| |
| META TOPICPARENT | name="FirstPaper" |
|---|
| |
<
< | Complementing Notice with Periodical Disclosures | >
> | Complementing Notice with Periodic Disclosures | | |
Introduction | |
<
< | Privacy policies or terms of use agreements (“notices”) are too long, time consuming, and complicated for most people, and therefore do not result in truly informed consent of those that click “agree”. To make things worse, notices often require you to consent at an early stage for different collections and uses of data that would span over a long period of time, and are very hard to process in advance. This essay suggests a framework, drawn from the field of behavioral economic analysis of consumer protection, that I found helpful in thinking about these problems, and most importantly, providing ideas for a solution. It should be noted that I am familiar with class-mate’s interesting essay on notices, but I address this issue from a very different angle. | >
> | Privacy policies or terms of use agreements (“notices”) are too long, time consuming, and complicated for most people, and therefore do not result in truly informed consent of those that click “agree”. To make things worse, notices often require you to consent at an early stage for different collections and uses of data that would span over a long period of time, and are very hard to process in advance. This essay considers whether these problems could be solved through complementing the notice with on-going periodic disclosures that would provide information about the data the user gave away and, to the extent possible, the risks involved. | | | | |
>
> | At least theoretically, such an idea shows great promise. Ideally, we could imagine disclosures that provide each user with a periodic review of the data that was acquired from him specifically, and a general explanation about how has this data been used. Such personalized disclosures could demonstrate to people what have they been sacrificing, and enable a more informed reassessment of personal risks. As many users consider privacy risks as remote and highly unlikely to impact their lives, such reports, which would place an emphasis on each individual’s specific use-patterns and risks, could have a major impact which is unattainable through notices. | | | | |
>
> | Theoretically, it appears that such disclosures could become reality through one of two ways: regulatory mandated disclosures; or through third parties that would provide such periodic “disclosures” for interested users. | | | | |
<
< | The Framework | | | | |
<
< | Bar-Gill and Ferrari discuss the issue of “consumer’s mistakes,” where imperfect information and imperfect rationality lead consumers to misperception about products they use. In certain cases, this results in harm to these consumers, and the writers argue that the more harmful mistakes are those concerning the individual consumer’s product use-pattern, as opposed to mistakes about the product’s attributes or about average use-patterns (because the latter are easier to identify and correct quickly). As a solution, they suggest that when the seller has a long-term relationship and is therefore, voluntarily collecting individual use information, regulation should mandate certain disclosures by sellers of consumer’s product use-pattern. For instance, credit card consumers tend to “optimism” and often fail to take into consideration the probability that they personally will end up paying over-limit and late fees. Mandating credit card issuers to disclose individual fee-paying patterns, could be helpful in gradually amending individual consumers’ misperceptions. | >
> | Regulatory Solutions | | | | |
<
< | This framework, I argue, could be applicable to notices. In some sense, consumers’ automatic consents to notices, and continued “pay-with-data” exchanges, reflect a “consumer’s mistake”, which stems from consumers’ information asymmetries and imperfect rationality (optimism, neglect of small probabilities, and myopic behavior). To be clear, I do not argue that mistakes regarding over-paying a few dollars a month are of the same harm and magnitude as the loss of privacy; just, that from a pragmatic standpoint, such framing could be insightful and productive. Like credit card consumers, consenting visitors in different online “pay-with-data” exchanges fail to grasp the long-term consequences of their consent to the initial “contract”. Different mechanisms set to improve the effectiveness of notices could definitely raise people’s awareness, but might be inherently limited because of their timing, usually at the beginning of the relationship. At that stage, even if the notice is very apprehensible, all one can truly learn about is the “product’s attributes” – what data does a certain website collect, for what purposes, etc… Because of consumers’ imperfect information, and propensity toward optimism (“this wouldn’t happen to me”), such “general” notices fail to pass through. | >
> | The idea of forcing all websites to provide such periodic disclosures might sound tempting, but there are several serious issues that should be taken into consideration. | | | | |
>
