The Seven P’s of Crowdfunding

(Excerpt from EDCO Bend Pubtalk, Feb 26 2015)

Thanks very much for the invitation to speak tonight about the insider experience of a crowdfunding campaign. Because I love a snappy aphorism, I came up with an expression that I hope you will take away with you, and use as you plan or evaluate future crowdfunding campaigns.

Let me explain. My Dad’s name was Pete. Pete was a Navy man, and a firm believer in the principle of continuous improvement; and he passed along to me his formula for getting a job done, and getting it done right the first time. Lauren, he said, never forget the 7 P’s: Proper Prior Preparation Prevents Piss Poor Performance. Repeat. Now those seven words could not be more applicable to the task of running a successful crowdfunding campaign. No amount of preparation is too much, because once the ball drops and that 30-day clock starts ticking, there’s nothing you can do but react.

But I realized I could go old Pete one better, and came up with the Seven P’s of crowdfunding, which go like this: Pitch, Promise, PR, Premiums, Process, Performance, and Passion. We’ll talk through those seven elements now, and I’ll illustrate their impact with some pithy comments from several successful crowdfunding veterans.

1. Pitch – This is the whole package, the website and video, the thing that you hit the “Go” button on and hold your breath. It better be good, because you are competing for eyeballs even before you start competing for money, and there are a lot of other worthy projects out there at the same time. And that doesn’t take into account competition from Reddit, Buzzfeed, and whatever championship game is on that day.

So what makes a successful pitch? It’s hard to predict, and honestly sometimes the big winners and surprising losers seem totally random. But I think the winners have a few things in common:

  • A focused pitch, driving toward a single outcome, that
  • solves a problem, and
  • is offered at the right place and time (especially if the product has an element of seasonality), and
  • appears to be likely to succeed – that is, shows signs of being a quality project.

Your pitch contains multiple signals about the quality of the effort in its totality, which can result in a network effect: signals of a high-quality project attract early backers who act more like investors (assessing team, market, barriers to entry, etc), and these people act as influencers of later, more casual, backers. Your pitch has to succeed with these early assessors before it can gather viral steam and generate social success. So investing in high-quality video and copywriting is likely to pay off.

The most important element of your pitch that is under your control is the video, so I wanted to pass along this wisdom from Mitch Daugherty at Built Oregon, whose Kickstarter video is just so beautiful it could make you cry:

Take your time, script it out, and do it right. Seriously. Your video is what people will watch, especially if you have a long page of copy. We could have just shot the video primarily in PDX and used stock video snippets of other parts of Oregon, but by scripting out the vision first, we realized immediately that what we want to build on Kickstarter and beyond needed a more in-depth and compelling story. So we took our time, drove the state, and got 40 people and 30 companies into the video. That video will define you, so make sure what you show is what you are going to deliver.

2. Promise – Unlike other ventures, in a crowdfunding campaign the learning about what it takes to deliver follows, rather than precedes, the promise to deliver. And since you don’t know what you don’t know, how can you tell if your promise is grounded in the real world? Do you know the cost to manufacture/create/deliver the goods? How quickly can you pull the production trigger, and what are the upfront costs to do so? Can you handle storage and shipment of the goods? Can you scale your process if your campaign blows up? (This can be significant, as we’ll see in a later section).

Lynn Le from Society Nine had this to say about the Promise:

Make SURE you have your product development process going already. It is okay if you still have just protos, or phases of protos; if you have your final sales samples done and all it literally takes is the push of a button to go on a production order, great – but whatever the case, product development needs to already be going. That way you can manage transparency with your backers, AND they feel like they are on this journey with you.

Even the Kickstarter handbook strongly suggests that you underpromise, and overdeliver – and give yourself some breathing room besides.

3. PR – Press and Social

When you see the amount of press that a hot Kickstarter campaign generates, it’s easy to think that “if you build it, they will come.” But in reality, the process of pre-loading press has to start months before the campaign launches. Bloggers and mainstream writers in every domain are completely inundated with press releases every day, and it can take multiple contacts and inside networking to get their attention. And once you have their attention, you have to fit in their editorial schedule, which may be planned well in advance. Then once you launch, you have to keep the ball in the air so they will write about you again. All this takes so much more time than you ever think it will, and can be white-knuckle to the finish.

