Joel Pett created a great editorial cartoon that shows an angry gentleman standing up at a climate summit yelling “What if it’s a big hoax and we create a better world for nothing?”
Well, let’s look at a few points.
One thing you NEVER want to tell someone like me is that “Costs don’t matter.” Yes, yes they do matter. Unless you have an endless supply of money and manpower, they matter. Otherwise i’m going to set up a fully redundant, highly secure system of tiered databases, web heads and monitoring boxes that runs in at least 3 colos on 8 core boxes with max GBs of storage (both online and off). It’ll be the most aweseome blog server you’ve ever seen, can withstand the combined attention of every social media site on the planet simultaneously, and will make your CFO reach escape velocity by soiling himself.
Even Google considers costs.
Where you make your tradeoffs matters, and one of the principal ways one does this is by managing the data you maintain. Storing everything is easy to think of, but absolutely ruinous to do. If you store to flat files, you’ll pay in search costs later. If you store to Databases, you’ll pay indexing costs now. What you want to do is store the absolute least amount of data possible for anything. Don’t try to justify why you should cut something, justify why you need to keep anything. Hard. If there’s any reason to pitch it, do it otherwise you’re going to be drowning in a sea of noise looking for the few bits of signal you can.
This is the hardest thing for a lot of folks to get. One of the running statements for most products is “Ship It!”. Go on reddit or stackoverflow and you’ll see folks saying “Doesn’t matter, ship it!” or some other term.
i hate that.
Let me explain. In my job. “Ship it” is the very first step. What follows is 5-10 years of “keep it running” / “can we improve it?” / “how do we fix that critical bug?” / “how do we transition users to the new service?” / “blah, blah, blah…” If you’re lucky, your product runs on a platform that you can update, otherwise what got “shipped” is what’s going to be live. Period, and anything wrong is your problem later.
This point is generally compounded by the folks who yell “Ship It” and send out their farewell notes a week after it ships. This leaves you with a pile of shippy code from the ship head and some angry users that have just been shipped on, and you holding the shovel to dig yourself and your future paychecks out of this pile of ship.
Privacy requires documentation. Clear documentation. Clear, understandable documentation with histories that outline issues and resolutions. Clear, understandable documentation in well known, easy to find locations. One should be annoyed by how much documentation exists for the code and how often you see references to it from within the code.
You also need that for ongoing maintenance, QA testing, release management, Load testing, etc.
So, if you have a product that doesn’t have that already, you can tell the guys full of ship that they need to rein it in before they ship themselves and you wind up in deep ship.
(well, unless you’re making a one use product that nobody cares about. In that case, you need to seriously re-evaluate your life choices.)
Let’s look at US law for the moment. As it currently stands, the Feds can show up at any time with a love note that basically says “Give us every scrap of all your user’s data, and you can’t tell anyone because Ter’rsts!” This bit of information will be disclosed at the least opportune time with the worst possible framing. It may have lead to Hitler bin Badguy eventually getting that parking citation on his Suppress-o-tron 2000 Battle Tank, but in the mean time, you will have shattered user trust and whatever good faith they may have had in your company. Folks will switch to other services or stop sharing and recommending your product. The paychecks will stop, and you’ll be milking orphan tears for the Suppress-o-tron 3000.
Since the Long Arm of the Law is a bit grabby, it’s better to know absolutely nothing about what your user is doing. When Agent Smith shows up with his pen register, he gets back client side encrypted blocks of useless crap. Ideally, blocks of crap that will take him well past the heat death of the Universe to decode.
Needless to say, if you’re not in the US or plan on doing business outside of the US, you’re going to have to deal with a whole host of privacy laws that will make you and your lawyer cry. In some areas, you’ll have to tender any encryption method you have to the government, which means that even if you only see a key in passing, you’ll have to hand it over.
Feel free to substitute “Ev1l Haxxorz” or other malicious, non-authorized parties, since if you do have to install a “secret back door” for “only authorized law enforcement use”, understand that the credentials you provide will probably be stuck on a post-it on a monitor and flashed across Fox News during some agency promotional piece. Well, that or distributed by a disgruntled former contractor. Feel free to use whatever mechanism you like, because it will probably happen. Do NOT presume that governments have better security than you do.
In short, keeping user data to a bare minimum, and well protected, not only is a good idea, it can save you serious money and hassle. It’s not just good for users, it’s damn good for you.