Every time I send out a survey using my Zoomerang or SurveyMonkey accounts, there is always at least one wise guy among the respondents who dings me for risking their privacy with these tools. But do they have a point? Last week I decided to finally find out.
Let’s call it a privacy-impact assessment (PIA) for online-survey services.
A PIA tries to answer two main questions: Will a system, process or product create risk to personal privacy? And, if so, what can be done to mitigate that risk? When I think about using these tools myself, three more questions come top of mind:
* Will the online-survey company in any way access or use my survey responses or contact lists?
* How will the company secure my survey responses?
* Does the company offer tutorials to users like me on how to conduct a survey that protects privacy?
So those are the criteria I took with me when I visited the Web sites and called the contact centers of the two leading online-survey products, Zoomerang and SurveyMonkey. What did I find out?
1. Similar business models
First, this is another case of a lot of personal data being stored in the northwestern U.S. MarketTools parent company of Zoomerang, is based in downtown San Francisco, while SurveyMonkey maintains headquarters in Menlo Park, Calif., with data operations in Portland, Ore.
Both are survivors of the dot-com bust. Walter Good and three other market-research professionals co-founded MarketTools in 1998 in the San Francisco Bay area. I spoke with Good, who pinpointed the birth of Zoomerang to a Minneapolis meeting his team had with the CIO of General Mills. Their idea was to use the Internet to revolutionize consumer research and bring it to the masses. The CIO, Gail Fuget, loved the concept, and soon General Mills and Procter & Gamble were investors.
Now employing 550 people, MarketTools provides other market-research software products in addition to Zoomerang. Housed in an upscale, downtown San Francisco office building where Google< takes up three floors, MarketTools also maintains concentrations of employees in Minneapolis, Chicago, New York and its European headquarters in London.
The company’s current leaders joined the firm in 2005 and 2006, and the company’s Web site reports that strong growth occurred in 2009. Zoomerang’s business model is to attract users to its free service and then entice them to upgrade to packages that run as high as $600 per year.
For its part, SurveyMonkey followed a similar trajectory. Ryan Finley launched the company in Madison, Wis., after he left college in 1999. After moving to Portland, Finley hired his brother Chris in 2002 and eventually saw revenue hit a reported $30 million in 2008.
A venture-capital fund bought SurveyMonkey in 2009, installed its current management team and moved its headquarters to the Bay area. A former Yahoo executive now runs the company, which employs 31. The company’s business model is also to attract users to its free service and then upsell them to a premium service, which in SurveyMonkey’s case costs $240 per year.
2. Privacy programs
Do the leading online-survey companies maintain privacy programs? It’s hard to tell by external appearances. The companies aren’t visible in the privacy community, and their Web sites don’t indicate that they have someone in charge of privacy. I did find out by contacting the companies that Stuart Loh, corporate counsel for SurveyMonkey, is responsible for privacy, and Chris Robertson, security manager at MarketTools, handles privacy for Zoomerang.
On the plus side, both companies joined the privacy-seal program of San Francisco-based Truste and are also self-certified to the U.S.-EU Safe Harbor. Neither has suffered a publicized privacy breach that I could find, in spite of all of the sensitive corporate data they must host.
“The revision was discussed and reworked internally by staff across the business,” she added, “as well as by external lawyers from DLP Piper and a highly reputable independent privacy consultant, David Flaherty.” Flaherty was the first privacy commissioner of British Columbia.
3. Use of survey data
If you answer a survey hosted by Zoomerang or SurveyMonkey, is it safe to assume that no one except the survey sponsor will access or use that data, and that when the sponsor deletes the data, it’s gone? Their privacy policies tell markedly different stories, with SurveyMonkey’s offering more details.
The Zoomerang terms and conditions did, however, address this topic. It states:
“We agree not to use any of your Confidential Information (defined below) for any purpose except to operate the Site and Services in accordance with this Agreement. We agree not to disclose any of your Confidential Information to any third party other than to our employees and consultants who are bound by confidentiality obligations and are required to have access to the Confidential Information in order to operate the Site and Services.”
In a phone interview, Robertson and the MarketTools heads of marketing and product development told me that it was against company policy for MarketTools staff to access client information without client consent or a court order.
