
20 Hours a Month Reading Privacy Policies 161

Posted by kdawson
from the half-the-bailout-every-year dept.
Barence sends word of research out of Carnegie Mellon University calling for changes in the way Web sites present privacy policies. The researchers, one of whom is an EFF board member, calculated how long it would take the average user to read through the privacy policies of the sites visited in a year. The answer: 200 hours, at a hypothetical cost to the US economy of $365 billion, more than half the financial bailout package. Every year. The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed. This resulted in the predictable cry of outrage from online executives. Here's the study (PDF).

  • by crow (16139) on Friday October 10, 2008 @11:02AM (#25327863) Homepage Journal

    If there were a few standardized policies that most sites used, then users wouldn't need to read them. Like with software licenses, you don't bother to read the GPL for each time you install software that uses that license.

    • by Toad-san (64810)

      I agree. A good job for the FCC or the ACLU.

      "This site complies with FCC Privacy Policy #2."

      and a link.

      Bidda bing ...

      • by electrictroy (912290) on Friday October 10, 2008 @11:16AM (#25328075)

        It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
        Software, not being radio, is private and NONE of the government's long-nosed business.

        The solution I use is to not bother reading the policies, because I know the companies don't adhere to them. They just sell your info to whoever they want, and do whatever they please (similar to how Bush is eavesdropping on overseas Americans even though he promised he wouldn't). There's no point wasting my time reading a policy that is not enforced.

        • by Firehed (942385)

          True, but unlike when you're going against the government, there's at least the implication that by agreeing to their TOS, you're entering into some sort of nonformal contract (a shrink-wrap EULA basically) in that they have to hold up to their end of the bargain. If nothing else, you could probably sue them if you find them to be in violation of their posted privacy policy. Hell, if you go for the maximum allowed in small claims court, chances are they'll determine it not worth their time and you'll win

        • Re: (Score:3, Informative)

          by digitig (1056110)

          But nobody was proposing that they regulate anything new. The proposal was that they make a set of standard licenses available, not that they enforce them.

        • by DriedClexler (814907) on Friday October 10, 2008 @12:20PM (#25328837)

          It's not the FCC job to regulate anything other than over-the-air radio waves (public property).
          Software, not being radio, is private and NONE of the government's long-nosed business.

          Good job. He said FCC (Federal Communications Commission) when he should have said FTC (Federal Trade Commission) and instead of reminding the rest of us what the relevant government agency would be, you took the opportunity to grandstand about his mistake. That really helps the discussion, doesn't it?

          Anyway, I have a hard time seeing how this would be overstepping the government's bounds. It's just setting up a template people are free to use, or not, or use with modifications. Government-endorsed behavior (where it pays people to do something), is not the same thing as government-recognized behavior (where it sets a template to ease communication).

          The worst that would happen is that it biases people into not trusting those who refuse to simplify their TOS into one of the common templates. Good. People should have distrusted long license agreements in the first place. It's the general tolerance of that kind of BS that has pushed people into accepting as commonplace the atrocious practice of agreeing to something you haven't read ... something that in any other context is evidence of coercion.

      • Did you mean FTC? I think this would be more likely to fall under their umbrella than the FCC. Nothing to do with regulation of radio waves.
      • by Z00L00K (682162)

        Not only a privacy policy but also a privacy certification is necessary to keep things under control.

        A policy is really not much worth if you don't follow it.

    • by sakdoctor (1087155) on Friday October 10, 2008 @11:07AM (#25327945) Homepage

      Wasn't that the idea behind P3P [wikipedia.org]

      • by ClubStew (113954)

        Exactly. And what P3P underscores is that privacy policies really only have a few variations so even the idea floating around in this thread about standardized ones is certainly possible just like Creative Commons has basically a few canned variations. P3P could help to save time, but really the sites need to hypothetically pick from some standard based on what they do / want (just like picking a CC license).

      • by outcast36 (696132)
        for everyone out there does your website have a p3p policy? IBM has a free tool [ibm.com] to build one. Of course, be sure to revisit your policy once a year to make sure that you retain your high and mighty standards.
    • by truthsearch (249536) on Friday October 10, 2008 @11:08AM (#25327967) Homepage Journal

      Creative Commons puts out a variety of licenses that have a simple (human readable) version and a complete (legal) version. A logo or link on a site makes it immediately clear which license is being used. The exact same formula would probably work quite well for privacy policies.

      • Creative Commons puts out a variety of licenses that have a simple (human readable) version and a complete (legal) version. A logo or link on a site makes it immediately clear which license is being used. The exact same formula would probably work quite well for privacy policies.

        I don't think this idea would get implemented very well.

        Creative Commons gives additional rights to visitors. A privacy policy does the opposite. It's designed to take away rights from visitors.

        So the web sites that are the most li

    • Yes but the GPL says what you can and cannot do to the source of a project, a pretty standardized action. Privacy policies say what the website can and cannot do with your info. That's going to be different on a per website basis. Google could get everything I searched for, Facebook knows what college I go to and some of my friends, Youtube knows what videos I watched, etc. Unfortunately, one boilerplate policy would not cover all of these websites.

      • by ozphx (1061292)

        Its more like "We (US, PARTNERS, MATES) can do whatever (WITHOUT LIMITATION) with the content (EVERYTHING CONCEIVABLE)."

        Well, I exaggerate, but a set of policies would be feasible. I define my trust of a site in fairly broad terms, I'm only really interested if they are going to sell my information to others, and whether I still own what I submit (regardless of content type).

      • by Firehed (942385)

        The GPL was just an example, albeit a poor one. Think Creative Commons, which has about a dozen or so different license combinations, or opensource.org which compiles a good fifty different fairly-widely-used licenses.

        Coming up with some fairly simple and basic terms and wrapping a relatively generic policy around them isn't out of the question.
        * Your information {may|may not|may, but only anonymously} be seen by third parties.
        * Personally identifiable information {may|may not} be shared with advertisers in

        • Ah ok, I understand what you mean now. That would indeed be quite helpful. Especially if they had icons and English (not legalese) descriptions of the different licenses like the CC.

    • by SleptThroughClass (1127287) on Friday October 10, 2008 @11:18AM (#25328097) Journal
      Even better, a tag could tell your browser which standard policy is being used. Tell your browser which policies you want to be accepted, and what action to take for sites with other policies.
      • by Thaelon (250687)

        Except site owners would just be lazy and use what everyone else is using, or just outright lie.

      • by jambarama (784670)
        How do you get these websites to tag at all? Seems to me that privacy policies are just there to protect the sites from lawsuits, not to help inform visitors about how their data will be used.
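The mechanism sketched in two of the comments above (Firehed's policies built from a few fixed options, and SleptThroughClass's browser that reads a standard policy identifier from the page and compares it with the user's own preferences) as an added example, not code from the original thread or from any real standard such as P3P. The `privacy-policy` meta tag, the `CPP:` identifiers, the option table and the sample pages are assumptions constructed for illustration.

```python
"""Browser-side check of a machine-readable privacy-policy tag.

Everything here is hypothetical: the tag name, the policy identifiers and
the sample pages are constructed for illustration, not an existing standard.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Hypothetical standard policies: each id is a fixed combination of the
# options the thread sketches (third-party visibility, advertiser sharing).
STANDARD_POLICIES = {
    "CPP:no-share": {"third_party": "never", "advertisers": False},
    "CPP:share-anon": {"third_party": "anonymous", "advertisers": False},
    "CPP:share-partners": {"third_party": "identified", "advertisers": True},
}


class PolicyTagParser(HTMLParser):
    """Collect the content of <meta name="privacy-policy" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.policy_ids = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        # attribute values may be None for bare attributes, hence the `or ""`
        if (a.get("name") or "").lower() == "privacy-policy" and a.get("content"):
            self.policy_ids.append(a["content"].strip())


def extract_policy_id(html):
    """Return the first declared policy id, or None when the page has no tag."""
    parser = PolicyTagParser()
    parser.feed(html)
    return parser.policy_ids[0] if parser.policy_ids else None


@dataclass
class UserPreferences:
    accepted: set = field(default_factory=set)  # ids accepted without prompting
    unknown_action: str = "prompt"  # action when the page has no tag or an unknown id


def decide(html, prefs):
    """Return (action, policy_id, reason) for a page, given the user's preferences.

    Actions are "allow", "prompt" or "block". The tag is only the site's own
    claim about its policy; this check proves nothing about what the site does.
    """
    policy_id = extract_policy_id(html)
    if policy_id is None:
        return (prefs.unknown_action, None, "page declares no policy")
    if policy_id not in STANDARD_POLICIES:
        # An id outside the standard set gets no benefit of the doubt: it may be
        # a modified text trading on a familiar-looking name.
        return (prefs.unknown_action, policy_id, "id is not a standard policy")
    if policy_id in prefs.accepted:
        return ("allow", policy_id, "matches a policy the user accepts")
    terms = STANDARD_POLICIES[policy_id]
    reason = (f"third parties: {terms['third_party']}, "
              f"advertisers: {terms['advertisers']}")
    return ("prompt", policy_id, reason)


# Constructed sample pages standing in for sites a browser might visit.
SAMPLE_PAGES = {
    "blog": '<html><head><meta name="privacy-policy" content="CPP:no-share">'
            '<title>blog</title></head><body>post</body></html>',
    "shop": '<html><head><meta name="privacy-policy" content="CPP:share-partners">'
            '</head><body>checkout</body></html>',
    "untagged": '<html><head><title>no tag here</title></head><body></body></html>',
    "odd": '<html><head><meta name="privacy-policy" content="CPP:no-share-v2">'
           '</head><body></body></html>',
}

if __name__ == "__main__":
    prefs = UserPreferences(accepted={"CPP:no-share", "CPP:share-anon"})
    for name, page in SAMPLE_PAGES.items():
        action, policy_id, reason = decide(page, prefs)
        print(f"{name:9} -> {action:6} ({policy_id}: {reason})")
```

The decision only checks that the declared id is well-formed and in the user's accepted set; as Thaelon notes above, a site can simply lie, so a scheme like this is a usability aid, not a guarantee, and any enforcement has to come from outside the browser.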
    • However that assumes that you will always have a detailed knowledge of the GPL.
      I Download Ubuntu and use it as a desktop system. Chances are that I am going to be abiding by the GPL.

      However say I get a GPL library that I want to incorporate into my application... Now I really need to know the GPL. As I may or may not want my application to be GPL compliant, or I could be doing something in the Gray Areas of the GPL, say in the area of integration of hardware, where my application is for business use (The un

      • by vadim_t (324782)

        I Download Ubuntu and use it as a desktop system. Chances are that I am going to be abiding by the GPL.

        The GPL doesn't even apply to this, as it says absolutely nothing about usage, and is not an EULA. The GPL only comes into play if you're going to redistribute a modified version of Ubuntu.

    • by billcopc (196330)

      There is a standard policy, at least from my perspective:

      I treat all sites as hostile. I give them only the information they need for me to use them satisfactorily. I go in with the expectation that they're going to fuck me over, sell everything to spammers and ad agencies, the government, whoever dangles a carrot.

      If that means on Site X my name is John Fhqwhgads, then so be it.

      Trusting anything on the internet is asking for trouble.

    • by Gerzel (240421)

      The problem is that would almost certainly circumvent the purpose of privacy policies.

      That purpose is to allow those companies to do whatever they want to the customer's privacy with few to no options for legal retaliation from the user.

  • Or maybe... (Score:5, Insightful)

    by Aladrin (926209) on Friday October 10, 2008 @11:02AM (#25327871)

    Or maybe people shouldn't submit their data to every website they visit. If they care about their privacy, they had better well read the privacy policy.

    Companies aren't going to dumb-down their policies and open themselves to lawsuits. They are precise and lengthy for a reason.

    In the end it doesn't even matter, though. They all include a clause that lets them change the policy any time they like.

    • by tolan-b (230077)

      In the UK I believe the requirement is to have up to 3 levels of privacy policy.

      - A very simple summary of what might happen with your data at the point you enter it, linking to:
      - A more detailed plain English explanation, linking to:
      - The full privacy policy.

      Most sites just have the full policy though, afaik (IANAL) that's breaking the rules.

    • by BenoitRen (998927)

      That's assuming that people can directly control such data. Your web browser sends its user agent string and referrer in the HTTP header by default. Then there's the extra information that sites can get with JavaScript.

    • by WK2 (1072560)

      If they care about their privacy, they had better well read the privacy policy.

      All you really need to read is this part: "SourceForge reserves the right to update and change this Privacy Statement from time to time." If they can retro-actively change the policy at any time after you give them your data, then your data is never safe with them.

  • by Mister Whirly (964219) on Friday October 10, 2008 @11:02AM (#25327875) Homepage
    200 hours? big deal.
    Average amount of hours wasted reading Slashdot at work in a year : 5,000,000
  • Standardization (Score:5, Insightful)

    by FireStormZ (1315639) on Friday October 10, 2008 @11:02AM (#25327877)

    Some group needs to write a half dozen or so policies covering a range of options and publish them under a license which *does not* allow them to be used under the same name if any changes are made.

    Who really reads the GPL anymore after you have gone through it a few times? the MPL? BSD? If you get somewhere under a dozen options out there you can save *everybody* time..

  • My bigger concern is the content of these privacy agreements.
  • Perfect time (Score:3, Interesting)

    by speroni (1258316) on Friday October 10, 2008 @11:05AM (#25327911) Homepage

    to implement my low cost IT Law firm. For a nominal fee we would certify websites and software. Don't want to read the EULA, just check with our firm for verification.

    We'd even specialize in defending the rights of netizens and downloaders.

    Online legal service for hire.

  • 200 hours a year? I would be spending 200 hours a month if I read all of the EULAs I encountered.

  • robots.txt (Score:3, Interesting)

    by bigattichouse (527527) on Friday October 10, 2008 @11:07AM (#25327949) Homepage
    I'd like something simple and standardized: Yes you can re-use content No, it has to be attributed. No, you can't use our logo. blah blah blah etc. rights.txt Have the browser integrate it and have pretty little icons like creative commons does.
  • I can pretty much guarantee the Federal standard would be a nightmare.

    The worst of K street will have second crack at the legislation. The Cheney administration would have first crack at it and take another opportunity to sodomize legal history and Constitutional law. Both houses of Congress have more or less abdicated their responsibility in providing checks, so it gets Fugly fast.

  • You people who are obsessed with your privacy should be happy for the chance to spend 200 hours a month reading these policies. It's what you care about.

    The rest of us don't care how long they are because we would rather live good lives rather than private lives. So we don't read them.

    • by Spatial (1235392)
      Ha ha, what a useless argument. 'Good' and 'private' are not mutually exclusive qualities. It's a false dichotomy.

      You advocate a position of ignorance and mock people who value their privacy. And apparently you think someone cannot lead a good, private life. Why is that? Do you not find that a rather foolish position? (a genuine question)
      • by Kohath (38547)

        Obsession with yourself (your privacy, in this case) rarely leads to anything good. The privacy-obsessed might be better off coming out of the bunker and joining the rest of the world.

        If not though, the original point stands. Why wouldn't they want to spend their leisure time reading privacy policies if that's what they care about?

  • By a nice coincidence, though, the financial rescue package of $700 billion duplicates a number that was also in the news last week - the Pentagon budget. In the fiscal year just beginning, the Defense Department will spend $607 billion on normal military costs, and an additional $100 billion on the wars in Iraq and Afghanistan. (As of June 30, 2008, Congress had appropriated $859 billion for the wars; Congressional Budget Office projections assume further costs of $400 billion to $500 billion as the wars w

    • The right tends to prefer less regulation, and to let the markets work as efficiently as possible. Deregulation - generally led by the right and approved by both major political parties - occurs over the course of many years. This deregulation often leads to growth and an increase in prosperity, especially for those with substantial money to invest - i.e. those who don't work for a living. The right suspects that with the increase in private funds, fewer social programs are needed and they save money. This

      • Part of the problem is the terminology. I prefer to think of "regulation" as rules and referees. Without rules, there is no game. Without referees, there's no fair play. A "self-regulated" game of professional hockey would be a disaster. There wouldn't be a hockey game, there'd only be street fighting.

        Much damage has been done in the name of deregulation. I thought trucking deregulation was a great example of the positive side until I read a few pages of "Sweatshops on Wheels". Deregulation did get

  • Even if we did read and understand the privacy policy, would we disagree and not access the website/content?
    • by WK2 (1072560)

      Perhaps we would still access it, but would not submit personal information. I use a fake name and a sneakemail address for most sites, and read the policies and terms anywhere that I give my real name, such as banks.

      I recently moved my Open Source Gamebook Project [freegameengines.org] from Sourceforge, solely because of their asinine TOS. I have since moved my svn to cvsdude, who specifically respects my rights to my code. Launchpad also has a reasonable TOS.

  • The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.

    Why does the government need to be involved in everything? Why can't people take a little responsibility? If you don't like the privacy policy on a site (or it is too long to read), then DON'T GO THERE. You don't need the gov for that.

    Not to mention that the web is international. Nothing the EU does forces anything on Brazil, for example.

  • Slashdot shares its privacy policy with SourceForge and at nearly 3500 words of legalese they're able to declare themselves "self-certified" under the Safe Harbor principles set up by the US Department of Commerce. There's even a fancy image to prove it.

    I like this part of the policy:

    Photographs

    Users may have the opportunity to submit photographs to the Sites for product promotions, contests, and other purposes to be disclosed at the time of request. In these circumstances, the Sites are designed to allow

  • How hard would it be to write the following summary:

    "We will collect your information to provide product recommendations for you while logged in at this site. We will not share your personal information with any third party without your permission as demonstrated by going to your user profile and opting in for information sharing. We promise to take every reasonable measure to ensure that your personal information, while stored by us, is inaccessible to hackers and other potential identity thieves."

    Then, at

    • by pbhj (607776)

      Translations inline:

      "We will collect your information to provide product recommendations for you while logged in at this site.

      We will sell your details to spammers and identity fraudsters if you ever log in.

      We will not share your personal information with any third party without your permission as demonstrated by going to your user profile and opting in for information sharing.

      Ha-ha we tricked you to sign in to have your info shared by using an off-screen checkbox/ quadruple negative written in Farsi/ just saying that if you look at our site you've opted in.

      We promise to take every reasonable measure to ensure that your personal information, while stored by us, is inaccessible to hackers and other potential identity thieves."

      We'll do anything that doesn't cost money. Basically, nothing. We'll claim to use the latest security measures but really we're selling the details on eBay; or you could just pick up one of our company laptops - they all have a

  • by iteyoidar (972700) on Friday October 10, 2008 @11:17AM (#25328087)
    I would imagine every American loses like, a bujillion hours a month watching TV. That probably costs a lot too.
  • Not to nitpick, but 200 hours per year is actually 40 hours less than 20 hours per month by my rough estimate or roughly 16 hours and 40 minutes per month. Not that I am a math major or anything, but I am pretty good with basic arithmetic. Someone, please check my work.

    Bill

  • But nobody reads them, just like EULAs. Users just have the expectation of privacy, just as they do in real life. Even if a few companies and marketing experts think it's unrealistic or impossible, people just have that expectation anyway. Nobody is automatically suspicious of nefarious activities, people are generally unsuspecting.
  • by Puls4r (724907)
    So we're proposing the Federal government enact a law to make privacy policies easier to read?

    Has anyone read the entire tax law recently, much less ALL the laws we're supposed to know?

    Ignorance is no defense, after all.
  • This sounds like an area ripe for the Creative Commons treatment.

    Produce a small suite of precise privacy practices, as detailed as you like, each with an approved "plain English" summary, just as the CC licenses do.

    After a short adjustment period, one would no longer have to even skim the summary of the license, just as many surfers know by now what the "Share Alike" CC license is.

    Call them CPPs: Common Privacy Practices. You could have CPP: Share Internal, CPP: Share With Partners, CPP: Sell To Anyone, C

  • Sounds like an interesting report, but I can't spare the time to read it.
  • Federal intervention may be needed to control privacy policies on teh intarweb? That global, international thingy?

    Good luck forcing a (pick your country) federal anything on other countries.

    I'm not against the general idea, however it should come from a standard web group (not sure if it would fall within the W3C domain, the IETF, etc).

  • So we're going to measure the cost of things in FBP's now?
  • How about a one-line privacy policy that states "We will most likely sell your credit card information to Al-Qaeda for a box of doughnuts."

  • Brick-and-mortar (Score:2, Insightful)

    by S77IM (1371931)

    I went to a supermarket this morning.

    I didn't need to license the right to walk around and view the "product label prices" content, nor did I need to agree not to sue them for being out of Diet Coke Lime, nor did I need to consent to be monitored by security cameras and have my image stored on tapes.

    Why can't visiting a web site on-line be that simple?

  • TrustE, in their early days, used to have several seals that indicated the level of privacy policy in use. So the TrustE seal actually meant something.

    Then, in response to advertiser pressure, TrustE caved in. All a TrustE means now is that the site agrees to abide by its own privacy policy. It doesn't matter how intrusive the policy is; the site can still get a TrustE seal.

    TrustE enforcement has been very weak. Here's a study of TrustE enforcement actions. [galexia.com] "Their privacy standards are low to begin w

  • Logicless Leap (Score:5, Interesting)

    by Hercules Peanut (540188) on Friday October 10, 2008 @12:02PM (#25328631)

    The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.

    Why? Why should I need the federal government to get involved? At what point did I lose the power to choose to simply not use the service. If I don't have time to read the policy, then I can simply say no. It is only at the point that I no longer have a choice and that my rights are threatened that I need the federal government to step in and protect my rights.

    How did we become a society of people who believe that the only ones who can solve our problems are the government, worse, the federal government? Have we no self reliance anymore?

    • by Khelder (34398)

      What do you think about nutritional labels on food? Or ingredient labels on food?

      Personally, I would object if the government forbade me from eating Ben & Jerry's Triple Chocolate Caramel Fudge Brownie Marshmellow with Butterscotch ice cream. But I am glad manufacturers have to tell me what's in my food (and the nutrition info). Because if I don't know, I can't make an informed decision. Capitalism doesn't work well if the consumers don't know what they're buying.

    • by Sancho (17056) *

      It is only at the point that I no longer have a choice and that my rights are threatened that I need the federal government to step in and protect my rights.

      Actually, I think we need a netizen's bill of rights. I'd like to see Constitutional rights to privacy.

    • by pbhj (607776)

      How did we become a society of people who believe that the only ones who can solve our problems are the government, worse, the federal government? Have we no self reliance anymore?

      Government by the people for the people means that government should work in your favour - the question is why set up a group to represent all the citizens and establish a standardised privacy policy system when you have a group (called Government) that is perfectly placed to be the focus for such work already, and which already employs experts in this field, and which can pass legislation to help both the uptake of the system and the enforcement of the system (to the benefit of citizens)?

  • Privacy Statement

    SOURCEFORGE, INC. UNITED STATES/EUROPEAN UNION SAFE HARBOR PRIVACY STATEMENT (“PRIVACY STATEMENT”)

    (Last Updated May 23, 2008)

    (Effective Date May 24, 2008)

    SourceForge, Inc. (“SourceForge”), comprised of the Internet sites SourceForge.com, SourceForge.net, Slashdot.org, freshmeat.net, ITmanagersJournal.com, Linux.com, ThinkGeek.com (the “Sites”), is committed to protecting the privacy of users of the Sites. SourceForge intends to give users as much control

  • I figured I would read it first and then click OK (knowing I couldn't understand it all).

    After about 15-20 minutes I realized their server had timed me out & I lost my connection to their server.

    Never tried again after that.

  • The researchers propose that, if the industry can't make privacy policies easier to read or skim, then federal intervention may be needed.

    If you don't want to read their privacy policy, tell them that you're not going to use their service because their privacy policy is so long. If you convince enough people to do the same, they'll have to shorten their privacy policy. Federal regulation of the economy is never the answer. It is never justifiable.

  • If there were real federal laws that actually protected consumer privacy, then the privacy policy of most sites would be very simple, and read as follows:
     

    "We abide by the federal laws that protect your privacy"

    Then we would not have this problem.

    • by cdrguru (88047)

      Yes, but the federal law would likely read something along the lines of:

      All users will have complete privacy with all communication and transactions, with the standard exceptions for commercial and law enforcement use.

      Would that make anyone happy?

      • by soren100 (63191)

        I said "real federal laws that actually protected consumer privacy".

        Europe has them, or at least has laws that are a darn sight better than ours, privacy wise. I was pointing out the fact that it's not the policy that needs changing, it's the laws. We have to get the money out of the political system before that can happen, though.

  • by gg9973 (1382401)
    I recently signed up on a website which required me to first accept a license agreement. I have the odd habit of actually reading the agreements before I accept them. When I clicked the link for the license agreement, I was presented with the following text:

    "End User License Agreement
    EndUserAgreementText"

    Well, at least I guess there is no significant legal risk in accepting it.

    I sent a mail asking if they could not simply remove the license agreement, since it was even clearer than usual that it did

  • by Aram Fingal (576822) on Friday October 10, 2008 @01:38PM (#25329917)
    Back in the Clinton administration, the FTC tried to set a precedent for enforcement of privacy policies with the case of Toysmart.com. Toysmart.com went bankrupt and a judge ruled that they could sell their customer database in violation of their own privacy policy to settle debt. The Clinton administration tried to reverse the decision on appeal but the case went on after Clinton left office and Bush came in.

    The Bush administration tried to broker a compromise allowing Toysmart.com to sell their database as long as it was to a company in the same industry. One of the shareholders in Toysmart.com didn't want to be responsible for that decision so he bought the database himself and destroyed it. No precedent was set and the Bush administration hasn't tried to prosecute anyone for violation of privacy policy since.
  • $365 billion, more than half the financial bailout package

    Is "financial bailout package" going to join "library of congress" as a standard slashdot UOM?

  • If a businesses' privacy policy is more than one sentence long it means they don't have one.

  • This is really simple: YOU ARE NOT SUPPOSED TO READ THE POLICIES!
    yes, this puts you in a highly insecure legal position - which is what they WANT!
    whatever goes wrong: it's YOUR fault!
  • More Federal Intervention.

  • Aren't these privacy policies often muted in court anyway? Like, cases where users claim the policy itself was too confusing, and no one in their right mind should be expected to read, comply, and then choose for themselves whether or not to accept the terms of a service that they probably will need regardless?

    And do we really have a choice? I mean, if I don't agree with Microsoft's terms, I have to quit being a programmer. They can add whatever they like, and many of us really don't have a choice. Hence, i
