Privacy policy updates a must as Web 2.0 evolves

Revising or simplifying online privacy policies is not always beneficial to netizens, but such efforts are necessary in increasingly connected digital world, analysts say.
Written by Jamie Yap, Contributor

Industry observers and analysts are divided over whether privacy policies do anything to protect netizens. However, the need to update or revise online policies in today's fast-paced information age is a unanimous yes.

Analyst Steve Hodgkinson told ZDNet Asia in a phone interview that it is "appropriate" for online privacy policies to be updated because the nature of Web 2.0 platforms is evolutionary.

According to the analyst, privacy issues are more about perception than reality. This is because a large group of online users are behaving in a dynamic manner, which changes on a day-to-day basis, he added. So Web companies need to be in tune with how these users perceive privacy on the "front foot", said Hodgkinson, who is research director, IT, at Ovum Asia-Pacific.

He added that companies need to be proactive, not arrogant, and to manage privacy as a formal technical issue. They should work constructively with users on this "joint problem", Hodgkinson highlighted.

Security technology writer Bruce Schneier held a different view. He told ZDNet Asia in an e-mail interview that privacy policies, in the first place, "are not meant to protect the consumer at all". He then referred to a blog post where he wrote that much of the control of personal information in the digital world is "illusory".

Instead, he felt that "privacy policies protect the company who writes them, from bad press, from lawsuits, etc".

As many revisions as needed
Nonetheless, analyst Ekta Aggarwal said that now, "more than ever", there is a need to update online privacy policies due to the growing security concerns among enterprises and consumers, and to an increase in data breaches.

The changing pattern of how Web users are able to share, access and utilize data also makes it critical that privacy policies ensure such user information is secure, said the program manager of ICT practice for South Asia and Middle East at Frost & Sullivan.

Schneier, too, felt that "privacy policies need to change because Web sites change. 'How often' is a meaningless question to ask. They should be changed as often as necessary".

That said, Bryan Tan, director of Keystone Law Corporation, believes that even though a Web site's privacy policy has to be in line with specific data protection laws of a country, the "law cannot keep up with technology" because technology moves faster than legislation.

Otherwise, the law would be dictating how technology develops, said Tan who specializes in technology cases.

While online citizens appear to have the shorter end of the stick, he stressed that if a company behaves incompliantly, it risks losing in the "court of public opinion", meaning its customers. This, Tan says, may be "a harsher penalty"--apart from other repercussions such as hefty lawsuits and sullied reputations.

One change too many
Another observer noted that the irregular pace of privacy policy updates can be unnerving for netizens, even when the changes are supposed to improve or modify terms and clauses in the policies for the better.

Rivera Milagros, an associate professor from the National University of Singapore (NUS), said it is "problematic" when companies frequently make changes to their privacy policies, particularly when those changes are "significant".

One example is Facebook, which often gets entangled in widely-publicized privacy battles. The social-networking giant has constantly received flak from various sides, including politicians, privacy advocates and its own users.

The numerous and frequent overhauls made to its privacy policies have also resulted in mounting complexity and opposition.

In addition, assoc. prof Milagros, who heads the Communications and New Media Program at the Faculty of Arts and Social Sciences, NUS, explained that Web users are often unaware of the changes made in privacy policies because they either do not read the e-mail alerting them of the changes or fail to check the updates on their own.

"The notification is just a formality. The majority of Web users are clueless of any changes or how those changes affect them," she stated.

Simplified policies make little difference
In a bid to make its privacy policies clearer and easier to understand, Google announced in September that it would be simplifying--rather than changing--its privacy policies, effective Oct. 3. A Google spokesperson said the move was intended to make the company's policies more "user-friendly" and to allow users to better understand how to control their individual privacy settings.

"We hope this update will make our policies sound like they're written less for a lawyer and more for an everyday user," she said over e-mail.

Fran Maier, president of TRUSTe which holds a privacy seal program for Web sites, said that "short notices do not replace traditional privacy policies, but offer a more user-friendly disclosure that can answer users' concerns without reading the full-length policy".

But not all industry observers are in favor of Google's privacy policy simplification, including security technology writer Schneier. He described the search giant's attempt as a "good thing" that other companies should follow, but concluded that in general, simplifying the typical legalese and jargon of privacy policies has no real, positive impact.

"People don't read privacy policies regardless of how simple they are," Schneier pointed out.

However, Deva Choesin, ASEAN IT executive at IBM, told ZDNet Asia that even with privacy policies in place, these are "not enough" on their own to address privacy challenges on an increasingly tech-savvy planet.

Thoughtfully-designed technologies, she suggested, can help the situation, such as patented password-based authentications and systems that can split a database into public data that gets encrypted and private data that is left alone.

Editorial standards