Monday, May 17, 2010

The Erosion of Privacy on Facebook: Read the News and Audit Your Account

Could Facebook have grown its community to hundreds of millions of users so quickly if it had not promised to protect the privacy of its users? I suspect the answer is "no." Users trusted Facebook, and they signed up in droves.

Evidently, the company feels it has grown big enough that it can rescind its earlier promises about data privacy and weather whatever micro-storm of protest ensues. As has been much reported, the company is changing its privacy policies and—just as importantly—its UI for controlling privacy settings.

The policies now lean toward disclosure rather than containment. The new UI controls require one to click, click, click with the perseverance of a busy switchboard operator to regain most of the privacy one enjoyed a few months ago. Alas, it's impossible to regain all of it.

Facebook wants to ensure that it and its partners have access to as much personal information as possible. That's how they'll make money.

Their loosey-goosey manner of opening the floodgates leaves users vulnerable to all sorts of hacks, exposing private data not just to Facebook and its partners, but also to any hacker or marketer with sufficient diligence and cunning. (See Wired Magazine's article, Rogue Marketers Can Mine Your Info on Facebook.)

Users, understandably, are unhappy. Fifteen organizations have banded together to file a complaint to the FTC. User defections are becoming more common and well publicized. Facebook management is scrambling to respond.

For a quick summary of what's changed, what's new, and how exposed your own Facebook account is, consult the following.

Analysis

Electronic Frontier Foundation


Facebook's Eroding Privacy Policy: A Timeline

Updated: Facebook Further Reduces Your Control Over Personal Information

Quote from this second article:

Today, Facebook removed its users' ability to control who can see their own interests and personal information. Certain parts of users' profiles, "including your current city, hometown, education and work, and likes and interests" will now be transformed into "connections," meaning that they will be shared publicly. If you don't want these parts of your profile to be made public, your only option is to delete them. . . .

But even for an innocuous interest like cooking, it’s not clear how this change is meant to benefit Facebook's users. An ordinary human is not going to look through the list of Facebook's millions of cooking fans. It's far too large. Only data miners and targeted advertisers have the time and inclination to delve that deeply.


New York Times

Facebook Privacy: A Bewildering Tangle of Options (a chart showing the hierarchy of Facebook's new privacy settings)

Office of the Privacy Commissioner of Canada

Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (2009)

Wired Magazine


Public Posting Now the Default on Facebook (December 2009)

Quote:

Facebook estimates that 80 to 85 percent of its users have stuck with the default privacy settings, which means hundreds of millions of users will soon be publishing to the entire net, by default when they type into their status box. The previous defaults for status updates were “Friends of Friends” and networks, including geographic ones with millions of users, while photos defaulted to everyone.


Audit Tools


Profile Watch: Scans your privacy settings and rates your exposure on a scale of 1 to 10.

ReclaimPrivacy.org: Scans your Facebook privacy settings and provides detailed analysis of your exposure, along with links to the Privacy Settings page on which you can make adjustments for a particular score.

If you know of other useful audit tools, please let me know.

Thanks to Sarah Evans for the link to Profile Watch and to Chris Marino for the link to Reclaim Privacy.


Monday, May 3, 2010

A Gentle Critique of McAfee Product Marketing

Fifteen-second summary of the marketing lessons discussed in this post:

1. Write, chat, and speak in plain English.
2. Don't put populating fields in your CRM system above serving your customers.
3. Create demos that really demonstrate.
4. Build Web sites with tiers of information, so if customers want to dig for details, they can.

If you're already practicing what these lessons preach, feel free to click away and find useful instruction elsewhere.

But if you harbor a sliver of a doubt about your own organization's ability to do all the things I've listed above, then read on . . .

The Story

One of my systems needs to go into the shop for repairs. It's an old system, and it's got a ton of files on it. Some of the files are confidential, so I'd like to encrypt them. I don't need to encrypt the whole disk, just certain files and folders.

I know that there's disk encryption software out there, and I'm sure that David Strom (a writer I know and like) has written about this sort of thing, and I thought about digging up his old columns. But I'm a customer of McAfee's. Their AV software came installed on my laptop, and I'm pretty happy with it. So I decided to start there. Actually, I decided to look at McAfee, Symantec, and PGP.

