Mean Tweets: Privacy Edition

Alex Su (00:00):

Hi everyone. Welcome to Mean Tweets. We have about half an hour, so I'm going to go through this pretty quickly. We're going to talk about some tweets that we've seen online that relate to privacy, and I, as someone with no privacy experience, will give a general reaction. Please don't laugh at me too much, I don't understand a lot of this stuff, but what Justin will do is then he'll respond with some of his analysis and his thoughts on these tweets. Let's see if we could jump ahead here to the first tweet. I'm going to stand up, I can't really see it here. This is a tweet about White Castle, "Looks like White Castle was collecting burger slinger’s fingerprints and it looks like it was a $17 billion mistake." It sounds like they were collecting everyone's fingerprints, all the workers. I mean, that sounds crazy to me. I can't believe they did this. What do you think about that, Justin?

Justin Olsson (01:12):

Yeah, this is definitely one of those things where little to no thought went into anything at all. And it's a good reminder because a lot of us spend a lot of time assuming that business to business issues, either employee privacy rights or otherwise don't actually matter in terms of the context because you're always focused on having the FTC or a DPA in the EU come after you for privacy related issues. But employee rights can also burn your burger. I think... See, there we go. An actual laugh. I love it. But I think the real takeaway here is be really, really thoughtful about whether or not you actually need to be collecting something. Obviously having your employees have to retinal scan every single time they walk into the office to go fry some fries and flip a burger, just probably not a great idea.

Alex Su (02:07):

Yeah, I could not imagine if I went to work and they were collecting my fingerprints.

Justin Olsson (02:13):

But I guess the nice thing though is they've got those really hot irons, so if you don't want them to know who you are, just stick your fingers right on the iron.

Alex Su (02:20):

There's no excuse. It sounds like we're aligned on this one, Justin. Let's take a look at the next one. All right, let's see. I could read it now. It says, "So Instagram is refusing to let me use its service without providing my date of birth. The FAQs state that they need to know it if you're under 18, 16 or 13 and under GDPR, you should only collect the information you need. For this they only need a date range and age range, not date of birth."

Justin Olsson (02:48):

Wait, someone on Instagram is bitching about someone collecting too much private information? Seems a little silly, but this is one of those examples, you can't make anyone happy. There's probably a reason they're collecting the actual date of birth. For instance, your date of birth is when you are changing how old you are from 13 to 14 or from 15 to 16. If they need to know those ranges, they need to know what day it happens 'cause otherwise, you've got an entire year ahead of you.

Alex Su (03:21):

Justin, I feel weird about having to give my birthday information on a social. I have like 10 social media accounts.

Justin Olsson (03:29):

That's what you're worried about giving away?

Alex Su (03:33):

I'm going to post what I'm going to post, but I don't want to give my birthday. It just feels wrong.

Justin Olsson (03:41):

I think pretty much everyone, when you walk in to go buy liquor, whatever you're doing, showing your birth date every day. I think these are maybe not our biggest issues to be worrying about.

Alex Su (03:52):

You mentioned it, I think I probably posted pictures of my house. I might've posted pictures of things at my home that... I don't know. I post a lot of things online so maybe date of birth is not-

Justin Olsson (04:04):

Remember to remove those geotags before you post your pictures.

Alex Su (04:07):

That's right 'cause you never know where it's reporting you posting from. Speaking of scanning, you were talking about scanning. So this one's about Target. It says, "It made me scan my driver's license to buy DayQuil." I don't know why you do that. Do you need to do that for NyQuil? What's the thinking behind this? Why would you need to scan someone’s driver's license to buy DayQuil?

Justin Olsson (04:35):

Yeah, no, this one's a tough one, right? Because there actually is a law that essentially requires the company to not scan the license, but it requires them to check your license so you don't go cook meth in your backyard. DayQuil obviously has pseudoephedrine in it. NyQuil does not 'cause otherwise it wouldn't put you to sleep.

Alex Su (04:55):

I knew that from that documentary, Breaking Bad.

Justin Olsson (04:57):

Yeah, it was definitely a true to life, no fiction, no humor or anything at all, just absolute documentary. But this really does bring up the issue that you need to be really careful when you do need to ask for something to make sure you're explaining to people what you're going to do with it, right? Because the only reason Target's actually collecting the driver's license and thank God, Target is one of those companies that really protects your data, would never have a big data leak. In all seriousness, if you do need to collect something because you're required by some regulation or some statute to do so, this is maybe the only time, there was an earlier talk today where one of the panelists was saying that being really transparent about what you do is a positive for your consumers.

