
The Ken welcomed its first subscribers in October 2016. But just six months later, we were sending an email to all our subscribers titled, “We’re deleting some of your data”.

Subscriber email from The Ken, April 2017

Many of our subscribers wrote back to me, puzzled as to why a media company would want to delete information about its subscribers. Or, to top it off, inform them about it.

Here’s why—when subscribers pay you for your journalism, they no longer deserve to be treated as “products” that you need to “sell” to advertisers.

Subscription-journalism is an undeniable and secular global trend today, from respected giants like NYT and WSJ to relatively younger, smaller and more niche publications like The Ken, The Information and De Correspondent, and finally, single-person publications like Stratechery, Above Avalon and Baekdal. The inversion of value that has taken place as a result means that subscribers are no longer the product, but journalism is. As it always should have been.

At The Ken, we’ve known this since day 1. We had no reason to collect more and more data on our subscribers for the simple reason that we had nothing to do with it. If we didn’t sell it and if we didn’t share it, we didn’t want to store it either. In fact, we think personal information about your subscribers is toxic. Because there is always the risk that it will leak, be hacked or misused despite your best efforts.

Which is why we try and collect as little data as possible from you. What does this mean?

  • When you sign up, we don’t collect any more personal information from you than what we need to give you access and create your subscriber experience.
  • That means we just ask for your name and your email address. That’s the bare minimum we need to authenticate you, contact you, and call you by your name.

Our website and exclusive subscriber apps follow the same principles. Minimise data collection, maximise subscriber experience.

https://twitter.com/helloanand/status/998202910059180032

Here are the permissions our iOS and Android apps ask for.

  • Internet access: So that we can fetch the story and find out how much of it you’ve read (we seamlessly sync reading progress across our apps and website).
  • Cache: So we can store stories on your device to make them load faster.
  • Notifications: So that we can tell you we have a new story (admittedly, this feature isn’t live yet)

We do not ask for access to your SMS messages, contacts, photos and media or GPS location.

Locating and Fixing Third Party Black Holes

But regardless of how well websites and apps minimise direct data collection, there are exponentially bigger and darker channels through which it can still take place: “third-party” services.

It is almost an accepted axiom today that modern software products will have third-party services embedded within them to perform specialised tasks like tracking visits, enabling sharing, loading GIFs, improving load times, etc. The Ken’s website and apps, too, were reliant on various third-party services.

In the last few weeks though, we took an axe to them.

  • We use a bunch of distinctive typefaces (“fonts”) for our story headlines and copy, all of which were being served via typography.com, the premium online foundry that licenses them to us. We elected instead to serve the fonts via our own site.
  • We got rid of a third-party service that helped us identify EU visitors by their IP address, so we could serve their “EU cookie notices”. Yeah. We now do it via our own servers.

While we had previously removed social-sharing buttons in the interest of privacy, several subscribers wrote in and requested quick social-sharing buttons to share our stories. So, on 20th September 2019, we added them back. We worked hard to do this the right way—social-sharing buttons on The Ken do not load any third-party scripts from Google, Facebook, Twitter or LinkedIn.

As a result, we’re down to zero trackers today. But we still have four third-party domains that serve scripts. They exist because each of them does something we cannot do to the same standards ourselves.

  • Google Analytics – We use GA, as it is popularly known, to understand visitor and subscriber activity on our website. Which stories bring in readers. Which stories are being read or abandoned. How long stories take to be read. How our site’s navigation enables or hinders discovery of stories. But do note, we do not use GA’s ad tracking cookies and all data sent to GA is completely anonymised. Forget email IDs, we have added another level of security where users’ IP addresses are anonymised before they’re sent to GA. This isn’t merely a toggle option, but something we’ve specifically implemented on our end to protect our users’ IP addresses and privacy.
  • Metrilo – We use this service to monitor our subscription flows, improve subscriber engagement with stories and run automated renewal reminder services, etc.
  • Intercom – We intend to use Intercom to send notifications to our subscribers when a new story is out, regardless of which device they use. Or to try and understand what kind of stories individual readers prefer, so we can tailor our website or app experiences accordingly.
  • Bootstrap CDN – Our design is based on Bootstrap Foundation’s architecture which lets content and navigation automatically adjust to different device resolutions in real time. A bunch of code that helps us do this runs from here.
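
One way to anonymise visitor data on your own server before it reaches an analytics provider, as described for Google Analytics above. This is an added example, not The Ken's code: the function names, the hit field names and the /24 and /48 truncation lengths are assumptions.

```python
import ipaddress

# Hypothetical field names for data that must never leave the first-party server.
IDENTIFYING_KEYS = {"email", "name", "user_id"}


def anonymise_ip(raw: str) -> str:
    """Zero the host part of an address so it no longer singles out one device."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is an IPv4 client in disguise;
    # truncating it as IPv6 would leave the whole IPv4 address intact.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Assumed truncation: keep the first 24 bits of IPv4, the first 48 bits of IPv6.
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_hit(hit: dict) -> dict:
    """Return a copy of an analytics hit that is safe to forward to a third party."""
    clean = {k: v for k, v in hit.items() if k not in IDENTIFYING_KEYS}
    try:
        clean["ip"] = anonymise_ip(str(clean.get("ip", "")))
    except ValueError:
        # Missing or unparseable address: forward nothing rather than the raw string.
        clean.pop("ip", None)
    return clean


if __name__ == "__main__":
    # Constructed sample hit using documentation-range addresses.
    sample = {"page": "/story/example", "ip": "203.0.113.77",
              "email": "reader@example.com"}
    print(scrub_hit(sample))
```

Doing the truncation before the request leaves your infrastructure means the provider never receives the full address, whatever its own settings are.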

In addition, our website and apps also interface with the following service providers:

  • Facebook and Google – To enable some of our subscribers to log in using their FB or Google accounts. We ensure that no advertising cookies are placed here. The only cookie that’s there is just for authentication.
  • Cloudflare – To cache our content on servers across the world so we can serve it from the nearest and fastest location to our subscribers.
  • Razorpay, Paytm and PayPal – To enable payments. We are, after all, a subscription site.
  • Sendgrid – All our subscriber emails are sent out via Sendgrid. Every single email we send out has an ‘unsubscribe’ link at the bottom.

Each of the third-party services that we work with conforms to the highest data processing restrictions, including GDPR which is the gold standard.

We’re not done yet

I began this post by telling you how we deleted all the address data we had on our subscribers back in April 2017. I’m ending it with details of how that process is still ongoing in May 2018.

We rewrote our cookies (we use them to ensure we recognise subscribers when they log in or come back) to reduce the amount of data we collect. For instance, till two days ago our cookies used to store your password in order to authenticate you. We did away with it and now authenticate you via “session IDs”, a higher standard.
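
The move from a password-bearing cookie to a session ID can be sketched as follows. This is an added example, not The Ken's implementation: the cookie name `sid`, the in-memory store and the 14-day lifetime are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 14 * 24 * 3600  # assumed lifetime in seconds
SESSIONS = {}  # sha256(token) -> (subscriber_id, expires_at); stands in for a DB table


def digest(token: str) -> str:
    # Only a hash is stored, so a leaked session table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def start_session(subscriber_id: str, now: float = None) -> str:
    """Call once the password has been verified; returns the Set-Cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, carries no user data
    SESSIONS[digest(token)] = (subscriber_id, now + SESSION_TTL)
    jar = SimpleCookie()
    jar["sid"] = token
    attrs = {"path": "/", "max-age": SESSION_TTL, "samesite": "Lax",
             "httponly": True, "secure": True}
    for key, value in attrs.items():
        jar["sid"][key] = value
    return jar["sid"].OutputString()


def resolve_session(cookie_header: str, now: float = None):
    """Map a request's Cookie header to a subscriber id, or None if not logged in."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    record = SESSIONS.get(digest(morsel.value)) if morsel else None
    if record is None:
        return None
    subscriber_id, expires_at = record
    if now >= expires_at:
        SESSIONS.pop(digest(morsel.value), None)  # expired: forget it server-side
        return None
    return subscriber_id


def end_session(cookie_header: str) -> None:
    """Logout: unlike a password in a cookie, a session can be revoked at any time."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" in jar:
        SESSIONS.pop(digest(jar["sid"].value), None)
```

A stolen session cookie exposes one revocable session, whereas a stolen password cookie exposes the credential itself.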

We’ve also implemented a stricter two-factor opt-in for email sign-ups, so that we are sure that the owner of the email address is indeed the person who has created the account.

Lastly, we’re overhauling our entire privacy policy to put our subscribers at its core. It should be out within the next fortnight.

By doing all of this, we hope to reduce the amount of data we collect on our subscribers. This, in turn, is the foundation for a more trusting relationship with them, which finally gives us the confidence and bandwidth to spend more of our efforts on doing the thing we love most – creating journalism that subscribers will value enough to pay us for.

It’s about time the dog wags its own tail.

AUTHOR

Rohin Dharmakumar

Rohin is co-founder and CEO at The Ken. He holds an MBA from the Indian Institute of Management, Calcutta and an engineering degree in Computer Sciences from the R.V.C.E., Bangalore.
