WebProNews

Tag: Privacy Policies

  • NTIA Introduces Mobile App Code of Conduct For Privacy

    The U.S. National Telecommunications and Information Administration (NTIA) this week announced that its stakeholder partners for an app transparency process will soon begin testing a voluntary code of conduct for mobile app privacy. The code implores app developers to, “where practicable,” provide app users with short form notices about what data an app collects and who it will be shared with.

    The image above is one of several examples the NTIA released to show how apps following the code might display such notices.

    According to the code, notices should inform app users of data collection from the categories of biometrics; browser history; phone and text logs; contacts; financial information; health, medical, or therapy data; location data; and user files. The sharing notices should cover the categories of ad networks; carriers; consumer data resellers; data analytics providers; government entities; operating systems and platforms; other apps; and social networks.

    “NTIA is pleased that today a diverse group of stakeholders reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices,” said Lawrence Strickling, the NTIA administrator. “We encourage all the companies that participated in the discussion to move forward to test the code with their consumers. I want to congratulate all of the participants, who through their commitment and dedication have demonstrated the promise and importance of the multi-stakeholder policy-making process.”

    Though Strickling’s statement shows the NTIA is proud to have provided a framework for disclosure in mobile apps, other privacy advocates are calling for stricter privacy measures. The American Civil Liberties Union (ACLU) this week called the NTIA’s code of conduct “modest,” and called on Congress to pass “meaningful” consumer privacy protection legislation.

    “The American Civil Liberties Union supports this code as a modest but important step forward for consumer privacy,” said Christopher Calabrese, legislative counsel at the ACLU’s Washington Legislative Office. “It allows applications to compete on privacy and gives consumers a tool to pick the most privacy friendly applications.

    “The fact that it took a year to come to agreement on just this single measure, however, makes it clear that we need comprehensive privacy legislation in order to gain meaningful privacy protections for consumers. After all, we should be able to enjoy cool new technologies without giving up our privacy.”

  • Reddit’s New Privacy Policy Is Written for Clarity, Specificity

    Reddit has just announced that they have completely rewritten their privacy policy “from the ground up,” to be clearer and more accessible to the average user.

    “For some time now, the reddit privacy policy has been a bit of legal boilerplate. While it did its job, it does not give a clear picture on how we actually approach user privacy. I’m happy to announce that this is changing. The reddit privacy policy has been rewritten from the ground-up. This new policy is a clear and direct description of how we handle your data on reddit, and the steps we take to ensure your privacy.”

    The new policy will go into effect on May 15th.

    The main difference (other than the clarity) in reddit’s new privacy policy, as opposed to the older policy, is that this one is more specific to reddit. The previous privacy policy was overbroad, having been written by Conde Nast (who owns reddit).

    “The old policy was written very broad. It was a generic one written by Conde Nast. This was written specifically to apply to reddit. The goal was to be clear and specific. Especially about data retention. Some things were added like reddit Gold and specific information about the new advertising providers,” says legal strategist Lauren Gelman, who helped write the new policy.

    For one, the new policy expresses exactly what information reddit collects from its users. One new addition involves posts and comments, and how long they stay accessible (hint: forever):

    The posts and comments you make on reddit are not private, even if made to a subreddit not readily accessible to the public. This means that, by default, they are not deleted from our servers– ever– and will still be accessible after your account is deleted. However, we only save the most recent version of comments and posts, so your previous edits, once overwritten, are no longer available.

    Reddit clarifies that if you truly want a comment gone for good, it’s best to simply edit it.

    Another involves IP addresses:

    reddit stores the IP addresses associated with specific posts, comments, and private messages for 90 days after they are made or sent.

    On a site like reddit, privacy is paramount. Just spend any time on there, and you’ll see what I mean. If you want to read the (incredibly readable) new privacy policy, check here.

  • Verizon Highlights Its Privacy Policy in the Wake of Windows Phone Rumors

    Earlier today rumors surfaced that Windows Phone 8 devices scheduled to be sold and used on Verizon’s network might be delayed or even cancelled. The story is that Verizon wants more access to Windows 8 smartphones, to better collect users’ location and web browsing data, and Microsoft isn’t budging on user privacy.

