Here’s a surprising statistic. According to a recent Brookings survey, 20% of people claim they read the terms and conditions for online services most of the time. I’m not surprised because this statistic is so low. I’m surprised that it’s so high. One firm hired an actor to actually read the Kindle terms of service and found that it took 9 hours. In other words, I think that the people claiming to read the terms of service for all the sites or apps they use are probably exaggerating, to say the least. Yet, most sites offering services make you click a box to indicate that you actually read the terms of service. It’s kind of a game. “You pretend to read the terms of service and we’ll pretend to believe you.” A 2017 Deloitte survey seems closer to the truth. They found that “91% of people consent to legal terms and services conditions without reading them. For younger people, ages 18-34 the rate is even higher with 97% agreeing to conditions before reading.”
So does this mean that people don’t really care that much about privacy, or does this mean that they just don’t have enough time to worry about it? Could it be that companies realize this and take advantage of it by overwhelming users with unimportant, confusing details? Could it be that they do this in order to have access to a user’s personal information? There’s a lot to be untangled here.
My personal opinion on this is that if people really knew what they were giving away, they would never agree to it. I say this after reading and reporting on the Yahoo terms of service, which, among other conditions, states that “when you sign up for paid Services, use Services that require your financial information or complete transactions with us or our business partners, we may collect your payment and billing information.” Then, there’s my favorite paragraph, where you give away your rights to anything you use on Yahoo (Oath is their marketing arm).
“When you upload, share with or submit content to the Services you retain ownership of any intellectual property rights that you hold in that content and you grant Oath a worldwide, royalty-free, non-exclusive, perpetual, irrevocable, transferable, sublicensable license to (a) use, host, store, reproduce, modify, prepare derivative works (such as translations, adaptations, summaries or other changes), communicate, publish, publicly perform, publicly display, and distribute this content in any manner, mode of delivery or media now known or developed in the future; and (b) permit other users to access, reproduce, distribute, publicly display, prepare derivative works of, and publicly perform your content via the Services, as may be permitted by the functionality of those Services… You must have the necessary rights to grant us the license described in this Section 6(b) for any content that you upload, share with or submit to the Services.”
I should note that such agreements are not unique to Yahoo. You can find almost identical paragraphs in the terms of other well known sites. The question is this: If you knew in simple terms what they wanted from you, would you agree to use Yahoo or would you use another email provider?
To answer one of the questions mentioned above, it seems that people really do care about their privacy. The Brookings survey found that 80% of people think online privacy is important. However, 85% believe that companies should get an individual’s approval before making use of their personal data. That said, most people don’t know if their personal information is being harvested or how it is used once it is.
Let’s make this clear. Companies aren’t going to give away a service for free. They make money by collecting data from their users in order to sell it to online marketing firms. These firms mine the data so that the companies they work for can target customers. If you see an interesting ad show up on one of the sites you use, it is because some other site that you visited has gotten information that you provided, whether you knew it or not. You may have simply agreed to a contract you didn’t read, but you agreed to a contract.
People do not feel comfortable when knowingly giving out personal information online. This can happen when filling out a form to receive some document, service, or software, for example. According to a Malwarebytes survey, nearly 90% of people felt uncomfortable giving out their personal information in this manner. They are especially wary of social media sites, as can be seen in the following chart from the Malwarebytes report.
In short, no one trusts social media, but that hasn’t stopped them from continuing to use it.
Users also distrust search engines but not as much as they do social media. In truth, search engines can gather far more data than most people think. By seeing what you search for, they learn what you are interested in. This makes you an easy target for ads or suggested search results. They can also promote specific products and viewpoints. Interestingly, there are anonymous search engines that use major search engine results but hide your identity; however, most people don’t make the effort to use them. Besides, it is often convenient for users when their search engine suggests sites they frequently visit, which only means their browsing history has been captured.
So what is really going on here? People overwhelmingly say they want privacy, yet won’t make the extra effort to get it. This is what a study at MIT referred to as the ‘privacy paradox’. “Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so.” In this study, students gave up private information for as little as the promise of a free pizza. They also gave up privacy whenever some difficulty in achieving their objective arose. “Whenever privacy requires additional effort or comes at the cost of a less smooth user experience, participants are quick to abandon technology that would offer them greater protection.” In other words, if they have to read any user agreement, lengthy or not, they will readily abandon privacy concerns. This attitude falls right into the online data gatherer’s hands.
The European Union has tried to protect the web user from having their privacy exploited and their data being used without their consent. This regulation is referred to as the General Data Protection Regulation (GDPR). Each website must, when navigated to, explain what data is being collected and by whom. Sites must give the user the right to allow such collection or not. Now, given what is written above, do you really think people will read the details when they are presented with privacy options? Of course not. As one tech site noted, “all the GDPR has done is made people constantly need to click on annoying privacy and cookie notices that they don’t read and don’t find useful at all.”
Here is an example of what users see when navigating to a site that gathers information via cookies.
Some cookies you can opt out of by unchecking the box, others do not allow you to opt out at all, and many allow you only to opt out by visiting their websites. In fact, you can only opt out of 28 (19.5%) of the sites by using this dashboard. If you visit the company site to opt out, they will only allow you to do so if you give them your name, address, email address, and phone number. I’m sure they will protect that information with their lives. Some sites will let you decline cookies and continue to use the site, but they are rare. More often, you can either click accept or not be allowed to visit the site at all.
In the end, the noble idea of protecting a user from having their information used without their consent has only shown that users really don’t care if their information is used without their consent. I have made a valiant effort to read all of these GDPR notices and have opted out as much as possible. However, opting out of a data gatherer working on one site does not mean that the same data gatherer will not get your information from another site you visit. In other words, if you think you can avoid tracking cookies in this way, you are probably mistaken.
Probably the best way to stop data gatherers is to use a VPN. VPNs are not foolproof, but they can stop the most basic data gathering technique: identifying you via your IP address. Another tracking technique, fingerprinting, uses the principle that all computers are unique. They can identify the computer that is accessing their site and then follow it around as it leaves its ‘fingerprints’ elsewhere on the net. Beacons are another way to get your personal data. These are invisible one-pixel programs located on a website that will send out information about a site’s visitors. There are software programs that will block this type of surveillance, but other ways of following you are developing every day.
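Beacons of the kind described above are commonly delivered as 1x1 or hidden images loaded from a third-party host. As an added example (not part of the original article), the Python code below scans a page's HTML for such images so you can see which outside hosts a page reports to; the sample HTML, the host names and the `find_beacons` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party logo, two beacon-style images,
# and one ordinary third-party photo that should not be flagged.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="https://metrics.tracker.example/p.gif?uid=42" width="1" height="1">
<img src="https://ads.example.net/b?cid=abc" style="display: none">
<img src="https://cdn.example.org/photo.jpg" width="640" height="480">
</body></html>
"""

class BeaconFinder(HTMLParser):
    """Collect third-party <img> tags that are 1x1 (or 0x0) or hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        # Relative URLs have no hostname; treat them as first-party.
        if host is None or host == self.page_host:
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.beacons.append((host, "1x1" if tiny else "hidden"))

def find_beacons(html, page_host):
    """Return (host, reason) pairs for beacon-like images in the page."""
    finder = BeaconFinder(page_host)
    finder.feed(html)
    return finder.beacons

if __name__ == "__main__":
    for host, reason in find_beacons(SAMPLE_HTML, "shop.example"):
        print(f"possible beacon: {host} ({reason})")
```

This only catches image beacons declared in static HTML; trackers injected by scripts need a browser-level blocker to observe.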
But the sad truth is that online marketers don’t need much sophistication to get your personal information. By now, they’ve probably figured out that all they really have to do is overwhelm you with privacy information and ask for your permission to use whatever data they can collect. They’ve learned that, most of the time, users will hand over their personal information without a whimper.