Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

FlippedBITS: Do Privacy Policies Mean Anything?

Joe Kissell

Sometimes you want to go where everybody knows your name, IP address, shopping habits, browsing history, birthday, mother's maiden name, and other personally identifiable information. Other times you don't use the Internet.

Most of us take it for granted that the Web sites we visit collect massive amounts of data about us behind the scenes. If you aren't aware of this -- or if you are, but wish you could keep more of that information private -- I can refer you to a little book I wrote on that topic: "[1]Take Control of Your Online Privacy."

It's helpful to have greater awareness of who's collecting what data about you and why. You can do things like changing browser settings, adding plug-ins, and adjusting your preferences on various sites to discover when they track your actions and to reduce (though not eliminate) the endless flow of private information you send out as you use the Web. I talk about all this in my book.

But what about privacy policies? Nearly every commercial Web site has one, and you often have to agree to such a policy (implicitly or explicitly) when signing up for an account. Privacy policies spell out what data the company collects (particularly personally identifiable information), how it's used, what protections are in place to safeguard it, and so on.

Some people mistakenly think that these policies offer some guarantee of privacy or even legal protection. I'd like to disabuse you of that belief in this installment of FlippedBITS.

Policies vs. Facts -- The existence of a privacy policy, along with a prominent link to it on a site's home page, is sort of like the words "Nutrition Facts" on a food label. The facts could be that a site offers no privacy, or that a food is full of nasty stuff that provides no nutritional benefit. Sites may display a privacy policy because they're required to by law, or because they think it makes their users feel better. Sorry to say, but -- not to put too fine a point on it -- privacy policies by themselves don't mean diddly-squat.

That's not to say privacy policies are meaningless, and as I'll explain in just a moment, I recommend reading them attentively. But don't mistake a policy for a guarantee. A policy is just that -- a statement about the practices a person or company follows as a general principle. I mean, I have a policy of being honest, but that doesn't mean I never lie. My library has a policy of charging patrons for overdue books, but sometimes they let it slide. A store has a policy of beating competitors' prices, but draws the line when someone brings in an ad for a buy-one-get-two-free promotion.

When a company's lawyers draft a privacy policy, there's no guarantee that all the other employees are even aware of it, much less that they universally agree to it. And even if they do, that doesn't prevent lapses, mistakes, attacks by outside hackers, or other issues. In short, even the best privacy policy, crafted lovingly by People Who