I added the privacy policy to the game site
One of the paradoxes of the Internet is that companies that want to abuse the privacy of their users obsess over privacy policies. For example,
Google and Facebook spend millions of dollars in legal fees going over each letter of their privacy policy detail to obscur the fact that they are aggressively recording user activity in minute detail with the goal of creating profiles that they can use to manipulate their clients.
Meanwhile web sites that have absolutely no intention of violating user privacy agonize over privacy policies.
For example, the media makes hay out of using cookies.
Unfortunately, to provide an interactive feature, a web site must have a mechanism to track user activity so that the user can interact with the site.
The EU actually requires web sites to throw out an intrusive popup to warn users of cookies.
The restriction on cookies does not stop conglomerates from tracking user activity. The restrictions simply create a world class headache for small companies trying to add interactive features to a site.
I actually track a great deal of information. I record the IP addresses and the POST and QUERY data. I do this to track the unending barrage of XSS and SQL injection attacks I receive every day. If ever they get in, I want to know how and when they got in.
Anyway, I wrote up a privacy policy for the Vagabond Spirit Game.
Vagabond Spirit is a fantasy game. Essentially the vagabond spirit of a player leaves its corpuscular host and sets out on its own. Players use fitness trackers. For each step a person takes in the real world, the vagabond spirit takes a step in the vagabond world.
The game publishes the locations of the spirits.
This is a fictional creature, but users following the site could figure out how many steps you take with your fitbit ... which they could do by going to the fitbit.com.
I will display the information of the vagabond spirits in a chain of blocks. If hackers wanted to, they could recreate the paths the fictional characters follows.
I do care a great deal about the privacy of the actual humans playing the game. So, I will use oauth for authentication and allow people to use anonymous handles.
What the game is doing is obvious. If you don't want the game to do what the game is doing, then don't do the game.
The game will allow the vagabond spirits to interact with each other. I will probably look to find ways to block players that harrass others.
This observation leads into my final thoughts on privacy.
Today, it is common for web sites to receive a barrage of DDOS, XSS, SQL Injection and other hacking attacks.
I take a proactive view of security; So, I record all inbound hits. The primary thing I do with this data is check out latest attack.
I actually record every single action that takes place on the server in an attempt to understand and defend against these attacks.
Technically speaking, my little site records every piece of information I can about the users of the site. This is because I am trying to protect the users of the site from abuse.
I often report abusive IP addresses to abuse databases.
Getting back to the stupid privacy policies that we have to put on web sites.
I actively engage in tracking the activity of hackers and I am happy to report abuse to authorities.
If someone hacked into my server and used my server to commit a crime, then I would be happy to work with law enforcement to track down and prosecute the bastard. If someone abused a program I wrote to harrass another person, then I am happy to help the victim in tracking down and reporting the abuse.
Attempts to protect a victim from an abuser violates the privacy of the abuser ... and I guess I really don't care about the privacy of people out to do others wrong.
Conclusion: The privacy policies that companies write rarely protect the privacy of the people. Facebook and Google still find ways to sell user's personal information.
We don't enhance security by these absurd privacy policies. Web site security is about protecting valued customers against the people who want to abuse them.
I got the picture for this post from BigStockPhoto.com
Do you think privacy policies enhance web security, or do you share my opinion that they are rather absurd?