Designing Tomorrow’s Privacy

Privacy expectations are changing. How will companies change with them?

Photo courtesy of Tobias Tullius
Change is coming to how tech companies handle privacy. Everyone is going to have to adjust, but new startups are caught in the middle: Be as useful as the companies built in the old world, while following the new rules.

Today’s dominant tech companies don’t care much about privacy. Many of their businesses couldn’t exist if people were careful with their data. Facebook only survives if people are willing to share widely and publicly. Google’s ad engines feed on reams of public data.

Privacy will matter far more to new companies. Google has taught companies the cost of sharing their data publicly. Consumers are slowly waking up to how pernicious Facebook’s data practices are. And the laws themselves are changing.

Regulation is already happening at the state level, and internationally. You might not want federal legislation, but state-by-state rules would strangle the growth of new startups.

I know some say government can only create problems, not fix them. I am not so cynical. The creation of the EPA is a great example of government taking industry in hand and making the world better. I am eager for Congress to take privacy as seriously.

The Business of Privacy

But I’m not a legislator. I’m a builder. I’m more interested in understanding how people’s behavior will change, and what that means for the products I’m creating.

For some, the future of privacy is already here. DuckDuckGo is thriving (despite its silly name) on promises of providing great search without all the tracking. The Brave browser is growing for similar reasons.

But how big is this change? Will the average person in the next decade expect to retain privacy, demand companies respect their data? (I originally wrote “computer user” here instead of “person.” With the smartphone, there is no difference.)

Or will privacy concerns continue to be like security concerns have been for the past decade: the domain of the few, the nerds?

This starts as a moral question. Privacy is a fundamental right. We deserve applications whose business model requires it, rather than neglects it.

But it’s also a business question. What kinds of companies thrive in the current privacy framework? Will they thrive in ten years? What about a world with little privacy? Which companies might do better if people cared more about it?

It’s worth elaborating on what I mean by privacy. Google and Facebook have very different definitions, for example. Facebook’s business is built on promising as little privacy as possible, and delivering even less. They share your data with pretty much everyone. Google just uses your data internally. They don’t share your browsing history; they just use it to market ads.

There are far more companies out there like Google than Facebook. Everyone shouting “data is the new oil” is advocating for Google’s business model: Collect a ton of data and profit off of it. It might start as your customers’ data, but if you collect enough of it, and tie it all together, it becomes your data.

By policy, these companies (usually) care more about privacy than Facebook does. They rarely sell or share your data. This is better. But privacy isn’t restricting data to only a few trillion-dollar companies. It’s sharing my data with people, not companies.

It’s instructive to look at one company offering less privacy today than in the past: Microsoft. In the old days, all of my documents sat on my computers. My email ran through servers run by corporate. Microsoft could never have gotten to any of them.

Now it’s all “on the cloud.” What does that mean? Microsoft has it. They might not be sharing it with others, but they’re certainly looking at it. Oh, maybe individuals aren’t. But their programs are.

This can be good. Usage data can help vendors improve their software.

But mostly, it’s bad. These promises of better software tend to be hollow. I don’t want better ads. I don’t want your algorithm picking what I see. And I certainly don’t want machine-learning recommendations based on a statistically average user.

People are beginning to see the downsides of handing all of their data to companies. They know that Facebook, Google, Microsoft, Apple, and Amazon have too much power. They are changing their privacy expectations. Not just the nerds, but average people.

But how much? How fast?

The Cloud Conundrum

Privacy in the modern era is a special quandary. The cloud is pretty great. No synchronization. No management. Easy sharing.

No one wants to give that up. Yet today, cloud usually brings severe privacy compromises.

Do I try to build without the cloud, enabling more privacy, and try to compete with what might be less functionality? Or do I build on the tools everyone else uses, where a lack of privacy means there’s little limit to what I can do?

Is there a world where you get all of the benefits of centralization, of the cloud, of being online, but don’t have to sacrifice your privacy? Can you be in the cloud, but keep your own data instead of letting a company put it all into one bucket?

I think so. For many cases, I don’t even think it will be that hard. It will just require thinking differently. It will require new answers, maybe slightly harder ones. But not whole new forms of math or science. Something attainable and reasonable today.
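One concrete way to get that “in the cloud, but your own data” property, shown here as an added illustration rather than code from the author or the author’s company: the client encrypts every object with a key that lives only on the user’s devices, and the hosted service stores and syncs ciphertext it cannot read. The CloudStore type, the object names and the sample document below are constructed for the example; the key is assumed to be generated and kept on the user’s side, and sharing with another person would mean sharing a key, which is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for a hosted sync service (constructed for this example).
// It keeps every blob it is given and, like any real provider, can look at all of them.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore {
	return &CloudStore{objects: map[string][]byte{}}
}

func (s *CloudStore) Put(name string, blob []byte) {
	s.objects[name] = append([]byte(nil), blob...)
}

func (s *CloudStore) Get(name string) ([]byte, bool) {
	blob, ok := s.objects[name]
	return blob, ok
}

// CanRead is what a curious provider (or its programs) would do: search the
// stored bytes for a plaintext string. With client-side encryption it finds nothing.
func (s *CloudStore) CanRead(name string, needle []byte) bool {
	blob, ok := s.objects[name]
	return ok && bytes.Contains(blob, needle)
}

// NewKey makes a 256-bit key. In a real product it would be derived from or
// protected by something the user holds (passphrase, device keystore); it is
// never sent to the CloudStore.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Client runs on the user's device and holds an AEAD built from the user's key.
type Client struct {
	aead cipher.AEAD
}

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Upload seals plaintext under a fresh random nonce and stores nonce||ciphertext.
// The object name is bound as associated data, so the provider cannot quietly
// serve one object's contents under another object's name.
func (c *Client) Upload(store *CloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.Put(name, c.aead.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Download fetches nonce||ciphertext and opens it; any modification by the
// provider, or a swapped name, makes Open return an error.
func (c *Client) Download(store *CloudStore, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key, _ := NewKey()
	client, _ := NewClient(key)
	store := NewCloudStore()

	doc := []byte("thermostat schedule: 68F weekdays at 07:00") // constructed sample
	if err := client.Upload(store, "schedule", doc); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", store.CanRead("schedule", []byte("thermostat")))

	back, err := client.Download(store, "schedule")
	fmt.Printf("round trip: %q err=%v\n", back, err)

	// Provider tries to pass the schedule off as a different object.
	blob, _ := store.Get("schedule")
	store.Put("contacts", blob)
	_, err = client.Download(store, "contacts")
	fmt.Println("swapped name rejected:", err != nil)
}
```

The provider still gets the convenience side of the cloud (storage, sync, availability) and still sees metadata such as object names, sizes and access times; hiding those is a separate, harder problem. What it no longer gets is the content, which is the part that becomes “its data” in the business models discussed above.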

For a founder or investor, there still might be big downsides. It might mean you can’t be the next Google. The next Facebook. Or even the next Salesforce.

It might be that a company is worth less if it does not exploit your data.

What if ethical, privacy-conscious companies stay small, and unethical privacy-destroying companies get to keep growing? There is precedent. Prior to the creation of the EPA, an industrial plant would be committing fiscal suicide to spend money reducing pollution.

I worry about this. I’d sure love to see better behaved companies get rewarded with growth. But that’s certainly not the world right now.

Of course, this is partially why we need new regulation. The rules need to change. There was a time when big business just dumped all of its waste in the local rivers. It was cheap. Why should they care if it killed people and ecosystems? Gotta protect shareholder value! But then the rules changed. Nixon (!) created the EPA, and now we take it for granted that industrial players are forced to protect the air and water at least a bit.

The rules will matter less if enough people change. If you stop buying from companies who abuse your data, they’ll stop doing it. If the next Facebook can’t be built off of your data, then someone will need to find a new way — and hopefully a better one! — to meet your needs.

But maybe those businesses won’t be quite as big. Or get there quite as fast.

Are you ok with that? Is that a reasonable trade off?

It is for me. Facebook didn’t make me a billionaire. I’m not at risk of some other data-centric company making me rich. I’m not investing in companies that collect and exploit your data.

But a lot of people are. A lot of our industry is built on the idea that access to this data is good. Many companies could work without it, but choose not to.

Take the smart home, for example. My smart thermostat is in my house with me, right next to my phone. On the same network. But how does my phone configure it? Not by talking directly! No. My phone contacts cloud services, which then contact my thermostat. Why? Partially because it’s easier. But mostly it’s about data.

There’s no chance Google would have bought Nest for $3.2B if that data weren’t available.

Maybe Nest would be a better company if it were more concerned with making better devices instead of extracting our data. But I don’t think Google would be as excited about that other company. Investors like the multiples that all that data gives them. And product people like what the data allows.

Like industrial effluent, this data is toxic. Dangerous. I’m afraid of what’s being done with what leaks out. I’m afraid of all of the bias. I’m afraid of businesses built on my lack of privacy, my lack of boundaries.

My Bet on Privacy

My new company assumes people will care more about privacy than they have. I expect I’m giving up some long-term potential by doing so. There are things we can’t do as a result. Things that our competitors might find easy to do.

But we’ll be able to make promises no one else can. And we’ll find new ways — hopefully better ones — to solve our customers’ most important problems.

Even writing this frightens me a bit.

I’d love to believe that promising privacy would make my company more valuable, make it easier to raise money. I know it will make it easier to hire people.

Some users will choose us specifically because of our privacy model. But how many? And will it be enough?

I know the bet I’m making.

But I also know it’s a risky one.