Smart Lock Vendors Under Fire For Collecting Too Much Private Data

from the brave-new-world dept

Like most internet of broken things products, we've noted how "smart" door locks often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.

One such vendor, Latch, has increasingly had its products used by landlords eager to simply access to their properties and sell the technology as an advantage. That hasn't gone over all that well in New York City, where some residents have sued their landlords over the use of the locks, which many residents found cumbersome and difficult to use. Latch at the time reached out to us to note this shouldn't be a major obstacle, since users have the option of a smartphone app, a door code, and a physical key card to access their properties.

But there's another issue that has popped up regarding these products: the amount of data many smart locks are collecting and doling out to property managers. Privacy experts, for example, say the company's terms of service are overly broad, allowing the sharing of too much data with valued partners and landlords:

"Smart locks can be a great convenience and even privacy-enhancing for residents by allowing them to change codes when they wish or to allow one-time entry by a service provider, but they need strict privacy design and information governance to ensure they don’t cause more harm than good,” Jules Polonetsky, CEO of the Future of Privacy Forum, a nonprofit advocating for principled data practices in support of emerging technologies, tells OneZero. “[Latch’s] privacy policy allows some uses I would urge them to reconsider."

Latch says it's currently reviewing its privacy practices and revising its privacy policy "to remove any possible ambiguity and to make our strong record of privacy protection crystal clear." (Update: Latch told Techdirt the company never captures, stores or uses GPS location data of users, and does not share users’ personal data with third parties for marketing purposes or monetize that data.) The problem, of course, is that with few privacy guidelines and many napping regulators, there's not much really ensuring that smart lock companies (any companies, really) are following through on their promises. And as company ownership (especially in startup culture) changes, these policies can shift on a dime. In some cases that can even result in your product not working if its servers get shut down.

Many of these issues have also popped up increasingly in the realm of smart electricity meters, which can provide utilities with an unprecedented amount of detail regarding your daily habits, ranging from which appliances you most frequently use, how long you're home, and when you're not. The EFF has argued that this data should be protected by the Fouth Amendment, given 65 million of the devices have been installed in the United States over the last few years -- 57 million of them in consumer homes.

It's again a good example of how while everybody fixates on Facebook's (admittedly terrible) privacy practices, it's just one small part of a much larger problem that will soon go from bad to absurd. With your cell carrier, ISP, smart locks, electrical utility, and every IOT device in your home collecting data on every single move you make, it's not hard to envision a future where every step you take is monitored and monetized (and often poorly secured), with little serious recourse for consumer rights. It's a problem that's still not taken particularly seriously, despite the threat of looming privacy legislation perched just over the horizon.

Filed Under: data collection, privacy, privacy policy, smart locks
Companies: latch

Sonos Users Forced To Choose Between Privacy And Working Hardware

from the obey-or-suffer dept

For years now, we've highlighted how these days -- you don't technically own the things you buy. And thanks to a rotating crop of firmware and privacy policy updates delivered over the internet, what you thought you owned can very easily change -- or be taken away from you entirely. Time and tine again we've discussed how companies love to impose new restrictions on hardware via software update, then act shocked when consumers are annoyed because they've had either their rights -- or device functionality -- stripped away from them.

The latest example of this comes courtesy of Sonos, which informed users this week that "over time," they won't be able to use their pricey speaker systems if they refuse a new privacy policy update:

"A spokesperson for the home sound system maker told ZDNet that, "if a customer chooses not to acknowledge the privacy statement, the customer will not be able to update the software on their Sonos system, and over time the functionality of the product will decrease."

"The customer can choose to acknowledge the policy, or can accept that over time their product may cease to function," the spokesperson said.

In an e-mail to users, Sonos informed customers that they can "opt out of submitting certain types of personal information to the company; for instance, additional usage data such as performance and activity information." But users won't be able to opt out of data collection Sonos deems necessary to the system's core functionality. The problem with that, as we've seen with companies like Microsoft, is that companies aren't traditionally transparent about just what this "necessary" data entails, and tend to be overly generous when it comes to determining what personal data is "essential" in the first place.

