Can We Just Admit That The Idea Of A 'Privacy Policy' Is A Failed Idea?

from the no-one-reads-it,-it's-meaningless dept

At our Insight Dinner Salon on Privacy the other night, I got into a conversation about privacy policies, and how silly the concept has become. At this point, it's commonly accepted that very, very few people ever read a privacy policy. Furthermore, there's this bizarre belief that a privacy policy actually means a company will respect your privacy. Studies have shown that people will say that if a site has a privacy policy, it means that the site will protect their data, even if the policy makes it clear that the site operator can spread your data far and wide. In fact, the incentives are to write a "privacy policy you can't violate," by having it state you can do whatever the hell you want with the data you collect. It's the "best of all worlds," in which users think (incorrectly) they're protected, because a "privacy policy" exists... and the companies who use them can't get in trouble because it says the company can do whatever they want.

So forgive me for not being at all impressed with the Future of Privacy Forum complaining that so many mobile apps have no privacy policy. And things like the following statement don't do the FPF many favors:

FPF believes that a fundamental element of protecting the privacy of consumers using Apps is the availability of a readily-accessible, written privacy policy.

Honestly, this feels like the requirement for a talisman, rather than a deeper look at the actual privacy issues (of which there are many) in the world today. Calling for more privacy policies doesn't really do anything to keep people's data more private. It's just something that can be done in the belief that it must help, even if there's scant evidence to support it.

Filed Under: privacy, privacy policies

Feds Say It Doesn't Matter If No One Reads A Privacy Policy; It Still Means Gov't Can Have Your Info

from the reading-is-not-fundamental dept

In the ongoing attempt by the US government to access Twitter info from some Wikileaks supporters, we noted that an odd part of the government's reasoning for why it should be allowed access to this info is that Twitter's privacy policy is evidence that users are willing to give up private info such as the info requested. That would seem to set a dangerous precedent, especially since almost no one reads privacy policies. The fact that such a privacy policy actually may apply beyond just the agreement between a service provider and a user, but to the government reaching in to access your info seems quite troubling.

In defending these claims, the government is going so far as to say it doesn't matter if no one reads privacy policies, it still means that people have willingly allowed the government to access their info in this case.

In their brief the U.S. attorneys attack an argument from Appelbaum, Jonsdottir and Gonggrjip's team that they shouldn't be held to Twitter's privacy policy--which allows authorities to lift data like users' IP addresses--because it's unreasonable to assume that users have read it or any other of the dense policies they face on commonly used sites.

"The existence of the Privacy Policy, even if unread by the Subscribers, undermines the legitimacy of any expectation of privacy the Subscribers may have had in the IP addresses they conveyed to Twitter," reads the brief. "Although individual users might be ignorant of the terms of Twitter's Privacy Policy, society is not prepared to recognize as reasonable an expectation of privacy that is directly contradicted by policy statements available to all who wish to read them."

But, of course, that seems to raise some other serious questions. The "privacy policy" is basically an agreement between the user and Twitter, not the user and the US government. Should the US government really be able to use the terms of such an agreement when it's likely that most people would not have considered the government a party to the agreement in the first place? And, does the government really want to establish a precedent that a policy applies even if no one has read it?

Filed Under: privacy, privacy policies, wikileaks
Companies: twitter, wikileaks

People Don't Read Privacy Policies... But Want Them To Be Clearer

from the sounds-good-to-me dept

We already know that people don't read online privacy policies and often (falsely) assume that if there's any such privacy policy it means their data is safe. There are, of course, even questions as to whether or not a privacy policy is even valid if no one reads it. Still, many consumer and privacy activists continue to act as if the privacy policy is a key aspect of online privacy. In fact, regulators in both the UK and the US seem to be admitting no one reads privacy policies, but demanding they are improved anyway. Specifically, a study done by regulators in the UK shows that 71% of people don't read privacy policies, but 62% want them clearer.

Now, you could make the argument that the reason people don't read privacy policies is because they are too confusing and not at all clear. And, there's something to be said for simplifying privacy policies. To be honest, I'm surprised no one has come up with a Creative Commons-like standard setup for privacy policies (pick and choose a few attributes, have nice images, and make it all clear in a single link). However, it seems to be focused on the wrong issue. It seems likely that the uselessness of privacy policies has a lot more to do with the fact that people don't care (or they don't believe any privacy policy, no matter how clear) or that they think no matter what the privacy policy is, it won't matter once the data is leaked or the company changes its policy. So rather than focusing on creating better privacy policies, shouldn't the focus be on what companies actually do rather than what they say they do?

