[AYBABTME]

I think it's time for an external, trustworthy entity to spawn that would vet and endorse companies that respect their users. Something like the "USDA Organic" label but for user privacies. Maybe it'd be an EFF-like entity that audits companies in exchange for a fee and endorse that "Company X, and the product/services it uses, are respecting user privacy". We could then derive a chain of trust between companies, maybe have a browser extension that tells when we're using a website that is endorsed by such entity?

[technion]

I've gone back and forth on this. The very likely outcome of such a thing in practice is another PCI-like process. We both know an "EFF-like" organisation selected by a Government will one of the big accounting firms or similar in practice.

Particularly once there's a certification fee, it quickly becomes a racket, where people with strong ethics and skills get pushed aside by someone who paid a fortune to sit a course. Language lawyers will find ways to sign off on major issues, and some largely irrelevant thing ends up becoming the majority of the process.

[heyjudy]

You're catastrophizing by jumping to a negative outcome, similar to a cognitive distortion. It doesn't have to become a racket; that is a leadership choice. Individual identity issuing, public key certifying authority, banking, news, healthcare, truth-worthiness and many more areas would all be served best by non-profits that are funded by a combination of grants, modest fees and/or donations. There are some human activities that are too important to be privatized, like the fire department and the NTSB... whether the government should or shouldn't be responsible for running X is a topic for another time.

[btrettel]

Standards could help too.

I recently started setting up a phpBB forum for a personal project. Because I wanted to respect people's privacy as much as possible, I removed certain fields like the birthday so that they can't be entered. I disabled private messages to avoid keeping unneeded nominally private data. To contact a specific user, I allowed only emails sent via a form to prevent leaking a user's email address. And I installed an extension to allow users to delete their accounts. I was pleasantly surprised with how easy disabling birthdays and other profile fields were, but somewhat disappointed that allowing users to delete their own accounts wasn't built in yet. Would be nice for forum softwares to have a standard set of features and default behaviors that respect privacy. I doubt many people change the configuration settings I did. (If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.)

I don't see why a forum should have a birthday field in particular. If COPPA compliance is a concern, just ask if the user is 13 or older at registration.

[bmn__]

> If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.

Tell the software vendor! They need to supply sane and private defaults, so that every admin who deploys an instance benefits automatically.

You could drive home the point by saying that if you were to run the software in the EU, it becomes a ticking time bomb and is an invitation for getting a forum admin into obnoxious manual cleaning work at best, legal trouble at worst.

[pjc50]

Or you could follow the EU example and make it mandatory with national agencies empowered to levy fines?

The history of "web page endorsements" is pretty lousy. The only one that really stuck was SSL enhanced verification, and all that does is tie a cert to a business entity.

[AmericanChopper]

Have you ever implemented a standard before? The process is usually a bureaucratic joke. There will always be auditors that will certify you for essentially just paying them. This is not only a privacy problem, it’s also a security problem. ISO 27001 and other standards have been around for a long time, and getting certified has always meant little, and companies still get breached. ISO are working on a privacy standard right now, and when that’s finalized, I guarantee you that consumers are going to take no interest in it, and that people will still be tracked and companies will still be breached. The system you’re describing would only ever be noticed by a very small subset of privacy conscious and educated users, and even then it would likely achieve nothing.