Deficiencies in online privacy policies : factors and policy recommendations
Author(s)
Sowell, Jesse H., II (Jesse Horton)
DownloadFull printable version (9.905Mb)
Other Contributors
Massachusetts Institute of Technology. Technology and Policy Program.
Advisor
David D. Clark.
Terms of use
Metadata
Show full item recordAbstract
Online service providers (OSPs) such as Google, Yahoo!, and Amazon provide customized features that do not behave as conventional experience goods. Absent familiar metaphors, unraveling the full. scope and implications of attendant privacy hazards requires technical knowledge, creating information asymmetries for casual users. While a number of information asymmetries are proximately rooted in the substantive content of OSP privacy policies, the lack of countervailing standards guidelines can be traced to systemic failures on the part of privacy regulating institutions. In particular, the EU Data Protection Directive (EU-DPD) and the US Safe Harbor Agreement (US-SHA) are based on comprehensive norms, but do not provide pragmatic guidelines for addressing emerging privacy hazards in a timely manner. The dearth of substantive privacy standards for behavioral advertising and emerging location-based services highlight these gaps. To explore this problem, the privacy policies of ten large OSPs were evaluated in terms of strategies for complying with the EU-DPD and US-SHA and in terms of their role as tools for enabling informed decision-making. Analysis of these policies shows that OSPs do little more than comply with the black letter of the EU-DPD and USSHA. Tacit data collection is an illustrative instance. OSP privacy policies satisfice by acknowledging the nominal mechanisms behind tacit data collection supporting services that "enhance and customize the user experience," but these metaphors do not sufficiently elaborate the privacy implications necessary for the user to make informed choices. In contrast, privacy advocates prefer "privacy and surveillance" metaphors that draw users attention away from the immediate gratification of customized services. Although OSPs do bear some responsibility, neither the EU-DPD nor the US-SHA provide the guidance or incentives necessary to develop more substantive privacy standards. In light of these deficiencies, this work identifies an alternative, collaborative approach to the design of privacy standards. OSPs often obscure emerging privacy hazards in favor of promoting innovative services. Privacy advocates err on the other side, giving primacy to "surveillance" metaphors and obscuring the utility of information based services. Rather than forcing users to unravel the conflicting metaphors, collaborative approaches focus on surfacing shared concerns. The collaborative approach presented here attempts to create a forum in which OSPs, advertisers, regulators, and civil society organizations contribute to a strategic menu of technical and policy options that highlight mutually beneficial paths to second best solutions. Particular solutions are developed through a process of issue (re)framing focused on identifying common metaphors that highlight shared concerns, reduce overall information asymmetries, and surface the requirements for governance and privacy tools that address emerging risks. To illustrate this reframing process, common deficiencies identified in the set of privacy policies are presented along with strategic options and examples of potential reframings.
Description
Thesis (S.M. in Technology and Policy)--Massachusetts Institute of Technology, Engineering Systems Division, Technology and Policy Program, 2010. Cataloged from PDF version of thesis. Includes bibliographical references (p. 111-121).
Date issued
2010Department
Massachusetts Institute of Technology. Engineering Systems Division; Technology and Policy ProgramPublisher
Massachusetts Institute of Technology
Keywords
Engineering Systems Division., Technology and Policy Program.