Filed Under: complexity, privacy, privacy policies

What Should Be The Legal Recourse In Cases Of Privacy Policy Breaches?

from the big-questions dept

Privacy is an interesting issue -- where a lot of people have opinions on it that don't match up with either how they act or with what the law actually says. People say privacy is important to them, but then are very open about private things, even to the point of giving out all sorts of private info if someone gives them anything (chocolate, a pen, nothing at all). Yet, at the same time, if you talk to people about privacy, they talk about how important it is, and make silly demands about privacy policies, even though no one actually reads the policies, and assume (incorrectly) that if a site has any privacy policy, it means they'll keep the data completely private.

And, of course, we see privacy breaches on an all too regular basis. They've become a lot more noticeable over the last few years, as new rules required disclosure, but there are still questions about what it means if a company breaches its privacy policy. The traditional recourse has been one free year of credit monitoring service (if the breach included info that could be used for identity fraud). However, there have been some lawsuits over the matter, and as Ethan Ackerman and Eric Goldman discuss, the courts have been very reluctant to reward any damages to those who were "victims" of privacy breaches if there's no clear monetary loss.

This leads to a series of interesting questions. Congress has considered at times creating privacy legislation that could potentially include statutory damages for privacy breaches (and there are a few ideas for such legislation floating around with lobbyists). The problem with this, though, is that in some cases breaches really are inevitable -- and including a monetary reward could clearly (as Goldman notes) "overcompensate the victim or overdeter the defendant." That could have pretty significant unintended consequences, including significantly limiting the availability of certain services as companies don't want to take on the potential liability. At the same time, without any chance of monetary damages, there's a question about leaving little in the way of incentives for companies to actually take privacy seriously.

There's something to be said for the fact that a privacy breach does have a negative reputational impact on the companies who violate people's privacy, but it's reaching a point of saturation, where so many people's private info has been breached so often, that many people don't even register who's involved each time the latest breach comes along. So, it's not clear that there's a really good answer here -- though, I'm sure some folks in the comments will have some strong opinions. Should there be monetary awards for privacy breaches? Should Congress create a privacy law?

Filed Under: breaches, privacy, privacy policies, recourse

Does It Really Matter How Complex Privacy Policies Are?

from the not-really dept

Slashdot points out that a recent study of various privacy policies shows that most are at an extremely high reader level, in some cases ridiculously high. Of course, this is used to suggest that people don't understand the privacy policies they read -- but that's been known for years. But the issue has little to do with the policies themselves, because no one tends to read them, no matter how readable (or not) they are. In fact, many people falsely assume that the very presence of any policy means that their privacy is safe. So, even if a site has a privacy policy that says "you have no privacy, and we'll reveal all your data to whoever pays top dollar," people won't read it and will assume that a site will keep their data private. That's because people assume that any privacy policy means the site takes privacy seriously, even if that's not the case. Given that, it doesn't really matter how readable the privacy policy is, people aren't going to read it and aren't going to pay attention to what it says if they do read it. It seems like privacy policies, in general, are simply a relic of a legal system, rather than anything actually useful. Instead of focusing on the readability of privacy policies, shouldn't we be looking for a better solution altogether?

Filed Under: complexity, privacy, privacy policies

Don't You Feel Safer Now That Google Added A Link To Its Privacy Policy?

from the phew! dept

One of the more idiotic accusations thrown at Google of late was this idea that it was somehow a problem that it didn't link directly to its privacy policy from its home page. It had a privacy policy. That privacy policy was easy to find. Almost no one actually reads its privacy policy -- but a bunch of privacy groups who surely had more important things to spend their time on got all upset that Google refused to link from its front page. It appears that Google has now given in and agreed to link to the privacy policy, oddly removing the word "Google" from its copyright notice and replacing it with a link to the privacy policy.

