Scott Hanselman

The Privacy Chain - Your Site's Privacy Policy as the 3rd Party services pile up

March 24, 2012 Comment on this post [7] Posted in Musings
Sponsored By

There are so many really innovative products online right now. A good friend was showing me amazing product called Intercom that lets you see who of your users are online, their social profiles, even direct message/chat them live on your site.

You just add this JavaScript to your site. Here's the snippet from their home page:

<script id="IntercomSettingsScriptTag">
var intercomSettings = {
app_id: 'tx2p1ufd7g30c',
email: '',
created_at: 1234567890
(function() {
function async_load() { var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = ''; var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x); }
if (window.attachEvent) {
window.attachEvent('onload', async_load);
} else {
window.addEventListener('load', async_load, false);

My buddy was thrilled and thought this was an amazing product. It totally is. With modern browsers and modern JavaScript we can more quickly integrate applications like Intercom, Google Analytics, UserVoice, JanRain and a thousand others into our websites. It's a LEGO web, indeed. Just add some JavaScript like above and you're off.

However, after looking at this for about 5 minutes, I rained on my friends parade.

"Hey, is that the user's email address there?

"Yes! The 3rd party needs that so they can populate their dashboard and keep track of who's who."

"Ah, OK, but you're sending that email to them, right?"


"And they're storing that, right?"


"So, what's their privacy policy and how will it be added into yours? There's a chain of privacy policies that needs to happen here. What 3rd parties does this company use? And theirs?"

"You're totally raining on my parade. But you're right."

We emailed the folks at Intercom and they knew immediately what we were talking about and answered exactly as they should. Here's their email:

Sure thing, firstly our official terms & privacy policy are here:

The short summary is...

1. You own your data, when you kill your account we don't keep it. We never sell it. We never contact your users. We will never do anything with your data that we wouldn't be proud to tell the world about.

2. We have a feature where we use a 3rd party service called FullContact, to augment your data, for example find an twitter/linkedin/facebook/github account that matches an email address. This can give you extra insight into the types of users  you have. You can easily disable this in your app settings.

Regarding updating your privacy policy, you obviously should note that you send data to Intercom for the purposes of providing support and extended communication with your customers. You might already have this covered under other areas (for example if you use helpdesk software, certain analytics packages, etc then you're already doing precisely this)

Ultimately you should check with your lawyer who created your privacy policy to ensure that using Intercom doesn't violate your existing privacy and find out precisely what changes are necessary.

Exactly. Knowing is half the battle. Are you using a number of 3rd party services? Are you integrating "on the glass" with JavaScript? Step 0 is making sure your Privacy Policy reflects the chain of Privacy Policies for all the products you use.

Sponsor: Again, I want to thank my friends DevExpress for sponsoring this week's feed. There is no better time to discover DevExpress. Visual Studio 11 beta is here and DevExpress tools are ready! Experience next generation tools, today.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Hosting By
Hosted in an Azure App Service
March 24, 2012 3:27
Such an easy thing to overlook as a site owner. For instance - you store my email in your comments but have no Terms or Privacy Policy that I can see. Not that you would ever… but you know…

My point is - emails are given out so freely. We have to send customer information to our gateway (Stripe… was Braintree) so there's that. We also have a support app (Tender) that we link to - again we need to know who the customer is. So there's that too.

Your browser tells my server all kinds of stuff about you, regionally speaking, through an IP trace. I can also use a 3rd party service (like FullContact) to trace your email through various social networks and get all kinds of lovely information on you (Facebook,Twitter, Google+, etc).

Access to Twitter is usually enough - from there I can read your bio and figure out where you live (Portland) and where you work (Microsoft) - none of this is news. Until I ask you to log into my site using Twitter or Facebook… then it gets fun.

Did you know that if you use OAuth with Facebook or Twitter, I could (if I asked for it) have access to your entire bio - including your cell phone? Stop and take a look at the apps which you've granted access to your Twitter account:

How many have "read and write access"? Usually just about all of them - but what's more important is that if they have the basic: the "read" access, they can pull up everything in your profile including your cell phone, your location, your email, and yes… your tweets.

I think everything you've mentioned here is spot on: don't assume (if you run a site) that giving a user's information out is "just OK".

This goes for you to :). Running any analytics on your visitors by any chance?

March 24, 2012 6:42
Great point! My blog needs a privacy policy.
March 25, 2012 13:19
But that email is there visible for all spiders, right? that is another problem...
March 26, 2012 20:47
Thanks for the write up Scott, it's really appreciated.

The the commenter above - Intercom is only installed on web apps that require a log in, so web spiders aren't an issue as they can't see the content. (in much the same way that a web app couldn't spider GMail or Hotmail to see everyone who is logged in).

(COO at Intercom)

April 02, 2012 18:43
What is JainRan? Did a quick google but maybe it was a typo?
April 02, 2012 21:38
Ryan - Sorry, "Janrain."
April 12, 2012 8:32
I think this is not a good idea to pull information of a user who is not aware of the issue.

In this case website must tell user that, they will share their email address with 3rd party which will scrape all my social data and show it to website owner.

Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.