
Trust is Fragile - jaxonrice
http://37signals.com/svn/posts/3078-trust-is-fragile
======
flyosity
If the 100,000,000th uploaded file was actually named Startup-Revenue-
Forecast.ppt or 2011-Tax-Return.pdf I'm fairly certain that the name or
contents wouldn't have been mentioned. I think the fact that it was cat.jpg
spawned the idea of referencing it at all, and honestly if I were in their
place I would have made the same joke. I think most people would have. But
good on them for pulling a reverse Streisand Effect
(<http://en.wikipedia.org/wiki/Streisand_effect>) which frames the discussion
in a positive light ("how can we change and do better?") instead of a negative
one.

~~~
mike-cardwell
I wonder what they would have done had it been named "Basecamp Competitor
Business Plan.pdf". Would have been awfully tempting to take a peek. Exactly
why they shouldn't even be looking at filenames.

~~~
corin_
Ultimately a company storing files is almost certainly going to require its
staff to look through directories, log files, database tables. And it is
certainly going to require staff to have the ability, even if they never have
to use it.

By giving them your files you are trusting them not to screw you over.

~~~
sunir
Unless explicitly authorized by the customer, or for the purpose of providing
the service, your staff should not be allowed to look at customer data, and
what data they look at should be limited to what's necessary to perform their
function.

If you do want the right to spelunk through customer data, you need to declare
that in the privacy policy. If you declare otherwise, you're breaching the
contract with the customer.

The problem is that incidents and attitudes like this make the market lose
trust with the cloud services industry, which is poison to everyone.

~~~
jmtulloss
I'm not sure I understand what you're saying here.

The only contract with the customer is the privacy policy. The privacy policy
is just a promise from a site to abide by certain rules. In the case that
there is not a privacy policy, then whatever you tell that site can and will
be used against you. From tracking cookies to the most sensitive of files, if
you are providing information to a site then you have to assume that it will
be used in any way the company sees fit unless they promise otherwise.

Ethically there may be different obligations, but to say that there is some
implicit "contract with the customer" is simply not the case.

~~~
sunir
Since 1890 in the United States, the tort law has had concepts of invasion of
privacy and breach of trust. Further on a state by state level there may be
laws, such as COPPA 2003 in California, which required a privacy policy to be
published. Canada and the EU have even more protective laws if you trade
there.

I feel it is safer and more realistic to presume the first paragraph I wrote
is the case and cover yourself with a privacy policy if you want to do
otherwise as I mentioned.

As always, ask a lawyer if you want professional advice.

------
3pt14159
Honestly, people are delusional if they don't think this happens everywhere.

I've seen tens of thousands of pieces of private data across all the companies
I've contracted for. Data guys need to explore, they need to learn what types
of customers use what type of features and why.

Heck, I talked to a guy online (didn't know his real identity, or I would call
him out personally) that wrote a script that automatically checked his
employer's database against outstanding warrants in the US (fuzzy matching
first name, last name, city, age) and pulled in 2 to 3 times his salary just
by the rewards. That is how bad some people are.

What you _can_ trust is that a company almost certainly won't intentionally
leak your data to the public, but rest assured that they _do_ flip through it.
Some awesome companies will obfuscate the email addresses or company names so
that it is much harder to back calculate who owns what, but honestly unless a
company is promising full encryption on their side I would just assume they
can see everything.

If you want real privacy use encryption (or some other zero trust protocol) it
really isn't that hard to use.

~~~
sunir
There's this small, harmless incident from 37signals and then there is this
attitude. Some questions:

* Should it happen everywhere?

* As a data guy, do you have professional obligations to uphold the privacy policy and operate within the law?

* What are the mechanisms available to the market and the industry to prevent the deterioration of customers' trust with us?

~~~
3pt14159
> Should it happen everywhere?

Yes. The market has spoken. People find terms of use acceptable, which
includes looking at personal data. The alternative is to restrict your data
team to the point where conversions would be half or a third of what they are.
Are most people willing to pay triple just to remove the off chance that some
random data guy comes across their info? Probably not.

> As a data guy, do you have professional obligations to uphold the privacy
> policy and operate within the law?

Any person, employee or not, professional or not, has obligations to uphold
just laws; certainly including measures of privacy.

Here is a typical privacy policy:

"We use personal information in the file we maintain about you, and other
information we obtain from your current and past activities on the Site, to
provide to you the services offered by the Site; resolve service and billing
disputes; troubleshoot problems; bill any amounts due from you; measure
consumer interest in our products and services, inform you about online and
offline offers, products, services, events and updates; deliver information to
you that, in some cases, is relevant to your interests, such as product news;
customize your experience; detect and protect us against error, fraud and
other criminal activity; enforce our Terms of Use; provide you with system or
administrative messages, and as otherwise described to you at the time of
collection. On occasion we use email address or other contact information to
contact our Users to ask them for their input on our services, and to forward
to them media opportunities.

We may also use personal information about you to improve our marketing and
promotional efforts, to analyze Site usage, to improve our content and product
offerings, and to customize the Site's content, layout, and services. These
uses improve the Site and better tailor it to meet your needs, so as to
provide you with a smooth, efficient, safe and customized experience while
using the Site."

That bottom paragraph is fully communicating the nature of the relationship.
Outside any law that would render the above unlawful, it is well within the
law for an employee to "SELECT * FROM users WHERE created_at > 2010-02-01" or
to "SELECT * FROM todos JOIN users ON todos.user_id = users.id WHERE
users.profession = 'developer'". There are perfectly valid reasons to do these
types of things. Anti-fraud measures, site optimization, etc.

> What are the mechanisms available to the market and the industry to prevent
> the deterioration of customers' trust with us?

This is a problem of mismatched expectations and priorities. It's a lot like
politics. In an ideal world a politician would be able to say something like
'I think the American people acted irresponsibly financing homes and that is a
good part of the reason for the financial crisis' because it is the truth and
it would help people in the long run to hear it, as well as help any policy
formation in response to it. But practically they can blame others and get
away with it.

Unless the industry is willing to educate politicians, site users, etc. There
is no reason to go out shouting that this happens. It's already in the terms
of use and the privacy policy. Do you think people _want_ to know what Air
Miles does with their data?

The only mechanism besides general silence (as well as inclusion in the
privacy policy and/or terms of use) would be full, 100% truth when asked. But
why make an issue of it? The netizens don't really care. If they did there
would be competition around this angle of the market.

dhh hides behind: "I don't think it has to be this way. We often run internal
reports on usage of certain features, but it's always aggregated, and never
looks at the individual data. I feel bad enough looking at a customer's
account when they've specifically asked me to do so from a support request.

I would certainly terminate any account with a company that willfully was
reading my private data and opening files for the mere sport of it."

That carefully worded bullshit. Internal reports are not exploring. Internal
reports are what you show at the monthly marketing or board meeting. C_Os get
internal reports. Data guys test recommendation models. Data guys find out the
interesting patterns to include in custom reports.

Also, his last paragraph is ridiculous. Obviously we don't read data for
sport. In fact it is boring. You go through data for trends.

------
sunir
I'm not really worried that 37signals are maliciously going through customer
data, because I honestly believe they aren't.

However, I'm disgusted by the number of people in this thread that justify the
violation of customer privacy because it's what's normal.

As an industry, we all face in our sales cycle the fear from customers that we
will violate their privacy. Self-regulation by holding each other to account
is the cheapest and best way to address the issue.

While I would be stupid to believe software vendors don't look at my data
because I know better, that isn't my expectation.

It's not my expectation that my lawyer, my accountant, my doctor, my
therapist, my social worker, or my librarian trade on or reveal or delve
through my private information. That's why they as professionals are licensed
and self-regulated by their professional colleges.

As information professionals, we should act professionally with information as
well. This is not crazy talk. We also see credit card numbers and personal
information stolen every month. Last year over 100 million credit cards had to
be reissued due to data theft. That's why the card industry created PCI
compliance to self-regulate the industry, as imperfect as it may be.

~~~
scrod
No, as information professionals, we should be building tools that enable
users to store and manage their data privately, without asking them to trust
some anonymous system administrator. Allowing them to become complacent and
implicitly accepting of remotely-hosted services does users and society as a
whole a great disservice.

------
untog
While the tone of the post is fantastic, I can't quite believe that anyone
would be as offended as they suggest. I would _like to believe_ that people
can apply common sense to this situation and realise that they disclosed
'cat.jpg' exactly because the name was entirely inoffensive and anonymous.

~~~
jasonlotito
You miss the point. The point is with regards to privacy. If I'm paying them
for their service, and I upload files, I can limit who sees them. If that can
be circumvented, this is disconcerting. What if I had a file named "How to
beat 37Signals.docx"? Or "Next iPad Specs - Official.pages" uploaded? And then
someone reviewing the logs happens to see that. And they get curious.

The idea isn't that cat.jpg is bad. It's that over at 37Signals, someone was
browsing the logs, reviewing the file uploads, and did see "2011 Financing
Report for X Public Company - Unreleased" or something akin to that.

I understand your point of view. But the people offended by this are in the
right. It's not what happened, but that it happened, and what it shows.

~~~
billpatrianakos
You almost have my opinion changed to agree with you that the people who are
offended are right to be offended. But honestly, isn't it a little naive to
think that the company holding your data won't have _some_ access to it? I
tend to believe that unless it's on a machine you own then someone else can
and will look at it in some way. They may not look at the contents but they
most certainly will check out the file type, size, name, date created, etc.

Now if you upload "HowToBeat37Signals.docx" to Basecamp you should probably
assume two things. There's the possibility, however remote, that someone not
authorized will see it (that possibility exists on every farmed out service,
no server is hacker proof despite GoDaddy's little badges) and if someone does
see it and it gets leaked or used against you, you'll have a damn good chance
of suing the bejesus out of them.

The word trust is the key word here. Whenever you use a service to store
sensitive material there has to be some level of trust. I think it's a mistake
to trust that no one within the company or as a result of a security breach
will absolutely never ever see what you've stored. What you do trust is that
the odds of that happening are supremely low and if someone were to see your
data (at least within the company) that they won't use it against you or share
it. History has shown us that no web service is 100% secure and reliable so if
you aren't comfortable with your odds then you shouldn't use the service. I
for one assume everything I've ever put online is not secure. I'm comfortable
with my odds though and bank on the fact that no one will take something
written or created by a nobody like me very seriously or care at all.

~~~
count
If the app is written appropriately for this sort of thing (see Tarsnap), then
no, the company has no access to any of your data.

~~~
Timothee
Can you actually make that work for a collaborative app?

User A uploads file_a.txt and you want to encrypt it. What key do you use for
that? It can't be attached to User A (e.g. their password or password hash)
only otherwise User B won't be able to decrypt it. How would you set that up
in a way that's still reasonable considering Basecamp use-case? (meaning: one
of their goals is to make project collaboration simple)

~~~
count
I dunno, maybe generate a keypair to en/decrypt the content, then encrypt
multiple copies of that keypair with per-user keys? A key-getting-key or
something like that.

There's probably some huge issues there, but it's a start to answering the
question.
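Below is an added, self-contained sketch of the scheme count describes (it is my illustration, not code from the thread, from 37signals or from Tarsnap). One change from his wording: the content itself is sealed with a random symmetric key (AES-256-GCM) rather than a keypair, and it is that content key that is wrapped, once per reader, with each user's RSA-OAEP public key; the user names alice, bob and carol and the file text are constructed. The server stores only ciphertext and wrapped keys and holds no private key, so it cannot open anything. Granting a new collaborator is done by an existing reader, and removing one re-keys the file, since merely deleting a wrapped copy does not take back a key the removed user may already have cached.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SharedFile is one stored file as the server sees it: the content under a
// random per-file AES-256-GCM key, and that key wrapped separately for every
// user allowed to read it. Nothing here can be opened without a user's private key.
type SharedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte // user name -> RSA-OAEP(content key)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func wrap(key []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// EncryptForUsers runs on the uploader's client: pick a fresh content key,
// seal the file with it, and wrap the key for each reader's public key.
func EncryptForUsers(plaintext []byte, readers map[string]*rsa.PublicKey) (*SharedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &SharedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKey: map[string][]byte{}}
	for name, pub := range readers {
		w, err := wrap(key, pub)
		if err != nil {
			return nil, err
		}
		f.WrappedKey[name] = w
	}
	return f, nil
}

// unwrap recovers the content key for one user with that user's private key.
func (f *SharedFile) unwrap(user string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.WrappedKey[user]
	if !ok {
		return nil, fmt.Errorf("no key wrapped for %q", user)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// Decrypt runs on a reader's client; a user with no wrapped copy gets an error.
func (f *SharedFile) Decrypt(user string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := f.unwrap(user, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// AddReader: an existing reader unwraps the content key and wraps it for a
// newcomer. Neither the plaintext nor the key passes through the server in the clear.
func (f *SharedFile) AddReader(granter string, granterPriv *rsa.PrivateKey, newUser string, newPub *rsa.PublicKey) error {
	key, err := f.unwrap(granter, granterPriv)
	if err != nil {
		return err
	}
	w, err := wrap(key, newPub)
	if err != nil {
		return err
	}
	f.WrappedKey[newUser] = w
	return nil
}

// RemoveReader re-keys: a remaining reader decrypts, a fresh content key is
// chosen, and it is wrapped only for the users in `remaining`.
func (f *SharedFile) RemoveReader(actor string, actorPriv *rsa.PrivateKey, removed string, remaining map[string]*rsa.PublicKey) error {
	if _, still := remaining[removed]; still {
		return fmt.Errorf("%q is still listed as a reader", removed)
	}
	plaintext, err := f.Decrypt(actor, actorPriv)
	if err != nil {
		return err
	}
	fresh, err := EncryptForUsers(plaintext, remaining)
	if err != nil {
		return err
	}
	*f = *fresh
	return nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample users
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := EncryptForUsers([]byte("constructed sample: file_a.txt"),
		map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	out, err := f.Decrypt("bob", bob)
	fmt.Printf("bob reads: %q (err=%v)\n", out, err)
}
```

The "huge issues" count anticipates are mostly outside this block: each user's private key has to live on the user's own device (or be derived from a secret only they hold), and a client that asks the server for a collaborator's public key has to be able to tell that it really is that collaborator's key, otherwise the operator can substitute one it controls and be granted access like any other reader.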

------
tghw
This is why our policy at Fog Creek is to explicitly get permission from users
before accessing their data. It's enforced by the sys admins (which we screen
more extensively during the hiring process), who give temporary access to the
person who needs it once the user has given their permission. When we're done,
the sys admins remove access to that account again.

It's a pretty painless process (we have snippets to ask permission from the
user and shortcuts to request access from the sys admins) and it helps prevent
both willful and accidental leakage or modification of our users' data.
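The workflow tghw outlines (customer permission first, a sysadmin issues temporary access, access is removed when the work is done) can be made mechanical rather than a matter of habit. The following is an added example of my own, not Fog Creek's tooling: a small access broker that refuses to issue a grant without a current customer consent, caps every grant at the consent's expiry, checks every read against an active grant, and writes each decision, including the sysadmin's own actions, to an audit trail. The account name acme-inc, the staff names and the clock are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Consent: the customer agreed, for a stated reason, that staff may open
// their account until the deadline. Without it no grant can be issued.
type Consent struct {
	Account, Reason string
	Expires         time.Time
}

// Grant: time-bounded access for one staff member to one account.
type Grant struct {
	Account, Staff, Reason string
	Expires                time.Time
	Revoked                bool
}

// AuditEvent: every decision, the sysadmins' included, lands here.
type AuditEvent struct {
	At                    time.Time
	Event, Actor, Account string
	Detail                string
}

type Broker struct {
	now     func() time.Time // injectable clock so expiry can be tested
	consent map[string]Consent
	grants  []*Grant
	Audit   []AuditEvent
}

func NewBroker(now func() time.Time) *Broker {
	return &Broker{now: now, consent: map[string]Consent{}}
}

func (b *Broker) log(event, actor, account, detail string) {
	b.Audit = append(b.Audit, AuditEvent{b.now(), event, actor, account, detail})
}

// RecordConsent stores the customer's permission, e.g. from a support reply.
func (b *Broker) RecordConsent(account, reason string, ttl time.Duration) {
	b.consent[account] = Consent{account, reason, b.now().Add(ttl)}
	b.log("CONSENT", account, account, reason)
}

// Issue is the sysadmin step: refused unless current consent exists, and the
// grant never outlives the consent it rests on.
func (b *Broker) Issue(admin, staff, account string, ttl time.Duration) (*Grant, error) {
	c, ok := b.consent[account]
	if !ok || !b.now().Before(c.Expires) {
		b.log("ISSUE_DENIED", admin, account, "no current customer consent")
		return nil, errors.New("no current consent for " + account)
	}
	exp := b.now().Add(ttl)
	if exp.After(c.Expires) {
		exp = c.Expires
	}
	g := &Grant{Account: account, Staff: staff, Reason: c.Reason, Expires: exp}
	b.grants = append(b.grants, g)
	b.log("ISSUE", admin, account, fmt.Sprintf("to %s until %s", staff, exp.Format(time.RFC3339)))
	return g, nil
}

// Authorize is checked on every read of customer data, by anyone, admins included.
func (b *Broker) Authorize(staff, account string) error {
	for _, g := range b.grants {
		if g.Staff == staff && g.Account == account && !g.Revoked && b.now().Before(g.Expires) {
			b.log("ACCESS", staff, account, g.Reason)
			return nil
		}
	}
	b.log("ACCESS_DENIED", staff, account, "no active grant")
	return fmt.Errorf("%s has no active grant for %s", staff, account)
}

// Revoke is the "when we're done" step; expiry ends a forgotten grant anyway.
func (b *Broker) Revoke(admin string, g *Grant) {
	g.Revoked = true
	b.log("REVOKE", admin, g.Account, "from "+g.Staff)
}

// Events renders the audit trail, one line per decision, for periodic review.
func (b *Broker) Events() []string {
	out := make([]string, 0, len(b.Audit))
	for _, e := range b.Audit {
		out = append(out, fmt.Sprintf("%s %s actor=%s account=%s %s",
			e.At.Format(time.RFC3339), e.Event, e.Actor, e.Account, e.Detail))
	}
	return out
}

func main() {
	clock := time.Date(2012, 1, 17, 9, 0, 0, 0, time.UTC) // constructed clock
	b := NewBroker(func() time.Time { return clock })
	b.RecordConsent("acme-inc", "support ticket: broken upload", 24*time.Hour)
	g, _ := b.Issue("sysadmin-1", "dev-joe", "acme-inc", 2*time.Hour)
	fmt.Println(b.Authorize("dev-joe", "acme-inc")) // <nil>: active grant
	b.Revoke("sysadmin-1", g)
	fmt.Println(b.Authorize("dev-joe", "acme-inc")) // denied after revocation
	for _, line := range b.Events() {
		fmt.Println(line)
	}
}
```

The point jonknee raises next (what stops the sysadmin?) is only partly answered by this: the broker makes a sysadmin's own reads show up as ACCESS_DENIED or as a self-issued grant in the trail, which is what "keep tabs on" a small team means in practice, but whoever administers the broker and its logs still has to be trusted.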

~~~
jonknee
Is there anything stopping the sys admin from doing the snooping?

~~~
tghw
Ultimately, someone needs to have the keys, and they do, which is why they go
through additional screening. Since there's a whole team, they would either
have to collude or cover their tracks very well. Considering a major part of
their job is keeping our data and our users' data safe, a breach like that
would not be taken lightly.

So ultimately, it may be possible for one to snoop on our users, but it's much
easier to trust (and keep tabs on) a small, well screened team than the entire
company.

Speaking personally, I can say that I would (and do) absolutely trust my own
data to our sys admins.

~~~
dhh
What additional screening do you put your system administrators through? Are
we talking security clearances and background checks? Definitely curious to
hear the specifics.

~~~
tghw
I've not been directly involved in the hiring of a sys admin, since I'm a dev,
but I do know that we at least do background checks.

~~~
dhh
Can you ask? I'm curious to learn what these background checks entail. Also,
if they actually do prevent bad apples from joining, why not do them to
programmers as well (given that they have the power to program backdoors etc
into systems).

------
tomkin
37signals really doesn't want to be the bad guy. They're not. And this whole
thing is ridiculous. If you were to evaluate 37signals on a 0-to-9 scale,
based on how "evil" they are, you might give them a 0 or a 1. What if the
scale went the other way as well? There isn't just _evil_ , there's
_apologist_. And it too can lay the groundwork for unfruitful results.

37signals' target demo is smart, well-to-do, logical. They shouldn't have to
apologize. As their _logical_ demo, we should know better. We know that if the
filename was _MyBossIsAnAsshole.docx_ or even _MyWeddingPhoto.jpg_ that
37signals wouldn't have had to think for a second on the appropriate thing to
do. As logical thinkers, we know why cat.jpg is funny as it pertains to our
demographic. We know that MyWeddingPhoto.jpg wouldn't be funny.

The whole _burn 'em at the stake_ routine is asinine.

------
dugmartin
Well done. I wish more companies would own up to mistakes instead of weaseling
out of them.

To DHH if you are reading these comments: Since 37signals is such an industry
leader why not take this opportunity to release a "trust manifesto" that other
SAAS companies can learn from instead of just updating your privacy policy?
Present it as a few straightforward bullet points instead of paragraphs of
legalese.

~~~
dhh
I'd be very happy if we come up with a good privacy policy that it could help
others revisit theirs. Most policies, including ours, talk about shit people
generally stopped caring about 5 years ago (what do you do with my
COOKIES?!?!).

These days people care much more about the privacy of the data that they
actively share through uploads etc and much less about the tracking. At least
on apps like ours.

------
lukev
The real lesson here is that if you _really_ want your data to be private, you
have to take responsibility for encrypting it or not uploading it _anywhere_.

Even in the best-case scenario, at least some employees can access data as
part of their jobs. This has been true of every job I've ever worked at.

------
scrozier
This post and comments have made me reconsider the word "trust" entirely.

"Trust" is an emotion-laden, rhetorical word used by a someone who wants you
to do something. "Just trust us."

Trust is not fragile, trust is an illusion.

Replace the verb "trust" with the word "assume" or "take a calculated risk"
and you're closer to reality.

Instead of "trust us," how about, "Look at our record. Note that we have had
not a single incident of data disclosure in 6 years. Decide for yourself if it
is likely that we'll have one now, with your data."

Instead of "trust us," how about, "Think about our business: imagine the
consequences if we were found to have looked at our customers' data, and see
if that disincentive allays your concerns sufficiently."

Instead of "trust us," how about, "Here are the ways we are protecting your
data. Consider whether they meet your requirements or not."

I'm voting "trust" off the island.

------
nopal
I think this post highlights a missing component of the IT ecosystem -- a
professional code of ethics.

Many companies, especially large ones with lots of lawyers, have developed
policies and procedures relating to what's acceptable and what's not. But most
smaller companies and startups don't seem to have time to formulate these
policies.

A professional code of ethics, specially with regard to privacy and user data,
would be very useful.

Right now, most developers operate on a "do unto others" philosophy. While
this may be good intentioned and work well a lot of the time, it's highly
subjective -- as evidenced by the comments on this thread.

------
joshontheweb
When I was in college and working for a bootstrapped startup I was handed an
unprotected thumb drive with an Excel spreadsheet containing all the credit
card numbers, expiration dates, addresses, social security numbers, etc of all
the clients (thousands) and told to take it home for when I was working out of
the office. I was too ignorant to realize how terrible, and I'm sure illegal
this was. Of course I never abused it but it definitely makes me wary of my
data these days. I imagine this happens much more than people think. Don't
worry, the company I speak of was localized and failed now I think. It's
prudent to cancel your cards once or twice a year and be careful who you
trust. Some companies value convenience over security and put way too much
trust in the employees.

------
screwt
There is a strong case to be made that 37signals should have access to this
data for debugging purposes or similar. And as others have suggested,
customers trusting 37signals with data should expect this at some level,
unless the customers are encrypting everything at their end first.

But should everyone in the company have that level of access, or should access
be restricted to the minimum necessary? What I don't see in others' comments
here (except tghw's [1]) is any recognition of that. It's all very well saying
you want to give your devs access, and that you can be trusted, but over time
and as your company grows you're exposing yourself to the risk of a rogue
operator. And it only takes one person to do something bad to severely damage
the trust your customers hold in you.

It's a balance, to be sure, but I'm inclined to think a blanket "we trust our
devs, so they have the access they need" could be exposing yourself to a large
risk you don't need.

[1] <http://news.ycombinator.org/item?id=3471338>

------
davidw
FWIW, there's an Italian startup called Iubenda trying to do something around
privacy policies, so that it's easy to have a good one:

<http://www.iubenda.com/en>

------
aangjie
Reminds me of somethin' my ex-colleague came up with in a discussion over
lunch.. Trust is a complex variable. It has some real part/value that both the
parties involved can be secure about, and an(two??) imaginary part where both
the parties have a guess about what else they will/can trust the other about..
In this case, i think the filenames would count as imaginary part. Not to
imply, it's not private, but would be surprised if it had been in the terms of
service..

------
torontos
HN Discussion of the incident a few days ago:
<http://news.ycombinator.com/item?id=3456819>

------
shasta
Seems reasonable, but can adults stop boasting that they're behaving like
adults? Unless 37 signals is being run by children, in which case: good job
kids.

------
BadassFractal
At any large organization with millions of customers and public opinion
affecting stocks, even mentioning that random people on the dev team
have access to customer data can be pretty career altering. The fact that
you're even looking at confidential information is generally highly frowned
upon.

What if Mint.com celebrated their 1 "billionth" processed transaction by
posting what it was? Wouldn't that cause outrage?

------
dennisgorelik
I routinely look into my customers' data and didn't really have second
thoughts about it.

I even automated the process of looking into customers' data. The main goal is
to catch spam and scam and delete such accounts.

Maybe it's specific to my business (job board), but aren't scam and spam a
risk in any business to at least a certain extent?

~~~
BadassFractal
You can do whatever you want as long as it's explicitly stated in the EULA,
hopefully that's the case in your situation.

------
dpritchett
I'm impressed that this mea culpa ended with a reasonably tasteful plug for
the next 37s product release.

------
8ig8
I'm not too troubled by employees reading file names in the logs, but for some
reason it bugs me that the apology post included a promotion (a link) for
"Basecamp Next." In this context it didn't seem necessary.

------
sunchild
I was one of the people who was vocal about this being a serious gaffe when
the post went up.

This is absolutely the best response conceivable. Bravo!

------
billpatrianakos
People really got _that_ upset over them knowing the name of the 100 millionth
file? They're not going to look at the log anymore? I don't know how they
operate on the server side of things but if no one is going to look at logs
anymore then why have the log at all? I look up to 37Signals a lot but I think
they were a little too apologetic this time. Why not apologize but explain
that the log files tell you basically nothing about the contents of your
files? How does anyone not make the connection between the cat joke and the
file named cat.jpg? I mean, they even spelled it out in the original post! I'm
not trying to be critical, I'm just kind of left wondering how something like
this offended a single person. Weird.

~~~
tangus
Keep in mind that the original post said "it was the picture of a cat". It
implied they looked at the content of the file.

~~~
billswift
No they didn't. They talked about how sharing pictures of cats was a running
internet joke. All they said about that particular file was that it was
_named_ cat.jpg.

~~~
scott_s
From <http://37signals.com/svn/posts/3076-i-heard-you-like-numbers>:

_And a Basecamp user uploaded the 100,000,000th file (It was a picture of a
cat!)_

In the comments, they clarify that it was called cat.jpg, and that's how they
knew it was a picture of a cat.

------
sscheper
Sometimes I feel like 37signals should change the name of their blog to "Much
Ado About Nothing"