(05:55):

I don't think so by the way, unless all you're saying is we do nothing but good things. There's a reason lawyers love to drown shit in legalese and it's not because we want people to be able to understand things, but this is one of those cases I think is an exception. It's like if you're really only taking the license because you need to prove to the folks who bring the dogs and the guns that you've actually not been cooking meth. Then why don't you just tell your consumers that, "The only thing we do this for is to validate it in our system that we have been shown the ID so that we can legally sell you the thing." But it's Target so most likely they were doing it to send you something on your birthday. How can they send a present to you when you're turning 21?

Alex Su (06:45):

Everyone wants to know my birthday. That's the theme I'm getting from this.

Justin Olsson (06:48):

Yeah, well, some of us enjoy being aged. Let's jump to the next one here.

Alex Su (06:58):

This is from someone named Thomas. "This is not what I would call being able to take control of my own personal data. I doubt this is conforming to CCPA. It surely does not conform to GDPA. Privacy fail."

Justin Olsson (07:12):

Wait, GDPA, huh? I'm glad that the person points out that they're an EU citizen, so we are happy that they don't know their own laws. But maybe they're both acts and they really want to be an actor or something like that. But in all seriousness, what happened here is almost certainly when pre-GDPR and pre-CCPA in the data protection directive, and then once GDPR originally came out. You were essentially just required to notify people of something and so all you had to do was say, "Hey, we are doing these things." So a whole bunch of people put these things up on their website that obviously do nothing good. Even the ones that allow you to actually make choices, pretty much I feel like do nothing other than make you take longer before you can read the TikTok or watch the TikTok or whatever.

Alex Su (08:07):

I never understood these. I mean, if you look at this, what does it say? It says, "You accept the use of cookies and other identifiers by clicking accept or-

Justin Olsson (08:13):

Or dismissing the notice.

Alex Su (08:14):

"... or dismiss this notice." There's only one button here.

Justin Olsson (08:20):

I don't know? Alt F4 if you're on a pc, just fuck it.

Alex Su (08:22):

What about that x? I don't know. I don't know. This looks like everything... I just click accept when I go to websites. Just click accept, accept, accept. I just need to get past it so I don't really see a choice here. That's my take on this.

Justin Olsson (08:35):

Totally. In all honesty, I'm surprised it doesn't say, "By also continuing to scroll on the page, you also accept." This really is about the sort of dark pattern method of collecting this information. The more confusing you can make it, the more you're going to get all the data that you want to be able to use and collect for whatever reason it might be. But honestly, of all of the privacy risks that we have facing us, like people knowing about your birthdate, the fact that some website is using cookies is probably not actually going to change your life all that much.

Alex Su (09:10):

Yeah. All right. Let's go to the next one, which is from YNot Web, "I love how the Do Not Sell My Personal Information page for T-Mobile hasn't actually worked any day in the month since they notified us we could set our preference. Not on desktop, not on mobile. It's almost as if they don't want consumers to use it." I don't know what this experience is like, but maybe you click it and it goes to one of those 404 not found things. It's like a hide the ball thing. This is terrible.

Justin Olsson (09:46):

Yeah, I'll give you that. But maybe the reason that it said, "Do not sell my personal information," is because they always just allow it to be breached anyway and just people can take it. They don't have to pay them for it. Yeah, again, it's all about dark patterns. Whether or not this, and I obviously have no idea on this particular pop-up, whether it was actually functioning or it was just so completely confusing that no one could actually make it work. One of the things, if we care about this at all, that you do actually have to care about is whether or not what you're doing is going to be a net positive or negative for your consumer experience.

(10:25):

Obviously, this was enough to get someone incensed enough to send out a tweet and when you're trying to get the information, if you can make people think they've gotten the rights that they want, even if you're not giving them what they want, hence dark patterns. You're probably going to be a whole lot better off than something that crashes and fails every single time you interact with it. Whether you're a company that's trying to do right by privacy or whether you're a company that's trying to make sure you don't get in trouble for doing wrong by privacy, pissing people off and getting them to complain is probably the least good strategy you can adopt.

Alex Su (11:04):

I'm sure they were trying to do something nice, but I think if you do this and then you have a page that doesn't show up, then that makes it 10 times worse.

Justin Olsson (11:14):

Nothing to say there. Couldn't agree more.

