How To Skim A Privacy Policy

You just downloaded the hottest new app, and now you have to click through pages of boilerplate text before you can use it. Who has time for all that? Even privacy and security-minded folks often skim through an app’s Terms of Service, and for good reason. Researchers at Carnegie Mellon estimated that it would take a whopping 76 work days to read through all the privacy policies encountered in a year, and that was back in 2008!

While you shouldn’t feel compelled to read your apps’ and services’ privacy policies word for word—boring!—there are still a few key criteria you should look for while you’re skimming. Yes, skimming; you shouldn’t ignore privacy policies completely, because it’s important to know what’s being done with (or to) your data.

A shorter privacy policy isn’t always better

Thanks to the GDPR and increasing awareness of online privacy issues, a number of companies are starting to write out their privacy policies in language that’s easier to understand. Some are even focusing on issues such as how data is collected, stored, used and shared, but that doesn’t always help with brevity.

Whitney Merrill, Privacy and Data Counsel at Brex, said that privacy policies that are long aren’t necessarily bad. “If people see something that’s really long, they think, ‘Oh, my God, you’re doing all these bad things!’ but it could also mean you’re being super transparent about everything and you’re trying to explain what’s happening,” she said.

In other words, don’t give a free pass to a company with a short privacy policy, and don’t ignore a privacy policy that’s a bit long—thoroughness, in this case, isn’t the worst thing in the world.

Look for brevity, updates and callbacks

If brevity isn’t necessarily an indicator of a better privacy policy, what is? Privacy policies using easy-to-read language or that have summaries that are clear and concise are, at the very least, an indicator that the company is trying to communicate in a way that users can understand. Information on when a privacy policy has been updated is a good sign, too. (GitHub even describes changes to its privacy policy in its Site Policy repository.)

Merrill likes Apple’s privacy page, which explains its privacy values and principles. And, she pointed out, Apple has a graphic of two little blue people shaking hands that shows up throughout their signup flows and copy. This same icon appears within iOS and macOS whenever Apple’s apps ask to use your personal information in some way.

“Anytime you see them, it’s an indication that they’re going to talk about data, data use, data sharing, or data collection,” she said.

In some areas, Apple will even provide links or refer back to their policy to provide additional information on what is being collected and how it’s being used. “I think that’s really helpful, too, because one of the concerns is, when you give permissions to something, you don’t really have the context to understand what it’s being used for,” she said.

You might not need to deep-dive a privacy policy after all

Fred Jennings, Associate Corporate Counsel at GitHub (who asked to clarify that he was not giving legal advice or acting as GitHub’s lawyer when speaking to us) points out that the level of scrutiny you give to a privacy policy might depend on what you’re using the app or tool to do. “The threshold question before you even start reading the policy is, what kind of data am I giving to the service and how private is it?” he said.

For example, a photographer worried about copyright might pay more attention to photo tools’ policy than someone who’s just posting amateur food photos to Instagram, and a business owner might look closely at cloud sharing or file storage services.

Broad can be bad

Some companies draft terms that are very permissive (to themselves), often because their lawyers want to cover all possible scenarios. In some cases, companies aren’t actually using the data you provide, but they want to have the opportunity to do so in the future without the bad press that companies sometimes get when they change their privacy policies (or the hassle of needing to get everyone’s consent again). However, it’s hard to tell whether companies intend to, for example, take advantage of the copyright you signed away to your own user-created content, or are including that language in their policy just in case.

Language used in privacy policies is often deliberately ambiguous, says Jen King, Director of Consumer Privacy at Stanford Law School’s Centre for Internet and Society. For example, many forms say they ‘may’ or ‘might’ or ‘could’ do certain things, which makes interpretation tricky.

When in doubt, it’s best to assume that companies are doing or will soon be doing exactly what they reserve the right to do in their policies. Whether or not it’s a deal breaker for you depends on what you’re using their services to do. According to Jennings, some areas you may want to pay attention to while scrolling through the policy include sections covering what data a company collects, and how it shares and stores this data.

Data collection

A great privacy policy spells out what information a company is collecting about you. This could include your name, address, social media details, IP addresses and other unique identifiers, GPS information, and so forth. This data might also be combined with information the company collects from third parties.

Beyond your personal information, there’s also the question of content you create using a company’s apps or services. Pay attention to whether the company is getting a licence to simply post your images or other content to third parties, or if it’s claiming a larger degree of ownership.

If a photographer is planning on publishing images to a photo-sharing site, but may also want to sell them elsewhere later, a publisher may want to know if any other entities have a right to publish that work. “If I have to delete my account to say that I have not published it anywhere else, I’d still want to know whether that data is perpetually licensed to the company, even after I delete my account,” Jennings explained.

Start by hitting Ctrl+F and looking for “ownership” to suss out what kind of rights and what kind of licence the company is getting to your creative work, then search for the related terms: perpetual (perpetual and perpetuity are legalistic keywords sometimes used to describe how long something is held on to), worldwide, and sole discretion. Once you find the appropriate section, take some time to read it in detail.

Data Sharing

“One of the number one things I look for when I do skim them is if I can determine if they’re selling my data,” King said. This, again, is where declarative statements fit in. “Occasionally you find a privacy policy where the company has taken a stand on that issue, and they’ll just say, clearly, we do not sell or share your data with anybody.”

But even companies that insist they don’t sell your data aren’t doing enough, because “sharing” can be just as bad. And apps that say “we only share with our affiliates” could be doing so more broadly than you’d imagined. For example, Match Group, Inc., which owns Match.com, also owns Tinder, OkCupid and PlentyOfFish—and OkCupid users may not be aware their data is being shared with Tinder. Additionally, even if you trust the data sharing policy of the organisation you share information with, the organisations it shares with may have different policies.

Look for the words ‘collect’, ‘share’ and ‘affiliates’.

Data sharing also includes sharing information with the government. “If this is some place where I’m storing more private data, I might be curious about phrases like ‘legal process’ or ‘law enforcement’ in there as well,” Jennings said. ‘Disclose’ may also be useful.

Data Storage

Ctrl+F for phrases like “store” and “encrypt” to find information about how a company is saving your data on its servers, and look up “deletion” or “retention” to see what you can learn about how long it keeps your information.
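The Ctrl+F advice in the Data collection, Data Sharing and Data Storage sections amounts to a keyword skim, which can be automated. The script below is an added illustration, not part of the original article: it groups the article’s keywords into the three categories, pulls out every sentence that mentions one, and labels each sentence as hedged (“may”, “might”, “could”), declarative (“we do not sell”) or plainly stated. The sample policy text is constructed for the example, not taken from any real company.

```python
import re

# Keyword groups drawn from the article's Ctrl+F advice; this script is an added
# illustration, not part of the original article, and the sample policy is constructed.
KEYWORDS = {
    "ownership": ["ownership", "perpetual", "perpetuity", "worldwide", "sole discretion"],
    "sharing": ["collect", "share", "affiliate", "sell", "disclose",
                "legal process", "law enforcement"],
    "storage": ["store", "encrypt", "deletion", "retention", "retain"],
}
# Hedged rights-reserving language versus a clear declarative stance.
HEDGES = re.compile(r"\b(may|might|could)\b", re.IGNORECASE)
DECLARATIVE = re.compile(r"\b(do not|does not|will not|never)\b", re.IGNORECASE)

def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def classify(sentence):
    """Label a sentence as hedged, declarative, or plainly stated."""
    if HEDGES.search(sentence):
        return "hedged"
    if DECLARATIVE.search(sentence):
        return "declarative"
    return "stated"

def skim(text):
    """Map each category to (sentence, label) pairs; a sentence may hit several categories."""
    hits = {cat: [] for cat in KEYWORDS}
    for sentence in split_sentences(text):
        lowered = sentence.lower()
        for cat, words in KEYWORDS.items():
            if any(w in lowered for w in words):
                hits[cat].append((sentence, classify(sentence)))
    return hits

def hedge_count(text):
    """Return (hedged sentences, total sentences) as a rough vagueness measure."""
    sentences = split_sentences(text)
    return sum(1 for s in sentences if classify(s) == "hedged"), len(sentences)

SAMPLE_POLICY = (  # constructed sample text, not any real company's policy
    "We collect your name, email address and IP address. By posting content you "
    "grant us a perpetual, worldwide licence to use it at our sole discretion. "
    "We do not sell your data. We may share your information with our affiliates. "
    "We may disclose data to law enforcement in response to legal process. Data is "
    "stored on our servers and retained for up to 24 months after deletion of "
    "your account."
)
```

Running `skim(SAMPLE_POLICY)` surfaces the perpetual licence sentence under “ownership” and marks the two “may share/disclose” sentences as hedged, which is exactly where the article says to slow down and read in detail.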

Unfortunately, information on data storage is often vague and opaque, and companies suffer so many security breaches that it’s hard to keep count. Even if a privacy policy is one you’re comfortable with, protecting your data requires additional measures beyond trusting the company that’s storing it:

  • Consider only providing apps with the information needed for them to function. Adding data beyond what’s required doesn’t always offer much benefit. For example, a period tracking app only needs dates and times to work; it doesn’t need the names and birthdates of your sexual partners.

  • Make sure to use unique, complex passwords on your accounts, so that if your password is compromised, it’ll only affect one account.

  • Use a security key (such as a YubiKey) or an app like Google Authenticator or Authy, in addition to your password, for multi-factor authentication.

Additional Resources

Widely shared posts about what Facebook does with your data have been thoroughly debunked, but there are some useful resources found online. Although it’s still in its infancy, Guard is an artificial intelligence service that reads privacy policies and warns users of privacy threats in digital services they use.

EFF also publishes a “Who Has Your Back” report, which does the heavy lifting: it breaks down how transparently companies report takedown requests (both those based on platform policy violations and those based on legal requests), whether there’s notice and an appeal process for content takedowns and suspensions, and more.