One advantage SurveyMonkey has over Zoomerang in the data-use category is its prominent way to opt out of all SurveyMonkey surveys. If you find that you’re getting too many SurveyMonkey surveys from your friends and colleagues, you can go to surveymonkey.com, click on the “E-Mail Opt Out” link on the home page footer, and then enter your e-mail address.
4. Disclosure of survey data
One way the online-survey companies could monetize the vast stores of data they’re hosting is to mine it, package it and sell it. Do their privacy policies prevent this scenario?
For its part, Zoomerang’s policy includes this ambiguous statement: “We may share your information with affiliated companies for reward redemption and/or other market research opportunities.”
The MarketTools team explained to me that in practice this statement only applies to people who voluntarily sign up to earn and redeem loyalty points for participating in panel surveys. To redeem their points, MarketTools shares their information with a third party.
The only scenario in which MarketTools shares the personal information of survey account holders with third parties is when the account holders purchase a premium service. In these cases, Cybersource processes the payment, allowing MarketTools to not retain any credit-card information.
It’s not clear how the “anonymous” disclosure of survey content would work and how the opt-in process would work, but it’s a step in the right direction.
5. Security of survey data
Most large corporations now have vendor-compliance programs in place. If the corporations host any kind of confidential or privacy-restricted information with third parties, they require those third parties to make contractual commitments to protect that information, and demonstrate proof of their internal security controls.
My phone interview with the MarketTools team clarified this point as well. They provided me a list of security and compliance measures in place, including an SAS 70 Type II certified data center with biometric access controls, multiple layers of firewalls and intrusion-prevention sensors, quarterly third-party security audits of externally available systems and Web sites, annual third-party onsite audits, and HIPAA, PIPEDA, and U.S.-EU Safe Harbor compliance assessments. Zoomerang also passed a privacy and security audit to be listed on the Salesforce.com AppXchange for cloud-computing products.
In this area, SurveyMonkey does a better job telling its story on its Web site. The company dedicates a separate page for a Security Statement. But it shares the most details in a Help section response to a question about security. That response indicates that surveys are stored in an SAS 70 Type II certified Sungard data center protected with biometric access controls, among other things, a firewall that restricts access to all ports except 80 and 443, QualysGuard network scans run weekly and McAfee HackerSafe scans run daily, and data backups run hourly.
The only company I’ve seen do better than what SurveyMonkey promises in its security statement is San Francisco-based Salesforce.com, which dedicates a Web site — www.trust.salesforce.com — to its corporate privacy and security commitments.
6. User training on privacy
Before Zoomerang and SurveyMonkey came along, market-research professionals and statisticians conducted most consumer surveys. Now, anyone with a Web browser and contact list can launch a survey, ask any question under the sun and share that data with anyone. In that sense, Zoomerang and SurveyMonkey can’t control how account-holders use their platforms.
But they can make privacy training available on their sites, and even require users to complete some basic level of training when they open or upgrade accounts. Facebook and MySpace have taken these kinds of measures, for example. SurveyMonkey does make available a “Best Practices for Survey Design” guide, but the only privacy topic it addresses is spam. Zoomerang also offers tutorials for constructing effective surveys, but doesn’t address the topic of how to respect privacy when you’re creating a survey.
So who does better on privacy? I have to admit I started the analysis biased against SurveyMonkey just because of its name. I don’t want anyone monkeying around with my data. But on every topic I looked at, they both offered about the same level of protection in practice. SurveyMonkey gets the nod, though, for codifying these practices into clear online disclosures and commitments.
Are the wise guys who ding me for using these tools right, after all? There are many things to ding me on, but this doesn’t turn out to be one of them. On security, both companies are taking measures I see Fortune 500 firms taking. On privacy, they need to do a better job clarifying in writing what their good practices are. But the internal practices they represented to me are what I’d look for to pass a privacy audit.
If you want to further reduce your organization’s risk when using these tools, take three steps:
— Don’t load survey-taker e-mail addresses into the tools. Just e-mail survey links to your survey takers through your own e-mail account.
— Avoid asking for sensitive intellectual property on surveys.
— Don’t ask for sensitive personal data through these tools.
Zoomerang and SurveyMonkey are revolutionary American inventions. Their growth into new geographies and lines of business, such as health care, may depend on continued improvements to their privacy and security and how they tell their stories in these areas.
Jay Cline is president of Minnesota Privacy Consultants. You can reach him at firstname.lastname@example.org.