People have always balked at reading terms of service — the acres of fine print on the bottom of insurance policies and product agreements and in pop-ups on apps and websites. It’s so much easier and quicker to click “I agree” than to wade through hours of boring legalese. But there are risks. A 2016 academic study found that 98 percent of people signed up for a fictitious free Wi-Fi service, NameDrop, even though clause 2.3.1 of its terms states: “By agreeing to these Terms of Service, and in exchange for service, all users of this site agree to immediately assign their first-born child to NameDrop, Inc.”
In this age of big data, AI, and machine learning, there must be a better way for companies to present — and for consumers to manage — the small print. A sense of urgency to develop such systems is rising. “Data companies have preached the mantra of transparency for their users, but have not applied it to themselves,” explained Alessandro Acquisti, PwC William W. Cooper Professor of Risk and Regulatory Innovation at Carnegie Mellon University, in an email. As a result, “privacy policies do not really fulfill the goal of transparency.”
To address these shortcomings, participants in the open data scene, who have been raising red flags about privacy and data for years, and academics have developed a transparent user-powered review site for the fine print. When I first stumbled across Terms of Service; Didn’t Read (ToS;DR), an initiative started in 2012, I thought I was in an online confessional for guilty “I agreers.” But ToS;DR is far more useful. Its purpose is to do the reading for you — or, rather, to have others do the reading for you — and rate the privacy details in ToS agreements, including those of Google, Facebook, Amazon, and YouTube.
Think of Rotten Tomatoes or Reddit, but for the fine print. ToS;DR assigns thumbs-up or thumbs-down icons based on the aggregate scores of its crowdsourced reviews. It’s especially keen on revealing what a site will do with your data. Each site analysis is summarized with a bulleted list of useful ToS elements, such as “this service tracks you on other websites,” “this service can share your personal information with other parties,” and “this service can delete your account without prior notice and without a reason.”
“Data companies have preached the mantra of transparency for their users, but have not applied it to themselves.”
“We’re a grassroots, nonprofit community. Our review process is open for everybody to join the discussions, and to challenge review points when they disagree,” explained Michiel de Jong, who helps maintain the site that describes him as an independent freedom hacker. “It’s similar to ratings you may read on sites where a community of users reviews movies, restaurants, or hotels. If you don't agree with a review point, you can leave a comment there and participate in the discussion.”
About 100,000 people have downloaded a ToS;DR browser extension widget that sounds the alert as you hover over that tempting button to immediate gratification. That’s an infinitesimally small proportion of the billions of Internet users. Still, it shows there is a community that cares about independence. The site, which does not pay for reviews, supports itself from donations and grants. It received a €10,000 Google Entrepreneurship grant, for example, and a €15,000 donation from DuckDuckGo, a search engine that differentiates itself by not tracking users. (DuckDuckGo, as you might expect, has more positive ratings on ToS;DR than Google.)
The Wisdom of Computers
In this age of machine learning, computers are taking on some of the work that people have long done for themselves. Just as Netflix discerns your preferences in films and Zappos gets wise to your taste in shoes, algorithms could learn to understand your privacy preferences. A group of researchers at Carnegie Mellon University are working on what they call “personalized privacy assistants,” or, as their site explains, “intelligent agents capable of learning the privacy preferences of their users over time, semi-automatically configuring many settings, and making many privacy decisions on their behalf.”
To set up a privacy assistant, however, users are going to have to agree to being stalked online so the computer can learn about their relationship to privacy, something that presumably requires us to agree to terms of service. The ultimate goal may be to nudge us to take more care with what we agree to, but what privacies will we have to give up in the process?
Relying on either the wisdom of crowds or the wisdom of computers, however, might not be enough. Acquisti, who is part of the Carnegie Mellon team, believes that the onus shouldn’t be on consumers to continually track the way their data is used. “We cannot expect, or pretend, individuals to be constantly aware of and engaged with all the myriad of ways tools and services continuously collect and track their information,” he wrote in an email. “The effort needed to consciously manage such unending flows of data would be nearly superhuman.”
Instead, because privacy management is a societal issue that requires societal solutions, Acquisti argues that it is necessary to set clear privacy standards that companies can adhere to. “If, as a society, we were to set a goal of handling the issue of privacy better, then a combination of smart regulation and technology would be needed,” he noted. Smart regulation should encourage technologies that allow organizations to collect and use consumer data while doing more to protect privacy.
Earlier this year the European Union’s General Data Protection Regulation, developed in response to data privacy concerns, went into effect. Among other things, it requires all companies operating in the E.U. that collect personal data, no matter where they are located, to disclose what they do with that data “in an intelligible and easily accessible form, using clear and plain language.” But this effort produced its own avalanche of fine print. In the run-up to GDPR, hundreds of millions of consumers received emails from all the websites and apps they use asking them to review the new privacy settings — or to simply click “I agree.” Without guidance from the ToS;DR widget or help from a privacy personal assistant, most people probably took the path of least resistance.
In the future, the courts may help define what “intelligible and easily accessible” is as it applies to websites, depending on how the regulations are enforced and disputed. Such a step could ultimately provide clearer guidelines and perhaps even a generally accepted data privacy ratings system. One thing is certain, however: The small print is here to stay.