I spend most of my free time working on Privacy Commons, and so I was excited to see Christopher’s post and critique on the subject. Thanks as usual, Christopher, for your thought-provoking questions and observations. Likewise, Aza, CUPS, and Ralf Bendrath. Great work—each of you. I want to pick each of your brains sometime. I also want to apologize in advance for any incomplete sentences or thoughts. This is a slapped-up post.

Some Problems With Privacy Policies

As Christopher, myself, and many others have pointed out, the problems with privacy policies are myriad. Here are a few:

• Inaccessible or Unintelligible. many privacy policies are not easily understood or even physically accessible; so complicated and wrapped in legalese that they are “nigh useless” to the average consumer.
• Complicated Solution. Unless we’re careful, a Privacy Commons may end up equally or more complicated than the status quo.
• Non-Standard. Privacy Policies are not standardized, making it impossible to compare apples-to-apples.
• Incomplete. They often fail to address important privacy issues or fail to consider all potential parties
• Unsophisticated. Many boilerplate privacy policies demonstrate a fundamental lack of understanding of how privacy policies translate to privacy and business practices. Some simply don’t address the most salient issues, which may be unique to their industry. Consequently, many of the policies never translate to practice.
• Treated as Only Legal Documents. Privacy policies are often treated as “compliance” documents and relegated to the legal department. Consequently, many fail to address or actually contradict field practices.
• Privacy Waiver. Many privacy policies waive, rather than confer, privacy rights. The medical industry is extremely efficient at this practice.
• Technology-Dependent. Privacy policies which strictly enumerate technologies quickly become outdated in the face of emerging technologies.
• Non-Binding. Most importantly, US courts have consistently interpreted privacy policies to be unbinding notices, rather than contracts. As a result, privacy policies generally create no enforceable rights or enforceable expectations of privacy. In this sense, privacy policies can create a false expectation of confidentiality, privacy, or even fiduciary responsibility.

Some Assumptions About Privacy Policies

Based on my experience in technology, advocacy, and the law, I want to air some of my basic assumptions about Privacy Policies. Of course, I invite challenges to these assumptions:

1. Mitigate Liability. Privacy is the subject of dozens of laws and regulations. The present primary business case for developing, maintaining, and conforming to a privacy policy is to mitigate liability.
2. Inform Data Subjects. Data Subjects include consumers, employees, or any individual about whom information is collected, stored, or aggregated.
3. Empower Data Subjects. Mere information is not enough. A privacy policy which produces information overload without actionable intelligence is counter-productive.
4. Articulate Privacy Practices. For the benefit of both data subjects and the data stewards who must execute the privacy policy, it must explain and reflect real business practices.
5. People Don’t Read. Anything more than about two paragraphs will never be read. That’s why high-level iconography is so appealing (and achievable).
6. Must Be Easy-to Understand. Because people don’t read. Fewer words and easy-to-grasp iconography are better.
7. Short Policies Are Inherently Incomplete. Two paragraphs and pretty pictures may be sufficient to inform consumers on the portions of the privacy policy they find most important, but will always be incomplete. More on this below.
8. Adoption & Enforcement. A Privacy Commons must be optimized for adoption, rather than enforcement. That’s simply because despite the Federal Government, the states and the FTC’s regulation in the area, a privacy commons must be market-driven to be successful.
9. Sector-Specific. Different sectors/activities collect different sets of personal information, are regulated differently. In order to ensure that privacy policies are relevant, they must be taylored to specific activities.
10. Living Documents. A privacy policy which was correct six months ago may not be correct today.
11. Privacy Policies are Complex. Deal with it. Privacy Policies are complex, just like Creative Commons or the Telephone. More on that below.
12. Business Documents. Privacy Policies are business documents with legal, practical, business, and ramifications for corporations, their agents and employees, and data subjects.

Thinkers like Christopher Parsons worry that a Privacy Commons will be unnecessarily complex. Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what can be said in 300 and a handshake. It turns out that a simple handshake is not as simple as most people think. Behind each handshake there is a wide range of assumptions which are not as standard as one might believe. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are not as simple as we thought.

To demonstrate this point, we need look no further than Creative Commons. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Clearly the unnecessary work of a verbose lawyer who needed to justify his existence, right?

Not so fast. The full Attribution Non-Commercial Share Alike license covers a whole bunch of other stuff that consumers don’t usually take time to think about, unless of course there is a dispute. It’s only at that point that we’re glad we included it. The legalese version covers essential topics like media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, representations and warranties, limitation on author’s liability, termination, severability, waiver, and entire agreement, just to name a few. Consumers don’t (and shouldn’t) think about this kind of stuff when they proverbially “shake hands” with a licensee. Creative Commons is simple on the surface, but look under the hood and you’ll see the complexity necessary to create the elegance that most people associate with the CC licenses. Saying that the legalese version of a Creative Commons License (or Privacy Commons Policy) is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.