Adam Smith from DIY Floral Grid had this to say about press:

Don’t assume that early press will lead to more press. The first day of my campaign, I achieved nearly 35% funding.  I was pretty confident that with recognizable names already promoting the campaign + a decent amount of early funding, that I’d be able to drum up a lot more press once the campaign was live.  I was very wrong!  The rest of the month was a slow and grueling march to the finish.  I did get some smaller outlets to promote the campaign, but nothing very substantial.  All the other outlets I approached either already had promotional calendars planned out, or they weren’t interested in promoting a campaign that was partially started (bottom line – don’t underestimate a PR person’s desire to ‘break news’).

And Matt Stormont from Togetherfarm said:

I took time prior to launch to ask key supporters for help if need be.  I called upon these strategic supporters at plateau points during my crowd funding project to help keep the momentum moving forward.  At the time, I didn’t know if this strategy would work, and it did!

Now let’s talk about Social Media, especially Facebook. A Wharton study from last year found a strong correlation between the number of Facebook friends in a founder’s account linked to a Kickstarter campaign, and the success of that campaign. So it’s no surprise that Coolest Cooler’s Facebook page has 84K likes, and very active updates. Exploding Kittens’ Facebook has 109K likes, and Ouya’s has 102K. These levels correlate closely to the number of backers each project ultimately signed up, but the process of building that Facebook presence started long before the crowdfunding campaign launched.

Adam Smith again: I learned the hard way that not all press is created equal.  I actually pushed my launch date forward because I had commitment from a major magazine to promote my campaign. I didn’t want to miss out on their offer, because I was sure that this single bit of promotion would be my biggest driver of backers.  Ultimately, they promoted the campaign via Twitter, which in my opinion (now) is worthless in actually driving action and traffic.  Even with a huge audience, I didn’t get more than a handful of click throughs from Twitter.  Almost all of my traffic came from Facebook and Blogs.  If I had to do it over again, I would focus specifically on getting featured blog posts which would then be shared via Facebook. Luckily, I got big bumps in traffic thanks to Vern Yip from HGTV and the Beekman 1802 Boys.  Their fans not only supported my campaign, they shared it with their networks robustly.

4. Premiums – rewards should offer some kind of value or connection to the project, be cheap and simple to source and fulfill, and offer an opportunity for multiple contacts between the campaign and its backers. Wacky rewards may even lead to additional press, which can drive traffic to your campaign. But beware of complicated rewards or too many premium levels.

Mitch Daugherty from Built Oregon had this to say about premiums:

Sure, make them fun, but also know how much you want to raise and which buckets you foresee getting the most support from and create rewards to drive those buckets. Also, make sure you can deliver your rewards in a timely manner. This is super critical.

5. Process:

So what are those 30 days really like? Do you just sit around and boggle at the dollars rolling in to your Kickstarter account? I read about one company that rigged an air horn to sound every time they received a pledge – can you imagine a worse price to pay for each incremental success? I guess they dropped that after a little while.

Matt: I look at a crowd fund project a little like riding a bull.  The rider thinks he has a certain amount of control, but the bull disagrees.  A crowd fund project has a mutually agreed starting point, but the end destination is always a surprise.  Hang on tight and enjoy the ride!

Adam: One other major lesson I learned is the value of teamwork.  I did everything in my campaign myself.  Product design, my video, setting up PR, responding to backer emails, fulfilling orders…literally everything.  And it was exhausting and insanely stressful. Looking back, I know many of my friends and family would have loved to be a part of it, and I probably missed out on some great talent to help in areas that aren’t my strongest.

6. Performance – this ties back to Pitch and Promise – did you have real visibility into what it would take to deliver the goods when you launched your campaign? Did you raise enough money to fulfill your premiums as well as perform whatever you promised in your pitch (see how that all ties together?). Keep in mind that your platform plus your billing processor will take a chunk of the proceeds – do you have enough left to perform and still turn a profit?

