Notice and Consent

New Research: Rebecca Lipman, "Online Privacy and the Invisible Market for Our Data." The paper argues that notice and consent doesn't work, and suggests how it could be made to work.

Abstract: Consumers constantly enter into blind bargains online. We trade our personal information for free websites and apps, without knowing exactly what will be done with our data. There is nominally a notice and choice regime in place via lengthy privacy policies. However, virtually no one reads them. In this ill-informed environment, companies can gather and exploit as much data as technologically possible, with very few legal boundaries. The consequences for consumers are often far-removed from their actions, or entirely invisible to them. Americans deserve a rigorous notice and choice regime. Such a regime would allow consumers to make informed decisions and regain some measure of control over their personal information. This article explores the problems with the current marketplace for our digital data, and explains how we can make a robust notice and choice regime work for consumers.

Posted on February 26, 2016 at 12:22 PM • 12 Comments


Clive Robinson • February 26, 2016 2:44 PM

If people are thinking of downloading the PDF although it is 34 pages long... As is common in law journal form the lines are double spaced and there are lots of footnotes that can largely be ignored. It thus has about 17 lines / page to read which makes it about the same as an eight page technical paper, so don't be put off.

Now all I needs is a big steaming load of brownian motion generator (AKA Tea) in my pint mug and the comfy chair in the corner (and a couple of matchsticks to prop the eyelids ;-)

albert • February 26, 2016 4:16 PM

Don't bother. @Behavioral...and the abstract were enough to see the gist of it.
@Behavioral...said: "...society that will use technology to further enslave and control the masses who are becoming superfluous in the oligarchic economic model...."

The Elite believe that, but they're wrong. THEY are the superfluous ones. If one believes (as I do) that the masses include everyone except the Elite, then the Elite are in for a rough ride. They are incapable of doing anything for themselves, and will always have to rely on others to take care of things. Just maintaining the infrastructures (Physical and Technological) is a vast challenge, and the Elite can't even rise to meet it halfway.
The question I have is this: 'Will the revolution come from within, or without?'

. .. . .. --- ....

Kedzie • February 26, 2016 5:27 PM

@ Behavioral change not consent

Thanks for writing. Following your suggestions, we would have to avoid most or all smart phones, since they're proprietary. But then, how do we make encrypted phone calls? Signal, for example, uses Google Play Services, and it only works on Android and iPhone. Should we boycott it because it only works on proprietary systems?

If so, how do you recommend we make phone calls?

shhll • February 26, 2016 9:32 PM

The crucial thing about this article is the way Lipman puts her contractual blinkers on before she starts to think. Corporations naturally think the answer to everything is more and better contracts. Contracts are how corporations try to negate your rights. Outside the US corporate propaganda bubble, people believe your rights come first so corporations can't force you to give them up, like so

Winter • February 28, 2016 5:51 AM

"There is nominally a notice and choice regime in place via lengthy privacy policies. However, virtually no one reads them."

This is a false complaint. A user can read the policy, but it will not help him/her in any way to understand what s/he is consenting to. The policy is in legalese that requires knowledge of jurisprudence, which is inaccessible to the user. Furthermore, the acts of the firm are never specified (who gets what information). Again, the limits of the actions of the firm are legalese that a user cannot understand without the help of a specialized lawyer.

SB • February 28, 2016 10:03 AM


Here, if you're having trouble understanding some of the legalese, let me help you:

"The Company can do whatever it wants, whenever it wants, with anything it wants, and you have no recourse whatsoever. You are required to consent, in order to use any of our services."

That's a pretty good overall summary of all of them. Why would you need a lawyer to understand that?

And what kind of choice is that? Your choice is to do no business with anyone anywhere ever, and live like a hermit in a cave... or agree to these things!

sanders34 • February 28, 2016 12:47 PM

well.... contract law gets complicated -- not all contracts are enforceable in court even if both contracting parties voluntarily agreed to a given contract (like these Notice & Consent situations).

The U.S. commercial legal standard of "Unconscionability" applies to heavily one-sided contracts. Unconscionable contracts are not enforceable.

Unconscionable contracts typically involve cases where a party inserts contract language unlikely to be understood or appreciated by the average person...or where a seller offers a standardized contract for the purchase of goods or services on a "take it or leave it" basis, without giving purchasers realistic opportunities to negotiate terms that would benefit their interests.

Delightful Details • February 29, 2016 1:05 AM

"and the numbers of people making significant changes to their on-line behavior is still negligible."

Citation needed, it sounds like something you made up.

arfnarf • February 29, 2016 3:31 AM

So who uses their real demographic data online anyway? Facebook is probably an exception, but in general fake information is easy to provide and hard to validate.

They can put what they like in their contracts but they can't enforce the quality of the data you provide. All they get is browsing profiles.

Mark Mayer • February 29, 2016 11:45 AM

Groups like Anonymous, the Cacophony Society, the Erisian Liberation Front, etc. could really mess with data sets if they used botnets to surf and enter data. They'd need to do an analysis of how the data is collected and used, but much of that info is public and what is proprietary can be pried out with the new Europe-U.S. privacy agreement.

This could also be a fun way to sabotage or subvert machine learning, which relies on large data sets. Garbage in, garbage out.

Beyond that, this might have applications for defeating mass surveillance based on bulk collection and metadata techniques.
