Slashdot Mirror


Privacy Policies Only as Good as the People Enforcing Them

Techdirt is reporting that while we all know privacy policies may not matter much in the grand scheme of things, a recent study shows that it may be even worse than originally surmised. It seems that the real issue is with who has access to personal data and what they are able to do with it. "Of course, it's not just the people reading the policies that don't seem to understand them -- it's those in charge of living up to and enforcing the policies. A new study surveyed a bunch of executives, including both marketing execs and those in charge of enforcing the privacy policy, and quickly discovered that marketers have a very different concept of 'privacy' than privacy officers. Not surprisingly, they don't see anything wrong with sharing all sorts of data that seems to horrify privacy officers."

20 of 104 comments

  1. s/News/Not News/ by Lord+Grey · · Score: 4, Informative
    The article links to TechDirt but the actual article is at Forbes:

    What Privacy Policy?

    Survey statistics from the real article:

    More specifically, 80% of marketers said their organizations share e-mail addresses with third parties, compared with 47% of security and privacy officers. Other examples: 65% of marketers said they would distribute a customer's cellphone number, while only 47% of privacy execs said their companies allowed the data to be shared. Forty-five percent of marketers believe their companies shared credit card data, compared with 32% of privacy officers, and 29% of marketers believe their firms distribute social security numbers, compared with 7% of privacy professionals.

    Those numbers just back up what we all believed anyway, right? I mean, is this really news? Or just news with different numbers?

    --
    // Beyond Here Lie Dragons
    1. Re:s/News/Not News/ by Shadow+Wrought · · Score: 5, Funny

      You mean... marketers don't care about us? All they care about is our money? So many illusions shattered.

      --
      If brevity is the soul of wit, then how does one explain Twitter?
    2. Re:s/News/Not News/ by b4upoo · · Score: 3, Insightful

      Although I am not a privacy advocate I do advocate for truth. If companies are sharing data while deceiving customers then prison is the place for these executives.
      I am convinced that our justice system has become little more than a racial and social system that is clearly devoted to crushing the lower classes. That is why we are bombarded with white collar crime and these people rarely are punished.

    3. Re:s/News/Not News/ by Original+Replica · · Score: 3, Insightful

      You mean... marketers don't care about us? All they care about is our money?

      It's in the nature of what they do. They trade in the awareness and perceptions of other people. A marketer that wanted to preserve consumers' privacy and individual choice would be like a surgeon that was afraid of blood and was squeamish about cutting into somebody. A marketer's job is to tell you how to think, what to want, and what ideals to have. They respect you like a puppeteer respects a puppet.

      I've always found the marketer/news media duality more entertaining than the marketer/privacy policy duality. Journalists will swear that they aren't trying to influence people. They are just reporting the facts. But the ad sales departments sell commercial slots for those same programs with the pitch about how many millions of viewers can be influenced.

      --
      We are all just people.
  2. Ummm.... Duh... by guruevi · · Score: 4, Insightful

    The strength of a chain is only that of its weakest link. We recently had a proposal to implement NAC and they're constantly tightening policies. Most solutions however are easily circumvented and rendered incapacitated by only one person or device.

    As usual, the problem with computer and/or network security is not necessarily the computer (unless you're running Windows) but the people sitting in front of it.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  3. What other areas does this apply to? by RabidMoose · · Score: 5, Interesting

    I, for one, would seriously like to see a survey conducted across a wide range of job types and industries, polling employees about how competent they feel they are at their job. I get the feeling a rather large number of people are just desk-fillers, who happened to be able to get through the interview process, only to realize they have no idea what they're doing. And the same people have bosses who are just as incompetent, so everybody keeps their job.

  4. Any policy... by eepok · · Score: 3, Insightful

    Any policy is only as good as the people enforcing it.

    See: US Constitution, Antitrust Law, the Tax Code

    1. Re:Any policy... by Bearpaw · · Score: 4, Informative

      True, although it's worth noting that the enforcement of the US Constitution is ultimately the responsibility of US citizens.

  5. Most privacy policies are worthless anyway. by Ken+D · · Score: 5, Interesting

    Seriously. Google the phrase "except as allowed by law", you will find tons of privacy policies that look like this "BlahCo does not share your data except as allowed by law".

    Oh great! They won't break the law. That's comforting. Thanks for spending money telling me how you won't do anything to break the law. You'll just distribute my info to anyone to whom it is legal to do so.

    How about "BlahCo will not share your data except as REQUIRED by law." Oh no, that would stop their marketing efforts....

    1. Re:Most privacy policies are worthless anyway. by swm · · Score: 4, Interesting

      A few years ago, Congress passed a law requiring companies to disclose their privacy policies to their customers. That's when we started getting those dense little privacy notices stuffed into our credit card bills and splashed onto web signup pages.

