We lie every time we “accept” terms that we haven’t read — a pro forma behavior that is all but required by the calf-cow model of the Web that’s prevailed since 1995. We need to change that. And so we are.
StandardLabel.org is working on “A clear, consistent way for websites to say what they do with the data they share, before we share it.” While its recent Kickstarter campaign came up a bit short, the work continues. Here is one (prototypical) way that label might look:
(The actual image I wanted there was this one, but heard it wasn’t showing up in all browsers, so I went with the one above.)
The StandardLabel folks also have a survey, which I recommend taking.
CommonTerms intends “to solve the problem of non-accessible online legal texts in a way similar to how Creative Commons made different copyright licenses accessible,” adding, “We thought that by analyzing existing agreements, we could identify the most common terms, and then create icons to symbolize them.” Background:
The CommonTerms project is coordinated by Metamatrix AB andsponsored by Internetfonden.se…
The project is a result of a session on “sustainable web development” by Pär Lannerö and Thomas Bjelkeman at the Sweden Social Web Camp, in August 2010.
Their prototype, focused on icons, stars Pär and looks like this:
Par and Lars-Erik Jakobsson (icon), Gregg Bernstein, Carl Törnquist, Hanna Arkestål, Max Walter, Mattias Aspelund, Anders Carlman have since added BiggestLie.com, source of the image at the top of this post, plus this one here, which I just earned:
The idea is to start getting real about what we’re all doing and not doing.
What we’re doing is lying: i.e. agreeing not only to what we don’t read, but to the rotted status quo of which one-sided non-agreements are a part. What we’ve not been doing for most of the last 17 years is solving the problem.
But, thanks to the work above (plus whatever I’ve missed), we are doing some things. So are PDEC.cc and companies like Personal. Other work is happening with personal clouds. (PDEC is on that case too.) Aza Raskin‘s Privacy Icons are an effort in this same direction. (CommonTerms has a longer list.)
Still, looks to me like most of the work being done so far is on the cow side of the calf-cow relationship. On our side, we need to stop being calves, for real. That is, we need to have full agency in the original sense of the word: power to cause intended effects on our own.
For that we will need machine- and user-readable ways to express own terms, preferences and policies, so they can be read by sites (the cows) and matched up. That’s the idea behind EmanciTerm, described in How about using the ‘No Track’ button we already have? and in The Intention Economy. There I explain,
With full agency, however, an individual can say, in the first person voice, “I own my data, I control who gets access to it, and I specify what I wish to happen under what conditions.” In the latter category, those wishes might include:
- Don’t track my activities outside of this site.
- Don’t put cookies in my browser for anything other than helping us remember each other and where we were.
- Make data collected about me available in a standard, open format.
- Please meet my fourth-party agent, Personal.com (or whomever).
These are EmanciTerms, and there will be corresponding ones on the vendor’s side. Once they are made simple and straightforward enough, they should become normative to the point where they serve as de facto stan- dards, in practice.
Since the terms should be agreeable and can be expressed in text that code can parse, the process of arriving at agreements can be automated.
For example, when using a public wi-fi access point, a person’s EmanciTerms might say, “I will not knowingly hog this shared resource, for example, by watching high-def video on it,” or “I will not engage in illegal activities here.” If the provider of the access point has a VRM-ready service that is willing to deal with the user on his or her own EmanciTerms as well as those of the provider, it should be possible to automate the formalities and let the user bypass the usual “read and accept our agreement” ritual.
Not everything we express in the proposed ceremony here has to be one side of a binding agreement. If we express these terms as preferences or policies they can still be heard, even if they’re not agreed to. Being heard is one idea behind BiggestLie. But the cows can’t fix this on their own. We need to work both sides.
The only problem with all this is that our work is scattered. Let’s get it together.
Communication does not require agreement, nor terms. Only corporations have created this idea – primarily due to copyright.
The issue for would be emancipated individuals is not a matter of simplifying terms, but of deprecating the concept altogether. When we wish to exchange material property, THEN we make agreements and define terms. Otherwise there is nothing to agree.
