13 July 2010


Just a quick note/thought here.... We talked a little about privacy on our upcoming podcast but i thought that this article on Ars Technica was interesting since it highlighted one aspect of industry-led governance that i find troubling.

The ESRB has a "Privacy Certified" badge (which i had no idea existed) but what this badge is and what it represents is a little more nebulous than it sounds:

"The role of the ESRB Privacy Online program is to make sure that member websites—those that display our seal on their pages—are compliant with an increasingly complex series of privacy protection laws and are offering a secure space for users to interact and do business online"
"This includes addressing issues like what types of personal information can be collected, how companies must handle that information with respect to individuals' right to privacy, and ensuring that people are informed of exactly where and how their information will be used."

This is all good... though i'm not always satisfied that this complex information is easily and clearly provided to users. Those massive T&C for websites are usually no better than the EULAs of games.... lots of legal talk that makes little real-world sense.

"But online privacy protection doesn't necessarily mean the same thing as anonymity. It's about making sure that websites collecting personal information from users are doing so not only in accordance with federal regulations but also with best practices for protecting individuals' personal information online"

This is where i have a problem. "Best practices" is essentially a cop-out phrase that means "there's no industry standard, we just took an average of what everyone's doing and then said that was okay". If no company is performing well then the standard they are held to is lower... if one or two companies are holding themselves to a higher standard it does not affect the average overall if the larger percentage of companies are more lax. The ESRB, PEGI and other industry bodies need to sort out a base-standard of privacy along with an easily understandable bit of text that explicitly outlines what is collected and what is done with that information. It also needs to be higher than legal requirements as they are often the very lowest rung of responsibility.

My problem with the whole Blizzard forum thing is that it is the primary means for tech support since, from what i've heard, the phone support is completely overwhelmed by demand. The article says that the ESRB worked with Blizzard to make the whole thing opt-in and 18+ only.... however, that doesn't seem to be the case since you could not opt to use the forums without using your/a real name.


And this is why we need higher standards. The ESRB, in a response to the privacy complaints from all the people who wrote to them about the debacle over at Blizzard's forums, sent out an email containing each and every person's email address. Granted, it's probably minimised a little through the fact that these people were all concerned about privacy and so are unlikely to take advantage of other people's disadvantage.... but it's certainly a bloody nose considering all the talk of privacy within the email itself!

"ESRB, through its Privacy Online program, helps companies develop practices to safeguard users' personal information online while still providing a safe and enjoyable video game experience for all."