      Someone went through and *read* one of those things (from a major brand, I forget who) and worked out the actual content of it. What it came down to was

      "If you don't check the box [on the signup page], we will do whatever we like with your personal information.

      "If you do check the box, we will do whatever we like with your personal information, but we won't break the law."

  6. Some companies, such as Deniro just plain lie. by www.sorehands.com · · Score: 4, Interesting

    There are some companies that just plain lie. In one such instance, Deniro Marketing, they were provided a unique e-mail address, and now that e-mail address is getting spam for drugs, enhancement products, stock tips, etc.

    I have had other companies (versuslaw.com) try to claim that "you must have been infected with a virus that distributed your address book." Of course, I run OS/2 and Post Road Mailer. Nobody writes viruses for OS/2 and Post Road Mailer does not run scripts or anything else. Of course, I had another company blame it on their fulfillment people.

  7. Re:In related news by sm62704 · · Score: 5, Insightful

    Shit stinks

    When my oldest daughter was born, the first time I changed her diaper I said "Wow! A miracle baby! My kid's shit don't stink!"

    Two weeks later I almost gagged changing her, I was ready to call the EPA. Later I found that no newborn's shit stinks. It only stinks after the baby has bred bacteria in its bowels.

    Shit does not, in fact, stink. Bacteria stinks. You might actually need to run a scientific experiment to determine this statement's validity.

    The article would be a lot more newsworthy if the researchers had found surprising data rather than what everyone expected.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  8. Policy != same interpretations by jellomizer · · Score: 3, Insightful

    There is a thick gray line for what falls under protecting privacy and sharing critical information.

    Giving an email address for some may not seem like critical information that will violate a person's privacy, while to others it would be like a crime against humanity and all that is decent. Or you can go more to the middle, like the information that TiVo collects, while it is not associated to any particular person however their viewing habits are monitored and tracked and used for advertisers, to put a little green thumb next to stuff you may be interested in. Or to see that you actually do watch that show that in public you vehemently deny ever seeing. Perhaps it could go one step further of using your system ID left join to user names of system IDs name and addresses.... All information falls on the sliding scale. If you are a good data miner and have the access you can figure out most anything.

    E.g. a normal Slashdot post. You have the user name. Then you can see all the posts the person posts in the past. For example you can probably search all my posts and find my Real Name and my Current address. As looking at pages I have linked to areas of interests I talked about with some authority on, or if I had a home page setup people would see my home page... Then you may cross reference my login name with other sites and see other interests I may have or it could be someone else with the same handle however it could be a clue, further on. Then finding my name and location you may find where they work and most likely their resume if they are looking for a job......
    Now I would prefer that you didn't do such as I would feel it would be a violation of my privacy. However there is a lot of information that can be gathered from a person today.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  9. I'm not surprised... by Registered+Coward+v2 · · Score: 4, Insightful

    Marketers are rewarded for increasing sales / revenue / market share and so would view anything that can do that as a good thing to do.

    Privacy officers, OTOH, are trying to protect customer data and so have a different outlook and reward structure.

    My point - this is why strategies (Financial / Customer / Process) need to be articulated at the C level and reviewed and outcomes monitored on a regular basis - so everyone is on the same page.

    What really bothered me was this:

    And in 2005, data broker Choicepoint sold more than 145,000 individuals' personal data to Nigerian scammers it believed were legitimate marketers.

    In another ongoing case, Ponemon founder Larry Ponemon says he is consulting with a major financial institution currently being investigated by several states' attorneys general in a major data breach attributed to an e-mail marketing partner. The company, Ponemon says, gave data from six million customer accounts to a marketing firm in Southeast Asia, where it was eventually posted to a Central Asian site dealing in black-market credit card numbers.

    As criminals grow in sophistication and are able to co-opt crooked government officials you'll probably see more of this - why phish when you can buy the data you need outright?

    Set up a shell company, buy the data you want and go to town (and anywhere else you want) on somebody else's dime. Of course, as corporate losses mount from such fraud the corporations will push for tighter controls simply because it starts to hit them in the wallet.

    I had someone charge airline tickets on my card - I had flight numbers, ticket numbers and names and could not get the airline to cancel the tickets; even after I told them it was fraud and the charges were disputed. Right now fraud is just a cost of doing business I guess.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  10. This pretty much says it for me: by BattyMan · · Score: 3, Interesting

    From the TechDirt discussion:

    When it comes to business "data" and citizen "data" we seem to have two standards. Businesses believe that they can expropriate private data at will. We already have had examples where the medical profession has taken samples from patients (without their permission in some cases) and developed tests, patented those tests, and made money; and given the patient zippo.

