ShopWeather TechSports LifeMoney NewsHomepage

Inside Tech
 Talk Tech
 Web Column
 Hot Sites
 Tech News
 Tech Investor
 Tech Reviews
 Answer Desk
 Game Zone
 Daily Digest
 Shareware Shelf
 Web Potholes
 Web Resources
 Consumer Sites
 Tech Front


Print Edition

  Mobile News
  Site map
  About us
  Jobs at USA TODAY

Free premiums
  USA TODAY Update



06/07/00- Updated 07:50 PM ET


Privacy isn't public knowledge

Online policies spread confusion with legal jargon

By Will Rodger,

Most major Web sites now have privacy policies explaining how they collect and use personal information gathered from visitors. The government has long pushed for such policies, and companies hope that if sites post them voluntarily, Congress won't step in and pass restrictive privacy laws.

Expert wants to spread understanding

Mark Hochhauser, a psychologist from Golden Valley, Minn., has focused for more than 15 years on measuring the clarity of the written word.

Being a readability consultant may sound academic, but it has real-world implications few appreciate.

Subjects of medical experimentation, people who rent automobiles, employees in need of understandable rights in the workplace - all need language they can understand.

So where others obfuscate, Hochhauser, 53, elucidates.

"Historically, a lot of things were done to people without their permission," he says.

Now, large, well-funded organizations are dealing with individuals on the Internet. And again, the imbalance between companies whose operations are closed to outsiders and technologically naive consumers gives Hochhauser pause.

He got into the field in 1985 after he became concerned that AIDS prevention brochures were written in language most Americans could not understand. While at the University of Minnesota student health service, Hochhauser created a national stir at the annual meeting of the American Psychological Association when he showed that many brochures required the reading comprehension of a college sophomore - leaving most Americans out in the cold.

Hochhauser says that after analyzing the sites, he's convinced that most Web privacy policies don't do the job they claim to do. "You can say you have a privacy policy, but if no one understands it, it's pointless. It does something for the organization, but nothing for the consumer."

Few argue with the importance of disclosure. But do big Web sites want you to understand what they tell you? Maybe not, suggests an analysis by an independent expert for USA TODAY of the privacy policies of 10 major sites.

Many of the Web sites have been certified by industry bodies such as TRUSTe. But without exception, policies are ponderous, full of jargon or written so as to leave many surfers scratching their heads, says Mark Hochhauser, the psychologist and linguistics expert who analyzed the sites.

Every policy studied is written at a college level or higher, he says. And in a nation in which most people read at the 10th-grade level or below, that means a minority will understand the policies. "If you really don't want people to understand, write it in legalese and have it run on for four or five pages. People will say, 'To hell with it,' " he says.

Privacy policies began showing up on the Web four years ago, but many policies continue to be confusing because privacy is inherently complex.

"If you make it easy to read and simple, it often doesn't say much," says Ed Black, head of the Computer and Communications Industry Association. "If you get into details, it can become complicated."

But Robert Pitofsky, a lawyer for more than 50 years and chairman of the Federal Trade Commission, which monitors privacy online, says even he has difficulty. "Some sites bury your rights in a long page of legal jargon so it's hard to find them and hard to understand them once you find them," Pitofsky says. "Self-regulation that creates opt-out rights that cannot be found (or) understood is really not an acceptable form of consumer protection."

Pitofsky won't point fingers on the record, but examples aren't hard to find. A single sentence in the policy of HealthCentral, for instance, has 174 words.

"If the sentence is too long, you can't keep it in your short-term memory," Hochhauser says. That can happen with as few as 30 words, he adds. Word choice also is important; here, too, policies come up short. "Most people rely on a few hundred words in the course of their day. Why would the average person have a legal vocabulary?" he says.

In a few weeks, the FTC will release the results of its second audit of Web privacy policies. The agency will look at how many sites have privacy policies, as it did in 1998. But for the first time, it also will look at how hard the policies are to understand.

"These privacy policies are a consumer fraud" and violate federal law, says Joel Reidenberg, a professor of law at Fordham University and author of a seminal book on U.S. privacy law. "To provide a notice that most Americans cannot understand and argue that that is sufficient is utter nonsense."

All of the sites analyzed have been involved in privacy controversies, and all but two were among the 20 most visited sites on the Web, according to Media Metrix. The FTC is investigating three - HealthCentral, Yahoo! and DoubleClick - over complaints that they have violated users' privacy.

USA TODAY's exclusive daily users' guide to thriving online.

E-Briefing: The news behind the Net

Palm event explores post-PC world

Favorite characters crowd software shelves

'I Spy' a 'Poky Little Puppy,'other games

Study: No link between cell phones, cancer

Hunt for PlayStation 2 is a losing game

Waking up from dot-com dreams

3 strong challengers to ruling handheld

Browser boosters busted on privacy

Stanford goes back to its future
To understand the scope of the problem, consider the policy of Yahoo!, the Net's most visited site.

The policy, when printed out, takes eight pages. It has 3,405 words and 167 sentences. Some passages raise more questions than they answer. "As a general rule, Yahoo! will not disclose any of your personally identifiable information except when we have your permission or under special circumstances, such as when we believe in good faith that the law requires it or under the circumstances described below." But Yahoo! does not say what is required by law, let alone how it determines "good faith."

Hochhauser concedes that many consumers are used to dealing with fine print and legal language in contracts. Consumers also have a general idea of what to expect, and a long history of consumer law protects against many abuses.

But that is not the case on the Internet, privacy advocates say. Instead, consumers must wade through language drafted by high-priced lawyers.

"I'm not sure you can get a privacy policy down to the ninth-grade level," says Robert Gellman, a Washington, D.C., lawyer and privacy advocate who writes policies for commercial Web sites.

So what's the solution? "Laws," he says flatly. "We need laws to protect people's privacy."

Some sites let consumers opt out of being tracked, but that doesn't guarantee that other practices are user-friendly. Consider DoubleClick, which made headlines after a USA TODAY investigation reported it had begun tracking Net users' movements by name without permission. After weeks of controversy, DoubleClick said it would delay further implementation. The company remains under investigation by the FTC and at least four states.

DoubleClick's site discloses that users will be tracked by name when they visit the more than 11,000 sites with ads placed by the company. Double Click says it will do so only with your "permission." It doesn't tell you that it assumes it has permission unless you explicitly opt out.

Here's what you have to do:

rarrow.gif (64 bytes)Read the first 1,468 words of the policy.

rarrow.gif (64 bytes)Click on a link to another page.

rarrow.gif (64 bytes)Read 650 more words that tell you why you shouldn't opt out.

rarrow.gif (64 bytes)Click on a link to a third page.

rarrow.gif (64 bytes)Read 200 more words urging you once again not to opt out.

rarrow.gif (64 bytes)Click on a final link to opt out of the program.

"We take our privacy policy very seriously and work to make sure it is both easy to read and comprehensive," DoubleClick's Josh Isay says.

But policies may change at any time, and changes are not flagged. Unlike most contracts, the policies examined were not dated. The upshot: Visitors must reread a policy every time they visit a site.

"All of these policies can be boiled down to three simple words," says privacy advocate Jason Catlett of Junkbusters. "Subject to change."

Front page, News, Sports, Money, Life, Weather, Shop 
© Copyright 2001 USA TODAY, a division of Gannett Co. Inc.