Schneier on Security
A blog covering security and security technology.
« Movie-Plot Threats in the Guardian |
| Using Shredded Checks as Packaging Material »
September 4, 2008
Privacy Policies: Perception vs. Reality
New paper: "What Californians Understand About Privacy Online," by Chris Jay Hoofnagle and Jennifer King. From the abstract:
A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.
Posted on September 4, 2008 at 1:15 PM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Privacy policies are governed in good part by contract law. Contract law is a two-way street. Just as banks, web administrators and software vendors can communicate to visitors/customers what they assert to be the legal terms, customers can communicate back!
In principle, contract law does not favor either businesses or customers/users. As the future of privacy law unfolds, individuals may be able to use contract law to assert their legal terms on other parties, such as search engines or advertisers. Why shouldn't a consumer be able to broadcast what she expects to be the legal terms under which she does business? --Ben http://hack-igations.blogspot.com/2008/05/... My ideas are not legal advice for any particular situation; they are just ideas for public discussion.
In practice, contracts are often contracts of adhesion: if you want service, you're forced to agree to the (unmodified) terms of the phone company, or other large service provider. Contract law is supposed to require a "meeting of minds" but sadly, the large corporation can often tilt the playing field so much in their favor, that you have little recourse if they do something bad to you.
> seal that denotes adherence to some set of standards.
Man, the public is gullible.
Wasn't the unambiguous communication of privacy policies the goal of P3P? That is, as an individual, you plug in what you consider acceptable, and then compare that against the P3P statement of a given site. If the supplied policy doesn't match your expectations, you don't continue browsing. (This is the theory, anyway; in practice it's about as easy as getting people to care about SSL cert mismatches or even keeping secure passwords. Moreover, I don't think there are any mainstream implementations to speak of.)
They and the politicians...
I often get the feeling in the U.K. that the "Lords" have a resonable comprehension of modern technology. Whereas the "Commons" appear to only listen to those with a significant financial interest in keeping technology regulated the way they want. Usually this not the way the voter wants or needs...
I guess in these days when the political party currently incumbrent in the Commons is effectivly bankrupt, a bung in the parties pot directly or indirectly does get you what you want...
All your bits are belong to us.
It also rather unfortunately was finished right in the middle of the dot-burst aftermath when e-commerce was not a hot topic anymore, which didn't help its adoption problem.
Ironically, Internet Explorer is the only remaining popular browser that implements P3P and lets you adjust some privacy related settings (cookie acceptance) to take a published P3P policy into account.
Mozilla used to have a more complete implementation, but it was unceremoniously axed when the Mozilla Suite was abandoned in favour of Firefox.
I do not recommend reading the bugzilla entries related to that, since it is quite depressing material.
Essentially, the maintainer of that particular area (of the UI!) figured that the P3P implementation was a big chunk of disposable code with an ugly interface and nobody objected. The actual functionality was finally removed from Firefox 2.
While it is debatable that P3P really provided an effective means of helping web clients actively protect the user's privacy online, it was the only web standard related to privacy that we ever had. Nearly ten years after the need to have such a standard was recognized, we are back to zero again today.
At some point security becomes so expensive and time-consuming that only an elite can afford privacy. Is there a case to be made that regulation of the data market is needed to bring the cost down?
A question I often wonder about is what real costs do we bear today if we want to control our data and who benefits most from generating entropy (or lack of individual awareness/control)?
And I am pretty sure that they did not lie :)
Sounds like the Californian public has very reasonable expectations. It would be nice if the law followed suit.
In a similar vein, here is an amusing analysis of how complex privacy policies are (recently mentioned on slashdot). Even if consumers wanted to read and understand privacy policies, the average consumer couldn't.
Yet another example of the country I love being filled with....reality challenged people :(
@Phillip: There is an easy fix for that! http://it.slashdot.org/comments.pl?... (its not my post, but its an excellent idea):
"I'm a firm believer that there are simply too many people. Why can you pay someone $2 for this? It should cost more... but there are people willing to do it because there are too many people competing for the same jobs...
You can expand this to the food crisis, energy crisis, etc. bottom line is, there are too many people. And why? Because we're the top of the food chain. Because we heal ourselves, and live too long. Because someone that weighs 500 pounds lives alongside those fit for this society.
My proposal is to clone rapters [sic]. Then no longer would be be at the top of the food chain.. they could simply sculpt our society into one that we can manange. and lets face it, they could do it pretty effectively. Rapters are fast and intelligent, hunt in packs, and hell.. they can even open doors! Support rapter cloning!"
If we can't get real privacy, we need laws to protect us from all the subtle kinds of discrimination that are likely to result from not having it.
This news is OLD. Get with the program.
Question: do privacy policies have any legal weight whatsoever?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.