What is it like to be a startup in a post-Edward Snowden world, I often wonder? The safety and security of users and their data feels more precarious than ever before. And when intelligence agencies can tap into Internet cables and private corporate servers, seemingly at will, how do you possibly defend against that? According to many in the field, you don’t. Not until you have to. Despite the revelations, little has changed within the startup community in the last year when it comes to crafting privacy policies, anticipating government and law enforcement requests, or adjusting to the reality of mass surveillance.
“It is in my experience very rare that an entrepreneur leads [with] or even has much of a concept as to what privacy is all about,” says Jonathan Latsky, the founder, CEO, and chief privacy officer for Envirolytic Insights Inc., and volunteer advisor with MaRS Discovery District’s venture services. “What they’re coming to MaRS for, typically, is connections to capital, customers, employees and peer networks. [...] But I think it’s very rare that there are upfront requests as to how privacy – the handling of user information – how that plays into it.”
At the very least, privacy and security are not as fundamental concerns in the early stages of a founding a company, especially as compared to acquiring funding, patents and developing minimal viable products. And so perhaps it shouldn’t come as a surprise that the immensity of Snowden’s revelations have failed to convince many founders and developers that smart approaches to privacy and surveillance matter, when they weren’t top of mind before.
A spokesperson for the Waterloo, Ont.-based accelerator Communitech said that privacy issues are not yet part of the program’s curriculum. And Marcus Daniels, managing director for Extreme Startups in Toronto, said that issues relating to privacy, surveillance and law enforcement requests aren’t typically an area of focus for companies of his accelerator’s size.
“I think one of the challenges [for] most accelerator or incubator-stage companies is just getting basic awareness that the company is even alive or even exists,” said Daniels in an interview. “When you get to a certain scale and you have a lot more data, then this becomes a bigger concern. You’re definitely more on the radar of government bodies and other authorities, specifically if there’s potential risk factors of violations.”
Years of prizing growth over privacy seems to have lead to a complacency that is too systemic for the weight of past months’ revelations to spur change. Many startups and young technology companies have been caught playing fast and loose with the privacy and security of their users’ data. In 2010, a Foursquare loophole allowed one well-intentioned hacker to capture a whopping 875,000 instances of user locations, or check-ins – including the check-ins of those who had chosen to keep their location history private.
The mobile-only social network Path was fined a paltry $800,000 by the U.S. Federal Trade Commission in early 2013 after it was discovered the company had "illegally collected personal information from children without their parents’ consent," according to the FTC, and also required to conduct privacy assessments every other year until 2033 for uploading entire copies of users phone books to Path’s servers, unencrypted and without permission.
And perhaps the most egregious example in recent years was a 2010 era browser extension called Firesheep that enabled other users on the same wireless network to snoop on your online activity – and only because services such as Facebook and Twitter didn’t enable a protocol called SLL, which ensures login credentials are transmitted securely, by default.
“If you’re a Facebook or a Google, this is when you get the police knocking on your door because there’s a big volume of information available. People are using your product,” suggests Éloïse Gratton, partner and national co-chair of law firm McMillan LLP’s privacy practice group. “For startups, when you talk about police knocking on their door to have the identity behind an IP address or a customer ID number or user name, it doesn’t affect them as much because they’re not necessarily at the stage where they’re commercializing their product.”
Even for established companies, the development of good policies doesn’t happen overnight. Ben Uretsky, CEO of Digital Ocean, an increasingly popular web hosting company, said in an email that his company’s “official policy took shape over time, to ensure it was as specific to our users as possible.” Uretsky’s company, which graduated from the U.S.-based TechStars accelerator program in 2012, “formalized this policy around Q2 of last year.” (Full disclosure: I host my personal website with Digital Ocean.)
But whether such accelerator programs as TechStars play a role in educating participants on issues relating to privacy, as well as government and law enforcement requests, is unclear. David Cohen, founder and managing partner of TechStars had initially agreed to speak with The Globe and Mail, but ultimately declined to comment.
Ann Cavoukian – Ontario’s former Information and Privacy Commissioner and now a distinguished visiting professor at Ryerson University – argues that proper privacy practices are a business issue deserving of early-stage attention, and not merely a regulatory headache to dealt with later. However, she admits that she doesn’t yet know how best to educate founders or integrate strategies such as Privacy By Design into startup curriculum.
“It’s not that startups don’t care about privacy – they don’t know how to do it, how you embed this stuff into the design,” she said in an interview. “People have to talk to them and show them that this isn’t that complicated and this is what you can do and things of that nature.”
The question, then, is how to impress upon young founders and entrepreneurs that these are issues that are important to consider earlier in the development process – an especially hard task if the founders themselves aren’t motivated, and the people in charge of incubators, and accelerators prefer a more laissez-faire style of curriculum with informal office hours and meetings that might not place these issues front and centre.
“Compared to the cost of a data breach,” Cavoukian warns, “the potential loss to your reputation, to your brand – the cost of embedding this at the start is minuscule to what you’ll invariably have to address after the fact.”
Back at MaRS, Latsky says that motivating entrepreneurs to do things that will avoid potential fines isn’t easy.
“Convincing them that invoking best privacy practices will be good for business is really, truly what I’m trying to do.”
Correction: An earlier version of this story misidentified the offense responsible for a fine that the Path social network paid to the U.S. FTC.