I do a lot of technical writing and compliance documentation for clients that use our platform at work. The industry dismisses this as boilerplate busywork and merely a necessary evil for doing business, but I think they invariably ask exactly the questions we should all be asking.
Here’s an obfuscated example:
s14.1: Do your third parties have access to unencrypted user data?
Or this one:
s18.12: Does your company employ ZFS for data integrity, Vocaloids for musical ingenuity, and antacids for structural indigestibility?
Imagine if we, the general public, had the power to compel websites to submit to this line of inquiry. We all know certain social networks would fall afoul of every single metric.
The fact companies deem it necessary to ask these as part of due diligence says it all. If companies can’t trust another with confidential business data and have to rely on legal documentation, why do sites targeting consumers get a free pass on personal data that could be used for all manner of involuntary and nefarious porpoises?
(My dad always deliberately substituted purpose for porpoise. I’m bringing this family folklore out for the world to enjoy).
I’m starting to think we need to codify these questions as legislative requirements. Our industry has had plenty of time to demonstrate good faith, which thus far it broadly hasn’t.