    Though neither Verizon nor Microsoft has verified the rumor, Verizon is attempting to spin things its way by releasing a statement on its privacy policy. The company claims that “protecting customer data and safeguarding privacy have always been top priorities at Verizon.”

    Though many of the articles this morning referred to Verizon’s data collection efforts as spyware, the company wants everyone to know that they informed customers before they began collecting their data and that customer data is “de-identified” and then aggregated, so it’s ok. It’s not your data, it’s everyone’s data. From Verizon’s statement:

    In 2011, we announced a number of new programs that will help companies better understand mobile consumers in a more detailed and efficient way. None of the data that is used in this program is personally-identifiable, and we do not sell raw data to third-parties. We are not selling your personal data. At the time these programs were announced, we informed our customers of the changes through updates to our privacy policy and through emails or direct mail, depending on preferences for how they wanted us to communicate these types of changes with them.

    One of these programs provides insights into audiences on the move by connecting aggregated demographic, mobile usage, and location data into useful business and marketing reports. To be clear about this, we are aggregating customer data that has already been de-identified, which means none of it is personally identifiable information.

    Verizon goes on to state that they use customer information to group people by demographics and interests, such as age, gender, and “tennis enthusiasts.” A profile of everything about a customer, only without the customer’s name. The info is then used to deliver mobile ads as well as other advertising based on the demographics of a geographic region.

    The company states that customers can opt-out of these programs through the Verizon website or via phone. That does imply, though, that the data collection is opt-in by default.

    Verizon is really splitting hairs here. Sure, the raw data isn’t sold to companies, but they also admit in no uncertain terms that customer demographic info and postal addresses are being used to serve up ads. The fact is, Verizon is making money, one way or another, by collecting data on their subscribers. The company should stop pretending and simply explain to customers (and Microsoft) why personally-tailored ads aren’t necessarily a bad thing.

  • EU Will Tell Google To “Unravel” Its Privacy Policy On Tuesday [Report]

    According to a report from the Guardian out today, Google will be told on Tuesday to “unravel” the changes it made to its European privacy policy earlier this year.

    As you may know, the company launched a major privacy policy change globally earlier this year. It essentially consolidated a number of policies into one major policy to encompass most of Google’s products. This way, people using various Google products would be under the terms of one major policy, effectively turning these different products into features of a central Google product. Because of this, Google is able to use user data from one service to the next, and personalize the user experience based on that.

    According to the Guardian, the CNIL, France’s data protection agency, will hold a press conference on Tuesday, to “announce the results of its deliberations together with the data protection chiefs of the other European Union countries.”

    Last week, news came out (also from The Guardian) that Google would come under fire from European data protection commissioners, and it appears that day is about to come.

    It will be interesting to see what exactly comes of this, and what effect it might have on Google’s policy throughout the world.

    Google maintains that its policy enables it to build a “better, more intuitive user experience across Google for signed in users.” It’s also important to note that Google’s actual privacy controls did not change.

  • LinkedIn Addresses Mobile Calendar Privacy Concerns

    Social networks have been struggling to find a balance on the issue of privacy for years, and LinkedIn is no different. Being the social network for professional networking means privacy is especially important to LinkedIn – careers can be dashed if highly personal information is shared haphazardly. In the past week the company has updated its privacy policy, and today it is addressing some privacy concerns that have been raised about its mobile calendar feature.

    With the LinkedIn app for mobile platforms, such as the iPad, users can enable the calendar feature of the app to sync with their mobile device’s calendar and pull in information about the meetings they have scheduled. With the feature enabled, users can view the LinkedIn profiles of the people listed as attending a meeting. While this may seem to be a simple way to remember names and prepare for a meeting, LinkedIn admits that there have been concerns about what the company does with the event information, particularly meeting notes, that it pulls from device calendars.

    To alleviate concerns, LinkedIn Mobile Product Head Joff Redfern outlined exactly what the company’s policies are with regards to calendar data. He provided clarity in a blog post over at the LinkedIn Blog:

    In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

    In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.

