You just downloaded the hottest new app, and now you have to click through pages of boilerplate text before you can use it. Who has time for all that? Even privacy and security-minded folks often skim through an app’s Terms of Service, and for good reason. Researchers at Carnegie Mellon estimated that it would take a whopping 76 work days to read through all the privacy policies encountered in a year, and that was back in 2008!
While you shouldn’t feel compelled to read your apps’ and services’ privacy policies word for word—boring!—there are still a few key criteria you should look for while you’re skimming. Yes, skimming; you shouldn’t ignore privacy policies completely, because it’s important to know what’s being done with (or to) your data.
Thanks to the GDPR and increasing awareness of online privacy issues, a number of companies are starting to write out their privacy policies in language that’s easier to understand. Some are even focusing on issues such as how data is collected, stored, used and shared, but that doesn’t always help with brevity.
Whitney Merrill, Privacy and Data Counsel at Brex, said that privacy policies that are long aren’t necessarily bad. “If people see something that’s really long, they think, ‘Oh, my God, you’re doing all these bad things!’ but it could also mean you’re being super transparent about everything and you’re trying to explain what’s happening,” she said.
Look for brevity, updates and callbacks
Merrill likes Apple’s privacy page, which explains its privacy values and principles. And, she pointed out, Apple has a graphic of two little blue people shaking hands that shows up throughout their signup flows and copy. This same icon appears within iOS and macOS whenever Apple’s apps ask to use your personal information in some way.
“Anytime you see them, it’s an indication that they’re going to talk about data, data use, data sharing, or data collection,” she said.
In some areas, Apple will even provide links or refer back to their policy to provide additional information on what is being collected and how it’s being used. “I think that’s really helpful, too, because one of the concerns is, when you give permissions to something, you don’t really have the context to understand what it’s being used for,” she said.
For example, a photographer worried about copyright might pay more attention to photo tools’ policy than someone who’s just posting amateur food photos to Instagram, and a business owner might look closely at cloud sharing or file storage services.
Broad can be bad
Some companies draft terms that are very permissive (to themselves), often because their lawyers want to cover all possible scenarios. In some cases, companies aren’t actually using the data you provide, but they want to have the opportunity to do so in the future without the bad press that companies sometimes get when they change their privacy policies (or the hassle of needing to get everyone’s consent again). However, it’s hard to tell whether companies intend to, for example, take advantage of the copyright you signed away to your own user-created content, or are including that language in their policy just in case.
Language used in privacy policies is often deliberately ambiguous, says Jen King, Director of Consumer Privacy at Stanford Law School’s Centre for Internet and Society. For example, many forms say they ‘may’ or ‘might’ or ‘could’ do certain things, which makes interpretation tricky.
When in doubt, it’s best to assume that companies are doing or will soon be doing exactly what they reserve the right to do in their policies. Whether or not it’s a deal breaker for you depends on what you’re using their services to do. According to Jennings, some areas you may want to pay attention to while scrolling through the policy include sections covering what data a company collects, and how it shares and stores this data.
Beyond your personal information, there’s also the question of content you create using a company’s apps or services. Pay attention to whether the company is getting a licence to simply post your images or other content to third parties, or if it’s claiming a larger degree of ownership.
If a photographer is planning on publishing images to a photo-sharing site, but may also want to sell it elsewhere later, a publisher may want to know if any other entities have a right to publish that work. “If I have to delete my account to say that I have not published it anywhere else, I’d still want to know whether that data is perpetually licensed to the company, even after I delete my account,” Jennings explained.
Start by hitting Ctrl+F and looking for “ownership” to suss out what kind of rights and what kind of licence the company is getting to your creative work: ownership, perpetual (perpetual or perpetuity are legalistic keywords that sometimes get used to explain how long something is held on to), worldwide, or sole discretion. Once you find the appropriate section, take some time to read it in detail.
But even companies that insist they don’t sell your data aren’t doing enough, because “sharing” can be just as bad. And apps that say “we only share with our affiliates” could be doing it in a broader way than you’d imagined. For example, Match Group, Inc, which owns Match.com, also owns Tinder, OkCupid and PlentyOfFish, and OkCupid users may not be aware their data is being shared with Tinder. Additionally, even if you trust the data sharing policy of the organisation you want to share information with, the organisations it shares with may have different policies.
Look for the words ‘collect’, ‘share’ and ‘affiliates’.
Data sharing also includes sharing information with the government. “If this is some place where I’m storing more private data, I might be curious about phrases like ‘legal process’ or ‘law enforcement’ in there as well,” Jennings said. ‘Disclose’ may also be useful.
Control-F for phrases like “store” and “encrypt” to find information about how a company is saving your data on its servers, and look up “deletion” or “retention” to see what you can learn about how long it keeps your information.
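The Ctrl+F routine described above can be run in one pass over a saved policy. The following is an added example, not part of the original article: it groups the article's search terms into four categories, pulls out each sentence that matches, and flags sentences that hedge with "may", "might" or "could". The category names, the `skim` function and the sample policy text are constructed for illustration.

```python
import re

# Search terms from the article, grouped by the question each answers.
# Written as regex fragments so inflected forms match (share/shared/sharing).
TERMS = {
    "content rights": r"ownership|perpetu(?:al|ally|ity)|worldwide|sole discretion",
    "collection and sharing": r"collect\w*|shar(?:e[sd]?|ing)|affiliates?",
    "government access": r"legal process|law enforcement|disclos(?:e[sd]?|ing|ure)",
    "storage and retention": r"stor(?:e[sd]?|ing|age)|encrypt\w*|delet(?:e[sd]?|ing|ion)|retention",
}
PATTERNS = {cat: re.compile(rf"\b(?:{frag})\b", re.I) for cat, frag in TERMS.items()}
# The ambiguous wording the article warns about.
HEDGE = re.compile(r"\b(?:may|might|could)\b", re.I)


def skim(policy_text):
    """Return {category: [(sentence, matched_terms, hedged)]} for one policy."""
    sentences = re.split(r"(?<=[.!?])\s+", policy_text.strip())
    report = {cat: [] for cat in PATTERNS}
    for sentence in sentences:
        for cat, pattern in PATTERNS.items():
            hits = sorted({m.group(0).lower() for m in pattern.finditer(sentence)})
            if hits:
                report[cat].append((sentence, hits, bool(HEDGE.search(sentence))))
    return report


# Constructed sample policy text, not taken from any real service.
SAMPLE_POLICY = (
    "You grant us a perpetual, worldwide licence to content you upload. "
    "We collect your email address and usage data. "
    "We may share information with our affiliates at our sole discretion. "
    "We could disclose data in response to legal process. "
    "Backups are encrypted and stored for 90 days after account deletion. "
    "Contact support with any questions."
)

if __name__ == "__main__":
    for category, findings in skim(SAMPLE_POLICY).items():
        print(f"== {category}")
        for sentence, hits, hedged in findings:
            flag = " [hedged: treat as 'will']" if hedged else ""
            print(f"  {', '.join(hits)}{flag}\n    {sentence}")
```

The output is a reading list, not a verdict: each flagged sentence still needs to be read in the context of its section.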
Consider only providing apps with the information needed for them to function. Adding data beyond what’s required doesn’t always offer much benefit. For example, a period tracking app only needs dates and times to work; it doesn’t need the names and birthdates of your sexual partners.
Make sure to use unique, complex passwords on your accounts, so that if your password is compromised, it’ll only affect one account.
Widely shared posts about what Facebook does with your data have been thoroughly debunked, but there are some useful resources found online. Although it’s still in its infancy, Guard is an artificial intelligence service that reads privacy policies and warns users of privacy threats in digital services they use.
EFF also has a “Who Has Your Back” report, which does the heavy lifting and breaks down companies’ transparency in reporting takedown requests based on platform policy violations and on legal requests and whether there’s notice and an appeal process for content takedowns and suspensions, among other things.