Site icon Sophos News

Users sign away their firstborns on fake social network

We already know that people are willing to hand over their firstborns for free Wi-Fi.

Or, at least, they’re more willing to accidentally sign over perpetual ownership of their tots than they are to read lengthy terms and conditions. We know this thanks to a security firm that set up an open Wi-Fi network in a busy public area in London and then presented people with lengthy terms and conditions to sign up and – buh-bye, now! – inadvertently sign kids away in blissful ignorance.

Now, thanks to new research, we know that the same goes for signing up for a new social media platform.

Sorry, kids: you’ve once again been put on the bargaining table by researchers out to prove the point that this is the biggest lie on the internet:

I have read and agree with the terms and conditions.

The study comes from Jonathan Obar, who teaches communication technology at York University, and Anne Oeldorf-Hirsch, a University of Connecticut communications assistant professor.

Their study is titled The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services.

Besides sneaking the (legally unenforceable, of course!) Herod clause about the firstborn past most people, the study also found that participants are apparently just fine with their data being shared with the National Security Agency (NSA) and employers.

The reason is similar: they’re not reading privacy policies.

The study involved 543 participants – undergraduate students “recruited from a large communication class at a university in the eastern United States” – and an experimental survey that presented them with a new, fictitious social networking site named “NameDrop.”

The students were told that their university was working with NameDrop and that they would be “contributing to a pre-launch evaluation.” According to the deception, the students needed to sign up for the site to perform that analysis.

To make sure the TOS policies were long enough to ensure glazed-over eyeballs, the researchers modeled them on an actual policy: namely, LinkedIn’s.

The privacy policy, modified with the “gotcha!” clause, weighed in at 7,977 words. The modified TOS came in at 4,316.

The results: 74%, or 399 students, signed up with NameDrop without reading the privacy policy, instead selecting a “quick join” option.

Most – 98% – missed both NameDrop’s gotcha clause about data sharing with the NSA and employers, as well as the bit about paying for the service with a firstborn.

For those who did read the privacy policy, the average reading time clocked in at 73 seconds. For those who bothered to read the terms and conditions, the average reading time was 51 seconds.

It should have taken far longer, the researchers said, given the average adult reading speed of 250-280 words per minute.

From the study:

PP should have taken 30 minutes to read, TOS [Terms of Service] 16 minutes.

That can add up fast: A separate study from Carnegie Mellon found, in 2012, that were each and every internet citizen to read each and every privacy policy on every website they visit, they’d spend 76 work days per year doing nothing but that.

From a writeup in The Atlantic:

If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that’s 53.8 BILLION HOURS of time required to read privacy policies.

With regards to the more recent study, the researchers say that the cause of all these firstborn babies being theoretically handed over as currency for online services is, no surprise here, information overload:

A regression analysis revealed information overload as a significant negative predictor of reading TOS upon signup, when TOS changes, and when PP changes.

Qualitative findings further suggest that participants view policies as nuisance, ignoring them to pursue the ends of digital production, without being inhibited by the means.

The researchers conclude that the study adds support for the argument that “notice and choice policy is deeply flawed, if not an absolute failure.”

From the paper:

Transparency is a great place to start, as is notice and choice policy; however, all are terrible places to finish. They leave digital citizens with nothing more than an empty promise or protection, an impractical opportunity for data privacy self management, and… too much homework.

If adults can’t get through these policies, imagine how vanishingly small the possibility is that children can protect themselves, the researchers suggest.

They can’t be protected by long policies that nobody reads, and they can’t keep their parents from inadvertently signing them over – along with their own data privacy rights.

Exit mobile version