    So, while LinkedIn does pull what could be considered sensitive meeting information, Redfern is adamant that the company does not store or share the information with third parties. He also reiterated several times in his post that the calendar sync feature is opt-in, meaning users must explicitly give LinkedIn permission to pull their device’s calendar information.

    Redfern stated that LinkedIn has taken immediate action to improve the mobile calendar’s privacy features. “We will no longer send data from the meeting notes section of your calendar event,” said Redfern. Also, a “learn more” link will be provided to better educate users on how the feature uses their calendar data. These changes have already rolled out for the Android version of the LinkedIn app, and the iOS version will be updating soon.

  • LinkedIn Updates its Privacy Policy

    LinkedIn, the social network for professional networking, announced this weekend that it will be updating its privacy policy. Starting on Thursday June 7, the company’s Privacy Policy and User Agreement will be updated for clarity and to provide LinkedIn members more control over where their data can be viewed.

    Eric Heath, the director of legal for product at LinkedIn, announced the changes in a post over at the LinkedIn Blog. There are two major changes in policy. LinkedIn will now delete personally identifiable information obtained through their plug-ins and off-site advertising after 24 hours. This is likely a reaction to Facebook coming under pressure from European activists regarding its off-site advertising practices. LinkedIn has also “enhanced” its privacy controls by making public profile privacy settings for members also determine the information that can be accessed by search engines and third-party plugins.

    “Ensuring more privacy and control over your personal data remains our highest priority,” said Heath. That’s probably the best place for a social network to prioritize privacy. As Facebook has found out in the past few years, privacy is not something that can be overlooked, and social networks have a responsibility to their members to make privacy policy crystal-clear.

    The last time LinkedIn updated its privacy policy was almost exactly one year ago. At that time, the company allowed members to opt-out of being mentioned in ads for products they have recommended, and gave members the ability to opt-out of information sharing through LinkedIn’s browser plugins. LinkedIn’s privacy policy can be viewed on its website.

  • Why No One Reads (And Never Will Read) Privacy Policies

    Because of all the high-profile breaches of information around shady privacy policies associated with mobile apps and Google’s public relations trouble with their recently updated, one-ring-to-rule-them-all privacy policy, it’s beginning to feel like “privacy policy” will be the internet meme of 2012 that nobody laughed at. Still, every time a new story concerning a privacy policy breaks, I never fail to think back to one of the more gruesome yet hilarious episodes of South Park: ‘HUMANCENTiPAD.’

    In typical South Park fashion, the episode does a masterful job of skewering both companies that produce these epic tomes that they call a privacy policy – in this case, Apple – and the naive consumers who never bother to read these privacy policies and just click “Agree” to get on with it – in this case, Kyle. During the episode (*SPOILER ALERT* if you’re really that worried about being spoiled), Kyle innocently agrees to Apple’s policies and inadvertently commits himself to volunteer as a participant in the company’s next revolutionary device: the HUMANCENTiPAD. If you’ve brushed shoulders with pop culture in the past couple of years, I don’t feel like I need to explain what that means. If you need clarification for what this particular kind of fate entails, I suggest you refer to the internet.

    While the episode is a shocking yet poignant admonishment to all of us who mindlessly agree to anything and everything without really vetting the policies that will directly affect us, a new report was released recently that concludes if we really wanted to try to read every single privacy policy associated with all the websites we visit, we would need an entire month off of work in order to fully read every document. Since nobody really has that much disposable vacation time saved up to devote to such a task, we’re all probably lucky we haven’t ended up as some middle segment to some sinister iDevice yet.

    The analysis, which was conducted by Aleecia M. McDonald and Lorrie Faith Cranor, who are both researchers at Carnegie Mellon, found that in order for the average person to completely read every privacy policy accompanying the websites they visit, the person would need to spend about 250 working hours each year, or about 30 full working days, to finish the herculean task.