The Wharton study I mentioned earlier found that, while most campaigns do end up fulfilling their promises to backers, nearly 75% of successfully funded projects experience some delay in fulfillment. It’s interesting to note that, according to the study, the degree to which a project is overfunded often predicts the likelihood that fulfillment will be delayed.

Let’s take Coolest Cooler as an example. The campaign raised 26,000% of its goal, pre-selling its product to 62,000 backers. The product was originally promised for February 2015, but the company recently announced that it would slip to July. The company has justified the delay by adding a lot of improvements to the product, which is great for people who got in at $185. But certainly the Bill of Materials has gone up – the post-campaign price was originally targeted at $300, but is now $399, a 30% increase at retail – so whatever margin the product had at $185 has been eaten into by increased cost of goods, outside management fees, expedite costs, etc – all times the 62,000 pieces that the company needs to deliver ASAP. And this doesn’t factor in the reputational cost of having such a high-profile campaign run into performance problems.

Coolest has done a great job of communicating about their delay and offering a lot of transparency into their process, even posting a “countdown to delivery” on their webpage. Since the majority of crowdfunding projects experience some sort of delay in fulfillment, Coolest is in good company, and once they deliver their amazing product, all will be forgiven. But I imagine these are some heart-pounding times at Coolest HQ.

And since we’re talking about heart, let’s talk about #7, Passion – the most important element of your crowdfunding campaign.

Why is passion, genuine passion, so important? Because you’re not just asking people to give your product a try, or support your cause, or help your company make its next payroll – you’re asking them to have faith in you, and that requires authentic devotion to your cause and the kind of powerful communication that can only come from the heart.

Here’s Lynn from Society Nine again:

You *have* to know the heart of your brand – because the heart of your brand connects to your consumer. That is the key reason why we got so many allies in different communities – real women, real fighters both pro and non-pro, who were ready to step up to help us succeed. I’m not just talking pro fighters, but allies EVERYWHERE. The heart has to be defined by core values, and a key mission. You have to live and breathe by this credo. The first product I ever created for Society Nine was actually our brand manifesto. Whatever we created – a hoodie, boxing gloves, doesn’t matter – it needed to ooze this.

I don’t know what I could possibly say to improve on Lynn’s words, so I will leave it at that!

My heartfelt thanks to the Kickstarter vets who told me their stories to help prepare for tonight, to you for coming and hearing them, and to EDCO for providing this wonderful forum for learning, connecting, and giving back.

So go forth and crowdfund, have fun, and never forget the Seven P’s!


You need a Privacy Action Plan. Start here.

Need a handy acronym to keep on track with privacy planning? Try this: your policy needs to be Adequate, Accurate, and Authentic. Customize, implement, and revisit as necessary.

If you own or manage a business of any kind or size, you have almost certainly realized by now that you need to be responsive to privacy concerns. Your employees, customers, and investors all want and deserve assurance that you are treating their personal information with due care and respect, and that you aren’t using or selling their information in ways they wouldn’t expect or approve of. You need a privacy policy (internally) and a privacy notice (externally) that really capture and communicate your organization’s values.

But where to start? Is it enough to go to your competitor’s website, copy their privacy notice, and cut-and-paste your company name in place of theirs? Uh, no. For one thing, copying material from someone else’s website is probably a copyright violation. Also, realizing that this notice operates as a contract between you and your customers, are you absolutely certain that you want to, and can, be bound to the obligations in this unexamined pilfered document? (And really, if this other business is so similar to yours that you can rely on the same, exact terms that they do, should you be running this business in the first place?)

Maybe you can avoid the issue by not posting a privacy notice at all. You run a clean and respectable business, and you do take reasonable care managing the personal data that you hold, so why make trouble for yourself by publishing a privacy notice?

Unfortunately, the old ostrich approach doesn’t work if you are in a regulated industry like healthcare, education or finance; if you sell to customers in California; if you sell some kinds of apps through the Apple iTunes Store; or if you want to buy cyber insurance. All these playing fields have a published privacy policy as a cost of entry. And given that 89% of consumers in a recent survey agreed with the statement “I avoid doing business with companies who I believe do not protect my privacy online,” do you want potential customers to walk away when they discover that you don’t offer any information about your privacy practices — or worse, don’t have any privacy practices at all?

