20 Hours a Month Reading Privacy Policies 161
Barence sends word of research out of Carnegie Mellon University calling for changes in the way Web sites present privacy policies. The researchers, one of whom is an EFF board member, calculated how long it would take the average user to read through the privacy policies of the sites visited in a year. The answer: 200 hours, at a hypothetical cost to the US economy of $365 billion, more than half the financial bailout package. Every year. The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed. This resulted in the predictable cry of outrage from online executives. Here's the study (PDF).
Solution: Standardized policies (Score:5, Interesting)
If there were a few standardized policies that most sites used, then users wouldn't need to read them. Like with software licenses, you don't bother to read the GPL for each time you install software that uses that license.
Re: (Score:1)
I agree. A good job for the FCC or the ACLU.
"This site complies with FCC Privacy Policy #2."
and a link.
Bidda bing ...
Re:Solution: Standardized policies (Score:4, Insightful)
It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
Software, not being radio, is private and NONE of the government's long-nosed business.
The solution I use is to not bother reading the policies, because I know the companies don't adhere to them. They just sell your info to whoever that want, and do whatever they please (similar to how Bush is eavesdropping on overseas Americans even though he promised he wouldn't). There's no point wasting my time reading a policy that is not enforced.
Re: (Score:2)
True, but unlike when you're going against the government, there's at least the implication that by agreeing to their TOS, you're entering into some sort of nonformal contract (a shrink-wrap EULA basically) in that they have to hold up to their end of the bargain. If nothing else, you could probably sue them if you find them to be in violation of their posted privacy policy. Hell, if you go for the maximum allowed in small claims court, chances are they'll determine it not worth their time and you'll win
Re: (Score:3, Informative)
But nobody was proposing that they regulate anything new. The proposal was that they make a set of standard licenses available, not that they enforce them.
Re:Solution: Standardized policies (Score:4, Insightful)
It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
Software, not being radio, is private and NONE of the government's long-nosed business.
Good job. He said FCC (Federal Communications Commission) when he should have said FTC (Federal Trade Commission) and instead of reminding the rest of us what the relevant government agency would be, you took the opportunity to grandstand about his mistake. That really helps the discussion, doesn't it?
Anyway, I have a hard time seeing how this would be overstepping the government's bounds. It's just setting up a template people are free to use, or not, or use with modifications. Government-endorsed behavior (where it pays people to do something), is not the same thing as government-recognized behavior (where it sets a template to ease communication).
The worst that would happen is that it biases people into not trusting those who refuse to simplify their TOS into one of the common templates. Good. People should have distrusted long license agreements in the first place. It's the general tolerance of that kind of BS that has pushed people into accepting as commonplace the atrocious practice of agreeing to something you haven't read ... something that in any other context is evidence of coercion.
Re: (Score:2)
Re: (Score:2)
Not only a privacy policy but also a privacy certification is necessary to keep things under control.
A policy is really not much worth if you don't follow it.
Re:Solution: Standardized policies (Score:5, Informative)
Wasn't that the idea behind P3P [wikipedia.org]
Re: (Score:2)
Exactly. And what P3P underscores is that privacy policies really only have a few variations so even the idea floating around in this thread about standardized ones is certainly possible just like Creative Commons has basically a few canned variations. P3P could help to save time, but really the sites need to hypothetically pick from some standard based on what they do / want (just like picking a CC license).
Re: (Score:2)
Re:Solution: Standardized policies (Score:5, Insightful)
Creative Commons puts out a variety of licenses that have a simple (human readable) version and a complete (legal) version. A logo or link on a site makes it immediately clear which license is being used. The exact same formula would probably work quite well for privacy policies.
Re: (Score:2)
I don't think this idea would get implemented very well.
Creative Commons gives additional rights to visitors. A privacy policy does the opposite. It's designed to take away rights from visitors.