In this case, the "functional data" Sonos won't let you avoid collection of includes email addresses, IP addresses, Sonos account login information, device data, information about Wi-Fi antennas and other hardware information, room names, system error data, and more. Needless to say, privacy advocacy groups like the EFF and the Center for Democracy and Technology aren't thrilled about users having to choose between their privacy rights or working hardware. Nor are they impressed by companies' apparent inability to cordon off essential functionality from data collection and sales:

"Sonos is a perfect illustration of how effective privacy, when it comes to not just services but also physical objects, requires more than just 'more transparency' -- it also requires choices and effective controls for users," said Joe Jerome, a policy analyst at the Center for Democracy & Technology.

"We're going to see this more and more where core services for things that people paid for are going to be conditioned on accepting ever-evolving privacy policies and terms of use," he said. "That's not going to be fair unless companies start providing users with meaningful choices and ensure that basic functionality continues if users say no to new terms."

Occasionally, consumer revolt is enough to change the tide. Media software developer Plex was forced to backtrack this week from an announcement that it would be issuing a new privacy policy that prevented users of its software from opting out of data collection and sales, including users that had paid for lifetime access to the service. Plex's retreat was forced after the company's forums lit up with complaints about what one customer called "super-duper bullshit." A subsequent Plex blog post stated that the company heard its users loud and clear, and would be reversing course on the decision.

Filed Under: bricking, freedom, freedom to tinker, ownership, privacy, privacy policy, terms of service
Companies: sonos

Why Everyone's Totally Overreacting To Spotify's Privacy Policy (Which Isn't As Bad As You Think)

from the it's-not-what-you-think dept

As you may have heard, yesterday there was a bit of a kerfuffle over the fact that Spotify changed its privacy policy in a way that people are calling creepy and eerie. And there's a ton of chatter on Twitter from people insisting that they'll never use Spotify again because of this. The specific changes that have people up in arms sure do sound creepy at first glance. The key problems are that Spotify's new privacy policy says that it "may collect information stored on your mobile device, such as contacts, photos, or media files" and that it "may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit)." There's some other stuff about how it may share information with third party services.

I understand, instinctively, why so many people freaked out about this -- but it's a pure overreaction for a variety of reasons, which we'll dig into here. There are problems with this whole scenario, but it has a lot more to do with (1) the stupid reliance on "privacy policies" rather than "user controls" for privacy and (2) Spotify's apparently asleep-at-the-wheel PR team.

Privacy is a Trade-off Not a Thing

As we've said before, if you ever want perfect privacy, you'd never leave your house. The second you leave your home, you're giving up some level of privacy. But it's a trade-off most people think is perfectly reasonable. Privacy is always like that. It's a trade-off between the benefit you get from giving up a little privacy in order to get the thing that you want. The idea that privacy is some absolute "thing" is a weird way of looking at privacy and makes it difficult to do things in a reasonable manner. The real issue, then, is making sure that people understand the trade-offs involved (and we'll get to that below).

Spotify's Privacy Policy is Not that Crazy.

Much of the reaction is because people immediately assumed that there was some nefarious reason why Spotify was going to collect all this information on people. Yet, as a few people pointed out when everyone started freaking out -- and which Spotify eventually clarified in a blog post "apologizing" for the poor roll out, there are legitimate service reasons for each of these requests. Also, the company made it clear that before it actually accesses any of this content, it would first ask your permission. In short, it's like when various services ask if you'd like to "find friends" using a service, you have to first approve it. Same would be true here. And, note, that each of the uses would be for services that some people might actually like (personalizing cover art, voice control, etc.):

Photos: We will never access your photos without explicit permission and we will never scan or import your photo library or camera roll. If you give us permission to access photos, we will only use or access images that you specifically choose to share. Those photos would only be used in ways you choose and control – to create personalized cover art for a playlist or to change your profile image, for example.

Location: We will never gather or use the location of your mobile device without your explicit permission. We would use it to help personalize recommendations or to keep you up to date about music trending in your area. And if you choose to share location information but later change your mind, you will always have the ability to stop sharing.

Voice: We will never access your microphone without your permission. Many people like to use Spotify in a hands-free way, and we may build voice controls into future versions of the product that will allow you to skip tracks, or pause, or otherwise navigate the app. You will always have the ability to disable voice controls.

Contacts: We will never scan or import your contacts without your permission. Spotify is a social platform and many people like to share playlists and music they discover with their friends. In the future, we may want to give you the ability to find your friends on Spotify by searching for Spotify users in your contacts if you choose to do that.

The Real Problem is that We Use Privacy Policies at All

For many years, we've been pointing out that this whole system of privacy policies is broken. It's one of those ideas that people came up with years ago that sounds good, but isn't. And yet, we're not only stuck with it, we have politicians who keep pushing more requirements for more privacy policies. But that's stupid.

