Are you checking privacy policies frequently?

Online companies collect our private information as payment for using their site. Michael Kassner looks at how changes to previously agreed upon privacy conditions are reported -- or not.

"By clicking here, you agree to our privacy policy."

That sentence or a statement similar to one in the following slide resides on millions of websites.

Don't worry; this is not a "you need to read and understand the privacy policy" sermon. Instead, mull over the following:

  • What happens if the privacy policy changes?
  • Are you informed when the policy changes?
  • If they do commit to informing you, how do they do it?

I checked privacy policies displayed on 30 websites, trying to find a common thread. The next slide is typical of what I found.

Not one company committed to directly informing individuals, meaning it is the individual's responsibility to check the website for changes to the privacy policy.

Perfect example

You may have read about Connect Cloud, a service introduced by Cisco. It's all over tech news, and not because it is a neat idea; the coverage is about how Cisco handled the introduction and why users of certain high-end Linksys routers were not able to gain access to their routers. Oops.

What tended to escape media outlets, and was not mentioned in the June 29th explanation written by Brett Wingo, Vice-President of Cisco Home Networking, was the addition of over 1000 words to the Cisco Privacy Policy. Cisco's policy was one of the 30 I checked. This is what it says regarding changes:

"We may update this Privacy Statement at any time, so please review it frequently. If we change our Privacy Statement, we will post the revised version here, with an updated revision date. If we make significant changes to our Privacy Statement, we may also notify you by other means prior to the changes taking effect, such as sending an email or posting a notice on our website."

"Frequently"..."significant changes"..."may also notify"  Should a 1000-word addition be considered significant?

On July 5th, Brett Wingo wrote an ancillary statement about Connect Cloud, further addressing customer concerns. Way at the bottom of the post, I found this:

"UPDATE July 6, 2012 10:15am: Corrected Cisco Connect Cloud Terms of Service, End User License Agreement and Privacy Supplement are now available."

Finally, mention of the elusive 1000-plus-word privacy supplement.

Mistakes happen

Cisco, to their credit, is apologizing, calling facets of the Connect Cloud rollout a mistake. Everyone makes mistakes; I know I do. So that's not a "big deal" to me. I am concerned about what I'm reading on forums and hearing from user groups: no one knew about the changes to Cisco's Privacy Policy.

I'm curious: Have you or anyone you know received direct notification from Cisco about Connect Cloud and the addition of the Connect Cloud supplement to the Cisco Privacy Policy?

What experts think

I now want to get back to what I mentioned in the Takeaway with a focus on the Connect Cloud example. Is Cisco doing enough? Or should Cisco directly contact the people who entrusted the company with their private information?

I asked several security experts what they thought. Dr. Lorrie Cranor and Ashkan Soltani were kind enough to respond. First, Lorrie:

Cranor: If a company is going to change the way they handle data they already collected from someone, I think it would be pretty unfair for them to do that without notifying the person. Ideally, they should have informed consent from every person whose data is going to be shared or used in new ways retroactively.

For new data collection, the main reason to notify existing customers is that they are likely to assume that the policy in place when they first became a customer is still the policy unless they are given other information. If new data is collected only when the customer visits the website, posting a notice on the website in a location that customers will be likely to see it seems like an acceptable approach.

Soltani: The Connect Cloud thing was quite interesting. There's actually a great deal of debate as to whether or not companies can retroactively change their privacy policies without notifying customers. The FTC has given some guidance in this regard, for example, looking at XY magazine and the sale of customer information:

Paul Ohm also had an interesting framing of this topic this year at the "Privacy Law Scholars" conference, involving the concept of Privacy Lurch -- a change in policy makes the product different.

Final thoughts

It's not just Cisco. Within the first sentence or two, every privacy policy I checked warns the reader of the company's right to update its privacy statement at any time. My question then becomes: how often is "frequently," and is there a better way?
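If the burden of noticing changes really does fall on the reader, the practical answer to "how often is frequently" is to automate the check. The script below is an added example, not code from the article or from Cisco: it keeps a fingerprint of the last policy text you saw, reports how many words were added or removed when the text changes, and prints a unified diff so you see the new clauses rather than re-reading the whole document. The sample "before" and "after" policies and the 100-word significance threshold are constructed for illustration.

```python
"""Added example: detect and size changes to a privacy-policy text.

Not part of the original article. Sample texts and the threshold below are
constructed for illustration and do not reproduce any vendor's policy.
"""
import difflib
import hashlib
import re

# Assumption for illustration: the article asks whether a 1000-word addition
# is "significant"; this threshold is deliberately low so the sample trips it.
SIGNIFICANT_WORD_DELTA = 100


def normalize(text: str) -> str:
    """Collapse whitespace and case so cosmetic re-wrapping is not reported as a change."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(text: str) -> str:
    """Stable SHA-256 of the normalized policy text; store this between checks."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def word_count(text: str) -> int:
    return len(normalize(text).split())


def compare_policies(old: str, new: str, threshold: int = SIGNIFICANT_WORD_DELTA) -> dict:
    """Report whether the policy changed, the word delta, and a line diff of the change."""
    changed = fingerprint(old) != fingerprint(new)
    delta = word_count(new) - word_count(old)
    diff = list(difflib.unified_diff(
        old.strip().splitlines(), new.strip().splitlines(),
        fromfile="policy-old", tofile="policy-new", lineterm=""))
    return {
        "changed": changed,
        "words_added": delta,
        "significant": changed and abs(delta) >= threshold,
        "diff": diff,
    }


# Constructed sample: a short policy, then the same policy with a 12-clause supplement.
OLD_POLICY = """
We may update this statement at any time, so please review it frequently.
If the statement changes, we will post the revised version here with a new date.
"""

NEW_POLICY = OLD_POLICY + "\n".join(
    f"Supplement clause {i}: the service may collect usage and device data."
    for i in range(1, 13)
)

if __name__ == "__main__":
    report = compare_policies(OLD_POLICY, NEW_POLICY)
    print(f"changed={report['changed']} words_added={report['words_added']} "
          f"significant={report['significant']}")
    print("\n".join(report["diff"]))
```

In use you would fetch the policy page, strip it to text, and compare against the fingerprint saved from the previous run; the normalization step matters because a site that re-wraps or re-styles its legal text would otherwise wake you up for nothing.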


Information is my field...Writing is my passion...Coupling the two is my mission.


Can I return the product for a refund when the privacy policy is no longer acceptable? They need to define these once and get it right. Not pulling an update fiasco... Time to verify my Linksys routers are good, maybe change the firmware to an open source version.


It seems we need a balance of power. Companies need to be able to control their product/services and change them as they see fit. Consumers need to have an understanding of what the rules are and be alerted if the rules change so they may make informed decisions. I guess you might call this transparency. Right now the balance of power seems to be skewed to the companies; especially ones giving you “free” services with opt-out based policies. One way to help resolve this might be to have a standard method of finding the policy information; such as having on every home page/login screen an easy to find Policy Information button. This would take you to a standard form that has a high level summary in plain language that explains the policy along with the normal lawyer speak they usually have. Whenever a change in the policy takes place, the Policy Information button could change color or change the icon or some other alert for a period of time, so users could easily see that something has changed. On this page it could even link you to the opt-in/out page. Companies should be doing something along these lines now, otherwise people will complain and Congress will create new laws so companies will be forced to do something. All of this will take time when companies have an opportunity right now to inform the consumer.

Michael Kassner

If companies have their way, you will have to check privacy statements frequently -- meaning weekly, daily, hourly? There is a problem with that philosophy: by the time you find out, the damage could be done.


should, in my experience, simply contain a log-in dialog. Many people use password managers which can automatically log the user into the site. Anything else on the log-in page can break the auto-login, simply break using the password manager at all, and/or will be ignored during the log-in process. Notification that changes have been made to the "Privacy Policy" and/or to other documents such as Terms of Use or Terms of Service can be presented first on the page that is rendered after the user has logged-in. I don't think that changing color, shape, or logos on the "button" are likely either to be recognized at all, or recognized as signifying a change to anything except the button. So simply display the notification in a prominent place and in plain text with a large point-size to the font, in whatever language is appropriate for the user who logged-in. What I really hate about such notifications is that they seldom tell me what changes have been made, and I'm not likely to recognize any changes by re-reading a document that I might never have read before anyway. Any website operator or owner who assumes that I visit their site often is most likely deluding themselves. The only really effective way to address privacy issues is by laws that govern which data a person or organization may acquire about any other person or organization, and govern the uses which the acquirer can make of it. Cisco / Linksys is now a company with which I do not expect to do business in the future. I am not happy with the E2500 which I bought about six months ago to replace the aging WRT54G router that I've been using for several years. As far as I know, the E2500 is not affected by the recent Cisco / Linksys shenanigans. They obviously don't have any respect for the individuals who have purchased their routers. I have certainly lost all respect that I've ever had for them.

Michael Kassner

A friend of mine told me about Sony. They require the user to read or say they read changes to the privacy statement before they can log in. That seems like a good idea.
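The two mechanisms proposed in this thread, a clear notice of what changed and an acknowledgement step before the user proceeds, fit together naturally on the server side. The sketch below is an added example and is not code from the article, from Sony or from any vendor. It binds each user's acceptance to the hash of the exact policy text they saw, so any later edit automatically re-prompts them; it rejects a stale acknowledgement that echoes an old hash; and it hands the user a diff against the version they accepted rather than the whole document. All names, texts and the in-memory storage are constructed for illustration.

```python
"""Added example: gate login on acknowledgement of the current policy version.

Not part of the original article or any vendor's product. Storage is an
in-memory dict and the policy texts are constructed samples.
"""
import difflib
import hashlib
from dataclasses import dataclass, field


def policy_hash(text: str) -> str:
    """Identify a policy version by the hash of its exact text."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


@dataclass
class PolicyRegistry:
    versions: list = field(default_factory=list)   # [(hash, text)] in publication order
    accepted: dict = field(default_factory=dict)   # user -> hash of the version they accepted

    def publish(self, text: str) -> str:
        """Record a new version; republishing identical text is a no-op."""
        h = policy_hash(text)
        if not self.versions or self.versions[-1][0] != h:
            self.versions.append((h, text))
        return h

    @property
    def current(self) -> tuple:
        return self.versions[-1]

    def login(self, user: str) -> dict:
        """Tell the login flow whether to proceed or to show the change and ask for acceptance."""
        cur_hash, cur_text = self.current
        seen = self.accepted.get(user)
        if seen == cur_hash:
            return {"ok": True, "needs_ack": False, "diff": []}
        # Diff from the version this user actually accepted (empty for a first login).
        old_text = next((t for h, t in self.versions if h == seen), "")
        diff = list(difflib.unified_diff(
            old_text.splitlines(), cur_text.splitlines(),
            fromfile="accepted", tofile="current", lineterm=""))
        return {"ok": False, "needs_ack": True, "diff": diff}

    def acknowledge(self, user: str, acknowledged_hash: str) -> bool:
        """Record acceptance only if the client echoes the hash of the current version."""
        if acknowledged_hash != self.current[0]:
            return False   # stale or forged acknowledgement; keep prompting
        self.accepted[user] = acknowledged_hash
        return True


# Constructed sample policy texts.
V1_TEXT = "We collect your email address to run the service."
V2_TEXT = V1_TEXT + "\nWe may also share usage data with partners."


def run_scenario() -> dict:
    """Walk one user through publish, login, accept, policy change, re-prompt."""
    reg = PolicyRegistry()
    v1 = reg.publish(V1_TEXT)
    first = reg.login("alice")            # never accepted anything
    acked_v1 = reg.acknowledge("alice", v1)
    second = reg.login("alice")           # accepted the current version
    v2 = reg.publish(V2_TEXT)
    third = reg.login("alice")            # policy changed since acceptance
    stale = reg.acknowledge("alice", v1)  # client echoing the old hash
    acked_v2 = reg.acknowledge("alice", v2)
    fourth = reg.login("alice")
    return {
        "first_needs_ack": first["needs_ack"],
        "acked_v1": acked_v1,
        "second_ok": second["ok"],
        "third_needs_ack": third["needs_ack"],
        "added_lines": [l for l in third["diff"] if l.startswith("+") and not l.startswith("+++")],
        "stale_rejected": not stale,
        "acked_v2": acked_v2,
        "fourth_ok": fourth["ok"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Keying acceptance on the content hash rather than a version number or date is the point: a "corrected" document silently swapped in under the same label, as happened with the Connect Cloud supplement, would still produce a new hash and a new prompt.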
