http://www.azarask.in/blog/post/making-privacy-policies-not-suck/
I had the same idea as Aza, a CreativeCommons-like approach to privacy policies. I also put "make an HN thread about privacy policies" on my to-do list, so here we are.
How do you think we can improve the current state of privacy policies?
(Some brainstorming is also taking place here: http://aza.etherpad.com/privacy )
People need to adopt the security-oriented attitude that says, if you post anything, anywhere, the entire Internet may very well see it. Period. You cannot trust every server, protection mechanism and employee in between. (You wouldn't really know who to sue, anyway.)
If something really "must" be private or controlled, then you don't need a policy, you need actual control over your data. For example, don't post the thing on an Internet-enabled computer in the first place. Or, strongly encrypt it, and have absolute trust in the recipients of keys. If you've made your key recipients sign something legally binding, and retained proof that no one else could have received keys from you, then at least you'd know who to sue for violating your trust.
Ideally, the mechanism for transferring the keys doesn't use a network either, e.g. physically hand something to your intended audience that will let them decrypt whatever you do send. The data should also have a built-in "time bomb" that makes it impossible to decrypt anything after some specified period of time (for peace of mind). Of course, the recipient could do something stupid like save the decrypted data somewhere, which is why the legal binding to key recipients is so important.
You can read about the UK variant here: http://www.ico.gov.uk/
But maybe we can change that.
Using plain English (not legalese) and keeping things short and to the point seems to be an effective way of making privacy policies more user friendly. By making them so obscured by legal language that they're inaccessible to most readers, you're just guaranteeing that they won't be read. Which isn't doing anyone any favors. Keep it short, keep it simple.
Another great privacy policy is Bill Monk's: https://www.billmonk.com/about/privacy
They use user-friendly plain English, keep things relatively short (though not quite Cuil-short), and they provide a summary of the key points at the start. That's all very helpful for users, imho.
Something Awful should get points for their privacy policy, as well: http://www.somethingawful.com/d/feature-articles/website-pri...
It's written just like anything else on their site -- with a liberal dose of humor. But that's perfect for their core audience and makes it instantly readable and easy to understand (for the people whom it affects, at least).
This was part of the Longhorn project, which, as we all know, got scrapped to produce what is now Vista! :-)
RSS could be one way to make sure users can receive warnings and notification of changes. However, subscribing to RSS feeds for each site would be too tedious.
A browser plugin (or rather built-in feature) that pops up a warning in an overlay bar at the top of the window (like the password remember feature in Firefox) would be better. It could receive data from a centralized service, privacy policy RSS feeds, or just by screen-scraping the policy at a specified interval and checking for changes.
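The screen-scrape-and-compare approach described in the comment above, as an added example that is not part of the original thread or of any of the linked projects. It shows the part that a naive "hash the page" check gets wrong: the fingerprint is taken over the normalized visible text, so reflowed markup, tracker scripts and a "page generated at" footer do not trigger a warning, while a real wording change does, and the detector returns the added and removed sentences so the overlay bar can show what actually changed. The three policy snapshots are constructed for the example, the `_NOISE` pattern is a hypothetical per-site tuning knob, and the in-memory `store` dict stands in for whatever the plugin or central service would persist.

```python
import difflib
import hashlib
import re
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Collects the visible text of a page, ignoring <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


# Render-time boilerplate that changes on every fetch but says nothing about
# the policy. Hypothetical pattern for this example; tune it per site.
_NOISE = re.compile(r"(page generated|served) (at|on) [^.]*\.?", re.IGNORECASE)


def normalize_policy(html):
    """Reduce a policy page to comparable text: visible text only, render-time
    noise removed, whitespace collapsed, case folded."""
    parser = _VisibleText()
    parser.feed(html)
    text = _NOISE.sub("", " ".join(parser.chunks))
    return re.sub(r"\s+", " ", text).strip().casefold()


def policy_fingerprint(html):
    """SHA-256 over the normalized text, not over the raw HTML."""
    return hashlib.sha256(normalize_policy(html).encode("utf-8")).hexdigest()


def _sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def policy_diff(old_html, new_html):
    """Sentences added and removed between two snapshots, for the warning bar."""
    old = _sentences(normalize_policy(old_html))
    new = _sentences(normalize_policy(new_html))
    added, removed = [], []
    for op, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if op in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if op in ("replace", "insert"):
            added.extend(new[j1:j2])
    return added, removed


def check_policy(store, site, html):
    """One poll of a site's policy. `store` maps site -> (fingerprint, html) of
    the last seen snapshot. Returns ("new"|"unchanged"|"changed", added, removed)."""
    fp = policy_fingerprint(html)
    previous = store.get(site)
    if previous is None:
        store[site] = (fp, html)
        return "new", [], []
    prev_fp, prev_html = previous
    if prev_fp == fp:
        return "unchanged", [], []
    added, removed = policy_diff(prev_html, html)
    store[site] = (fp, html)
    return "changed", added, removed


# Constructed sample snapshots for this example; not any real site's policy.
POLICY_V1 = """<html><body><h1>Privacy Policy</h1>
<p>We collect your email address to send order receipts.</p>
<p>We do not sell your personal information.</p>
<script>track('pageview')</script>
<footer>Page generated at 2009-03-01 10:00:00.</footer></body></html>"""

# Same wording, reflowed markup, new tracker and timestamp: must not alert.
POLICY_V1_RERENDER = """<html><body><h1>Privacy   Policy</h1>
<p>We collect your email address
to send order receipts.</p><p>We do not sell your personal information.</p>
<script>track('pageview-v2')</script>
<footer>Page generated at 2009-03-02 11:30:00.</footer></body></html>"""

# A substantive change: a sharing clause appears and the no-sell clause is weakened.
POLICY_V2 = """<html><body><h1>Privacy Policy</h1>
<p>We collect your email address to send order receipts.</p>
<p>We may share your email address with marketing partners.</p>
<p>We do not sell your personal information except as described above.</p>
<footer>Page generated at 2009-04-01 09:00:00.</footer></body></html>"""


if __name__ == "__main__":
    store = {}
    for snapshot in (POLICY_V1, POLICY_V1_RERENDER, POLICY_V2):
        status, added, removed = check_policy(store, "example.com", snapshot)
        print(status, "added:", added, "removed:", removed)
```

The normalization is where the false-positive rate is decided: hashing raw HTML would fire on every tracker update or timestamp, and users would learn to dismiss the bar. Diffing at sentence granularity keeps the warning readable, which matters more than the detection itself, since a bare "the policy changed" notice tells the user nothing about whether the change affects them.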
Clickable links from my comment:
http://www.azarask.in/blog/post/making-privacy-policies-not-...
http://aza.etherpad.com/privacy
Related projects:
Privacy policy generators:
http://www.dmaresponsibility.org/PPG/
http://www.oecd.org/document/39/0,2340,en_2649_34255_2886327...
http://wordpress.org/extend/plugins/easy-privacy-policy/
http://wordpress.org/extend/plugins/terms-of-use-2/
http://www.professionalprivacypolicy.com/ (free trial)
http://www.freeprivacypolicy.com/privacy-standard.php (free trial)