No One Reads That Sh*t And You’re Suffering From It
A plea to consumers to read privacy policies and how to do it quickly and effectively
What if I told you that every time you go to a website or open up an app, there is a company that you have never heard of that is collecting information about you? What if I told you that the website or app that you are trusting, is likely knowingly sharing some of your personal information? What if I told you that if that website or app goes out of business, they’re going to pay off their debt collectors by selling every speck of data they have on you to the highest bidder. Well all of these things are true, and I learned them by reading that dreaded thing I know that you have never read in your life: a privacy policy.
As a Computer Science & Public Policy major, I decided to spend the summer of 2015 learning about privacy and security. After diving into the weeds, I was shocked at how little the average consumer knows about what companies are doing with their personal information. Think about those questions I asked above again. What if that company has your Social Security Number? What if it has your personal health data? I believe that consumers have a right to own their own data and should have a right to know who is using their personal information. Though I am by no means an expert on privacy and security, I’d like to share some of my findings.
I learned some of these things working for the Federal Trade Commission this summer. I want to explicitly state that the views expressed here are those solely of my own (Max Greenwald) and do not necessarily represent or reflect the views of the Federal Trade Commission.
Companies are collecting information about you, knowingly or not, in a lot different ways. You might submit information to a company, such as an email and password. You might passively give the company information, such as your sleep and exercise patterns when using a fitness tracker or your contact list when you enable a sharing feature on a company’s mobile app. In all of these cases, information pertaining to you, the consumer, is being shared.
But how do you know what is being shared and how it is being done? Well it is supposed to be in the privacy policy. But here is the reality: privacy policies are written to be obscure and companies are doing whatever they want with your data anyways. You may not realize this but companies often will give or sell your information to other companies. Most privacy policies are tucked away at the bottom of the website of a company and can be hundreds of pages long. This makes it incredibly impractical for the average consumer to look through and understand. If a company does not have a privacy policy, this is a massive red flag and you shouldn’t use that company’s product or service if you have an alternative.
Note to policy-makers: Shouldn’t companies list exactly how their consumer’s data is shared in a single page, easily accessible on a website and also in non-legalese so that anyone can understand?
When you are scanning through a privacy policy, and want to do so quickly and effectively, here are the 4 things that you want to find out:
1) Information the company collects
Background information: Companies collect two kinds of information: personally identifiable information and non-personally identifiable information. The former includes things like your name, e-mail and date of birth. The latter includes things like the time that you viewed a website, the pages you visited, type of browser you use.
Why do I care? You might want to find out what information the company collects because the company can sell your data to ad targeting companies who might use your personally identifiable information to send you creepy ads or give you different prices for products based on your ability to pay.
A good company would: explicitly list all of the information that it collects broken down by personally and non-personally identifiable information.
Tricks to look out for: Companies that use a phrase like “We collect name, age, etc.” This is not explicit enough to let you know what they collect.
2) Information the company shares to other companies
Background information: Most companies share information about you with other companies, who provide useful services to help out the company. This is not inherently bad but you deserve to know exactly what is being shared, to whom, and for what purpose. The companies receiving your information are often called “third parties.” They serve many different purposes to help the company that you are evaluating — including but not limited to providing analytics on how the company can improve or helping the company serve advertisements on its website and mobile applications. A company will allow these third parties to place little listeners, called cookies, in the apps on your phone or on a website in your browser on your computer to allow the third party to send itself information about you. A cookie allows sites to record your browsing activities — like what pages and content you’ve looked at, when you visited, what you searched for, and whether you clicked on an ad.
Why do I care? Third party companies now own your data and will likely sell your information to other companies, which may not be to your benefit. Do you want your insurance company learning about your eating habits? Or an Internet provider to adjust the content you get? Do you want a shoe company to charge you higher prices because they know your area code and infer that you must be wealthy?
A good company would: explicitly list every company that it shares your information with and all of the information it shares. It should furthermore list a brief description of its purpose for sharing this information. It should state that the information, once shared, will be treated under a privacy policy at least as strict as its own.
