Author Topic: Kiva's Privacy Policy needs work  (Read 5465 times)
Peter S
Kiva Supporter
CA
« on: June 29, 2008, 11:06:08 AM »

Sam Mankiewicz, Kiva's Chief Technical Officer, said at the end of May, here in Ingvar's Risk and Due Diligence thread

Quote
I'm taking to heart the suggestions for more explicit statements on the website about security, and hope to get something together in the next month or so

While Sam is still dealing with that, I wondered what form such statements might take, and where on the Kiva site they should be. Having looked at what other companies doing business on the internet say about security, and where on their sites they say it, it seems fairly obvious that the place for such statements would be Kiva's Privacy Policy, which although a free-standing document, is linked to Kiva's Terms of Use and incorporated within it - see the end of the first paragraph of the ToU where there's an injunction to read the Privacy Policy as well as the rest of the ToU.

This is what Kiva's Privacy Policy consists of right now:

   1. Kiva will not rent or sell your personal information to third parties.

   2. By default, you will receive update emails on your loans that are sent by our field partners through the Website. Kiva will not disclose your email address to our partners in any case -- these emails are sent through a webform without any third party learning your address. You can choose not to receive these emails through a preference on the Website.

   3. By default, you may receive periodic newsletter emails from Kiva. The frequency of these newsletters may vary but will be no greater than once per month. You can choose not to receive these newsletters through a preference on the Website.

   4. Kiva will not disclose your personally identifiable lending activity to any third party without consent. Kiva reserves the right to record and display anonymous lending activity on the Website and display the general regions where our lenders are located.

   5. We take privacy seriously and we value yours.


Finding explicit statements and reassurances about security invariably involves looking at a company's Privacy Policy.  I looked at the policies of a few companies who can reasonably be assumed to be doing it more or less right: Google, Amazon, eBay, Microsoft, IBM, Wal-Mart, and Yahoo.

Having read through those privacy policies (it's OK, I don't easily get bored..) I think it's fair to say that Kiva's current Privacy Policy doesn't really stack up in terms of what a privacy policy normally does. In fact it's pretty puny.  This isn't a criticism of Kiva -- I recognize that it's probably a long way down the list of priorities -- but by looking at what the big guys do, they could see what the privacy policy framework tends to be, and re-write theirs accordingly, on the monkey-see monkey-do principle. Or, to dignify it a little, indulge in a little judicious emulation...

The privacy policies of Google, IBM etc, tend to follow a basic pattern, some more systematically than others, but in essence they all state in relation to users' personal data:

  • what is collected
  • how it is collected (web forms, cookies, web beacons etc)
  • how it is used
  • whether and to what extent it is shared with third parties
  • what security measures are in place to protect against unauthorized access

Some of the privacy policies I've looked at go slightly further than the framework outlined above, and comply with California Business & Professions Code 22575 et seq by being dated, and by providing links to archived copies of previous versions of the privacy policy.  Some of the companies doing business in the more heavily regulated environment of Europe (notably, Google and Amazon) are members of the U.S. Department of Commerce's Safe Harbor program and adhere to that program's privacy principles of "Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement".  Again, many of those companies are signed up to the TRUSTe Web Privacy Seal program, which provides independent verification of statements companies make on their websites about privacy and security of personal data.

Although membership of TRUSTe and/or Safe Harbor might be a little advanced for Kiva at this stage (of the two, TRUSTe certification would be easier to achieve), I suggest that Kiva's privacy policy could use that kind of systematic approach evident in the privacy policies of the big players, and it would certainly I think be the right place for Sam to make those statements he's still mulling over about security.

Peter

verba volant, littera scripta manet
Dagfinn
Kiva Supporter
« Reply To This #1 on: June 29, 2008, 11:27:36 AM »

I can just add that, working with IBM, their dealing with personal data is first rate!   AND that I feel ok with Kiva even though they are mediocre in that department - I guess it goes with the territory and I basically trust them Peter

Be well, Dagfinn A.
redstarr
Kiva Supporter
Fort Smith
« Reply To This #2 on: June 30, 2008, 11:05:00 AM »

While maybe it isn't worded as fancy and specific as some big companies, I think the policy itself is doing an awesome job.  There's a lot of charities and organizations that as soon as you get involved get you on the mailing list to be solicited by every other charity and organization under the sun.  It's as if they put a great big target on your forehead that says "Hey!  She's got a soft heart and a loose grip on her wallet!  Everybody ask her for money!".  I haven't received ANY extra solicitations that seem to coincide with becoming involved with Kiva.  Not from any other charities.  Not from any companies.  Not from Kiva itself.    It's been spam free.  Kiva is doing a TERRIFIC job of keeping my info private.
« Last Edit: June 30, 2008, 11:05:38 AM by redstarr »
AccountAbility
Kiva Supporter
Friday Harbor, WA
« Reply To This #3 on: June 30, 2008, 11:37:03 AM »

Peter -  Thanks for bringing this up as a valid issue.  As Kiva grows it also needs to deal with more issues than "how do we get loans up on the website".

