New Tool Suite Helps Track Privacy Policies
An anonymous reader writes "Forbes reports that The Internet Society announced this week the availability of the Identity Management Policy Audit System, a suite of tools designed to give Internet users a clearer understanding of the online usage policies of the websites they visit. Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology, the system consists of a free, open-source Firefox plug-in that checks a library of scraped terms of service and privacy policies from several popular websites. If a site changes the fine print of one of its policies, the plug-in notifies the user when they visit the website next. According to Forbes, 'that functionality would help users spot controversial switcheroos in sites' legalese, such as Facebook's change last year that suddenly gave the site the right to use your photos and other content.'"
Way to not read the summary. It states that the plugin notifies you when the PP changes. Which means you'd have to have read it in the first place anyway. Do you seriously expect someone to read the PP of every site they visit for every visit they make just to notice changes?
TOSBack does something similar for Terms of Service for various websites. The problem is information glut. The terms of service may change frequently in very small, unimportant ways (such as formatting, or even in a few cases inconsequential HTML getting inserted.) The page can be absent one moment and back the next--causing two change notifications to show up. Sometimes the pages don't get changed across all of the website's servers, causing TOSBack to go back and forth between two changes (sometimes several times over the course of a day or more.) It becomes almost as much of a burden to check TOSBack as it does to just scan the TOS every once in a while.
It should extract the plaintext and hash it. If the current TOS associated with a page matches a past hash for the site, ignore it.
This is why we have computers do these things.
Why? Reverting to older policies may be just as important to people, particularly if the older policy was more onerous or problematic for some reason. Or the page could have been erroneously edited and pushed out, and the reversion is just to get back to what the real policy actually is. The problem is that a machine can't tell if it's a reversion to an old policy or a problem with synchronization of the servers behind the load balancer. Some heuristics could probably help with that (you could detect bouncing back and forth) but you can't be sure which version is correct.
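An added example, not code from the thread, from TOSBack or from the IMPAS plug-in, of what the hash-and-ignore suggestion above and the reversion/flip-flop objection to it look like when written out. The text is extracted from the HTML and whitespace-collapsed before hashing, so the "inconsequential HTML" and formatting churn mentioned earlier produce no event; an absent page produces no state change, so it cannot cause two notifications; a hash that has been seen before is reported as a reversion rather than a fresh change, and a site that keeps alternating between two known versions is reported as flapping instead of as an endless string of changes. The site name, the three policy versions and the flap threshold of three transitions are constructed for the demo; real heuristics would need tuning.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text only; script and style contents are dropped."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def extract_text(html: str) -> str:
    """Strip markup and collapse whitespace so formatting churn does not alter the hash."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalised plaintext, the "hash it" step from the thread."""
    return hashlib.sha256(extract_text(html).encode("utf-8")).hexdigest()


class PolicyTracker:
    """Per-site history of policy fingerprints with reversion and flap detection."""

    def __init__(self, flap_threshold: int = 3):
        self.current = {}                      # site -> hash of last non-empty fetch
        self.seen = defaultdict(list)          # site -> every distinct hash ever seen
        self.transitions = defaultdict(list)   # site -> list of (old_hash, new_hash)
        self.flap_threshold = flap_threshold   # assumed value, not from the thread

    def observe(self, site: str, html: str) -> str:
        # An absent/empty page is not a policy change; keep state untouched.
        if not extract_text(html):
            return "unavailable"
        h = fingerprint(html)
        prev = self.current.get(site)
        if prev is None:
            self.current[site] = h
            self.seen[site].append(h)
            return "new"
        if h == prev:
            return "unchanged"
        self.current[site] = h
        self.transitions[site].append((prev, h))
        if h in self.seen[site]:
            # Known old version: a revert (possibly a server out of sync), not new legalese.
            return "flapping" if self._is_flapping(site) else "reverted"
        self.seen[site].append(h)
        return "changed"

    def _is_flapping(self, site: str) -> bool:
        """True when the last N transitions all bounce between the same two versions."""
        recent = self.transitions[site][-self.flap_threshold:]
        if len(recent) < self.flap_threshold:
            return False
        return len({frozenset(t) for t in recent}) == 1


# Constructed sample policies (not any real site's text).
POLICY_V1 = """<html><body><h1>Privacy Policy</h1>
<p>We collect your email address to send service notices.</p>
<p>We do not share personal data with third parties.</p></body></html>"""

# Same wording, different markup and whitespace, plus an injected script tag.
POLICY_V1_REFORMATTED = """<html><body>
<h1>Privacy   Policy</h1>
<p>We collect your email address to
send service notices.</p>
<div><p>We do not share personal data with third parties.</p></div>
<script>trackPageView();</script>
</body></html>"""

# A two-word change that flips the meaning of the contract.
POLICY_V2 = POLICY_V1.replace("do not share", "may share")


def demo():
    """Replay a sequence of fetches for one site and return the events raised."""
    tracker = PolicyTracker()
    fetches = (POLICY_V1, POLICY_V1_REFORMATTED, POLICY_V2, "",
               POLICY_V1, POLICY_V2, POLICY_V1)
    return [tracker.observe("example.test", html) for html in fetches]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Only "changed" and "reverted" are worth surfacing to a user; "flapping" should be suppressed until the site settles on one version, since, as the reply above notes, the tracker cannot know which of the two alternating copies is the real policy.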
Not just for every visit--every time they make a request!
Seriously, this sort of thing is a great idea. I wish there was a standardized protocol for displaying the policies, for notifying users of changes, and of what those changes are. I'd love to have that kind of thing in my RSS, customized for the sites I use.
Why was this tagged as EFF? There was not one link to any of EFF's websites, and as far as I know from any of the linked articles, this is not something EFF is involved with, however in line this is with their values and intentions.
Contracts should not be changed at all without the signer's approval. That's why whenever you fill out a check or sign a contract, but notice a tiny mistake, you're asked to initial/sign over the mistake; proving that you accept the indicated change to the original document. This kind of tool alerts customers/users that something has changed, however small, and lets them decide. Maybe it's something small like a grammatical correction, or maybe it's a change of 1 or 2 words which significantly change the meaning of the contract, or maybe it's a complete re-write of part or all of the contract. It's nearly impossible to make that distinction without a program being able to conceptualize human language and interpret legal documents (if we manage that, well I guess we won't need compilers anymore). The point is to let the user make that distinction, not the software.
The problem here is not with TOSBack, or any related software, but that companies are able to change contracts after acceptance simply by putting them online. This is a tool to detect when companies are trying to bait-and-switch you by updating their terms of use, and if they decide they're going to bury such changes within hundreds or thousands of meaningless updates, then there is not a lot that can be done from the programmer's suggestion. We need to prohibit these kinds of changes, or make such "contracts" unenforceable, rather than expecting users to sift through multiple changes to a contract they irrevocably "signed" each day. Things like TOSBack are just automation tools to make that absurd legal expectation a little easier, but I feel like blaming the developer or tool is not appropriate in this situation.
I agree. I should have said "The problem with this idea is information glut." The real root problem is certainly that people are making changes without notifying their customers. My point is that the band-aid to that problem is still broken.
That said, most TOS include language allowing the company to change them materially, that it's up to the user to follow those changes, and that continued use of the site constitutes acceptance of those changes. That's bad, but frankly, most people don't read the TOS anyway (which is another problem--when the TOS are too long and full of legalese, it's annoying, difficult, and unexpected for people to bother reading them.)
Why can't websites use standardized privacy policies and TOSs ? Sure they would need to make small changes specific to their business or whatever, but you could make it modular, etc. Wouldn't it be nice to see something like this:
Our Privacy Policy:
*Standard Non-Financial, Non-Sensitive Privacy Policy
*<two application-specific paragraphs that anyone can read quickly>
Software and media does something vaguely similar with licenses right? So why would this not work?
If that's the case you need some out-of-band communication. Like an email to users telling them when the policy has changed. Or a modification date in the policy to indicate when it was last officially updated. Oh look, that works with simple hashing as a change detector. Problem solved.
No they aren't.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
That came across as awfully snarky. Yes, of course those solutions work--as long as the website implements them.
That's bad, but frankly, most people don't read the TOS anyway (which is another problem--when the TOS are too long and full of legalese, it's annoying, difficult, and unexpected for people to bother reading them.)
I wish we could force lawyers to read through all the source code to an application before allowing them to use it. Change the functionality of buttons randomly (and without notice) so they have to re-read the source code to be sure it still does what they expect. That's sort of what they're expecting of us with EULAs and TOS!
I like it!
It becomes almost as much of a burden to check TOSBack as it does to just scan the TOS every once in a while.
Yes, it seems to me that we've reached a bit of an IMPAS.