You’ve almost certainly come across one, whether wittingly or unwittingly. Most commonly, you’ll find one in elevators—often, the “close door” button isn’t connected to anything and exists merely to give passengers a sense of control.
Similarly, many thermostats in commercial buildings aren’t actually connected to the buildings’ HVAC system. The building manager sets the temperature and gives their tenants a non-functioning thermostat to make them feel like they’ve done something when they’re freezing their butts off.
Placebo buttons feed into our illusion of control, a psychological term that refers to our tendency to overestimate our ability to influence events. We all need and like to feel in control, and we’re biased toward thinking we are in control, even if we are demonstrably not. So, when we see that colleague who doesn’t shower regularly turn the corner and head toward the elevator, we feel better if we’re able to repeatedly jam a non-functional “close door” button on the elevator, even though it doesn’t actually seem to make the doors close any faster.
A placebo button is relatively harmless when it “closes” the door of an elevator, but when it comes to data privacy, placebo buttons are grossly negligent at best and outright malicious at worst.
Consider two stories in our newsletter from Apple and Google this week. Both Apple and Google received fines in the hundreds of millions of dollars for deceptively tracking users after they interacted with UI elements explicitly meant to stop such tracking.
In Apple’s case, researchers discovered that multiple built-in apps sent data to Apple—such as what users tapped on, which apps they searched for, what ads they saw, and so on—even after users toggled off a setting meant to explicitly block such transfers.
In Google’s case, it continued to record location data even when devices’ location tracking was turned off. Google then sold that data to advertisers.
When a user interacts with a UI element, they expect it to work. And it should work—human beings may not have a fundamental right to pick who they do or do not ride the elevator with, but they do have a fundamental right to privacy. When a placebo button violates that or any other fundamental right, it strays from the innocuous to the malicious.
Senior members of Twitter's privacy, security teams exit after warning about Elon Musk
As a slew of Twitter employees exit the company, the social media giant has lost senior members of its privacy and security teams. The departures appear to be a response to the perceived unwillingness of Elon Musk, Twitter’s new owner, to comply with FTC orders following a $150 million penalty. It was claimed that Alex Spiro, Musk's lawyer and current head of Twitter's legal department, said "that Elon is willing to take on a huge amount of risk in relation to this company and its users, because 'Elon puts rockets into space, he's not afraid of the FTC.'"
Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?
Under the new ownership of Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called main establishment under the GDPR. With the departure of key privacy personnel, including the GDPR-mandated data protection officer (DPO), Twitter no longer qualifies for the so-called one-stop shop. Previously, Twitter only had to contend with Irish data protection authorities, making Ireland its “one-stop shop.” Now, Twitter may need to contend with authorities from across the EU. Ireland has been criticized as being too lenient with Twitter, so the change may bring harsher scrutiny against the social media company.
Apple sued for allegedly deceiving users with privacy settings
Researchers discovered that multiple built-in apps continue to send Apple analytics data even when the iPhone’s Analytics settings explicitly turn off data transfers. Days later, a lawsuit was filed on the grounds that Apple is violating the California Invasion of Privacy Act.
First verdict under Illinois Biometric Information Privacy Act a sign of things to come
A jury in the Rogers v. BNSF Railway Co. case recently rendered the first verdict under Illinois' Biometric Information Privacy Act (BIPA). The BNSF Railway Co. had been illegally collecting fingerprint data from drivers entering railyards without first obtaining consent, resulting in a $228 million judgment.
Google pays nearly $392 million to settle sweeping location-tracking case
In a settlement with 40 states, Google has agreed to pay nearly $392 million after it was discovered that the company continued to track individuals through their devices even after location tracking had been turned off. "Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls," Oregon AG Rosenblum noted in a statement.
Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps
Thousands of smartphone apps contained code developed by Pushwoosh, a Russian company that presented itself as a U.S. company in social media and regulatory filings. The code enabled software developers to quickly build functionality for profiling and sending tailor-made push notifications. Centers for Disease Control (CDC) and U.S. Army personnel believed the software company was based in the U.S., and they removed apps that contained the code upon discovering the company’s actual nation of origin.
Listen to the BBB National Programs and Osano’s Privacy Abbreviated Podcast
On Privacy Abbreviated, Osano and the BBB National Programs dive into different data privacy issues facing the world today. On the most recent episode, the hosts spoke with Cobun Zweifel-Keegan, managing director of the Washington, DC office of the International Association of Privacy Professionals (IAPP), to break down the recent executive order on U.S.-EU data transfers, what comes next, and what this all means for businesses.