So the web sites that are the most li
Re: (Score:2)
Yes but the GPL says what you can and cannot do to the source of a project, a pretty standardized action. Privacy policies say what the website can and cannot do with your info. That's going to be different on a per website basis. Google could get everything I searched for, Facebook knows what college I go to and some of my friends, Youtube knows what videos I watched, etc. Unfortunately, one boilerplate policy would not cover all of these websites.
Re: (Score:2)
Its more like "We (US, PARTNERS, MATES) can do whatever (WITHOUT LIMITATION) with the content (EVERYTHING CONCEIVABLE)."
Well, I exaggerate, but a set of policies would be feasible. I define my trust of a site in fairly broad terms, I'm only really interested if they are going to sell my information to others, and whether I still own what I submit (regardless of content type).
Re: (Score:2)
The GPL was just an example, albeit a poor one. Think Creative Commons, which has about a dozen or so different license combination, or opensource.org which compiles a good fifty different fairly-widely-used licenses.
Coming up with some fairly simple and basic terms and wrapping a relatively generic policy around them isn't out of the question.
* Your information {may|may not|may, but only anonymously} be seen by third parties.
* Personally identifiable information {may|may not} be shared with advertisers in
Re: (Score:2)
Ah ok, I understand what you mean now. That would indeed be quite helpful. Especially if they had icons and English (not legalese) descriptions of the different licenses like the CC.
I'm your browser and I'm here to help. (Score:5, Interesting)
Re: (Score:2)
Except site owners would just be lazy and use what everyone else is using, or just outright lie.
Re: (Score:2)
Re: (Score:2)
However that assumes that you will always have a detailed knowledge of the GPL.
I Download Ubuntu and use it as a desktop system. Chances are that I am going to be abiding by the GPL.
However say I get a GPL library that I want to incorporate into my application... Now I really need to know the GPL. As I may or may not want my application to be GPL complaint, or I could be doing something in the Gray Areas of the GPL, say in the area of integration of hardware, where my application is for business use (The un
Re: (Score:2)
The GPL doesn't even apply to this, as it says absolutely nothing about usage, and is not an EULA. The GPL only comes into play if you're going to redistribute a modified version of Ubuntu.
Re: (Score:2)
The GPL is not a simple read, for normal folks who really don't care. I am sure you read it to yourself every night and know it by heart, as part of a religious experience...
However it is only a freaking license, one of many to deal with. I have read the section about Home and Business use many times... It is confusing and it is a big gray area in it. In theory it would force IBM to release its code for the software locks on its upgrades, if I buy the hardware and install some games on it. I am sure lawye
Re: (Score:2)
There is a standary policy, at least from my perspective:
I treat all sites as hostile. I give them only the information they need for me to use them satisfactorily. I go in with the expectation that they're going to fuck me over, sell everything to spammers and ad agencies, the government, whoever dangles a carrot.
If that means on Site X my name is John Fhqwhgads, then so be it.
Trusting anything on the internet is asking for trouble.
Re: (Score:2)
The problem is that would almost certainly circumvent the purpose of privacy policies.
That purpose is to allow those companies do do what ever they want to the customer's privacy with few to no options for legal retaliation from the user.
Re:Solution: Standardized policies (Score:4, Insightful)
True, but you learn about your rights by reading the license. And, by knowing what the license is, you don't have to worry about the question of whether or not you got it legitimately or not.
Re: (Score:2)
Is that ever really an issue? I have plenty of legitimately-obtained software, and a not-unhealthy-but-more-than-zero amount of not so legitimately obtained software. However, in 100% of my software, I know which is the case.
It's safe to say that accidentally finding a piece of cracked software is quite unlikely. Maybe the distributor is in violation of a redistribution license (like the GPL), but that's not something you're likely to know by reading it on their site - they wouldn't go advertising the fa
Or maybe... (Score:5, Insightful)
Or maybe people shouldn't submit their data to every website they visit. If they care about their privacy, they had better well read the privacy policy.
Companies aren't going to dumb-down their policies and open themselves to lawsuits. They are precise and lengthy for a reason.
