compliance with, these Terms of Use. IF YOU DO NOT AGREE TO THESE TERMS OF USE, DO NOT USE OUR SERVICES.

As if you would know when a web site uses Mixpanel!  I see it all the time in NoScript but almost never in a privacy policy. It certainly isn’t in GeniCan’s privacy policy, unless you count having to drill down the tree to find it.

We may make changes to these Terms from time to time. When we do, we will revise the “last updated” date given above. It is your responsibility to review these Terms frequently and to remain informed of any changes to them. The then-current version of these Terms will supersede all earlier versions. You agree that your continued use of our Services after such changes have been published to our Services will constitute your acceptance of such revised Terms. These Terms contain the entire understanding of the parties on the subject matter hereof.

…Mixpanel does this in part using a first party cookie placed on your User’s device from your server. Some information is automatically collected from or about your Users when you use our Services. If you integrate an official Mixpanel iOS, Android, BlackBerry, ActionScript or JavaScript library in your product it may by default collect the following: the time of an event, how a User came to your site, what search engine and search keywords Users may have used to get to your site, information about the device your User is on such as their Operating System, and browser, as well as the city/country location of Users, tokens and IDs for push notifications.

To track opt-outs we use a persistent opt-out cookie placed on your Users’ devices. Our opt-out cookies will not stop you from sending other data about that user from your servers to Mixpanel, nor will it prevent any other data collection methods.

You agree to provide appropriate notices to your Users about, and if required by applicable laws obtain appropriate consent from Users for, your information collection and use practices relating to your use of our Services and your use of cookies for tracking purposes. Appropriate notices may include notice in the form of a privacy policy posted on your site, in your mobile application, and/or, if you use Mixpanel Notifications in the emails you send through our service. You also agree to include a notice about the Mixpanel opt-out for your site and the Mixpanel opt-out link in your privacy policy or in a notice on your Web site(s). You will also inform Users that if they get a new computer, install a new browser, erase or otherwise alter their browser’s cookie file (including upgrading certain browsers) they may also clear the Mixpanel opt-out cookie.

Google
This one is basically summed up as “we own your ass”, but there were surprises nonetheless.  Such as that Google lets business partners place their own cookies on Google’s services. That makes sense from their side: if third-party cookies are blocked, just set the equivalent as first-party cookies and pass the data back and forth between the back-end servers of the various collaborating companies.

Say…I wonder if this approach is also used to work around scripting’s “same origin policy”?  No, don’t go there. Do NOT go there.  Some things you do NOT want to know.

http://www.google.com/intl/en/policies/privacy/
We and our partners use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites. Our Google Analytics product helps businesses and site owners analyze the traffic to their websites and apps. When used in conjunction with our advertising services, such as those using the DoubleClick cookie, Google Analytics information is linked, using Google technology, with information about visits to multiple sites

We allow trusted businesses to use cookies or similar technologies for advertising and research purposes on our services.

Our Partners
For example, we contract with measurement companies, who use cookies and other anonymous identifiers to learn about the audience of our services, such as the demographics of users who view a YouTube video or an advertisement. Another example is merchants on our shopping pages, who use cookies to understand how many unique users see their product listings.
(From: http://www.google.com/intl/en/policies/privacy/example/our-partners.html)


Stop! Pleeeeeeease!
I just wanted an instrumented waste stream, for Grid’s sake!  For that I was willing to drop some money on the crowdfunding campaign and test the web site’s security and account recovery like I normally do.  And, as usual, I fully expect to find a device I would not put on my home network and a service I would not entrust with my data. Who knows, perhaps this is the time I’ll be surprised by a truly user-centric data model and privacy-by-design architecture.  Hey, don’t laugh.  It could happen.

But my research won’t get that far so long as I am haunted by the nightmare that is iubenda’s decidedly anti-privacy privacy policy generation system.  If your web site already does as much tracking as iubenda or more, then at least iubenda does not make matters worse.  But why take on all this baggage when your privacy policy is summed up as:

We collect an email address.  That’s it.
We use it to communicate with you and provide the service.  That’s it.

I repeat: GeniCan, what were you thinking?

Herd of elephants in the room
You may be wondering, as am I, “what about all the product data collected by the device?”  No idea. The policy doesn’t yet cover the primary source of data the device is built to collect: the line-item data from your waste stream. GeniCan tells me the current privacy policy is for the web site and not the app. One wonders whether the back-end servers that host the data are considered part of the web site, part of the app, or both.  We will have to wait until September to find out, assuming the project delivers on schedule per the Indiegogo campaign.

At that time I’ll be curious whether the UPC on a can of beans is considered PII.  It will be correlated to an email address, correspond to the line-item purchases at the grocer, and can thus be correlated to credit card, address, name and so forth.  Your fingerprint of purchases is as unique as, and probably more unique than, your actual fingerprint, and the definition of “personally identifiable” includes identity derived through correlation.  At this point, the line that defines what is and isn’t personally identifiable is simply the break-even point of cost versus value.  Given enough value or sufficient funding, it’s pretty much all personally identifiable.  So where do you draw the line?  More importantly, where does GeniCan draw the line?

The VRM Version
There is a possible version of this device that I’d actually use.  It would be the one with the VRM-y, personal cloud architecture.  How does that work?  Same architecture I described in San Francisco:

  • The device emits signed data over pub/sub so that secondary and tertiary recipients of data can trust it.
  • By default, the device talks to the vendor’s service so users don’t need any other service or device to make it work.
  • The device can be configured to talk to a service of the user’s choosing instead of, or in addition to, that of the manufacturer.
  • The device API is open.
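The first and third bullets, signed data over pub/sub that secondary and tertiary recipients can trust, and a user-chosen service subscribed alongside the vendor’s, can be shown concretely.  What follows is an added example written for this page; it is not GeniCan’s code, not iubenda’s, and not any published API.  The device name, topic name, JSON field names and the two UPCs are assumptions made up for the example.  The device signs each reading with Ed25519 from Go’s standard library, an untrusted in-process broker fans the bytes out to a vendor subscriber and a personal-cloud subscriber, and each recipient checks the signature and a sequence number before accepting anything:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Reading is one line-item event from the bin; the field names are assumptions for this example.
type Reading struct {
	DeviceID string `json:"device_id"`
	Seq      uint64 `json:"seq"` // monotonic counter so recipients can detect replays
	UPC      string `json:"upc"`
}

// SignedEvent is what the device publishes: the exact bytes signed, plus a detached Ed25519 signature.
type SignedEvent struct {
	Payload   []byte
	Signature []byte
}

// Device holds the signing key; only the public half ever leaves the device.
type Device struct {
	id   string
	seq  uint64
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewDevice(id string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return &Device{id: id, pub: pub, priv: priv}
}
// Sign serialises a reading and signs those exact bytes, so recipients verify what was published.
func (d *Device) Sign(upc string) SignedEvent {
	d.seq++
	payload, _ := json.Marshal(Reading{DeviceID: d.id, Seq: d.seq, UPC: upc}) // cannot fail for this struct
	return SignedEvent{Payload: payload, Signature: ed25519.Sign(d.priv, payload)}
}

// Broker is a minimal in-process pub/sub. It is untrusted by design: it forwards bytes and holds no keys.
type Broker map[string][]func(SignedEvent)
func (b Broker) Subscribe(topic string, fn func(SignedEvent)) { b[topic] = append(b[topic], fn) }
func (b Broker) Publish(topic string, ev SignedEvent) {
	for _, fn := range b[topic] {
		fn(ev)
	}
}

// Recipient is any downstream consumer (vendor, user's own service, a third party). It trusts the device key, not the broker.
type Recipient struct {
	Pub      ed25519.PublicKey
	lastSeq  uint64
	Accepted []Reading
	Rejected []string
}
// Handle verifies the signature before parsing anything, then rejects malformed or replayed payloads.
func (r *Recipient) Handle(ev SignedEvent) {
	if !ed25519.Verify(r.Pub, ev.Payload, ev.Signature) {
		r.Rejected = append(r.Rejected, "signature does not verify")
		return
	}
	var rd Reading
	if err := json.Unmarshal(ev.Payload, &rd); err != nil || rd.Seq <= r.lastSeq {
		r.Rejected = append(r.Rejected, "malformed or replayed")
		return
	}
	r.lastSeq = rd.Seq
	r.Accepted = append(r.Accepted, rd)
}

// RunScenario wires one device to two recipients on one topic (the vendor plus a user-chosen
// service), then publishes two genuine readings, a tampered copy and a replay through the broker.
func RunScenario() (vendor, personal *Recipient) {
	dev := NewDevice("bin-0001")
	vendor = &Recipient{Pub: dev.pub}
	personal = &Recipient{Pub: dev.pub}
	broker := Broker{}
	broker.Subscribe("waste/bin-0001", vendor.Handle)
	broker.Subscribe("waste/bin-0001", personal.Handle)
	ev1 := dev.Sign("041196910184") // constructed UPCs, not real product lookups
	ev2 := dev.Sign("016000275287")
	// A dishonest hop edits one UPC digit in a copy of ev2, then replays the genuine ev1.
	tampered := SignedEvent{Payload: append([]byte(nil), ev2.Payload...), Signature: ev2.Signature}
	tampered.Payload[len(tampered.Payload)-3] = '0'
	for _, ev := range []SignedEvent{ev1, ev2, tampered, ev1} {
		broker.Publish("waste/bin-0001", ev)
	}
	return vendor, personal
}

func main() {
	vendor, _ := RunScenario()
	fmt.Printf("vendor accepted %d readings, rejected: %v\n", len(vendor.Accepted), vendor.Rejected)
}
```

Both subscribers accept the two genuine readings and reject the tampered copy and the replay, and neither had to trust the broker or share a secret with the device; that is the property that lets a second or third recipient consume the feed on the user’s terms.  Signing the serialised bytes rather than re-encoding a struct on the receiving side avoids canonicalisation mismatches, and the sequence number is the device’s defence against replay; a real deployment would add a timestamp and have recipients persist the last sequence number across restarts.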

I hope GeniCan goes down that road.  Given the IoT track record so far though, I’m not holding my breath.  No matter how pure the intent of the founders, all the devices I’ve looked into so far easily qualify as surveillance data portals designed for deployment inside the boundary of the last private domain you have left on Earth – your home.

Assuming the current IoT architecture, by the time you deploy half a dozen wearables, instrument your switches and thermostats, receive the smart meters from your utilities, buy a smart TV that reports on your watching habits, switch your music to Pandora or Spotify, move your library to Kindle, and instrument your appliances and trash can, will you really be able to look a judge in the eye and claim with a straight face that you had any expectation of privacy in your own home?

If the devices use a VRM/Personal Cloud/Privacy By Design architecture, the answer is “yes.”  This is the IoT 2.0 architecture and when the time comes that you can choose between this and the current IoT 1.0 spyware, which will you choose?  What will happen to all your IoT 1.0 devices and subscriptions when an IoT 2.0 replacement is available?

Vendors would do well to consider their customers’ answers to these questions and plan accordingly.  Don’t mess about with the butterflies and daffodils that are IoT 1.0. Start with IoT 2.0 and lasers.  Eight o’clock.  Day one.

Comments

  1. iubenda says:

    Hi T.Rob, I commented via Twitter before and I’m going to follow up on this via email to make sure you get the full picture. Thanks for the thoughts, they’re valuable for both iubenda and more so for GeniCan given the product’s specifications.
