Can We Just Admit That The Idea Of A 'Privacy Policy' Is A Failed Idea?

from the no-one-reads-it,-it's-meaningless dept

At our Insight Dinner Salon on Privacy the other night, I got into a conversation about privacy policies, and how silly the concept has become. At this point, it's commonly accepted that very, very few people ever read a privacy policy. Furthermore, there's this bizarre belief that a privacy policy actually means a company will respect your privacy. Studies have shown that people will say that if a site has a privacy policy, it means that the site will protect their data, even if the policy makes it clear that the site operator can spread your data far and wide. In fact, the incentives are to write a "privacy policy you can't violate," by having it state you can do whatever the hell you want with the data you collect. It's the "best of all worlds," in which users think (incorrectly) they're protected, because a "privacy policy" exists... and the companies who use them can't get in trouble because it says the company can do whatever they want.

So forgive me for not being at all impressed with the Future of Privacy Forum complaining that so many mobile apps have no privacy policy. And things like the following statement don't do the FPF many favors:
"FPF believes that a fundamental element of protecting the privacy of consumers using Apps is the availability of a readily-accessible, written privacy policy."
Honestly, this feels like the requirement for a talisman, rather than a deeper look at the actual privacy issues (of which there are many) in the world today. Calling for more privacy policies doesn't really do anything to keep people's data more private. It's just something that can be done in the belief that it must help, even if there's scant evidence to support it.


Reader Comments

  1.  
    Griff, May 26th, 2011 @ 2:33pm

    My new credit card company

    My card company of > 10yrs was bought by a large bank.
    Hmm. Wonder what terms they'll change to get their £billion stake back.

    The new privacy policy was online as a PDF so I read it.

    There were three sections in effect
    - the ways we collect your data relating to you
    - the uses it can be put to
    - the groups of people we can share it with

    And if you take the worst from each category and make a sentence it would read something like

    We gather tons of data including every transaction you ever make and your IP address whenever you connect to our site,
    and we use this for any purpose that in our view helps our business, and we may share it with absolutely anyone it suits us to share it with.

    As an exercise I tried to copy the worst bits, stitch them together with a few "..." between and paste into an email back to their customer service dept and ask them to clarify.

    But the PDF of their terms is not possible to copy from. I tried it lots of ways. In the end I thought maybe I'd print it to another PDF then copy from that. But CutePDF couldn't print it (weird error).

    When they put that much effort into stopping you quoting their privacy policy in an email, it HAS to be time to move on!

     

  2.  
    Anonymous Coward, May 26th, 2011 @ 2:41pm

    I'd actually like to see a talisman requirement for web sites.

     

  3.  
    Steve R., May 26th, 2011 @ 2:47pm

    Intuit's Cumbersome Privacy Policy

    I have issues with Intuit. Intuit for one requires that you buy a new version of Quicken every three years. TurboTax, obviously, has to be bought every year. Each of these programs has the link so that you can opt-out.

    Well, by the way it is structured, Intuit makes it complicated for the consumer to opt-out. First, when updating/upgrading there is NO indication that your prior privacy selection would remain in effect. Strike 1.

    Second, when opting out, you have to re-enter all the information that you previously entered (from the act of registration and from prior years). Strike 2.

    Third, when you opt out there is a confusing message concerning whether you would continue to actually receive valid program updates. I assume that Intuit wants you to believe that by opting out of marketing junk mail that you would no longer receive program updates. Strike 3.

    Computers are supposed to make life easier by eliminating the necessity to re-certify your preferences and by eliminating the need to re-enter duplicate data. I assume that Intuit is abusing computer technology in the hopes that people won't re-certify their decision to opt-out.

    On the positive side, I have not been receiving any spam from Intuit.

     

  4.  
    Anonymous Coward, May 26th, 2011 @ 2:56pm

    Privacy policies have never been about protecting the privacy of the user. It's always been about how the EULA or privacy policy can legally screw you by using your information whether you agree or not.

    As a general rule of thumb, the longer the policy is, the more nasties are in it. They need all the extra words to have a hiding place for those nasties.

     

  5.  
    fogbugzd, May 26th, 2011 @ 3:08pm

    Even if a site has a decent privacy policy on the day you read it, that does not mean the policy is permanent. Companies usually reserve the right to change the policy unilaterally and without notice. And if the company is bought out all bets about your data are off.

     

  6.  
    Anonymous Coward, May 26th, 2011 @ 3:14pm

    What the hell is an "Insight Dinner Salon on Privacy"? A bunch of geeks getting their hair done while eating some sushi?

    :)

     

  7.  
    Anonymous Coward, May 26th, 2011 @ 3:21pm

    Re:

    Wait I found the right definition:

    "A periodic gathering of people of social or intellectual distinction"

    So, reading the first sentence, "At our...." Can somebody say EGO!!!!

     

  8.  
    Anonymous Coward, May 26th, 2011 @ 3:44pm

    Re:

    So it's sorta like steganography.

     

  9.  
    chrinich, May 26th, 2011 @ 3:45pm

    Re: My new credit card company

    Try your snipping tool...

     

  10.  
    FormerAC, May 26th, 2011 @ 3:46pm

    Changing privacy policies

    Nothing stops a site/app from changing a privacy policy anytime they want to. Even if they create a nice privacy policy saying they will never share anything, it goes out the window if they start losing money or a new VP comes in who changes it. They write a new policy and start selling everything. oops!