In the end it doesn't even matter, though. They all include a clause that lets them change the policy any time they like.
Re: (Score:2)
In the UK I believe the requirement is to have up to 3 levels of privacy policy.
- A very simple summary of what might happen with your data at the point you enter it, linking to:
- A more detailed plain english explanation, linking to:
- The full privacy policy.
Most sites just have the full policy though, afaik (IANAL) that's breaking the rules.
Re: (Score:2)
That's assuming that people can directly control such data. Your web browser sends its user agent string and referrer in the HTTP header by default. Then there's the extra information that sites can get with JavaScript.
Re: (Score:2)
Wow, you can read my age, gender, address, etc with javascript?
Re: (Score:2)
If they care about their privacy, they had better well read the privacy policy.
All you really need to read is this part: "SourceForge reserves the right to update and change this Privacy Statement from time to time." If they can retro-actively change the policy at any time after you give them your data, then your data is never safe with them.
No big deal. (Score:5, Funny)
Average amount of hours wasted reading Slashdot at work in a year : 5,000,000
Re:No big deal. (Score:5, Funny)
This is a very BIG deal! (Score:4, Funny)
So, if our time, 200 hrs, is worth $350 billion
And we spend 5,000,000 hrs / year reading slashdot
That means our wasted hours reading slashdot is worth $8,750,000,000,000,000.00
Good God man! If we slashdotters collude on this we can buy the whole planet and kick everyone else off it, or at least charge them rent.
-----
Never underestimate the power of stupid people in large groups
Re:This is a very BIG deal! (Score:5, Funny)
So, if our time, 200 hrs, is worth $350 billion
Where do I apply for this $1.75 billion an hour job, reading privacy agreements?
Re: (Score:2)
Average amount of hours wasted reading Slashdot at work in a year : 5,000,000
Realizing that you've trashed your life: Priceless!
Re:No big deal. (Score:4, Funny)
By my own calculations using your helpful data, it means a slashdotter in average wastes each work hour 2500 times...
Using relativity formulae, I guess we would come close to the speed of light...
Re: (Score:2)
It's like the improbability drive, although I call this one the incapability drive.
Re:No big deal. (Score:4, Funny)
Actually, the average for Slashdot editors appears to be slightly lower than the general populace... it's the only explanation I can see. :)
MadCow.
Re: (Score:2)
5,000,000 hours per year per person?
I'd like to borrow your time machine, if you don't mind. Using my knowledge of the stock market could make me trillions! Or even billions! </dr.evil>
Re: (Score:2)
Standardization (Score:5, Insightful)
Some group need to write a half dozen or so policies covering a range of options and publish them under a license which *does not* allow them to be used under the same name if any changes are made.
Who really reads the GPL anymore after you have went through it a few time? the MPL? BSD? If you get somewhere under a dozen options out there you can save *everybody* time..
Length? (Score:1)
Perfect time (Score:3, Interesting)
to implement my low cost IT Law firm. For a nominal fee we would certify websites and software. Don't want to read the EULA, just check with our firm for verification.
We'd even specialize in defending the rights of netizens and downloaders.
Online legal service for hire.
Re: (Score:2)
Pfffft (Score:2)
200 hours a year? I would be spending 200 hours a month if I read all of the EULAs I encountered.
robots.txt (Score:3, Interesting)
The Problems With Passing Federal Laws (Score:2, Interesting)
I can pretty much guarantee the Federal standard would be a nightmare.
The worst of K street will have second crack at the legislation. The Cheney administration would have first crack at it and take another opportunity to sodomize legal history and Constitutional law. Both houses of Congress have more or less abdicated their responsibility in providing checks, so it gets Fugly fast.
You are obsessed with privacy, so read them (Score:2)
You people who are obsessed with your privacy should be happy for the chance to spend 200 hours a month reading these policies. It's what you care about.
The rest of us don't care how long they are because we would rather live good lives rather than private lives. So we don't read them.
