In early January of this year, in a conference room with a few other colleagues, we were at a point where we needed to decide how to balance convenience and privacy for our customers. The context being our team earnestly finalizing and prioritizing the launch features of our revamped Backblaze Business Backup product. In the process, we introduced a piece of functionality that we call Groups. A Group is a mechanism that centralizes payment and simplifies management for multiple Backblaze users in a given organization or business. As with many services there were tradeoffs, but this one proved thornier than most.
The Trade-off Between Convenience and Privacy
The problem started as we considered the possibility of having a Managed Group. The concept is simple enough: Centralized billing is good, but there are clear use cases where a user would like to have someone act on their behalf. For instance, a business may want a system administrator to create/manage restores on behalf of a group of employees. We have had many instances of someone from the home office ordering a hard drive restore for an employee in the field. Similarly, a managed service provider (MSP) might provide, and potentially charge for, the service of creating/managing restores for their customers. In short, the idea of having an administrator manage a defined collection of users (i.e. a Group) was compelling and added a level of convenience.
Great. It’s decided then, we need to introduce the concept of a Managed Group. And we’ll also have Unmanaged Groups. You can have infinite Groups of either kind, we’ll let the user decide!
Here’s the problem: The Managed Group feature could have easily been used for evil. For example, an overeager administrator could restore an employee’s files, at anytime, for any reason—legitimate or nefarious. This felt wrong as we’re a backup company, not a spyware company.
This is when the discussion got more interesting. By adding a convenience feature, we realized that there was potential for user privacy to be violated. As we worked through the use cases, we faced potential conflict between two of our guiding principles:
- Make backup astonishingly easy. Whether you are a individual, family, or business (or some combination), we want to make your life easier.
- Don’t be evil. With great data storage comes great responsibility. We are the custodians of sensitive data and take that seriously.
So how best to balance a feature that customers clearly want while enabling sane protections for all users? It was an interesting question internally—one where a fair amount of meetings, hallway conversations, and email exchanges were conducted in order to get it right.
Enabling Administration While Safeguarding Team Privacy
Management can be turned on for any Group at the time of Group creation. As mentioned above, one administrator can have as many Groups as desired and those Groups can be a mix of Managed and Unmanaged.
But there’s an interesting wrinkle—if management is enabled, potential members of that Group are told that the feature is enabled before they join the Group.
We’ve, in plain terms, disclosed what is happening before the person starts backing up. If you read that and choose to start backing up, then you have been armed with full information.
Unfortunately, life isn’t that cut and dry. What if your company selected Backblaze and insists that everyone join the Group? Sure, you were told there are administrators. Fine, my administrator is supposed to act in the constructive interest of the Group. But what if the admin is, as the saying goes, “for badness?”
Our solution, while seemingly innocuous, felt like it introduced a level of transparency and auditability that made us comfortable moving forward. Before an administrator can do a restore on a Group member’s behalf, the admin is presented with a pop up that looks like this:
If the admin is going to create a restore on a user’s behalf, then that user will be notified of the activity. A less than well intentioned admin will have some reluctance if he knows the user will receive an email. Since permission for this type of activity was granted when the individual joined the Group, we do allow the admin to proceed with the restore operation without further approval (convenience).
However, the user will get notified and can raise any questions or concerns as desired. There are no false positives, if the user gets an email, that means an admin was going to restore data from the user’s account. In addition, because the mechanism is email, it creates an audit trail for the company. If there are users that don’t want the alerts, we recommend simply creating an email filter rule and putting them into a folder (in case some day you did want them).
The struggle for us was to strike the right balance between privacy and convenience. Specifically, we wanted to empower our users to set the mix where it is appropriate for them. In the case of Groups, it’s been interesting to see that 93% of Groups are of the Managed variety.
More importantly to us, we get consistently good feedback about the notification mechanisms in place. Even for organizations where one admin may be taking a number of legitimate actions, we’re told that the notifications are appreciated in the spirit that they are intended. We’ll continue to solicit feedback and analyze usage to find ways to improve all of our features. But hearing and seeing customer satisfaction is a positive indicator that we’ve struck the appropriate balance between convenience and privacy.
The late 20th century philosopher, Judge Smails, once posited, “The most important decision you can make right now is what do you stand for? Goodness or badness?”
We choose goodness. How do you think we did?