Danger: Privacy Agreements

Good privacy agreements strengthen enterprise IT, but they're hard to find and careful scrutiny is needed.

Users leveraging online services as part of their work sign privacy agreements all the time. In the process, theyre often agreeing to the installation of adware and spyware, not to mention setting the stage for increased spam.

To see what IT administrators are up against—and to provide some recommendations for mitigating the potential consequences of hitting the "I agree" button—eWEEK Labs looked at privacy agreements from some of the biggest online services. These included financial sites, media players, newspapers and auction sites.

Privacy agreements—not to be confused with EULAs (end-user license agreements)—spell out exactly what information is collected by a Web site and how that information can be shared, sold, reused and stored. Many times the privacy agreement provides its own "Ive read and understand" button that must be clicked to use a Web site.

But reading and understanding these agreements is not a simple process. To use RealNetworks Inc.s RealPlayer to view videos or listen to presentations, for example, users must read and agree to a hefty 11,495-word privacy statement. Microsoft Corp.s MSN requires that users sign off on a 6,000-word privacy statement.

Privacy agreements are driven in large part by a Federal Trade Commission code requiring that commercial services not be deceptive, but the privacy agreements themselves vary widely in content. Even privacy statements from the same company often vary depending on the services a user selects. For example, "Privacy & American Business," a newsletter published by the nonprofit Center for Social and Legal Research, maintains a sample database of nearly 200 privacy agreements.

The still-evolving paradigm of doing business on the Web is also affecting privacy agreements. The privacy policy at the New York Times Web site (www.nytimes.com), for example, states: "These guidelines have been developed with the recognition that Internet technologies are rapidly evolving, and that underlying business models are still not established. Accordingly, guidelines are subject to change."

Based on our evaluation of myriad privacy agreements, we recommend that IT managers stringently review the privacy and license agreements of the services used in their organization.

We also urge IT staffers to educate users about selective agreement—that is, reviewing the agreement to see if they must opt out of future marketing or automatic software installation "opportunities."

When vetting privacy agreements, IT managers must look closely for any language that will allow for information to be collected. Almost every agreement we examined allowed for cookies and Web beacons to be used to gather information about user activity on the Web site.

IT managers must also identify whether the agreement states that additional software can be installed or configuration changes can be made on a users system. In our "ideal privacy agreement," we dont include any provision for the installation or reconfiguration of user machines. Installation and reconfiguration options should be covered in the license agreement of a product or service, not buried in a privacy statement.

Deploying browsers with carefully preconfigured privacy settings can also help keep users from getting into trouble while conducting business on the Web. Most browsers, for example, support the World Wide Web Consortiums P3P (Platform for Privacy Preferences Project), a standard way for Web sites to communicate their privacy practices.

Adding significantly to the complexity of privacy agreements are the relationships among service providers. For example, the Kazaa Media Desktop from Sharman Networks Ltd. comes with a software component called the Gain AdServer from Gain Publishing. Sharman makes it clear in its privacy agreement that it has no responsibility or control over the Gain AdServer software or Gains data collection practices.

Privacy agreements may become more uniform, and thus easier to understand, because of action in the European Union. Earlier this month, the EU committee of data privacy commissioners issued guidelines that were adopted in November to make corporate privacy statements easier to grasp and compare.

Although it remains to be seen if the EU guidelines will actually streamline corporate policy statements (for example, even determining which country had jurisdiction over privacy disputes was a complex process in itself), the work is a step in the right direction.

Martin Abrams, executive director of the Center for Information Policy Leadership, a group that facilitated work that led to the EUs adoption of privacy guidelines, is hopeful. During an interview with eWEEK Labs, he said, "Much of what IT managers may expect to see in the future are layered privacy notices that are much more uniform and easier to understand."

Untangling the webs that are privacy agreements will be no easy task—the privacy agreement for MSN alone links to nine other Microsoft privacy agreements. However, the time, money and headaches saved will be well worth it.

Labs Technical Director Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.