Re: (Score:2)
You advocate a position of ignorance and mock people who value their privacy. And apparently you think someone cannot lead a good, private life. Why is that? Do you not find that a rather foolish position? (a genuine question)
Re: (Score:2)
Obsession with yourself (your privacy, in this case) rarely leads to anything good. The privacy-obsessed might be better off coming out of the bunker and joining the rest of the world.
If not though, the original point stands. Why wouldn't they want to spend their leisure time reading privacy policies if that's what they care about?
Re: (Score:2)
Have you noticed the trend? (Score:2)
The right tends to prefer less regulation, and to let the markets work as efficiently as possible. Deregulation - generally led by the right and approved by both major political parties - occurs over the course of many years. This deregulation often leads to growth and an increase in prosperity, especially for those with substantial money to invest - i.e. those who don't work for a living. The right suspects that with the increase in private funds, fewer social programs are needed and they save money. This
Re: (Score:2)
Part of the problem is the terminology. I prefer to think of "regulation" as rules and referees. Without rules, there is no game. Without referees, there's no fair play. A "self-regulated" game of professional hockey would be a disaster. There wouldn't be a hockey game, there'd only be street fighting.
Much damage has been done in the name of deregulation. I thought trucking deregulation was a great example of the positive side until I read a few pages of "Sweatshops on Wheels". Deregulation did get
What's the point? (Score:1)
Re: (Score:2)
Perhaps we would still access it, but would not submit personal information. I use a fake name and a sneakemail address for most sites, and read the policies and terms anywhere that I give my real name, such as banks.
I recently moved my Open Source Gamebook Project [freegameengines.org] from Sourceforge, solely because of their asinine TOS. I have since moved my svn to cvsdude, who specifically respects my rights to my code. Launchpad also has a reasonable TOS.
Not the answer to everything! (Score:1)
The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.
Why does the government need to be involved in everything? Why can't people take a little responsibility? If you don't like the privacy policy on a site (or it is too long to read), then DON'T GO THERE. You don't need the gov for that.
Not to mention that the web is international. Nothing the EU does forces anything on Brazil, for example.
Slashdot's is nearly 3500 words (Score:2)
Slashdot shares its privacy policy with SourceForge and at nearly 3500 words of legalese they're able to declare themselves "self-certified" under the Safe Harbor principles set up by the US Department of Commerce. There's even a fancy image to prove it.
I like this part of the policy:
Re: (Score:2)
OK, Betty. :)
Re: (Score:2)
Re: (Score:2)
Translations inline:
"We will collect your information to provide product recommendations for you while logged in at this site.
We will sell your details to spammers and identity fraudsters if you ever log in.
We will not share your personal information with any third party without your permission as demonstrated by going to your user profile and opting in for information sharing.
Ha-ha we tricked you to sign in to have your info shared by using an off-screen checkbox/ quadruple negative written in Farsi/ just saying that if you look at our site you've opted in.
We promise to take every reasonable measure to ensure that your personal information, while stored by us, is inaccessible to hackers and other potential identity thieves."
We'll do anything that doesn't cost money. Basically, nothing. We'll claim to use the latest security measures but really we're selling the details on eBay; or you could just pick up one of our company laptops - they all have a
What about television (Score:3, Funny)
200hours 20 per Month (Score:1, Redundant)
Not to nitpick, but 200 hours per year is actually 40 hours less than 20 hours per month by my rough estimate or roughly 16 hours and 40 minutes per month. Not that I am a math major or anything, but I am pretty good with basic arithmetic. Someone, please check my work.
Bill
Nobody reads them (Score:2)
Irony (Score:2)
Has anyone read the entire tax law recently, much less ALL the laws we're supposed to know?
Ignorance is no defense, after all.
Creative Commons (Score:2)
This sounds like an area ripe for the Creative Commons treatment.
Produce a small suite of precise privacy practices, as detailed as you like, each with an approved "plain English" summary, just as the CC licenses do.
