Why Privacy Policies Suck

We have all accepted a privacy policy or terms of service agreement without thoroughly reading and understanding it. Why do we do this? Do privacy policies even matter? Are people just lazy? I hope to answer these and other questions throughout this blog post. But most of all, I want to prove that privacy policies and terms of service agreements are not an effective method of informing users what is being done with their data.

Do these policies matter?

Until recently, I had never read the privacy policy of any website, app, or online service I have used. And as of yet, I have never knowingly faced any negative repercussions from this, and I am not the only one.

However, that is not always the case. One day in 2010, 7,500 users of GameStation unknowingly agreed to pay an extremely high price for using the online service. No person could have expected a terms of service agreement to claim something this important to its users. Below is an excerpt of that terms of service policy:

By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant us a non transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorized minions.

7,500 users unknowingly surrendered their immortal souls in the “immortal soul clause” buried in the terms and conditions (Smith, 2010). Yes, this was a joke and no souls were claimed. However, similar clauses were used in an 2018 academic study (Obar, 2018).

Researchers tested how undergrads would interact with the privacy policy and terms of service for a fictitious social media company called NameDrop. The study had respondents agree to a privacy policy and terms of service agreement. The two statements were modified versions of LinkedIn’s so their lengths and structure were realistic. However, in those policies the researchers put two “gotcha” clauses. One was stating that NameDrop may share your personal data with the NSA and the other was claiming the user’s first-born child. Those clauses are shown here:

3.1.1 NameDrop Data […] Any and all data generated and/or collected by NameDrop, by any means, may be shared with third parties. For example, NameDrop may be required to share data with government agencies, including the U.S. National Security Agency, and other security agencies in the United States and abroad. NameDrop may also choose to share data with third parties involved in the development of data products designed to assess eligibility. This could impact eligibility in the following areas: employment, financial service (bank loans, insurance, etc.), university entrance, international travel, the criminal justice system, etc. Under no circumstances will NameDrop be liable for any eventual decision made as a result of NameDrop data sharing.

2.3.1 Payment types (child assignment clause): In addition to any monetary payment that the user may make to NameDrop, by agreeing to these Terms of Service, and in exchange for service, all users of this site agree to immediately assign their first-born child to NameDrop, Inc. If the user does not yet have children, this agreement will be enforceable until the year 2050. All individuals assigned to NameDrop automatically become the property of NameDrop, Inc. No exceptions

Of the 543 participants in the study only 3% didn’t accept the privacy policy and 7% didn’t accept the terms of service. Respondents were later interviewed and only 11 mentioned data sharing while only 9 mentioned the child assignment clause. This means that at least 523 respondents unknowingly agreed to share their data with the NSA and forfeit their offspring (Obar, 2018).

Both of these examples had little effect in real-life, but that is not always the case. A nigeran instant loan app called Okash has been known to use some pretty harsh collection methods for users who don’t make their loan payments.

Twitter users complained that the company was messaging their contacts and telling them that the user was not paying their loan back. Users brought up stories of the loan company messaging or calling their supervisors, friends, even priests and informing them of the user’s financial woes.

I am sure that no person would want their financial issues shared with all of their contacts. So, what allowed Okash to do this? At the bottom of clause 11 of Okash’s Terms Of Service (at the time of writing this) they state the following:

11. We may contact you and/or your emergency contact. […] In the event we cannot get in contact with you or your emergency contact, you also expressly authorize us to contact any and all persons in your contact list.

Every Okash user agreed to this policy whether they knew it or not. There is little chance that many of the users understood that the company would resort to these shaming methods. This is a real-life example of one of these policies actively infringing on its users privacy and that of their contacts. This caused unnecessary harm and embarrassment for users who did not know what they were agreeing to.

This is not the only issue that has come up. There have been serious concerns about many companies’ policies in the US. Perhaps the most famous is the Cambridge Analytica Scandal. In which an app called “This Is Your Digital Life” was stealing its users’ and their Facebook friends’ data. The data was used by Cambridge Anlaytica who was working for the Trump campaign. An estimated 87 million Facebook users had their data stolen as a result (Kang, 2018).

There are countless other security issues that have received media attention including FaceApp, TikTok, Facebook, and others. These issues can and do impact all of us.

Does anyone read these policies?

Some people might, but most do not. The NameDrop study stated that their terms of service should have taken 15-17 minutes to read and the privacy policy should take 29-32 minutes. The median time respondents spent on each are 14.04 seconds and 13.6 seconds respectively. Below is a graph from the researchers showing how much time respondents spent reading the policies.

