Better privacy policies confound web designers

In the spring of 2010, thousands of online customers clicked on the terms of service at Game-station.co.uk and unwittingly sold their souls.

As an April Fool's prank, the British gaming retailer slipped an "immortal soul clause" into its license agreement, knowing that nobody reads such agreements. A 2006 survey by the University of California, Berkeley, found that only 1.4 percent of participants read these sorts of agreements "often and thoroughly."

That puts everyone in a privacy quandary. It means consumers don't know how much personal information they're giving up and how it might be used. It calls into question the informed consent rationale for our approach to online privacy. And it undermines the argument the industry has used to wash its hands of further responsibility: Hey, we told users what we were doing.

But informing isn't informing when no one reads it -- especially if you know no one reads it.

People don't ignore these policies because they're lazy. People ignore them because they couldn't possibly read all the terms they come across. It would take the average consumer more than 300 hours to read the privacy policies at websites they visit each year, according to the high-end estimates of a 2008 study published in the technology policy journal I/S.

So where does this leave us?

If we're honest about how human beings really behave, we're left with few options. First, we can place greater restrictions on how companies collect and use data. But rules need to be carefully balanced against the risks of discouraging or hampering the creation of new technological tools -- a point easier to make in a newspaper column than to spell out in legal language.

The other option is to come up with improved ways of providing notice.

Regulators around the world have been pushing companies to create simpler, more transparent disclosures. Citing those directives, Google announced recently that it was consolidating the privacy policies of 60 products into a single, clearer document.

One certainly beats dozens, and plain English trumps legalese. But it will make little difference for the vast majority of consumers.

"They're still not going to read it," said Jules Polonetsky, director of the Future of Privacy Forum, a Washington-based think tank that promotes responsible data practices.

Posting broad privacy policies is still important, Polonetsky added, even if consumers don't read them. It forces companies to consider how they use information, provides standards regulators can hold them to and allows privacy wonks and tech writers to read and highlight the critical points.

A better model for getting the message out is one developing around behavioral advertising, based on Federal Trade Commission and industry self-regulation guidelines, Polonetsky said.

In early 2010, for instance, a coalition of industry and privacy groups introduced a privacy label that indicates the use of targeted advertising in a more obvious way than a buried policy line.

Websites can post it to signal in a consistent way that information is being collected. Users can also click on the widget to find out more information or change their privacy settings.

Ryan Calo, director for privacy at Stanford University's Center for Internet and Society, offers another model for informing consumers -- one that takes advantage of familiar technology to warn people about how technology is working. It's the tech equivalent of using rumble strips instead of a "road narrows" sign, he wrote in a recent paper for Notre Dame Law Review.

For instance, laws have been proposed that would require cell phone cameras to include a shutter-like clicking sound, so people are aware when they've been photographed. Another example would be to add the image of a face to a website that's monitoring your behavior.

The paper noted that studies have shown people are more likely to pay for coffee available on the honor system when there is a nearby picture of a set of eyes. Calo suggests the appearance of an avatar when third-party advertisers are monitoring a person's behavior online could make users similarly self-conscious.

(Contact James at jtemple(at)sfchronicle.com.)

Must credit the San Francisco Chronicle