James Governor's Monkchips

Privacy Policies Should Have RSS Feeds


What a great point by Kevin Murphy. They should indeed. Changes in policy are very important.

What I really can’t understand though is how a social networking startup harvesting not only its customers’ details, but also their networks, can fail to put forward a policy at all. I gave the site a hard time about it before but it still has no policy. What is up with MyBlogLog?

Kevin looks at the policy pages of the leviathans, but what of feed-oriented economy firms? Policy pages are static.

I am going to ask RedMonk’s technical geniuses to turn our privacy policy into a feed (ah yes another requirement for the new homepage). Not that the RedMonk privacy policy has changed since we set up RedMonk, but what if we did?

15 comments

  1. Privacy Policies should have RSS feeds

    James Governor and Kevin Murphy both agree: site Privacy Policies should have RSS feeds. Absolutely.

  2. Hi, thanks for calling us out [and for making sure you’d posted your policy before calling us out a second time 😉 ].

    We’ve been going back and forth internally about whether to have a policy more generally modeled after ad networks — even though we do no advertising targeting with our data — or social networks. We’re opting for the former in order to explain better the more subtle aspects of our service. When we post it in a couple days, we’d love feedback.

  3. good stuff scott. thanks for taking this so well, and of course i would be more than glad to provide some feedback- and who knows, i might even now use the service… 🙂

  4. Don’t forget about P3P, the Personal Privacy Preferences standard promulgated by the W3 consortium (http://www.w3.org/p3p/). An RSS feed for privacy policy changes is fine if you’re a human who likes administrivia, but P3P lets you harness your machine to enforce your privacy preferences, which gives you a whole lot of help in the day-to-day. –HaigEK

  5. P3P has a role to play in user-centric privacy but i would be wary of describing policy as administrivia. that’s a big part of the problem – who reads EULA or privacy policy. then we wonder when a service provider screws us. it’s not trivia – terms and conditions are a crucial element of any contract.

    also – there is nothing to say a bot couldn’t subscribe to the RSS feed… if we could agree some standards for policy (fat chance)

  6. How about also figuring out a way to describe how resources on the site should be consumed using XACML

  7. Privacy policies are “required” by the FTC and also by most European countries.
    The FTC states
    The Federal Trade Commission Privacy Rules
    The FTC has established four core privacy principles applicable to all companies who deal with consumers.

    First, companies must give consumers notice of their information practices before collecting consumers’ non-public personally identifiable information (i.e., information such as a name, address, phone number or email address).

    Second, companies must give consumers a choice about whether and how their personal information may be used.

    Third, companies must allow consumers access to their personal information once it has been collected.

    Finally, companies must take reasonable steps to protect the security of consumers’ information.

    If companies collect personal data of UK citizens, then they should notify the UK information commissioner http://www.dataprotection.gov.uk/what_we_cover/data_protection/notification.aspx. This is the law, not a choice, but I wonder how many social networking solutions have bothered to do this, and I wonder if the IC would ever prosecute…

  8. interesting thomas. i knew about UK data protection, but didn’t know about the FTC rulings. are there penalties associated with non compliance

  9. FTC has some power under section 5 of the FTC act.
    they were the guys who fined choicepoint etc. fines can get big, and they can shut stuff down, or order better security etc.

    http://www.ftc.gov/opa/2006/01/choicepoint.htm

    http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

  10. We should change our privacy policy into a cleverly formatted blog (perhaps only showing the most recent post). Then we can get an RSS feed, comments, and trackbacks on it.

  11. I do believe that P3P might have a future yet. There is an ACM study that indicates that approx 10% of online retailers already support P3P. And there are certainly interesting use cases that might arise if consumers could do froogle/whatever searches for merchants who have P3P-encoded commitments not to store credit card information.

    More on my blog. I tried to trackback here, but it doesn’t seem to be working. http://blogs.sanmathi.org/ashwin/2006/09/11/standardizing-privacy-policies/

  12. Thought this might interest you – Ralf Bendrath, a privacy researcher and activist, reports from the IGF conference (http://bendrath.blogspot.com/2006/10/privacy-and-identity-igf-workshop.html) that “Mary from NetDialogue suggested to have in in a similar way as the Creative Commons license: Privacy Policies should be human readable, lawyer readable, and machine readable.” The Mary in question is Mary Rundle, of the Berkman Center at Harvard Law. If this moves forward, there could be some interesting times ahead!

  13. It was unfortunate I chose to use the word administrivia when I did not mean to suggest that changes in a site’s privacy policy ought to be considered trivia, but rather meant to suggest that what most people care about when they have an interest in this topic is substantive changes. Which gets back to my point that, really, it’s a shame that P3P never really took off, since its whole point is to let us harness our machines to keep an eye on such things and actively enforce our privacy desires. Ah, well. –HaigEK

