Privacy by Notice

Visualizing privacy

Aleecia M. McDonald
Overview
   The Gramm-Leach-Bliley (GLB) Act
       Selected portions from An Evaluation of the Effect of US Financial Privacy
        Legislation Through the Analysis of Privacy Policies
   Privacy text is hard
     Privacy Mad Libs example
     Privacy bingo cards

   Making GLB more useable
       Evolution of a Prototype Financial Privacy Notice
   What happens in practice?
       Privacy practices of Internet users: Self-reports versus observed behavior
   Privacy images are hard
       Privacy Pictionary / Time’s Up
What is the Gramm-Leach-Bliley
(GLB) Act?
   Senator Gramm (R, Texas)
   Representative Leach (R, Iowa)
   Representative Bliley (R, Virginia)
What is the Gramm-Leach-Bliley
(GLB) Act?
   Enacted November 12, 1999
   Effective November 13, 2000
   Not primarily privacy legislation
       A.K.A. Financial Services Modernization Act of 1999
       Modernization = Mergers
       Financial services includes: banks, stock brokerage companies,
        and insurance companies
Why does the GLB address
privacy?
   New privacy concerns arise from future mergers
       What happens when your mortgage company talks to your health
        insurance company?
   Existing privacy issues
     November 1997, Charter Pacific Bank sold millions of credit card
      numbers to an adult website company.
     1998, NationsBank shared information with affiliated stock brokerage.
      Sold high-risk investments to senior citizens.
     1999 - 2000, Memberworks telemarketers. 19/25 top banks.

   International issues
       1995, the EU passed the Data Protection Directive.
       Initial Safe Harbor proposal did not include the financial industry.
Privacy provisions in GLB
   Must store personal information securely
     ensure security and confidentiality
     protect against anticipated threats
     protect against unauthorized access that could
      substantially harm or inconvenience customers
   Must give notice of policies about sharing personal
    financial information
   Must give option to opt-out of some sharing
   No sale of specific data for marketing
   Pretexting banned
Privacy protection exceptions
   Disclosure to affiliates
       No notice required
       No ability to opt out
       Free information flow within entire “corporate
        family” - can be 1000+ companies, not all financial

   Joint marketing disclosure
       No notice required
       No ability to opt out
       Can flow all through the second “corporate family”
What is in a GLB Privacy
Notice?
   Clear, conspicuous, and accurate statement of the
    company's privacy practices
   What information the company collects about its
    consumers and customers
   With whom it shares the information
   How it protects or safeguards the information
   Applies to "nonpublic personal information"
Who Gets Notice?
   Have you seen a GLB notice?
   Have you read a GLB notice?
   Goes to all new customers
   Goes out annually to all customers
   Do notices get noticed?
   How does this compare to privacy indicators in
    web browsers?
Did GLB help?
Part I: More clarity
   [Figure: Completeness of Privacy Policies in the Random 30 banks. Percentage unknown, Pre-GLB (2000) vs. Post-GLB (2005), for Affiliate Sharing, Affiliate Disclosure, Affiliate Choice, Third Party Sharing, Third Party Disclosure, and Third Party Choice.]
Did GLB help?
Part II: Sharing alike
   [Figure: Information Shared with Affiliated Companies, 2000 vs. 2005, for the Top 10, Random 30, and Credit Card samples. Categories: All Information, Transactional Information, Do not share, Unclear.]
Did GLB help?
Part III: Joint market increase
   [Figure: Third party sharing + joint marketing (yes / no / unclear), 2000 vs. 2005, for the Top 10, Random 30, and Credit Card samples.]
Are notices readable?
   85% of adults have a high school degree
   25% have one or more college degrees
   Reading level usually three grade levels lower
   8th grade recommended for general population
   July, 2001: Privacy Rights Clearinghouse study, average
    is 15.6
   GLB legislated policies must be “reasonably
    understandable” yet policies are at college reading level
Are notices readable?

   [Figure: Readability of Privacy Notices. Readability (grade level) by year, 1999 to 2005, for the Top 10 banks and the Random 30 sample. Chart annotations: "GLB enacted", "July 2001".]
   Source: An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies, Steve Sheng and Lorrie Faith Cranor
What makes notices harder to
read?
   Complexity
     Long line length with lots of clauses
     Big words

   Jargon
       “But I don’t want to default”
   Legal writing
     When is the last time you read a contract for fun?
     Being informal can create legal liability

