A version of this post originally appeared on Tedium, a twice-weekly newsletter that hunts for the end of the long tail.
You know who had a bad week last week? The folks at Evernote.
"Modern information systems are essential to our economy. They contribute to the comfort and convenience of our lives. But they can be misused to create a dangerously intrusive society. Our challenge is to provide privacy safeguards that respond to these social changes without disrupting the essential flow of information."
How the pre-internet era defined internet-era privacy policies
Data collection—think credit scores and bill collectors—grew increasingly complex in the 1980s and 1990s, and this created a massive web of information that seemed to go all over the place. A 1991 Time piece breaks down how messy it was even back then:
To get a driver's license, a mortgage or a credit card, to be admitted to a hospital or to register the warranty on a new purchase, people routinely fill out forms providing a wealth of facts about themselves. Little of it remains confidential. Personal finances, medical history, purchasing habits and more are raked in by data companies. These firms combine the records with information drawn from other sources—for instance, from state governments that sell lists of driver's licenses, or the post office lists of addresses arranged according to ZIP code—to draw a clearer picture of an individual or a household.
The repackaged data—which often include hearsay and inaccuracies—are then sold to government agencies, mortgage lenders, retailers, small businesses, marketers and insurers. When making loan decisions, banks rely on credit-bureau reports about the applicant's bill-paying history. Employers often refer to them in making hiring decisions. Marketers use information about buying habits and income to target their mail-order and telephone pitches. Even government agencies are plugging into commercial databases to make decisions about eligibility for health-care benefits and Social Security.
If not handled correctly, there was a lot of potential for the internet to take these already troubling trends and turn them into full-blown disasters.
In the United States, no single law dealt with the concerns raised by this complex privacy trade that was forming as the technology started to allow it. Instead, it was a whole bunch of laws, many of them only covering the issue in pieces—likely due to the complexity of the situation described in the Time piece above.
Perhaps the two best-known examples of these laws came during the Clinton era: The Health Insurance Portability and Accountability Act (HIPAA), the 1996 law specifically targeting healthcare disclosures; and the Children's Online Privacy Protection Act (COPPA), a 1998 law specifically targeting websites that market to children.
Bits and pieces of other laws also played a role in building this rule-making out—most notably, the California Online Privacy Protection Act (CalOPPA), which represents the kind of comprehensive take on the issue at the state level that the US has never touched—but ultimately, the two factors that played a role in making privacy policies common all over the internet were the Federal Trade Commission, which first proposed the idea in 1995, and efforts by industry groups to self-regulate their own industry before the problems got any worse.
"The development of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential," the report stated.
Electronic commerce definitely did meet its full potential. But ultimately, the mess of regulation was never fully spelled out by a single law, as it was in the European Union.
So as a result, privacy standards are completely spread out among US federal agencies. It mostly works, but it's messy.
"If you happen to see a posting anywhere on our site that you feel is objectionable, please utilize the emergency e-mail address listed in the Beanie Info section which will direct your message to one of my friends at Ty who will look into the matter as soon as possible."
But what if that contract just wasn't there at all? Turns out that this is a more common situation than you'd think, in part due to lax detection and oversight. Last month, researchers at Carnegie Mellon University cranked up this discussion by analyzing 18,000 Android apps in Google's Play store, using a natural-language-driven approach that allowed the researchers to dive through all 18,000 apps at a rate of around one every six seconds.
"With a few servers, we should be able to scan all the free apps in the Google Play store every month," noted Norman Sadeh, the computer science professor that led the research.
Nearly as crazy as the research strategy were the results: Roughly half of the apps studied didn't have privacy policies at all, despite the fact that more than two thirds of apps (71 percent) used some form of personally identifiable information on the part of the user. (Which makes sense: A mapping app is likely to ask for data that identifies you, because of how digital mapping works at a base level.)
Sadeh admitted that a second layer of research, this time with human hands, was necessary to check the results.
"Just because the automated system finds a possible privacy requirement inconsistency in an app does not mean that a problem necessarily exists," he admitted in a news release.
But even if a hand-counting found that the result was slightly off, the stats would still make sense as a whole. Privacy policies are pretty much the most boring, least interesting part of any website. It's legalese. Ain't nobody got time for that.
Ain't nobody got time, that is, unless proof of its value stares developers in the face.
Perhaps that's why the Evernote saga is so useful. It shows that the public actually cares about boilerplate language—whether it's federally mandated or not.
It's relatively boilerplate, and probably needs an update at some point, but I tried to write it so that, if you were to stumble upon this page, it would not be the most boring thing on the internet. I also tried to give it to you straight—yes, we advertise, and we do so in a specific way; yes, of course we ask for your email address, this is a newsletter; no, we won't be able to figure out your credit card number from all this.
Michelle De Mooy, the acting director of the Center for Democracy and Technology's Privacy and Data Project, told The Hill this month that the US is a rarity in terms of how complicated its data laws are, with the lack of a comprehensive law on the issue that covers every aspect of life ultimately harming the United States by keeping outdated regulations on the books.
"There are only two countries in the developed world with no baseline privacy standards," she said. "One is the United States. The other is Turkey."