
20 Hours a Month Reading Privacy Policies

Posted by kdawson on Fri Oct 10, 2008 09:59 AM
from the half-the-bailout-every-year dept.
Barence sends word of research out of Carnegie Mellon University calling for changes in the way Web sites present privacy policies. The researchers, one of whom is an EFF board member, calculated how long it would take the average user to read through the privacy policies of the sites visited in a year. The answer: 200 hours, at a hypothetical cost to the US economy of $365 billion, more than half the financial bailout package. Every year. The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed. This resulted in the predictable cry of outrage from online executives. Here's the study (PDF).

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by crow (16139) on Friday October 10 2008, @10:02AM (#25327863) Homepage Journal

    If there were a few standardized policies that most sites used, then users wouldn't need to read them. Like with software licenses, you don't bother to read the GPL each time you install software that uses that license.

    • by sakdoctor (1087155) on Friday October 10 2008, @10:07AM (#25327945)

      Wasn't that the idea behind P3P [wikipedia.org]

    • by truthsearch (249536) on Friday October 10 2008, @10:08AM (#25327967) Homepage Journal

      Creative Commons puts out a variety of licenses that have a simple (human readable) version and a complete (legal) version. A logo or link on a site makes it immediately clear which license is being used. The exact same formula would probably work quite well for privacy policies.

    • Yes but the GPL says what you can and cannot do to the source of a project, a pretty standardized action. Privacy policies say what the website can and cannot do with your info. That's going to be different on a per website basis. Google could get everything I searched for, Facebook knows what college I go to and some of my friends, Youtube knows what videos I watched, etc. Unfortunately, one boilerplate policy would not cover all of these websites.

      • It's more like "We (US, PARTNERS, MATES) can do whatever (WITHOUT LIMITATION) with the content (EVERYTHING CONCEIVABLE)."

        Well, I exaggerate, but a set of policies would be feasible. I define my trust of a site in fairly broad terms, I'm only really interested if they are going to sell my information to others, and whether I still own what I submit (regardless of content type).

    • by SleptThroughClass (1127287) on Friday October 10 2008, @10:18AM (#25328097) Journal
      Even better, a tag could tell your browser which standard policy is being used. Tell your browser which policies you want to be accepted, and what action to take for sites with other policies.
      • by electrictroy (912290) on Friday October 10 2008, @10:16AM (#25328075)

        It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
        Software, not being radio, is private and NONE of the government's long-nosed business.

        The solution I use is to not bother reading the policies, because I know the companies don't adhere to them. They just sell your info to whoever they want, and do whatever they please (similar to how Bush is eavesdropping on overseas Americans even though he promised he wouldn't). There's no point wasting my time reading a policy that is not enforced.

        • True, but unlike when you're going against the government, there's at least the implication that by agreeing to their TOS, you're entering into some sort of nonformal contract (a shrink-wrap EULA basically) in that they have to hold up to their end of the bargain. If nothing else, you could probably sue them if you find them to be in violation of their posted privacy policy. Hell, if you go for the maximum allowed in small claims court, chances are they'll determine it not worth their time and you'll win

        • Re: (Score:3, Informative)

          But nobody was proposing that they regulate anything new. The proposal was that they make a set of standard licenses available, not that they enforce them.

        • by DriedClexler (814907) on Friday October 10 2008, @11:20AM (#25328837)

          It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
          Software, not being radio, is private and NONE of the government's long-nosed business.

          Good job. He said FCC (Federal Communications Commission) when he should have said FTC (Federal Trade Commission) and instead of reminding the rest of us what the relevant government agency would be, you took the opportunity to grandstand about his mistake. That really helps the discussion, doesn't it?

          Anyway, I have a hard time seeing how this would be overstepping the government's bounds. It's just setting up a template people are free to use, or not, or use with modifications. Government-endorsed behavior (where it pays people to do something), is not the same thing as government-recognized behavior (where it sets a template to ease communication).

          The worst that would happen is that it biases people into not trusting those who refuse to simplify their TOS into one of the common templates. Good. People should have distrusted long license agreements in the first place. It's the general tolerance of that kind of BS that has pushed people into accepting as commonplace the atrocious practice of agreeing to something you haven't read ... something that in any other context is evidence of coercion.

  • Or maybe... (Score:5, Insightful)

    by Aladrin (926209) on Friday October 10 2008, @10:02AM (#25327871)

    Or maybe people shouldn't submit their data to every website they visit. If they care about their privacy, they had better well read the privacy policy.

    Companies aren't going to dumb-down their policies and open themselves to lawsuits. They are precise and lengthy for a reason.

    In the end it doesn't even matter, though. They all include a clause that lets them change the policy any time they like.

    • In the UK I believe the requirement is to have up to 3 levels of privacy policy.

      - A very simple summary of what might happen with your data at the point you enter it, linking to:
      - A more detailed plain English explanation, linking to:
      - The full privacy policy.

