[BreachExchange] Before using third-party tools, publishers should ask themselves these questions

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 12 19:31:27 EDT 2016


http://www.poynter.org/2016/before-using-a-third-party-tool-publishers-should-ask-themselves-these-questions/406359/

Datensparsamkeit is a German word that refers to collecting only the
minimal amount of information necessary to complete a task.

I learned about datensparsamkeit from a colleague who was creating a
confidential survey tool. I thought about it again recently while
considering what information news organizations may collect and store from
users, either through themselves or third-party tools.

March brought a particularly egregious example of poor data collection.
CNBC put up a tutorial to teach visitors about secure password creation,
but the passwords were collected and then sent without encryption to a
Google spreadsheet, which means anyone in an individual user's Wi-Fi
network or CNBC's network with the correct permissions could see it. The
tutorial was also set up so that the 30 or so advertisers whose ads
appeared on the page could also see the passwords.

CNBC took down the tutorial, but they’re not the only news organization
that routinely collects data about users through quizzes or survey results
or apps. Some news organizations then transmit this collected information
to advertisers or third-party tools. Should news organizations ponder the
ethical considerations of transmitting personal information like IP
addresses to third-party tools or advertisers without asking for explicit
permission?

Some more questions: What are the ethics that help publishers think about
the types of information they're gathering with third-party tools? What
does ethical consent for users look like? As a user of a news website, what
expectations do I have of privacy? And should those expectations be
different on a news website vs. other sites? Should there be journalism
review boards that assess data-collecting stories before they go live?

I’m not sure of the answers to these questions, but I am concerned that the
people making decisions about partnerships or third-party tools in
newsrooms don’t necessarily have the technical (or legal) chops to properly
evaluate the software partnerships that they’re making with other
organizations.

So, I’ve come up with lists of questions that news organizations could
ask before integrating third-party tools or collecting information from
users through apps. These lists are not comprehensive, and I would love to
see you build on them, either in the comment section or in an essay of your
own. I see this list as a start to what I hope is a much larger discussion
in the news industry.

For data visualizations and other apps:

What is the minimal amount of data that needs to be collected to complete
this task?

Who should have permission to view this data? Everyone in our newsroom?
Some people in our newsroom? Advertisers? Third-party tools that are on our
site?

Will some of the above-mentioned groups have exclusive access to data that
the news organization collects but doesn’t share with all groups?

How do we let users know who has permission to see their data?

Do users have to grant explicit permission to news organizations for data
to be stored?

Do users have access to what data is stored? For how long?

How long will we store this data?

How will we make sure the data we’re storing is secure?

Is there another way to tell the same story without collecting this data?

Is there an institutional review board or other editorial review before the
app goes live?

For third-party tools or platforms:

Has my newsroom properly vetted and assessed other options before deciding
on this tool? Have we considered all of the ethical implications?

What data is the third-party tool or platform allowed to collect? If that
changes, who makes that decision? How long is the data stored?

How does a third-party tool or platform support a publisher who no longer
wants to use the tool?

How does the third-party tool or platform share data back to my news
organization?

If the third-party tool or platform works with many news organizations, is
my data secure or is there a chance it is being shared with others? If so,
am I being informed?

Can I adapt or modify the privacy policy of the third-party tool or
platform? Do I need to put their privacy policy on my website? How will I
inform users?

If there is a data breach of the third-party tool or platform, how does my
news organization inform users? How would we be informed?

Is the third-party tool or platform sharing data with other parties? What
if it’s sold?

Will my organization be compensated for bringing additional business or
users to the third-party tool or platform? Should I inform my audience?

How do we report on the third-party tool or platform itself as a user of
the tool?

Do I want my brand to be featured in advertising for the third-party tool
or platform? If the third-party tool or platform has advertising, am I
allowed to say no to certain types of advertising with my content?

Can the third-party tool or platform send push notifications to my users?

What does informed consent look like for users of my website?

If the third-party tool or platform folds, who owns the data and content?
What happens to it?

Have I gotten an outside opinion from someone informed about the software
we’re thinking about using?

What is the minimum amount of data that I would feel comfortable sharing?

Is this something my users really want or need?