A Privacy Policy is regretfully a necessity in this day and age, especially when Kiva is getting to be of a size to play with the big boys.  It may not be yet on the front burner, but like having a thorough and workable Terms of Use, it is an important piece of becoming fully established.

In the meantime, we do trust them because their heart is in the right place.

Dan

We are loaners!
Peter S
Kiva Supporter
CA
« Reply To This #4 on: June 30, 2008, 11:45:37 AM »

Hi Dagfinn & Redstarr (and I see now on preview, Dan as well)

Just to clarify, I wasn't seeking to bring into question Kiva's practical policies in relation to users' privacy -- I absolutely agree with both all of you that Kiva can be trusted in this regard.

The point of my post was merely to suggest that the Privacy Policy as a document which is referenced in the Kiva Terms Of Use, could do with some work, and could usefully be structured more logically and systematically along the lines of those examples provided by the bigger outfits.  And, that more systematic approach would give Sam Mankiewicz the opportunity to give expression to the explicit statements about security that he said he was mulling over, because a better-structured Privacy Policy would be the right place for those statements to appear on the Kiva site.

Peter

verba volant, littera scripta manet
Peter S
Kiva Supporter
CA
« Reply To This #5 on: December 02, 2009, 01:49:37 PM »


Quote
Just to clarify, I wasn't seeking to bring into question Kiva's practical policies in relation to users' privacy -- I absolutely agree with both all of you that Kiva can be trusted in this regard.


I now, unfortunately, have to actually bring into question Kiva's practical policies in relation to users' privacy.  I just received an email from Kiva CS which reads like this:

Quote
Hello,
 
We wanted to let you know that Kiva’s system sent out duplicate refund payments on loans to the Andina Group and the Anonymous Group when the loans expired on November 30, 2009. Our engineering team has already reversed these duplicate payments and your accounts should now reflect accurate balances, but we wanted to make sure you were aware of the issue just in case you noticed any changes in the amount of credit available in your account.
 
We apologize for the error and for the inconvenience this may have caused you. Please feel free to reach out to me if you have any questions about this!
 
Best wishes,
...followed by the salutation of the person in Kiva Customer Service who sent the email

The breach of users' privacy is that each of the 154 recipients of the email can see the email address of every other recipient of the email

Peter



(And by the way, Kiva's privacy policy as written *still* doesn't adhere to the State of California's specific legal requirements relating to online privacy policies.)

verba volant, littera scripta manet
Mona
Kiva Supporter
Berlin
« Reply To This #6 on: December 02, 2009, 01:54:09 PM »

The somehow funny thing is that I never got the original email but only the answer of another lender who was also complaining about the same thing as you, Peter.
Diane R
Administrator
Bay Area, CA
« Reply To This #7 on: December 02, 2009, 01:58:31 PM »

I received that email also, and immediately wrote back to its sender, noting what a troubling error it was.  A breach of privacy to say the least.

There's nothing that can be done about it now, but it's not the sort of thing I expect from a professional organization.  Many of us go to great lengths to avoid our emails becoming publicized, and it's quite troubling that this mistake occurred.


--Diane.
wthepoo
Kiva Supporter
Berlin
« Reply To This #8 on: December 02, 2009, 04:47:01 PM »

Quote
The breach of users' privacy is that each of the 154 recipients of the email can see the email address of every other recipient of the email

This really, really, really shouldn't have happened, and I am pondering sending them an e-mail, too, just to help reach a critical mass (though I am feeling a little sorry for the person who sent that mail). Why haven't they simply posted a journal update to the two loans in question? I imagine that should even have been easier than adding the 154 e-mail-addresses. (Yes, some lenders might have opted out of receiving journal updates by mail - but that's their decision...)

Shockingly enough, though, it doesn't even - in my case - necessarily seem to contravene Kiva's privacy policy...

Quote
Kiva will not rent or sell your personal information to third parties.

They didn't.

Quote
Kiva will not disclose your email address to our partners in any case -- these emails are sent through a webform without any third party learning your address.

