identity Your Privacy

Meaningful Consent and Information Sharing Standard Label

Nat 2012-06-21 Comment

When you use services like Facebook or Google, do you read their terms of use and privacy policies carefully?

I haven't read them. Well, I've read Facebook and Google's. But I haven't read most of the others. I went there because I wanted to use the service, so there's no way I'm going to read dozens of pages of terms and conditions.

The service provider must be well aware that customers will not read them, so it is highly questionable whether consent in this case is meaningful.

This situation is unfortunate for both service providers and users.

As one answer to this problem Kantara Initiative Of Information Sharing Work Group The specifications being considered are:Standard Information Sharing LabelThis is an attempt to express what is shared for the sake of convenience, and how, in a "standardized" form, like the labeling of food ingredients.

The Nutrition Facts Label for American foods looks like this:

(Source) http://en.wikipedia.org/wiki/Nutrition_facts_label

This way you can see at a glance, "Oh, there's 12g of fat in this food."

Information sharing standard labels are also displayed in the same way.

Information Sharing Standard Label

The recipient of the information is seeking to obtain your information for the following purposes:
Acquirer Facebook (http://www.facebook.com/)
Acquired information Status Update [take a look]
Source Status updates from this web page
When acquired When you press the "Submit" button
purpose of use 1. To share the situation with friends.
2. To display customized advertising to you.
Expiration date Until all original data and shares are deleted
Disclosure destination Applications that use your and your friends' timelines and Facebook's OpenGraph API and have read_stream permission.
Additional conditions
Master Agreement April 2011, 4 https://www.facebook.com/legal/terms
Third-party evaluation score Example Ratings 4.3/5 (2011/11/4)
Change of terms With some exceptions, changes are made after 7 days of notice.

(source)Joe Andrew “Standard Information Sharing Label” Translated and adapted on this site based on

This is still difficult, but at least it's much better than reading a lengthy contract.

He said he wants to make the design even cooler. (Recently, there was a fundraiser on Kickstarter to commission a designer, but it was canceled because it only raised about 50 yen... Are there any designers who would like to do a Japanese version for Loha?)

In addition, anyone can join the Kantara Initiative Information Sharing Working Group, where the actual work is being carried out. If you are interested, why not give it a try?

 Trying to apply it in practice

Let's take an example of a certain company and apply it to practice.

Information Sharing Standard Label

The recipient of the information is seeking to obtain your information for the following purposes:
Acquirer XXX Co., Ltd.
Acquired information
  1. Items to be filled in on the "Customer Registration Application Form" and ▽ Items to be registered when applying for a login ID (including any requested changes) Name, gender, date of birth, address, telephone number, email address, etc.
  2. Usage history of points programs at participating companies
  3. ▽Login ID and ▽Card suspension/cancellation status and other matters related to cases in which the Company may take measures to suspend or expel you
  4. Information regarding the allocation or use of points
  5. credit card number
  6. Other descriptions or individual numbers, symbols or other codes
  7. Anything that can identify an individual through image or voice
  8. Service usage details
  9. When you access the site, the type and version of your browser, operating system, platform, etc., as well as your service usage history, including browsing history and purchase history, are automatically acquired.
  10. Contact information
  11. The IP address used when the member's computer connects to the Internet, and contract terminal information when accessing from a mobile terminal
  12. Location information from mobile devices
  13. All information you provide when using a new service

[See it in action]
Source
  1. Membership application form
  2. ▽Point presentation terminal and ▽Login ID input destination
  3. ▽Analysis database of member information related to point services
When acquired
  1. When applying for membership
  2. When a member enters their login ID or presents their card at a participating company in the point program to use the point service.
  3. When analyzing member lifestyles
purpose of use
  1. ▽To smoothly operate the member services (including the point program) represented by the items described in Article 1, Paragraph 2, which are provided by entering your login ID or presenting your card.
  2. To transfer to a successor program and carry out related business in the event of changes to the point program, etc.
  3. To analyze members' lifestyles
  4. To provide members with various product and service information and other business information or information based on an analysis of the member's lifestyle or that the Company deems appropriate, via various notification methods including email
  5. To respond appropriately to inquiries, complaints, etc. from members
  6. For other purposes similar to or closely related to the above purposes of use
Expiration date Until the member cancels their membership. However, personal information may still be used for the purposes listed in Purpose of Use 5 above even after the member cancels their membership.
Disclosure destination
  • Consolidated companies and equity method affiliates
  • Points program participating companies (List

With regard to joint use for the above purposes, our company will be the entity responsible for managing personal data.
Additional conditions
Master Agreement Dated October 2011, 10 http://www.example.com/member/agreement/
Third-party evaluation score Example Ratings 4.3/5 (2011/11/4)
Change of terms The revised terms will be posted on our website with at least one day's notice. After the notice period has elapsed, the revised terms will apply.

Well, it's easier to understand than reading the contract. Also, looking at it like this, I think it's easier to see the problems. It depends on the person, but I would generally hesitate to agree to the above for the following reasons.

  1. Too many disclosures: The joint users are listed as "participating companies in the points program." I have heard that this company does not actually share information before k-anonymization, but according to the regulations, raw data can be shared. If that is the case, there are too many recipients. Also, if it is considered as a standard label, I think that the main company names and the total number of companies should be listed. As of June 2012, 6, it appears that it is available at 20 brands and 134 stores.
  2. The number of disclosure destinations is increasing: The joint users are "points program participating companies." This is expected to increase in the future. Even if there are companies among them that I do not want to be disclosed, there is a possibility that they will be disclosed without my knowledge.
  3. Too much information revealed: Since I am a shared user, all of my information may be disclosed. Also, my actions at multiple companies may be tracked, and lifestyle analysis may be used to create a profile of me that I may not want, which may then be shared among shared users. It may be possible to control this by creating multiple ▽ cards, but I'm not sure. It would be a little reassuring if it was explicitly stated what is provided...
  4. Change of terms: The notice period for changes to the terms is one day, and the notice is posted on the company's website (← I probably won't go there, so I won't know), and the contents of the changed terms will apply. Google, which I will talk about later, can make changes at any time, but any changes that are detrimental to the user require explicit consent.
  5. No expiration date: It is limited to responding to inquiries, but it seems that the information will never be deleted. I think it should be deleted after a certain period of time. For example, credit information agencies for credit cards set the period to 18 months.