Let's take these in reverse order. PGP emphasizes whole disk encryption and encryption for email (not something I'm looking for at the moment). Their disk encryption software, which I'm sure is very good, starts at $99 (though that page is a little hard to find; looking for it just now, I ended up on a page for a similar product costing $149). Not egregiously expensive, but more than I was looking to pay. After all, I just want to encrypt a few folders.

A quick glance at Symantec's Web page describing their security products for Home systems leads me to conclude that they offer a bunch of nice features, but not disk encryption.

Which brings us back to McAfee. Of the three vendors, McAfee's positioning for the home computer market seems to be the strongest. Their Web page design is bright and clear, and the Web copy doesn't suggest that you need to place an order of 100 units or more to begin to be interesting to their sales organization.

Here's their Web page for their encryption product, which it turns out is called McAfee Anti-Theft.



I think this page is well done. (None of my quibbles concern McAfee's UI design but rather their UX design.) To call attention to just a few things I like about this page:

  • It's clear and legible. There's a product shot and a check list of key features.

  • There's a bright "Buy Now" button with a legible footnote explaining exactly what it is you're buying.

  • The ribbon-like design treatment in the upper right reinforces the suggestion of trust conveyed by the gold badge. It looks like they've won a badge for merit.

  • More technical details, such as the fact that the product supports AES encryption, appear below. (As they should. Headlines up top. Details down below.)

You'll notice that below the photo of the box, there's a View Demo button. That's where my trouble with trying to purchase McAfee Anti-Theft began.

The demo animation runs for roughly 2:30 (two minutes, thirty seconds). Of that, 1:30 is a slide presentation basically recapitulating the information that appears on the Web page. OK, fine. I realize you're selling to the home market, and you need to spell things out really clearly. The last minute presents a demo showing how to set up a "vault," assign it a password, and drag files into it.

The last minute of the demo—the real demo part of the "demo"—was good as far as it went. But it only showed a file or two being dragged into the vault. I wondered if I could drag whole folders. I mean, yes, almost certainly in 2010, I would expect that a product like this would accept folders, as well as files. But the demo didn't show any folders being dragged in. The Web copy doesn't mention "files and folders"; it repeatedly just says "files." The 2-page data sheet, which I opened as a PDF, does not include the word "folder." Which made me wonder: can you drag in whole folders? Wouldn't that have been an easy thing to show or mention, if it did?

Every now and then you buy a product assuming it will do X and Y, and you discover that no, it only does Y.

OK. This is a pretty straightforward question. Can I drag whole folders (preferably a multi-layer hierarchy of folders) into a McAfee Anti-Theft Vault? Yes or no? Yes, folders, or no, just files?

I click around the site. Suddenly there's a chat window popping up on my screen. OK, fine. I'll start a chat. This should be easy.

Here's a transcript. (With names changed: I have no interest at all in impugning any individuals here; I'm simply concerned with site architecture and process. I have a great deal of sympathy and admiration for people who work in call centers and help desks, and my admonition to myself [which I admit to sometimes failing to heed] is to always be unfailingly polite.)

Chat Conversation / Commentary
Please wait while we find an agent to assist you...
Hello, welcome to McAfee Chat. My name is John Doe. Please briefly describe your goal or question so I can connect you with the best resource to meet your objectives.
Wow. Who wrote that? It's so stilted. It reads like it came out of a committee that drew a diagram on a white board analyzing customer requests ("some of the users will have goals and others will have questions, so our copy should reflect that"). It reminds me of a story a tech-writer friend told me about starting at a company where a fellow writer greeted her with the words, "I'll be happy to show you the supply cabinet where you can obtain all the supplies which you'll utilize." And it makes me admire companies like eBay who make a concerted effort to make their Web copy clear and friendly.

McAfee's chat greeting is a cold bucket of corporate-ese splashed on a user who on the Web site was treated as an ordinary home computer user trying to protect his tax returns or pictures of favorite grandchildren.

But this opening copy, though awkward, is important. The person I'll be chatting with is not someone who has answers; he's not even someone who is supposed to have answers. He's less of a support rep and more of a concierge who will direct me to someone who really does (supposedly) have answers.