Alex Su (11:18):

Okay. It looks like this one's very similar. Somebody named Kai said to Source Chain, "I received an email from you and I don't know how you know me. So I've tried to exercise my GDPR rights of accessing my data from the address you mentioned in your privacy policy. The mail bounced."

Justin Olsson (11:36):

You mean the one that said, "Do not reply," @sourcechain.com?

Alex Su (11:41):

I'm going to tell you, I think I speak for everyone when I say sometimes I respond to those. Just, you never know if someone's on the other end, right?

Justin Olsson (11:49):

It's true. Maybe they're just trying to bait you into replying. But no, the funny thing is, we actually looked into this one because I just assumed it was user error, but it turns out this company has gone out of business and in fact, it looks like their last Facebook post was, I think on December 10th, 2019. So this person complained and the day they complained, the company ceased to exist. But in reality, I think the reason that you probably end up getting these things is you go and put your email address down with someone you're buying some product. They make you sign up, have an account, and then they're selling that information to a third party data broker. This is actually maybe one of those situations in which the companies really were trying to do the right thing and they had a bug or something like that.

(12:46):

But more often, there's no effort that goes into these. You ask a marketing team, "Hey, put this link in the thing," and then you forget to actually check whether the website actually has a receiver for the links being clicked. It's just, again, anything that gets you in a situation where someone is pissed off enough to make a public comment, unless you're one of the six companies that first presentation had up on the board. The only way generally speaking that either the FTC or DPA is going to come after most of your companies, is when it generates a bunch of complaints. I think the takeaway really for all these Mean Tweets as some real actual practical advice is make sure that the thing that you are looking like you're doing, at least has the veneer of the right thing. Because the moment you've got one, maybe one you'll get away with it, two, 10, a 100 people sending messages to the California AG or to a DPA in Ireland or something like that.

(13:50):

That's going to be the thing that's going to attract their attention and no one out here wants to have a situation where you get a dawn raid because they think that you've done something so malicious with someone's personal data. Yeah, take a little bit more effort, try to see if you can at least make your website work when someone clicks on something. If you tell someone to send an email to [email protected], when you set up the Google group, there's a button that says allow anyone on the web to post. It's not the default. Make sure you add that piece in before you make the address. I've fucked that one up myself.

Alex Su (14:25):

This makes me think of something else I do, which is sometimes I'll send emails to people and I'll say, "Let me know if you have any questions." You don't really want anyone to ask you a question, you don't want a response. Maybe that's what these companies are doing.

Justin Olsson (14:38):

Perhaps.

Alex Su (14:39):

I don't know. Let's take a look at this one. This one's from Alasdair. It says, "This is a terrible idea JetBlue." Wait, let's take a look at the other screenshot. It says, "Hi, Seth." It looks like it's saying hi to you personally. That seems pretty nice. If I sat down in an airplane and it said, "Hi, Alex," I would feel like... I don't know. It's pretty warm. It's a pretty warm feeling. It's like they're talking to me personally and then maybe I can look over to my neighbor and see what their name is and then I can start talking to them. This sounds like a great idea. I don't know what Alasdair is saying here, "This is a terrible idea JetBlue. An absolute horrible privacy fail. Please think again." I don't know, Justin, this one doesn't bother me so much.

Justin Olsson (15:20):

Well, that's probably because you're flirting with all of the random people who don't want to talk to you on the airplane.

Alex Su (15:25):

Wait, when they take out a book, that means they want to talk to you, right?

Justin Olsson (15:28):

Totally. Particularly when they show you which book they're reading, they stick it up in front of their head so you know what to talk about during the conversation. 'Cause how else are you going to know how to have a conversation? They could be reading Don Quixote or they could be reading Harry Potter.

Alex Su (15:42):

That's another thing for us to talk about. It's like a really friendly idea. I don't know. I like it.

Justin Olsson (15:46):

Yeah, so we were talking about personalization during one of the sessions earlier, and this is a good reminder that personalization is just creepy. It's just a different word for saying creepy so be really thoughtful when you are personalizing something. The example that came up earlier about them knowing that you're pregnant before you've told your family or you've told your spouse or whatever, people get freaked out when you go to a point where they're like, "Wait a minute, I didn't tell you that piece of information. Why would you want to show that to me?" You really need to balance the pros and cons on making Alex feel warm and fuzzy on an airplane and creeping out the neighbor next to him when all of a sudden Alex won't stop flirting with them.