It’s important to note that we’re not just talking about privacy notices here — those unwieldy, outdated, and unread word salads buried at the bottom of websites. Privacy notices are incredibly important, because they form a kind of contract between you and your customers that can create all kinds of legal and regulatory obligations. But these notices represent only the external components of your organization’s core privacy values and operations – for example, you wouldn’t put your employee privacy protection policies, or your building security measures, in your outward privacy notice, but they are important components of your overall privacy policy.

Rather, your privacy policy is an internal manifesto, memorialized in document form and widely shared in your organization, that captures your core values around privacy in a manner that can be shared across functions and respond dynamically to changing business conditions. From the earliest stages of product brainstorming to daily front-line customer service, a privacy consensus lets everyone in the organization — and by extension your customers and partners — make independent decisions that reflect these core values. When you know your goals and beliefs internally, it’s a lot easier to carve out the customer-facing portion of the document and present it to the world as your privacy notice.

So, let’s start crafting a privacy policy that works for your organization. When complete, your policy will capture your company’s core values, educate your employees, and communicate with your customers as the basis for your privacy notice. It will be Adequate for the kind of business you are in; Accurate as to how you carry that business out; and Authentic so that it can be acted on by everyone who works with you and your customers. You’ll need to work with internal stakeholders, and possibly outside legal and security consultants, so give yourself some space to work and a reasonable schedule to work through the steps!

1. Is your privacy policy Adequate? Does it meet the minimum requirements for the marketplace where you operate?

Adequacy is primarily a legal question, and can be broken down into two main analyses:

Sectors: what commercial sectors do you operate in, and are they subject to state and/or federal regulation? Is your sector additionally subject to self-regulation? Examples of regulated sectors include finance, healthcare, utility, education, and products for kids. Self-regulatory bodies include PCI, DAA/NAI and certification programs like TRUSTe. All of these sectors and regulators offer baseline privacy and security requirements that you must meet in order to maintain compliance.

Geographies: where is your company located, and where do you sell your products? Most US states have data breach notification laws for companies located in their boundaries, and many have comprehensive regulation requiring companies to implement controls that protect their customers against data breach in the first place.

Additionally, you must consider the regulations of the states where your customers are located. If you sell to customers who reside in California (and it’s hard to imagine the online business that doesn’t) you are subject to the California Online Privacy Protection Act (CalOPPA) and possibly several other state-specific rules. The penalties for noncompliance are significant (at $2500 per download, for example, a good first day selling your new app could cost you a couple million dollars).

Similarly, sales, marketing, and data transfer operations conducted outside the US may be subject to very different regulations and likewise incur significant penalties for noncompliance.

2. Is your privacy policy Accurate?

Accuracy is primarily a design and operations question, looking at how your products and marketing activities implement your business model.

If you tell users “we don’t share your personal information with third parties,” but you use free tools like Flurry or Google Analytics, your privacy policy isn’t accurate. If you accept credit cards, online or in person, and don’t keep up to date on your PCI compliance, your privacy policy isn’t accurate. If your registration process offers a method for users to opt out of data collection, and you collect and share users’ information regardless of user choice, your privacy policy isn’t accurate. If your privacy policy says that you rigorously control employee access to customer data, and your employees are keeping track of customers’ one-night-stands, your privacy policy definitely isn’t accurate!

An inaccurate privacy policy can lead to brand catastrophe and user lawsuits. Worse, it can attract the attention of the Federal Trade Commission, which has broad enforcement powers when it finds “unfair or deceptive” tactics used in commerce. You didn’t really mean to invite the FTC to stop by the office for a friendly audit, every year for the next 20 years, did you?

3. Is your privacy policy Authentic?

Authenticity is a cultural and communications question. Authenticity means that your company’s privacy policy is pervasive throughout the organization, accessible and frequently discussed. An authentic privacy policy can be applied cross-functionally, wherever people come in contact with personal or sensitive information, or design or implement processes that will collect, retain, analyze, or disclose such information.

