« NPR (National Public Radio) Unveils Website Redesign
- Posting Index -
Article: Libraries in Italy: a Brief Overview »

Resource of the Week: Report — How to Read a Privacy Policy

Resource of the Week: Report — How to Read a Privacy Policy
By Shirl Kennedy, Senior Editor

While we usually post reports on our sister site, DocuTicker, we wanted to make sure this one was seen by as many folks as possible. This report — from The Common Data Project, a nonprofit based in NYC — analyzes the privacy policies of 10 major websites, as well as several start-ups. According to a press release (PDF; 78 KB):

Unlike existing privacy policy analysis, CDP’s report seeks to provide a “how to read” guide for the user who is curious about what is happening to his or her data online, but has little understanding of the technological and legal mechanisms at work.

The report walks through seven questions meant to pinpoint the issues CDP believes are most crucial for a user’s privacy, from questions on how “personal information” is defined to the kind of choices offered to users regarding how their information is shared.

You need to read this because you use most or all of these websites — some of them on a daily basis — Google, Yahoo!, Wikipedia, Microsoft, AOL, Amazon, eBay, Facebook, Craigslist, Photobucket, NYT, WebMD, Ask, Cuil, and Ixquick. The seven questions CDP asked of each of these?

  1. What data collection is happening that is not covered by the privacy policy?
  2. How do they define “personal information”?
  3. What promises are being made about sharing information with third parties?
  4. What is their data retention policy and what does it say about their commitment to privacy?
  5. What privacy choices do they offer to the user?
  6. What input do users have into changes to the policy’s terms?
  7. To what extent does they share the data they collect with users and the public?

The report is based around an ongoing series of posts on CDP’s My Place in the Crowd weblog. On one of these is an intriguing visual of how the various privacy policies “stack up next to each other, literally,” in terms of their length.

privacy policies compared

Some interesting tidbits from the report:

  • “Companies rarely vouch for what these third party advertisers are doing. Some companies, such as AOL, Microsoft, Yahoo, Facebook, Amazon, and the New York Times Digital, will at least explicitly acknowledge there are third parties that use cookies on their sites with their own policies around data collection…. Google, in contrast, doesn’t mention third party advertisers on the “privacy policy,” alluding to the separate controls for opting out of their tracking on a separate page discussing advertising and privacy.”
  • “Researchers at the University of Texas in recent years have demonstrated that it is possible to de-anonymize through combination, as when Netflix data is combined with IMDB ratings, or when Twitter is combined with Flickr. So when companies offhandedly note that they are combining information they collect from different sources, they are learning a great deal more about individual people than the average user would imagine. And as you might imagine, large companies like Microsoft, Google, and Yahoo! have a wealth of databases at their disposal, but none of this is being made explicit in the policies.”
  • “For example, Google promises not to share “sensitive personal information,” defining it as “information we know to be related to confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality and tied to personal information.” Does that mean that a user’s search queries for B-list celebrities are fair game to Google? Given the varying definitions of “personal” that are used, the strong declaration that “personal information” will generally not be shared is not, ultimately, a very comforting one.”
  • “Certainly, the volume and breadth of data Amazon collects pales in comparison to what Google has access to, and some might argue that search queries are more “private” than what books one chooses to buy. But most people still probably wouldn’t want their purchase histories on Amazon to be revealed willy-nilly. Every item view shows what others have considered buying, what others have ended up buying, what else you might like. In contrast, Google, Yahoo!, and Microsoft have yet to vividly demonstrate why collecting and retaining data makes their services better. Perhaps if they did, they would be less hard-pressed to delete their data as soon as possible.”
  • “AskNetwork developed AskEraser to be a more visible way for users to use Ask.com without being tracked, but as privacy advocates noted, AskEraser requires that a cookie be downloaded, when many people who care about privacy periodically clear their cookies. AskEraser also doesn’t affect data collection by third parties on its site at all.”
  • “Facebook can’t offer the service that it does without the content generated by its users. But as it’s begun to realize, its users then have to be a part of decisions about the way that content is used.”
  • In some ways, consumers are starting to already feel that they’ve gotten a bad deal. Even though most only feel a vague discomfort at this point, it’s unlikely that companies like RealAge will be able to continue what they’ve been doing. RealAge promoted itself as a simple online quiz to help people be healthier, with endorsements by famous doctors, with only limited disclosure of the fact that their profits were based on selling quiz-takers’ information to pharmaceutical companies.

All in all, CDP, concludes:

By our standards, none of the privacy policies we surveyed quite measure up. Most of them provide incomplete information on what “personal information” means. Many of them fail to make clear that they are actively sharing information with third-parties. Even when they change their policies on something like data retention to placate privacy advocates, the changes do little to provide real privacy. The legal right companies reserve to change their policies at any time reminds us that right now, the balance of power is clearly in their favor. When they do offer users choices, the choices fail to encompass all the ways online data collection implicates users’ privacy.

And yet, CDP adds, “there are many positive signs of companies making smart moves, because they’re realizing they need buy-in from their users to survive in the long-term.”

If you prefer, you can read or download the full report as a PDF (165 KB).

The ReadWrite Enterprise blog discusses the report.

+ Privacychoice LLC recently evaluated the privacy policies of the top ten advertising networks.

+ In 2007, Privacy International issued a report — A Race to the Bottom:
Privacy Ranking of Internet Service Companies — that described the privacy practices of major Internet companies.

+ Know Privacy — “a collaborative research project” by several graduates of the UC Berkeley School of Information Masters program, class of 2009 — offers “(a) comparison of users’ expectations of privacy online and the data collection practices of website operators.”

« Posting Index

Bookmark and Share This entry was posted on Monday, July 27th, 2009 and is filed under Privacy, Resource of the Week, Social Media, Source File, Technology and Internet, Web 2.0. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

Comments are closed.