Privacy by Notice

Visualizing privacy
Aleecia M. McDonald
Overview

The Gramm-Leach-Bliley (GLB) Act


Selected portions from An Evaluation of the Effect of US Financial Privacy
Legislation Through the Analysis of Privacy Policies
Privacy text is hard

Privacy Mad Libs example
 Privacy bingo cards

Making GLB more useable


What happens in practice?


Evolution of a Prototype Financial Privacy Notice
Privacy practices of Internet users: Self-reports versus observed behavior
Privacy images are hard

Privacy Pictionary / Time’s Up
What is the Gramm-Leach-Bliley
(GLB) Act?
Senator Gramm (R, Texas)
Representative Leach (R, Iowa)
Representative Bliley (R, Virginia)
Enacted November 12, 1999
Effective November 13, 2000
Not primarily privacy legislation



A.K.A. Financial Services Modernization Act of 1999
Modernization = Mergers
Financial services includes: banks, stock brokerage companies,
and insurance companies
Why does the GLB address
privacy?

New privacy concerns arise from future mergers


What happens when your mortgage company talks to your health
insurance company?
Existing privacy issues

November 1997, Charter Pacific Bank sold millions of credit card
numbers to an adult website company.
 1998, NationsBank shared information with affiliated stock brokerage.
Sold high-risk investments to senior citizens.
 1999 - 2000, Memberworks telemarketers. 19/25 top banks.

International issues

1995, the EU passed the Data Protection Directive.
 Initial Safe Harbor proposal did not include the financial industry.
Privacy provisions in GLB

Must store personal information securely
ensure security and confidentiality
 protect against anticipated threats
 protect against unauthorized access that could
substantially harm or inconvenience customers





Must give notice of policies about sharing personal
financial information
Must give option to opt-out of some sharing
No sale of specific data for marketing
Pretexting banned
Privacy protection exceptions

Disclosure to affiliates




No notice required
No ability to opt out
Free information flow within entire “corporate
family” - can be 1000+ companies, not all financial
Joint marketing disclosure



No notice required
No ability to opt out
Can flow all through the second “corporate family”
What is in a GLB Privacy
Notice?





Clear, conspicuous, and accurate statement of the
company's privacy practices
What information the company collects about its
consumers and customers
With whom it shares the information
How it protects or safeguards the information
Applies to "nonpublic personal information"
Who Gets Notice?


Have you seen a GLB notice?
Have you read a GLB notice?
Goes to all new customers
Goes out annually to all customers
Do notices get noticed?
How does this compare to privacy indicators in
web browsers?
Did GLB help?
Part I: More clarity
[Chart: Completeness of Privacy Policies in the Random 30 banks. Percentage Unknown, Pre-GLB (2000) versus Post-GLB (2005), for Affiliate Sharing, Affiliate Disclosure, Affiliate Choice, Third Party Sharing, Third Party Disclosure and Third Party Choice.]
Did GLB help?
Part II: Sharing alike
[Chart: Information Shared with Affiliated Companies. 2000 versus 2005 for the Top 10, Random 30 and Credit Card samples; categories: All Information, Transactional Information, Do not share, Unclear.]
Did GLB help?
Part III: Joint market increase
[Chart: Third party sharing + joint marketing. 2000 versus 2005 for the Top 10, Random 30 and Credit Card samples; categories: yes, no, unclear.]
Are notices readable?






85% of adults have a high school degree
25% have one or more college degrees
Reading level usually three grade levels lower
8th grade recommended for general population
July, 2001: Privacy Rights Clearinghouse study, average
is 15.6
GLB legislated policies must be “reasonably
understandable” yet policies are at college reading level
Are notices readable?
[Chart: Readability of Privacy Notices. Readability (Grade Level) by year, 1999 to 2005, for the Top 10 banks and the Random 30 Sample, with markers for "GLB enacted" and "July 2001".]
Source: An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies, Steve Sheng and Lorrie Faith Cranor
What makes notices harder to
read?