Alex Su (16:37):

Not based on a true story. All right. This one... Oh, there's a lot to unpack here. There's an image of a list of emails on the right side with a thumbs up. The Mean Tweet says, "VIT Health, sending out a mass email saying they care about privacy while visibly copying you with loads of other people in the same email."

Justin Olsson (17:06):

Yeah.

Alex Su (17:06):

I don't know.

Justin Olsson (17:07):

Maybe it's sarcasm? Just thinly veiled.

Alex Su (17:10):

Oh, it's like one of those insight, one of those jokes that's like-

Justin Olsson (17:12):

Yes, obviously I don't give a shit about your privacy. I'm telling everyone that you're one of my subscribers all in the same email.

Alex Su (17:21):

Is there any justification for this one?

Justin Olsson (17:22):

No.

Alex Su (17:23):

No.

Justin Olsson (17:25):

Just BCC is your friend, I guess.

Alex Su (17:28):

Yeah. All right. No excuse here. Let's move on to the next one.

Justin Olsson (17:32):

I was going to say just one more actual piece of wisdom on this. If you're sending these notices out, you probably want to keep track of these notices. There are tools that allow you to not just send them from your Gmail inbox. Don't be tempted to just copy paste the list of your recipients into your email. If you do that and everyone unsurprisingly marks it as spam, you're also going to find that every single time you try to email someone about that deal you're trying to work on, it's going to go into their spam box too. Good way to avoid this from happening in an actual situation is don't ever send out these notices just through someone's Gmail inbox. Use a tool that actually handles this thing properly and you won't have the problem.

Alex Su (18:17):

Good takeaway. All right. This one says, "A note to every online retailer. When you asked me to create an account on your site, when I want to buy one item, I immediately move on to find the item elsewhere. You do not need my identity info in your CRM for a sale. Just a valid form of payment." Why do they need all this information? I'm just trying to buy something. I totally get this, by the way. I was trying to buy something the other day and it was like, "Do you want to create an account?" No, I don't want to create an account. Why do I need to create an account? I totally get this one.

Justin Olsson (18:51):

It's easy. Margin on selling the item is maybe a couple of percent. The margin on reselling their data is like 99%. In all seriousness, this is another one of those examples where people want more than anything to be able to keep a consumer. I think this is an unavoidable consequence of the internet honestly, that when people are creating a CRM, they might not even make any money at all in the first purchase. It may be a loss-leader for other purchases, and the only way they actually make money is to send people emails and bring them back so they buy more and more and more things.

(19:36):

I really don't think that this by itself is a problem, but I think that the thing you do obviously have to take care for as a consumer obviously, is be careful who, websites you're actually purchasing stuff from. Amazon and other things like that, are very unlikely to have anything go wrong as a result of creating an account. If you do create an account, make sure you use different passwords for that account and everything else because that is the number one most likely way that you'll personally end up getting compromised is going and buying a soccer jersey off of freeworldcup2023soccerjerseys.com or whatever. Then shocker, their user and password database gets breached.

Alex Su (20:26):

Every time I do one of these things, I always try to sign up as a guest or whatever the guest option is, trying to get around it. Do you think that gets around some of these issues?

Justin Olsson (20:36):

It's easier if you just say you're Mickey Mouse. Just make sure you get a credit card in the name of Mickey Mouse and you'll be good to go.

Alex Su (20:42):

I wonder if I log in as a guest versus creating an account, I'm probably putting in the same info. They probably have the same... I think that sometimes I feel like they're getting the same information if I'm a guest or not.

Justin Olsson (20:54):

Yeah, because you already clicked on the accept or you click the close box and they dropped a cookie when you were there. I At the end of the day, one actual random bit of advice on this is if you do have to do these things, the best thing to do if you use a Google account, you can put a plus sign at the end of your Google email address and add any random string of characters you want. If you buy it from freesoccerjerseys.com, just say my email address plus [email protected], and then when they resell it to a data broker, you know exactly who has completely screwed you over.

Alex Su (21:32):

Good. That's good advice. I got to take some notes or something, but I think... Yep, that's the last one. That's all the Mean Tweets that we have for today. I hope you learned something. I enjoyed reacting to them because they seem pretty terrible, but I'm not from this world, and so I'm so glad to have Justin here with me to explain all of the substance behind them. Any last words from you, Justin?

Justin Olsson (22:00):

No, I don't think so. But if anyone has any actual serious questions, we're obviously happy to take questions as well. I think that's it.

Alex Su (22:09):

All right. If not, thank you. Thanks everyone.