We need standard disclosure for online privacy. Here's how

Instagram. Facebook. Google. Apple. Microsoft. How can we debate over an acceptable standard of privacy online if there's little transparency at every turn? I propose a new approach.
Written by Andrew Nusca, Contributor

I've been thinking about privacy quite a bit this week, thanks to the sudden flareup over Instagram's new terms of service. I'm sure you have, too, even if you don't use the free mobile photo sharing service.

And why wouldn't you? Our personal privacy has been a concern since we first came online, all those years ago. (Really, it has been a concern long before we invented electricity.) Yet for some reason, with all of the sophisticated technology at our disposal to capture certain data and avoid others, we are more defensive than ever. As we should be.

Many companies who collect our personal data have not been forthright about how it will be used. Shockingly, some of them do it even as they base their entire business model on it. This includes Instagram and parent company Facebook, along with every online service you've ever signed up for, from Ask.com to -- well, ZDNet.com.

Yes, it's true. Publishers fall into this group, too.

To be clear, the use of your data is always disclosed by these companies -- that's a legal requirement met by a thorough terms of service agreement. But it's not enough in practice. We "users" are still on edge about the use of our personal data because we are not legal experts. There remains frustratingly little clarity as to how our private data is used -- nevermind whether we support that use or not.

For example, I'm not much of a privacy hawk, and I have no problem exchanging information about my age, location, education or employment in exchange for the free use of a service. Could I tell you off the top of my head how LinkedIn uses my data, though? Not a chance.

Some progress has been made. Facebook has created a standard warning for apps that run within its network (if you're interested, here's an excellent feature story by the Wall Street Journal about this practice, even as the Journal itself engages in it), and Google Android users have long enjoyed easy-to-understand warnings about how downloaded apps use their data and hardware.

But we still know little about how Facebook or Google or the Journal themselves use our personal data, nevermind which data they collect in the first place. That information is usually difficult to reference once we've already signed up for the service, and notifications about changes usually mention new policy without contrasting it with the old. The entire situation is frustratingly opaque, even as data effectively becomes currency in a new, massive digital economy.

I propose a new standard. Much like the U.S. Credit Card Act of 2009 helped force issuers to explain terms of their agreement with customers with more clarity -- thanks to increased use of plain language and a new, rubric-style format -- Internet-connected services need a standard disclosure form that makes it exceedingly clear how personal data is used.

Simply, we users need to be protected from ourselves. There is little supporting evidence that a standard terms-of-service agreement is sufficient for this.

What if an easy-to-understand, always-accessible permissions resource were available for every online service that required an account?

Something like this:


Would it then be easier to understand how services use our personal data? Absolutely.

Would it help us, as customers, compare services? I think so.

Would it help the average person understand how a free service can remain free? Just maybe.

I don't have all the answers, and the above mockup doesn't include every nuance that's worth discussing, such as who owns users' data and if it can be sold or used in advertisements for the company in question -- some of the key concerns of the Instagram story. But I do know that having a page like the above for every online service for which I hold an account would make it easier for me to understand the transaction I'm really making. Which is the point, isn't it?

Editorial standards