The other 153 recipients aren't (field) partners in that sense.

Quote
Kiva will not disclose your personally identifiable lending activity to any third party without consent.

OK, you could argue that by seeing the e-mail addresses of the other lenders, I can identify them as lenders to one of these two loans... but in the case of 138 of the lenders that's basically what's out in the open on kiva.org, anyway, and rather not covered by this policy (?). That will be different for the 16 anonymous lenders, though.

Quote
We take privacy seriously and we value yours.

Thanks. Much appreciated.

Best wishes,
Wolfgang.
AccountAbility
Kiva Supporter
Friday Harbor, WA
« Reply To This #9 on: December 02, 2009, 08:35:20 PM »


Quote
... but in the case of 138 of the lenders that's basically what's out in the open on kiva.org, anyway, and rather not covered by this policy (?). That will be different for the 16 anonymous lenders, though.

But even though those lenders could be identified from the loan page, their email addresses are not "out in the open".

Dan

We are loaners!
tomgray
Kiva Supporter
« Reply To This #10 on: December 02, 2009, 08:40:35 PM »

Good point, but, it happens.  People occasionally make mistakes, even in professional organizations (I know from personal experience making them).  I didn't write back myself, because I was confident many others would.  Over time, I have gotten very good about using bcc and not cc, but it took some time to really get the habit ingrained.  I counsel patience.

Quote
I received that email also, and immediately wrote back to its sender, noting what a troubling error it was.  A breach of privacy to say the least.

There's nothing that can be done about it now, but it's not the sort of thing I expect from a professional organization.  Many of us go to great lengths to avoid our emails becoming publicized, and it's quite troubling that this mistake occurred.
David2051
Kiva Supporter
Evansville, IN
« Reply To This #11 on: December 02, 2009, 09:14:57 PM »

I'm sorry to see this happen, especially on a loan that was supposed to be special for you, Diane.  And this was Ian's fun loan too, wasn't it?  I had heard before that he had problems remaining anonymous...

I get a lot of messages with many email addresses, passed around messages from my mom or the lady that runs the neighborhood association.  I'm always tempted to invite them all to Kiva!

I've never gotten one from Vanguard or ING Bank, etc.

Join Team Smile Train!  http://www.kiva.org/team/smile_train  :-)

“send a postcard and receive a postcard back from a random person somewhere in the world!” http://www.postcrossing.com/

Learn more about ovarian cancer. Educate for early detection.  http://ovariancancerin.org/

Be a bone marrow donor, save a life.  http://bit.ly/4Amit

Change a child's life, be a sponsor.  http://children.org/
YowieFreak
Kiva Supporter
« Reply To This #12 on: December 02, 2009, 09:40:50 PM »

Quote
And this was Ian's fun loan too, wasn't it?  I had heard before that he had problems remaining anonymous...

Yes, they have switched back to publishing my address to the site every time I add credit from PayPal and, although I can get around the problem by just putting dummy data into the address details fields, I shouldn't have to put dummy data in to the system just to avoid their bugs - especially when there is an equally simple fix that Kiva can implement at their end that will eradicate the bug for me and all other lenders.

The big question is whether they will fix the bugs up in the "100% funded" email (which was what was making this a "fun" loan for me) before or after the next "Anonymous" group appears on the site.
wthepoo
Kiva Supporter
Berlin
« Reply To This #13 on: December 03, 2009, 04:21:52 AM »

Quote
But even though those lenders could be identified from the loan page, their email addresses are not "out in the open".

Dan

True, Dan, but the Privacy Policy is not referring to "information" but to "personally identifiable lending activity" that they would not disclose.

My whole point is that I agree with Peter: The Privacy Policy needs some work.

Best wishes,
Wolfgang.
AccountAbility
Kiva Supporter
Friday Harbor, WA
« Reply To This #14 on: December 03, 2009, 11:48:36 AM »

Quote
True, Dan, but the Privacy Policy is not referring to "information" but to "personally identifiable lending activity" that they would not disclose.

My whole point is that I agree with Peter: The Privacy Policy needs some work.

Best wishes,
Wolfgang.

The "will not disclose" section does only refer to lending activity (what a pity).

But based on the first section, they apparently can give out our "information" willy nilly so long as they don't "rent or sell" that information.  So I guess Ian is out of luck that his PayPal details keep getting exposed to the world -- after all, it's only information -- and they are giving it away free.

Dan
« Last Edit: December 03, 2009, 11:49:12 AM by AccountAbility »

We are loaners!