Can We Just Admit That The Idea Of A 'Privacy Policy' Is A Failed Idea?
from the no-one-reads-it,-it's-meaningless dept
At our Insight Dinner Salon on Privacy the other night, I got into a conversation about privacy policies, and how silly the concept has become. At this point, it’s commonly accepted that very, very few people ever read a privacy policy. Furthermore, there’s this bizarre belief that a privacy policy actually means a company will respect your privacy. Studies have shown that people will say that if a site has a privacy policy, it means that the site will protect their data, even if the policy makes it clear that the site operator can spread your data far and wide. In fact, the incentives are to write a “privacy policy you can’t violate,” by having it state you can do whatever the hell you want with the data you collect. It’s the “best of all worlds,” in which users think (incorrectly) they’re protected, because a “privacy policy” exists… and the companies who use them can’t get in trouble because it says the company can do whatever they want.
So forgive me for not being at all impressed with the Future of Privacy Forum complaining that so many mobile apps have no privacy policy. And things like the following statement don’t do the FPF many favors:
FPF believes that a fundamental element of protecting the privacy of consumers using Apps is the availability of a readily-accessible, written privacy policy.
Honestly, this feels like the requirement for a talisman, rather than a deeper look at the actual privacy issues (of which there are many) in the world today. Calling for more privacy policies doesn’t really do anything to keep people’s data more private. It’s just something that can be done in the belief that it must help, even if there’s scant evidence to support it.
Filed Under: privacy, privacy policies
Comments on “Can We Just Admit That The Idea Of A 'Privacy Policy' Is A Failed Idea?”
My new credit card company
My card company of > 10yrs was bought by a large bank.
Hmm. Wonder what terms they’ll change to get their ?billion stake back.
The new privacy policy was online as a PDF so I read it.
There were three sections in effect
– the ways we collect your data relating to you
– the uses it can be put to
– the groups of people we can share it with
And if you take the worst from each category and make a sentence it would read something like
We gather tons of data including every transaction you ever make and your IP address whenever you connect to our site,
and we use this for any purpose that in our view helps our business, and we may share it with absolutely anyone it suits us to share it with.
As an exercise I tried to copy the worst bits, stitch them together with a few “…” between and paste into an email back to their customer service dept and ask them to clarify.
But the PDF of their terms is not possible to copy from. I tried it lots of ways. In the end I thought maybe I’d print it to another PDF then copy from that. But CutePDF couldn’t print it (weird error).
When they put that much effort into stopping you quoting their privacy policy in an email, it HAS to be time to move on !
Re: My new credit card company
Try your snipping tool…
I’d actually like to see a talisman requirement for web sites.
Re: Re:
Talisman of Binding Agreement +4
Binds when “I Agree” is clicked
+3 Time Wasting
+5 Social Networking
+8 “Productivity”
+24 Angry Bird Levels
+24 Bikini Wallpaper
-14 Actual Working
-7% Available Storage Space
Requirements:
Level 30 or higher
Classes: Wizard, Dark Elf, Early Adopter, Charlatan/Middle Manager
Equip: Sends personal geodata along with A/S/L to ChatRoulette, Groupon & Foursquare. Auto-generates unbeatable deals on mutually pleasurable adult bookstore items/Mother’s Day Cards.
Cannot be unequipped. All data collected is the sole property of Apple, Disney and 4chan.
Intuit's Cumbersome Privacy Policy
I have issues with Intuit. Intuit for one requires that you buy a new version of Quicken every three years. TurboTax, obviously has to be bought every year. Each of these programs has the link so that you can opt-out.
Well, by the way it is structured, Intuit makes it complicated for the consumer to opt-out. First when when updating/upgrading there is NO indication that your prior privacy selection would remain in effect. Strike 1.
Second, when opting out, you have to re-enter all the information that you previously entered (from the act of registration and from prior years). Strike 2.
Third, when you opt out there is a confusing message concerning whether you would continue to actually receive valid program updates. I assume that Intuit wants you to believe that by opting out of marketing junk mail that you would no longer receive program updates. Strike 3.
Computers are supposed to make live easier by eliminating the necessity to re-certify your preferences and by eliminating the need to re-enter duplicate data. I assume that Intuit is abusing computer technology in the hopes that people won’t re-certify their decision to opt-out.
On the positive side, I have not been receiving any spam from Intuit.
Re: Intuit's Cumbersome Privacy Policy
Remember when turbotax wrote some drm type key in the mbr ? That went over like a lead balloon.
Privacy policies have never been about protecting the privacy of the user. It’s always been about how the EULA or privacy policy can legally screw you by using your information whether you agree or not.