We certainly cannot demand others surrender certain liberties, nor can we surrender our own. We are discreet, respectful and honest – that’s all we can expect of each other.
Agreements bind property, not people.
Crosbie,
Your third paragraph was one of the the points of my second-to-last paragraph.
“Agreements bind property, not people.”
Didn’t the WEF write about privacy emerging as an asset class, quite some time ago? (http://www.weforum.org/reports/personal-data-emergence-new-asset-class)
For me this means that it should be classified as property.
Certainly a kind of property we are unaccustomed with: an intangible one, yet still something that is owned by a person and that we thus have the right to sell, rent, mortgage, transfer, exchange and destroy it or exclude others from doing so.
The destruction is an eery one (the EU’s right to be forgotten) and a technical conundrum for a lot of companies who are (at least partially) in the business of sharing data with 3rd parties.
Stating clearly what you’re collecting, why, how long it’s going to be storred is imho a must have in this day and age where trust will also become an intangible asset for businesses.
I wouldn’t be surprised that trust will at some point become part of the financial concept for goodwill in one way or another when dealing with mergers and acquisitions.
Thanks for sharing Doc, inspirational as always!
Property by its original nature is a physical thing. The WEF declaring personal data an “asset class” does not make data a physical thing. Nor do laws made by governments. So on that I believe Crosbie is right.
That said, however, we do need to create means by which individuals can assert what they prefer to have done (or not done) with their data. And we need sites to say clearly what their policies are as well.
We can’t meet in the middle when the only place we exist is inside a company’s silo. That’s the main problem we have with the client-server calf-cow model that prevails on the Web today.
Hey Doc,
I think that we need to step back and assess from a different vantage point. First we are talking about relationships, which with limited exceptions are voluntary. We spoke about this today, you said, “if I want to shake your hand, I offer and it is up to you to accept.” In the context of the web today not only has the relationship become compulsory, who your are dealing with is totally cloaked and that cloaked figure (acting not only for itself but other cloaked figures) dictates all the terms of the relationship and on the other side there is just you (a person). Take any one of these factors (compulsory relationship, with unknown parties, on their exploitive self protective terms) and alarm bells go off. Let me give you an example:
Mint.com.
First line in their TOS reads:
“This Agreement sets forth the terms and conditions that apply to your access and use of the Internet Web site located at http://www.mint.com (“Mint.com”), as owned and operated by Intuit Inc., a Delaware corporation, on behalf of those of its direct or indirect subsidiaries and/or affiliates, (collectively referred to as “Intuit”).”
Translation: This “agreement” is not between you and Intuit, Inc. RATHER this ‘agreement’ is AMOUNG you, Intuit, Inc. and ‘a whole bunch of other companies and people’ called *direct and indirect subsidiaries and affiliates. So every term that includes you granting rights to Intuit understand that you are granting it to all of these other folks too. Oh, that is also true for every term that involves you agreeing to limit Intuit’s liability for problems that arise, that, too extends to this faceless crowds called ‘direct or indirect subsidiaries and/or affiliates.’
*NOTE: DON’T BE TRICKED BY MISLEADING LEGAL LANGUAGE: In this case people read subsidiary especially direct subsidiary and think that by law that means ‘companies under the direct control or owned by Intuit.” Often (in most b to b contracts this term is defined and limited, absent that clear definition (limitation) the interpretation is quite broad especially when the language includes “indirect.” Likewise, the term “affiliate’ may make you think that the relationship is limited but actually it can include a broader and more ‘distant’ (relationally) a group of people and companies when coupled with ‘indirect,’ the realm of possible parties could include just about any company and or person.
