How data privacy leader Apple found itself in a data ethics catastrophe

Companies that succeed will protect, fight for, and empower their users

By Daniel Wu and Mike Loukides
April 22, 2020

Three months ago, Apple released a new credit card in partnership with Goldman Sachs that aimed to disrupt the highly regulated world of consumer finance. However, a well-known software developer tweeted that he was given 20x the credit line offered to his wife, despite the fact that they have been filing joint tax returns and live in a community property state. The story went viral on Twitter, and led to an official government investigation for bias.

Even if Apple—the privacy leader—did not discriminate on gender, it experienced one of its worst product launches in recent history. 

Apple’s customer base and bankable style combined with Goldman’s knowledge of the financial industry must have seemed like an unbeatable combination. Apple is a great producer of computer hardware, while Goldman knows finance and its complex rules backwards and forwards. If anyone could launch this product right, it would be these two companies.

Ultimately, Apple learned a critical lesson from this experience. User buy-in cannot end with compliance with rules. It requires ethics, constantly asking how to protect, fight for, and empower users, regardless of what the law says. These strategies contribute to perceptions of trust.

Trust has to be earned, is easily lost, and is difficult to regain.

Compliance and ethics

Compliance is a simple concept: “we followed all applicable rules and regulations.” Compliance minimizes the possibility of being fined and gives you a defense if you’re taken to court. You can hire compliance experts to advise you, and lawyers to defend you. That said, compliance allows plenty of room for bad, unethical behavior. For example, payday lending businesses are no doubt compliant with the law, but many aren’t models for good corporate citizenship.

Ethics is much more slippery. It’s not about staying within legal boundaries; ethics is a discussion about what’s right, not a set of rules. It’s about living a “good” life, acting in a way that allows you to live with yourself and others. There aren’t simple standards and tests for ethical behavior, nor are you as likely to be called into court for acting unethically. But unethical behavior is likely to lose your customers’ or business partners’ trust; they will view your actions with suspicion.

The importance of ethics does not, however, mean companies should ignore compliance

Compliance functions are powerful because legal violations result in clear financial costs. The European Union’s General Data Protection Regulation (GDPR), for instance, imposes fines of up to 2%–4% of global annual revenue. This could mean millions, if not billions, of lost revenue. The era in which fines were merely a cost of doing business appears to be ending. Fines in the billions have been levied against Google and Facebook, and Practice Fusion (an electronic medical records company) has agreed to a $145 million settlement for using “its EHR software to influence physician prescribing of opioid pain medications.”

Because of its clear impact on the bottom line, compliance often reshapes business operations. For instance, financial companies are investing millions into using artificial intelligence to comply with anti-money laundering regulations or stricter data regulations.

Because compliance is so clear-cut, it is tempting to substitute compliance for ethics

Don’t do it. 

As the Apple case illustrates, rule-following is not sufficient for trust-building. Laws are frequently a minimum standard; they set a low bar. As a privacy leader in the technology space, Apple knows this well and has benefited from a strong reputation as a data steward.

For one, the law often lags behind technology and user expectations. Organizations that simply follow the rules will be sideswiped by rapidly changing technology and user expectations. Case in point: the public hearings after the outrage over Facebook’s Cambridge Analytica scandal. Here, the public discovered that even highly experienced senators didn’t fully understand key technologies, like Facebook, much less their potential harm to users.

Furthermore, compliance-only companies will play a seemingly insurmountable game of “whack-a-mole” as new data regulations pass around the world. New rules will catch these organizations off-guard, especially when they use emerging technologies and face ambiguous rules.

Finally, investors from BlackStone to JP Morgan are beginning to prioritize environmental, social, and governance metrics—like ethics—in their definition of shareholder value. Legal compliance is increasingly inadequate for this powerful stakeholder.

As a result, to build trust, a company should lead with ethics

In our more global, diverse, and rapidly changing world, ethics may be embodied by the “platinum rule”: Do unto others as they would want done to them. One established field of ethics—bioethics—offers four principles that are related to the platinum rule: nonmaleficence, justice, autonomy, and beneficence.

For organizations that want to be guided by ethics, regardless of what the law says, these principles are essential tools for a purpose-driven mission: protecting (nonmaleficence), fighting for (justice), and empowering users and employees (autonomy and beneficence).

An ethics leader protects users and workers in its operations by using governance best practices. 

Before creating the product, it understands both the qualitative and quantitative contexts of key stakeholders, especially those who will be most impacted, identifying their needs and fears. When creating the product, it uses data protection by design, working with cross-functional roles like legal and privacy engineers to embed ethical principles into the lifecycle of the product and formalize data-sharing agreements. Before launching, it audits the product thoroughly and conducts scenario planning to understand potential ethical mishaps, such as perceived or real gender bias or human rights violations in its supply chain. After launching, its terms of service and collection methods are highly readable and enable even disaffected users to resolve issues delightfully.

Ethics leaders also fight for users and workers, who can be forgotten. These leaders may champion enforceable consumer protections in the first place, before a crisis erupts. With social movements, leaders fight powerful actors preying on vulnerable communities or the public at large—and critically examine and ameliorate their own participation in systemic violence. As a result, instead of last-minute heroic efforts to change compromised operations, they’ve been iterating all along.

