Since 2017, the Mozilla Foundation has maintained a guide called Privacy Not Included, which assesses the degree of security and privacy of products launched on the market and then signals to the public those that do not offer the minimum conditions for use.
The guide has 7 product categories: toys and games, smart home, home office, entertainment, wearables, health and exercise, and pets.
After mapping the main products on the market with the support of a research company, the foundation sends a series of technical questions to the manufacturers by e-mail. In parallel, it reviews the manufacturers’ websites and privacy policies to investigate the rules for the processing of personal data, and then analyzes the available mobile applications related to the products, finally paying special attention to the possible use of artificial intelligence.
After the evaluation, the foundation adds the product to the guide and presents the relevant information in the form of answers to various questions, such as: “can the product snoop on my activity?”, “what data is required to create an account?”, “what is the manufacturer’s history regarding data protection?”, “does the product meet the minimum security requirements?”, “does artificial intelligence use personal data to make decisions about me?”, among other questions.
There is also a section entitled “what could happen if something went wrong with the product”, which, as an exercise in imagination, describes the worst possible scenario, however extreme, related to security and privacy issues and their consequences for consumers.
Finally, the reader can rate the product as slightly, moderately or very scary, as well as check how others rated it and share the results on their favorite social network.
It goes without saying that it is not pleasant for a manufacturer to have its product displayed on this shelf. This exposure can damage image and reputation, which, despite being intangible assets, are essential to attract business opportunities and to maintain high confidence among consumers, investors, suppliers and employees.
Knowing this, it might be a good idea to run a tabletop test when developing the product, imagining how it would be evaluated for the purposes of the guide if it were already on the market. Going further, still at the product design stage, it is worthwhile to repeat the exercise of imagining the worst possible scenario, prompting the business team to consider what catastrophic situations could arise from the use of the product and, from there, what solutions should be embedded in the development process to avoid chaos. These tactics can be incorporated into the so-called privacy by design process, which is nothing more than the injection of privacy throughout the entire process of ideation and development of activities, products, services and new systems.
The keynote is prevention. It doesn’t hurt to remember the words of Warren Buffett: “it takes 20 years to build a reputation and only 5 minutes to destroy it”.
Paulo Vidigal, TecMundo columnist, is a partner at Prado Vidigal, specialized in Digital Law, Privacy and Data Protection. Certified by the International Association of Privacy Professionals (CIPP/E), he holds a postgraduate MBA degree in Electronic Law from Escola Paulista de Direito. He also has extension studies in Privacy and Data Protection from Universidade Presbiteriana Mackenzie and in Privacy by Design from Ryerson University.