Promises, promises: what information is being shared with third parties?

If you read a bunch of privacy policies in a row, they all start to sound the same.  They all seem to collect a whole lot of information from you, whether or not they call it “personal,” and they all seem to have similar reasons for doing so.  The most common are:

• To provide services, including customer service
• To operate the site/ensure technical functioning of the site
• To customize content and advertising
• To conduct research to improve services and develop new services.

They also list the circumstances in which data is shared with third parties, the most common being:

• To provide information to subsidiaries or partners that perform services for the company
• To respond to subpoenas, court orders, or legal process, or otherwise comply with law
• To enforce terms of service
• To detect or prevent fraud
• To protect the rights, property, or safety of the company, its users, or the public
• Upon merger or acquisition.

After awhile, you can almost get lulled into believing these are all just very standard, normal uses of your information.The policies generally use language that makes it all seem very reasonable.  “Customize” advertising sounds a lot better than “targeted” advertising.  Who wants to be a “target”?  New York Times Digital even assures its readers that print subscribers’ information will be sold to “reputable companies” that offer marketing info or products through direct mail, which sounds wonderfully quaint.But what I find most interesting is the way many companies admit that they do share information with third parties.It's probably a surprise to many Americans, as a recent survey found that a majority of Californians think that when a company merely has a privacy policy, that means the company doesn’t share its users’ information with third parties.  Clearly, most of these people have never actually read a privacy policy, but even if they had, they wouldn’t necessarily be enlightened about what kind of information is being shared.Most policies begin their discussion of information-sharing with a declaration that they don’t share information with third parties, with certain exceptions.  Yahoo states, “Yahoo! does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you've requested, when we have your permission, or under the following circumstances.”  Microsoft: “Except as described in this statement, we will not disclose your personal information outside of Microsoft and its controlled subsidiaries and affiliates without your consent.”  Google’s construction is slightly different, but when it states the circumstances in which it shares information, the first circumstance is, “We have your consent. We require opt-in consent for the sharing of any sensitive personal information.”The crucial issue, then, is how “personal information” is defined.  And as I described in my last blog post, the definition of “personal information” varies widely from company to company.  When the definition can vary so much, the promise not to share “personal information” isn’t an easy one to understand.For example, Google’s promise not to share “sensitive personal information”: it’s “information we know to be related to confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality and tied to personal information.”  Does that mean that my search queries for B-list celebrities are fair game?Given the varying definitions of “personal” that are used, the strong declaration that my “personal information” will generally not be shared is not, ultimately, a very comforting one.  At the same time, many of these companies admit that they will share “aggregate” or “anonymous” information collected from you.  But they don’t explain what they’ve done to make that information “anonymous.”  As we know from AOL’s debacle, a company’s promise that information has been made anonymous is no guarantee that it’ll stay anonymous.In this context, it’s interesting that Ask Network explicitly lists what it is sharing with third parties, so you don’t have to figure out what they consider personal and not personal:

(a) your Internet Protocol (IP) address; (b) the address of the last URL you visited prior to clicking through to the Site; (c) your browser and platform type (e.g., a Netscape browser on a Macintosh platform); (d) your browser language; (e) the data in any undeleted cookies that your browser previously accepted from us; and (f) the search queries you submit. For example, when you submit a query, we transmit it (and some of the related information described above) to our paid listing providers in order to obtain relevant advertising to display in response to your query. We may merge information about you into group data, which may then be shared on an aggregated basis with our advertisers.

Ask Network also goes on to promise that that third-parties will not be allowed to “make” the information personal, explicitly acknowledging that the difference between personal and not-personal is not a hard, bright line.We at CDP don’t really care whether IP addresses are included in the “personal information” category or not.  What we really want to see are honest, meaningful promises about user privacy. We would like to see organizations offer choices to users about how specific pieces of data about them are stored and shared, rather than simply make broad promises about “personal information,” as defined by that company.  It may turn out that “personal” and “anonymous” are categories that are so difficult to define, we’ll have to come up with new terminology that is more descriptive and informative.Or companies will end up having to do what Wikipedia does: honestly state that it "cannot guarantee that user information will remain private."