When we consider the Mint.com situation, it is clear that privacy policies cannot be considered alone and often do not reflect the real story with respect to the use of your data. All of these projects would be wise to consider the role of what I call the “anti privacy and anti people” policies aka “terms of service agreements.” Likewise statutes often permit use of data subject to consent. In both cases the terms of use tend to lend greater insight into not only the data privacy issue but also that organization’s actual commitment to or diligence with respect to its marketed messages. Don’t be misled, just because a law or policy make some assurance that your privacy is protected or information is not shared, it is not often the way you think.
When a contract effectively treats every known and unknown direct or indirect subsidiary and affiliate as FIRST party to the contract, who are third parties? How does knowing this cleaver legal trick change the way you read their Privacy Policy? Their TOS? Perhaps more importantly, how does this fact change the way you think about Mint.com in general? In that vein efforts like BiggestLie.com hit the bulls eye because they highlight the inherent dishonesty and manipulation.
That said, efforts toward transparency and “iconization” of terms are troubling because they often lack context and fail to address the larger more anti customer matters. For example, Aza Raskin‘s Privacy Icons includes the following statement under the icon “Your Data is Used for the Intended Use,” “Mint.com uses your login information to import your financial data from your banks — with your explicit permission.” On that alone, a person may be led to trust Mint.com in a way he or she would not if they also read that the terms effectively turn third party data collectors into first parties with all the accompanying rights and privileges.
Context and comprehensive understanding is critical. If they are exploiting my data, and they are honest about it; I will weigh the costs and benefits and make a decision. What I am told that my privacy is important to the company and that they do not sell my privacy etc. in a Privacy Policy and marketing messages, I expect that any “agreement” will support these claims. When, instead, I see legalese like what I present above, it is misleading. The term “bait and switch comes to mind, and I am wondering out loud if this is a possible cause of action against some of these companies; especially those proclaiming to be the answer to the privacy exploitive companies. What I mean by this is that companies like Personal.com who intend to market themselves as the unique company that cares need to back it up in more than just technology.
For example consider Personal.com:
Central to their business proposition is that they are unique in their approach to privacy and relationships with customers. Yet, reviewing their recently updated terms of service there are clauses like this:
“You agree to defend, indemnify and hold Personal, its directors, officers, employees, agents and affiliates harmless from any and all claims, liabilities, damages, costs and expenses, including reasonable attorneys’ fees, in any way arising from, related to or in connection with your use of the Sites and/or Personal Service, your violation of these Terms or the posting or transmission of any materials on or through the Site and/or Personal Service by you, including, but not limited to, any third party claim that any information or materials you provide infringes any third party proprietary right.”
Translation: I as the user must indemnify this company and their affiliates for ANY claim that in ANY way is connected with my use of this service.
In general, I am not opposed to indemnification clauses because they aim to have the people responsible for certain conduct step up to the plate and deal with issues that arise from their failure to do just that, HOWEVER, I do not agree to provisions as broad and sweeping as this provision.
Second and equally as important, where is the Indemnity from Personal.com to the user? In a typical business-to-business negotiation, it is common to ask for an indemnification just like the one requested by the party drafting the agreement. This tends to help them understand ‘what’s good for the goose is good for the gander’ and the inherent one-sidedness is quickly resolved. That said, here at a minimum, Personal should step up and provide an indemnification for damages arising from their failure to protect your data. I mean what is the point of marketing your company’s uniqueness or value if you are not willing to back it up in an agreement?
As you can see once again, the Devil is in the details…it is really terrific to see all of these efforts aimed at providing transparency, pushing for awareness (and accountability, I hope) and new tools for understanding. But I think that issues like ‘privacy,’ ‘agreements’ and even policies are just proxies that reflect an utter and complete disrespect for people and thus relationships. While it is not my goal to resolve this existential matter today, or in my lifetime perhaps, I believe that it is a source of valuable insight.
“Let’s get it together.”
Indeed!
The team behind CommonTerms and BiggestLie.com is more than willing to meet, cooperate and share with others who want change in this area.
Most of us are based in Sweden, but we will present at the SOUPS symposium in Washington, July 2012, if you would like to meet face-to-face.
