Hacker News new | comments | ask | show | jobs | submit login
Ask HN: How can we make better, more readable privacy policies?
18 points by bhseo on Nov 1, 2009 | hide | past | web | favorite | 12 comments
I was thinking about privacy policies the other day and today I came upon this post:


I had the same idea as Aza, a CreativeCommons-like approach to privacy policies. I also put "make an HN thread about privacy policies" on my to-do list, so here we are.

How do you think we can improve the current state of privacy policies?

(Some brainstorming is also taking place here: http://aza.etherpad.com/privacy )

I personally don't believe that privacy policies are useful at all. They are at best the web equivalent of a verbal agreement.

People need to adopt the security-oriented attitude that says, if you post anything, anywhere, the entire Internet may very well see it. Period. You cannot trust every server, protection mechanism and employee in between. (You wouldn't really know who to sue, anyway.)

If something really "must" be private or controlled, then you don't need a policy, you need actual control over your data. For example, don't post the thing on an Internet-enabled computer in the first place. Or, strongly encrypt it, and have absolute trust in the recipients of keys. If you've made your key recipients sign something legally binding, and retained proof that no one else could have received keys from you, then at least you'd know who to sue for violating your trust.

Ideally, the mechanism for transferring the keys doesn't use a network either, e.g. physically hand something to your intended audience that will let them decrypt whatever you do send. The data should also have a built-in "time bomb" that makes it impossible to decrypt anything after some specified period of time (for peace of mind). Of course, the recipient could do something stupid like save the decrypted data somewhere, which is why the legal binding to key recipients is so important.

This is a pipe dream. I totally get the engineery argument for certainty and perfection, but this can't work in the real world. It's too inconvenient, and relies on users being responsible and educated.

Nothing is written in stone. People decades ago weren't locking their doors, but factors such as urbanization (with higher crime in cities) created a reality that made people change the way they think. It wouldn't have taken many friends or neighbors having TVs and cars stolen, to make them change their minds. So does it really seem that unlikely that people will not learn from the experiences of being online, and learn the digital equivalent of locking their doors?

And a several-page "privacy policy" is the solution?

In Europe the protections are better, and there are requirements that must be complied with including no data processing outside of the EEA without consent.

You can read about the UK variant here: http://www.ico.gov.uk/

At their current state, privacy policies are indeed not useful.

But maybe we can change that.

Cuil has one of the best privacy policies on the web, at least from a readability standpoint: http://www.cuil.com/info/privacy/

Using plain English (not legalese) and keeping things short and to the point seems to be an effective way of making privacy policies more user friendly. By making them so obscured by legal language that they're inaccessible to most readers, you're just guaranteeing that they won't be read. Which isn't doing anyone any favors. Keep it short, keep it simple.

Another great privacy policy, is Bill Monk's: https://www.billmonk.com/about/privacy

They use user-friendly plain English, keep things relatively short (though not quite Cuil-short), and they provide a summary of the key points at the start. That's all very helpful for users, imho.

Something Awful should get points for their privacy policy, as well: http://www.somethingawful.com/d/feature-articles/website-pri...

It's written just like anything else on their site -- with a liberal dose of humor. But that's perfect for their core audience and makes it instantly readable and easy to understand (for the people whom it effects, at least).

You might want to check out http://lexpuli.ca They are applying open source ideas to law. The plan is that will create high quality, readable legal documents (with supporting documentation, FAQs etc.) that people can use for free. They are looking for suggestions on what to work on and I know they are interested in Terms of Service and Privacy Policies for websites.

A few years ago, I knew a Microsoft intern who's project was to do exactly that for all Silverlight-type software that got installed on a user's machine. He used the P3P standard to automatically present the user with a 'privacy evaluation' before the user ok'd the installation of the software.

This was part of the Longhorn project, which as we all know got scrapped, to produce what is now Vista! :-)

One thing that bugs me in privacy policies is the "we may change this policy at any time and without warning" clause.

RSS could be one way to make sure users can receive warnings and notification of changes. However, subscribing to RSS feeds for each site would be too tedious.

A browser plugin (or rather built-in feature) that popups a warning in an overlay bar at the top of the window (like the password remember feature in Firefox), would be better. It could receive data from a centralized service, privacy policy RSS feeds, or just by screen-scraping the policy at a specified interval and checking for changes.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact