Policy

Research: Approach to Privacy Policies Needs a Makeover

• By Dian Schaffhauser
• 01/20/16

Plenty of people already have a tendency to ignore the privacy policies of the sites they visit or the apps they download onto their smartphones. Often the text is dense or the screen upon which they're displayed is difficult to read. Yet the risks of not understanding privacy decisions are only going to grow as the Internet of Things introduces new kinds of sensors and other Internet-connected activities that have no real interface for the users who adopt them. A team of researchers from Carnegie Mellon University, Rand and Google has come up with a set of guidelines for "properly" designing privacy notices that will help users make "informed privacy decisions."

The goal of their work, the researchers reported in "A Design Space for Effective Privacy Notices," is to help "designers, developers and researchers identify notice and choice requirements and develop a comprehensive notice concept for their system that addresses the needs of different audiences and considers the system's limitations and opportunities for providing notice."

One key is to get the timing right. For example, rather than relying on a notice during installation about the privacy practices of a given app that's just been downloaded to a phone, the paper suggests that particular activities that require "access to sensitive information such as the user's location, contacts, photos, calendars or the ability to record audio and video" should be done just when that access is required, as a "just-in-time" notice.

"There's been lots of research on improving privacy notices, but little guidance on how to design effective notices," said Florian Schaub, a post-doctoral researcher in the university's Institute for Software Research, named as the first author on the paper. "In this work, we've compiled the best practices and have provided a taxonomy and common vocabulary so we can start incorporating these design principles into privacy notices and privacy policies."

The researchers noted that in the case of IoT, devices such as smart thermostats, wearables or other sensors lack displays or have very tiny interfaces, making "appropriate and usable notice and choice mechanisms" for communicating private data usage "challenging."

In that case, the paper advised, privacy notices could be provided via "secondary channels." Opt-ins or opt-outs for personal information "could be provided at the point-of-sale...or as part of video tutorials," the researchers suggested. Or just-in-time, context-dependent and "periodic notices" could be as text messages or emails, as long as the user agreed to such notices and provides contact details during setup. Or auditory, visual or haptic signals could alert users at moments when they need to pay attention to a privacy decision.

"A privacy policy is not an effective privacy notice; it is a starting point," Schaub said. He added that companies are already motived to do a better job of notifying customers on privacy policies because they're more likely to trust the company and to share their data when they understand how it will be used.

The paper concluded that the "design space" for alerting people on privacy decisions should be "part of a comprehensive design process" that's "well integrated with the respective system, rather than bolted on."

The report was recently selected as one of the top five privacy papers by the advisory board of the Future of Privacy Forum recommended for reading by policymakers.