We can also continue the discussion on the ProjectVRM maillist, if that is an appropriate space.
There is another angle to commonterms.org: the more standardized Terms-Of-Service agreements become,
* the cheaper they are to make, reducing legal cost for providers
* the simpler they become to compare by customers
* the easier they are to bring to court
That has been bugging me for long, so I decided for my own company Refinder to
* Take existing open source terms from WordPress and adapt them for my service, thus copying half the existing terms and letting my lawyer go through them . This already made above three advantages reality.
* Now that Pär offers CommonTerms, I decided to go the leap and adopt it as first company: https://www.getrefinder.com/accounts/register/
* I hope to do the right thing 🙂
feedback welcome to leo.sauermann@gnowsis.com
Pär, agreed. Let’s rock forward.
Renee, there is so much to talk about here that I’m not sure where to begin. But I will, hopefully later today.
Doc,
With all of the dancing going on around personal privacy, agency, empowerment, ad nauseum, a couple of things keep getting missed.
You and the rest of the VRM crowd continue to think that cookies are a necessary component of website design. They are not. They are an invasion of privacy in the first case, secondly they provide website operators with a get out of litigation card with TOS’s that absolve them of responsibility by shifting it to the ‘third party’ while telling you that it is a feature of convenience to ‘enhance’ your browsing experience.
You like to proclaim that an even playing field will be achievable by having data collection continuing with us having the same data and controlling its dissemination.
Do you really think that yet another app, add on, or whole ‘nother program to set rules on a case by case basis will go any further toward making relationship management more responsive to folks when the finally get into the buying mood?
Because at the end of the day money for stuff is what is driving this whole data collection travesty.
Because in every one of the current discussions, cookie setting is required. The poster child is the aforementioned StandardLabel.org site. The label is predicated on the continued use of cookies to have something to report to create the label. Can you see the failure here?
In the case of the other organizations mentioned, they all want to enter into some sort of agreement with companies who are already mining your data, tracking you, and selling it to the highest bidder or the next guy with a checkbook. Why the hell would any of these guys agree?
Folks are not using the free tools already available to them now such as AdBlocker, Albine Do Not Track Plus, and what few browser settings are available such as ‘incognito’ in Chrome, ‘Private Browsing’ in Firefox, ‘In Private’ for those using Internet Explorer, and so on.
But even these, still require setting cookies, whether or not companies are even respecting the Do Not Track flag. And while you are browsing cookies are being set, and tracking continues, just with a different piece of data.
Even if your browser is set to delete these cookies at the end of your current session, next time you start, the cookie dance continues.
I mentioned earlier that cookies are not necessary in web design.
A simple Request Form
http://www.alistapart.com/articles/money/
is a much more elegant solution. This connects buyer and seller on their terms and not on a third party.
A much simpler solution is to block cookies entirely. No cookies, No Data mining, No Privacy violations.
You can still screw yourself up with social network sites, but that is a story for another day.
No cookies, No Labels, No VRM Platforms.
When you take cookies and the data mining and tracking ability off the table, the ad servers and data miners will need to find new employment, but the web will be much faster as it will not require all those third party calls and cookies to render pages.
Sites that require registration will still work using user/passwords and do not need cookies to function.
I still remember when the web was about getting together rather than getting over. We need to get back there.
What will be the incentive for companies to jump on board with such a plan? It seems that the calf-cow relationship obviously benefits the company.
The situation reminds of me of recent requirements placed on credit card companies and other financial service providers in the United States to simplify the terms of service, etc., as the government attempted to crack down on potentially harmful practices. Will the vision you have in mind require government regulation/intervention?
Alan, apologies for letting your comment sit in moderation. Somehow I missed it.
You make a series of great points, and I like your http://www.alistapart.com/articles/money/ proposal.
How do you make it happen? How do you stop flywheels that have been spinning for seventeen years?
Ideas?
J Mann, I don’t think anything proposed so far requires government intervention. I’d rather see problems solved with technology and practice first. But, that’s me.