Security

How to make confusing privacy policies usable

Privacy policies are often complicated and not easy to find, leaving consumers wondering whose privacy they're supposed to protect. Privacy researchers suggest it is time for that to change.

Privacy pundits have warned for years of the need to read privacy policies, yet many people who use the internet choose to ignore this advice. Why is that?

First and foremost, not everyone has a law degree—a requirement to understand the legalese rampant in privacy policies. Another reason is the cost. My TechRepublic article Reading online privacy policies costs us $781 billion per year was written in 2012; one can imagine what the amount would be today.

Time spent reading privacy statements is another consideration. The 2008 paper The Cost of Reading Privacy Policies (PDF) written by Dr. Aleecia M. McDonald and Dr. Lorrie Faith Cranor states:

"If all American internet users were to annually read the online privacy policies word-for-word each time they visited a new site, the nation would spend about 54 billion hours reading privacy policies. To put these figures in perspective, using the estimate of 244 hours per year to read privacy policies per person means an average of 40 minutes a day."

SEE: Information security incident reporting policy (Tech Pro Research)

Privacy policies have become more complicated

Unfortunately, things have gotten worse. "People are confronted with terms of service agreements and privacy policies all the time," writes Florian Schaub, assistant professor of electrical engineering and computer science at the University of Michigan, in The Conversation column Nobody reads privacy policies - here's how to fix that. "Regulations requiring these notices aim to ensure that consumers can make informed decisions, but current privacy policies miss the mark."

It's unclear what information is collected and who sees it

Schaub is also concerned that privacy policies are unnecessarily vague—in particular, how collected personal information is used, and with whom it is shared. Schaub uses Google's privacy policy as an example. It states:

"We collect information about the services you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or view and interact with our ads and content."

Schaub's point of contention: What exactly is "information" and how is it used?

SEE: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

Privacy policies are not readily accessible

Another consideration is that privacy policies are becoming increasingly difficult to locate. It is more convenient for app and website developers to post privacy policies on a communal website rather than as an integral part of the application or website. For instance, websites have links to privacy policies at the bottom of web pages; mobile apps link to policies in the app store; and privacy policies of IoT devices are likely posted somewhere on the company's website.

Who do privacy policies help?

Privacy policies, according to Schaub, serve too many masters. Companies concerned about limiting liability use privacy policies to advertise compliance with legal and regulatory requirements. On the flip side, governmental agencies use privacy policies to enforce compliance with their regulations. As one might expect, this legal jousting places consumers several rungs down on the priority ladder.

Break privacy policies into manageable chunks

Schaub suggests breaking the documents into smaller pieces. "People casually browsing a website only need information about how the site handles their IP address; if what they look at is shared with advertisers; and if they can opt-out of interest-based ads," writes Schaub. "Those people do not need to know about rules associated with subscribing to the site's email newsletter, nor how the site handles personal or financial information."

Continuing the example, Schaub explains if a visitor to the website decides to sign up for an email newsletter, a privacy notice could pop up with additional pertinent information. "These shorter documents should also offer users meaningful choices about what they want a company to do—or not do—with their data," adds Schaub. "For instance, new subscribers might be allowed to choose whether the company can share their email addresses or other contact information with outside marketing companies."

Privacy notices could be simpler if they focused on unexpected data collection or sharing. For instance, people with fitness trackers understand the device counts steps, but they typically do not expect other personal data to be collected, compiled, and shared with third parties.

SEE: WhatsApp, Facebook to face EU data protection taskforce (ZDNet)

Coexist with traditional privacy policies

Schaub and other privacy pundits are heartened by the fact that companies like Google and Apple have already incorporated the shorter, consumer-friendly privacy notices into mobile-device firmware. "Systems like this give consumers usable information and real choices," concludes Schaub. "And they encourage app developers to communicate better with users about privacy."

Also see

Image: iStock

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks

Free Newsletters, In your Inbox