      Most sites just have the full policy though, afaik (IANAL) that's breaking the rules.

    • That's assuming that people can directly control such data. Your web browser sends its user agent string and referrer in the HTTP header by default. Then there's the extra information that sites can get with JavaScript.

  • by Mister Whirly (964219) on Friday October 10 2008, @10:02AM (#25327875) Homepage
    200 hours? big deal.
    Average amount of hours wasted reading Slashdot at work in a year : 5,000,000
    • by aurb (674003) on Friday October 10 2008, @10:28AM (#25328217)
      It's a good thing we don't read the articles. The number could be much much bigger...
    • by tuxgeek (872962) on Friday October 10 2008, @10:31AM (#25328249)

      So, if our time, 200 hrs, is worth $350 billion
      And we spend 5,000,000 hrs / year reading slashdot
      That means our wasted hours reading slashdot is worth $8,750,000,000,000,000.00

      Good God man! If we slashdotters collude on this we can buy the whole planet and kick everyone else off it, or at least charge them rent.

      -----

      Never underestimate the power of stupid people in large groups

    • Average amount of hours wasted reading Slashdot at work in a year : 5,000,000

      Realizing that you've trashed your life: Priceless!

    • by alexhs (877055) on Friday October 10 2008, @10:54AM (#25328533) Homepage Journal

      By my own calculations using your helpful data, it means a slashdotter on average wastes each work hour 2500 times...

      Using relativity formulae, I guess we would come close to the speed of light...

    • by MadCow42 (243108) on Friday October 10 2008, @11:01AM (#25328617) Homepage

      Actually, the average for Slashdot editors appears to be slightly lower than the general populace... it's the only explanation I can see. :)

      MadCow.

  • Standardization (Score:5, Insightful)

    by FireStormZ (1315639) on Friday October 10 2008, @10:02AM (#25327877)

    Some group needs to write a half dozen or so policies covering a range of options and publish them under a license which *does not* allow them to be used under the same name if any changes are made.

    Who really reads the GPL anymore after you have gone through it a few times? The MPL? BSD? If you get somewhere under a dozen options out there you can save *everybody* time..

  • Perfect time (Score:3, Interesting)

    by speroni (1258316) on Friday October 10 2008, @10:05AM (#25327911) Homepage

    to implement my low cost IT Law firm. For a nominal fee we would certify websites and software. Don't want to read the EULA, just check with our firm for verification.

    We'd even specialize in defending the rights of netizens and downloaders.

    Online legal service for hire.

  • 200 hours a year? I would be spending 200 hours a month if I read all of the EULAs I encountered.

  • robots.txt (Score:3, Interesting)

    by bigattichouse (527527) on Friday October 10 2008, @10:07AM (#25327949) Homepage
    I'd like something simple and standardized: Yes you can re-use content. No, it has to be attributed. No, you can't use our logo. blah blah blah etc. rights.txt. Have the browser integrate it and have pretty little icons like creative commons does.
  • I can pretty much guarantee the Federal standard would be a nightmare.

    The worst of K street will have second crack at the legislation. The Cheney administration would have first crack at it and take another opportunity to sodomize legal history and Constitutional law. Both houses of Congress have more or less abdicated their responsibility in providing checks, so it gets Fugly fast.

  • You people who are obsessed with your privacy should be happy for the chance to spend 200 hours a month reading these policies. It's what you care about.

    The rest of us don't care how long they are because we would rather live good lives rather than private lives. So we don't read them.

    • Ha ha, what a useless argument. 'Good' and 'private' are not mutually exclusive qualities. It's a false dichotomy.

      You advocate a position of ignorance and mock people who value their privacy. And apparently you think someone cannot lead a good, private life. Why is that? Do you not find that a rather foolish position? (a genuine question)
  • By a nice coincidence, though, the financial rescue package of $700 billion duplicates a number that was also in the news last week - the Pentagon budget. In the fiscal year just beginning, the Defense Department will spend $607 billion on normal military costs, and an additional $100 billion on the wars in Iraq and Afghanistan. (As of June 30, 2008, Congress had appropriated $859 billion for the wars; Congressional Budget Office projections assume further costs of $400 billion to $500 billion as the wars w

    • The right tends to prefer less regulation, and to let the markets work as efficiently as possible. Deregulation - generally led by the right and approved by both major political parties - occurs over the course of many years. This deregulation often leads to growth and an increase in prosperity, especially for those with substantial money to invest - i.e. those who don't work for a living. The right suspects that with the increase in private funds, fewer social programs are needed and they save money. This

  • Slashdot shares its privacy policy with SourceForge and at nearly 3500 words of legalese they're able to declare themselves "self-certified" under the Safe Harbor principles set up by the US Department of Commerce. There's even a fancy image to prove it.