As a general rule of thumb, the longer the policy is, the more nasties are in it. They need all the extra words to have a hiding place for those nasties.
Re: Re:
So it’s sorta like steganography.
Even if a site has a decent privacy policy on the day you read it does not mean the policy is permanent. Companies usually reserve the right to change the policy unilaterally and without notice. And if the company is bought out all bets about you data are off.
What the hell is a “Insight Dinner Salon on Privacy”? A bunch of geeks getting their hair done while eating some sushi?
🙂
Re: Re:
Wait I found the right definition:
“A periodic gathering of people of social or intellectual distinction”
So, reading the first sentence, “At our….” Can somebody say EGO!!!!
Changing privacy policies
Nothing stops a site/app from changing a privacy policy anytime they want to. Even if they create a nice privacy policy saying they will never share anything, it goes out the window if they start losing money or a new VP comes in who changes it. They write a new policy and start selling everything. oops!
Privacy policies
Actually the issue is not with privacy policies: every online organisation should have one of those. The issue you describe is with the privacy policy statement, which is not the same thing. That may sound like nit-picking, but think of it like this: the privacy policy is the organisation’s idea of how it intends to treat you; the policy statement is what it is prepared to tell you. So you’re right: that statement needs to be seen for what it is, and judged against the visible evidence of how the organisation handles privacy, not just the window-dressing.
Re: Privacy policies
Either way the customer is just a commodity, something to be fleeced in the pursuit of increased profits. Policies and procedures are the weasel words produced in response to laws which require them, they mean nothing.
south park
I’m assuming you saw the first episode of the this season of south park a few weeks ago featuring the human cent-iPad. I was very happy as an avid reader of this site and a loyal fan of South Park that the entire plot of the episode was based on the fact that nobody reads itunes EULA.
Basically Steve Jobs wanted to make the most advanced piece of technology possible – an iPad/iPhone that can also read and walk. He sews 3 subjects together from mouth to anus a la The Human Centipede, and attaches an iPhone to the head of the first guy and an iPad on the ass of the last guy.
But still he is unable to get the device to read his EULA.
I know, EULA and privacy policy are completely different but I just lump it in with documents that you’re told you must read but aren’t expected to.
Adobe's EULA and Privacy Policy
I tend to agree that the phrase “privacy policy” is causing more trouble than benefit. How about we require a “data handling” disclosure?
To Griff’s comment – I had a similar experience with Adobe, described here: http://paymentsjournal.com/Blogs/Mercator_Blog/Adobe_%28and_Other_Un-named_Offenders%29__I_Expect_Better/
This focuses on Flash, but I repeated the exercise with Acrobat Reader, with similar outcomes. Why worry? The disclosure PDF format is either not printable or not savable…and yes, says they can do virtually anything. Nearly every bank and financial co. uses Acrobat to format your downloadable bank statements. Is that safe and private? Who knows?….Does the bank take responsibility? Not at all…. So – if consumers DO try to read those policies, they get nowhere. I hope the evolution of the technology will lead to better, clearer choices for consumers.
that's an outrage....
Please leave your name, email address and URL to comment on the importance of privacy….
Privacy Policies are a good first step
Thanks for the post.
We (the Future of Privacy Forum – FPF) are agreed that privacy policies are a failure as a consumer communication tool.
That is why we helped pioneer the use of privacy icons on the internet, particularly with online advertising.
But a privacy policy is a must for any sort of accountability as privacy enforcement is limited unless a company has made a public formal commitment that the FTC can hold them to. And as all of us who have drafted privacy policies know, the process of doing so forces you to actually map in detail practices that you may not have otherwise fully documented.
And until you know what you are doing, you can’t possibly start to communicate about it.
So creating a privacy policy is step ONE.
Of course you can’t stop there, you need to figure out how to communicate the key elements to users.
For many mobile apps today, that isn?t easy, given space constraints and the fact that the mobile platforms manage some key parts of the process.
For example, Apple and Android properly ensure that Apps don?t obtain user location without giving affirmative consent. However, since Apple and Google manage this process, an application developer (in the application) doesn?t have an easy way to explain until later why the application wants location and what it will do with it.
We believe that lots of work to be done here.
So when applications do have privacy policies, FPF will come back and assess how well they are doing at taking the key points and communicating them clearly to the user.
The FTC has just kicked off a new look at its Dot Com Disclosures for Advertising guidance so they are following this issue closely and are in particular looking at apps and the mobile space.
So don?t wait for our next survey! Our new site for developers, http://www.applicationprivacy.org, should provide some assistance.
Feedback is much appreciated.
Shaun Dakin
Fellow
The Future of Privacy Forum
Application Privacy Project