First: the only way you can legally get in trouble over privacy issues is by violating your privacy policy. So every company is incentivized by law to create privacy policies that are very broad and expansive, making it less likely they'll violate them in the first place. The only time such a broad privacy policy backfires is if the public suddenly has a viral panic about it, like this time, but that rarely happens because no one reads privacy policies.

In fact, one of the worst things about privacy policies is that people simply believe if you have a privacy policy it means "oh they'll keep my info private" even if the privacy policy says "we're going to share your information with everyone."

Let's face it: privacy policies are a stupid way to deal with privacy. They don't work. They fuck up incentives. No one reads them. And yet, because politicians are clueless, they're often "required." You end up with grandstanding politicians who play gotcha games on privacy policies, without caring about actual privacy practices.

The Way to Deal With Privacy is MORE TRANSPARENCY and MORE USER CONTROL

Rather than using privacy policies, the real way to deal with privacy is to give the end user more transparency into what's happening and more control. I don't have an iPhone, but I believe it already offers the ability at an individualized level to allow users to block apps from accessing certain features/data on a phone. And I know that the next version of Android is moving to a similar model, including only asking you to approve privacy permissions at the moment the app is requesting it. In other words, when Spotify wants to access your photos, the app will directly ask you for permission at that moment -- and, assuming it's for something you want to do (like customizing your cover art), you're more likely to grant permission without thinking it's creepy at all.

The Real Problem Here Was The Perception Problem

And this is something Spotify should have prepared for much better. The company probably assumed, incorrectly, that no one would really read the new privacy policy, because no one reads privacy policies. But that didn't happen. What Spotify should have done is from the beginning describe the new features it was offering -- with a direct explanation of why that feature might then require a change in the privacy policy, along with the promise that the app will ask permission directly at the time of use. Spotify eventually kind of got there, but they did it after, not before. This goes back to the "more transparency" aspect above. Do it that way, and you have less of a freakout.

So, really, to everyone freaking out over Spotify's privacy policy, I understand the gut reaction reasons for doing so. Of course, at first, it seems fucked up that a music player wants to access your contacts or your location. But there are perfectly legitimate, non-nefarious reasons for doing so. And Spotify could have cut off the freakout by being more transparent and upfront about things at the beginning. But, really, the problem here is our stupid reliance on privacy policies, rather than user controls.

Filed Under: apps, control, music, privacy, privacy policy, tradeoffs, users
Companies: spotify

Facebook's Updated Privacy Policy Breaches EU Law, Belgian Study Claims; Other Countries Investigating

from the must-try-harder dept

Europeans have a rather ambivalent attitude to Facebook. On the one hand, millions of them love using it. On the other, many people are worried about the huge stores of personal information it is building up on its users -- and what it does with it. This has led to various attempts by the Austrian Max Schrems to find out what Facebook knows about him -- and to establish whether its handling of his data is compliant with EU data protection laws. Separately from those efforts, the Belgian privacy commission has been investigating Facebook's privacy policy. It asked researchers at a pair of local universities to provide an analysis. Here's what they found, as reported by the Guardian:

A report commissioned by the Belgian privacy commission has found that Facebook is acting in violation of European law, despite updating its privacy policy.

Conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, the report claimed that Facebook's privacy policy update in January had only expanded older policy and practices, and found that it still violates European consumer protection law.

The report runs to over 60 pages (pdf). The key findings are as follows:

To be clear: the changes introduced in 2015 weren't all that drastic. Most of Facebook's "new" policies and terms are simply old practices made more explicit. Our analysis indicates, however, that Facebook is acting in violation of European law. First, Facebook places too much burden on its users. Users are expected to navigate Facebook's complex web of settings (which include "Privacy", "Apps", "Adds", "Followers", etc.) in search of possible opt-outs. Facebook's default settings related to behavioural profiling or Social Ads, for example, are particularly problematic. Moreover, users are offered no choice whatsoever with regard to their appearance in "Sponsored Stories" or the sharing of location data. Second, users do not receive adequate information. For instance, it isn't always clear what is meant by the use of images "for advertising purposes". Will profile pictures only be used for "Sponsored Stories" and "Social Adverts", or will it go beyond that? Who are the "third party companies", "service providers" and "other partners" mentioned in Facebook's data use policy? What are the precise implications of Facebooks' extensive data gathering through third-party websites, mobile applications, as well recently acquired companies such as WhatsApp and Instagram?