    I like this part of the policy:

    Photographs

    Users may have the opportunity to submit photographs to the Sites for product promotions, contests, and other purposes to be disclosed at the time of request. In these circumstances, the Sites are designed to allow

  • How hard would it be to write the following summary:

    "We will collect your information to provide product recommendations for you while logged in at this site. We will not share your personal information with any third party without your permission as demonstrated by going to your user profile and opting in for information sharing. We promise to take every reasonable measure to ensure that your personal information, while stored by us, is inaccessible to hackers and other potential identity thieves."

    Then, at

  • by iteyoidar (972700) on Friday October 10 2008, @10:17AM (#25328087)
    I would imagine every American loses like, a bujillion hours a month watching TV. That probably costs a lot too.
  • But nobody reads them, just like EULAs. Users just have the expectation of privacy, just as they do in real life. Even if a few companies and marketing experts think it's unrealistic or impossible, people just have that expectation anyway. Nobody is automatically suspicious of nefarious activities, people are generally unsuspecting.
  • So we're proposing the Federal government enact a law to make privacy policies easier to read?

    Has anyone read the entire tax law recently, much less ALL the laws we're supposed to know?

    Ignorance is no defense, after all.
  • This sounds like an area ripe for the Creative Commons treatment.

    Produce a small suite of precise privacy practices, as detailed as you like, each with an approved "plain English" summary, just as the CC licenses do.

    After a short adjustment period, one would no longer have to even skim the summary of the license, just as many surfers know by now what the "Share Alike" CC license is.

    Call them CPPs: Common Privacy Practices. You could have CPP: Share Internal, CPP: Share With Partners, CPP: Sell To Anyone, C

  • Sounds like an interesting report, but I can't spare the time to read it.
  • Federal intervention may be needed to control privacy policies on teh intarweb? That global, international thingy?

    Good luck forcing a (pick your country) federal anything on other countries.

    I'm not against the general idea, however it should come from a standard web group (not sure if it would fall within the W3C domain, the IETF, etc).

  • So we're going to measure the cost of things in FBP's now?
  • How about a one-line privacy policy that states "We will most likely sell your credit card information to Al-Qaeda for a box of doughnuts."

  • I went to a supermarket this morning.

    I didn't need to license the right to walk around and view the "product label prices" content, nor did I need to agree not to sue them for being out of Diet Coke Lime, nor did I need to consent to be monitored by security cameras and have my image stored on tapes.

    Why can't visiting a web site on-line be that simple?

  • TrustE, in their early days, used to have several seals that indicated the level of privacy policy in use. So the TrustE seal actually meant something.

    Then, in response to advertiser pressure, TrustE caved in. All a TrustE means now is that the site agrees to abide by its own privacy policy. It doesn't matter how intrusive the policy is; the site can still get a TrustE seal.

    TrustE enforcement has been very weak. Here's a study of TrustE enforcement actions. [galexia.com] "Their privacy standards are low to begin w

  • Logicless Leap (Score:5, Interesting)

    by Hercules Peanut (540188) on Friday October 10 2008, @11:02AM (#25328631)

    The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.

    Why? Why should I need the federal government to get involved? At what point did I lose the power to choose to simply not use the service. If I don't have time to read the policy, then I can simply say no. It is only at the point that I no longer have a choice and that my rights are threatened that I need the federal government to step in and protect my rights.

    How did we become a society of people who believe that the only ones who can solve our problems are the government, worse, the federal government? Have we no self reliance anymore?

  • by Aram Fingal (576822) on Friday October 10 2008, @12:38PM (#25329917)
    Back in the Clinton administration, the FTC tried to set a precedent for enforcement of privacy policies with the case of Toysmart.com. Toysmart.com went bankrupt and a judge ruled that they could sell their customer database in violation of their own privacy policy to settle debt. The Clinton administration tried to reverse the decision on appeal but the case went on after Clinton left office and Bush came in.

    The Bush administration tried to broker a compromise allowing Toysmart.com to sell their database as long as it was to a company in the same industry. One of the shareholders in Toysmart.com didn't want to be responsible for that decision so he bought the database himself and destroyed it. No precedent was set and the Bush administration hasn't tried to prosecute anyone for violation of privacy policy since.
    • Re:fp (Score:5, Funny)

      by ozphx (1061292) on Friday October 10 2008, @10:13AM (#25328039) Homepage

      Short, sweet and to the point. Fine use of rhetoricals and emphasis on the punchline. This well balanced piece is let down by its brevity and typos, I can't help but feel that Coward rushed this work.

      Worth your time. Three and a half stars.

      • Re:fp (Score:4, Funny)

        by Anonymous Coward on Friday October 10 2008, @11:36AM (#25329047)

        Fair assessment. Great turnaround time.

        Would troll again AAAAAAAAAAAAA++++++++++++++++

    • The annual total had 1 significant digit. The monthly total in the summary has 1 significant digit. You computer-people don't have to deal with error and such like we engineers, but imo 200/12 ~= 20 isn't really a problem.