A 2008 study conducted by a pair of Carnegie Mellon University researchers found it would take the average person 201 hours to read every privacy notice they encountered in a calendar year. Since then, the number of websites, apps, and services has skyrocketed, and in Feb. 2016, a different pair of researchers took notice of the rise in popularity of "chatbots" and decided to create one to answer questions about organizations' privacy policies.

That bot would eventually be called PriBot, and it was brought to fruition by Hamza Harkous, a postdoctoral researcher at École polytechnique fédérale de Lausanne in Switzerland, and Kassem Fawaz, assistant professor at the University of Wisconsin – Madison.

Privacy Tech recently had the chance to catch up with Harkous and Fawaz in a phone conversation about their work. 

A year after inventing PriBot and using advances in language processing and neural networks, Harkous and Fawaz developed Polisis, a tool that can automatically scan a website’s often complex privacy notice and present it in a simplified manner. Harkous and Fawaz found that, while the chatbot was good at answering questions users already had about privacy policies, there needed to be a way to offer a level of discovery to inform users about practices they did not know existed.

“When we started noticing that we have a very powerful approach for labeling every segment in the notice according to multiple labels, such as whether this segment is talking about third-party collection, or is it talking about sharing financial data with third parties,” said Harkous. “Once we started having good results there, we said to ourselves, ‘how can we pass this information to a user, even without having to ask?’”

The pair decided a visual representation would be the best method to convey a privacy notice's complexity. The tool can be accessed by either placing a website URL into the Polisis section of the PriBot website, or by installing a Firefox or Chrome extension to direct a user there automatically.

[Image: A Polisis map of Facebook's privacy notice.]

If the notice is already in the tool’s database, a colorful graph appears broken down into three different sections. One features the type of data a website collects. Moving left to right, the types of data move in waves through the different parts of section two, identifying what the data is used for, including advertising, analytics research, and basic service features. From there, the lines continue to move to the last section, outlining whether users have options in controlling the data collection, such as whether they have to opt in to the feature, or avoid using the feature entirely.

If a website has not been scanned by Polisis, users have the ability to upload it themselves. For the sake of testing, I uploaded the IAPP’s own privacy notice to Polisis. Overall, the tool worked if the notice was already uploaded into the database, and the visualization clearly informed me on the data collection process. It’s nice to be able to hover over the lines of the privacy notice and have the relevant information directly lifted from the privacy notice pop up in front of me.

I wasn't the only one who ended up giving Polisis a spin. Autodesk Senior Global Privacy and Data Security Counsel Alexandra Ross, CIPP/E, CIPP/US, CIPM, CIPT, and the Center for Democracy & Technology's Joseph Jerome, CIPP/US, each used the tool and described how Polisis could be helpful for both privacy professionals and privacy advocates.

Ross ran her company's privacy notice through the service and found it a good way for privacy pros to validate their own privacy disclosures. Similar to many other companies, Autodesk is in the process of reviewing its privacy practices in preparation for the EU General Data Protection Regulation.

Ross said it was informative to see her company's privacy notice laid out in a visual format.

"I lived with this privacy statement for several years, and my predecessor in this role drafted it and I inherited it, so it’s gone through several iterations," she said. "It’s nice to see through a different lens, and to see it visually in terms of how the tool categorizes the different sections. It was interesting to see that in a different perspective because it helped me look at it in a different way, because I was embedded in it for so long."

Though she found it helpful, Ross said Polisis could use a little refinement, noting it did not paint a completely accurate picture of Autodesk's notice.

"I think the more that they can make sure that the collection points are accurate [the better], because what I found was that some of the sections were pulled into things where I didn’t believe it was an accurate characterization of our privacy statement," said Ross, adding, "it wasn’t quite getting what a human would understand in terms of how they were parsing out certain sections of the document."

The CDT's Joseph Jerome actually used Polisis to vet a partner the CDT was planning to work with in order to ensure it held up to the high standards the advocacy group sets with its own privacy notice. Jerome was also impressed with the visual elements of Polisis and believes similar tools are helpful for advocates. 

Polisis can also potentially help solve a vexing problem for notice creators.

"We want privacy policies that both say things that are useful and are somewhat standardized, but are actually informative of what a company is doing," said Jerome. "I think stuff like this helps, because the way that they are coding for words allows for different word choices while still getting at the same concepts, and at the same time, they were able to slice and dice through where privacy policies are being vague."

Both Jerome and Ross said they will be keeping an eye on Polisis in the future. Any time a major privacy event occurs, Jerome will check any affected company's privacy notice. For his line of work, Polisis earned a bookmark from the CDT counsel.

"I read privacy policies every day, and I still find them impenetrable and confusing, and I’m looking for shortcuts as to things I should be concerned about. All it takes is uploading one privacy notice to this tool, and you can pretty quickly see, visually, all the stuff you might be interested in," he said.

When asked how they came up with the current choice for a visual, Harkous and Fawaz said they did not do any testing to see what worked best; they just chose what they thought was cool. The pair said they will be revamping the visualizations as they continue to refine and add to the tools in order to provide the best experience for the user.

The duo plans to add more privacy policies moving forward and hopes to get the word out in order to ensure the number continues to rise. Harkous and Fawaz hope to get PriBot to the point where it can set privacy preferences for websites, while also providing more organic answers rather than simply responding to questions with privacy notice snippets. The Polisis team hopes to inform users about the more unexpected ways companies use data and to offer a way to compare privacy policies of different companies.

[Image: PriBot in action.]

Fawaz believes the previous model for delivering privacy policies simply does not work anymore, and with data collection practices receiving media coverage, internet denizens are more aware of their online footprint than ever before.

“In the coming months with the transition and the emergence of the GDPR as something people have to pay attention to, we think that the privacy issues will regain their importance ... especially privacy policies, which will be subject to a lot of scrutiny,” said Harkous. “We think that if we can do our job in having a simplified navigation of privacy policies, we are at least contributing in a way to a better application of these new legal requirements.”