Tricks to look out for: Companies may use a phrase like “We share information with companies like Mixpanel and Google analytics” which is not explicit enough to let you know what they collect. Companies also sometimes claim that once your information is sent to the third party that your information is subject to the third party’s privacy policy, which necessitates you having the burden of going to the third party’s website to check out their privacy. Companies sometimes state that third parties may use cookies on their mobile apps and websites but cookies can last for a day, a year or forever unless the company gives the third party an explicit timeframe — perhaps an hour would be reasonable.
3) Security measures implemented on all acquired information
Background information: A company is only as secure as its weakest security feature. With the sophistication of today’s malicious hackers and hacking technology, nobody is perfectly safe. However you should expect reasonable security practices from a good company.
Why do I care? You might want to know this information because companies who do not implement at least the bare minimum 6 or 7 good practices make your data incredibly vulnerable to malicious hackers.
A good company would: list exactly how it deals with the storage and transportation of sensitive information. A company should state, in accordance with law, that it will notify you in the event that your data has been compromised.
Tricks to look out for: Companies may claim to store your information securely using SSL encryption, but information is also at risk in transition from your phone or computer to the company’s servers. Companies might also claim to keep your credit card number obscured but often will store that information on your phone in a way that a hacker could actually acquire. Lastly companies often say that they use “industry standard” security or “bank level” encryption, these terms mean absolutely nothing and could indicate that they might have not even implemented any security measures whatsoever!
4) Ability to remove all acquired information
Background information: Companies store your information on their servers and it usually it is extremely cheap to keep it, even if you delete your account with the company. The company can hold on to this and sell the information later.
Why do I care? If you end your relationship with a company, you don’t want the company to hold on to and sell all of your sensitive information. If nothing else, it means more of an unending opportunity for your information to get leaked!
A good company would: actually remove all your information if you discontinue the service. They should explain how and when they will remove your information once you leave the service.
Tricks to look out for: often times companies will say that they have removed your information when they haven’t — scrubbing data is a bit expensive and tough to do especially if you have a lot of users. A good indication that a company is not doing this is to delete your account with a company, then recreate that account and see if the company “remembers” any information about you that you had not previously provided since recreating the account.
Furthermore, companies often claim in their privacy policies that they reserve the right to change their privacy policy at any time and may or may not notify you, the consumer. This is an unfair practice. A company that cares about its consumers should give you an option upon signing up for the service to receive notification (in non-legalese) about changes to privacy policies.
Don’t trust the company? Here are some free tools to enhance your privacy:
o AdBlock — The Adblock browser extension prevents ads from appearing on your browser when you are visiting sites. It also prevents some third parties from receiving some, but not all, information about you. Available on Chrome and Safari.
o PrivacyGrade — PrivacyGrade is a website that allows you to see how robust a company’s mobile application is at protecting your privacy.
o Do Not Track — This browser extension also attempts to minimize the information about you that third parties collect by informing them (many have opt-out policies) that you would not like to be tracked.
o Cookiepedia — Cookiepedia is an index of thousands of companies that try to collect information about you by placing cookies in your browser. If a company in their Privacy Policy listed the third parties that it uses, you can look them up here to learn more about what they do with your data.
Still don’t trust the company? Use a free tool to check the company yourself:
A lot of the information that we would want a company to tell us in their privacy deals with who gets what information. By using a “behind the scenes” tool you can actually discover in real time all the information getting sent from your phone and computer an to whom it is sent. Though if you’re an “average Joe” you probably don’t have the technology expertise to perform a data transfer analysis of a company — by following my guide “Mitmproxy — Your D.I.Y. Private Eye,” you can do it! In the guide I go through the steps for setting up a free tool called Mitmproxy which can be used to verify many of the privacy and security claims of these companies. The tool shows you exactly what data of yours is being sent where and to whom. Surprisingly to most, when you log in to most mobile or web applications, at least 15 pieces of information are sent in several directions. Playing with your favorite mobile application for about 5 minutes can create around 500 data transfers… and all of them contain juicy information to see whether your company is following their privacy policy or not!
You can see whether a company sends information using SSL encryption, which third parties are receiving what information, and whether the company is collecting more information about you than you as a consumer would expect. If you catch them claiming one thing, but in reality doing another, get justice by reporting the company to the Federal Trade Commission. Get the guide here.
Max Greenwald is an Associate Product Manager at Google and a Computer Science & Public Policy Major fromPrinceton University. Read more of his work at www.maxgreenwald.io/blog
