Elias Bizannes discussed Facebook and privacy on TechCrunch and wrote:
“…the current ToS and EULA model—those hundred page legal documents you are forced to agree to in order to use a service—are often ignored by consumers and hence they are surprised when they get a service enforcing its terms. We believed a simpler way is needed to communicate what a service does with respect to a person’s data and what rights they have over it.”
This got me thinking about when I last read a privacy statement, and I realized that the last time I read a website’s privacy statement was when I wrote one. I wrote it based on two or three other privacy statements and went through more or less the same topics, such as “what data we collect,” “who do we share it with,” and “what you can do to opt out.”
When I was done the lawyers went through it and changed a few things:
1. The language was friendly before but legalese afterwards, making it much harder to read.
2. So many ifs and buts were added that it became harder to slog through a sentence.
3. Entire sections were added, distracting from topics that were important to users and making it much harder to make it to the end of the document.
At that point, it was clear to me that I was writing it for only two audiences: other lawyers and the press. That said, I’m not sure that such privacy statements can be significantly changed without compromising their legal integrity, and since we’re not that naive, let’s assume that privacy statements will remain legal documents.
So what can be done to make sure people understand the privacy implications of the services they use?
Following up on Mr. Bizannes’ idea that an external non-profit group provide companies with a questionnaire that they can answer about their users’ data, I’d like to suggest another idea. Instead of asking questions, the group can read each company’s privacy statement and “translate” it for the rest of us into a list of 10-20 privacy topics with a grade for each, where 100 is a perfect score. Call it a “Privacy Score” (sort of like a person’s credit score).
For example, let’s take the topic “what personal data is collected” – a 100 would be no data: this service doesn’t require any personal data from you in order for you to become a member. 99 would be a unique user name, perhaps 90 would be a personal, verified email address and so on. Zero would probably be if your social security number is required to open an account.
As you can see, zero is not necessarily evil, as you’d probably need to provide your SSN to open a bank account, but when your “data collection” score is a zero, you’d better be sure that the service’s “data protection” score is very high.
Anyway, users can use a Privacy Score to decide what services they’d like to sign up for, based on a privacy statement that they can understand. I think I’ll post more about this soon; it begs exploration.