News reports about the National Security Agency (NSA) collecting data from tech companies are a reminder for startups to maintain consumer loyalty with a clear privacy plan, and to be transparent about how that customer data is used.
The NSA collects data from the digital networks of nine US Internet companies, including Google and Facebook, through an initiative called PRISM, according to the Washington Post, which obtained a slide briefing about the program used by agency employees. US Director of National Intelligence James Clapper confirmed the existence of the data collection program following those reports on June 6.
If government or law enforcement officials request data from a tech company, consulting an attorney familiar with privacy law can help startups plan how to respond, said Michael Vatis, a partner at the law firm of Steptoe & Johnson.
“It’s important to have someone advise a company on whether a demand is legal, whether it is appropriate, whether it is unduly burdensome, and whether companies can push back in some way,” said Vatis, who previously served as the founding director of the Federal Bureau of Investigation’s (FBI) National Infrastructure Protection Center, which focuses on cybercrime.
Companies sometimes negotiate terms about a data request with government or law enforcement, including how much data they decide to share or whether they can reject the request completely, said Vatis, who also previously served as legal counsel at the Department of Defense (DOD) and the Department of Justice (DOJ).
“The much bigger privacy issue is how companies use customer information, not how it might be shared with the government,” Vatis said. “People want to know whether they have control over personal information.”
Having a strong reputation for privacy can also give a company a competitive edge, said Marvin Ammori, a First Amendment attorney and cofounder of a tech startup called Silica Labs, which designs software for Google Glass.
However, companies often collect user data to improve their product, and sharing data with other companies can help monetize a product that is free for users, said Ammori, who is a Schwartz Fellow at the New America Foundation think tank.
“If you are founding a startup, you have 100 things on your plate, but if you don’t do privacy right, you can alienate all your users, or you can get into legal trouble.” Ammori said. “Keeping in touch with a privacy expert to contact occasionally can be a big help.”
To put customers at ease about data privacy, Dan Hanks, cofounder of photo sharing mobile application SnapDash, said his team worked with legal counsel for months to try to design a transparent, clearly explained privacy policy before launching the social photo game service in February.
SnapDash’s privacy policy includes the company’s process of collecting anonymous data about navigation on the mobile app and then using algorithms to analyze it and make improvements.
The company’s terms of service also promise security for user data, so SnapDash photos are stored on cloud hosting service Appcelerator, Hanks said.
“Using cloud hosting providers is a good idea for startups, since they have expertise and resources to provide security that a small company might not have,” Vatis said.
Facebook and Google would not comment for this article beyond public statements made by their staff. Google sent a letter to the FBI and the DOJ on June 11 requesting the right to publicly disclose the number of classified requests for data they receive from the government. Google already publishes a Transparency Report tallying data requests they receive, but it does not include certain classified government requests, according to the letter. Facebook posted a blog post on June 11 supporting Google’s letter to the government.
Guest author Tom Risen remembers LAN parties and custom-building computers before the rise of the smartphone. He started reporting on the tech stock market at the Medill School of Journalism, and has written about the tech industry for Government Executive, National Journal, Slate, Policy and Regulatory Report, and for newspapers in Maryland and California. He’s on Twitter @TomRisen.