After a short adjustment period, one would no longer have to even skim the summary of the license, just as many surfers know by now what the "Share Alike" CC license is.
Call them CPPs: Common Privacy Practices. You could have CPP: Share Internal, CPP: Share With Partners, CPP: Sell To Anyone, C
Interesting (Score:2, Funny)
Federal intervention may be needed? (Score:2)
Federal intervention may be needed to control privacy policies on teh intarweb? That global, international thingy?
Good luck forcing a (pick your country) federal anything on other countries.
I'm not against the general idea, however it should come from a standard web group (not sure if it would fall within the W3C domain, the IETF, etc).
New monetary comparison value? (Score:2, Funny)
Simple Privacy Policy (Score:2)
How about a one-line privacy policy that states "We will most likely sell your credit card information to Al-Qaeda for a box of doughnuts."
Brick-and-mortar (Score:2, Insightful)
I went to a supermarket this morning.
I didn't need to license the right to walk around and view the "product label prices" content, nor did I need to agree not to sue them for being out of Diet Coke Lime, nor did I need to consent to be monitored by security cameras and have my image stored on tapes.
Why can't visiting a web site on-line be that simple?
Advertisers hated self-regulation, too. (Score:2)
TrustE, in their early days, used to have several seals that indicated the level of privacy policy in use. So the TrustE seal actually meant something.
Then, in response to advertiser pressure, TrustE caved in. All a TrustE means now is that the site agrees to abide by its own privacy policy. It doesn't matter how intrusive the policy is; the site can still get a TrustE seal.
TrustE enforcement has been very weak. Here's a study of TrustE enforcement actions. [galexia.com] "Their privacy standards are low to begin w
Logicless Leap (Score:5, Interesting)
The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.
Why? Why should I need the federal government to get involved? At what point did I lose the power to choose to simply not use the service. If I don't have time to read the policy, then I can simply say no. It is only at the point that I no longer have a choice and that my rights are threatened that I need the federal government to step in and protect my rights.
How did we become a society of people who believe that the only ones who can solve our problems are the government, worse, the federal government? Have we no self reliance anymore?
Re: (Score:2)
What do you think about nutritional labels on food? Or ingredient labels on food?
Personally, I would object if the government forbade me from eating Ben & Jerry's Triple Chocolate Caramel Fudge Brownie Marshmellow with Butterscotch ice cream. But I am glad manufacturers have to tell me what's in my food (and the nutrition info). Because if I don't know, I can't make an informed decision. Capitalism doesn't work well if the consumers don't know what they're buying.
Re: (Score:2)
It is only at the point that I no longer have a choice and that my rights are threatened that I need the federal government to step in and protect my rights.
Actually, I think we need a netizen's bill of rights. I'd like to see Constitutional rights to privacy.
Re: (Score:2)
How did we become a society of people who believe that the only ones who can solve our problems are the government, worse, the federal government? Have we no self reliance anymore?
Government by the people for the people means that government should work in your favour - the question is why set up a group to represent all the citizens and establish a standardised privacy policy system when you have a group (called Government) that is perfectly placed to be the focus for such work already, and which already employs experts in this field, and which can pass legislation to help both the uptake of the system and the enforcement of the system (to the benefit of citizens)?
In Soviet USA... (Score:2)
'nough said.
PRIVACY (Score:2)
Privacy Statement
SOURCEFORGE, INC. UNITED STATES/EUROPEAN UNION SAFE HARBOR PRIVACY STATEMENT (âoePRIVACY STATEMENTâ)
(Last Updated May 23, 2008)
(Effective Date May 24, 2008)
SourceForge, Inc. (âoeSourceForgeâ), comprised of the Internet sites SourceForge.com, SourceForge.net, Slashdot.org, freshmeat.net, ITmanagersJournal.com, Linux.com, ThinkGeek.com (the âoeSitesâ), is committed to protecting the privacy of users of the Sites. SourceForge intends to give users as much control
Tried to Read Online MS EULA Once... (Score:2)
I figured I would read it first and then click OK (knowing I couldn't understand it all).
