Deficiencies in online privacy policies : factors and policy recommendations
Author(s)Sowell, Jesse H., II (Jesse Horton)
Massachusetts Institute of Technology. Technology and Policy Program.
David D. Clark.
MetadataShow full item record
Online service providers (OSPs) such as Google, Yahoo!, and Amazon provide customized features that do not behave as conventional experience goods. Absent familiar metaphors, unraveling the full. scope and implications of attendant privacy hazards requires technical knowledge, creating information asymmetries for casual users. While a number of information asymmetries are proximately rooted in the substantive content of OSP privacy policies, the lack of countervailing standards guidelines can be traced to systemic failures on the part of privacy regulating institutions. In particular, the EU Data Protection Directive (EU-DPD) and the US Safe Harbor Agreement (US-SHA) are based on comprehensive norms, but do not provide pragmatic guidelines for addressing emerging privacy hazards in a timely manner. The dearth of substantive privacy standards for behavioral advertising and emerging location-based services highlight these gaps. To explore this problem, the privacy policies of ten large OSPs were evaluated in terms of strategies for complying with the EU-DPD and US-SHA and in terms of their role as tools for enabling informed decision-making. Analysis of these policies shows that OSPs do little more than comply with the black letter of the EU-DPD and USSHA. Tacit data collection is an illustrative instance. OSP privacy policies satisfice by acknowledging the nominal mechanisms behind tacit data collection supporting services that "enhance and customize the user experience," but these metaphors do not sufficiently elaborate the privacy implications necessary for the user to make informed choices. In contrast, privacy advocates prefer "privacy and surveillance" metaphors that draw users attention away from the immediate gratification of customized services. Although OSPs do bear some responsibility, neither the EU-DPD nor the US-SHA provide the guidance or incentives necessary to develop more substantive privacy standards. In light of these deficiencies, this work identifies an alternative, collaborative approach to the design of privacy standards. OSPs often obscure emerging privacy hazards in favor of promoting innovative services. Privacy advocates err on the other side, giving primacy to "surveillance" metaphors and obscuring the utility of information based services. Rather than forcing users to unravel the conflicting metaphors, collaborative approaches focus on surfacing shared concerns. The collaborative approach presented here attempts to create a forum in which OSPs, advertisers, regulators, and civil society organizations contribute to a strategic menu of technical and policy options that highlight mutually beneficial paths to second best solutions. Particular solutions are developed through a process of issue (re)framing focused on identifying common metaphors that highlight shared concerns, reduce overall information asymmetries, and surface the requirements for governance and privacy tools that address emerging risks. To illustrate this reframing process, common deficiencies identified in the set of privacy policies are presented along with strategic options and examples of potential reframings.
Thesis (S.M. in Technology and Policy)--Massachusetts Institute of Technology, Engineering Systems Division, Technology and Policy Program, 2010.Cataloged from PDF version of thesis.Includes bibliographical references (p. 111-121).
DepartmentMassachusetts Institute of Technology. Engineering Systems Division.; Massachusetts Institute of Technology. Technology and Policy Program.
Massachusetts Institute of Technology
Engineering Systems Division., Technology and Policy Program.