A guest post by Janelle Pierce who enjoys writing about various business issues, and spends her time answering questions like, “what is point of sale”?

Just last month California’s Assemblymember Ed Chau (D-Alhambra) introduced a bill that would require the website privacy policy of any company located in California to be no more than 100 words long, and written at the reading level of an 8th grade student.

While Chau’s practice what you preach 64-word bill has garnered a lot of negative press lately, one thing is for certain; it has gotten people talking about something most people don’t talk about, the privacy policy. For those who don’t know what a privacy policy is, it’s simply the legal document that every website must have. According to Wikipedia.org a privacy policy is:

“A statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client’s data. Personal information can be anything that can be used to identify an individual, not limited to but including; name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where you travel, and intentions to acquire goods and services.”

Whenever you register a username on a website, whether for free e-mail, picture sharing, or social networking, you must agree to the site’s established privacy policy. Generally speaking most users simply click “accept” without ever reading, much less understanding, what is written in the privacy policy. This is often because site privacy policies are long, written in confusing legalese, and often overshadowed by the false assumption that a site with a privacy policy will keep your data private. While I do agree that ultimately the responsibility for reading and understanding the privacy policy lies with the users of a site, the same can be said about those who write and present the policy.

Which brings me to the point I’d like to make, that is, I think Chau’s idea to force privacy policies to a maximum of 100 words, and require that they’re written at an eighth grade reading level, is a good one. However, I do feel it has a few drawbacks that almost invalidate its ability to be credible. First, requiring that a legal document be 100 words or less is a little short sighted. Don’t get me wrong, I think the thought behind making this otherwise lengthy, unreadable, and downright obnoxious (yet important) document accessible to everyone is a great goal, but requiring 100 words or less doesn’t offer a company the chance to disclose everything they need to disclose. I think a maximum word count should be required, but there is no reason it needs to be so low.

Second, I think requiring an 8th grade reading level is an excellent idea. Too often these policies are chalked full of legal words and phrases that even college educated users cannot make sense of. That being said, I think Chau’s attempt at “rewriting” the privacy policy is a good one, albeit a little short sighted. Like many things in life that we’ve put up with for too long the privacy policy is definitely in need of an overhaul. However, trying to shore up its lacking all at once and in such an aggressive manner may not be the right approach. There’s no doubt that something needs to be done about the state of the average privacy policy, but rushing headlong into it so aggressively tends to alienate people who would otherwise be supporters of Chau’s intention.

For help creating a privacy policy you can contact a business lawyer or simply use an online privacy policy generator.

Do you read privacy policies or simply click “accept”? Share your thoughts below.

guest blog · Privacy · privacy policy

The right to be forgotten is a topic discussed more in Europe than in the US. The core question is whether you have a right to control information about yourself that is held and published on the Internet by third parties.

This includes social media, news sites, discussion forums, search engine results, and web archives.

The information in question may be true or false, and anything from embarrassing to libelous.

Often discussions about removing old information center on calls for Google to remove information from their search results. I think they are chosen because they are the dominant search engine, and people feel that if the information is not shown in Google, then it is effectively gone. Of course, search engines are really just pointing to the actual data, while generally lives on some other website.

Being removed from Google does nothing to the existence of the information, nor would it impact indexing of that information by other search engines.

Even if you get the hosting website to remove the information, there are many organizations like archive.org who may have copied and archived the information, thus keeping it alive and available.

Here are some examples of information that you might want removed.

• Racist rantings on an old social media site to which access has been lost.
• Drunk party pictures on a friend’s social media account.
• Newspaper articles about dubious business activities.
• Court records of a conviction after the sentence has been completed.
• Negative reviews on a review website.
• Unflattering feedback on a dating website.

In many of these cases, your “right to be forgotten” runs directly into another person’s “right to free speech”.

My thinking on this is still evolving, and I would welcome your thoughts and feedback. Right now I think that the free speech right trumps the right to be forgotten except in specific situations which need to be legally carved out individually; things like limitations on how long credit information should be allowed to follow you. Of course, the problem will be that every country will draw these lines differently, making enforcement and compliance very difficult, and leading to opportunities for regulatory arbitrage.

We are already seeing this in the EU. While most of the EU is moving towards codifying a right to be forgotten, the UK is planning to opt out of that.

legislation · Privacy

Cnet reports that an internal DEA document reveals that the DEA are unable to intercept text messages sent over Apple’s iMessage protocol.

The protocol provides end to end encryption for messages between iOS and Mac OS X devices.

This is not to suggest that the encryption in iMessages is particularly good, but to contrast with standard text messages and voice calls which are completely unprotected within the phone company’s networks.

It appears that an active man in the middle attack would be able to thwart the encryption, but would be significantly more effort. The lack of any kind of out of band channel authentication suggests that such an attack should not be too difficult.

If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man in the middle attacks almost impossible.

apple · encryption · law enforcement · Privacy · surveillance

Podcast: Play in new window | Download (6.6MB)

Welcome to the February edition of The Privacy Blog Podcast. In this episode, I’ll discuss a topic that caught me by surprise in the recent weeks – the dark alleys of the Internet aren’t as scary as we once thought. According to Cisco’s Annual Security Report, the most common, trusted websites we visit everyday have the highest overall incidents of web malware encounters. For example, Cisco reports that online advertisements are 182 times more likely to infect you with malware than porn sites.

Secondly, I’ll be talking about corporate anonymity issues, where the stakes are often extremely high due to real dollar-losses corporations could face. A few examples I’ll hit on are: competitive pricing research, search engine only pages for spoofing search results, trademark infringement, and research and development activities.

Hope you enjoy the episode. Please leave feedback and questions in the comments section of this post.

anonymity · anonymizer · competitive intelligence · corporate security · online privacy · online security

Adam Rifkin on TechCrunch has an interesting article about Tumblr and how it is actually used.
The thesis of the article is that Tumblr is used more openly and for more sensitive things than Facebook because the privacy model is so much easier to understand and implement.
If you have five interests and corresponding social circles, just set up five pseudonymous Tumblrs. Each then becomes its own independent social space with minimal risk of cross contamination.
While all of those Tumblrs are public and discoverable, in practice they are not easy to find and unlikely to be stumbled upon by undesired individuals. This is classic security by obscurity.
By contrast, Facebook wants you to put everything in one place, then use various settings to try to ensure that only the desired subset of friends, friends of friends, or the general public have access to it.
This ties to the case I have been making for a while that people want to be able to separate their various personality shards among their various social circles. Even with access controls, using the same account for all of them may be too much connection and the odds of accidentally releasing information to the wrong people is too likely.
I would like to see something like Tumblr provide stronger abilities to restrict discoverability, but it represents an interesting and growing alternative model to Facebook.

Privacy · social networks · tumblr