Ask HN: How can we make better, more readable privacy policies?

18 points by bhseo, over 15 years ago

I was thinking about privacy policies the other day and today I came upon this post:

http://www.azarask.in/blog/post/making-privacy-policies-not-suck/

I had the same idea as Aza, a CreativeCommons-like approach to privacy policies. I also put "make an HN thread about privacy policies" on my to-do list, so here we are.

How do you think we can improve the current state of privacy policies?

(Some brainstorming is also taking place here: http://aza.etherpad.com/privacy )

6 comments

makecheck, over 15 years ago

I personally don't believe that privacy policies are useful at all. They are at best the web equivalent of a verbal agreement.

People need to adopt the security-oriented attitude that says, if you post anything, anywhere, the entire Internet may very well see it. Period. You cannot trust every server, protection mechanism and employee in between. (You wouldn't really know who to sue, anyway.)

If something really "must" be private or controlled, then you don't need a policy, you need actual control over your data. For example, don't post the thing on an Internet-enabled computer in the first place. Or, strongly encrypt it, and have absolute trust in the recipients of keys. If you've made your key recipients sign something legally binding, and retained proof that no one else could have received keys from you, then at least you'd know who to sue for violating your trust.

Ideally, the mechanism for transferring the keys doesn't use a network either, e.g. physically hand something to your intended audience that will let them decrypt whatever you do send. The data should also have a built-in "time bomb" that makes it impossible to decrypt anything after some specified period of time (for peace of mind). Of course, the recipient could do something stupid like save the decrypted data somewhere, which is why the legal binding to key recipients is so important.

catone, over 15 years ago

Cuil has one of the best privacy policies on the web, at least from a readability standpoint: http://www.cuil.com/info/privacy/

Using plain English (not legalese) and keeping things short and to the point seems to be an effective way of making privacy policies more user friendly. By making them so obscured by legal language that they're inaccessible to most readers, you're just guaranteeing that they won't be read. Which isn't doing anyone any favors. Keep it short, keep it simple.

Another great privacy policy is Bill Monk's: https://www.billmonk.com/about/privacy

They use user-friendly plain English, keep things relatively short (though not quite Cuil-short), and they provide a summary of the key points at the start. That's all very helpful for users, imho.

Something Awful should get points for their privacy policy, as well: http://www.somethingawful.com/d/feature-articles/website-privacy-policy.php

It's written just like anything else on their site -- with a liberal dose of humor. But that's perfect for their core audience and makes it instantly readable and easy to understand (for the people whom it affects, at least).

jbgh2, over 15 years ago

You might want to check out http://lexpuli.ca. They are applying open source ideas to law. The plan is that they will create high quality, readable legal documents (with supporting documentation, FAQs etc.) that people can use for free. They are looking for suggestions on what to work on and I know they are interested in Terms of Service and Privacy Policies for websites.

mishmax, over 15 years ago

A few years ago, I knew a Microsoft intern whose project was to do exactly that for all Silverlight-type software that got installed on a user's machine. He used the P3P standard to automatically present the user with a 'privacy evaluation' before the user ok'd the installation of the software.

This was part of the Longhorn project, which as we all know got scrapped, to produce what is now Vista! :-)

bhseo, over 15 years ago

One thing that bugs me in privacy policies is the "we may change this policy at any time and without warning" clause.

RSS could be one way to make sure users can receive warnings and notification of changes. However, subscribing to RSS feeds for each site would be too tedious.

A browser plugin (or rather built-in feature) that pops up a warning in an overlay bar at the top of the window (like the password remember feature in Firefox) would be better. It could receive data from a centralized service, privacy policy RSS feeds, or just by screen-scraping the policy at a specified interval and checking for changes.
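
The "screen-scraping the policy and checking for changes" option from the comment above, sketched as an added example (not code from the thread or from any project it links). The HTML snapshots are constructed and the function names are hypothetical; the point it shows is that the comparison should run on the policy's wording, not its markup, so a redesign does not raise a false alarm while a reworded sentence does.

```python
import difflib
import hashlib
import re
from html.parser import HTMLParser

# Constructed snapshots of a hypothetical policy page (not from any real site).
OLD = "<h1>Privacy</h1><p>We store your email. We never share it.</p>"
RESTYLED = ("<h1>Privacy</h1><div class='box'><p>We store your   email.</p>"
            "<p>We never share it.</p></div><script>render()</script>")
NEW = "<h1>Privacy</h1><p>We store your email. We may share it with partners.</p>"

class _VisibleText(HTMLParser):
    """Collects text nodes, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def policy_sentences(html):
    """Reduce a page to whitespace-normalized sentences so markup-only edits vanish."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", " ", " ".join(parser.parts)).strip()
    return [s for s in re.split(r"(?<=[.!?])\s+", text) if s]

def fingerprint(html):
    """Digest of the policy wording; this is what gets stored between polls."""
    return hashlib.sha256("\n".join(policy_sentences(html)).encode()).hexdigest()

def policy_changes(old_html, new_html):
    """Return (removed, added) sentences; both lists are empty if only markup changed."""
    if fingerprint(old_html) == fingerprint(new_html):
        return [], []
    diff = list(difflib.ndiff(policy_sentences(old_html), policy_sentences(new_html)))
    return ([d[2:] for d in diff if d.startswith("- ")],
            [d[2:] for d in diff if d.startswith("+ ")])
```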

bhseo, over 15 years ago

A related link from Aza's post's comments:

http://www.privacychoice.org/

Clickable links from my comment:

http://www.azarask.in/blog/post/making-privacy-policies-not-suck/

http://aza.etherpad.com/privacy

Related projects:

http://www.w3.org/P3P/

http://commondataproject.org/

Privacy policy generators:

http://www.dmaresponsibility.org/PPG/

http://www.oecd.org/document/39/0,2340,en_2649_34255_28863271_1_1_1_1,00.html

http://wordpress.org/extend/plugins/easy-privacy-policy/

http://wordpress.org/extend/plugins/terms-of-use-2/

http://www.professionalprivacypolicy.com/ (free trial)

http://www.freeprivacypolicy.com/privacy-standard.php (free trial)