We need standard disclosure for online privacy. Here's how

Summary: Instagram. Facebook. Google. Apple. Microsoft. How can we debate over an acceptable standard of privacy online if there's little transparency at every turn? I propose a new approach.

TOPICS: Privacy, Legal, Security

I've been thinking about privacy quite a bit this week, thanks to the sudden flare-up over Instagram's new terms of service. I'm sure you have, too, even if you don't use the free mobile photo sharing service.

And why wouldn't you? Our personal privacy has been a concern since we first came online, all those years ago. (Really, it has been a concern long before we invented electricity.) Yet for some reason, with all of the sophisticated technology at our disposal to capture certain data and avoid others, we are more defensive than ever. As we should be.

Many companies that collect our personal data have not been forthright about how it will be used. Shockingly, some of them do it even as they base their entire business model on it. This includes Instagram and parent company Facebook, along with every online service you've ever signed up for, from Ask.com to -- well, ZDNet.com.

Yes, it's true. Publishers fall into this group, too.

To be clear, the use of your data is always disclosed by these companies -- that's a legal requirement met by a thorough terms of service agreement. But it's not enough in practice. We "users" are still on edge about the use of our personal data because we are not legal experts. There remains frustratingly little clarity as to how our private data is used -- never mind whether we support that use or not.

For example, I'm not much of a privacy hawk, and I have no problem exchanging information about my age, location, education or employment in exchange for the free use of a service. Could I tell you off the top of my head how LinkedIn uses my data, though? Not a chance.

Some progress has been made. Facebook has created a standard warning for apps that run within its network (if you're interested, here's an excellent feature story by the Wall Street Journal about this practice, even as the Journal itself engages in it), and Google Android users have long enjoyed easy-to-understand warnings about how downloaded apps use their data and hardware.

But we still know little about how Facebook or Google or the Journal themselves use our personal data, never mind which data they collect in the first place. That information is usually difficult to reference once we've already signed up for the service, and notifications about changes usually mention new policy without contrasting it with the old. The entire situation is frustratingly opaque, even as data effectively becomes currency in a new, massive digital economy.

I propose a new standard. Much as the U.S. Credit Card Act of 2009 helped force issuers to explain the terms of their agreements with customers more clearly -- thanks to increased use of plain language and a new, rubric-style format -- Internet-connected services need a standard disclosure form that makes it exceedingly clear how personal data is used.

Simply, we users need to be protected from ourselves. There is little supporting evidence that a standard terms-of-service agreement is sufficient for this.

What if an easy-to-understand, always-accessible permissions resource were available for every online service that required an account?

Something like this:


Would it then be easier to understand how services use our personal data? Absolutely.

Would it help us, as customers, compare services? I think so.

Would it help the average person understand how a free service can remain free? Just maybe.

I don't have all the answers, and the above mockup doesn't include every nuance that's worth discussing, such as who owns users' data and if it can be sold or used in advertisements for the company in question -- some of the key concerns of the Instagram story. But I do know that having a page like the above for every online service for which I hold an account would make it easier for me to understand the transaction I'm really making. Which is the point, isn't it?

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

  • This is a good start, Andrew, however there is always one last issue...

    ..how can adopting this standard benefit the companies whose online services are affected? Will adopting this standard increase profits for Google, Facebook, Microsoft, Apple, Instagram, etc, or will it just create more work and expense for them to manage?

    Without a good answer to the "how does it benefit the service provider?" question, any kind of standard such as this is dead in the water. The only alternative is to convince the governments of the world to agree to regulate the internet and create it as a legal requirement. For many people, this type of government intervention is a bigger problem in itself, than the problem it is attempting to solve.

    One thing that may be helpful, though, is if that type of "simplified" privacy ratings system becomes used on an independent website that rates the privacy terms and data usage of services like Facebook. Any time a change to TOS is made, or information comes to light about the use or mis-use of private information, ratings are updated. In this way, people who really care can at least be made aware much more readily, by referencing such a site, while those who don't.. well.. don't have to be bothered.

    There would be the issue that the information may not be as accurate as possible, given that it is maintained by unrelated third parties; but then again, this can also help filter out some of the privacy "spin" that the service providers would no doubt add to the mix.
    • I don't want this to spin into a regulation vs. privatization thing, but

      I do think that companies providing online services, left to their own devices, haven't done a very good job explaining this transaction beyond the ToS. In some cases, they actively avoid it, because they're pushing for on-boarding customers as quickly and easily as possible. They don't want to erect barriers.