This is where the rubber really meets the road. Do you view and monetize customer transactions as quid-pro-quo economic exchanges, or solely as information-gathering opportunities? Either way, the privacy policy discussion is your opportunity to make sure that your privacy ethos pervades your organization.

And remember, privacy can’t be outsourced. Even when you work with vendors and third-party processors, the buck always stops with you. It’s your brand, reputation, and insurance policy on the line!

Once your privacy policy is complete, you will want to revisit it regularly, and particularly when planning a new product, entering a new market or geography, or contemplating a sale or acquisition (more on that in an upcoming post). Having an adequate, accurate and authentic privacy policy is more than good corporate citizenship; it is a fundamental cost of doing business – get started on yours today!

Privacy is So Money

For technology companies, privacy and security investment isn’t just about protecting against downside any more — new products and venture money mean it’s finally possible to deliver on the upside by developing privacy-enhancing technologies. 

I attended another cyber security seminar last week, where a panel of distinguished security experts succeeded in scaring the bejeesus out of a group of business owners about the dangers of being underprepared for the inevitable breach headed their way.

No doubt, the costs of recovering from breach can be staggering. Here’s how Home Depot described the realized and anticipated costs of dealing with its breach earlier this year:

“cost(s) to investigate the data breach, provide credit monitoring services to customers, increase call center staffing, and pay legal and professional services…liabilities to payment card networks for reimbursements of payment card fraud and card reissuance costs; liabilities related to the company’s private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.”

And a company doesn’t even need to get breached to suffer the harsh consequences of having an inadequate or inauthentic privacy policy. Safe to bet that the managers and investors in Whisper aren’t too pleased about Senator Rockefeller’s looming Congressional investigation; or that the people running TinyCo aren’t excited about the prospect of 20 years’ oversight by the FTC. The $16.5 million fine that Positive Singles is staring down for revealing the “confidential” STD status of its subscribers will probably put a significant ding in its quarterly results. And do we really need to talk about the social capital costs of Uber’s latest revelations?

Certainly, companies can and should take steps to avoid the kind of negative ROI associated with breach, and should examine their internal policies and behaviors to avoid the embarrassment and brand damage that can accompany even non-breach privacy mishaps. Many traditional insurers are now offering comprehensive breach management as part of their cyber policies, which can protect against both the economic and reputational costs of breach. And it’s never a bad time to make sure that your company’s customer-facing policy notices are compliant with California’s notice requirement, and that you are actually making good on the promises that notice contains.

But it’s more fun to talk about companies that are targeting positive ROI by embracing privacy as a core value, and by developing tools and products that put privacy control in the hands of mainstream consumers. These are companies like Abine, whose Blur and DeleteMe tools offer subscription-based programs for reclaiming your online identity; Wickr, Threema, and Sicher, each offering different flavors of secure private messaging; Xpire and Ello, private non-ad-supported social networks; SurfEasy and ZenMate’s private browsing solutions; private search from DuckDuckGo; and Avatron,* whose upcoming Everydisk software is a private alternative to third-party cloud storage.

It remains to be seen how these companies will turn their virtuous goals into gold – but it’s a fair bet that the big venture money behind some of them (Mark Cuban, in the case of Xpire; T-Ventures with ZenMate; Atlas and General Catalyst behind Abine) is looking for more than social capital in return.

This month’s Pew report on perceptions of data privacy shows that consumers are well aware of the excess collection and disclosure of their private information, so the market should be ripe for easy-to-use tools that deliver control back to the data owners. While work continues at the FTC and elsewhere to drive legislative change that will force organizations to treat private data with transparency, care, and accountability, companies like these can move faster to deliver data control back to consumers, and make some money at the same time.

Know about another consumer-focused privacy tool or company? Send a link and spread the word!

*Avatron is the only company on this list that I have a personal interest in.

Privacy Policy or Miranda Warning? Big Data and the Age of Self-Incrimination

The Right to Silence protects us against self-incrimination: the use of statements that we make against our own interests, in court and under interrogation. Yet data brokers package the statements we make about ourselves, gathered from our transactions online and in real life, to deliver a profile that can be used against us in commercial transactions. Should there be a “5th Amendment” for consumers?