> | First, in the age of Big Data, and given most people’s limited technical capabilities, one could worry that such disclosures would still be too complicated for users, who would find themselves clueless in deciphering masses of data thrown at them. This, I believe, could be solved through requiring websites to provide users with automated “summaries” or “highlights” of their recent privacy exposure. For example, a user might benefit from a brief periodic report explaining that the application possesses data about his whereabouts on X amount of days over the last year/month/week. An even more effective disclosure would highlight certain personal details. The “personalization” makes it more likely that the individual will pay attention, as it brings to mind more realistic scenarios. | | | | |
>
> | Second, for websites that collect and store personal data, I do not think it would be too much of a technical or financial burden to provide such summarized reports, but there are very clear limits to their ability to provide information about the full extent of the privacy exposure. For instance, in many websites we are being monitored not only by that website but also by other companies providing ad servers. The original websites might be able to report what personal information could have been collected, but would be limited in their ability to say what did the other companies collect and especially what did they do with the information. Also, when data is being collected and then sold to other “data brokers” of all sorts, the original website will not know to tell what ended up happening with the information. This puts a very clear limitation on websites’ ability to reflect the full extent of the user’s risk exposure. | | | | |
<
< | Thinking About Solutions | >
> | Third, mandatory on-going disclosures, even if designed thoughtfully by the regulator, might not be as effective as hoped. Companies are likely to make disclosures as “dry” as possible, and it would be difficult to require them to effectively highlight the individual risks. | | | | |
<
< | Bar-Gill and Ferrari argue in favor of mandating on-going individual use-pattern disclosures when the seller has a long-term relationship and is voluntarily collecting individual use information. Obviously, websites that present notice (for collection and use of data) fit this description perfectly. | >
> | Fourth, such regulation would require a very significant shift from the existing regulatory regime regarding data privacy. The FTC Act and most other US privacy laws do not provide individuals right to access the collected data, and in my research I could not identify any law requiring similar privacy-related periodic disclosures. California enacted a security breach notification law (California Civil Code §1798.82), which could be paralleled to some extent, but it deals with “breaches”, while the problems I mentioned concern consented collection and use of data, an entirely different thing. | | | | |
<
< | Alongside “improved” notices, there could also be a great benefit in an ongoing individualized use-pattern disclosure mechanism that will provide people with a chance to gradually “correct their privacy mistakes.” Ideally, a certain website’s disclosure should provide each user with a periodic review of the data that it acquired from him specifically, and a general explanation about how has this data been used. Such personalized disclosure could demonstrate to people what information have they been giving up, and enable a more informed reassessment of personal risks. | >
> | Also, looking forward, it does not appear that Congress is moving in the direction discussed here – as reflected in both recent federal privacy bills S.1995 (Personal Data Protection and Breach Accountability Act of 2014) and S.2025 (Data Broker Accountability and Transparency Act) (though I really cannot attest on their chances of moving forward, or on whether these reflect a “wider” interest in Congress). | | | | |
<
< | In the age of Big Data, and given most people’s limited technical capabilities, one could worry that such disclosures would still be too complicated for consumers, but in my opinion, this depends on design. Throwing masses of data at consumers would probably be ineffective, but an automatic “summary” or “highlights” could be very helpful. For example, a user might benefit from a brief periodical report explaining that the application possesses data about his whereabouts on X amount of days over the last year/month/week. An even more effective disclosure would highlight certain personal details that were collected about you, and provide some explanation on their use. A more personalized disclosure is more likely to get to people, demonstrating what personal information is exposed and making people think twice on whether this is worth it. | | | | |
<
