Data Privacy ‘Nutrition Labels' for Web Users Slow to Catch On

Original Source 

From pervasive data collection by the U.S. National Security Agency and other intelligence agencies to the leak of intimate photos and information on dozens of celebrities from Apple's iCloud service, the privacy failings of the Internet have increasingly garnered the spotlight. While new products have reached the market aimed at helping privacy-conscious consumers better secure their data, another effort is focusing—not on new technology—but on policy and education. The nascent effort aims to improve privacy by notifying consumers using a short-form notice, also known as a privacy "nutrition label," and it may get some much-needed momentum from the current focus on information-collection practices. First discussed more than a decade ago, short-form information-collection notices seek to clarify the privacy choices facing consumers. Last week, for example, security firm AVG launched its own short-form notices for its mobile products, using icons and simple statements to outline what data the company collects, what data it does not collect and with whom it shares information. The aim is to make consumers' privacy choices more meaningful, Harvey Anderson, AVG's chief legal officer, told eWEEK. 

"In general, the terms of service for most products and Websites are a race to the bottom," he said. "Basically, they are saying that, if we give you this service for free, we can do what we want with your information."

While it is good that such arrangements leave open future business models, this type of language does not protect consumers, he said—especially because, unlike nutrition labels, privacy is not something that can be measured and quantified.

"Privacy is not a thing; it is a quality," he said. "And it is made up of these practices, and the practices vary widely."

AVG's privacy notice for its mobile application is part of an effort to create easy-to-understand statements to help consumers make better choices. In July, Intuit and the Application Developers Alliance teamed up to release code for mobile application programmers to add the feature to their products.

Yet, efforts to create more succinct and clear statements on information collection have generally not been widely adopted. A decade ago, Microsoft and other companies announced support for short-form notices on Websites to clearly state what consumer information the sites collect. In July 2013, the U.S. National Telecommunications and Information Administration (NTIA) released a draft of the short-form privacy requirements for mobile applications created by the Multi-Stakeholder Process on Application Transparency.

"The transparency created by displaying information about application practices in a consistent way as set forth in this code is intended to help consumers compare and contrast data practices of apps," the guidelines state. "These short notices seek to enhance consumer trust in app information practices without discouraging innovation in mobile app notices or interfering with or undermining the consumer's experience."

Yet, such efforts have not spurred adoption. Intuit's repository for its open-source privacy notices on GitHub, for example, shows hardly any activity. AVG hopes that its focus on security and privacy will spread through the industry. In five years, most developers will likely include the notices, Anderson said.

"The ideas have been percolating for a while," he said. "The way I think about this is that this is an evolutionary step."