Privacy of a Start Up: Part 3 of Open’s interview with BillMonk. by risa
People have raised questions about BillMonk (in comments on the TechCrunch profile, for example) about the smartness of putting increasingly sensitive info onto other people's servers. How do you answer this concern?
It’s a valid concern! People should be paranoid about their information, and guard it jealously, everywhere. On the other hand, there is no way for services like BillMonk (or MySpace, or Amazon, or Ebay…) to exist without users giving up a lot of personal data. So it’s not really a question about BillMonk per se, it’s a broader question about “should I use things on the Internet?”
You really have to break it down on a per-service basis by asking:
1. How potentially sensitive is the data being collected? What is the worst that could happen if it leaked?
2. How much do you trust the service:
2a. Technically (do they know their computer security?)
2b. As a business (will they just sell my data, or not respect it?)
I really, really want users to think these through before they sign up to use us—or any service. We tried hard to make our privacy policy as clear as possible so people can assess this on their own.
Let's talk about (1). As for personal data, we really don't collect much more than any other web 2.0 site. Name, email address. Optional phone number, age, zip code, and gender. We do not know (or care) if your name is accurate, and we do not have a mailing address. We collect a password but store it in encrypted form (a one-way cryptographic hash), so not even we can know what it is.
We do store your bills; the amount, and with whom. We go out of our way to protect this data, and know how important it is to keep private. That’s the reason why all BillMonk site traffic is encrypted (https). However, if in some catastrophic scenario it did leak, what happens? Your spending profile is known; secrets about what you’ve been buying are exposed. That is really bad. But it’s not leaking-your-credit-cards bad or be-scared-of-stalkers bad.
As for (2), it’s all about trust. On the web, trust usually varies in proportion to the company size. We’re small potatoes, why should you trust us? A good question, but I’d flip the question on its head and ask why you’d trust a big company. Corporate IT security is a joke in depressingly many companies (in all fairness, security is hard, especially when you get big, but that’s no excuse). A big company betrays your trust and sells you out—and what can you do besides gnash your teeth? One reason you should believe us when we say that we are rabid about user privacy is that we have everything to lose if our users don’t trust us. Other than that, you should read up on our technical credentials (good) and privacy policy (clear, and very firm), and make your own decision about whether to trust us or not.
There's a third flavor of privacy having to do with managing the community on the site, to keep one user from doing evil to another user. Our policy so far has been this: you can only interact with someone you can prove that you know, by already having a contact for them (email or phone). You can know the contact of whoever is interacting with you. We audit every change to a bill. So users can police the site themselves, without getting tangled up by elaborate authorization controls (which could have loopholes, and would make the site harder to use). Some websites that are community-managed do very well and scale nicely, others have serious troubles; we are of course doing everything to make it the former.
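Two of the controls described in the answer above are concrete enough to sketch in code: storing passwords only as a one-way hash (so that "not even we can know what it is"), and letting a user act on a bill only with someone whose contact they already hold, with every change audited. The block below is an added example for this post, not BillMonk's code. The interview says nothing about the hash function, salting, or data model; the salted PBKDF2-HMAC-SHA256 record format, the `Site`, `User`, `Bill` and `AuditEntry` names, and the sample accounts are all this example's assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example, not BillMonk's code. The interview states only that passwords
# are stored as a one-way cryptographic hash, that you can act on a bill only
# with someone whose email/phone you already hold, and that every bill change
# is audited. The PBKDF2 scheme, data model and names are assumptions.

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A random per-user salt means identical passwords yield different records,
    so a leaked table cannot be attacked with one precomputed dictionary.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class User:
    name: str
    email: str
    password_record: str  # hash record only; the cleartext is never stored
    contacts: Set[str] = field(default_factory=set)  # emails this user holds


@dataclass
class AuditEntry:
    actor: str  # who made the change; the other party can see this
    old_amount: Optional[float]
    new_amount: float


@dataclass
class Bill:
    creditor: str
    debtor: str
    amount: float
    history: List[AuditEntry] = field(default_factory=list)


class Site:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register(self, name: str, email: str, password: str) -> None:
        self.users[name] = User(name, email, hash_password(password))

    def login(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and verify_password(password, user.password_record)

    def can_interact(self, actor: str, other: str) -> bool:
        """Actor may involve 'other' only if actor already holds other's contact."""
        return self.users[other].email in self.users[actor].contacts

    def create_bill(self, actor: str, debtor: str, amount: float) -> Bill:
        if not self.can_interact(actor, debtor):
            raise PermissionError(f"{actor} has no contact for {debtor}")
        bill = Bill(creditor=actor, debtor=debtor, amount=amount)
        bill.history.append(AuditEntry(actor, None, amount))
        return bill

    def update_amount(self, actor: str, bill: Bill, new_amount: float) -> None:
        """Only a party to the bill may change it, and every change is logged."""
        if actor not in (bill.creditor, bill.debtor):
            raise PermissionError(f"{actor} is not a party to this bill")
        bill.history.append(AuditEntry(actor, bill.amount, new_amount))
        bill.amount = new_amount


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    site = Site()
    site.register("alice", "alice@example.com", "correct horse battery staple")
    site.register("bob", "bob@example.com", "hunter2")
    site.users["alice"].contacts.add("bob@example.com")
    bill = site.create_bill("alice", "bob", 40.0)
    site.update_amount("bob", bill, 35.0)
    for entry in bill.history:
        print(entry)
```

The point of the audit trail is the one the interview makes: rather than a fine-grained permission system, anyone on a bill can see who changed what, so a bad edit is visible to the other party and can be disputed. The contact check is deliberately coarse; it stops a stranger from attaching a bill to you at all.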