Inundated with Privacy Policy Emails and Questionable Acceptance Requests?

May 27, 2018 | Views: 1620


First, before I get down to the issue, let me apologize to the DevOps and marketing professionals who read this. I don't intend to offend anyone, but I believe that after reading this you will understand the irony and disbelief felt by those of us trying to wade through all the new regulations and compliance requirements being asked of the IT community. I will also try not to name names or cast specific industries in a negative light, but some examples will point to them, and the implications may be obvious to some.

As the EU's new data collection and security laws come into force, users are being required to accept new privacy policies as data collection practices evolve. This isn't really a new requirement; companies rewrite privacy policies every day, and we have to decide whether to read them (gasp!) or simply hit Accept to continue using the service. However, with the law changed, every company doing business in the EU is now sending emails with updated policies, and the volume of email is staggering. The emails remind us that the services we use that touch the EU are convenient, but the practices used in those emails to solicit a user response contradict the very policies the users are being asked to accept.

Let me give some examples:

1. Why would a user want to click on a link in an unsolicited email to accept a policy, when doing so is never a best practice? Even if hovering over the link shows a legitimate domain, there is no guarantee that the website at that domain has not been compromised. Wouldn't it be a better idea to ask the user to log in to their account and temporarily present a landing page asking them to accept the new policy before continuing to use the service? Yes, this is annoying; our financial institutions do this with paperless requests and advertisements for new services, but it is more secure and less likely to encourage phishing scams.

2. Why, in today's security climate, would an organization use a redirect service to provide the link for policy acceptance? I have seen this several times in the last few weeks. Not only will this stop savvy users from following the link, it is also ludicrous that a service would use a redirect just to track which users are accepting its policy. Again, simply ask the user to log in and use a landing page. Their response on the website gives you the statistics you want to collect.

3. Why do we continue to force users to download beacon graphics to read email? Okay, I understand you want to know who is actually interested in your service but may not click on the links in the email. But for those of us who turn off loading of remote content, this only makes your email difficult to read because of formatting anomalies, and in the end may simply get your email filtered permanently. So what do beacons actually accomplish, other than teaching the uneducated masses to accept insecure practices and asking them to accept something the law is trying to restrict?

4. Why can't we simplify the verbiage? Talk to any user, and they will express disgust with the legal language of privacy policies and EULAs. Even worse, a good majority will admit to not even reading the text before clicking Accept. Would it not be more beneficial to present a concise explanation, with a link on the website to the full legal documentation? Some companies try to do this, but as an industry we fail miserably at informing users of our intentions.

5. Lastly, I will ask, why can’t we provide links in privacy policies to help users determine how to protect themselves, and decide how much information they actually want to divulge to companies? When the Internet was young, and we didn’t have all the online marketing choices, education was a common goal for most users. Those of us online wanted to explore the possibilities, and learning about the consequences was part of the process. Users today have less motivation to learn about security than previous generations, but I am confident that, given a choice, more users would rather read how to protect themselves across multiple platforms (general end-user security), rather than read a policy that applies to one service.
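The first three complaints above are things a mail client or gateway can check for mechanically. As an added example (not code from the post or from Cybrary), here is a small Python auditor that scans an HTML message body and flags a link whose visible text names one host while the href points to another (point 1), a redirect link that carries the real destination inside a query parameter (point 2), and a remote 1x1 beacon image (point 3). The sample message and every hostname in it are constructed placeholders.

```python
"""Flag tracking redirects, host-mismatched links and beacon images in an
HTML e-mail body.  Added example; the sample message is constructed and the
hostnames are placeholders, not real services."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample of a "please accept our new policy" e-mail.
SAMPLE_EMAIL = """
<html><body>
<p>We have updated our privacy policy.</p>
<p><a href="https://track.example-mailer.test/r?u=https%3A%2F%2Fwww.example-service.test%2Faccept">
Click here to accept</a></p>
<p><a href="https://www.example-service.test/policy">www.example-service.test/policy</a></p>
<p><a href="https://track.example-mailer.test/c?id=7">www.example-service.test</a></p>
<img src="https://track.example-mailer.test/open.gif?id=12345" width="1" height="1">
<img src="https://www.example-service.test/logo.png" width="120" height="40">
</body></html>
"""

# Visible link text that starts with something shaped like a hostname.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class EmailAuditor(HTMLParser):
    """Collects (kind, url, detail) findings while the body is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self._check_image(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        parsed = urlparse(href)
        # Point 2: a redirect service carries the real target in a parameter.
        for values in parse_qs(parsed.query).values():
            for value in values:
                if value.startswith(("http://", "https://")):
                    self.findings.append(("redirect_link", href, value))
        # Point 1: the text shows one host, the href goes somewhere else.
        m = HOST_IN_TEXT.match(text.lower())
        if m and m.group(1) != (parsed.hostname or ""):
            self.findings.append(("host_mismatch", href, m.group(1)))

    def _check_image(self, a):
        src = a.get("src", "")
        if not src.startswith(("http://", "https://")):
            return  # embedded or relative image, not a remote fetch
        w, h = a.get("width", ""), a.get("height", "")
        # Point 3: a remote image sized 1x1 (or 0x0) is a tracking beacon.
        if w.strip("px") in ("0", "1") and h.strip("px") in ("0", "1"):
            self.findings.append(("beacon_image", src, f"{w}x{h}"))


def audit_email(html_body):
    """Return the list of (kind, url, detail) findings for one HTML body."""
    auditor = EmailAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, url, detail in audit_email(SAMPLE_EMAIL):
        print(f"{kind:14} {url}  ->  {detail}")
```

Run against the sample, the auditor reports one redirect link (with the decoded destination), one host mismatch and one beacon image; the plain policy link and the normally sized logo pass. A gateway that rewrites or strips these elements, or a client that simply refuses to load remote images, removes exactly the practices the post objects to.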

This article was intended simply to express some frustration and present some observations this user has made during these latest regulation changes. I fully support the changes, but I wish those of us who are forced to comply would spend more time thinking about what they mean for our users and how we can make the Internet a safer place for all.

/me stepping off my soapbox.