Unfortunately for Facebook, this is just the start of a much wider investigation across Europe:

The Belgian Privacy Commission is also part of a European task force, which includes data protection authorities from the Netherlands, Belgium and Germany. [Leuven University's] ICRI/CIR and [Vrije Universiteit Brussel's] iMinds-SMIT will continue to support the Privacy Commission in the context of its investigation and future updates to the report will also be shared with their German and Dutch colleagues.

The Guardian notes that other European groups are scrutinizing Facebook's privacy policy:

Facebook is already being investigated by the Dutch data protection authority, which asked Facebook to delay rollout of its new privacy policy, and is being probed by the Article 29 working party formed of data regulators from individual countries across Europe, including the UK’s Information Commissioner’s Office.

Looks like Facebook has a busy few years ahead of it -- and what applies to Facebook is also likely to apply to a host of other companies that offer online services based on gathering large amounts of personal data in Europe.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: belgium, data protection, eu, privacy, privacy policy, terms of service
Companies: facebook

TRUSTe Pays Up $200k To Settle Charges Of 'Deceiving Consumers' Over Its Certification Of Sites

from the not-so-truste dept

TRUSTe, the organization whose seals of approval are used by many sites to prove that they're trustworthy, especially with regards to privacy practices, has just agreed to pay the FTC $200,000 and change its representations about how it goes about certifying various sites. In particular, the FTC claims that TRUSTe did not review sites frequently enough. Separately, there were some shenanigans over the fact that TRUSTe switched from being a non-profit to a for-profit operation in 2008, but let users of the seal still tell people that TRUSTe was some sort of non-profit (as many in the public have believed).

The FTC’s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year.

In addition, the FTC’s complaint alleges that since TRUSTe became a for-profit corporation in 2008, the company has failed to require companies using TRUSTe seals to update references to the organization’s non-profit status. Before converting from a non-profit to a for-profit, TRUSTe provided clients model language describing TRUSTe as a non-profit for use in their privacy policies.

The proposed order announced today will help ensure that TRUSTe maintains a high standard of consumer protection going forward.  Under the terms of its settlement with the FTC, TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.

There is an interesting partial dissent from FTC Commissioner Maureen Ohlhausen, effectively challenging the issue with other websites still saying TRUSTe is a non-profit. While the issue is that TRUSTe was recertifying these websites, and thus should have said that they had to make the certification clear, Ohlhausen points out that it's wrong to blame TRUSTe for statements made by other sites and not by TRUSTe itself.

Unlike Shell and Magui Publishers, the statement that TRUSTe provided to its clients was indisputably truthful at the time. During the period in which TRUSTe required client privacy policies to state that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once TRUSTe changed to for-profit status, it no longer required clients to state its non-profit status and actively encouraged clients to correct their privacy policies. TRUSTe did not pass to clients any false or misleading representations regarding its for-profit status. Nor was TRUSTe’s recertification of websites a misrepresentation of TRUSTe’s non-profit status to its clients; during recertification TRUSTe again clearly communicated its for-profit status to clients by requesting that its clients update their privacy policies. Because TRUSTe accurately represented its non-profit status to its clients, TRUSTe cannot be primarily liable for deceiving consumers under a means and instrumentalities theory.

This argument makes a lot of sense, and as someone concerned about secondary liability in a variety of places, it does seem wrong for the FTC to hold TRUSTe responsible for the conduct of third party sites, even as it was recertifying them. Either way, this settlement is a good reminder that just because there's a "trusted" certification on a site, it doesn't always mean the site is trustworthy...

Filed Under: certification, ftc, privacy policy, secondary liability
Companies: truste

California Attorney General Uses Twitter To Threaten United Airlines With Possible Legal Action

from the pointless-privacy-policies dept

Can we just admit that laws requiring privacy policies are a dumb idea? They make almost no sense. No one reads them. And the laws requiring them don't require that you actually keep info private... just that you have one of those privacy policies that no one reads and no one cares about. The only ways you get in trouble are (a) if you don't have a privacy policy or (b) if you don't abide by your privacy policy. Thus, the basic incentive is to write a privacy policy that is opaque and which no one will read -- and which says "you have no privacy at all, we can do whatever we want with your data" so you could never violate it.

