The ambiguous privacy policy is on purpose

www.edu-cyberpg.com

WE SUPPORT STEVE BELLOVIN

Pass a strong Federal privacy law to protect our data, if you need to protect the population when the next pandemic hits.

As Joel Reidenberg and his colleagues have pointed out, privacy policies are ambiguous, perhaps deliberately so. One policy they analyzed said:

  1. “Depending on how you choose to interact with the Barnes & Noble enterprise, we may collect personal information from you…”
  2. “We may collect personal information and other information about you from business partners, contractors and other third parties.”
  3. “We collect your personal information in an effort to provide you with a superior customer experience and, as necessary, to administer our business”

“May”? Do you collect it or not? “As necessary”? “To administer”? What do those mean?

The same lack of clarity is true of location privacy policies.

The New York Times showed that some apps that legitimately need location data are actually selling it, without making that clear:

The Weather Channel app, owned by an IBM subsidiary, told users that sharing their locations would let them get personalized local weather reports. IBM said the subsidiary, the Weather Company, discussed other uses in its privacy policy and in a separate “privacy settings” section of the app. Information on advertising was included there, but a part of the app called “location settings” made no mention of it.

Society is paying the price now. The lack of trust built up by 25 years of opaque web privacy policies is coming home to roost. People are suspicious of what else will be done with their data, however important the initial collection is.

Can this be salvaged? I don’t know; trust, once forfeited, is awfully hard to regain. At a minimum, there need to be strong statutory guarantees:

  • The information collected will only be used for contact tracing;
  • It will not be available to anyone else, including law enforcement, for any reason whatsoever;
  • There are both criminal and civil penalties for unauthorized collection or use of such data, e.g., by a store;
  • There is a private right of action as well as city, state, and Federal enforcement;
  • That class action suits to enforce this are permitted, regardless of terms and conditions requiring arbitration.

and this needs to be as iron-clad as a battalion of lawyers can make it.

I don’t know if even this will suffice—as I said, it’s hard to regain trust. But passing a strong Federal privacy law might make things easier when the next pandemic hits—and from what I’ve read, that’s only a matter of time.

(There’s a lot more to be said on this topic, e.g., should a tracking app be voluntary or mandatory? The privacy advocate in me says yes; the little knowledge I have of epidemiology makes me think that very high uptake is necessary to gain the benefits.)


Steven Bellovin on Twitter: “Code isn’t just law, it’s a binding international treaty.
(I’m now waiting for England (no, I didn’t mean Britain or the UK…) to want to pull out of the Apple ecosystem as an infringement on its sovereignty.)”