Can we do for privacy what Creative Commons has done for copyright? I'm keen to find out...
Background
Web users consistently report that they are very concerned about their privacy. [Fox, 2000, Lenhart and Madden, 2007, Madden and Smith, 2010] While most people take action to protect their privacy, they also upload large amounts of personal information onto Web sites. [boyd and Hargittai, 2010] Many do not understand what controls they have over their privacy. [Debatin et al., 2009]
Governments have responded to this concern by developing privacy principles and enacting legislation. They have also created organisations to help people and businesses understand what their rights and responsibilities are. [Ligertwood and Jackson, 2007, Raab and Koops, 2009]
However, most Web sites do not handle privacy well. Their privacy statements indicate that they do not understand what legislation applies, what their responsibilities are or what risks they are exposing themselves to. For most Web sites, privacy seems too complicated for the resources they have available. [Shelly and Jackson, 2009]
Eight years ago, copyright was also seen as being too complicated and too hard for most businesses to cope with. [Lessig, 2003] In the last eight years, Creative Commons has simplified copyright enormously. [Forsythe and Kemp, 2008] By creating a simple framework for copyright, Creative Commons has made it possible for organisations and individuals to understand and use copyright correctly. [Herkko, 2008] While not solving all the issues related to copyright, it has provided a great deal of clarity for both content creators and content users. [Elkin-Koren, 2006]
The development and adoption of Creative Commons provides a model for creating simplified legal frameworks that encourage greater understanding of complex legal issues. The Creative Commons model, while not an exact fit for privacy, could allow organisations that are gathering private data to make their intentions clear to people who are supplying private data.
Vision
Julie is subscribing to a newsletter. Beside the form's "Submit" button, she sees a small graphic that shows a dollar sign with a slash through it, a skyscraper with a slash through it and "1yr" on a rubbish bin. Intrigued, she clicks on it. It takes her to a page that clearly tells her that her information will not be sold, that it will not be shared with anyone else and that it will only be kept for one year (at which time, she will be asked to reconfirm her subscription). Impressed with the clarity of the information and simplicity of the system, Julie submits her e-mail address and goes on her way.
What Julie doesn't realise is that there is another layer to this system. If Julie had chosen to, she could have read the legal code that sits below the plain language statement. It is a legally enforceable contract that states that Julie's information will not be sold, will not be shared and will be discarded after a year. If Julie discovers that this company has passed her information on to a third-party, she can sue them for breach of contract.
A simple framework for privacy, based on the Creative Commons model, would have the following features:
- A selection of privacy icons that provide a graphic summary of the intention of a Web site owner.
- Plain language statements that make it clear what will happen to the information that users enter into a form.
- Legal code that sets out the rights and responsibilities of both parties in a way that is enforceable in a court of law.
The project is based on the assumption that a majority of Web site owners want to do the right thing. They do not intend to mislead their users and do not collect private data for undisclosed purposes. They would welcome a simple mechanism that would allow them to make this clear to their users.
The strengths of the project are:
- It builds on an existing framework that has traction across the Web.
- It is simple enough for individuals and small businesses to understand and implement.
- Improvements to the system, including court decisions ratifying the system, strengthen the position of all users.
This project does not seek to solve all issues related to privacy on the Web. Rather, it allows people who want to do the right thing to demonstrate that to their customers in a simple, rigorous manner.
Research
Review research to simplify Web privacy
There have been other attempts to standardise privacy on the Web. Most notably, the Platform for Privacy Preferences sought to enable "...Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily" by browsers (Cranor et al., 2006).
The Platform for Privacy Preferences has led to on-going research projects to automate privacy preferences, such as the idea of the Policy Aware Web and specific efforts such as the Transparent Accountable Datamining Initiative. The Policy Aware Web is being pursued in Australia by Renato Iannella.
With respect to simplifying the expression of privacy information, the closest recent research related to this project is the work on creating 'nutrition labels' for privacy. This work has done a lot to understand how to simplify the whole gamut of privacy policies. (Kelley et al., 2010)
Review of global privacy requirements and report on privacy requirements, focusing on common elements across jurisdictions.