After about 15-20 minutes I realized their server had timed me out & I lost my connection to their server.
Never tried again after that.
Idiotic proposal (Score:2)
The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.
If you don't want to read their privacy policy, tell them that you're not going to use their service because their privacy policy is so long. If you convince enough people to do the same, they'll have to shorten their privacy policy. Federal regulation of the economy is never the answer. It is never justifiable.
We need real privacy laws (Score:2)
If there were real federal laws that actually protected consumer privacy, then the privacy policy of most sites would be very simple, and read as follows:
"We abide by the federal laws that protect your privacy"
Then we would not have this problem.
Re: (Score:2)
Yes, but the federal law would likely read something along the lines of:
Would that make anyone happy?
Re: (Score:2)
I said "real federal laws that actually protected consumer privacy".
Europe has them, or at least has laws that are a darn sight better than ours, privacy wise. I was pointing out the fact that it's not the policy that needs changing, it's the laws. We have to get the money out of the political system before that can happen, though.
The ultimate agreement (Score:2, Informative)
"End User License Agreement
EndUserAgreementText"
Well, at least I guess there is no significant legal risk in accepting it.
I sent a mail asking if they could not simply remove the license agreement, since it was even clearer than usual that it did
Privacy policies aren't legally enforcable anyway (Score:4, Informative)
The Bush administration tried to broker a compromise allowing Toysmart.com to sell their database as long as it was to a company in the same industry. One of the shareholders in Toysmart.com didn't want to be responsible for that decision so he bought the database himself and destroyed it. No precedent was set and the Bush administration hasn't tried to prosecute anyone for violation of privacy policy since.
new unit of measure (Score:2)
Is "financial bailout package" going to join "library of congress" as a standard slashdot UOM?
I have long made the following assertion: (Score:2)
If a businesses' privacy policy is more than one sentence long it means they don't have one.
This is really simple (Score:2)
yes, this puts you in a highly insecure legal position - which is what they WANT!
whatever goes wrong: it's YOUR fault!
Just what we DON'T need... (Score:2)
More Federal Intervention.
The real question is... (Score:2)
Aren't these privacy policies often muted in court anyway? Like, cases where users claim the policy itself was too confusing, and no one in their right mind should be expected to read, comply, and then choose for themselves whether or not to accept the terms of a service that they probably will need regardless?
And do we really have a choice? I mean, if I don't agree with Microsoft's terms, I have to quit being a programmer. They can add whatever they like, and many of us really don't have a choice. Hence, i
Re:fp (Score:5, Funny)
Short, sweet and to the point. Fine use of rhetoricals and emphasis on the punchline. This well balanced piece is let down by its brevity and typos, I can't help but feel that Coward rushed this work.
Worth your time. Three and a half stars.
Re:fp (Score:4, Funny)
Fair assessment. Great turnaround time.
Would troll again AAAAAAAAAAAAA++++++++++++++++
Re: (Score:2)
i lol-ed, v funny
Re: (Score:2, Informative)
Ozphx makes a well balanced critique of the Cowards work.
A must read, two thumbs up.
Re: (Score:2)
Pff, as if. Even a harem of gay boys can't handle my jelly-jelly!
Re: (Score:2, Insightful)
A man had a problem and he decided to convince the Goverment to pass a law to help him. Then he had two problems.
Re:They need another study (Score:5, Funny)
Not even congress reads the laws.
Re: (Score:2)
The annual total had 1 significant digit. The monthly total in the summary has 1 significant digit. You computer-people don't have to deal with error and such like we engineers, but imo 200/12 ~= 20 isn't really a problem.
They didn't write 2.10^2 BUT (Score:2)
They didn't write 2.10^2 because most people wouldn't get it, but that's probably what they meant and what Col. Korn assumed they meant.
Had they written "201", "199", or "EXACTLY 200 hours," which they haven't, then that would have been, indeed, 3 significant digits.