Privacy policy for exhibition applications
• Mark Eschbach
I recently got a notice from Google that I need to update my privacy policy…because it doesn’t exist. That wasn’t really by accident. It’s for my Android Application Bite Your Thumb. I’m in a bit of a strange situation. Effectively I’m not really interested in the user information beyond knowing how to (1) Establish their identity, (2) Relay messages for them, and (3) that there is a maximum outstanding message count.
The identity is an interesting one because I use Google’s Identity management system, integrating over something like OAuth2. Time to see what other policies are out there. An initial search for the terms “play store privacy policy” turned up a whole bunch of ads on the first page. Maybe I should consult the Free Software Foundation first. They are a little fanatical on these subjects but at least I’ll have some decent discourse on the subject. Surprisingly I was unable to find any examples or documentation on their site regarding privacy policies.
Alrighty, after searching for some decent information I’m not able to really arrive at the core values of a privacy policy. From what I can gather the minimum values of a privacy policy are the following:
- How information is collected and used.
- What information is used and analyzed.
- How future changes will occur to the application.
Cookies
It’s really annoying people don’t take the time to understand cookies at all. At their core, cookies are an approach to create stateful sessions over HTTP. I find it hilarious people freak out over them. There are a handful of information brokers which use cookies to track sessions across multiple sites, but realistically they have probably found additional methods such as service workers, iframes, etc. Too bad most people don’t educate themselves and just label cookies as malware :-/.
Searching for a valid example
Github’s Privacy Policy is rather interesting. I think it is more detailed than I would bother with, but I think it’s a good template. They mention collection of user information, sharing, and hosting. Interestingly they ensure the jurisdiction of the US and compliance with US law. I wonder if this causes problems with cryptographic code written in Canada or Europe.
Free Software Foundation’s Privacy Policy has the same basic tenets: they collect info for analytics, although interestingly they anonymize IP addresses. Makes sense given their activism. Customer information is an interesting problem; I would imagine they have to retain a list of US donors since they are a US based organization.
Facebook’s Privacy Policy is rather interesting. They again use the format of: what is collected, how the information is used, what is shared, process for requesting data deletion, response to legal requests, global operations, notifications of changes, how to contact them.
Reflections on the intent and applicability
The particular application in which I need to update the privacy policy is for sending pre-canned chat messages between users. For this I need to collect a reasonable amount of information about a user, including establishing identity. I also need to collect device specific information (GCM token for sending notifications). Additionally I do check every once in a while for usage and such. The messages sent are transient and removed upon dispatch.
The system is hosted on Heroku who in turn uses Amazon Web Services. From my knowledge this is all hosted in US East-1. I should probably include a note that the system is hosted within the cloud and is subject to data collection by those third parties.
I would love to fight on behalf of users’ privacy rights but I don’t have the financial resources to do so, so I have to comply with requests. The best I can do is notify users when I haven’t been ordered to keep my mouth shut. I don’t foresee any reason how a user could use the system for anything but being cheeky with friends, but who knows.
I’m not global, I live in the US and as far as I know all my systems operate within the US. That includes Heroku, AWS, and Google. I should probably put in the Terms of Service the agreed-upon jurisdiction to be in Yolo County, California. That way I don’t have to deal with things like some state passing a law about something I’m unaware of.
As for the question of minors, if they are under 18 years of age they probably shouldn’t be using the application. Partially because I don’t want to be responsible for the language they use as a result.
Notifications of change are fairly simple. There isn’t any reason to notify them of minor changes. Major changes I probably would, but I don’t see a reason that would occur, except for maybe the initial set up. I’m not happy with it, but I’ll probably request they check in every once in a while if they’re concerned about it.
Contact is an interesting one. If they have questions or concerns I’m more than happy to address them. I’ll probably just have them e-mail me. I’ll answer any questions I can. Worst case scenario is I have to tell them it’s a free application and they get what they pay for.
Update the eschbachgroup.com website
I’ll admit it, it’s been a while. A long while. So long I forgot what the pipeline was. Time to begin digging to figure it out. Oh right, I had created a static templating system using NodeJS and Grunt. It transforms the content into static HTML because there was no need for dynamic elements. I should probably migrate away from that approach and just use something like Jekyll. I don’t really have time to invest in making it reasonable. Simple enough though: run a local service and a grunt command, then it’s done. The original intent was to allow creative freedom of portions of the pages while allowing for templating of others…it just never came to fruition.
The drawback is now I have to list every file and destination. This goes back to the argument of convention over configuration; I’m totally for convention as long as it can be overridden by configuration. But being a primitive tool, and with other priorities on my plate, the tool fell by the wayside years ago. In the future maybe I’ll take a look at it, clean it up, and post it on Github. It’s similar in style to the XML processing approach I used for my website in the mid-2000s, but with more creative freedom.
I feel like those statements are really generic but I couldn’t find better information about what needs to go in there or what people are looking for. I guess I’ll just iterate on it as issues come up.
Deployment
Well, everything but pushing into the target system worked well. I’ve changed from Rackspace to AWS because Rackspace was more expensive and their support really sucked. Anyway, AWS has been more reliable and able to provide the advertised resources for much less. Additionally I can play with all the other fun things they have released.
I’ve also updated my systems to pull from a git repository instead of pushing out. That greatly simplified my system setup, but now I need to ensure the plumbing works as intended. Hmm…apparently I never configured that site for that system. Hmm. I should have really finished this arc so it would be seamless.
I’ll have to finish my deployment system. Might move the storage layer from EtcD to CouchDB at some point though, given EtcD is changing to a straight key-value store.