Perhaps more idiotic is the response from a bunch of privacy groups claiming that this somehow makes a difference. It doesn't. It's privacy theater. It looks good, but it means nothing. People still won't read the privacy policy -- and even if they did, they probably wouldn't even remember what it said. Where a privacy policy is linked from a website is meaningless compared to what a company actually does to take the privacy of its users seriously. Getting up in arms over whether or not Google links to the privacy policy from its front page is a joke. And, oh yeah, some are noticing that just linking to the privacy policy probably does not fulfill the legal obligation required by California's law on linking to privacy policies. Perhaps these "privacy advocate" groups have something else to complain about now.

Filed Under: aclu, eff, hype, privacy, privacy policies, privacy theater
Companies: google

Marketing Execs And Privacy Execs Disagree Over What Companies Do With Private Info

from the data-leaks dept

We've already established that privacy policies are pretty much useless, no matter how much some organizations want to pretend they matter. First off, no one reads them -- and if you asked most people, they simply assume that if a site has any privacy policy then it automatically means they won't give away any personal details to others -- even if the privacy policy says exactly the opposite. In other words, someone could put up a privacy policy that says that it will reveal all your personal data to organized criminals, and most people would think that the site was safe. It's "privacy theater" designed to make people feel good, but that has nothing to do with real privacy.

And, of course, it's not just the people reading the policies that don't seem to understand them -- it's those in charge of living up to and enforcing the policies. A new study surveyed a bunch of executives, including both marketing execs and those in charge of enforcing the privacy policy, and quickly discovered that marketers have a very different concept of "privacy" than privacy officers. Not surprisingly, they don't see anything wrong with sharing all sorts of data that seems to horrify privacy officers. So, no matter who controls the policy (or where it's posted on a site), the real issue may be who actually has access to the data and what they're able to do with it.

Filed Under: marketing, privacy policies

Privacy Groups Miss The Point: It's Not Where Google's Privacy Policy Is, It's What It Does

from the focusing-on-the-wrong-thing dept

Last week, we wrote about the ridiculous concerns being raised by a few privacy advocates that (gasp!) Google doesn't include a link to its privacy policy on the front page. This seemed like a really pointless concern since almost no one reads these privacy policies anyway, and those who do often misunderstand the policy anyway. Besides, there are plenty of companies out there that don't even abide by their own privacy policies. In other words, the real issue isn't where the privacy policy is, but whether or not the company actually keeps its promises and treats its users' data properly.

And yet... a bunch of consumer and privacy groups, including ones I respect like the EFF and the ACLU are now trying to turn this into a big deal by publicly demanding that Google add a link to its privacy policy on its home page. This isn't about privacy. This is "privacy theater." It's about putting on a good show that has nothing to do with whether or not Google is doing right by its users. If there's a link to Google's privacy policy on its front page or not, it won't change what Google does with users' info, and it almost certainly won't change the way anyone (other than maybe these groups) view Google. It's all a big show for no reason. There are plenty of important causes that these groups should be working on. Worrying whether or not Google links to its privacy policy from its front page or one page deep is silly pandering.

Filed Under: aclu, eff, hype, privacy, privacy policies, privacy theater
Companies: aclu, eff, google

Does Anyone Really Care Where Google Places Its Privacy Policy?

from the isn't-it-more-important-what's-in-it? dept

In the past, we've discovered that most people don't read a website's privacy policy, and many (incorrectly) assume that as long as a site has a privacy policy, then it means that the site will keep their info private -- even if the policy is to say the exact opposite. Basically, what this means is privacy policies are almost entirely meaningless. Yet, some still think they're important for show. Even more than that, they think that where you put the privacy policy matters. And that's put Google into a bit of a bind, as it tries to join the Network Advertising Initiative, a trade group that sets standards relating to how companies collect data for advertising purposes. The problem is that one of the NAI's principles is that the proper thing to do is put a link to your privacy policy on the homepage -- something that Google refuses to do. Google, of course, takes the look and feel of its front page rather seriously, and refuses to clutter it with anything it feels is unnecessary (other than the copyright notice, which was added after tests showed people didn't know if the page had finished loading).

All in all this seems like a totally pointless debate. As Google points out, if you want to find Google's privacy policy from the front page, the easiest thing to do is type "google's privacy policy" into the search box and you'll get there fast enough. Luckily, it looks like the NAI will likely relent and allow Google to join. However, isn't it about time that a trade group like this actually focused on things that mattered -- such as what's actually in a privacy policy, or whether companies live up to it (or whether users care), rather than where the privacy policy is linked?

Filed Under: privacy, privacy policies
Companies: google, network advertising initiative