     

  11.  
    Robin Wilton, May 26th, 2011 @ 4:02pm

    Privacy policies

    Actually the issue is not with privacy policies: every online organisation should have one of those. The issue you describe is with the privacy policy statement, which is not the same thing. That may sound like nit-picking, but think of it like this: the privacy policy is the organisation's idea of how it intends to treat you; the policy statement is what it is prepared to tell you. So you're right: that statement needs to be seen for what it is, and judged against the visible evidence of how the organisation handles privacy, not just the window-dressing.

     

  12.  
    bdhoro, May 26th, 2011 @ 4:16pm

    south park

    I'm assuming you saw the first episode of this season of South Park a few weeks ago featuring the human cent-iPad. I was very happy as an avid reader of this site and a loyal fan of South Park that the entire plot of the episode was based on the fact that nobody reads the iTunes EULA.

    Basically Steve Jobs wanted to make the most advanced piece of technology possible - an iPad/iPhone that can also read and walk. He sews 3 subjects together from mouth to anus a la The Human Centipede, and attaches an iPhone to the head of the first guy and an iPad on the ass of the last guy.

    But still he is unable to get the device to read his EULA.

    I know, EULA and privacy policy are completely different but I just lump it in with documents that you're told you must read but aren't expected to.

     

  13.  
    Capitalist Lion Tamer, May 26th, 2011 @ 6:05pm

    Re:

    Talisman of Binding Agreement +4

    Binds when "I Agree" is clicked

    +3 Time Wasting
    +5 Social Networking
    +8 "Productivity"
    +24 Angry Bird Levels
    +24 Bikini Wallpaper
    -14 Actual Working
    -7% Available Storage Space

    Requirements:

    Level 30 or higher
    Classes: Wizard, Dark Elf, Early Adopter, Charlatan/Middle Manager

    Equip: Sends personal geodata along with A/S/L to ChatRoulette, Groupon & Foursquare. Auto-generates unbeatable deals on mutually pleasurable adult bookstore items/Mother's Day Cards.

    Cannot be unequipped. All data collected is the sole property of Apple, Disney and 4chan.

     

  14.  
    abc gum, May 26th, 2011 @ 6:43pm

    Re: Intuit's Cumbersome Privacy Policy

    Remember when TurboTax wrote some DRM-type key in the MBR? That went over like a lead balloon.

     

  15.  
    abc gum, May 27th, 2011 @ 5:01am

    Re: Privacy policies

    Either way the customer is just a commodity, something to be fleeced in the pursuit of increased profits. Policies and procedures are the weasel words produced in response to laws which require them, they mean nothing.

     

  16.  
    Patricia, May 27th, 2011 @ 10:51am

    Adobe's EULA and Privacy Policy

    I tend to agree that the phrase "privacy policy" is causing more trouble than benefit. How about we require a "data handling" disclosure?
    To Griff's comment - I had a similar experience with Adobe, described here: http://paymentsjournal.com/Blogs/Mercator_Blog/Adobe_%28and_Other_Un-named_Offenders%29__I_Expect_Better/
    This focuses on Flash, but I repeated the exercise with Acrobat Reader, with similar outcomes. Why worry? The disclosure PDF format is either not printable or not savable...and yes, says they can do virtually anything. Nearly every bank and financial co. uses Acrobat to format your downloadable bank statements. Is that safe and private? Who knows?....Does the bank take responsibility? Not at all.... So - if consumers DO try to read those policies, they get nowhere. I hope the evolution of the technology will lead to better, clearer choices for consumers.

     

  17.  
    eric arthur blair, May 27th, 2011 @ 11:57am

    that's an outrage....

    Please leave your name, email address and URL to comment on the importance of privacy....

     

  18.  
    ShaunDakin, May 27th, 2011 @ 12:41pm

    Privacy Policies are a good first step

    Thanks for the post.

    We (the Future of Privacy Forum - FPF) are agreed that privacy policies are a failure as a consumer communication tool.

    That is why we helped pioneer the use of privacy icons on the internet, particularly with online advertising.

    But a privacy policy is a must for any sort of accountability as privacy enforcement is limited unless a company has made a public formal commitment that the FTC can hold them to. And as all of us who have drafted privacy policies know, the process of doing so forces you to actually map in detail practices that you may not have otherwise fully documented.

    And until you know what you are doing, you can't possibly start to communicate about it.

    So creating a privacy policy is step ONE.

    Of course you can't stop there, you need to figure out how to communicate the key elements to users.

    For many mobile apps today, that isn't easy, given space constraints and the fact that the mobile platforms manage some key parts of the process.

    For example, Apple and Android properly ensure that Apps don't obtain user location without giving affirmative consent. However, since Apple and Google manage this process, an application developer (in the application) doesn't have an easy way to explain until later why the application wants location and what it will do with it.

    We believe that there is lots of work to be done here.

    So when applications do have privacy policies, FPF will come back and assess how well they are doing at taking the key points and communicating them clearly to the user.

    The FTC has just kicked off a new look at its Dot Com Disclosures for Advertising guidance so they are following this issue closely and are in particular looking at apps and the mobile space.

    So don't wait for our next survey! Our new site for developers, www.applicationprivacy.org, should provide some assistance.

    Feedback is much appreciated.

    Shaun Dakin
    Fellow
    The Future of Privacy Forum
    Application Privacy Project

     
