CERIAS Symposium

Today (Wednesday) was the second last day of the annual CERIAS Symposium at Purdue University. I only remembered it a little before noon on Tuesday. That’s what being on break for a week will do to your brain, I guess.

Anyway, I didn’t miss the poster session early Tuesday afternoon, where I had a poster on my SELinux policy language work. Fortunately there weren’t many periods of standing around waiting to be asked a question. About half of that question-answering time was spent explaining what SELinux is rather than talking about my work in particular, though.

Sometime in the near future there should be copies of the posters available on the symposium website. People who registered for the conference already got copies as part of their information packets. One nifty thing is that instead of distributing them on CD like last year, they gave each registrant a 128 MB USB flash drive with the posters on it. So, now I have a USB flash drive. Not too shabby, especially when the registration fee is waived for Purdue students.

My main disappointment with the symposium was that a lot of the sessions were very Purdue-centric. It makes sense that CERIAS would be showcasing the work going on here, but it means that a large number of the talks are ones I’ve already heard before. The forensics panel Wednesday afternoon was pretty good, though; not coincidentally, it consisted mostly of people from government and industry in the field, instead of being dominated by our professors and grad students.

The final talk on comprehensibility of privacy policies was discouraging. In a nutshell, The Privacy Place did some surveys on how people reacted to and understood privacy policies, both in their “natural” language (read: lawyerese) and in altered formats intended to make them more understandable. The results were that, although people better understood the policies when presented in categorized or annotated forms, they believed they understood the current “natural” language style and believed it to be more comprehensive than the other forms.

So, what does this mean? My interpretation is, you’re screwed either way. If the company is honest and wants the visitor to understand the policy, in theory they should use a categorized format, but people erroneously perceive it as less useful than “natural” language. Since the intent behind the privacy policy is to make the visitor comfortable with disclosing information, it’s in their best interests to target perceived, rather than actual, comprehensibility. And if the company is dishonest and wants to sneak odious terms in, their best bet is a long-winded monolithic policy that people will think is comprehensive but probably won’t even bother reading. In either case, the status quo is maintained.