Watch the hand that is not moving

Most consumers treat online privacy notices like the ‘UL’ labels on physical products, he said. “People think privacy notices mean certain default protections. Consumers don’t understand that privacy policies are just notices. They don’t guarantee any rights.”

One example of that disconnect is that more than half — about 55 percent — of those surveyed falsely assumed that a company’s privacy policies prohibited it from sharing their addresses and purchases with affiliated companies.

Compounding user ignorance is the fact that many companies say they respect a user’s choice not to be tracked, yet still find ways of circumventing that commitment, Hoofnagle said. For instance, some Web sites that promise not to allow third-party tracking cookies to be installed on a user’s system do so anyway in a roundabout fashion via so-called first-party sub-domain cookies, he said. Similarly, some companies install flash cookies to uniquely track users across sites, he said.

When I write about security, I write from the perspective of many years’ experience securing systems, which necessarily includes the human dimension. Anyone who does not accept the human dimension, or scorns users by saying “Only a total idiot would do that,” misses the point. It is reality that humans will screw up. It is reality that even good offices may hire idiots. It is true that many advanced degree types can be perfectly functional with complex technology, but blow off the simple stuff, creating disaster in their wake.

Users are going to get the security game wrong. If you make them use hard passwords, they will write those passwords down on sticky notes, especially if the passwords change frequently. If you present them with a one-page document that looks like a contract, but is in actuality a “policy” that no one intends to follow, they will fall for it. If you, as CNN.com and other major press houses did, make a giant big deal about cookies, they will become trained to ask about cookies and forget everything else, including tracking images, flash bugs and passed string tokens.

The solution to user security is to simplify the process, inform the user, and make it a regular part of their experience. Just like washing hands before you leave a bathroom. For the web end-user, we need a contract suggesting general practices that web sites follow, and then we need specific policies that are binding so that users can read in one place, in four or five paragraphs, what will happen with their data — not empty promises as to what nonexistent threats won’t happen with it.

One Response to “Watch the hand that is not moving”

  1. [...] will, in addition to getting you software that comes with your subscription to Windows, including security updates, get you new software components and will sell you third-party software. It’ll be like an [...]
