“I need to know your mother’s weight, in order to provide good service to you.”
That sounds ridiculous, right? Well, it is. But it’s not unlike the agreements we strike with most web services and applications, which essentially tell us: “Provide us with all your personal data and we will deliver a great service to you.” Most tech companies want you to think this is a fair trade.
Their idea is simple. When you register for a new service you’re asked to provide information about yourself, and then depending on the purpose of the service, some (or all) of your data and actions are stored for later access and use by them. This is how most consumer web products work and this is what we here at Dashlane challenge today. Is it really necessary to have constant and complete access to users’ personal data in order to deliver a quality product? I would say sometimes yes, but more often than not no.
Let’s take an example. On Thursday last week, we released Dashlane’s point system so users can unlock premium features. They can earn points by simply using Dashlane or by referring people to use the app as well. We think it’ll be fun, engaging, useful, and will also help us grow sustainably. During the development of these features, we faced the following question: How are we going to keep a record of our users’ actions so we can award them the points they earn while staying true to our promise that we won’t ever have access to their personal data or the history of the actions they’ve taken on Dashlane?
We could have stored the information in an unencrypted manner on our servers in order to make it easier to sync and then to compute it — this is what most services you use do. Instead, we decided not to choose this option because it would have meant that we could store a lot of information about what our users do on the web and it would have been possible to link it to their identity which is obviously something we want to avoid.
Alternatively, we could have stored only the total amounts of points each user had without any history but this would have been far from flexible and we were looking for a solution that did not detract from the user experience.
After investigating many options, there was only one that seemed ultimately relevant. We decided to treat the data about our users’ activity as sensitively as we do all the personal data they already enter on Dashlane — everything from ID numbers to addresses to credit card information. We have elected to encrypt all the data related to earning points and unlocking badges in this same ultra-secure way and to compute the points locally, on each user’s device, like all other data managed by Dashlane on our users’ behalf. It keeps us true to our philosophy, which is that personal data should be accessible to the user and the user alone — not us, or anyone else.
This solution is good for us but has some limits. For instance, by computing points and badges locally, it’s harder to implement social-sharing around unlocking badges and upcoming premium features. And if, say, we wanted to have a Facebook-style timeline, we could not — because it would require access to users’ personal data even when they aren’t logged in, which is exactly what we want to avoid, particularly as we’re helping people organize and manage their most important personal data. The approach we’re taking is not for every consumer-facing tech company, of course. It’d be difficult to do for a company like Dropbox since they need to access all their users’ data in order to optimize the cost of storage on their servers by never storing the same data twice, even if it is owned by two different users. (Which, by the way, is why you probably shouldn’t use Dropbox for sensitive data.)
In an ideal world, tech companies should differentiate between two types of data: data that really needs to be available when the user is not logged in, and all the rest. This second group of data should be encrypted with the user’s password, which, like our users’ master passwords, shouldn’t be stored anywhere.
To be clear, I’m not saying that websites should not store any data at all. Everyone that works in tech knows that having data is important in order to improve services, whether it’s for A/B testing purposes or to see what’s working and what’s not. What I’m saying is that data used for analysis purposes should be totally anonymized. And as users, we should always remember that every bit of unencrypted data we provide online — read: most data we provide online — is potentially accessible to people who work for the companies that are providing the service, not to mention hackers and legal institutions.