Most countries in the world have implemented legal frameworks for privacy. We should be mindful of the range of legal frameworks that have been implemented.
In the first instance, this project should aim to implement this system for the Australian jurisdiction. It can then be ported to other jurisdictions by experts in those domains.
Outline of a simplified framework for privacy.
From a review of past research and of existing legal frameworks, we should aim to find the common and essential elements in these various legislative frameworks.
It is important that we isolate the smallest possible number of elements that represent the essential requirements of privacy. Every additional element will introduce a level of complexity that will make the system less workable. As a benchmark, Creative Commons has four essential elements.
Develop the three core elements of our framework: legal code; 'plain-language' statements and simplified icons.
Each element should be developed by the core team and then reviewed by key stakeholders.
As part of a program to refine our ideas, we should publish papers and present at conferences and workshops, describing the key elements of the framework. These papers and presentations should aim to expose flaws in the system as well as establish the beginnings of a ground-swell of support for the idea.
Outreach and maintenance
To be useful into the future, the project would require:
- A central web site where people can learn about and choose the privacy statement appropriate to the information they are collecting.
- Outreach to a community of users, including legal experts who are willing to port the agreements into their own jurisdictions.
- An organisation that is willing to actively promote and defend the integrity of the licenses, including pursuing court cases to establish precedents.
The Creative Commons organisation has experience in all of these activities. They would seem to be a natural partner for this activity.
References
- danah boyd and Eszter Hargittai, 2010, Facebook privacy settings: Who cares? First Monday, Volume 15, Number 8, 2 August 2010.
- Lorrie Cranor et al., 2006, The Platform for Privacy Preferences 1.1 (P3P1.1) Specification, W3C Working Group Note (World Wide Web Consortium (W3C), November 13, 2006).
- Bernhard Debatin et al., Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences, Journal of Computer-Mediated Communication 15, no. 1 (10, 2009): 83-108.
- Niva Elkin-Koren, “What Contracts Cannot Do: The Limits of Private Ordering in Facilitating a Creative Commons,” Fordham Law Review 74 (2005): 375.
- L. M Forsythe and D. J Kemp, “Creative Commons: For the Common Good,” U. La Verne L. Rev. 30 (2008): 346.
- Susannah Fox, Trust and Privacy Online, Internet & American Life (Pew Research Center, August 20, 2000).
- Hietanen Herkko, “The Pursuit of Efficient Copyright Licensing-How Some Rights Reserved Attempts to Solve the Problems of All Rights Reserved” (Lappeenranta University of Technology, 2008).
- P. G Kelley et al., “Standardizing privacy notices: An online study of the nutrition label approach,” in Proceedings of the 28th international conference on Human factors in computing systems, 2010, 1573-1582.
- Amanda Lenhart and Mary Madden, Teens, Privacy and Online Social Networks, Internet & American Life (Pew Research Center, April 18, 2007).
- Lawrence Lessig, “The Creative Commons,” Florida Law Review 55 (2003): 763.
- Julian Ligertwood and Margaret Jackson, “Transborder Data Protection and the Effects on Business and Government,” in Usability and Internationalization. Global and Local User Interfaces, ed. Nuray Aykin, vol. 4560, Lecture Notes in Computer Science (Berlin, Heidelberg: Springer Berlin Heidelberg, 2007), 140-149.
- Mary Madden and Aaron Smith, 2010. “Reputation management and social media,” Pew Internet & American Life Project, 26 May 2010.
- Charles Raab and Bert-Jaap Koops, “Privacy Actors, Performances and the Future of Privacy Protection,” in Reinventing Data Protection?, ed. Serge Gutwirth et al., vol. 3 (Springer Netherlands, 2009), 207-221.
- Kate Raynes-Goldie, 2010. Aliases, creeping, and wall cleaning: Understanding privacy in the age of Facebook, First Monday, volume 15, number 1, 4 January 2010.
- Marita Shelly and Margaret Jackson, “Doing Business with Consumers Online: Privacy, Security and the Law,” International Journal of Law and Information Technology 17, no. 2 (2009): 180-205, ean003.