Google Example

Next, let's look at an example from Google, which is famous for being easy to understand. I've paraphrased Google's privacy policy based on my own understanding. Does it make it any easier to understand?

Information Sharing Standard Label

The recipient of the information is seeking to obtain your information for the following purposes:
Acquirer Google Inc.
Acquired information
  • When registering a Google account Name, email address, phone number, credit card, photo [See it in action]
  • Information collected when you use our services
    • 端末 情報
    • Server log information
      • Details about your use of Google services, such as your search keywords
      • Telephone log information (such as your phone number, the phone number of the person you called, forwarding phone numbers, the date and time of the call, the duration of the call, SMS routing information, and the type of call)
      • Internet Protocol Address
      • Device event information (such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request, and referring URL)
      • Cookies that can identify your browser or your Google account
    • Current location information
    • Unique Application Number
    • Cookies and Anonymous IDs
Source
  1. Google Account Registration Form
  2. When using the service
  3. Google account and Google+ registration information
  4. Sites using Google Analytics
When acquired
  1. When registering a Google account
  2. When using various Google services
  3. When you visit a site that uses Google Analytics
  4. When you visit a site that displays Google ads
purpose of use
  1. To provide, maintain, protect, and improve our Services, develop new Services, and protect Google and our users.
  2. To provide you with customised content (such as providing you with more relevant search results and ads)
  3. To display your name and other profile information across all Google services that require a Google Account
  4. To help resolve any issues you may have
  5. To improve your user experience and the overall quality of our services
Expiration date Until you delete it, which we will do free of charge, unless it would require a disproportionate technical effort (such as developing new systems or fundamentally modifying existing methods), would jeopardize the privacy of others, or would be extremely impractical (such as requests for information on backup tapes).
Disclosure destination
  • With whom you share information
Additional conditions
  • When we tailor ads for you, we don't associate cookies or anonymous identifiers with sensitive categories, such as race, religion, sexual preference or health.
  • We understand that privacy concerns are different for everyone. We aim to be transparent about the information we collect, and to give you the ability to make choices about how it's used. For example, you can:
    • Use the Google Dashboard to collect certain information associated with your Google Account.Review and manage
    • Use the Ads Preferences Manager to manage your ad viewing preferences, including your interest categories.View and editYou may also choose not to use some of our advertising services.
    • Use Google's editorYou can review and change the way your Google profile is displayed to specific people.
    • With whom you share informationManagementAvailable
    • From many Google servicesExtracting information

    You can set your browser to block all cookies, including those associated with Google services, or to indicate when a cookie is set by Google. However, please note that many of our services may not function properly if you disable your cookies - for example, we will not be able to remember your language preferences.
Master Agreement Dated October 2011, 10 http://www.example.com/member/agreement/
Third-party evaluation score Example Ratings 4.3/5 (2011/11/4)
Change of terms From time to time, but we will not make any changes that reduce your rights unless we obtain your consent.

What do you think? It's a bit tricky because the original is very easy to understand, but I think it's great that it makes it easier to make side-by-side comparisons.

Future tasks

When we apply this to real-life examples, we can see various issues. For example, in the case of Google, the problem of the so-called "As if owner provision" that is included in the terms of use rather than the privacy policy is not clear. The "As if owner" provision allows Google to act as if it were the owner of content uploaded by users. Here is a quote:

Some parts of the Service allow users to submit content. You retain any intellectual property rights you may have in that content - what's yours is still yours.

When you upload or otherwise provide content to a Service, you grant Google (and third parties working with Google) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as derivative works resulting from Google's translation, conversion, or other changes to make your content work better with the Service), transmit, publish, publicly perform, publicly display, and distribute that content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving the Service and developing new ones. This license continues even if you stop using the Service (for example, a business listing you added to Google Maps). Some Services may provide you with a way to access and remove content you have provided to that Service. In addition, some Services have rules or settings that narrow the scope of Google's use of content provided to that Service. Make sure you have the necessary rights to grant this license to Google for the content you provide to the Service.

 You can find more information about how Google uses and stores content in the Google Privacy Policy or additional terms for specific Services. If you submit feedback or suggestions about the Services, Google may use that feedback or suggestions without any obligation to you. (Source:http://www.google.com/intl/ja/policies/terms/)
 The first paragraph says, "You own what you own," but the second paragraph gives Google a permanent license, which is almost all copyright. In other words, the first and second paragraphs together mean that users can continue to use it freely, but Google can use it as well. However, in the case of Google, the purpose of use is limited to providing the service in question [1]. Furthermore, privacy-related information is overwritten by the privacy policy. The standard label above does not yet express this. It is a future challenge.

 

[1] In the case of Facebook, this restriction does not seem to exist. "For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. It's supposed to be controllable with Privacy and application settings, but "unless your content has been shared with others, and they have not deleted it." has quite an effect, and it seems like there's no control over what has been set to Public. Is there anyone who can look into this in more detail?

1 Response to "Meaningful Consent and Information Sharing Standard Label"

  1. Pingback: Meaningful Consent Part 2 – ToS-DR Project: .Nat Zone

Leave a comment

This site uses Akismet to reduce spam.For details of how to process comment data, please click here.