On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Monday, 26 March 2012

Our standardised privacy policy project is not an exercise in iconography

More than icons
TM. A visualisation of Privacy Footprint, part of the proposed standardised personal data scheme.  
I've spoken to a quite a few people about our plan for a suite of standardised privacy policies. Whilst about 70% of people are enthusiastic of our plan (non-scientific study!), inevitably many tend to focus solely on the icons, and at that point tell me either (a) it's been tried before (yes, I know) or (b) it won't change user behaviour.

Here's a quick response: our proposal is not primarily about icons.

And here's a fuller response...

My perspective on the Mozilla Privacy Icons project: it attempted to graphically represent all the ways that data could be used or shared, and capture this in an icon.

In some respects the Mozilla privacy icon project is a graphical progression of P3P, the compact privacy policy project. Both approaches are looking at privacy perhaps as a software engineer would.

Where we - as in Julian Ranger and myself at Open Digital - are coming from is somewhat different.

We're not trying to encode a complex amount of information into an icon.

Instead we're creating a series of say 6-7 standardised privacy policies which become gradually more private so that users may easily compare like-for-like services to find which take data protection more seriously than others.

As an engineer myself there is a temptation to see this as a technical problem. But it's not - it's a social problem and an economic problem, caused by the massive increase in capability brought by technology and the commercial value in personal data today.

We can either try and fix the socioeconomics or attempt to control the technology to regulate the resultant data.  Neither is an easy challenge, but I prefer the former over the latter.

Our scheme, instead of trying to offer a diverse range of visualisations to accommodate a diverse number of data-sharing practices, defines a handful of policies based on best-practice.

We hope these policies will help users understand what is being done with their data. They don't have to read every privacy policy, they just have to familiarise themselves with half a dozen standardised policies.

Our aim is to provide a driver for minimising the use of personal data, improving the storage of personal data and promoting the ethical use of personal data.

Our 'most private' licenses will require data to be stored securely within a system which is designed to be private.  Their use may mandate the conformance to other emerging standards such as private by design.

Above this there will be a range of less-private options, showing data may be shared with selected businesses.

And then the most open license.  I use license and privacy policy interchangeably as I see you being the licensor for your data. You decide what can and can't be done with the data, and any contract you sign up to must be clear as to what rights you grant others to use your data.

Icons are used in place of e.g. a simple numerical scale of 1-7 to aid visual recognition - a mixture of endorsement (certification marque) and visual guide.

Sure there will be businesses who don't want to be boxed in to our scheme. They will want to differentiate themselves.

But I sincerely believe there will be a push from users who want clarity. They want to understand what they're signing up to.

There are two unanswered questions. (1) can a suite of standardised licenses and associated iconography impact user behaviour and (2) will sufficient businesses adopt the scheme.

To answer these questions we first propose two studies. A socio-economic  study to answer (1) and a business attitudes study for (2).  We will use the results to decide whether and how to proceed.

As a society we're faced with 2 choices: regulate how data is used and take the consequences of either an over-bearing enforcement regime or widely circumvented laws; or, leave it to the markets and risk having corporate interests trump user interests in at least the short and mid term.

I don't think regulation will work, so I'm looking at ways to encourage the market to work more in the interests of users.



  1. Sounds a bit like Creative Commons, then?

    I know what CC-BY-SA means, and it's much easier for me to just see a CC-BY-SA logo and know what that means than to have to read a license.

    CC works so much better than Open Source licences, where the vast majority seem to be basically GPL, basically BSD, a halfway house like MPL/LGPL, or an "only one company can sell this commercially" licence (like the old QPL), but there are a dozen variants of each, with subtle differences.

    Can I suggest that you concentrate on the standard licences, rather than the pretty pictures, though - if I'm setting up a new web service and I can pick up a standard privacy policy off the shelf, then I'll probably do that, rather than making one up and then going to a lawyer later if I'm making enough money to justify one.

    Look at how many websites licence UGC under a CC licence - because "everyone" understands CC and it saves a lot of paying lawyers. If you're going to produce some standard privacy policies then that's great.

  2. Hi Richard,

    You're spon on - this is very much llike Creative Commons in approach, however I'd say that the graphics still have a role to play in user recognition, which is why we included them in our proposal paper.

    The open source GPL/BSD analogy is very useful, I hadn't thought of that but I have spent the last week arguing with mainly lawyers who cannot accept that there will be any demand for standardised licenses because users and businesses like customisation.

    In this case I argue that clarity is the single most important driver for adoption, and this driver will outweigh the business (and lawyers') temptation to tweak. I hadn't actually thought until I read your post that some businesses will atually welcome an off-the-shelf policy as it makes things simpler for them too.

    Thanks very much for your contribution,


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.