Today in Tedium: You know who’s had a bad week? The folks at Evernote. They’ve been raked over the coals by their users over a change to their privacy policy, that document on nearly every webpage that most people don’t really read unless they’re bored. Well … someone read Evernote’s policy and found out that they were going to let engineers have access to user notes in an anonymized fashion. That didn’t go over well, even after a defense by the company’s CEO. The company announced just a little while ago that they’re backing off the changes they were going to make, but think of it this way—at least there was a privacy policy there at all. What if a company made a change like that without telling you? It’d be scary stuff. Today’s Tedium ponders the online privacy policy. — Ernie @ Tedium
“Modern information systems are essential to our economy. They contribute to the comfort and convenience of our lives. But they can be misused to create a dangerously intrusive society. Our challenge is to provide privacy safeguards that respond to these social changes without disrupting the essential flow of information.”
— President Jimmy Carter, speaking on the importance of having a national privacy policy in a 1979 message to Congress. Carter’s comments on the matter, which cited how “personal information on millions of Americans is being flashed across the nation from computer to computer,” were perhaps the most significant comments a president had made on the importance of privacy up to that point. (Which, considering the NSA wiretapping program that existed under future presidents, must frustrate him a tad.) Carter’s focus on privacy issues led to the passage of at least one important piece of legislation, the Privacy Protection Act of 1980, which bars federal authorities from conducting unannounced searches of newsrooms in an attempt to find evidence. He didn’t, however, have his hands on the first notable piece of modern consumer privacy legislation, the Fair Credit Reporting Act.
How the pre-internet era defined internet-era privacy policies
In many ways, the privacy policy has come to define our online experiences, but the concerns that led to its widespread use came not from the web, but everything that came before it.
Data collection—think credit scores and bill collectors—grew increasingly complex in the 1980s and 1990s, and this created an increasingly complex web of information that seemed to go all over the place. A 1991 Time piece breaks down how messy it was even back then:
To get a driver’s license, a mortgage or a credit card, to be admitted to a hospital or to register the warranty on a new purchase, people routinely fill out forms providing a wealth of facts about themselves. Little of it remains confidential. Personal finances, medical history, purchasing habits and more are raked in by data companies. These firms combine the records with information drawn from other sources—for instance, from state governments that sell lists of driver's licenses, or the post office lists of addresses arranged according to ZIP code—to draw a clearer picture of an individual or a household.
The repackaged data—which often include hearsay and inaccuracies—are then sold to government agencies, mortgage lenders, retailers, small businesses, marketers and insurers. When making loan decisions, banks rely on credit-bureau reports about the applicant's bill-paying history. Employers often refer to them in making hiring decisions. Marketers use information about buying habits and income to target their mail-order and telephone pitches. Even government agencies are plugging in to commercial data bases to make decisions about eligibility for health-care benefits and Social Security.
If not handled correctly, there was a lot of potential for the internet to take these already troubling trends and turn them into full-blown disasters.
In the United States, no single law dealt with the concerns raised by this complex privacy trade that was forming as the technology started to allow it. Instead, it was a whole bunch of laws, many of them only covering the issue in pieces—likely due to the complexity of the situation described in the Time piece above.
Perhaps the two best-known examples of these laws came during the Clinton era: The Health Insurance Portability and Accountability Act (HIPAA), the 1996 law specifically targeting healthcare disclosures, and the Children’s Online Privacy Protection Act (COPPA), a 1998 law specifically targeting websites that market to children.
Bits and pieces of other laws also played a role in building this rule-making out—most notably, the California Online Privacy Protection Act (CalOPPA), which represents the kind of comprehensive take on the issue at the state level that the U.S. has never touched—but ultimately, the two factors that played a role in making privacy policies common all over the internet were the Federal Trade Commission, which first proposed the idea in 1995, and efforts by industry groups to self-regulate their own industry before the problems got any worse.
The FTC, which ultimately decided against pushing for new legislation to solve the problem, had a lot of work on its hands. According to a survey the FTC commissioned for a 1998 report to Congress, 85 percent of websites took some form of personal information from consumers, but just 14 percent provided any notice of this transaction, and just 2 percent had a comprehensive privacy policy to explain how the website used the data.
