Can we fix the problem of Privacy Policies and Terms of Service agreements we never read, so we’ll actually stay safe?
The dental hygienist raised her gloved hands and turned toward the patient.
Terms of service agreements? “I don’t ever read them,” she laughed. “I just figure they’re all the same. Maybe they just change a few things.”
But those agreements and policies that pop up for sites, services and apps can put you in jeopardy, if you agree to something risky without reading.
Even so, they go unseen.
Reading them can seem as painful as getting dental work.
“I try to read them,” added the dentist herself, as she leaned over the patient. “But I can’t read all of them.”
First-born
They’re not the only ones. A recent study showed that 100% of people signing up for a social networking site agreed to terms where they would give up their first-born baby to the site as payment. Only 9 people out of more than 500 mentioned the baby clause—but signed up for the service anyway.
Some say terms of service and privacy policy agreements—a standard our of our digital era—aren’t working. Now there is an international movement to change the system, before your ‘Too Long, Didn’t Read’ turns into ‘Too Late, Danger & Risk.’
How bad is it?
Professor Jonathan Obar of York University knew it was bad. But the study he did with Anne Oeldorf-Hirsch of the University of Connecticut showed the evidence in full color.
They asked 543 college students to evaluate a social networking site called NameDrop. During sign-up, the site gave the students a chance to either read the terms of service and privacy policy, or skip it and get started right away.
About 75% chose to sign up without reading—and missed the lines where the site said it would share data with the National Security Agency, a controversial issue, and also take their first-born child.
Most participants later said that is their usual approach to ToSs and PPs [terms of service and privacy policies]—just skip and click.
The few who did read often spent about 14 seconds glancing over the policies before clicking “yes,” not enough time to understand the 4,000 to 8,000-word legal contract they were about to enter.
First-born child clause from Obar & Oeldorf-Hirsch’s study.
“The first-born ‘gotcha-clause’ was part of the study because it is an extreme,” Obar told Archer News. “If people are missing such an outrageous clause, imagine the less outrageous but still quite serious things that users miss every day when engaging with services.”
Even worse, the students who participated came from a communications class where they studied these very kinds of issues.
“If communication scholars-in-training cannot be bothered to read SNS [social networking site] policies, let alone demonstrate concern about the implications of ignoring notice opportunities, it seems likely that the general public would commonly ignore policies as well,” the study report said.
Why didn’t they read?
One student wrote that there appeared to be little risk. “Nothing too bad happened yet, but it’s not like I post anything interesting or worthy.”
But some of the dangers run deeper. Are you giving away your personal information, your pictures, your privacy, and allowing companies to keep and sell your information for years to come? Will someone else own or trade your digital life history in twenty years? You don’t know, but you just clicked “yes.”
The wildly popular Pokemon Go game caused a stir when it first came out, requesting full access to your Google account and gaining permission to see and modify all of your Google account info, reported USA Today. When a researcher brought the issue into the public spotlight, the game’s creator, Niantic, fixed the problem, saying it was a mistake.
Pokemon Go also “strips users of their legal rights,” reported Consumerist—by agreeing to the terms, you agreed to lose your ability to file a lawsuit or join a class action suit against the company if something should go terribly wrong, like a massive data breach. The terms gave you thirty days to opt out—which you might know only if you actually read them.
Pokemon Go’s Privacy Policy currently says it can make changes at any time that can have a retroactive effect, essentially saying you have already agreed to the changes they will make in the future.
Pokemon Go Privacy Policy.
Losing data & destroying social order
Terms of service policies tend to be one-sided in favor of the company, said the Electronic Frontier Foundation.
Facebook can do whatever it wants with your posts, even using them for advertising, Mashable reported.
Toymaker VTech quietly changed its terms to make parents agree that their data not be secure after all—angering parents and dismaying cybersecurity experts when it was brought to light—after a big hack that sucked out information for six million VTech customers, including kids’ names, birthdates and pictures.
And the operating system Remix OS comes with a surprise in its user agreement, according to Softpedia, saying, “Harming national honor and interests; Inciting ethnic hatred or ethnic discrimination, and undermining national unity; Undermining national religious policy, promoting cults and superstitions; Spreading rumor, disturbing social order, undermining social stability.”