Finally, ethics leaders empower their users and workers. With diverse communities and employees, they co-create new products that help improve basic needs and enable more, including the vulnerable, to increase their autonomy and their economic mobility. These entrepreneurial efforts validate new revenue streams and relationships while incubating next-generation workers who self-govern and push the company’s mission forward. Employees voice their values and diversify their relationships. Alison Taylor, the Executive Director of Ethical Systems, argues that internal processes should “improve [workers’] reasoning and creativity, instead of short-circuiting them.” Enabling this is a culture of psychological safety and training to engage kindly with divergent ideas.

These purpose-led strategies boost employee performance and retention, drive deep customer loyalty, and carve legacies.

To be clear, Apple may be implementing at least some of these strategies already—but perhaps not uniformly or transparently. For instance, Apple has implemented some provisions of the European Union’s General Data Protection Regulation for all US residents—not just EU and CA residents—including the ability to access and edit data. This expensive move, which goes beyond strict legal requirements, was implemented even without public pressure.

But ethics strategies have major limitations leaders must address

As demonstrated by the waves of ethical “principles” released by Fortune 500 companies and commissions, ethics programs can be murky, dominated by a white, male, and Western interpretation.

Furthermore, focusing purely on ethics gives companies an easy way to “free ride” off social goodwill, but ultimately stay unaccountable, given the lack of external oversight over ethics programs. When companies substitute unaccountable data ethics principles for thoughtful engagement with the enforceable data regulation principles, users will be harmed.

Long-term, without the ability to wave a $100 million fine with clear-cut requirements and lawyers trained to advocate for them internally, ethics leaders may face barriers to buy-in. Unlike their sales, marketing, or compliance counterparts, ethics programs do not directly add revenue or reduce costs. In recessions, these “soft” programs may be the first on the chopping block.

As a result of these factors, we will likely see a surge in ethics-washing: well-intentioned companies that talk ethics, but don’t walk it. More will view these efforts as PR-driven ethics stunts, which don’t deeply engage with actual ethical issues. If harmful business models do not change, ethics leaders will be fighting a losing battle.

Yet despite these tremendous barriers, leaders must weave ethics into their strategies

Ethics must be embraced by top leaders, who must fundamentally shift corporate governance, C-suite incentives, strategic roadmaps, and daily operations to empower stakeholders. Inconsistent or wishy-washy company behavior will severely harm, not build, trust.

To move beyond narrow interpretations of ethics, ethical leaders must engage with critiques—like the Feminist Data Manifest-no. These push leaders to investigate and ameliorate power relations, marginalizing processes, and the history of injustice against vulnerable communities.

Similarly, leaders must engage with international human rights frameworks (IHRFs), such as the Universal Declaration of Human Rights and International Covenant on Economic, Social and Cultural Rights. While these have often been enforced against states (fighting, for instance, censorship, unfair trials, and torture), supporters nonetheless argue IHRFs afford a rich ecosystem of multilateral organizations, compliance approaches, shared language, and jurisprudence to help organizations balance human rights against competing interests, like innovation.

To gain more buy-in from top internal business leaders, ethics leaders can form coalitions with compliance, data, and even marketing departments. By leading programs with resources and measurable accountability, ethics leaders must articulate how ethics improves trust and loyalty. The effectiveness of such coalitions may explain the rise of chief ethics and compliance officers—as well as a host of new chief trust, social responsibility, citizenship, and data officers by technology leaders like Salesforce, Workday, and Unisys. Robert Smith, Director of Ethics and Compliance at InterContinental Hotels Group, agrees, arguing that these related teams should speak with “one voice.”

To further bolster support, leaders should consider participating and learning from new cross-sector coalitions. These include those focused (a) on specific technologies like AI, such as The Partnership on AI, (b) on specific industries, such as health (All-in), government (Civic Data Privacy Leaders Network), and cities (Cities Coalition for Digital Rights or the Right to the City Alliance); or (c) on a general set of emerging issues, such as IEEE, WEF, Metrolab, or Data Collaboratives Research Network. Due to the wide variety of community, academic, and nonprofit leaders, these coalitions also provide invaluable opportunities for leaders to diversify their networks and challenge their assumptions.

While incorporating human rights and ethics into business strategies may be costly in the short run, over the long term, Paul Barrett, deputy director of New York University’s Center for Business and Human Rights, argues that “companies will benefit financially from operating humane, efficient supply chains and employing motivated workers proud of their jobs.”

Ultimately, organizations that discard ethics may find themselves on the wrong side of history. They risk becoming the redlining banks that excluded communities of color from loans due to perceived financial risk, or the government agency that denied treatment to African Americans suffering from syphilis due to a desire for innovative research, or the billion-dollar company whose planes killed 346 people, after placing “undue” pressure for safety approvals of new algorithms to improve take-off performance.

In the next decade, leaders—from Apple to the next venture-financed startup—will use cutting-edge technologies in a fight for competitive advantage and better operations. But those that succeed in our history books protect, fight for, and empower their users, including the most vulnerable.

Leaders must not give up.