“The development of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential,” the report stated.
Electronic commerce definitely did meet its full potential. But ultimately, the mess of regulation was never fully spelled out by a single law, as it was in the European Union.
So as a result, privacy standards are completely spread out among U.S. federal agencies. It mostly works, but it’s messy.
“If you happen to see a posting anywhere on our site that you feel is objectionable, please utilize the emergency e-mail address listed in the Beanie Info section which will direct your message to one of my friends at Ty who will look into the matter as soon as possible.”
— A portion of the privacy policy added to the Ty.com website in 1997, at a time when the standards on privacy policy were still fluid. (Also, how many rare Beanie Babies did Ty have to give to Network Solutions to get that two-letter domain name?) As the New York Times’ Stuart Elliott reported at the time, the move to add the privacy policy came not because of federal regulations, but out of concerns raised by advocacy groups such as the Center for Media Education. It was an early example of the kind of self-regulation that has helped keep away more stringent privacy-policy rules.
Privacy policy uptake is a mobile problem, too, according to some new research
As the Evernote saga recently showed, there are quite a few reasons for a privacy policy to exist, and one of those is that it helps the public know when the apps they use are breaking the contract between the company and the end user.
But what if that contract just wasn’t there at all? Turns out that this is a more common situation than you’d think, in part due to lax detection and oversight. Last month, researchers at Carnegie Mellon University cranked up this discussion by analyzing 18,000 Android apps in Google’s Play store, using a natural-language-driven approach that allowed the researchers to dive through all 18,000 apps at a rate of around one every six seconds.
"With a few servers, we should be able to scan all the free apps in the Google Play store every month," noted Norman Sadeh, the computer science professor that led the research.
Nearly as crazy as the research strategy were the results: Roughly half of the apps studied didn’t have privacy policies at all, despite the fact that more than two thirds of apps (71 percent) used some form of personally identifiable information on the part of the user. (Which makes sense: A mapping app is likely to ask for data that identifies you, because of how digital mapping works at a base level.)
California’s CalOPPA obviously mandates that a privacy policy be there, so CMU’s researchers are working with the state’s attorney general’s office to help boost compliance checking.
Sadeh admitted that a second layer of research, this time with human hands, was necessary to check the results.
“Just because the automated system finds a possible privacy requirement inconsistency in an app does not mean that a problem necessarily exists,” he admitted in a news release.
But even if a hand-counting found that the result was slightly off, the stats would still make sense as a whole. Privacy policies are pretty much the most boring, least interesting part of any website. It’s legalese. Ain’t nobody got time for that.
Ain’t nobody got time, that is, unless proof of its value stares developers in the face.
Perhaps that’s why the Evernote saga is so useful. It shows that the public actually cares about boilerplate language—whether it’s federally mandated or not.
About a year ago, I spent a couple of days writing up a privacy policy for Tedium.
It’s relatively boilerplate, and probably needs an update at some point, but I tried to write it so that, if you were to stumble upon this page, it would not be the most boring thing on the internet. I also tried to give it to you straight—yes, we advertise, and we do so in a specific way; yes, of course we ask for your email address, this is a newsletter; no, we won’t be able to figure out your credit card number from all this.
It wasn’t hard, but it was different from my normal kind of writing. But I remember that trying to find information on how to put one together was a little confusing, only partly because of the fact that “privacy policy” is a goddamn failure of an SEO keyword. Part of the problem is that, because no firm, singular path was set on the issue way back when, it’s difficult to know exactly what the right way to go is when writing such a document. It doesn’t help that different federal agencies control specific aspects of the digital regulatory infrastructure.
Michelle De Mooy, the acting director of the Center for Democracy and Technology’s Privacy and Data Project, told The Hill this week that the U.S. is a rarity in terms of how complicated its data laws are, with the lack of a comprehensive law on the issue that covers every aspect of life ultimately harming the United States by keeping outdated regulations on the books.
“There are only two countries in the developed world with no baseline privacy standards,” she said. “One is the United States. The other is Turkey.”
The confusion around what a privacy policy is actually supposed to be is just one way that that issue manifests itself on a daily basis. Whether or not it’s a problem that needs fixing? That’s another question entirely.