On 5 Sep 2012, at 17:59, S Moonesamy <sm+i...@elandsys.com> wrote: > Hi Mark,
Hi, > At 15:56 04-09-2012, Mark Lizar wrote: >> I think it would be a mistake to blame the target audience for a lack of >> mature understanding of the problem. In fact, I think the audience has an >> incredible understanding of the problems. People can understand how much >> privacy practices impact them physically at the moment (immediately) and >> respond accordingly. Is expecting more from people too much to expect? It >> is the integrity of the consent mechanisms at offer, their lack of >> continuing context or meaningfulness that might be more worthy of >> responsibility. > > The wording could have been improved but then it discourages lightweight > discussion. I didn't read it as blaming the target audience. I'll put it > another way. The target audience might not be that interested in a > discussion about "informed consent" but they do have an understanding of what > they would not like to see. People are expected to make a split-second > decision; i.e. it should be easy for the person to make the decision. Again, this expectation is not only un-realistic but grossly disproportionate to the quality and usability of privacy notices and associated policies online. This is a very good point. People are 'expected' to make split second decisions. This is one of many unrealistic expectations, especially considering the content, language, format, and implications of the polices, contracts and terms. Expectations are high and blatantly unrealistic, considering children, non-english speaking, non-technical, non-legal, disabled, partially literate, busy, emotional people 'need' to use these notices. In many cases it will never be easy for people to make these decisions. Frankly, it should be easy to change ones mind, exercise privacy rights and manage informed consent from a personally controlled technical architecture. Privacy is a public facility, it needs to be enabled so that consent can be managed depending on context, without such a facility these policies and notices are not meaningful. It is in a-context that people have privacy considerations to manage. It is my opinion that privacy policies and related notices, which we are subjected to today, are still those of the industrial age. (not what should be 'expected' in the information age) For example, I can be tracked online and be served custom advertising, real time, yet it is still the law in all jurisdictions that (if a company requires it) I need to provide a written notice to manage my informed consent, gain access to my data, stop the use of my profile etc. These request can take weeks, even months. > >> Perhaps achieving informed consent should be looked upon as an iterative >> process? At the moment we have a one time policy (consent) infrastructure >> based on (or to facilitate) contracts of adhesion (TOS, EULA etc), in which >> informed consent is most often no-longer informed as soon as the service (or >> even the service user) evolves the use of the service. (online informed >> consent lacks real meaning) > > "Privacy policies usually end up as disclaimers of liability instead > of policies aimed at protecting privacy." > It is a marvel that information technology, social platforms and the like have advanced so incredibly far in the last 5 years, yet privacy policies and their use with Terms Of Service, EULA's, etc have remained largely the same. What's more, even though openness is a prinicple found amongst most (all) iterations of privacy principles, privacy policies online are ad-hoc and still very closed. At the most basic, they have no common technical location, no common format or structure. Fundamentally, privacy policies should provide clear open and independent access to basic privacy rights that are found in privacy legislated jurisdictions. Policies should be very open, independently accessible, automatically found, and systematically usable. Yet they are not. ( a lawyers dream) > A person might not remember all the details of what he/she consented to after > a while. It may be easier for the person if the consent request is > contextual. That doesn't mean flooding the person with questions as it turns > into an automated yes (or no). A person should be able to, with one click, withdraw consent from all the services they are connected to. Privacy should not only be a default, it should be a fundamental pre-requisite. (IMHO) Thanks for the opportunity to rant. > > Regards, > S. Moonesamy Kind Regards, Mark
_______________________________________________ ietf-privacy mailing list ietf-privacy@ietf.org https://www.ietf.org/mailman/listinfo/ietf-privacy
