Web Informant ##207, 18 July 2000:
Creating a privacy policy for your web site


If you are looking for some summer reading material, my advice is to steer clear of reading web sites' privacy statements. This is not the stuff to take to the beach. Instead, it should be read when you are ready to plow through some legalistic prose that can put even the most motivated surfer (whether on the web or on the water) to sleep in short order.

Some context is in order: I am the type of person who puts a different middle initial on his magazine subscriptions, the better to track what these companies do with my mailing information. But I give out my email willy-nilly, and don't get too upset when I receive spam that says something along the lines of "you have already been subscribed." And I presently work as an advisor to PrivacyX.com, a vendor who is working in the privacy area.

Privacy statements are big this season, especially as various folks continue to make inroads and abuses of one kind or another into web and email users' online privacy. And I am not just talking about tracking user identities with cookies or slipping a unique HTML identifier into one's email messages. The game has gotten much more subtle these days, and trying to understand who are the players, what they are doing, and whether you agree or not with their practices is getting too hard for my addled brain, especially as thoughts of working on my tan (or what amounts to one after putting on enough sunblock) take up more and more of my personal processing.

It used to be easy to finger the bad boys of privacy: DoubleClick certainly comes to mind as one of the leaders. Real Networks is another. Whether or not they actually have invaded anyone's electronic identity is immaterial: when it comes to privacy violators, perception is all that matters.

But the arms race has happened so fast that now just about anyone can be blamed for anything. Sending out a single piece of email with everyone's email address clearly visible in the header could count. A web site that tries to make it easier for its customers to login and track their accounts could be another. A piece of software that records the IP address of the machine it is running on and reports back to headquarters without telling the user could be a third. And there are plenty of variations on these and other themes to come.

And it used to be easier to figure out the good guys too. The W3C, an academically oriented group of web architects and developers, has come out with their own take on privacy policies, called the platform for privacy preferences or P3P. Their goal is to have every web site's privacy policy machine-readable, and then scan them for compliance. This seems like a curious exercise at best.

So what is someone semi-responsible to do? Several vendors have taken this burden on squarely, or so it seems, by offering to produce privacy policies for the interested web site operator. You can find links to them at the W3C site above. I tried a few out with mixed results (why are you not surprised).

TrustE has a sample policy that you can modify for free by going to this link. You'll notice it reads like a legal document, and intended to be used in a court of law rather than by mere mortals who are just trying to figure out whether the site is doing something nasty. I am not sure this is a Good Idea. But it is a good place to start.

Both IBM's software and PrivacyBot.com will produce a custom-made privacy policy, based on the things you say you do or don't do with the information you collect on your web site. It is actually a pretty good exercise. The IBM software is free, but I needed to download a newer version of Java and didn't have the time to fool with that. The IBM software is actually an outgrowth of the W3C's P3P efforts. Its goal is to produce machine-readable (versus lawyer-readable) policies, which can then by checked by the software at the W3C to determine if your site is P3P compliant.

The policy editor from PrivacyBot runs via your web browser, no need to download anything other than the actual text of the policy when you are done and when you can pony up $30 to them. I still had to mess around with the file that they sent me to correct some typos and such, but still it went a long way towards creating something that I actually like for its brevity, clarity, and comprehension. You can take a look here (since I don't collect any information on my site, it is noticeably short).

All in all, this is still a very new industry, and still fraught with problems. Too many of the web sites privacy policies that I read (when I could find them) were either too superficial or too lawyerly that I came away from the whole exercise somewhat discouraged. In the meantime, here is some very practical advice: when you fill out a web form requesting information about you, include as little as possible if you are concerned about this. And maybe you should include a different middle initial, just in case.

Self-promotions dep't

An analysis of Microsoft's BizTalk Server recently appeared on Windows200Advantage's web site, sponsored by Microsoft and Compaq.

To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 2000 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.