Is Web 2 0 Privacy Stuck in 1999 and Can They Do Better Jon Hyman and Kevin Bombino jhyman bombino eecs harvard edu The Web 2 0 revolution is in full swing and entirely new classes of interactive web services are now being used by millions of people Instead of simply browsing web pages people are interacting with these websites by posting their own personal data such as photos videos appointments and more People are taking their personal interactions online social networking sites such as Facebook MySpace and LinkedIn claim millions of users each Personal productivity applications are also moving online applications for messaging chat accounting and contact management that used to live on individual desktops are now being offered as hosted services Even wholesale data is being put on the Internet services such as XDrive and Apple s Mac are offering online file storage and backup As a result more people are entrusting third parties with their data than ever before Web 2 0 is about controlling data Tim O Reilly who coined the phrase Web 2 0 Because of activism by the privacy community in the early days of the Internet it has become a given that all commercial websites will likely have some sort of privacy policy However most of these privacy policies are built around the now antiquated notion that the World Wide Web is a collection of static content and the primary threat to privacy is for someone to track what you have been looking at Now that users are providing content and data to these Web 2 0 companies privacy policies should be revisited to ensure that they explain the privacy practices with regard to this data How is this it being protected Are these companies mining it to look for trends Can it be sold without our knowledge We scoured the web and took a look at the privacy policies of many Web 2 0 companies in the areas of personal applications communications and networking and online backup We looked at the following personal applications Google s Apps and Calendar 37signals Basecamp project management Stikipad online wiki and QuickBooks accounting software The communications tools we looked at were GMail Facebook MySpace Meebo web based instant message gateway and LinkedIn In the backup space we looked at XDrive Apple Mac and Amazon Web Services S3 All of these services have hundreds of thousands of users each although most reach into the millions All privacy policies examined were the current versions posted on the websites for these services as of May 4 2007 Analyzing a Web 2 0 Privacy Policy A privacy policy is very useful for understanding how a company will use the data it collects Plenty of work has been done on evaluating privacy practices of companies in many respects such as user tracking and we will not be undertaking a full analysis of the privacy practices of each of these websites Instead we would like to focus our study on how these privacy policies treat the Web 2 0 aspect of their respective websites that is how they are treating the new types of data such as private messages photos video tags and social network interactions that consumers are trusting them with Additionally we want to look at how these policies are treating the difference between what we re going to call sensitive and non sensitive data The idea is that there is a fundamental difference between data that is posted to a Web 2 0 application for the purpose of publishing non sensitive and data that is for personal use only sensitive For example the contents of a personal profile on MySpace are intended for publishing so we would consider that to be non sensitive data However users of TurboTax online store their financial data on TurboTax s servers so you they use TurboTax s online processing software so this should be considered sensitive data It is important to realize that most Web 2 0 websites actually process and store both sensitive and insensitive data for its users Take Facebook as an example a user s picture is insensitive data the user wanted it to be published while a private message that the user sent to his girlfriend is sensitive data it was processed by the system for the exclusive use of those two users The privacy policy should reflect a distinction between these different types of data being stored Our findings We found that although some websites do seem to be on the mark with regard to their privacy policy many of the privacy policies we looked at do not address the differences between sensitive and non sensitive data and some don t address much of anything at all One thing that we did find abundant in most of these privacy policies was information about cookies and banner image tracking the things that were originally concerning to people when privacy policies were first created back in the late nineties We suspect that most current privacy policies are written using an existing privacy policy as a template and since these issues have been covered exhaustively since the dawn of the privacy policy lawyers continue to include these provisions It s hard to blame just the lawyers most online privacy policy generators1 ask questions such as does your website have links instead of what are the different types of data that the user might provide and how do you handle it differently 1 http www the dma org privacy creating shtml http www enbs com privacy policy generator php But we want to focus on user submitted data MySpace lists in its privacy policy that it collects the following user submitted information name email address age and profile data Is that all What about personal messages photos photo comments and videos You know all the Web 2 0 stuff the stuff O Reilly talks about when he says that Web 2 0 is about data Presumably they lump all of that stuff under the term profile data even though the uses of these different types of data should vary greatly Private messages should be protected more than public comments the MySpace equivalent of the Facebook wall A few of these companies do make an explicit distinction between sensitive and nonsensitive data For example XDrive specifically states in their privacy policy that they do not look at the files users upload but files that are shared through the service are subject to different expectations of privacy than files that are simply backed up XDrive do es not use the data information or files that you submit upload post or download on or through Xdrive Xdrive Files If however you disclose your Xdrive Files on public areas