

Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words


  • From: Doc Searls
  • To: "Murray Lohoar"
  • Cc: "'Drummond Reed'", "'Alan Mitchell'", "'mary hodder'", "'Phil Wolff'", "'Sean Bohan'", "'Judi Clark'", "'Project VRM'"
  • Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words
  • Date: Thu, 14 Feb 2013 13:50:59 -0500

Much of offline is broken. Worse, as you say, much of the brokenness of offline commerce is modeled on rude online practices. (For example, requiring that customers carry loyalty cards in order to get a "discount" or whatever.) What matters about offline is that some or most of it has courtesies built in that have been present for generations, while we have not yet experienced those on the commercial Web.

Doc

On Feb 14, 2013, at 8:39 AM, "Murray Lohoar" wrote:

Don’t be sure that the offline system is not broken.  I made a purchase a couple of months ago at Carphone Warehouse in the UK only to find the terms and conditions already applied on the reverse of the A5 receipt:
 
 
I meant to post it a while ago, but you reminded me.
 
The assumptive practices learned online are leaking into the offline world. It’s kind of insulting for a vendor to write this stuff and actually think that they have a right to do it.  I apply my “disingenuous” test which Carphone Warehouse clearly hits.
 
There are probably terms and conditions for walking into their shop which I inadvertently agreed to...I bet the print is really really small.
 
Murray
 
From: Doc Searls [mailto:dsearls@cyber.law.harvard.edu] 
Sent: 14 February 2013 13:14
To: Murray Lohoar
Cc: 'Drummond Reed'; 'Alan Mitchell'; 'mary hodder'; 'Phil Wolff'; 'Sean Bohan'; 'Judi Clark'; 'Project VRM'
Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words
 
The online system is broken (while the offline is not) because the online system is run by only one side of the supply/demand relationship. This can be fixed, and it's our job — here on the demand side — to fix it. The supply side can't, and won't, do it alone. After 18 years of this stuff, that much is clear.
 
Doc
 


But it’s automation of the process rather than removing it.  You publish your requirements and the participant connects or not. The actual step of having terms/policy does not disappear.  In the UK there is legislation about sale of goods which entitles you to what it says on the tin – but if they told you it was a diesel car and you put petrol in it, it’s your fault not theirs  - their terms stated that the car would only run on diesel, it’s in the paperwork.
 
A photo sharing site is not a photo sharing site is not a photo sharing site – some sites take your photos for their gain, some keep your photos private, some specifically promote the images for the commercial gain of the photographer.  These services may look all the same functionally, but need different terms/privacy and so the process of agreeing remains, the question is how easy and clear you can make it.
 
Taking the car analogy one step too far, we are all clear about the difference of hailing a cab, renting a car, leasing a car and buying a car and though they largely result in the same transport related outcome, we enter into the arrangements mainly on the clear understanding of what we’re getting into. We assume the cab driver is insured.  We assume that a breakdown in the rental car will be immediately fixed for free, etc etc. The challenge perhaps is to develop the clarity of expression of the variety of information exchanges in a way that we are reasonably able to make assumptions.
 
Take email for example.  I assume that (subject to my security mechanisms) email is private.  But as soon as a provider like Google say starts to process my email, this previously fundamental assumption is challenged.  So where previously I had the model “email=private” now that is not the case. We need another term.  Perhaps Google should call it Admail, then we would know that is what they meant.  But not surprisingly Admail is not a very attractive name...
 
So for my money it’s not about having agreements or not, it’s about transparency and ease... or frankly we’ll be just fuelling the law industry with money through post assumption/agreement legal cases.
 
M
 
From: [mailto:drummond@respectnetwork.net] On Behalf Of Drummond Reed
Sent: 14 February 2013 09:40
To: Alan Mitchell
Cc: mary hodder; Phil Wolff; Sean Bohan; Judi Clark; Project VRM
Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words
 
Here here! (And I really mean "here" - what Alan is preaching is what Respect Network is building - a VRM network where you'll never have to read a privacy policy again.)

 

I'm not sure I really understand this debate.
 
Why should we have to read a privacy policy in the first place? If we buy say, an automobile, we are not presented with a long and detailed list of its various components, their quality and functions, and asked if we agree or disagree with the choice of component or how it is being used. Quite rightly, we expect the car company to address all these issues in ways we can trust - and we expect them to be taken to the cleaners if they fall down on quality, safety and so on.
 
The mere fact of introducing an 'agreement' between the buyer and the car company on the quality/functionality of its components would open up a huge temptation for the car company to blind the buyer with science, cut corners, take advantage --- all now with the defence 'but you agreed to it'. That's exactly what has happened with so-called 'privacy'.
 
I do not see why I should have to read anything, tick anything to agree to anything when I share my data with a company for commercial purposes. I should 'just know' that I am only sharing data that is 100% related to the task in hand, that any data I share will only be used for the purposes of providing the service and facilitating the transaction, that it will not be passed on to anyone else, and that it will be kept by the seller only for as long as service provision is necessary. 
 
I shouldn't have to read small print or tick boxes about this. It should be the standard, default norm - just taken for granted - and any company transgressing on this norm should be taken to the cleaners (by regulators and public opinion), just as a car company transgressing on quality and safety should be taken to the cleaners. I blogged about this recently here
 
As soon as we start arguing about whether the small print is readable or not, we have already ceded the principle and the argument to the data landgrab industry.
 