Everyone loves the 5th Amendment. Relied upon by screenwriters and suspected mob bosses, it’s the only one of our fundamental rights to be reduced to a handy, greeting-card sized sentiment for police to use in the field (the mighty Miranda warning). And why not? The Framers put the 5th Amendment in the Bill of Rights as a defense against tyranny and mob rule, by forcing the government to overcome the presumption of innocence without using compelled testimony from the accused.

The idea that a citizen is “innocent until proven guilty” is one of the oldest and most durable expressions in our shared social code, cited back into Roman times, and reiterated in constitutions and civil codes around the world. Presumption of innocence means that the burden is on the government to prove guilt, rather than on the accused to prove innocence. The 5th Amendment enforces this obligation on the government by explicitly enumerating the right to not speak against your own interests, so that a confession that is extracted through torture or compulsion is useless in the government’s case (the exclusionary rule, aka “fruit of the poisonous tree”).

This right against self-incrimination is so urgent, so fundamental, that we require police not only to remind you of it by reading aloud from a card so they get the words exactly right, but also to verbally confirm that you understand your rights before proceeding with questioning. If the police fail to make sure that you understand your rights, they can’t use your own self-incriminating statements against you.

For a right that is so enshrined in our social norms – even that notorious old softie, Justice Rehnquist, said in 2000 that Miranda warnings had become part of our popular culture – we’re shockingly generous about letting data brokers and marketers use our daily transactions and activities to build profiles that will most certainly be used against us in commercial transactions, and could easily be used against us in legal or governmental settings.

We’re not just talking about the personal information that you (more or less) knowingly provide in exchange for “free” services like Facebook – rather, this is the information that is quietly harvested when you tweet a political opinion, purchase a fatty snack or a bottle of bourbon, or drive in a bad neighborhood late at night, in addition to the raft of personal demographics already in your file. Much has been written elsewhere about the staggering quantity of data being collected, the security risks of its aggregation and storage, and the ill uses to which it might be put. And in May 2014, the Federal Trade Commission came out with its own massive report on the state of the industry, with a sobering list of the data being collected and a comprehensive legislative agenda to bolster consumer protection, including the creation of a centralized “opt-out” portal.

Of course, data brokers are not themselves subject to the constraints of the 5th Amendment. That would fly in the face of another beloved American principle, Freedom of Contract, which says that you can enter into any damn fool agreement you like so long as it’s not unconscionable, illegal, or agreed to under misrepresentation or duress. So if you want to deliver yourself unto the data brokers for dissection and repackaging, you probably ought to be able to. If you think the incentives offered by marketers match up with how much you love your privacy, you’re free to make the deal. But when the incentives are earned and spent by the data broker instead of the data subject, that’s a bad deal and you should be able to opt out.

The FTC has taken a step in the right direction with its recent efforts to shine a light on this opaque and largely unregulated industry, and the call for a means for consumers to opt-out of personal data collection. But Miranda requires us to affirmatively, knowingly opt-in before we offer up incriminating information about ourselves – shouldn’t we be able to make the same informed decision about delivering our most sensitive and potentially compromising personal information to the data collection industry?

The California Attorney General has published excellent guidance on the list of elements that must be present in a Privacy Notice for it to be effective. Perhaps as a final touch, the Policy should remind us that “the information you enter, provide, or imply by your mere presence on this site can and will be used against you in future transactions and in countless perturbing ways from here forward. Do you still wish to proceed?”


Public Opinion, Privacy, and the Courts

Under Common Law, rules are formed by reference to previous cases and dominant cultural attitudes. Why do the “nothing to hide-ers” want you to have less privacy than the rules allow?

In the previous post, we inquired into the origin of a stubbornly common cultural assumption, the idea that “you don’t need privacy unless you have something to hide.” This formulation, which is often used to defend covert or intrusive government surveillance, also has the effect of limiting consumer access to privacy-enhancing technology.

The overarching question of this series of posts is, what could be the basis for this attitude, when in fact citizen privacy protection is embedded in both the Constitution and in modern-day judge-made law? Since the law can do no more than encode our shared cultural biases and beliefs, how does this conundrum come to pass?

