Making Privacy Policies not Suck
Privacy policies are long legalese documents that obfuscate meaning. Nobody reads them because they are indecipherable and obtuse. Yet these are the documents that tell you what’s going on with your data — how, when, and by whom your information will be used. To put it another way, the privacy policy lets you know whether some company can make money from your information (like selling your email address to a spammer).
Creative Commons did an amazing thing for copyright law. It made it understandable.
Creative Commons reduced the complexity of letting others use your work with a set of combinable, modular icons.
In order for privacy policies to have meaning for actual people, we need to follow in Creative Commons’ footsteps. We need to reduce the complexity of privacy policies to an indicator scannable in seconds. At the same time, we need a visual language for delving deeper into how our data is used—a set of icons may not be enough to paint the rich picture of where your data is going.
Understanding Data Flows
With the rise of web services, your information can end up in unexpected places. To get a better understanding of some of the complexities of data flow, we sketch out how Anti-phishing works in Firefox (with help from Oliver Reichenstein).
Here’s what that looks like as a wall of text, which is the typical privacy policy mode.
The difference in understandability is huge between the text and the schematic. In fact, while we were working on creating this infographic we found a hole in our legalese and updated it accordingly.
The idea here is that by creating a visual schematic language, it becomes a relatively painless way for a company to convert its wall of text into something a bit more approachable. And the visualization actually shines a light into the dense tangle of words, possibly highlighting flaws or trouble spots that would otherwise have remained hidden.
The simple form
The visual schematic language is a descriptive way of explaining a privacy policy and helps us to understand what’s going on underneath the hood. It doesn’t solve the problem of being able to quickly figure out the guarantees a privacy policy is making on your data.
For that, we want to move from the descriptive to the prescriptive, to a set of legally binding icons like Creative Commons.
As an experiment, we tried a schematic form of icons. The feedback we’ve got so far is that the schematic is overkill and that a set of icons more similar to Creative Commons’ would be easier to scan and understand. The next step is for us to come up with a set of orthogonal decisions about what comprises the most important aspects of a privacy policy. In the end, we probably shouldn’t have more than 5 icons in the interest of simplicity.
For now, here is the set of axes we’ve come up with that need to be whittled down:
Is your information…
Shared with a 3rd Party? Shared internally within the company?
Anonymized/Aggregated before being stored or used?
Personally Identifiable?
Stored for more than x number of days?
Encrypted on the server?
Monetized (sold) in some way?
Usable to contact you?
Update: Based on the feedback, we’ve decided on the set of attributes people should care about.
Oscar Reyes
The irony of this post is that at first I resisted reading it all :) Because it looked like a wall of text; fortunately the images caught my attention ;)
Zack Grossbart
It might help to think of this in terms of what you won’t do instead of what you will. When I give my data to someone I’m more interested in what they won’t do with it. Now your list becomes:
We promise we won’t:
Share your data
Sell your data
Contact you with your data
Extract your data
Most customers don’t worry about encrypting data past knowing it is secure. You aren’t going to tell them which cryptographic algorithms you’re using. I also don’t think most people worry how long you’ll keep the data.
You could go with the Creative Commons model around the words share, sell, contact, and extract. Maybe mine would be better than extract.
I hope this helps.
Michael Kaply
Aza,
You should check out privacychoice (http://www.privacychoice.org/)
They’re attempting to do exactly what you are talking about.
karl
I had a smile. Following “You can help us brainstorm them.” I had a page saying that I had to enable cookies to be able to use the site. :)
The brainstorm is not accessible without cookies.
eig
I agree with Zack.
That’s all I want to know, but the schematic flow of what you “do” may be needed when a business user wants more detail.
Richard Paul
A complication I see with this is the range of different data you give to a service. While some of the data I give to a service I may want shared (listening habits on last.fm) other details like my email address I wouldn’t want shared.
A possible solution would be to group the provided data, then for each group (personal details, listening habits) apply the privacy policy.
James
Simply saying “anonymising” is misleading – there’s plenty of ways to deanonymise data. And in this particular case, safebrowsing.clients.google.com sets a cookie.
bhseo
I started a thread about this on HN:
http://news.ycombinator.com/item?id=915256
Lawrence
Some great thoughts and it’s definitely an issue that needs addressing, however, I was almost put off in the first line. Language is ultra important, therefore is using a word like ‘obfuscate’ particularly open and accessible? Just a small point I know…
Jaanus
Check out some related work: http://cups.cs.cmu.edu/blog/?p=175
dl
Aza my one mantra in this day of interface…
cube instead of line…or in this case square.
and I have serious issues with Creative Commons for over-simplicity issues… in translating what they were doing from something written or music (usually 1person or a handful involved in creation) to something incredibly complex and layered like film.
Sometimes things are complex for a reason… and a person’s investment and time in understanding is to protect them from the “hiddens” in the complexity.
I fear the ongoing need/mistake from web-development losing site of that for a need for easy accessibility. I understand the need to make interface efficient and easy… but some things …well the investment in complexity time and getting over annoyance shows how serious someone may take what they might need to…seriously…ya know?
Rolf Kleef
Wonderful to have discovered this post, and the links here!
I’m working with an alliance of Dutch platforms aimed at international development cooperation, and we looked at Creative Commons too as a model.
Sure, Creative Commons may not be perfect, but now I can write a creative commons licensed document and find images and texts of others I can remix into it.
We want a similar thing for online volunteering. How to “harmonise” privacy policies and terms of use, *and* make it clear to the users.
If you spent efforts getting through the approval process on one platform (as a volunteer or as a project), and each platform accepts the approval process of the others, it can make it easier to cross post to another platform with a different audience or different services.
So, much like Creative Commons we hope to find/develop something like: we share the information you publish with other platforms that comply with privacy policy “non-commercial, share-alike” PP-NC-SA
A bit like Creative Commons helps you assert your rights by mostly giving you an option to declare you want to share widely, it might be insightful to also look at “privacy” from the angle of wanting to share?
Albob
@dl:
I think those are two compatible things. You can still provide a complex text to the person who wants to know all the details, but a few icons are a good way to get an overview of the text. And If we don’t bring simplification, well then the situation stays the same: people will get pass the text without reading it because they don’t care investing so much time reading it. Also sometimes, you simply don’t understand that text.
Jos
I would want to know about the “half-life” of my data with the provider. Also, can i get my data out (export)? Can i cancel/remove *all* my data? I don’t know if this comes under the privacy policy, but they are closely related.
Gerv
You need to decide whether “lots of icons = good privacy” or “few icons = good privacy”.
So say, for example, you had a default of the world’s best privacy policy, and then people had to add “exception” icons for deviations. So you might have the defaults be:
Only used within the company
Not used to contact you without an opt-in for each type of communication
Traffic data is anonymized immediately
Traffic data is deleted after three months
And then, if the site wanted to differ from any of these, it had to add a “warning” icon. One for “can be sold”, one for “” and so on.
You also need to distinguish between the type of data collected and what is done with it. The user can normally tell what type of data is collected, because they are asked for it. What happens to it is far more important when it comes to a privacy policy. But your “personally identifiable?” question is about type of data and not use.
Atul
One thing I notice about privacy policies is that I often click through them not just because they’re a wall of text, but also because it’s not my locus of attention. For instance, sometimes I’m just signing up to some site because I want to look at some content that requires a login. And as privacy policies change, I don’t want to have to be nagged to look at them again.
The place where privacy policies *are* my locus of attention, or close to it, is when I’m actually giving information to a site: it’d be interesting if HTML could be tagged with privacy commons metadata, so that as a user is entering content or hovering over a field, a non-intrusive message is displayed telling them how their information may be used.
Being able to tag DOM elements with such metadata could also be potentially useful for mashups, so they know what data they should or shouldn’t be “doing stuff” with. That metadata could even be enforced by some sort of security policy, if necessary.
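Atul’s suggestion above (form fields carrying privacy metadata that a browser can surface on hover and a mashup can check before acting on the data), combined with the axes listed in the post, as an added JavaScript example. It is not code from the original post or from any commenter. The `data-privacy-*` attribute names, the yes/no value encoding and the purpose table are assumptions made for the example; only the axis names follow the post’s list. Each function takes a plain `dataset`-like object, which is what `element.dataset` yields in a browser, so the same code runs on real DOM elements and, as here, on constructed sample data.

```javascript
// Added example (not from the original post): a hypothetical "privacy commons"
// vocabulary carried as data-* attributes on form fields. Axis names follow the
// post's list; attribute names and value encoding are assumptions.

// `attr` is the camelCased dataset key, e.g. data-privacy-third-party.
const PRIVACY_AXES = [
  { key: 'thirdParty',    attr: 'privacyThirdParty',    type: 'bool', label: 'shared with a third party' },
  { key: 'internal',      attr: 'privacyInternal',      type: 'bool', label: 'shared within the company' },
  { key: 'anonymized',    attr: 'privacyAnonymized',    type: 'bool', label: 'anonymized before use' },
  { key: 'identifiable',  attr: 'privacyIdentifiable',  type: 'bool', label: 'personally identifiable' },
  { key: 'retentionDays', attr: 'privacyRetentionDays', type: 'int',  label: 'kept for {v} days' },
  { key: 'encrypted',     attr: 'privacyEncrypted',     type: 'bool', label: 'encrypted on the server' },
  { key: 'monetized',     attr: 'privacyMonetized',     type: 'bool', label: 'sold or otherwise monetized' },
  { key: 'contact',       attr: 'privacyContact',       type: 'bool', label: 'usable to contact you' },
];

// Parse one field's dataset into typed values. Missing or malformed axes are
// reported as errors rather than defaulted, so a silent omission can never be
// read as a favourable promise.
function parsePrivacyMetadata(dataset) {
  const values = {};
  const errors = [];
  for (const axis of PRIVACY_AXES) {
    const raw = dataset[axis.attr];
    if (raw === undefined) { errors.push(`${axis.key}: not declared`); continue; }
    const s = String(raw).trim().toLowerCase();
    if (axis.type === 'bool') {
      if (s === 'yes' || s === 'true') values[axis.key] = true;
      else if (s === 'no' || s === 'false') values[axis.key] = false;
      else errors.push(`${axis.key}: expected yes/no, got "${raw}"`);
    } else if (axis.type === 'int') {
      if (/^\d+$/.test(s)) values[axis.key] = Number(s);
      else errors.push(`${axis.key}: expected a non-negative integer, got "${raw}"`);
    }
  }
  return { values, errors };
}

// The short message a browser could show while the user hovers over or types
// into the field. `fieldLabel` is whatever the form calls the field.
function describeField(fieldLabel, values) {
  const yes = [];
  const no = [];
  for (const axis of PRIVACY_AXES) {
    const v = values[axis.key];
    if (v === undefined) continue; // undeclared: say nothing rather than guess
    if (axis.type === 'int') { yes.push(axis.label.replace('{v}', String(v))); continue; }
    (v ? yes : no).push(axis.label);
  }
  let msg = `Your ${fieldLabel} will be: ${yes.join('; ') || 'nothing declared'}.`;
  if (no.length) msg += ` It will not be: ${no.join('; ')}.`;
  return msg;
}

// Check for a mashup or extension that wants to act on the field's value.
// Each purpose lists the axes that must be explicitly true; anything
// undeclared or unknown fails closed.
const PURPOSE_REQUIREMENTS = {
  'send-to-third-party': ['thirdParty'],
  'contact-user':        ['contact'],
  'store-locally':       [],   // no onward sharing, nothing to require
};

function mayUse(values, purpose) {
  const required = PURPOSE_REQUIREMENTS[purpose];
  if (!required) return false;   // unknown purpose: deny
  return required.every((k) => values[k] === true);
}

// Constructed sample: what `emailInput.dataset` would hold for
// <input name="email" data-privacy-third-party="no" data-privacy-internal="yes" ...>
const SAMPLE_EMAIL_DATASET = {
  privacyThirdParty: 'no',
  privacyInternal: 'yes',
  privacyAnonymized: 'no',
  privacyIdentifiable: 'yes',
  privacyRetentionDays: '90',
  privacyEncrypted: 'yes',
  privacyMonetized: 'no',
  privacyContact: 'yes',
};

// Constructed sample of a field whose author left out six axes and mistyped one.
const SAMPLE_BROKEN_DATASET = { privacyThirdParty: 'maybe', privacyContact: 'yes' };

const emailMeta = parsePrivacyMetadata(SAMPLE_EMAIL_DATASET);
console.log(describeField('email address', emailMeta.values));
console.log('third-party use allowed?', mayUse(emailMeta.values, 'send-to-third-party'));
console.log('broken field errors:', parsePrivacyMetadata(SAMPLE_BROKEN_DATASET).errors);
```

In a browser the same functions would be driven from a `focus` or `mouseover` listener on the form, reading `event.target.dataset` and writing `describeField(...)` into a tooltip. The two design choices worth keeping are that undeclared axes are errors rather than defaults, and that `mayUse` only grants a purpose on an explicit `yes`, so a page that forgets to declare an axis gets the most restrictive reading.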
Leszek
“It might help to think of this in terms of what you won’t do instead of what you will. When I give my data to someone I’m more interested in what they won’t do with it”
I disagree — if a company only tells me what they *won’t* do with my data, I’m immediately suspicious about what they’ve missed out.
e.g. “We WON’T share your data with a 3rd Party” could mean “We WILL give your name, address and timetable to everyone and anyone working for us”.
In fact, I don’t care at all about what a company WON’T do with my data, since that list should be infinite; rather, I care about what they WILL do, as hopefully that list is finite and small.
Michael Kaply
Incidentally, privacy choice created the TrackerWatcher addon (https://addons.mozilla.org/en-US/firefox/addon/14454) so that you can see what ad network is being used for a particular site, and then view exactly what that site’s policies are with regards to your personal data.
Lorrie Cranor
Interesting post and discussion. We’ve been thinking about these sorts of things for a while at the CyLab Usable Privacy and Security Lab. See our papers on the privacy nutrition label http://cups.cs.cmu.edu/privacyLabel/ as well as our other papers on privacy decision making and our search engine http://privacyfinder.org (which will soon include the privacy nutrition label in the privacy report). We would love to discuss further.
Eve Maler
Jaanus already linked to it above, but I wanted to highlight CMU CyLab’s “Privacy Nutrition Label” work. Here are direct links to the relevant research papers:
http://cups.cs.cmu.edu/soups/2009/proceedings/a4-kelley.pdf
http://www.cylab.cmu.edu/research/techreports/CMUCyLab09014.pdf
(Even though there are no graphics in this comment, maybe the promise of interesting “nutrition label” graphics will entice people to check it out…)
Michael Feldman
It wouldn’t be practical to come up with a visualization of each kind of information sharing policy, storage encryption, deletion policy, etc. Instead, it would be better to create visualizations for the various categories of policies. From Aza and a variety of other sources, the primary categories of concern seem to be:
1. Information Sharing
2. Storage (and encryption)
3. Monetization
4. Deletion
5. Contact/Notification
–
I put more information about this on the discussion page of the drumbeat post about this (before I really knew what discussion pages are really for). It can be found here: https://wiki.mozilla.org/Talk:Drumbeat/Challenges/Privacy_Icons
Natanael L
There are so many good ideas here that I’m unsure of where to start.
My summary of what I want:
By default, a site could have a privacy information box.
At the top it would say “Here’s a link to the legal document”, and below there would be the icons and a link to the privacy icons project site with descriptions.
Of course there should be a default – the standard icon alone would mean that the the standard privacy policy is used. This would include terms for various kinds of information.
There should also be information grouping – personally identifiable information, contact information, random uploaded media and work (stuff you’d use Creative Commons for), etc…
Joanne Furtsch
TRUSTe is actively working on how to better present privacy policies starting with small businesses. We have worked to make disclosures easier to read and understand plus represent high level topics consumers care about with icons. Here is one you can check out: http://privacy-policy.truste.com/verified-policy/www.malibal.com. It can be access from the Privacy link on the site’s homepage at http://www.malibal.com/.
dan
can i ask what you made the flow diagram in? nice and clear icons too
Matthew
I think that this is a fantastic idea, and I believe it should also be extended to the EULAs and Terms of Use for both websites and programs. No one wants to read twenty pages of legal jargon just to use a program, and yet that is what you have to state that you have done before installing just about anything.
The same set of metrics being developed to determine what is important about privacy policies could be used to great effect for EULAs. Most of them boil down to, “You may not modify, release, adapt, or build upon this code,” “There is no implied warranty,” and “We are not liable for anything.”
Thanks for an awesome idea! I hope this really gets some momentum behind it.
Robert Persson
A direct comparison can be made with food labelling. In the EU I can look at almost any food packaging and see how much sugar and how much saturated fat there is in it. Quite apart from the issue as what we might call a civil rights issue, the European Commission understands that a market cannot work properly if people really don’t understand what they are buying or selling and so it uses its power under the law to make sure that certain key information is always presented clearly.
Another useful comparison is with the housing rental market. Given the scope for and history of extreme abuse of consumers, many jurisdictions limit the kinds of contracts available to either one or a small handful of statutorily prescribed formulae. Since the price of one small mistake, when it comes to protecting one’s online privacy can also be devastating, there is a case for comparable measures to be taken.
Robert Persson
btw are you aware of the Plain English Campaign? http://www.plainenglish.co.uk/ It is an immensely successful pressure group started 30 years ago by a woman who didn’t learn to read and write until she was well into adulthood. When they criticise a government body or a large corporation in the UK, things tend to change fairly quickly. I suspect they could be very interested in your idea if they are not aware of it already.
Rigo Wenning
This looks a bit like P3P on Icons. P3P used XML code to reduce the complexity of privacy legalese into simple assertions. The XML opened the option to display some human readable notice generated from this XML to the user. Note that to my great sadness, P3P was dismissed by Mozilla in 2003 as being not effective as not directly (technically) enforceable. You can read my dispute from this time in bugzilla.
I still think that Icons are a good idea, but it should be combined with a tool that watches the browser chatter and reads the P3P privacy policies it can get hold of. This way you may also fix the privacy interface to the geolocation API that was already shipped in Firefox with no privacy protection.
W3C is involved in a project called http://www.primelife.eu/ where we have done research on interfaces, policy languages and protocols. It would be great if we could further contribute to Mozilla. I hope this can enhance your laudable initiative to increase the privacy features of the browser.
Rigo Wenning
W3C Privacy Activity Lead
gutiera01
This only applies to the creative works you’re putting on the web. Still, most users are unaware how easy it is to track their behavior online. By simply visiting a webpage you’re getting cookies and permanently stored Flash objects. Most users do not even suspect their browsing data might be collected or how companies get to know their browsing habits. More information on this needs to be brought to the public so that everyone would understand what online privacy means and how it is getting revealed to businesses.