At PrivacyChoice we curate quite a bit of data about the privacy ecosystem, including detailed classifications of the privacy practices of more than 4,000 leading websites and data collectors. To support this dataset and keep it current, we’ve built systems that analyze and monitor privacy disclosures, track industry affiliations, examine data collection methodologies and test choice frameworks. We’ve made this investment because better data enables easier and more informed choices about privacy. We believe that better privacy experiences will be built on data.
Of course, not all of these experiences need to be or will be built by us. This is why today we’re opening up our data platform in two important ways: First, to allow members of the PrivacyChoice community to analyze and submit privacy data to the system, and second, to allow developers to get data back out of our system for new and useful applications. We call it the PrivacyChoice Data Project, and the full announcement (and some interesting research) follows.
PrivacyChoice Project Makes Privacy Easier Through Data
“Wikipedia for Privacy Data” will improve privacy assurance for all
November 26, 2012 – Santa Cruz, CA – Privacy-technology leader PrivacyChoice today launched an ambitious initiative to bring privacy transparency to the world’s websites and apps. Using an open data platform, volunteers around the world can now quickly and accurately evaluate any website’s privacy practices, and contribute their work to an open dataset supporting innovative privacy tools, greater consumer understanding and better privacy practices
“On their own, privacy policies are too long and complicated to be of use to most people,” said PrivacyChoice Founder Jim Brock. “But by empowering the crowd to analyze essential privacy terms, we can actually make privacy policies meaningful and actionable for everyone.”
PrivacyChoice also released the first-ever wide-scale analysis of 2,500 top privacy policies, which comprise the starting dataset for the project. The research reveals that 20% of sites and apps reserve the right to share personal data freely for commercial purposes. Also, 60% of website privacy policies do not provide any written assurance that users can delete their personal data at the end of the relationship. “Without greater transparency, these outliers have little incentive to step up to more protective privacy practices,” said Brock.
The new initiative builds on the popular Privacyfix tool, now used by more than 200,000 people, which provides instant access to privacy ratings for top websites and Facebook apps. Brock said: “We were blown away by how many Privacyfix users volunteered to help us analyze even more privacy policies. This inspired us to upgrade our internal tools and open them up so anyone can participate in and build on our work.”
Analysts use a special Chrome browser extension with a review console to make policy evaluations efficient and accurate. In each review category — such as “Data Sharing” — keyword highlighting emphasizes the passages most likely to relate to the topic. It also captures and submits the classification and related text, which is then subject to peer review and algorithmic validation. Analysts can select any site policy they want to review, or can call for assignments through the extension. PrivacyChoice also monitors policy pages to tell when policies change, and automatically directs reviewers to update the analysis when necessary.
All privacy ratings gathered in the PrivacyChoice Project will be available in a free API, so that developers can incorporate the data into their own privacy applications and add-ons. “With an open data platform, we can imagine cool and useful tools to make privacy easier. Anyone can design visually powerful icons associated with policies, or map them to the Mozilla privacy icon project. Browser add-ons can use the data to warn users before they provide personal data to less protective companies; to compare privacy practices of competitive services; or to inject privacy ratings within search results. Also, this unique dataset should be very useful to academic and policy researchers seeking to understand trends in privacy terms.”
So far, the PrivacyChoice Project has analyzed the privacy policies of more than 2,500 top websites and apps. The examination of each policy, which was done by at least two reviewers, includes key terms such as whether personal data may be shared with third parties for commercial purposes, whether notice is provided in the event of government requests for data, whether data can be deleted by the user on request and whether policies confirm that data sharing with vendors is subject to restrictions on re-use.
Nearly two-thirds of all policies examined (63%) provide assurance that personal data generally will not be shared with other companies, while another 10% promise not to share personal data for “marketing purposes.” However, one in five sites provide no assurance against sharing personal data with other companies.
We examined privacy policies to determine whether sites provide assurance that users can request and achieve deletion of personal data when they no longer use the site or app.
Of all policies examined, 60% provide no data removal process or assurance. Three percent (3%) of site policies contemplate a data removal process, but reserve exceptions for purposes such as transaction auditing and backup storage. A minority of sites and apps, 38%, either do not retain personal data or appear to have a process for data removal.
We examined privacy policies to determine whether sites promise to provide notice in the event that personally identifiable information is requested in connection with government processes, such as law enforcement and litigation.
Very few sites (approximately 2%) provide any assurance of notice. We also observed that only a handful of site policies promise to limit data disclosure to court-issued orders, as opposed to ad-hoc subpoenas and requests.