Perhaps even more concerning, the study also found that 90% of respondents claimed that they use quick-join clickwraps often or sometimes. This means that these users agree to the policy without ever even seeing any part of it (Obar, 2018).

The lack of people reading these statements has inspired countless references from comedians and tv shows. Even an FTC chairman said, “We all agree that no one is reading privacy policies” (Cate, 2020).

Should I read these policies?

Yes, but no. Of course, everyone should know what a company is doing with their data. But it’s pretty unlikely that anyone could read all of the policies that they come across. In fact, PayPals’ privacy notice has 36,275 words which is longer than Hamlet (Warner 2020).

A 2008 study found that for one person to read the privacy policy of every site they come across they would need 244 hours a year which comes out to over 30 eight-hour working days of just reading privacy policies annually. If people were to skim the policies, they would spend 154 hours or just over 19 eight-hour days skimming. Accumulating in 53.8 billion hours of reading or 33.9 million hours of skimming nationwide. If companies were to pay employees to read all of the of the privacy policies they interacted with at work it would cost 617 billion dollars at the national level (McDonald 2008). Keep in mind, this study was done in 2008. The average number of sites visited and the number of sites with privacy policies has probably increased since then.

Clearly, people cannot be expected to take the time necessary to read these policies. But can they even understand them? Another study done in 2002 looked at the average reading level required to understand privacy policies of the top 25 internet health sites. They found that the policies ranged from “somewhat difficult” to “very difficult” and were written at a 14th grade reading level. Meaning that two years of college would be expected before someone could read and comprehend the policies (Gerber, 2002). A similar study was done in 2005. It that found that a 14th grade reading level was still required. This is extremely concerning considering that an 8th grade level is recommended for general consumption (Sheehan, 2005).

Worse still, there was another study in 2005 that analyzed the communicative strategies that were used in online privacy policies and found that they often employed problematic language. First, they downplayed certain qualities of the policy by using words like “carefully selected” or “occasionally”. Second, companies tended to obfuscate reality by using cautious language or by deceiving and confusing readers. This is done with terms like “may”. Furthermore, companies try to forge intimate relationships with their readers in order to build more trust. This is done by using first-person pronouns like I, my, you, and your (Pollach 2005). Not only are these policies difficult to read, they are actively using language that is designed to make you more likely to accept the policy regardless of how problematic the contents are.

So, these policies are first, simply too long and too plentiful to read. Second, they are written at a prohibitively high reading level. Third, they use advanced literary strategies in order to convince readers to agree. It cannot be argued that these policies effectively inform users how a company will use their personal data or what data they will collect.

What does this mean?

This model of informed consent is broken and needs dramatic change. Several ideas have been advanced over time as to how to deal with the issues presented in this post. I discuss these in my post Notice & Consent Alternatives.

References

Cate, F. (2020) Data Privacy and Consent. Retrieved from https://www.youtube.com/watch?v=2iPDpV8ojHA&t=422s

Graber, M. A., D’Alessandro D. M., Johnson-West, J.(2002) Reading Level of Privacy Policies on Internet Health Web Sites. Journal of Family Practice 51:7 642-642

Kang, C., Frenkel, S. (2018) Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users. Retrieved from https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html

McDonald, A. M., Cranor, L. F. (2008) The Cost of Reading Privacy Policies. I/S A Journal of Law and Policy, 4:3 543-568.

Obar, J. A., Oeldorf-Hirsch, A. (2018) The Biggest Lie on the Internet:
ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23:1, 128-147. doi: 10.1080/1369118X.2018.1486870

Pollach, I. A (2005). Typology of Communicative Strategies in Online Privacy Policies: Ethics, Power and Informed Consent. Journal of Business Ethics 62, 221-235. doi: 10.1007/s10551-005-7898-3

Sheehan, K. B., (2005) In Poor Health: An Assessment of Privacy Policies at Direct-to-Consumer Web Sites. Journal of Public Policy & Marketing, 24:2 278-283.

Smith, C. (2010) 7,500 Online Shoppers Accidentally Sold Their Souls to Gamestation. Retrieved from https://www.huffpost.com/entry/gamestation-grabs-souls-o_n_541549

Warner, R. (2020) Notice and Choice Must Go: The Collective Control Alternative. SMU Science & Technology Law Review, forthcoming

Published by Devin Doneen

MSBA student

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: