Industry observers and analysts are divided over whether privacy policies do anything to protect netizens. However, they are unanimous that online policies need to be updated or revised in today's fast-paced information age.
Analyst Steve Hodgkinson told ZDNet Asia in a phone interview that it is "appropriate" for online privacy policies to be updated because the nature of Web 2.0 platforms is evolutionary.
According to the analyst, privacy issues are more about perception than reality. This is because a large group of online users are behaving in a dynamic manner, which changes on a day-to-day basis, he added. So Web companies need to be in tune with how these users perceive privacy on the "front foot", said Hodgkinson, who is research director, IT, at Ovum Asia-Pacific.
He added that companies need to be proactive, not arrogant, and to manage privacy as a formal technical issue. They should work constructively with users on this "joint problem", Hodgkinson highlighted.
Security technology writer Bruce Schneier held a different view. He told ZDNet Asia in an e-mail interview that privacy policies, in the first place, "are not meant to protect the consumer at all". He then referred to a blog post where he wrote that much of the control of personal information in the digital world is "illusory".
Instead, he felt that "privacy policies protect the company who writes them, from bad press, from lawsuits, etc".
As many revisions as needed
Nonetheless, analyst Ekta Aggarwal said that now, "more than ever", there is a need to update online privacy policies due to the growing security concerns among enterprises and consumers, and to an increase in data breaches.
The changing pattern of how Web users are able to share, access and utilize data also makes it critical that privacy policies ensure such user information is secure, said the program manager of ICT practice for South Asia and Middle East at Frost & Sullivan.
Schneier, too, felt that "privacy policies need to change because Web sites change. 'How often' is a meaningless question to ask. They should be changed as often as necessary".
Otherwise, the law would be dictating how technology develops, said Tan, who specializes in technology cases.
While online citizens appear to have the shorter end of the stick, he stressed that if a company behaves in a non-compliant manner, it risks losing in the "court of public opinion", meaning its customers. This, Tan said, may be "a harsher penalty"--apart from other repercussions such as hefty lawsuits and sullied reputations.
One change too many
Rivera Milagros, an associate professor from the National University of Singapore (NUS), said it is "problematic" when companies frequently make changes to their privacy policies, particularly when those changes are "significant".
One example is Facebook, which often gets entangled in widely-publicized privacy battles. The social-networking giant has constantly received flak from various sides, including politicians, privacy advocates and its own users.
In addition, Assoc. Prof. Milagros, who heads the Communications and New Media Program at the Faculty of Arts and Social Sciences, NUS, explained that Web users are often unaware of the changes made in privacy policies because they either do not read the e-mail alerting them to the changes or fail to check the updates on their own.
"The notification is just a formality. The majority of Web users are clueless of any changes or how those changes affect them," she stated.
Simplified policies make little difference
In a bid to make its privacy policies clearer and easier to understand, Google announced in September that it would be simplifying--rather than changing--its privacy policies, effective Oct. 3. A Google spokesperson said the move was intended to make the company's policies more "user-friendly" and to allow users to better understand how to control their individual privacy settings.
"We hope this update will make our policies sound like they're written less for a lawyer and more for an everyday user," she said over e-mail.
Fran Maier, president of TRUSTe, which holds a privacy seal program for Web sites, said that "short notices do not replace traditional privacy policies, but offer a more user-friendly disclosure that can answer users' concerns without reading the full-length policy".
"People don't read privacy policies regardless of how simple they are," Schneier pointed out.
However, Deva Choesin, ASEAN IT executive at IBM, told ZDNet Asia that even with privacy policies in place, these are "not enough" on their own to address privacy challenges on an increasingly tech-savvy planet.
Thoughtfully-designed technologies, she suggested, can help the situation, such as patented password-based authentications and systems that can split a database into public data that gets encrypted and private data that is left alone.