
Re: simple, standardized privacy policy discovery

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Wed, 21 Aug 2013 08:17:36 -0400
Message-Id: <10791F6A-8A16-4E26-A7A9-0DFCD1D15249@cdt.org>
Cc: Pär Lannerö <par.lannero@metamatrix.se>, David Singer <singer@apple.com>, "frederick.hirsch@nokia.com" <frederick.hirsch@nokia.com>, "public-privacy@w3.org" <public-privacy@w3.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>

Well, two quick points: I'm certainly starting to see more apps with privacy policies and that seems closely related to California state law that requires them.

At least in the US, we have some enforcement of clearly made statements in privacy policies through the FTC's deceptive practices authority. This is also why many of us have lamented the dramatic shrinking and abstraction of many detailed privacy policies into instruments that can't be relied upon to actually figure out what a company is doing.

best, Joe


On Aug 21, 2013, at 6:38, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> NIST, NTIA, and many other US government related groups do a lot of great work*. However, what I am interested in is the impact on the real world.
> 
> Have you seen any of these lovely icons in the permission dialogs when you installed new smart phone applications? I haven't. Have you seen a lot of change in behaviour of Website operators with regard to cookies? I see new banners about cookie usage and not companies who suddenly opt for a privacy-friendly design.
> 
> Have you seen what most smart phone applications ask for? They typically ask for almost all permissions. Why is that? First, the granularity of the permission model offered by the operating system or even in browser plug-ins isn't right in most cases. It also does not allow you to state the 'purpose'. Second, there is no incentive for the developers to be restrictive (or to follow 'purpose limitation') since everyone talks about "big data"** and so nobody wants to limit themselves for potential new business models in the future.
> 
> There are a few assumptions being made with these privacy icons:
> 
> 1) Existing privacy notices are not read by end users because they are too long and complex.
> 
> Certainly true. Some studies have been published on that topic.
> 
> 2) Users are interested to learn what the privacy practices are and they act differently depending on the different offers.
> 
> Partially true. Our privacy research showed us that 1/3 of the users don't care at all. Two thirds do, however, express interest to learn about these practices. Will they change their behaviour? Hard to say.
> 
> Looking at the practice in the mobile phone app space, where the permissions are at least expressed somehow, I have my doubts that a graphical representation will change the game in any significant way.
> 
> 3) Companies are interested to clearly state what privacy practices they have.
> 
> This is the big challenge, IMHO.
> 
> 4) Someone enforces misbehaviour.
> 
> Does this enforcement really happen?
> 
> In a nutshell: It would be really nice to have these icons summarizing privacy notices everywhere but I don't see how it will happen.
> 
> Ciao
> Hannes
> (Maybe a bit pessimistic today)
> 
> *: There is also great work from the GSMA on that topic:
> http://www.gsma.com/publicpolicy/mobile-and-privacy/mobile-privacy-principles
> 
> **: This is why O'Reilly sells you the 'Data Science Starter Kit':
> http://shop.oreilly.com/category/get/data-science-kit.do
> 
> Here is the quote from the page:
> "The success of companies like Google, Facebook, Amazon, and Netflix, not to mention Wall Street firms and industries from manufacturing and retail to healthcare, is increasingly driven by better tools for extracting meaning from very large quantities of data. 'Data Scientist' is now the hottest job title in Silicon Valley."
> – Tim O'Reilly
> 
> O'Reilly is the place where developers go to learn about new developments with programming languages.
> 
> On 08/21/2013 12:11 PM, Joseph Lorenzo Hall wrote:
>> 
>> 
>> On 8/21/13 3:50 AM, Hannes Tschofenig wrote:
>>> 
>>> On the other hand if you look at many of the smart phone applications
>>> and the permissions they request then in some sense those are 'tiny
>>> versions' (although without shiny icons) of the longer privacy notices
>>> already.
>> 
>> The U.S. Dept. of Commerce's NTIA just finished a year-long process to
>> develop a multistakeholder-driven "code of conduct" for mobile
>> application transparency, including some requirements for short notice
>> screens. While this has drifted from policy discovery, here are some
>> links if you want to learn more:
>> 
>> code of conduct:
>> http://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf
>> 
>> candidate screens from FPF/Intuit:
>> http://www.ntia.doc.gov/files/ntia/publications/ntia_ui_comps_update_7.23.pdf
>> 
>> HTML5 version from ACT: http://j.mp/privacydashboard
> 
Received on Wednesday, 21 August 2013 12:18:11 UTC