For those that run businesses that collect user data (email addresses, messages, media, etc.), it would seem best and ethical to view as little of this information as possible. Obviously, in some support cases, it is unavoidable to view user data, and also when running analytics on your user-base, you may have the need to view some information. Do you use any systems or best-practices to ensure that even the owners of the site (yourself + partners + employees) don’t gratuitously view customer data, or are you on the honor system?
Firstly, whoever own the database credentials “owns” the data. If I as the developer want to view someone’s data, I can.
When it comes to building “impersonate user X” or “ghost as user X” features for support staff to log in as a particular user: They always make me uncomfortable (you’re basically coding an authentication loophole) but they’ve proven to be critically necessary in providing a great support experience.
Some things I’ve done before:
- only support staff are given the ability to impersonate another user (not founders, or sales people, etc)
- post to a common Slack channel whenever anyone in the company impersonates a user. This creates some social awareness
- keep an audit log
- a user setting like “Allow support staff to view your account?”
While I agree that this is technically correct, my question is basically suggesting that there is a responsibility in ownership. Some may disagree, but I think most would not. Take, for example, a service that stores your uploaded personal photos (privately, not for public consumption). While I think a realistic user would not expect that those pictures would not be viewed by someone else under any circumstances, they would also hope that no one would view them unless absolutely necessary. This is the crux of what I’m getting at.
Imagine you have a site that allows users to record private video messages for other users, for occasions like birthdays, etc… Those videos have an expectation of being personal and private. However, they could also provide valuable information to the business owner on how users are using the service and how it could be improved (evaluating quality, new feature ideas, for example). We’re ok with watching mouse location and clicks, but are we also ok with viewing user’s private photos and videos?
I’m not saying there’s a right answer and I’m a bit on the fence, so that’s why I’m asking.
It sounds like you’ve handled this part of your business(es) well.
Often (depending on jurisdiction) the data you collect with your SaaS app are not yours.
And users expect confidentiality. I’d say be clear in your “Terms of use” what you do and why (and check if you are legally allowed to do some things).
In this scenario: looking at someone’s account in response to a support request (i.e, "HELP! My photos aren’t loading in IE6) is vastly different to “I’ll just surf around looking at people’s account to see how they use our service… and don’t they have a pretty girlfriend… oh their kids are brats…”. The former is ethically fine. The latter is scumbag voyeuristic growth hacking behaviour. One is not like the other.
I think most people can tell the difference, or you hire people who understand the difference. Perhaps you need to put it into words that policy to guard against future abuses but that’s not a situation I’ve encountered. It would be a breach of customer trust, probably a breach of EU data protection rules, and I’d be starting dismissal proceedings (official warning)
Not OK unless permitted. Your statistics and such is your problem, not users. Ask them if you need to watch some.
I like @ideasasylum approach of posting who had access to a profile data.
With the private photos I’d go further and added a message to the user’s profile “John Doe from support accessed this video on (date)”. If this was not caused by a support call, it will generate an angry support call now.
Posting to Slack is OK, but it will get fewer attention over time, as support has to impersonate users, and who knows if this particular impersonation was legit or a malicious? Must be legit, move along. Users themselves tho would know and pay attention.
So to summarize:
If you promised your users the data are safe, you are not excepted from that promise.
You may have a technical capability, but not a right.
When the team grows, you need to have checks in place to prevent unauthorized access.
I previously worked at a company that stored customers’ data and it was explicitly documented how their data could be accessed and viewed. Breaking those rules could result in job termination. The privacy and trust can not be taken lightly.
Indeed. This was kind of what I had in mind beforehand, but obviously it’s a hypothetical for me so I wanted to see how others are handling it. I suppose from a technical perspective, it’s a matter of establishing the right roles and permissions when it comes to data access.