Complexity
Long line length with lots of clauses
 Big words


Jargon


“But I don’t want to default”
Legal writing
When is the last time you read a contract for fun?
 Being informal can create legal liability


Corporate incentive for “weasel words”

Passive voice endemic
Privacy Mad Libs

A "< X >" is a < Y > who has a
"< X > relationship" with a financial
institution. A "< X > relationship" is a
continuing relationship with a < Y >.
A "customer" is a consumer who has a
"customer relationship" with a financial
institution. A "customer relationship" is a
continuing relationship with a consumer.
Source: The Federal Trade Commission’s
explanation of the Gramm-Leach-Bliley Act
Maybe it’s just the FTC…


Perhaps it’s hard to write about writing policies but the
policies themselves are clear and useable.
Perhaps the FTC hired exceptionally bad staff.
"An affiliate is a company we own or control, a company
that owns or controls us, or a company that is owned or
controlled by the same company that owns or controls us.
Ownership does not mean complete ownership, but means
owning enough to have control." (Seattle Savings Bank)
"We share your non-public personal public information
only with contractual safeguards to protect the
confidentiality of your information." (UniTrust)
"In the opt-out election, you will have the option of
including or excluding the Credit Union from your
opt-out election." (UniTrust)
Privacy Buzzword Bingo
Making GLB more useable


Evolution of a Prototype Financial Privacy Notice: A Report
on the Form Development Project (February 28, 2006,
Kleimann Communications Group, Inc.)
Six federal agencies’ project to do better




Board of Governors of the Federal Reserve System, Federal Deposit
Insurance Corporation, Federal Trade Commission, National Credit
Union Administration, Office of the Comptroller of the Currency, and the
Securities and Exchange Commission.
Explore why consumers don’t read and understand privacy notices
Develop notices that are easier for consumers to understand and use
Phase I: complete

8 test sites
 16 month iterative cycle for prototype

Phase II: quantitative study to assess the prototype
Project Goals: Paper Prototype



Comprehension. The prototype must enable consumers
to understand the basic concepts behind the privacy
notices and understand what to do with the notices. It
must be clear and conspicuous as a whole and readily
accessible in its parts.
Comparison. The prototype must allow consumers to
compare information sharing practices across financial
institutions and to identify the differences in sharing
practices.
Compliance. The content and design of the alternative
privacy notices must include the elements required by
the GLBA and the affiliate marketing provision of the Fair
and Accurate Credit Transactions Act.
Good design: necessary but not
sufficient



Table design worked best
Two page design with more details available for
those who want them (definitions and GLB
mandated notices)
“We learned that we needed to include an
educational component in the notice as consumers
had no prior understanding of information sharing
practices.”
Four Parts of the Design




Title
Frame
Disclosure Table
Opt-out Form
The Title





Attract consumers’ attention so that they will read
the notice
Avoids inflammatory language
Helps consumers understand that the information is
from their own financial institution
Their personal information is currently being
collected and used by the bank
Does not explicitly mention consumer rights
The Frame



Problem: customers uninformed about financial
privacy
Need basic information about financial sharing
practices to understand the notice
The Frame provides context and supports the core
information about a financial institution’s sharing
practices


Key frame: heart of ensuring comprehension
Secondary frame: nice to have (FAQs, details, mandates)
The Disclosure Table

Goals:



Understand information about financial sharing policies and their
personal information
Can compare sharing practices across financial institutions
Seven basic reasons a financial institution can
share information



What is being shared
What can customers opt-out of
Enables direct comparison between companies
The Opt-out Form




On a separate page to make it easy to mail in
Designed to help consumers understand how to
opt-out
Structured by type of sharing consumers can opt-out of
Given the GLB: does this seem to do a good job?
Four testing methods

Focus groups

What a group of consumers thinks about privacy notices
 What they see as barriers to understanding them
 Do not tell the researcher what a consumer will actually do with a notice

Preference testing

In-depth one-on-one interviews
 Preferences for vocabulary, headings, notice components, and ordering

Pretests

Dry run of the diagnostic usability test
 Validates the methodology

Diagnostic usability testing (structured + unstructured)

how the individual participant actually works with a document
 elicits reaction to the information to target and diagnose problems
 iterative process; adjustment with successive test rounds
Lessons Learned: Focus Group

People did not read the old style notices






Type was too small, particularly for seniors
Small font signaled unimportant information
Important information was grey on black
Four pages was too much to read
Customers expect banks are trying to conceal information
People believed that all privacy notices were the same

Regulations mean uniformity
 Can change at any time so meaningless
 Did not understand there are opt-out choices
 Choose a bank for free checking and not privacy policies
Lessons Learned: Pretest

Customers did not understand the purpose of
notices




In essence: wrong mental model
Thought notice was requesting personal information
Lacked context to understand the text
Opt-out was confusing