   Corporate incentive for “weasel words”
       Passive voice endemic
Privacy Mad Libs
   A "< X >" is a < Y > who has a
    "< X > relationship" with a financial
    institution. A "< X > relationship" is a
    continuing relationship with a < Y >.
   A "customer" is a consumer who has a
    "customer relationship" with a financial
    institution. A "customer relationship" is a
    continuing relationship with a consumer.
       Source: The Federal Trade Commission’s
        explanation of the Gramm-Leach-Bliley Act
Maybe it’s just the FTC…
   Perhaps it’s hard to write about writing policies but the
    policies themselves are clear and useable.
   Perhaps the FTC hired exceptionally bad staff.
Maybe it’s just the FTC…
   "An affiliate is a company we own or control, a company
    that owns or controls us, or a company that is owned or
    controlled by the same company that owns or controls us.
    Ownership does not mean complete ownership, but means
    owning enough to have control." (Seattle Savings Bank)
   "We share your non-public personal public information
    only with contractual safeguards to protect the
    confidentiality of your information." (UniTrust)
   "In the opt-out election, you will have the option of
    including or excluding the Credit Union from your opt-
    out election." (UniTrust)
Privacy Buzzword Bingo
Making GLB more useable
   Evolution of a Prototype Financial Privacy Notice: A Report
    on the Form Development Project (February 28, 2006,
    Kleimann Communications Group, Inc.)
   Six federal agencies’ project to do better
     Board of Governors of the Federal Reserve System, Federal Deposit
      Insurance Corporation, Federal Trade Commission, National Credit
      Union Administration, Office of the Comptroller of the Currency, and the
      Securities and Exchange Commission.
     Explore why consumers don’t read and understand privacy notices
     Develop notices that are easier for consumers to understand and use

   Phase I: complete
     8 test sites
     16 month iterative cycle for prototype

   Phase II: quantitative study to assess the prototype
Project Goals: Paper Prototype
   Comprehension. The prototype must enable consumers
    to understand the basic concepts behind the privacy
    notices and understand what to do with the notices. It
    must be clear and conspicuous as a whole and readily
    accessible in its parts.
   Comparison. The prototype must allow consumers to
    compare information sharing practices across financial
    institutions and to identify the differences in sharing
    practices.
   Compliance. The content and design of the alternative
    privacy notices must include the elements required by
    the GLBA and the affiliate marketing provision of the Fair
    and Accurate Credit Transactions Act.
Good design: necessary but not
sufficient
   Table design worked best
   Two page design with more details available for
    those who want them (definitions and GLB
    mandated notices)
   “We learned that we needed to include an
    educational component in the notice as consumers
    had no prior understanding of information sharing
    practices.”
Four Parts of the Design
   Title
   Frame
   Disclosure Table
   Opt-out Form
The Title
   Attract consumers’ attention so that they will read
    the notice
   Avoids inflammatory language
   Helps consumers understand that the information is
    from their own financial institution
   Their personal information is currently being
    collected and used by the bank
   Does not explicitly mention consumer rights
The Frame
   Problem: customers uninformed about financial
    privacy
   Need basic information about financial sharing
    practices to understand the notice
   The Frame provides context and supports the core
    information about a financial institution’s sharing
    practices
       Key frame: heart of ensuring comprehension
       Secondary frame: nice to have (FAQs, details, mandates)
The Disclosure Table
   Goals:
       Understand information about financial sharing policies and their
        personal information
       Can compare sharing practices across financial institutions
   Seven basic reasons a financial institution can
    share information
       What is being shared
       What can customers opt-out of
       Enables direct comparison between companies
The Opt-out Form
   On a separate page to make it easy to mail in
   Designed to help consumers understand how to
    opt-out
   Structured by type of sharing consumers can opt-
    out of
   Given the GLB: does this seem to do a good job?
Four testing methods
   Focus groups
      What a group of consumers thinks about privacy notices
      What they see as barriers to understanding them
      Do not tell the researcher what a consumer will actually do with a notice

   Preference testing
        In-depth one-on-one interviews
        Preferences for vocabulary, headings, notice components, and ordering
   Pretests
      Dry run of the diagnostic usability test
      Validates the methodology
   Diagnostic usability testing (structured + unstructured)
      how the individual participant actually works with a document
      elicits reaction to the information to target and diagnose problems
      iterative process; adjustment with successive test rounds
Lessons Learned: Focus Group
   People did not read the old style notices
       Type was too small, particularly for seniors
       Small font signaled unimportant information
       Important information was grey on black
       Four pages was too much to read
       Customers expect banks are trying to conceal information
   People believed that all privacy notices were the same
     Regulations mean uniformity
     Can change at any time so meaningless
     Did not understand there are opt-out choices
     Choose a bank for free checking and not privacy policies
Lessons Learned: Pretest
   Customers did not understand the purpose of
    notices
       In essence: wrong mental model
       Thought notice was requesting personal information
       Lacked context to understand the text
   Opt-out was confusing
       Unexpected
       Did not have the context to understand the choices
       Too much information
Lessons Learned: Pretest
“None of the designs worked”
 “In the end, it did not matter if we changed the test
 scenario, provided them with more time to ‘study’
 the information, or tutored them during the session.
 Participants had too little of their own context about
 financial sharing information to understand the
 content of the notices. Since they had no basis for
 or understanding of the information in the notices,
 the designs simply weren’t working in their current
 format or with their current content.”
Lessons Learned: Usability
Testing
   Customers do care what happens to their information
   Indicated they would read the new notices
   Understood why they got the notice and “much of” the
    content
   Recognized opt-out form as an action item
   Layout improved comprehension
   Word choice matters
   Could compare side-by-side policies
   Standardization can actually be confusing
Are we there yet?