We’re still not reading
The study participants gave what appear to be honest answers about why they just won’t read those ToSs and PPs, despite the risks.
“I’m in a hurry to use the service,” one wrote.
“It feels like a cultural norm not to read them and I’m too lazy to read them in detail,” said another.
But some say it’s more than laziness—it’s now impossible to read them all.
“The current state of terms and conditions for digital services is bordering on the absurd. Their scope, length and complexity mean it is virtually impossible to make good and informed decisions,” said the Norwegian Consumer Council’s Finn Myrstad on the government agency’s site.
200 hours a year?
One study in 2008 estimated it would take you about 200 hours a year to read through all of the policies you run into in your digital life, according to Obar. And the number has most likely gone up in the last eight years.
To prove the point, the Norwegian Consumer Council staged a marathon video session, reading every word of the typical number of app terms and conditions and other such policies the ‘average’ person would have on their phone.
The council said the 33 polices total more than a quarter million words, longer than the New Testament, and take more than 24 hours to read.
“The average consumer could easily find themselves having to read more than 250,000 words of app terms and conditions. For most people this is an impossible task, and consumers are effectively giving mobile apps free rein to do almost whatever they want,” the council said.
Norway’s printout of all the policies on an average user’s phone.
Read vs. understand
Even if you read all 250,000 words, would you understand what they mean?
Probably not, according to the White House’s National Privacy Research Strategy from June 2016.
“…[P]rivacy policies are often difficult to locate, overloaded with jargon, and ambiguous or open-ended in their meaning, rendering them confusing and even incomprehensible,” the report said.
Front page of the National Privacy Research Study.
On your phone, it can be even harder.
“The burden on individuals to read and understand these policies is further confounded in the mobile context where, because of the small size of the device, a privacy policy may be spread out over 100 separate screens,” the report added.
No wonder we’re not reading them. Clicking “I agree” may indeed be the “biggest lie on the Internet,” as noted by Obar and Oeldorf-Hirsch, and the website ToS;DR, which stands for “Terms of Service, Didn’t Read.”
Why lie?
Is there a better way than lying every time you sign up for a new app or service?
Norway is fighting back aggressively with its campaign called #Appfail.
The country’s consumer protection agency is using video and social media to make people aware of the risks, telling them bluntly that with apps, you often accept that:
—you waive fundamental privacy
—the app tracks you, even when it is not in use
—personally identifiable data can be resold
—terms may change at any time without notice
—the app can terminate your account at its sole discretion
The agency is also demanding that apps and services make policies more reader-friendly—shorter, clearer and easier to understand—and standardized, so readers can recognize what is unusual or missing.
Myrstad told Archer News the #Appfail campaign has been successful and has even convinced some big international app companies to change their terms and behavior.
Solutions
Organizations like the Electronic Frontier Foundation and ToS;DR have set up sites for people to stay aware of when companies update their policies.
Some companies are trying a new tack—a “just in time” disclosure that feeds you “small, understandable amounts of information at relevant points in the transaction,” according to the National Privacy Research Strategy.
The White House strategy paper lays out plans to fund research on whether this approach works, among other fixes for the “biggest lie” and other privacy issues affecting the country and industry.
“If we want digital privacy and reputation control, we need governments to do more to ensure that consent processes work,” Obar said.
Your ToS accountant
You can’t read it all and understand it all, but could someone do it for you—like a tax accountant whose full-time job is to stay on top of tax law so you don’t have to?
Obar suggested a “representative data manager,” like a tax accountant, could help solve the problem.
“Representative data management could contribute to the protection of personal data while freeing individuals from the impossible task of data privacy self-management,” he wrote in an article in the journal Big Data & Society.
There could be non-commercial data manager options as well, to eliminate “digital forms of discrimination,” he said.
You may do your own taxes. But, Obar said, the idea that you can truly manage your own data privacy in a competent way is fiction.
“More needs to be done to ensure that consent processes are effective; otherwise, digital citizens will have little control over their data and who uses it,” Obar said.