< | The big question is how could such disclosures become reality? Regulatory mandated disclosures could, in my opinion, be an effective solution also regarding “use of data.” However, it is important to note that personal data privacy protection is less regulated than general consumer protection, and therefore, to apply this idea here is somewhat more “ambitious”. Also, mandatory on-going disclosures, even if designed thoughtfully by the regulator, might not be as effective as hoped. Companies are likely to make disclosures as “dry” as possible, and it would be difficult to require them to effectively highlight the individual risks. With that regard, technical solutions, putting the “disclosure” in the hands of an independent third party, more adequately incentivized, might have some advantages over regulatory mandated solutions. Perhaps like tosdr.org provides accessibility at the notice stage, others could assist on an ongoing basis, providing automatic periodical reports that identify the information you provide to a certain website, and more importantly, reflect the risks involved in a comprehensible manner. For instance, such software could provide automated simple explanations about “worst-case scenarios” it deduces: “news website Y holds a list of all articles you read this year, including this one about ‘how to hide that you cheated on your wife.’ This information has probably been sold to Z and W and could end up…”). Although there are technical measures that allow users to understand, in some circumstances, what data did they provide, in my research I did not find software that allows on-going potential-risk-oriented “disclosures” which deal exactly with the informational limitations that are so prevalent among users. | >
> | Technical Solutions | | | | |
<
< | | >
> | Alternatively, we could also think of non-regulatory, technical means to provide such “disclosure”. An independent third-party might be more adequately incentivized than the notice-providing website, and therefore could provide information in a more apprehensible format, and stress, instead of play down, the individual risks. As discussed above, such third-parties would not be able to tell you where the information goes after its initial collection, but they might at least be able to monitor what information you gave away. Perhaps, if this data-mining will be coupled with some sort of general expertise about certain websites’ operation, it would be possible for such third-parties to present an educated assessment regarding the individual’s risks. For instance: “news website Y probably holds a list of all articles you read this year, including ‘how to hide that you cheated on your wife.’ In our assessment, this information could end up…” Such assessments are surely much less effective than solid information, but could still have some, limited, impact on people’s awareness. An additional issue is that technical solutions require each individual to approach (register or download) the third party at some point and many are not likely to make the effort. | | | | |
<
< | This is responsive to one aspect of my comments last time around.
This draft presents the problem that the obscurity of the last draft
obscured. Now, given an "application" of one article, we can
perceive clearly what nonsense the whole proposition was from the
beginning. This is progress | | | | |
<
< | So—on the basis of some nonsense some people said once, which
we don't actually analyze but just sort of assume must be correct
and meaningful because they said it—we can imagine a
regulatory intervention that would require data-miners to show the
ore what was made from it. Never mind, as the draft itself notes,
that no factual similarity exists between the credit card
transaction log and the Facebook weblog. Never mind that in one
case the intervention requires the consumer to be notified about his
own spending, and in the other case the requirement would be for
disclosure and analysis of third-party activity. Never mind the
differences between the regulation of banking and the regulation of
speech. Never mind, in fact, anything that would distinguish
between the nonsense we are supposed to assume wasn't nonsense in
its original context solely—so far as the draft gives us
reason to believe it at all—because it was published once, and
its importance as an "application" in this context.
It is almost as though the goal were to avoid thinking. Two other
fellows thought about something once, and if I simply mechanically
"apply" their thinking to the current completely different situation
at least I won't have to do any thinking of my own.
Let's go from drafts that tell me some theory is in general useful,
and drafts that tell me that someone else used them once, to a
thought of your own which isn't recommended by its generation in any
particular school of dogma, or by being lifted from something that
someone else thought. State your idea simply at the beginning of
the draft. Show how that idea develops from the facts you have
learned about the world. Answer some of the obvious questions or
objections. Leave the reader with an implication she can explore on
her own given what you have thought so far for her.
| >
> | Conclusion | | | | |
>
> | The idea of complementing notices with periodic disclosures could seem promising, as, theoretically, it provides individuals with on-going information that would allow them to gradually “correct” unwise consents. However, in practice there are significant limitations that decrease both the possibility of such an idea coming to life, and its potential effectiveness. | | |
| META TOPICMOVED | by="UdiKarklinsky" date="1425659661" from="CompPrivConst.TWikiGuestFirstPaper" to="CompPrivConst.UdiKarklinskyFirstPaper" |
|---|
|
|