erenuka at gmail.com
Thu Jan 10 09:53:22 EST 2008
The Hindu News Update Service
News Update Service
Thursday, January 10, 2008 : 1230 Hrs
Sci. & Tech.
London, (GUARDIAN NEWS SERVICE)
By Wendy M. Grossman
It's more likely to be designed to cover the company than to protect the purchaser, but campaigners want change
"We may keep you informed of such products and services (including special offers, discounts, offers, competitions and so on) by any of the following methods:
the policy that we follow." In other words, it came with its website because some lawyer thought more about covering the company's legal ass than consumer
protection. Sadly, this is what most privacy policies are in fact about.
This particular shop rewrote it entirely when it relaunched its site a few weeks later, and the policy is now a model of brevity, clarity and restraint.
And what it collects is everything: you can view all the purchases you've ever made from the site, even if the first one was back in 1996. It does not
offer you any way to delete this history or control how much is saved, and there isn't any obvious way to close your account.
But who reads privacy policies anyway? Lorrie Cranor, an associate research professor in computer science and engineering and public policy at Carnegie-Mellon
University, says: "Except for a very small group of privacy fundamentalists, the only time people read them is if there's a problem." Then, of course,
it's too late - as Facebook users recently found out when the service started displaying purchasing information from a variety of online partner vendors
such as Blockbuster. However, Cranor adds, at a recent workshop held by the US Federal Trade Commission, all the participants agreed that privacy policies
need to be there and need to be clear - but they need to be easier to access and understand.
The auction website eBay disagrees. "We believe consumers do look at privacy policies for specific issues they are concerned about, such as sharing with
third parties and marketing uses," it says. The more important way privacy policies are communicated, eBay argues, is by consent forms or opt-in/out boxes,
and this is a better way to make privacy choices visible to consumers. The company offers its AdChoice as an example: a link next to its banner ads takes
users to more information about how the ads are targeted, as well as the chance to opt out.
a one-screen summary and then if you want more you click through and get more details," she says. There is an effort to standardise what's in the summary
to make it easier for people to get the gist quickly. "It's going in the right direction, but not far enough, because what's standardised is the set of
sections that should be in the short notice." There are no standards for what text should be under those section headings.
In the early 2000s, Cranor was part of Platform for Privacy Protection (P3P), an effort by the World Wide Web Consortium to give users an automated way
of setting privacy preferences; the browser reads and acts upon P3P options websites set. P3P still exists in Internet Explorer: look at the Privacy tab
under Internet Options in the Tools menu and you'll find its slider bar. Firefox no longer supports it, in part because its use isn't that widespread.
The problems highlighted by the FTC workshop inspired Cranor's research group to take advantage of one of her earlier projects, Privacy Bird (privacybird.org),
a plug-in for Internet Explorer that reads P3P policies in detail. Cranor's group took the engine behind Privacy Bird and built it into a shopping search
site, Privacy Finder (privacyfinder.org), so that each hit displays an icon showing how closely it matches the user's privacy preferences. They then used
it in a project to test whether such a system influences people's purchasing choices. Their conclusion (PDF: weis2007.econinfosec.org/papers/57.pdf): people's
purchasing habits do change when privacy information is presented to them in a quickly understandable way, and some will even pay a premium to protect
"We need a nutrition label for privacy," Cranor says. "We're all used to reading nutrition labels, and we know where to find what. Privacy labels should
be the same way."
The problem with that approach, argues Brendon Lynch, Microsoft's security strategist, is that, unlike food, "every site does a different thing". Lynch
says Microsoft takes a variety of approaches, embedding privacy options into software so users see them as they go. Often, he says, if people don't read
for example the rise in identity theft and online fraud".
But one of the reasons companies need privacy policies is that in much of today's technology, privacy is added as an afterthought. Designing in privacy
isn't the fun part of development, and even if it were it goes against the business models of many companies, as Ian Cheeseman of the Connecticut-based
PR company Lakeview Associates, explains. "Privacy policies aren't a way of protecting data," he says. "They're a way of gaining access to data. They're
written by lawyers, but commissioned by the marketing department. I have sat in marketing meetings where they say, 'What do we want to do with all this
data?' Data is a resource."
to adopt an icon scheme when it may act against what they conceive to be their own best interests is a conundrum.
Cranor's idea is that "if everybody is using the scheme, not adopting it will look worse than adopting it but having a not-great policy". Making it happen,
she concedes, would require the cooperation of a major search engine. She has been talking to some of these, but her experience perfectly illustrates why
saw it wouldn't score very well. And that was that."
More information about the AccessIndia