It’s like a telephone—an elegant piece of equipment which is exceedingly easy to use. The end-user only cares about a few things: Connectivity, line quality, cost, and accessibility. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about all of the other stuff so they can focus on the four or five things that consumers care about. The millions of miles of copper, routers, substations and central offices aren’t a “necessary evil,” they’re just necessary.

Some Conclusions About Privacy Policies

We’re just going to have to deal with the fact that privacy policies are complex, and will continue to be complex. The best solution (as I see it) is to do three things: ID c.

• Require Thoroughness. A Privacy Commons-compliant policy is thorough
• Identify Cultural Notions of Privacy. Identify culturally important notions of privacy, and embody them in easy-to-understand iconography. Christopher Parsons suggests these notions might center on Data Collection, Data Sharing, Data Identification, Data Tracking, Data Deletion, and Aggregation, which I think is a good start. And Ralf Bendrath offers these excellent icons, which are more elegant than any I’ve seen.
• Embody the Cultural Notions of Privacy in Iconography. Then let the legalese version fill in the (necessary) gaps.

A privacy policy which conforms to Privacy Commons requirements will be complete, informative, easy to understand, and easy to adopt. Like Creative Commons, Privacy Commons seeks to identify common cultural notions of privacy, and embody them in easy-to-understand policy frameworks, with simple high-level iconography.

Note: I usually blog on securitycatalyst.com and jeffreyneu.com, but this post doesn’t fit very well on either.

~IDENTITÄT – The »Gestalt« of digital identity is the bachelor’s thesis of Jonas Loh and Steffen Fiedler. The students at University of Applied Sciences Potsdam, Germany crawled more than 100,000 personal raw data sets on the web and analyzed their contents, including parameters of time. They developed methods for visualizing and comparing the data, resulting in a series of “personal interpretation[s] of the dig­ital identity as an amorphous sculpture.”

The results are striking embodiments of complexity, movement, incongruity, and finiteness; much like the average identity. These sculptures are successful because they capture the movement and growth of one’s identity, convoluted and tied in messy knots of contradictions, incompleteness, and experimentation.

~IDENTITÄT is a reminder of the simultaneous complexity and finiteness of human identity, and a warning that our digital identities are nothing more than a collection of credit reports, Facebook pages, Google results, bank account numbers, and archived e-mails.

As an odd mashup of Geek, Identity Guy, and Architect/Designer, I couldn’t help but give this project a shout-out. And though I think that the description “gestalt” is a little overstated, the provocative sculptures teach us new ways to abstract something as indeterminate and personal as your identity. Bravo, Jonas and Steffen.

Hat tip: Identity Woman.

by Aaron Titus

As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:

1. Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.
2. Don’t click on URLs in unsolicited e-mails.
3. If you want to click on an e-mail link, never click “dishonest” links – links that don’t match the displayed URL.

Bad Practices

American Student Assistance (ASA) is a non-profit organization which helps students keep track of their student loans. It’s also an example of a legitimate organization with some irresponsible privacy practices.

Earlier this year I received an unsolicited e-mail from the ASA. I had never heard of the ASA, but the e-mail insisted that they were “the guarantor of [my] federal student loans.” To this day my bank has not introduced me to the ASA. Of course, this spontaneous contact from an “authoritative” organization made me suspicious. Red Flag 1: Unsolicited e-mail claiming to be from an authoritative source.

The letter instructed me to follow a link to log in with my FAFSA PIN. I was also notified that I have a “Profile,” and was invited to Update my profile by clicking on a link. The link took me to an insecure and unbranded website which automatically filled out my name, e-mail address, and indicates that I have been opted-in to receive a newsletter. Red Flag 2: Unsolicited authoritative e-mail, requesting that you “log-in” using sensitive information on an unsecured, no-name server. Spam newsletters are a bonus.

But before clicking on the links, I moused over each of them to see where they led to. A link which purported to go to “www.amsa.com/bor” actually links through “http://click.email-asa.org/?qs=33c40ef691b275c8d3b7e7d0430ce34d0980241c6c7eb313b745465bb515d8d5″. In fact, each of the eight links in the e-mail were “dishonest,” in that the actual URL was different from the displayed URL. Red Flag 3: Dishonest links.

