Online privacy is one of those polarising topics. For many people it’s the hot button that triggers all their feelings of mistrust against what companies do online. For others, it’s no big deal – they just don’t care. Me? I’m somewhere in the middle.

Exclusive: Online Privacy Breach Shocker!

One thing is guaranteed: privacy issues make for good headlines – whether it’s the seemingly never-ending speculation about what Facebook actually knows about you, Twitter ‘outings’ to circumvent legal injunctions, Google’s new privacy policy or Path uploading users’ address books.

Too much information?

One way or another, most major sites collect information about us when we visit. As developers working on these sites, we need to make judgments about what information to collect, why we’re collecting it and what we’re going to do with it when we’ve got it.

It’s all too easy to think of this data as just another set of 1’s and 0’s – abstract information that’s somehow divorced from the real world of actual people. It’s not the case of course (as any of the stories mentioned above clearly shows). And, considering the fallout from any breach of user privacy, it’s a pretty fundamental thing to get right.

Out of control

To be clear, for many people, it’s not so much that a site collects information about them that matters, it’s the loss of control that really counts. If they’re asked for their details and it’s explained why the site needs them, people tend to understand the trade-off they’re making.

So, if I go to a site where, in return for them knowing a bit more about me, I’ll get a tangibly better experience as a result, I’m utterly cool with that. However, if I go to a site that harvests every last bit of information it can about me just because it can (and because it might come in ‘useful’ later on) then that’s just not on.

Don’t stalk, it’s just creepy

Even in terms of personalisation, sites can go too far. There’s a difference between helpful time-saving and creepy stalking. So when a site like Google+ makes it clear that it knows where I’ve been and shares where others I know have been, it simply highlights how much they know about everybody’s day-to-day lives. Now, of course, the argument is that because we all want to be social these days, this simply enhances the social nature of the experience. Well, not for me.

We may see changes in how sites and developers need to look at privacy with the incoming EU cookie directive. This lays down far stricter rules about informing site visitors exactly what information you are collecting and why. So unless a cookie is crucial to the operation of the site (e.g. to enable a transaction), users will need to give explicit consent before it is set.
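To make the consent rule concrete, here is an added example (not code from the original post) of the decision logic a site could put in front of every Set-Cookie header: cookies flagged as essential are always allowed, everything else is only set once a consent cookie is present. The cookie names, the `cookie_consent` marker, the policy table and the sample request header are all constructed for the example.

```javascript
// Added example: consent-gated cookie setting. Every cookie the site uses is
// listed with its purpose and whether it is essential; non-essential cookies
// are only emitted when the visitor has already recorded consent.
// All names and values below are constructed for illustration.

const COOKIE_POLICY = {
  session:      { essential: true,  purpose: 'keeps you logged in during checkout' },
  csrf_token:   { essential: true,  purpose: 'protects forms against cross-site requests' },
  analytics_id: { essential: false, purpose: 'measures which pages are popular' },
  ad_profile:   { essential: false, purpose: 'personalises advertising' },
};

// Name of the cookie that records explicit consent (constructed); value 'yes' means agreed.
const CONSENT_COOKIE = 'cookie_consent';

// Decode a cookie value, tolerating malformed percent-encoding from clients.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Parse a raw Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

function hasConsent(requestCookies) {
  return requestCookies[CONSENT_COOKIE] === 'yes';
}

// Given the cookies the application wants to set, return only those it may set
// on this request. A cookie missing from COOKIE_POLICY is rejected outright, so
// nobody can add tracking without first documenting it in the policy table.
function filterCookiesToSet(wanted, requestCookieHeader) {
  const consent = hasConsent(parseCookieHeader(requestCookieHeader));
  const allowed = {};
  for (const [name, value] of Object.entries(wanted)) {
    const policy = COOKIE_POLICY[name];
    if (!policy) throw new Error(`cookie "${name}" is not in the cookie policy`);
    if (policy.essential || consent) allowed[name] = value;
  }
  return allowed;
}

// Render Set-Cookie header values for the allowed cookies. Essential cookies
// are marked HttpOnly; non-essential ones are left readable for client scripts.
function setCookieHeaders(allowed) {
  return Object.entries(allowed).map(([name, value]) => {
    const base = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
    return COOKIE_POLICY[name].essential ? `${base}; HttpOnly` : base;
  });
}

// Constructed sample: a first visit (no cookies yet) where the app wants all four.
const wanted = { session: 'abc123', csrf_token: 'tok456', analytics_id: 'u-789', ad_profile: 'seg-1' };
console.log(setCookieHeaders(filterCookiesToSet(wanted, '')));
```

The policy table doubles as the inventory you show visitors: each entry already states what the cookie is for, which is exactly what the directive asks sites to explain.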

Privacy questions for developers

Beyond the legal constraints, the question remains: what should we, as developers, do to ensure privacy is given its proper place in the sites we build? Here are my starters for 10 (let me know yours in the comments):

  • Collect as little data as you need – too often developers simply grab everything they can (just in case).
  • Only share what is required – if you are writing an API that shares user data, expose only the fields the consumer actually needs. If a service needs to know first name and last name, don’t hand it a user object that contains more than those two fields. This is the Principle of Least Authority applied to data: never give out more than is needed.
  • Make sure you comply with the EU Cookie Directive – it’s only a matter of time until we see governments enforce the new rules. And £500k is a lot of money to pay for getting it wrong.
  • Build your terms and conditions into the UX – don’t bury your information gathering policy on page 86 of a never-ending form (these days someone will go through it and happily tweet the result).
  • Be explicit about what you’re collecting and why – if you can’t do this without blushing, chances are you’ve stepped across the privacy line that users will accept.
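The “only share what is required” point above is easiest to enforce with an explicit per-consumer field allowlist rather than by stripping fields case by case. The following is an added example, not code from the original post: the stored user record, the consumer names (`greetingService`, `billingService`) and their allowlists are all constructed for illustration.

```javascript
// Added example: project a stored user record down to the fields one API
// consumer is permitted to see. Anything not on the consumer's allowlist is
// never serialised, so adding a new column to the record cannot leak it.
// The record, consumer names and allowlists are constructed sample data.

const storedUser = {
  id: 42,
  firstName: 'Ada',
  lastName: 'Lovelace',
  email: 'ada@example.invalid',
  dateOfBirth: '1815-12-10',
  homeAddress: '12 St James Square',
  passwordHash: '$argon2id$placeholder-not-a-real-hash',
  lastLoginIp: '203.0.113.7',
};

// One explicit allowlist per consumer. The default for any field is "not shared".
const FIELD_ALLOWLISTS = {
  greetingService: ['firstName', 'lastName'],            // only needs a name
  billingService:  ['id', 'firstName', 'lastName', 'email'],
};

// Fields that must never appear in any allowlist, whatever a future developer adds.
const NEVER_EXPOSE = new Set(['passwordHash', 'lastLoginIp', 'dateOfBirth', 'homeAddress']);

// Return a copy of the record containing only the consumer's allowlisted fields.
// An unknown consumer gets an error rather than the whole record (fail closed).
function projectUser(user, consumer) {
  const allowed = FIELD_ALLOWLISTS[consumer];
  if (!allowed) {
    throw new Error(`no field allowlist defined for consumer "${consumer}"`);
  }
  const out = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(user, field)) {
      out[field] = user[field];
    }
  }
  return out;
}

// A check worth running in the test suite: no allowlist may contain a
// field from NEVER_EXPOSE, so a careless edit to the table fails the build.
function allowlistsAreSafe(allowlists = FIELD_ALLOWLISTS) {
  return Object.values(allowlists).every(
    (fields) => fields.every((f) => !NEVER_EXPOSE.has(f))
  );
}

console.log(projectUser(storedUser, 'greetingService'));
// { firstName: 'Ada', lastName: 'Lovelace' }
```

The point of keeping both the allowlist and the deny set is that they fail in different directions: the allowlist decides what each consumer gets, and `allowlistsAreSafe` catches the day somebody adds `passwordHash` to one of them.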

Ultimately, this is all about developing sites in the interests of the user. Yes, sites often have to make money. But sites make money from people and those same people will happily go elsewhere if you give them an excuse.

As in every part of life, trust takes time to build but it can be squandered in a moment.

Further reading