    The researchers selected the 75 most popular websites that had privacy policies ranging from 144 words to a stupefying 7,669. They assumed that people would read the privacy policies at 250 words per minute, which is on the low end of the general average that people read in order to comprehend a text. However, the analysis doesn’t seem to take into account that this also isn’t prose that people are reading. The documents people are reading – privacy policies – are typically written in such dry legalese that the mere words themselves seem to be dosed with comprehension-repellant. Reading the privacy policies simply as a rote mechanism is one thing, but actually comprehending them is a different beast entirely, meaning the amount of time required to understand all those privacy policies could be even more demanding than reported in their analysis.

    Speaking with NPR, Cranor described how most people really have no idea about how much of their information is being used or even how it is being used. She likened the intensity of the info-gathering involved in several of these websites to having some kind of voyeur following you around the mall and recording each and every thing you look at, touch, or remark upon.

    As if the time demands weren’t staggering enough, Cranor goes on to explain that it’s not even really economically feasible for people to read the privacy policies. If time is truly money, Cranor says that the total cost in time spent reading those privacy policies (if they indeed did read them) would total around $781 billion a year.

    Then again, one of the few things, if not the only thing, that was generally agreed upon as acceptable with Google’s new privacy policy that went into effect last month was how simplified it was (even then, it’s still over 2,000 words). Even in its simplified form, only 1 in 10 had actually read the policy the day before it was implemented. So much for keeping it simple in order to get people to read these privacy policies, because obviously the unnavigable bulk of these texts is not the only thing keeping people from reading them.

    For the sake of argument, though, let’s just say that we did magically find an extra 30 vacation days each year and read every single privacy policy associated with the websites we haunt. Then what? What good does that do a person who wants to use the site? In case you hadn’t noticed, these are not negotiable terms. You literally have two choices: accept the terms even though they might seem intrusive or unsavory in order to continue to use the website; or you don’t accept them, so you move along. This isn’t a contract on which you can negotiate terms like you would with a salary extension or even something less grave like whether or not you want pickles on your Junior Whopper. Visiting a website and using its services is not an exercise in democracy, and part of that is because at the end of the day all of the websites you visit, in spite of how gently they try to word their privacy policies and info-collecting practices, are for-profit businesses. You must accept their terms because, well, they own the playground.

    Generally, I think of privacy policies pertaining to websites I use as less about keeping me involved in the democratic process and more about the company informing me in advance of what kind of thumbscrews my privacy can look forward to. It’s not like there’s a mediation process where Facebook’s lawyers meet with my personal agent and they discuss the site’s terms until both parties can come to a satisfying agreement. That doesn’t happen because, one, Facebook’s lawyers would probably win everything they want anyways and, two, I don’t have an agent because I’m a normal person.

    So even if privacy policies were explained with the most simplified of jargon and they were a breezy 600 words, would anybody still read them? That wouldn’t ever happen, but again, for the sake of argument, assume that type of practice became common for websites. What would it take to get you to routinely read every policy for every website that you use? Or is this just a bad model in general that demands to be overhauled into a version more functional in the year 2012? You should share your thoughts with us and other readers because, in the meantime, under this current model of privacy terms that we live with, every single one of us should feel exquisitely lucky that we haven’t ended up with the same fate as that fictional young boy from South Park.

  • Facebook Privacy Policy Gets “Re-imagined”

    Facebook announced today that it has started a new version of its privacy policy to make it easier to understand. I could’ve sworn they did that before, but now they’re going even further. This one is relying on user feedback before the company even considers implementing it. Facebook says if users like it, they’ll consider making it the official policy.

    This is an "attempt on what a privacy policy written for you could look like," Facebook says.

    "It’s important to note that this draft is outside of even our regular process of notice and comment," the company said in a note. "Because we’re tackling a challenge that matters to so many people — and doing it in a way that is so different from what we’ve done before —  we’re giving you a look even earlier in the process. If people like what we have, we’ll put it through our regular notice and comment process at a later date."

    "Finally, we’ve tried not to change the substance of the policy but, in our effort to simplify, we have added some new things that were elsewhere on the site (like our help center) and have made some other concepts clearer," the note added.

    Facebook says the new policy should be easy to understand, visual and interactive, and should focus on questions people are most likely to ask. 

    The company says it plans on "more innovations" with regards to privacy in the coming months, but would not get into specifics.