How The Rules get made under Common Law

Before examining this disparity, let’s cover a little background about how the sausage gets made – that is, how shared cultural expectations get encoded into law. It’s important to understand how laws validate cultural norms, in the context of the Constitution, and how those norms get articulated in judicial decisions and in legislation and regulation.

The United States (like Great Britain, India, and Canada) is a common-law jurisdiction. This means that judges get to decide the outcome of disputes that aren’t clearly covered by existing regulations, and also get to make the call on the legality of the regulations themselves. To do so, they rely upon the reasoning of previous decisions, as applied to the facts at hand, to arrive at a just result.

When no such guidance exists, or when the circumstances are truly novel, the judge must reach into the quivering grab-bag of cultural norms and reason afresh, to arrive at a defensible and sustainable conclusion. The judges are assisted in this effort by the attorneys on both sides, who craft compelling arguments as to why their clients’ position most closely conforms to the standards of their community and historic norms. Attorneys often apply the “reasonable person” standard; it is the basic tactic used in civil cases to assign blame when someone’s behavior falls outside of what most people in the community would consider reasonable.

(Of course, the judges’ own prejudices and experiences, and occasionally inappropriate political or economic influences, sometimes drive an outcome that does not properly reflect current mores or even the agreed facts of the matter at hand. But that’s a post for another time.)

Culture & The Courts – running off the rails

As a rule, there ought to be a close correlation between shared cultural norms and positive law-making by judges; and by extension, a virtuous cycle among (majority) consumer expectations/legal validation/commercial expectation.

It’s certainly possible to argue the directionality of law and cultural sentiment. In some cases, like the great civil rights decisions of the 50’s and 60’s, the Court seemed to be running ahead of the cultural moment in some states, and we saw results like forced busing and classroom integration, and destructive unrest. At other times, such as the long-running campaign to extend voting rights to women, decisions by the Court had to be overruled by constitutional action (in this case, the 19th Amendment) in order to bring the prevailing rules in step with the times. And of course the Court can sometimes just hit very wide of the mark, as in its Citizens United decision allowing unlimited political spending by corporations, which was opposed by an overwhelming (and bipartisan) majority of Americans.

What about privacy?

But outlying decisions like these are anomalies. The Rules, especially on topics of great public concern, ought to reflect the predominant cultural stance, expressed in the narrowest possible manner – it’s infinitely easier to grant a little bitty exemption from a narrow rule than it is to later rein in a lot of behavior under an excessively lenient rule. But in the case of the basic constitutional privacy rules, we have an unusual situation: the limits on government behavior (restricting government intrusion into private places) are actually more favorable toward citizen privacy than the “nothing to hide” faction would allow.

So, what is The Reasonable Expectation about privacy anyway?

Glad you asked. In the next post, we’ll delve into the landmark case from the 1960’s that transformed the playing field for government intrusion into private life, by setting the “reasonable expectation of privacy” standard, and that (I argue) should set the absolute minimum consumer expectation for privacy in commercial transactions.


Yes, Consumer Privacy is a “Reasonable Expectation”

Courts and the Constitution recognize privacy as a fundamental interest of citizens. Why shouldn’t consumers be entitled to the same consideration? A Manifesto.

A while back, I was working with a brilliant startup, whose technology allows you to make private, peer-to-peer connections among all your machines and devices, without the company ever storing, touching, or looking at any of your data or files. The company is using this technology to develop a consumer-grade product that would offer all the convenience of cloud storage, at a fraction of the cost, and without requiring users to entrust their data to third parties who might expose that personal data – either through the nefarious exploits of others or for their own commercial gain.

This seems like a simple, compelling, and obviously desirable idea to me. Why wouldn’t I want seamless, private access to all my files, wherever I go, without relying on a third-party intermediary whose affiliates and activities are outside my control? I might appreciate the redundancy of a cloud storage service, and use it as backup for non-sensitive information. But my private records and files should be stored privately, where I can see them whenever I want, and where they’re unlikely ever to get swept up in a criminal exploit or mass seizure, or be used to develop a marketing profile of me and my family.

