By Matt Tank
I’ve previously written about data privacy, outlining the breadth of the subject and attempting to provide some suggestions on how to navigate the issues.
Recently, I’ve given more thought to privacy agreements specifically: why they’re so complicated, why we don’t read them, and how they primarily exist as an enabler for almost-unlimited collection of data.
With the expected explosion of Internet-connected devices, or the Internet of Things (IoT), this issue will only get more serious. What happens when everyone has a bed that sends data about their “sleeping” patterns to the manufacturer, and how will the manufacturer use that information? Or a car that knows every place you go? Tying our protection to an obfuscated, 200-page document with a giant AGREE button at the bottom is a recipe for disaster.
My solution is simple. For every service we use, the provider should be required to present a privacy card alongside the detailed terms-of-service document that we all know and ignore. The privacy card must be clicked through when a user signs up, and again whenever any of the information on the card changes.
The privacy card is a short list of colour-coded privacy indicators. For each indicator, a coloured indicator box must appear in its entirety on the card, and each indicator box contains the following information:
- The indicator title – linking to the government-provided definition of the indicator
- The detail text – the text reflecting the privacy stance of the service/site/company for that specific indicator. It must be reproduced unedited.
- A “more information” icon – where the company can provide context for, or justify, its privacy stance
Viewed together, these provide an easy-to-read overview of how your data will be collected and used. An example is provided below:
To clarify, the indicators and their options, the detail text, and the colour codes are all defined by the government (or a standards body), not by the service provider, and are designed to be modular so they can be updated as technology changes. The options available to a service provider are limited and (comparatively) easy to understand, as per this example:
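To make the division of responsibility concrete, here is an added example (not part of the original post) of what a machine-readable privacy card could look like. The indicator registry, option ids, wording, colours and URLs are all hypothetical stand-ins for the government-defined definitions. The provider supplies only an option id per indicator plus its “more information” text; the title, definition link, detail text and colour are copied from the registry, so the text cannot be edited and the colour cannot be chosen independently of the option. A separate check validates a card that has already been rendered, and a canonical digest of the card detects any change that should trigger a fresh click-through.

```python
import hashlib
import json

# Hypothetical indicator registry standing in for the government / standards-body
# definitions the post calls for. Indicator ids, option ids, wording, colours and
# URLs are all constructed for this example.
REGISTRY = {
    "third-party-sharing": {
        "title": "Sharing with third parties",
        "definition_url": "https://example.invalid/privacy-card/third-party-sharing",
        "options": {
            "none": ("We do not share your data with third parties.", "green"),
            "named-partners": ("We share your data with partners we list by name.", "yellow"),
            "sold": ("We sell your data to other companies.", "red"),
        },
    },
    "retention": {
        "title": "Data retention",
        "definition_url": "https://example.invalid/privacy-card/retention",
        "options": {
            "on-deletion": ("We delete your data when you close your account.", "green"),
            "fixed-period": ("We keep your data for a fixed period after you leave.", "yellow"),
            "indefinite": ("We keep your data indefinitely.", "red"),
        },
    },
}


class CardError(ValueError):
    """Raised when a provider's card does not conform to the registry."""


def render_card(provider_choices):
    """Build the displayed indicator boxes from the provider's choices.

    provider_choices maps indicator id -> {"option": option id, "more_info": str}.
    Only the option id and the 'more information' text come from the provider;
    title, definition link, detail text and colour are copied from the registry,
    so the provider can neither reword a box nor recolour it.
    """
    unknown = set(provider_choices) - set(REGISTRY)
    if unknown:
        raise CardError(f"unknown indicators: {sorted(unknown)}")
    boxes = []
    for ind_id, ind in REGISTRY.items():  # every registry indicator is mandatory
        if ind_id not in provider_choices:
            raise CardError(f"indicator {ind_id!r} missing from card")
        choice = provider_choices[ind_id]
        option = choice.get("option")
        if option not in ind["options"]:
            raise CardError(f"{ind_id}: {option!r} is not a permitted option")
        text, colour = ind["options"][option]
        boxes.append({
            "indicator": ind_id,
            "title": ind["title"],
            "definition_url": ind["definition_url"],
            "option": option,
            "detail_text": text,
            "colour": colour,
            "more_info": str(choice.get("more_info", "")),
        })
    return boxes


def check_displayed(boxes):
    """Verify an already-rendered card (e.g. one scraped from a provider's site)
    against the registry: each box must carry the registry's exact text and
    colour for its option. Returns a list of problems, empty if the card is clean."""
    problems = []
    for box in boxes:
        ind = REGISTRY.get(box.get("indicator"))
        if ind is None:
            problems.append(f"unknown indicator {box.get('indicator')!r}")
            continue
        expected = ind["options"].get(box.get("option"))
        if expected is None:
            problems.append(f"{box['indicator']}: invalid option {box.get('option')!r}")
            continue
        text, colour = expected
        if box.get("detail_text") != text:
            problems.append(f"{box['indicator']}: detail text was edited")
        if box.get("colour") != colour:
            problems.append(f"{box['indicator']}: colour does not match option")
    return problems


def card_digest(boxes):
    """Canonical SHA-256 over everything the user sees (options, text, colours and
    the provider's justification), independent of box ordering, so any change to
    the card produces a new digest."""
    canonical = json.dumps(sorted(boxes, key=lambda b: b["indicator"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def needs_reconsent(accepted_digest, boxes):
    """True when the card differs from the version the user last clicked through."""
    return accepted_digest != card_digest(boxes)
```

Storing the digest of the card a user accepted, and comparing it against the current card at each login, gives the “whenever any of the information on the card changes” rule a mechanical test instead of relying on the provider to remember to re-prompt.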
It is expected that this solution will have the following effects:
- Greater public awareness of the major privacy concerns, including being able to identify red-flags (because they’re actually red)
- Greater awareness of how service providers collect and use their users’ data (I suspect many of the largest Internet services would have a lot of red in their cards currently)
- Increased competition and the development of a value trade-off for privacy. Service providers that offer greater privacy for their users will be better able to compete with the established data-vacuuming multinationals. As awareness increases, the revenue a provider forgoes by collecting less data may be made up for by attracting more customers.
- The development of more flexible service offerings. For example, a free service could be paired with a privacy card that is mostly yellow and red, while a paid offering could be paired with a mostly green-and-yellow card. Users could even be paid to provide greater access to their information.
Of course, no solution like this will be successful if it is not enforced, so legal penalties must apply to organisations that misrepresent their service by selecting the wrong indicator box. Any existing laws around the traditional terms of service must still apply as well.
Data is already a significant part of the global economy, and poised to become even more important, so we need to regulate the exchange of data in some of the same ways we regulate the exchange of money and goods. We don’t allow a mechanic to take all the spare change out of your car while it’s being serviced, and in the same way, we shouldn’t allow data-collecting companies to take more than what the service user is knowingly providing.