Thursday, June 03, 2010

open and obvious privacy practices

Lately, there's been all sorts of hubbub about use of private information on websites (ahem, Facebook), but it's not really clear what's okay, and what's not okay.

Personally, I don't have a problem with sites using the data I give them as long as they're straightforward and actually ask me for the data and admit they'll share it. I'll even hand out more extra credit brownie points if they tell me what they plan to do with it. And I'm not talking about linking to legalese privacy policies (maybe 0.5% of visitors to a site have read the privacy policy), it's gotta be up-front and in the main content. For most people, I imagine the feeling of violation comes in when there's perceived deception in data use practices.

For example, if a site says to me, "if you give me your address, I'll show you a list of stores selling fruit in your area", I'm happy to provide my address for that service. I feel comfortable in knowing what is happening with the data I provide, and this transparency gives me comfort.

On the other hand, if the same site doesn't say anything to me and simply infers my location from some sort of browser history sniffing trick, then shows me the same ads, I'll feel a bit violated when I figure out what happened. There are two points of friction in this second scenario: (1) I wasn't asked for the data, and (2) I was unaware of how the data would be used or with whom it would be shared.

Stephanie Clifford of the Times writes an article about sites that are starting to be transparent and straightforward with their data collection and use. When your users enter into a relationship with you knowing well that you intend to use the data they provide, everything works out swimmingly. If you instead just collect the data and later start using it for something new that users catch wind of, they are shocked, feel violated, and you end up in a predicament like Zuckerberg.

In a few upcoming posts, I'll go more in depth about my thoughts on web privacy. For now I'll conclude with hope that more sites will be upfront and transparent with what they do and will keep descriptions of their privacy-related practices accessible to users--users who, armed with an understanding, can make an educated choice on whether or not they should be sharing their data.

1 comment:

Michael Coates said...

One big problem I have is that even a site that is transparent with their privacy policy can still change it at a later date. This is similar to the Facebook situation. Users joined with expectation X and then the rules changed to Y. At this point the user's data is already present and has been now converted to the new policy - whether or not the user agrees.

A privacy policy is almost like a worthless contract. You evaluate the terms and then enter into a business agreement with the web site. You provide them with your data and in exchange receive their provided service. However, the web site can change the terms at any time whether or not you agree. There is no concept of a breach of contract.

It would be interesting if the privacy policy was considered a legally binding agreement that couldn't be changed without user consent or providing the user an option to completely erase all provided data.