So I was genuinely surprised when some people that we spoke with didn’t see the market for the product, asking “why would you need privacy, if you have nothing to hide?” They thought privacy-guarding tools were somehow only for criminals, terrorists, and the tinfoil-hat crowd. That is, not “people like us” – educated, law-abiding citizens with ordinary social and commercial activities and concerns.

Indeed, some folks seem to think that the desire for privacy is itself an affliction – although in some cases this seems to me more of a justification for a certain kind of carny exhibitionism than an effort at searching social commentary. And there’s another attitude, a close corollary, when the private information of a public figure is disclosed, that they had no right to privacy anyway.

What’s so bad about privacy?

Why shouldn’t consumers expect their privacy to be respected in the ordinary course of business? After all, the right to privacy is a commonplace and fundamental component of the design of the modern state, in the US and around the world. In the US, courts (and by extension the police) protect the privacy interests even of those suspected or accused of the most heinous crimes. So why shouldn’t ordinary citizens think their records and communication ought to benefit from the same protection?

And in particular, why would consumer-facing entities be held to a lower standard than government entities? At least the government might argue that there is a public interest to be served by its surveillance activities, but what public interests are served by privately held businesses like messaging companies and data collectors? Why would we give businesses a pass relative to our privacy as consumers, when we demand that our governments respect our privacy as citizens?

The Constitutional Model: limited access

The government’s ability to snoop around in your stuff is limited by various sections of the Bill of Rights – we’ll get into those in more detail in future posts – but the guiding principle is that the government can’t eavesdrop on your conversations or rummage through your files at places and times where you have a “reasonable expectation of privacy.” Over the years, we have developed a cultural model of private places and times, and the law has developed in tandem to guide government actors on when they can invade that privacy without penalty (we’ll talk later about the cost to government actors of illicit invasion of privacy, and by extension to all of us as taxpayers, citizens, and innocent bystanders).

In some cases, we (the people, through our elected representatives) have codified this “reasonable expectation” into statutes that regulate commercial undertakings. For instance, HIPAA controls the flow of private patient information, with formidable penalties for unauthorized disclosure; FERPA governs the use and disclosure of student information; FCRA keeps your potential employer from snooping around your credit report; and COPPA penalizes websites that collect and store the personal information of minors.

Clearly we recognize some commercial circumstances where the desire for privacy is considered reasonable, and we require commercial actors to submit to government monitoring and enforcement. We have agreed that some people – the mom communicating with her child’s school, the patient whose doctor sends records on his unusual case to a medical journal, and the job applicant who bounced a check when she was 17 – all benefit from a reasonable expectation of privacy when dealing with a commercial institution. And we have made laws to enforce these expectations when dealing with commercial entities, but they only cover private information in certain, specific situations, and turn over the enforcement of privacy norms to government agencies (FTC, etc.). How about putting comprehensive control of private information in the hands of its owners, the consumers who interact with these entities on a daily basis?

Translating public to private

Children, patients, people with bank accounts, job-seekers: all benefit from statutory protection of privacy. That these privacy-protection statutes ever arose, often against formidable lobbying efforts by businesses, demonstrates the strength of our shared cultural expectations around privacy. But the people hearing our software pitch didn’t think the product would succeed, by appealing to these same cultural norms, when dealing with the private information of consumers.

I have a few theories about why this might be, and a rather dazzling conclusion, and will go into them over a series of posts. But first, we’ll cover the backstory a bit, discuss the patchwork of laws in the US that reflect our cultural norms about privacy, and look at other cultures’ standards for recognizing individual privacy.

Next up: do The Rules around privacy really reflect prevalent community values? Who decides, and how?

Go Team Shelley!

Team Shelley Group Shot

On the bright morning of July 27, more than sixty family and friends of the inimitable Shelley Gunton met at Pioneer Square to participate in the Portland Brain Tumor Walk. We walked to celebrate and support Shelley as she wrestles brain cancer to the ground! In the process we managed to raise nearly $15,000 and have a hell of a great morning, followed by brews at the sparkling new Yardhouse Pub in downtown Portland. Way to go Team Shelley!