In closing: Six meta-themes
   Keep it simple
   Good design matters
   Can design to avoid bias
   Whole-to-part design is critical
       “Without context, they understood virtually nothing”

   Standardization is effective
   Disclosure table is critical
Overview revisited:
We are here
   The Gramm-Leach-Bliley (GLB) Act
        Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation
         Through the Analysis of Privacy Policies
   Privacy text is hard
      Privacy Mad Libs example
      Privacy bingo cards

   Making GLB more useable
        Evolution of a Prototype Financial Privacy Notice
   What happens in practice?
        Privacy practices of Internet users:
         Self-reports versus observed behavior
   Privacy images are hard
        Privacy Pictionary / Time’s Up
Essential tension
   In survey after survey, people say they are very
    concerned about privacy and it is a decision
    making factor
   Other forms of data analysis suggest this is not
    true (log files, for instance)
   Is there a gap between what people say and what
    people do?
Four part study
    175 participants recruited via email and web in
    2005. No compensation. 45-60 minutes, topic
    known.
   Basic demographic survey
   Survey of privacy values and attitudes
   Knowledge test
   Pair-wise comparisons of privacy indicators
Basic demographic survey
   2/3rds in education
   More highly educated than Internet population (16.2 v.
    14.4 years of school)
   Self-selected
   More men than women (74% v. 26%)
       Women reported lower levels of computer expertise
   Comfortable with e-commerce and computers
   Installed software (38%) or taken other steps (43%) to
    protect online privacy
Survey of privacy values and
attitudes
   Motivation: was Westin right?
     Privacy fundamentalists
     Privacy pragmatists
     Privacy unconcerned

   Five questions on a five-point Likert-scale:
       I am concerned about online identity theft
       I am concerned about my privacy online
       I am concerned about my privacy in everyday life
       I am likely to read the privacy policy of an ecommerce site before buying
        anything
       Privacy policies accurately reflect what companies do
Knowledge test
   Perception gap: subjects over-report their understanding
    of privacy issues as well as willingness to act
   Tested knowledge of three areas:
     Cookies
     Web bugs
     P3P and third party cookies

   Asked to rate level of concern
   Asked why the technology matters (two correct, three
    incorrect reasons)
Knowledge test
                      Cookies    Web bugs    P3P
Claim knowledge         90%        35%       21%
False claim             85%        83%       75%
Overall knowledge       14%         5%        5%

Fundamentalists do not know more - they just worry more
Pair-wise comparisons of
privacy indicators




Twelve factors for decision
making
   Price
       20% discount = $5
   SSL indicator
   Use of 3rd-party cookies and P3P
       IE blocked cookie icon
   An email address
   A phone number
   A postal address
   TRUSTe privacy seal
   Credit card symbols
   Four different privacy policies:
       User centered - good
       User centered - bad
       Company centered - good
       Company centered - bad
Regression model of factors
1.    TRUSTe seal
2.    User centered - good policy
3.    Company centered - good policy
4.    Company centered - bad policy
5.    User centered - bad policy
6.    Phone number
7.    Address
8.    Price discount
9.    Credit card symbols
10.   SSL indicator
11.   Email address
Factors, a deeper look
   There is a preference for good policies over bad
   Under 30% of participants looked at the privacy policies
     Not much difference between Westin groups
     Policy itself serves as a trust mark

   TRUSTe dominates in part because people do not read
    privacy policies
       Even more significant for women
   Do subjects even see the P3P/third party cookie and SSL
    indicators? Or understand them?
   No fit at all for a regression model for Fundamentalists
Any questions before we play?
David Brin’s Happy World of Equals
Competing Views of
Online Privacy
   “Privacy is dead, deal with it”
       Scott McNealy, CEO of Sun Microsystems

   “My aim all along has been to suggest that the promoters
    of anonymity and secrecy are basing their zeal on
    untested assumptions and bear a burden of proof before
    we consign our destiny to their transcendental vision of
    salvation through encryption.”
       David Brin, The Transparent Society

   “A full-on privacy rebellion won't be pretty, it won't be
    non-violent and people will get hurt.”
       Brock N. Meeks, opinion piece for MSNBC