But grandstanding politicians see this as an easy and cheap way to be seen as "protecting the little guy" even though it does nothing along those lines. It appears that California Attorney General Kamala Harris may be jumping into the fray -- and bizarrely using Twitter to passive aggressively threaten United Airlines. In a tweet, she asks the company where its privacy policy is on its mobile app:

Fabulous app, @united Airlines, but where is your app’s #privacy policy? 1.usa.gov/SWGCTm

— Kamala Harris (@KamalaHarris) October 12, 2012

That link is to California's law that requires privacy policies. But, once again, we're at a loss to see what this does for actual privacy, if anything. If the app doesn't have a privacy policy, does that change how United Airlines uses people's data? Doubtful. Is anyone who uses the app actually reading the privacy policy? Doubtful. If they do, will they understand it? Unlikely. So, what does this kind of thing do? You'd think that there were, perhaps, more pressing things for the state to focus on rather than harassing companies on Twitter.

Filed Under: apps, california, kamara harris, privacy policy
Companies: twitter, united airlines

FTC To Monitor MySpace And/Or Empty Space For 20 Years

from the why-you-write-broad-privacy-policies dept

We've discussed many times that the main problem with privacy policies is that their very nature encourages companies to actually do less to care about your privacy. That is, the only way a company gets in trouble with their privacy policy is if they don't obey their own privacy policy. Thus, it's much smarter to create a privacy policy that effectively says that the company can do whatever it wants and doesn't have to respect users' privacy. In that way, it's much harder to actually violate someone's privacy. Considering that no one actually reads these privacy policies (and for the few who do, no one understands them) means that it's even easier to make that work. Still, however, some companies go beyond their own privacy policies, and the FTC has to step in and slap them around. The latest... is MySpace.

Yes, MySpace. That also-ran social networking site that no one uses any more has come to an agreement with the FTC over violating its own privacy policy. Specifically, it appears that MySpace made it possible for advertisers to associate identities with advertisements so that advertisers could build a direct profile of an individual. Of course, it doesn't appear that anyone actually did this. The settlement means that MySpace will undergo "regular privacy assessments" for the next 20 years. I have two thoughts on this: first, there is almost no chance that MySpace exists in 20 years. Second, I never understand this 20 year deadline on FTC deals. If, miraculously, there is still a MySpace in 2033, it can go back to skimping on its privacy protections?

Filed Under: ftc, privacy policy
Companies: myspace

To Read All Of The Privacy Policies You Encounter, You'd Need To Take A Month Off From Work Each Year

from the get-busy-reading dept

We've discussed the stupidity of privacy policies many times in the past. Honestly, it's an idea that serves no useful purpose, yet most sites are required to have one, and if you don't, people get all upset. But no one reads them, and most people incorrectly assume that if a site has any privacy policy, they must keep data private.

The reality is that the incentives of a privacy policy are to not use it to keep your info private. In fact, the incentives are to make a privacy policy as permissive as possible. Because the only time you get in trouble is not if you fail to protect someone's privacy... but if you violate your own privacy policy. So companies have the incentive to write a privacy policy that is as permissive to the company as possible, so that they're less likely to avoid violating their own privacy policy. That is, conceptually, the best privacy policy for a company is one that says "we don't take your privacy seriously at all and share all your data," because then they'll never break that policy. Of course, companies don't go that far, because that's pretty extreme -- but it does lead to vague privacy policies that no one reads anyway. Oh, and even when people do read them, almost no one understands them.

In fact, a new report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year -- or about 30 workdays. The full study (pdf) by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies.

They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered... and even 154 hours just to skim them. They used some variables to create a lower and upper bound estimate as well: They then go further to try to estimate the cost to the economy of all this privacy policy reading, but I always finds such extrapolations to be pretty meaningless. They assume a constant return on time, so just like bogus studies about how much personal surfing "costs" the economy, those figures seem totally meaningless. But the amount of time estimates do seem completely valid.

And, here's the thing: that's only for privacy policies. Imagine if you read terms of service and end user license agreements too... Of course, sometimes those include little hidden gems. Like the time a company put a clause in its EULA that the first person to read that clause and contact them would get $1,000. It only took four months for someone to actually spot it.