    Now if you, as a citizen, take business "data" such as a song you are deemed to be guilty of theft! Not only that, but as Mike has pointed out in other articles, the MPAA and the RIAA want to ignore due process. If they say you are guilty, you are guilty irrespective of the existence of any evidence.

    Businesses should NOT have a right to expropriate, at will, what is not theirs.

    If corporate Amerika treated my "intellectual 'property'" (i.e. my personal identity, beginning with my email address, which I'll point out that they pay me NOthing for, but rather obtain by extortion: "you must surrender an email address to register to use this website"!) as MY PRIVATE PROPERTY, maybe I would feel more inclined to treat their "intellectual 'property'" (i.e. music and movies _I_'ve paid money to them to use!) with a little bit more respect.

    As it stands now, what's good for the goose is good for the gander, and just as they see nothing wrong with sharing "my" email address with their "corporate partners and marketing associates", I find nothing wrong with sharing "their" music and movies with my family and friends.

    --
    Exceeding the recommended torque is not recommended.
  11. Re:Oh wow this isn't obvious by Jarjarthejedi · · Score: 4, Insightful

    The best systems are the ones that take advantage of people's laziness to help them. If it required filling out a form in order to give out any information on a customer I bet you'd see far less information being given out. On the other hand, if you can give out the information easily, you're more likely to give it out freely.

    The more it costs people (in time) to give out your information, the safer your information is.

    --
    There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
  12. Re:Oh wow this isn't obvious by rlwhite · · Score: 3, Funny

    I can't let you do that, Dave.

  13. Gotta Love the Double Standard . . . by The+Angry+Mick · · Score: 4, Interesting

    . . . in this little gem from the Forbes article:

    Ponemon notes that despite their differences, the two groups [marketeers and privacy officials] tend to agree about the privacy value of another kind of information: their own. Ninety-three percent of marketers and 99% of privacy officers surveyed said their own privacy was "an important personal issue."

    Translation:

    "I don't give a shit about my customer's privacy, but nobody better ever fuck with mine."

    --

    I'm not tense. I'm just terribly, terribly, alert.

  14. Ameritrade by bcrowell · · Score: 5, Interesting

    A classic example of this is Ameritrade.

    1. http://bbs.spamgourmet.com/viewtopic.php?t=81&postdays=0&postorder=asc&start=45&sid=21389b26d00d7c69bc59424a299b3f98
    2. http://groups.google.com.fj/group/news.admin.net-abuse.email/browse_thread/thread/de64222d0929c6b4/a402bc49558f7330

    I set up an account with them, using a single-purpose email address, amtdcrowell06 at lightandmatter.com. Notice the amtd on the front, which was a unique prefix I chose just for use with them. I started getting spam like crazy. Strangely enough, the spam was all about stocks -- pump-and-dump stuff. Ameritrade tried to blame it on a virus, which wasn't very plausible, since I was running FreeBSD, postfix, and mutt. They tried to blame it on a brute force or dictionary attack, which also wasn't very plausible -- the prefix doesn't really consist of dictionary words, and 13 characters, consisting of a mixture of letters and digits, gives a total of 10^20 possible addresses that would have had to be checked by brute force. I wouldn't have minded if it was a myspace account or something, but these were people who had large amounts of my money. I migrated my account to scottrade. Years later the news broke that ameritrade had leaked tons of email addresses. They blamed it on some unknown insider. Since people had been telling them about the problem for years, you'd think they'd have clued in a lot earlier. It's amazing how bad an internet-based company can be at the internet thing. If any slashdotters are using ameritrade, you might want to think about switching to some other company. (Ameritrade's web interface also had some functionality that didn't work properly in Firefox on Linux.) You can transfer your portfolio from one company to another without having to pay capital gains, and without incurring transaction costs.

    1. Re:Ameritrade by bcrowell · · Score: 3, Informative

      I am an AMTD customer. Can you please explain this transfer in a little more detail to spare me from doing the research?
      Well, let's say you're going to switch to scottrade, which is what I did. Basically all you do is call up scottrade and tell them what you want to do. They'll guide you through the process of transferring your positions from ameritrade to them -- they're motivated to help you complete the process, because they want you as a customer. It was pretty easy when I did it. The only minor hassle was that small amounts of money ($5 and $10 amounts) kept showing up in my ameritrade account for a while from dividends from the stocks I'd had in that account before, and I had to talk to ameritrade to get that money sent to me (couldn't have them write me a check by the normal mechanism, because I no longer had a functioning account). Although the experience with Ameritrade was annoying, the whole thing did kind of work out well in a way, because Ameritrade gave me a certain number of free trades when I opened my account, whereas Scottrade would have charged me $7 a trade. So I got all my positions established for free, and then transferred them to a brokerage that wasn't so incredibly clueless about security and running a w3c-standards-compliant web site.