Insights from PII2012
The FTC Privacy Report makes it clear that context is the key to privacy. For example, notice and consent need not be presented and secured if the use is obvious from context: If you buy a book from Amazon, it’s clear they need an address to ship you the book.
But sometimes the context isn’t clear to the average user, even when it is obvious to developers. My Mom believes she doesn’t share anything on Facebook because she mostly just comments on other people’s posts. Ilana Westerman’s work shows the same disconnect: many people just don’t see their privacy exposure because they have simplified models of their actions. They think what they are doing isn’t the risky stuff, but they rarely have the awareness of what they are really doing.
Making that harder are monolithic Terms of Service and Privacy Policies that bury the details arbitrarily far away from the point of exposure, and in confusing legalese.
The answer is some form of bite-size context management. For example, Smart Disclosure, which is the US administration’s language for greater clarity about risks of information sharing:
One of the most powerful versions of smart disclosure is when data on products or services (including pricing algorithms, quality, and features) is combined with personal data (like customer usage history, credit score, health, energy and education data) into “choice engines” (like search engines, interactive maps or mobile applications) that enable consumers to make better decisions in context, at the point of a buying or contractual decision
Or perhaps something along the lines of Personal Levels of Assurance, a term from AT&T describing piece-wise on-demand disclosure and consent.
This is also the approach behind the Standard Information Sharing Label, which let’s you see in simple, consistent terms, exactly what happens with the data you are about to share, before you share it. That instance of sharing defines the context for which the information may be used, and the label makes it easy for individuals to understand that context.
We aren’t compressing the entire Terms of Service and Privacy Policy for a given site, we’re presenting just the essential details about a particular instance of information sharing. Bite-size disclosure, right at the point of sharing, because nobody wants to read 47 pages of legalese.
We think that’s the right model for untangling the world wide web.