Slashdot Mirror


U.S. vs. Europe on Online Privacy

A group called Consumers International has released a report about online privacy in the U.S. and Europe. The report's sound-bite conclusions - "U.S. beats Europe in online privacy protection" - have been widely reported in tech media, but I'd like to take issue with the report in a brief analysis below.

A lot of the blame for the misreporting falls on the authors of the study. They described their study as "An international comparative study of consumer privacy on the internet", when in fact it was nothing of the kind.

One of the major problems facing pro-privacy activists today is a certain type of corporate spin. Major advertisers in the U.S. have created a PR campaign whose goal is convincing people that notice about how your privacy is being violated (typically buried in a dozen pages of fine legal print) is more important than actually having privacy. The PR campaign is designed to push the idea that a privacy policy is what is really needed, not actual privacy. Of course, the privacy policy can say anything: "You have no privacy when dealing with this website" is a perfectly valid privacy policy. A privacy policy which says, "We keep all your information private", when in fact the company sells everything it knows about you to the highest bidder, is also a perfectly valid (though untruthful) privacy policy. So the existence of a privacy policy says absolutely nothing about the actual privacy afforded. Indeed, since privacy policies are written to protect the company, not you, the existence of a privacy policy is a good clue that this is a company which intends to violate your privacy. If you don't collect information from visitors to your site, you have no need for a privacy policy.

So it's embarrassing to see "consumer" organizations take a study of privacy policies and call it a study of privacy. It says to me that either they're strapped for resources (studying privacy is much harder than studying privacy policies) or that they're being dishonest. Occam's Razor suggests the first. But the results are harmful to their cause, I think - they end up promoting the idea that privacy policies = privacy. This is roughly similar to the idea that good brochures equal good vacation spots, or that good signage on the outside of a hospital equals good medical care inside.

Honestly: if someone did a study of hospitals by walking around them and examining the posted signs, and called it "An international comparative study of medical care", it would immediately be seen for a fraud.

Methodology is important. No study is useful without the proper methodology to support its conclusions, and in this case few methods to study privacy were actually employed. The researchers didn't, for example, actually audit any companies, actually going on-site and interviewing people to see what was actually done to data that was collected. The only useful conclusion drawn out of the study is that the large popular European sites were less likely than large popular U.S. sites to have posted privacy policies - quite possibly because, due to the fairly strict European rules covering the use of personal data, those European sites do much less privacy-violating than U.S. sites and therefore have much less need to post privacy policies. (And the European sites aren't involved in the U.S. PR campaign run by U.S. advertisers, either.)

The study is not awful. The researchers actually did some minimal verification - checking to see whether "do not mail" actually results in not getting spam mail from a company, for instance. (They encountered several cases where they received advertisements even though they had indicated they didn't want any - Ebay users will be familiar with this practice.) But most of the study was based on examining privacy policies.

Possibly the best way I can describe the study is this way: If a company did not collect any information from visitors, did not sell it to marketers, and in general respected its visitors' privacy - but didn't have a privacy policy spelling that out, in great detail - it would receive a poor grade from this study. This is fundamentally wrong - the organizations intending to protect privacy have forgotten the forest for the trees.

5 of 118 comments

  1. The Difference: The EU Can Do Something by laetus · · Score: 4

    Sure, maybe their "survey" found some of the best policies on US sites, but that's totally voluntary.

    At least the EU has regulations, so if a site is not abiding by privacy regulations, there is some legal recourse.

    Here in the U.S., no such legal recourse exists.

    It's time for the U.S. Congress to debate the privacy issue and make some real reforms.
    ----------------------------------

    --

    "We're sorry, but the website you're trying to reach has been disconnected."
  2. And they're off.. by pallex · · Score: 4

    ...The yanks get an early start with the Indecent communications legislation...oh, they've stumbled, the civil rights groups put a stop to that... And here's Echelon..what can stop this Brave New World order...

    Here come the plucky Brits with their RIP act..things are looking bad for the yanks (and the British subjects, but screw them!)...

    The French now, calling the stewards' attention to Echelon...they're not happy, not happy at all...

    But what's this? Carnivore? DMCA? The yanks are back in front!! Is there no stopping them? Have they no shame?!

  3. Unscrupulous Collectors and Privacy by pivot_enabled · · Score: 4
    I sent this in for Slashdot to post as an article. They chose not to (understandably). But I do think it is very relevant to the privacy issue. Read it through to see why.



    A couple of years ago I received a letter from a collection agency. Gee Mr. Anderson you owe us $1000 on this account. I didn't recognize the claimed creditor or account, so, being an innocent 'babe of the woods' type I thought "I'll just call them and point out that it's not my account" - All done! Right? Wrong! I call and am told that while the balance is $1000 they would graciously offer to settle this for me for a mere $300. What a deal! After I pointed out that this was not my account and therefore this was, in fact, a very bad deal, I was once again told this was a bargain and I should accept it regardless.

    Needless to say I rejected their very gracious blackmail offer and instead opted to write them and the three major credit bureaus to inform them that this was not my debt. The credit bureaus proceeded to investigate and 2 out of three deleted the entry in 30 days as required by the FCRA (Fair Credit Reporting Act) when in fact they can not verify the debt. The last bureau deleted the entry in 45 days after a gentle reminder from me.

    This was nearly two years ago and logic would dictate that there's nothing more to be said about it. Unfortunately the FCRA doesn't require logic and the FTC apparently does not enforce it.

    Two days ago I received a new request from a new debt collection agency requesting that I pay $1500 on this same account! No doubt they would settle for $50 and a kiss but this is a major issue of principle. Where does it stop?

    I am therefore trying a new tack and one which SlashDot readers will likely appreciate and also find very disconcerting. I have created a special website for this particular agency at http://pinnacle.avarix.com . After spending a few dollars I gathered all the information I could about the agency and its principals. At the site are the agency's real address as opposed to the PO box they provide. The CEO's real address(s) and date of birth and the last four digits of his SSN. I bought that for around $40 or so. Shocked? You should be and I hope that laws will be passed to stop my, and their, misuse of personal information, but until then, turnabout is fair play!

    Maybe by getting the wolves to join we can encourage European style privacy protection (you own your personal information). If everyone has a vested interest in protecting their personal data we have a chance of changing the law. I think that if everyone took this approach we could shift the sentiment at the political level. I am sure that SlashDot readers will have some very interesting insights.

  4. Food for thought. by Jhon · · Score: 4

    This is a prime example of how ALL 'studies' need to be scrutinized.

    How often in the popular press do we read or hear of "a new study shows" that Fruit Loops cause cancer, or you can develop venereal warts from "virtual sex" or [insert your own claim here]. There are also studies that show just how "right" or "correct" is any given side of an issue (abortion, gun control, whatever).

    How often do we take the time to look up criteria used by these studies?

    The scary part is that most people don't and they will happily believe what they see in print or watch on the nightly news -- without question.

    We don't need big-brother. We have CNN.

    -jhon

  5. Duh ! by Betcour · · Score: 5

    I live in France, I OWN my personal data (I can ask any company owning some to delete it or not resell/give it). I can sue any company not following this guideline.

    Every web site has to register with a gov. agency what data are collected and how they are used.

    Now I'm curious to know how a privacy policy on a US web site can give me more protection than that...