Alan M 
 
 
 




-----Original Message-----
From: Mary Hodder
To: Phil Wolff, PDEC
CC: Sean Bohan; J Clark; ProjectVRM list
Sent: Tue, 12 Feb 2013 17:25
Subject: Re: [projectvrm] Fwd: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words

I don't think the proscribed reading level is the problem with the bill.. that would probably work out fine.
 
It's the length and the fact that it's customary to have multiple policies.. 2-4.. that would cause this bill to be toothless.
 
And I'm not sure you can tell people not to speak (or companies that == people).
 
What if just the list of collected data, in the slimmed down 100 word privacy policy, were more than 100 words?
 
Then what?  For facebook, this list is all possible
 
Ip Address
IP location
Name 
Address
City
State
Zip Code
Country
Birth date
Browser Type
OS Type
Pages visited within site
Pages clicked upon within site
"likes"
"comments"
Pages arrived from (offsite)
Pages going to (offsite)
Location checkins
contact's list
friend types
friends recommended to others
friend requests sent
friend requests received
Pages visited (offsite, with "like" or "comments")
Status updates
Shared from others
Payment information (for promoted posts and gifts)
Pages promoted
Gift and recipient
Ads clicked
photos uploaded
videos uploaded
links shared
searched within FB
searched outside FB
messages and IMs
promoted
job history
job years
quotes
liked items for profile
relationship status
schools attended
school years
history and year
privacy settings
login settings
 
I'm sure I've missed a bunch.. but that list is 116 words..
 
Even at 200 words, which Adrian's white paper on consent dialogs suggests, there's not a lot left for the rest of the dialog and privacy information.
 
mary
 
 
 
 
On Feb 12, 2013, at 4:14 AM, Phil Wolff, PDEC wrote:



A few examples come to mind in support of this attempt.
 
Reader's Digest targeted sixth-grade reading level for its entire history. They are famous for explaining law, foreign affairs, human biology, anatomy and physiology using simple language and illustrations. "This is Joe's liver"
 
Wikipedia has a "language" of "Simple English". This is a very restricted vocabulary (850 words) and writers are translating everything from engineering and Einstein's relativity to social sciences into Simple English. It really works, stripping away jargon, hundred-dollar-words where a five-penny word will do, losing all pretension. Intensely valuable for people for whom English is a second language, with some kinds of cognitive challenges, or for whom vocabulary is a barrier. http://simple.wikipedia.org/ http://simple.wikipedia.org/wiki/Special_relativity
 
Apps that score text for readability often check word length (in syllables), sentence length, paragraph length, structure simplicity/complexity, and grammar rules that prevent semantic confusion. So overall length of a contract or advisory should help, but there are many other factors that contribute to readability and access by someone who doesn't read much or read well. 
 
I don't know if it's still true, but I was told when I first studied technical writing that the average person is most comfortable reading three or four years below their highest academic grade level. Where inclusion is a goal, and I'd think it would be in the case of readable contracts, shooting for 6th grade seems both important and attainable.
 
 



What's interesting about this is that it would be fairly easy to get around, if it passes.
 
So.. a site or app does a 100 word, easy to read Privacy Policy.
 
Then they do a TOU and Data Policy.. for the rest of what usually goes in those things.
 
It's silly to write a law this way.. and I think would also violate free speech rights...
 
I could see requiring a simple text summarizing a privacy policy in 100 words, but I just don't see this going anywhere useful, even if it does pass.
 
Which I doubt it will.
 
 
On Feb 10, 2013, at 11:51 AM, Sean Bohan wrote:



Awesome share - Thanks!
 

From a business context, Pharma companies and their agencies focus on a 7-8th grade reading level for all communications meant to be read/experienced by patients. 

FYI, FWIW. 
 
In California, I was told a few years ago by a Criminal Prosecutor & Law School Professor, an average jury pool has an 8th grade education. Elsewhere in the US, it's closer to a 7th grade equivalent, which isn't saying much these days.
 
 
 
Begin forwarded message:



Date: February 9, 2013 7:33:50 PM PST
Subject: [ PFIR ] Proposed California law requires site privacy polices not to exceed 8th grade language and 100 words
 


Proposed California law requires site privacy polices not to exceed
8th grade language and 100 words. 

We all do know that privacy policies can become long and complicated,
but they encompass complex principles.  And while we're probably very
much in favor of making them as understandable as possible, trying to
limit privacy policies in such an arbitrary manner makes about as much
sense as trying to legislate the value of pi.  In fact, the actual
bill itself would violate its own designated limits many times over.
And I've now just about hit the actual 100 word limit itself.  Sorry
about

http://j.mp/Z2CqEF  (Leginfo.ca.gov [PDF])

--Lauren--
Lauren Weinstein: http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
- Network Neutrality Squad: http://www.nnsquad.org 
- PRIVACY Forum: http://www.vortex.com/privacy-info
- Data Wisdom Explorers League: http://www.dwel.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
pfir mailing list
http://lists.pfir.org/mailman/listinfo/pfir
 


 
-- 
------------------------------------------------
Sean W. Bohan
 
 
 
 

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2899 / Virus Database: 2639/6102 - Release Date: 02/13/13
 