Filed Under: eula, privacy policy

Using Gaming To Drive Desired Behavior: Privacy Policy As A Game

from the pros-and-cons dept

I had just been listening to a recent On the Media rebroadcast of their episode all about video games. The episode is fantastic, but the part that I found most fascinating was during the final section on the future of gaming, which includes a wonderful clip from a presentation by Jesse Schell, in which he talks about the potential to "gamify" pretty much everything in life, giving people "points" (possibly points that can have tax implications) for desired behavior. Some of that behavior may be "desired" because it's good for you (if you brush your teeth long enough, you get extra points). And some of it may be "desired" because it's good for some companies (if you drink five Dr. Peppers this week, you get extra points).

JESSE SCHELL: And what will that world be like? Well, I think it'll be like this: You get up in the morning to brush your teeth and the toothbrush can sense that you�re brushing your teeth, and so, hey [BELL TONE], good job for you! [AUDIENCE LAUGHTER] Ten points for brushing your teeth. And it can measure how long, and you�re supposed to brush �em for three minutes, and you did. And so you get a bonus for that. Hey [BELL TONE], you brushed your teeth every day this week, another bonus. All right, and who cares? The toothpaste company, the toothbrush company; the more you brush, the more toothpaste you use. They have a vested financial interest. So then you go and you get on the bus. The bus, why am I taking the bus? You�re taking the bus because the government has started giving out [BELL TONE] all kinds of bonus points to people who use public transportation, and you can use these points for, for tax incentives. And you get to work [BELL TONE] on time, good job. You, you get a, a special bonus. So then you go to lunch and you've had Dr. Peppers all week, and so you know you got to have another Dr. Pepper �cause you get 10 points [BELL TONE], 10 points [BELL TONE], 10 points [BELL TONE], 10 points, and then you'll have another one [BELL TONE]. You know there�s a special with Dr. Pepper this week. If you have five Dr. Peppers in a week [BELL TONE], 500 bonus points, so you definitely have to take advantage of that.

And then you've got a meeting at another building that�s a half a mile away. And you could take the shuttle over but you decide, I'm gonna walk because the health insurance plan that you�re on [BELL TONE] gives you bonus points if you walk like more than a mile each day, and we can sense that easily, you know, through your digital shoes. And if you get your heart rate up [BELL TONE] above a certain, a certain amount, then you get more bonus points from your health insurance company. So then you�re going shopping on the way home, and man, this is like a place you can get a lot of points, and it�s really complicated so you let your like your app figure it out. It like looks at all the point systems you have, it looks at what you want and then it tells you which ones to buy [BELL TONE] in order to get, ooh, wow, a lot of points, just because I make good choices shopping. And then you get home and your daughter�s like, oh, I got my report card. And you�re like [BELL TONE] oh, good job. I mean, you�re getting 2,000 points from the state for getting� such good grades, and [BELL TONE] [LAUGHS] you�re getting 5,000 as a parent from the Obama bonus for the good parenting bonus, which you�re excited �cause you can use that as tax relief. And then you say, hey, wait a minute, wait a minute, did you practice your piano? And she�s like, yeah, I practiced my piano. Well, what score did you get? It�s like, oh, well, I got 150,000. A hundred and fifty thousand, that�s the best you've ever had on that particular [BELL TONE] sonata. That�s 9,000 points given by the Arts Council for your scholarship fund, so go you. Right?

Obviously, some of those things may strike some people as "good" and some may strike some people as "bad." But either way, understanding the likelihood of these things coming about is important, and you can see the full (extremely entertaining) video below. In the opening of the video, before he gets into all the stuff above, he talks about Facebook accounts, and things like Farmville, from Zynga, which he describes as "scary." Well, perhaps the scary folks at Zynga watched the video too, and at least thought a little about it in relation to privacy policies. That's because Zynga has revamped their privacy policy to make it a game, called PrivacyVille. Now, I'm on record as saying I think the entire idea of a privacy policy is a failed concept. No one reads them. No one understands that the privacy policy could say "we don't care at all about your privacy." Even those who read them don't know what they mean. It's a joke that makes some "privacy experts" feel good to say that sites need privacy policies.

But, this gets a bit more intriguing, when a company actually tries to give people incentive to not just read, but to understand a privacy policy. I don't think that others will suddenly "gamify" their own privacy policies, but I'm definitely intrigued by the concept of doing something very different with a privacy policy, rather than just what everyone else does.

Update: Or, as pointed out in the comments, it could all end up like this comic....

Filed Under: games, gamification, jesse schell, privacy policy, privacyville
Companies: zynga