      So I do think there needs to be some sort of top-down force on this; you're right, it won't happen on its own. Obviously globalization is an issue with that, but we're already implementing terms of service; why not elevate that burden slightly to format and translate it for the average person?
      • Good idea; "regulations" are supposed to be a Democratic party thing, so is..

        ... there a chance that such measures will be enforced in any near future?
        • not with a Republican Congress there isn't

          Just say "No" to legislation
    • a BBB of privacy practices... the PPP

      Privacy Practices Posted or something like that... make up your own PPP acronym.
      Users can post grievances that both help to inform other users and alert the companies in question of their users' concerns. With enough support, a company's success will require a PPP A+ rating just like BBB's rating system. Of course, regulation and protection for minors should still fall under the law, but for everyone else, this seems like the way to go.
      • Maybe the BBB should do this...

        ..they have the history and expertise, and people can relate with a BBB rating. I would be curious whether they could be convinced to branch out into this realm.
    • Less lawyers

      It would actually cost LESS, since they could fire all the lawyers who write those TOUs.
  • Those look like Android permissions

    I see stuff like that every once in a while when I update apps on my devices. I think it works!
    John L. Ries
    • Yeah, that's the idea.

      I think that implementation is pretty solid. No need to reinvent the wheel here.
  • it's all about the users

    We get free services in exchange for the use of our details; nobody can ever change that. There is only 1 solution:
    If you worry so much about privacy issues, just don't use the service, simple as that. I don't wanna defend these companies but everybody has the choice.
    Alternatively, build your own website (social network or your own email client) and ask your friends to use it instead of Google and Facebook.
    • That was ...

      Dumb on so many levels. Really? Just go build my own facebook huh? Good Idea. I'm sure no one else has attempted that and failed in the past.
  • Copyright and subject privacy are the issues

    It took many years of effort for photographers to obtain absolute rights to their images. Photographers may use photographs as they wish for their personal use.

    Photographers can even sell or give some usage away. The images belong to the photographers.

    However, usage of images is qualified by public or private usage and where photographs are captured. For example, a photographer can photograph a friend wearing a Calvin Klein blouse in front of a Bloomingdales store for a personal album, but never for advertising (commerce and trade) purposes without explicit consent of both the person and Bloomingdales and of course the creator of the image, the photographer.

    This Facebook grab to obtain all rights to usage is copyright and privacy infringement and is a serious matter. A minor can not give away rights. Nor can someone give away future rights something does not exist.
    • Indeed, you're supporting my point

      Part of the issue with your example is that it's unclear who owns which rights. There's got to be a better way to manage this in the information age.
    • Not that I'm a lawyer...

      ..however what little I do know (and was obtained in a law school setting, not just Googling stuff on the interwebs), these two statements aren't accurate, or at least, aren't as simple as you state them to be:

      1) "A minor can not give away rights." - This is true to the point that *nobody* can "give away" their rights - constitutional rights always override laws, and laws always override contracts. Where this statement isn't completely true is the idea that you are giving away your rights in the first place. You are signing a contract, and as part of a contract you can legally reassign copyright to another person or entity. You aren't giving up a right, per se, but you are giving up ownership of a piece of property.

      The ability for a minor to do this differs from jurisdiction to jurisdiction, however in most jurisdictions, minors can enter into contracts, but those contracts are considered "voidable". This is common-sense, since a minor can walk into a corner store and buy bubble gum. A parent or guardian can enter into a contract on behalf of a minor, in which case such a contract is not necessarily voidable (such as a family cellphone plan).
      Nor can someone give away future rights something does not exist.

      Now finally, it is usually an accepted practise that contracts can be written with provisions that may conflict with laws in certain jurisdictions. That doesn't make the whole contract void, but it does make that provision unenforceable. You see this in employment contracts all the time (non-compete clauses, the vast majority of which are unenforceable, are common practise in employment contracts). It may very well be that the copyright licensing part of some TOS contravene your legal rights, in which case they aren't enforceable. Unfortunately, the only way you can know for sure is to contact a lawyer, and possibly take the company to court for copyright violation. It's up to you whether this is a good use of your money or not.

      2) "Nor can someone give away future rights something does not exist." - Again, very true, but only for the reason I'd explained above. You can sign a contract that grants ownership of future IP that you develop to another person or corporation. This type of contract is signed by engineers, architects, musicians, graphic artists, researchers, and a whole host of people every day.