Unexpected
Did not have the context to understand the choices
Too much information
Lessons Learned: Pretest
“None of the designs worked”
“In the end, it did not matter if we changed the test
scenario, provided them with more time to ‘study’
the information, or tutored them during the session.
Participants had too little of their own context about
financial sharing information to understand the
content of the notices. Since they had no basis for
or understanding of the information in the notices,
the designs simply weren’t working in their current
format or with their current content.”
Lessons Learned: Usability
Testing








Customers do care what happens to their information
Indicated they would read the new notices
Understood why they got the notice and “much of” the
content
Recognized opt-out form as an action item
Layout improved comprehension
Word choice matters
Could compare side-by-side policies
Standardization can actually be confusing
Are we there yet?
In closing: Six meta-themes




Keep it simple
Good design matters
Can design to avoid bias
Whole-to-part design is critical



“Without context, they understood virtually nothing”
Standardization is effective
Disclosure table is critical
Overview revisited:
We are here

The Gramm-Leach-Bliley (GLB) Act


Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation
Through the Analysis of Privacy Policies
Privacy text is hard

Privacy Mad Libs example
 Privacy bingo cards

Making GLB more useable


What happens in practice?


Evolution of a Prototype Financial Privacy Notice
Privacy practices of Internet users:
Self-reports versus observed behavior
Privacy images are hard

Privacy Pictionary / Time’s Up
Essential tension



In survey after survey, people say they are very
concerned about privacy and it is a decision
making factor
Other forms of data analysis suggest this is not
true (log files, for instance)
Is there a gap between what people say and what
people do?
Four part study




175 participants recruited via email and web in
2005. No compensation. 45-60 minutes, topic
known.
Basic demographic survey
Survey of privacy values and attitudes
Knowledge test
Pair-wise comparisons of privacy indicators
Basic demographic survey




2/3rds in education
More highly educated than Internet population (16.2 v.
14.4 years of school)
Self-selected
More men than women (74% v. 26%)



Women reported lower levels of computer expertise
Comfortable with e-commerce and computers
Installed software (38%) or taken other steps (43%) to
protect online privacy
Survey of privacy values and
attitudes

Motivation: was Westin right?

Privacy fundamentalists
 Privacy pragmatists
 Privacy unconcerned

Five questions on a five-point Likert-scale:





I am concerned about online identity theft
I am concerned about my privacy online
I am concerned about my privacy in everyday life
I am likely to read the privacy policy of an e-commerce site before buying
anything
Privacy policies accurately reflect what companies do
Knowledge test


Perception gap: subjects over-report their understanding
of privacy issues as well as willingness to act
Tested knowledge of three areas:

Cookies
 Web bugs
 P3P and third party cookies


Asked to rate level of concern
Asked why the technology matters (two correct, three
incorrect reasons)
Knowledge test
                     Cookies   Web bugs   P3P
Claim knowledge      90%       35%        21%
False claim          85%       83%        75%
Overall knowledge    14%       5%         5%
Fundamentalists do not know more - they just worry more
Pair-wise comparisons of
privacy indicators
Twelve factors for decision
making

Price
 20% discount = $5
SSL indicator
Use of 3-party cookies and P3P
 IE blocked cookie icon
An email address
A phone number
A postal address
TRUSTe privacy seal
Credit card symbols
Four different privacy policies:
 User centered - good
 User centered - bad
 Company centered - good
 Company centered - bad
Regression model of factors
1. TRUSTe seal
2. User centered - good policy
3. Company centered - good policy
4. Company centered - bad policy
5. User centered - bad policy
6. Phone number
7. Address
8. Price discount
9. Credit card symbols
10. SSL indicator
11. Email address
Factors, a deeper look


There is a preference for good policies over bad
Under 30% of participants looked at the privacy policies

Not much difference between Westin groups
 Policy itself serves as a trust mark

TRUSTe dominates in part because people do not read
privacy policies



Even more significant for women
Do subjects even see the P3P/third party cookie and SSL
indicators? Or understand them?
No fit at all for a regression model for Fundamentalists
Any questions before we play?
David Brin’s Happy World of Equals
Competing Views of
Online Privacy

“Privacy is dead, deal with it”
Scott McNealy, CEO of Sun Microsystems

“My aim all along has been to suggest that the promoters
of anonymity and secrecy are basing their zeal on
untested assumptions and bear a burden of proof before
we consign our destiny to their transcendental vision of
salvation through encryption.”
David Brin, The Transparent Society

“A full-on privacy rebellion won't be pretty, it won't be
non-violent and people will get hurt.”
Brock N. Meeks, opinion piece for MSNBC