Naked Security

Users sign away their firstborns on fake social network

A study confirms: the biggest lie on the internet is "I have read and accepted these TOS." 98% also signed off on sharing info with the NSA.

We already know that people are willing to hand over their firstborns for free Wi-Fi.

Or, at least, they’re more willing to accidentally sign over perpetual ownership of their tots than they are to read lengthy terms and conditions. We know this thanks to a security firm that set up an open Wi-Fi network in a busy public area in London and then presented people with lengthy terms and conditions to sign up and – buh-bye, now! – inadvertently sign kids away in blissful ignorance.

Now, thanks to new research, we know that the same goes for signing up for a new social media platform.

Sorry, kids: you’ve once again been put on the bargaining table by researchers out to prove the point that this is the biggest lie on the internet:

I have read and agree with the terms and conditions.

The study comes from Jonathan Obar, who teaches communication technology at York University, and Anne Oeldorf-Hirsch, a University of Connecticut communications assistant professor.

Their study is titled The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services.

Besides sneaking the (legally unenforceable, of course!) Herod clause about the firstborn past most people, the study also found that participants are apparently just fine with their data being shared with the National Security Agency (NSA) and employers.

The reason is similar: they’re not reading privacy policies.

The study involved 543 participants – undergraduate students “recruited from a large communication class at a university in the eastern United States” – and an experimental survey that presented them with a new, fictitious social networking site named “NameDrop.”

The students were told that their university was working with NameDrop and that they would be “contributing to a pre-launch evaluation.” According to the deception, the students needed to sign up for the site to perform that analysis.

To make sure the TOS policies were long enough to ensure glazed-over eyeballs, the researchers modeled them on an actual policy: namely, LinkedIn’s.

The privacy policy, modified with the “gotcha!” clause, weighed in at 7,977 words. The modified TOS came in at 4,316.

The results: 74%, or 399 students, signed up with NameDrop without reading the privacy policy, instead selecting a “quick join” option.

Most – 98% – missed both NameDrop’s gotcha clause about data sharing with the NSA and employers and the bit about paying for the service with a firstborn.

For those who did read the privacy policy, the average reading time clocked in at 73 seconds. For those who bothered to read the terms and conditions, the average reading time was 51 seconds.

It should have taken far longer, the researchers said, given the average adult reading speed of 250-280 words per minute.

From the study:

PP should have taken 30 minutes to read, TOS [Terms of Service] 16 minutes.

That can add up fast: A separate study from Carnegie Mellon found, in 2012, that were each and every internet citizen to read each and every privacy policy on every website they visit, they’d spend 76 work days per year doing nothing but that.

From a writeup in The Atlantic:

If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that’s 53.8 BILLION HOURS of time required to read privacy policies.

With regard to the more recent study, the researchers say that the cause of all these firstborn babies being theoretically handed over as currency for online services is, no surprise here, information overload:

A regression analysis revealed information overload as a significant negative predictor of reading TOS upon signup, when TOS changes, and when PP changes.

Qualitative findings further suggest that participants view policies as nuisance, ignoring them to pursue the ends of digital production, without being inhibited by the means.

The researchers conclude that the study adds support for the argument that “notice and choice policy is deeply flawed, if not an absolute failure.”

From the paper:

Transparency is a great place to start, as is notice and choice policy; however, all are terrible places to finish. They leave digital citizens with nothing more than an empty promise or protection, an impractical opportunity for data privacy self management, and… too much homework.

If adults can’t get through these policies, imagine how vanishingly small the possibility is that children can protect themselves, the researchers suggest.

They can’t be protected by long policies that nobody reads, and they can’t keep their parents from inadvertently signing them over – along with their own data privacy rights.

5 Comments

I have a friend, who is a lawyer, and I’ve witnessed him review an entire ToS and actually redline some of the text prior to signing the agreement. Point here, if you’re not a lawyer, they are terribly hard to understand in most cases. What are we to do? Stop using all things that require a PP or a ToS to be signed?


One problem is if you don’t agree, you don’t use the site. Many don’t see this as a problem or the associated consequences. I went to a site, the ULA (User License Agreement). Anyway the ULA was 960+ pages all written in CAPS and legalese. I skipped the site. I doubt they knew or cared, which they should. I bet none of these sites track who reads them and leaves. Many commercial sites allow data to be stored anywhere in the world and the company owns it, even though it’s yours. One place that was support for the animal ID for my pet. So to use the device that I paid for, I now have to agree to something unknown at the time of purchase. They store data worldwide and anything entered by you is theirs for any use they wish. NO THANKS, how to get it out of my cat??? I work in politics sometimes and know senators or representatives. I don’t want anything that relates to them on a server that ISIS can get to, or anyone else for that matter. I’m uncomfortable if they can get access to the hardware. Also like iOS 10, nice, but can’t control the iCloud that I’ve found.


They’re intentionally impossible to read. I am in the minuscule number of patients who actually read the 28 pages of the privacy policy at my hospital: the first two pages are straightforward and easy to read, and parrot the usual HIPAA terms; the next 26 pages are written in legalese and basically say, “if we deem your data useful for an important purpose, we will anonymize it to our own satisfaction and use it, without notifying you or requiring your permission.” You can drive trucks through the legal holes. They are there by design.