This e-mail screamed “Phishing Scam,” so I called the toll-free phone number listed in the e-mail. A woman answered the phone. She immediately asked for sensitive personal information. I gave her my first and last name, but refused to give her any additional information since they had contacted me and I had no way to verify who they were. Red Flag 4: Unsolicited third party requesting personal information over the phone.

ASA’s Privacy Policy contains the following promises:

We do not disclose any nonpublic personal information about you or our other current or former customers, except as permitted by law…. We restrict access to nonpublic personal information about you to our employees, contractors, and agents who need to know the information in order to provide service to you…. We maintain physical, technical, and administrative safeguards in compliance with federal regulations to safeguard your nonpublic personal information. (Accessed August 27, 2009.)

But ASA’s privacy policy didn’t translate to privacy practices. After I refused to share personal information the lady on the phone asked, “Is your name Aaron [X] Titus, or Aaron [Y] Titus?” Uncomfortable, I replied, “Aaron [X]…” She asked for my date of birth. When I refused to give it to her, she read it to me over the phone. When I refused to give her my address, she repeated my full address including street, number state and zip code. She told me which school I attended and that she had access to my social security number on her screen. Red Flag 5: A representative sharing sensitive personal information over the phone without first authenticating.

Since I had no idea who this organization was I asked, but never got a straight answer. She and her supervisor variously described the organization as a “government agency,” “not a government agency,” “a non profit government agency,” and a “non profit organization which receives federal funds.” They relied on some relationship with the federal government to gain credibility. Red Flag 6: A fishy and inconsistent story designed to earn your trust.

My Advice: Quit it

After filing a complaint with the company, I talked with ASA’s Privacy and Compliance Director, Betsy Mayotte. Ms. Mayotte was kind enough to apologize for the behavior of her organization, and convinced me that the ASA is a legitimate organization, albeit one with uneducated and dangerous privacy practices. Apparently the representative was re-trained. But they did not plan to change anything else.

The dishonest links were designed to measure click-throughs: A common marketing practice. The unbranded and insecure server which asked me to update my “profile” was the result of bad practices, laziness or poor training. The other blatant violations of their privacy policy and outrageous behavior by the representative was more of the same.

I wish I could say that this is an unusual event. But unfortunately I’ve seen similar behavior by my bank, and even former employers. When legitimate companies force consumers to be irresponsible, the online public becomes irresponsible. Forcing consumers to ignore common-sense safety practices may save you a buck in the short run, but they make your customers irresponsible and erode overall online public safety. So here’s my advice to legitimate companies who behave like phishing rings:

Quit it.

Seriously, stop training the public to be irresponsible. If you want to track click-throughs for an e-mail marketing campaign, set up a virtual redirect on your main server. If you got sensitive personal information through a third party, make sure to have that third party introduce you to the customer. Don’t send unsolicited e-mail, and don’t cold-contact potential customers to request that they share personal information. Once and for all, encrypt your website. If your marketing department isn’t all that tech-savvy, hire someone who is. Train your customer service representatives never to give out personal information without first authenticating the identity of the person on the other end of the line.

Privacy policies are not just legal boilerplate which you can write and forget. Make sure that your privacy policy matches your privacy practices. This means that your customer service representatives should be as familiar with it as your general counsel.

Note: This article originally appeared on Security Catalyst.

Note: This article was originally posted on Securitycatalyst.com.

by Aaron Titus

Georges-Pierre Seurat was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called “pointillism.” His famous painting, La Parade, contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man’s profile.

This detail is the single best visualization of your “Data Self” I have seen. Your Data Self is a collection of your credit report, Facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Like pointillism techniques, which juxtapose contrasting dots to create vibrant masses of shaded tones, each piece of personal information is a single dot. Perhaps one is your address, your middle name, your pet’s name, or your favorite color. Maybe some represent your family, and others represent your friends or religious beliefs. Some represent your travels, magazine subscriptions, and purchase habits. Still others are intimate thoughts.

Taken individually or in small groups, they do not mean much- they may even seem to contrast or contradict one another. But all together they form your profile, or Data Self: A pretty good, but not 100% accurate representation of who you are. And this profile is exactly what data brokers, government actors, and marketers (among others) are trying to determine.

We leave trails of dots as we interact with others, especially online. As Gregory Conti, a computer science professor at the United States Military Academy at West Point, explained, “Free Web services aren’t free. We pay for them with micropayments of personal information.”

Since your Data Self is a digital alter-ego, with the power to enter contracts, grant access to your financial assets, have surgery, or commit crimes, you should actively shape and control access to your Data Self.