Tag Archives: privacy

Privacy nutrition labels

The recent Symposium on Usable Privacy and Security, SOUPS 2009, seemed to cover a whole lot of interesting topics. One of these days I hope to attend for real — but failing that, I’m just working my way through the proceedings slowly. One paper, A “Nutrition Label” for Privacy, is especially cool.

The researchers have gotten pretty far down the path of rationalizing website privacy policies into a graphical/tabular form that’s actually enjoyable to use (their word! and they have numbers to back it up!). Whereas such policies in natural-language form are usually wordy, complex, inconsistent, and stubbornly irrelevant to a user’s actual preferences, their proposed label format provably borrows the benefits of real U.S. FDA nutrition labels, such as making a policy more amenable to at-a-glance interpretation, allowing you to compare two policies, and providing visual boundaries for the regulated/trustable portion of what you’re seeing.

The data categories in the label are a very high-level, “cooked” version of what’s in the Platform for Privacy Preferences (P3P) policy system. It’s worthwhile asking if the labels, and even the original sophisticated descriptions of data collection and use that they’re based on, are measuring the right thing. (After all, I have very little confidence that actual FDA Nutrition Facts labels are measuring the right thing.) But the categories they list seem like a pretty good start; “your activity on this site”, for example, turns out to be one of the biggest loopholes in many of today’s prolix-but-slippery privacy policies:

  • contact information
  • cookies
  • demographic information
  • financial information
  • health information
  • preferences
  • purchasing information
  • social security number & govt ID
  • your activity on this site
  • your location

Now I’m consumed by the thought of letting a person use this matrix-based approach to configure her ProtectServe-enabled relationship manager, such that any would-be recipient has to meet her privacy terms if they want to get the goods…

What happens in Vegas

…could end up anywhere.

On vacation last week in Sin City, I got an offer someone thought I couldn’t refuse, and was put under surveillance in an interestingly creepy way.

For custom service, you have to pay — in money, attention, or personal data. The Wynn hotel-casino (which is gorgeous, but has such a useless website that I’m not linking it) desperately wanted me to sign up for its Red Card loyalty club. Here’s the deal: If I sign up for the card by showing them a valid government ID and giving them my full name, Social Security Number, date of birth, mailing address, email address, and cell phone number, they will give me a buffet meal for free. This is all listed right on the rather large offer card, and there’s nothing about privacy policies on there either. The Wynn buffet is a treat, but I’d rather give them mere dollars for that, thanks. (One person in my traveling party — a frequent gambler, something I’m not — did go for the deal.)

And if you want to be a bit of a coquette in the twenty-first century, apparently you have to be put under close and possibly recorded observation without any notice given or consent obtained whatsoever. Hey, I’ve watched CSI — I realize that in Las Vegas you aren’t safe from security cameras anywhere except the bathrooms. But then I sat down at the iBar in the Rio and started futzing around with the Big-Ass T…uh, I mean the Microsoft Surface. At first I didn’t realize other private citizens could observe me closely from their B.A.T.’s elsewhere in the bar. It’s supposed to be for flirting:

Flirt Vegas style by adding a hip ultra-lounge vibe to the flirting experience. This application allows guests to create an exciting new way to chat and meet people from one Surface to another. Strategically placed video cameras at each Surface add even more energy to the action, allowing guests to interact with old friends, flirt with new acquaintances, and take and send photos across the lounge.

Luckily, this also meant I could observe the action at other B.A.T.’s myself, which was useful when I couldn’t figure out how to find the Virtual Earth app and caught the camera’s-eye view of the people at the next table using it. Well, honestly I could have just looked over to see that, but using the spy-eye gave me such a sense of power. :)

Eli and I did play a few games of virtual bowling, which was fun in a flashback-y sort of way. It reminded me of one of the bars my first band Sleeper played regularly in ’80-’81 — the long-lost 23rd Step in Kailua. They had a game table where you could sit across from someone and play Galaxian. It was just offstage next to my keyboard setup, and I would lunge for it whenever we finished a set, about the time the other band members were lunging for the next-door 7-Eleven if it was before midnight and beer could still be legally bought. Ah, good times.

(In case anyone else who loves those old games goes to Vegas, check out the dim corners of the Gameworks on the south Strip, where you’ll find Space Invaders, Centipede, and — yes — Moon Patrol.)

Um. And with that, I think I’ve proven once again that I’m the queen of TMI (why does that acronym spring to mind every time I bring up video games here?).

Exit question: Are privacy policies positively pointless for someone who just spews random data about themselves on a public website anyway?