New Tool Suite Helps Track Privacy Policies

An anonymous reader writes "Forbes reports that The Internet Society announced this week the availability of the Identity Management Policy Audit System, a suite of tools designed to give Internet users a clearer understanding of the online usage policies of the websites they visit. Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology, the system consists of a free, open-source Firefox plug-in that checks a library of scraped terms of service and privacy policies from several popular websites. If a site changes the fine print of one of its policies, the plug-in notifies the user when they visit the website next. According to Forbes, 'that functionality would help users spot controversial switcheroos in sites' legalese, such as Facebook's change last year that suddenly gave the site the right to use your photos and other content.'"

Re:

[Lingerance]

Way to not read the summary. It states that the plugin notifies you when the PP changes. Which means you'd have to have read it in the first place anyways. Do you seriously expect someone to read the PP of every site they visit for every visit they make just to notice changes?

Re:

[Sancho]

Not just for every visit--every time they make a request!

Seriously, this sort of thing is a great idea. I wish there was a standardized protocol for displaying the policies, for notifying users of changes, and of what those changes are. I'd love to have that kind of thing in my RSS, customized for the sites I use.

A great idea that doesn't tend to work in practice

[Sancho]

TOSBack does something similar for Terms of Service for various websites. The problem is information glut. The terms of service may change frequently in very small, unimportant ways (such as formatting, or even in a few cases inconsequential HTML getting inserted.) The page can be absent one moment and back the next--causing two change notifications to show up. Sometimes the pages don't get changed across all of the website's servers, causing TOSBack to go back and forth between two changes (sometimes s

Re:

[blair1q]

It should extract the plaintext and hash it. If the current TOS associated with a page matches a past hash for the site, ignore it.

This is why we have computers do these things.

Re:

[Sancho]

Why? Reverting to older policies may be just as important to people, particularly if the older policy was more onerous or problematic for some reason. Or the page could have been erroneously edited and pushed out, and the reversion is just to get back to what the real policy actually is. The problem is that a machine can't tell if it's a reversion to an old policy or a problem with synchronization of the servers behind the load balancer. Some heuristics could probably help with that (you could detect b

Re:

[blair1q]

If that's the case you need some out-of-band communication. Like an email to users telling them when the policy has changed. Or a modification date in the policy to indicate when it was last officially updated. Oh look, that works with simple hashing as a change detector. Problem solved.

Re:

[Sancho]

That came across as awfully snarky. Yes, of course those solutions work--as long as the website implements them.

Re:

[lavagolemking]

Contracts should not be changed at all without the signer's approval. That's why whenever you fill out a check or sign a contract, but notice a tiny mistake, you're asked to initial/sign over the mistake; proving that you accept the indicated change to the original document. This kind of tool alerts customers/users that something has changed, however small, and lets them decide. Maybe it's something small like a grammatical correction, or maybe it's a change of 1 or 2 words which significantly change the me

Re:

[Sancho]

I agree. I should have said "The problem with this idea is information glut." The real root problem is certainly that people are making changes without notifying their customers. My point is that the band-aid to that problem is still broken.

That said, most TOS include language allowing the company to change them materially, that it's up to the user to follow those changes, and that continued use of the site constitutes acceptance of those changes. That's bad, but frankly, most people don't read the TOS

Re:

[whereiswaldo]

That's bad, but frankly, most people don't read the TOS anyway (which is another problem--when the TOS are too long and full of legalese, it's annoying, difficult, and unexpected for people to bother reading them.)

I wish we could force lawyers to read through all the source code to an application before allowing them to use it. Change the functionality of buttons randomly (and without notice) so they have to re-read the source code to be sure it still does what they expect. That's sort of what they're exp

Re:

[Sancho]

I like it!

Re:

[John Hasler]

The problem here is not with TOSBack, or any related software, but that companies are able to change contracts after acceptance simply by putting them online.

No they aren't.

Re:

[YourExperiment]

It becomes almost as much of a burden to check TOSBack as it does to just scan the TOS every once in a while.

Yes, it seems to me that we've reached a bit of an IMPAS.

EFF?

[lavagolemking]

Why was this tagged as EFF? There was not one link to any of EFF's websites, and as far as I know from any of the linked articles, this is not something EFF is involved with, however in line this is with their values and intentions.

Re:

[Kilrah_il]

Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology...

Any more questions?

Re:

[Kilrah_il]

Glad to be of service.

standardize?

[Garble Snarky]

Why can't websites use standardized privacy policies and TOSs ? Sure they would need to make small changes specific to their business or whatever, but you could make it modular, etc. Wouldn't it be nice to see something like this:

Our Privacy Policy:
*Standard Non-Financial, Non-Sensitive Privacy Policy
*<two application-specific paragraphs that anyone can read quickly>

Software and media does something vaguely similar with licenses right? So why would this not work?

Re:

[Sancho]

I'd love that. I think that confusing the customer ultimately gives the corporation more power.

Re:

[psithurism]

I'd love that. I think that confusing the customer ultimately gives the corporation more power.

A confusing end user license that finely encodes in legalese, "you are now a right-less servant of this company," is a benefit to the company. However, privacy policies is something that many customers look for and scrutinize. I would be much faster to sign up with random services if I knew exactly what they did with my personal data.

I take privacy policies much more seriously than EULAs; I've never been able to un-void a warrenty (because of violation in clause 8 of paragraph 12 in section 173 under headi

Re:

[phantomfive]

Because a lot of them don't want you to understand it

Re:

[lavagolemking]

What's the point in hiding things no sane person would agree to in a contract if it's easy to read?

Re:

[lonecrow]

It's called P3P and its already a W3C standard. P3P [w3.org]

I have been implementing it on all my sites for a few years.