      A person employed as an engineer by Apple, for example, doesn't keep ownership of their patentable work. Apple owns the patent of anything that engineer invents at work, and in many cases, could own the IP of anything that engineer invents outside of work. The same contract exists between musicians and record companies (there are exceptions, based on the contract signed). A photographer's assistant generally gives up ownership of their copyrights to any photos they take during a shoot.
  • In addition to disclosure

    In addition to disclosure, I feel we need to put some teeth into these TOS agreements. In several cases, companies have been shown, in court, to violate these agreements. Unfortunately, the penalty is based on a perceived financial harm to the user, and usually amounts to chump change.
    It ought to be a significant penalty.
    Also, since corporations started buying each other, the "and its member companies/partners" portion is often distressingly unclear and problematic.
  • No Matter the Terms, It's Still Not Legal...

    The Music / Film biz has been telling / persecuting people for a decade over copyright infringement for downloads, telling us all how illegal it is and how the artist is being stolen from.

    Now some website gives me a no-option / negative option sign-in wherein I have to agree to forsake all my rights to any intellectual property I create / upload via their site / app, and that all said property - past and future - belongs to them, in perpetuity with which they can do whatever they choose.

    Let's try using that argument against the Music /Film biz: If you want me to buy your album / film, you forsake all expectations of ownership to said intellectual property, in perpetuity, with no say as to how I use said property. It wouldn't get you very far.

    No matter what the Terms of Service state, if it's illegal, or contravenes existing copyright law - meant to protect us all, not just big biz - then the Terms of Service are null and void. Facebook / Instagram, et al take advantage of the fact that, as 'users', we are all just individuals who will likely never coalesce into an organised group to claim a class action suit for copyright infringement. They use their Terms of Service to intimidate and claim that they can't make any $$ if they don't operate this way. If your business plan depends on navigating the spurious and grey areas of the law, then your business plan is flawed.
    • Are you willing to bet your retirement on this?

      "The Music / Film biz has been telling / persecuting people for a decade over copyright infringement for downloads, telling us all how illegal it is and how the artist is being stolen from."

      And some of those cases have been brought to trial, and the courts have sided with the Music/Film biz. So it appears they have a case and they aren't lying to us that it is, in fact, illegal. You can wave your arms around and yell "this isn't fair" and "this isn't illegal" all you want, but that doesn't necessarily make it true.

      "Let's try using that argument against the Music /Film biz: If you want me to buy your album / film, you forsake all expectations of ownership to said intellectual property, in perpetuity, with no say as to how I use said property. It wouldn't get you very far."

      I'm pretty sure that would get you a quick "well then, don't buy my album". I don't think the Music/Film biz cares enough about your $20 to give up their copyrights. On the other hand, it's possible that you or I or most other people don't care too much about the copyright on a photo of themselves carving the Christmas turkey while wearing felt antlers. Somehow I think the copyright to your photograph just isn't worth nearly as much as the copyright to the latest Justin Bieber single.

      "No matter what the Terms of Service state, if it's illegal, or contravenes existing copyright law - meant to protect us all, not just big biz - then the Terms of Service are null and void."

      Not true in any sense at all. If a section of the TOS is illegal, then that section is unenforceable, but it isn't void (there is a very big difference), and it generally has no bearing on the legality of any other portion of the TOS.

      Of course, you don't have to take my word for it - as I said before, I'm not a lawyer - but the cost of really finding out for sure would probably be more than your intellectual property is worth.
  • Great concept, but I think I would organize it differently....

    Love the idea and I think something like this will become de rigueur.

    I think it would be clearer to show the "buckets" or "universes" where data can be shared. In your example, these would be "Stored", "Within Company" and "With Partners". Or "Saved (but not shared)", "Internally shared" and "Externally shared".

    Then for each bucket list the items. And what would REALLY make this idea work perfectly is a toggle box by each item. Then it is super easy to see the externally shared items and toggle off the ones you (as a user) don't want to have shared externally.

    To answer another comment, the benefit to companies is that users will be comfortable installing and using their apps if they understand and can control their data. And I think we will see an increasing groundswell of users demanding just that.
    • Bingo!

      "To answer another comment, the benefit to companies is that users will be comfortable installing and using their apps if they understand and can control their data. And I think we will see an increasing groundswell of users demanding just that."

      So the next question is - how will that groundswell of users demanding better privacy transparency come about, and will there be enough users who care enough about privacy to make it happen?

      In the end, it's going to have to come down to education and making people aware of the implications of using these services. I don't know about you, but my efforts in educating friends and family members on this issue have been met with groans and eyerolls.

      The biggest challenge is still in trying to make people care. That's going to be an uphill battle for a while.
  • Simplest of all

    1. You are not allowed to share any of my data.
    2. If you do, the Law fines your company an amount that HURTS.