Shostack + Friends Blog Archive


Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.”

Not to pick on Ryan, but I’m not sure a blog should have a privacy policy. Most web servers log (including mine). I don’t control the host or the web server, so a breach due to error would be outside my control, as would a breach due to subpoena. Once you have a policy, they’re boring, no one reads them, and as Tony Vila, Rachel Greenstadt, and David Molnar point out, that makes sense (PDF). Those of us who do read them find them hard to decipher.

Finally, it’s a lot of work. I spent a long time on the privacy policy I wrote. It was educational, seeing how much data-slinging a small organization did. And this was an organization run by people who cared about privacy, many of whose customers think deeply about privacy as part of their professional lives. However, all that work was educational, and so it may be a useful exercise for Ryan to go through.

* I’m torn: The doubling of the apostrophe is both neat and wrong. In reading reviews, you can probably see the hand of editors who, to avoid splitting the infinitive, or putting those apostrophes on each end, rewrite the sentence. A fine plan.