Two thoughts here: First, McAfee should make this process quick. This hand-off provides no direct value to the user; it's simply an implementation detail for McAfee. Second, let's explain this role in a friendly way. Something like: "We have lots of different groups at McAfee. First we're going to connect you to a Customer Service Concierge who will find out what you're looking for, then transfer you to the right group. We'll make this quick."

But for now, I need to describe my goal or question. Then I'll be connected to the best resource.
John Doe (the name I'm giving the rep in this blog post): How can we help you today?
That's better. "How can we help you?" Friendly and to the point.
Customer: Quick question. With the Anti-Theft product, do I have to drag files into the vault one at a time, or can I drag entire folders and subfolders?
John Doe: Were you considering purchasing protection today?
Uh-oh. To answer my question, you shouldn't need to know whether or not I'm about to purchase. I'm happy to talk to a sales rep at some point, but a lot of inside sales people don't know technical details. But OK, fine. I'll go along with this.
Customer: Yes.
John Doe: Ok, what I can do for you is transfer you to one of our Sales Agents and they can assist you in processing your order and make sure you get the appropriate product
Customer: Before I buy it, though, I'd like an answer to my question.
Customer: I'm comparing it to PGP's product, which apparently lets me encrypt folders.
John Doe: A Sales Agent will be able to assist you with your questions as well
John Doe: My purpose is to direct you to the best resource that can help you with your inquiry. By asking a few questions I can determine what kind of assistance you need, in this case our sales team
Customer: OK.
John Doe: OK, I will need to collect some information in order to manage your request appropriately. Can you please provide your first and last name email address and your phone number
So I'm in a chat session in which a customer service rep needs to collect more contact information so McAfee can answer a question about a basic feature of a product. Chat sessions imply instant service; that's why users join them. If I had wanted to talk to a salesperson on the phone, I would have called Sales. But already we're talking about "processing my order." I still don't have an answer to my question.
Customer: I don't want a phone call. I just want an answer to my yes-or-no question. You can email me at [ email address ].
John Doe: As per your question you have to simply drag the files to the vault. Is anything else I can do for you?
Customer: I know I can drag individual files. Can I drag entire folders?
Customer: If I have a folder hierarchy with 120 files, do I have to drag them all individually? The demo on the Web site is pretty cursory, and it shows only individual files being placed in the vault.
John Doe: If you need assistance with that you have to contact tech support, as I mentioned I am only an operator to direct you to the appropriate department to assist you. You can visit www.mcafeehelp.com or contact them at 1866-622-3911
They won't answer my question by email or by transferring me to another chat agent. They have to have a phone number. Or I can call Technical Support. What's wrong with email? Why offer the chat session at all? Why not just post numbers for Sales and Tech Support? Somewhat stunned.


Oh, if only that 2:32 video had been 2:37 and showed a folder being dragged. Unless, of course, it couldn't.

So I called McAfee sales. I spoke to a service rep. She asked if I was a customer. I said I was, but that it shouldn't matter: I was calling about a different product, and I just had a simple question. She said she needed my email address before she could continue. I gave her a valid email address. It turned out not to be the one in their records. I asked her if she could direct me to someone technical who could answer my question. It's a yes/no question, I reminded her. She told me to look for technical information on the Web site. I told her I wasn't going to buy her product and said good-bye.

As I mentioned earlier, I was almost certain that David Strom had written about disk encryption products for personal computers. I surfed to his site, www.strominator.com, clicked on a few tags, found the relevant article, saw that he uses PGP Disk but also recommends some free open source products.

I found an open source product that supports AES encryption of files and folders. Installed it. Encrypted my files. Yes, the interface is not as friendly as the interface to the McAfee product, but it's the end of the day now, and my files are encrypted. I still don't know if the McAfee product can encrypt whole folders in addition to individual files.

And now, nor do I care. I've solved my problem. And my biggest expense was time dealing with McAfee marketing and customer service.

A Lesson

I understand the temptation of sales and marketing folks to capture every interaction in a CRM. Budgets are tight, and accountability is more important than ever.

But workflows shouldn't put collecting CRM data over fast, friendly service. A single rep with a good, old-fashioned FAQ or knowledgebase would have made my day more pleasant and McAfee $29.95 richer. That's chump change, I realize, but I wonder how often interactions like this play out across all the various call centers at McAfee.