It’s a common quip about privacy policies: They’re so complex, you need a law degree to understand them.
A team at Carnegie Mellon took it to heart. Led by professor Norman Sadeh, the group asked law students to annotate more than 100 privacy policies from companies like Google and Facebook–putting their legalese into relatively plain language. Then, Sadeh’s team used their work to train an AI to do the same thing for 7,000 other privacy policies, effectively creating a searchable database that lays out these policies in clear terms. On their new portal, anyone can explore these Cliff’s Notes to common apps and websites, which are even rated by the grade level of their language. (Disney, Playstation, and others require college degree-level skills.)
“This is a very challenging problem,” Sadeh says. “Privacy is known as a secondary task–unless you’re a privacy professional, it’s never at the top of your mind.”
The Usable Privacy Project attempts to reconcile privacy with the reality that many people simply don’t want to think about it. While you still have to seek out and engage with their new explore tool, it makes understanding a policy far simpler, with user-friendly color and interactivity to highlight specific areas of interest–like details of third-party sharing and opt-out options that are often buried deep in these legalese-ladened documents.
Take a look at the entry for Buffalo Wild Wings’ website, which ranks fairly easy at a grade 14 reading level with 131 privacy statements, like this one:
We collect the information you affirmatively choose to provide us, such as when you provide your name, contact information, the pages you access and similar information for such purposes as purchasing products, creating an account, joining our loyalty programs, filling out a survey, entering contests, participating in promotions or electronic activities, posting comments on bulletin boards or otherwise interacting with our Sites.
Here’s the Usable Privacy’s human annotation:
This site collects your contact information for a basic service or feature. Collection happens when you explicitly provide information on the website.
The Usable Privacy Project, which was founded in 2013, has plans to turn its website into a browser plug-in later this year. The group’s other activities are far-reaching–they range from publishing academic research (one recent paper showed that nearly half of all Google Play store apps don’t link to any privacy policies at all) to hosting workshops and supplying their corpus of annotated policies to other groups (including another new tool covered here on Co.Design).
Such tools are not a silver bullet–they require users to seek them out, and even the annotated language can be opaque and confusing. We’re still at the dawn of a new era of pro-privacy research and design.
In addition to putting AI to work annotating privacy policies, Sadeh and his team are developing models for what people do and don’t care about when it comes to privacy. Their goal is to combine those two elements into tech that can extract the key parts of any policy based on what you really care about.
If you can do that, “you might be able to identify those statements in privacy policies that someone would want to be informed about, and just show them those statements,” Sadeh explains. “If they want to learn more, that should enable them to ask questions and enable them to dig deeper–but just highlight those things they would probably want to know about that would actually surprise them, that perhaps they don’t know about.”