Finally, we note that there is still a strong need for better tools and techniques for designing, implementing, and deploying privacy-sensitive systems. We discuss these issues as key research challenges in Sections 4.2.2 through 4.2.5.

3.3.1 Privacy Policies for Products

Publishing a privacy policy is one of the simplest ways of improving the privacy properties of an IT product, such as a web site. Privacy policies provide information to end-users so that they can express informed consent, and they help products comply with the Openness and Transparency principles of the FIPS.

Privacy policies are very popular on the World Wide Web, both in nations that mandate them whenever personal data is collected (e.g., the EU) and where they are used because of market pressure (e.g., in certain industries in the USA). The specific content and format of privacy policies vary greatly between national contexts, markets, and industries. Under many legal regimes, the content of privacy notices is specified by law, and web site publishers have little leeway in writing them. The objective of these laws is to inform the user of his rights and to provide notices that enable informed consent. In other cases, privacy policies are written with the goal of increasing user trust and have a reassuring, rather than objective, tone. Certification programs such as TRUSTe and BBBOnline also mandate certain minimal requirements for privacy policies. These programs also verify that participating web sites comply with their stated policy, although such verification is “shallow” because the certification programs do not assess the internal processes of the organizations running the web sites.

Helping End-Users Understand Privacy Policies

There have been extensive efforts to make policies more understandable to consumers, especially for Business-to-Consumer (B2C) e-commerce web sites. However, the results thus far have not been encouraging. Controlled experiments by Good et al. on End-User License Agreements [127] and by Jensen et al. on web site privacy policies [169] strongly suggest that users tend not to read policies. These studies also indicate that policies are often written in technical and legal language, are tedious to read, and stand in the way of the primary goal of the user (i.e., concluding the transaction).

Evidence external to the HCI field confirms this finding. A 2003 report by the EU Commission showed that, eight years after the introduction of the EU data protection directive 95/46, the public still does not know its rights under data protection legislation [64]. This is remarkable, considering that these rights must be repeated to users in a mandatory privacy policy every time personal information is collected, and that the user must agree to the policy before the collection can take place.

Indeed, the general consensus in the research community is that privacy policies are designed more to shield the operators of IT services from liability than to inform users. Furthermore, Jensen and Potts’s evaluation of the readability and usability of privacy policies suggests that current policies are unfit as decision-making tools due to their location, content, language, and complexity [168]. Users instead tend to receive information about privacy-related topics such as identity theft from the media and from trusted sources like expert friends.

