December 6, 2018
Whenever I open my computer these days, another website wants me to agree to their new terms of service agreement (TOS). Blame it on the European Union (EU), specifically its General Data Protection Regulation (GDPR), a law that came into force in May that tightens privacy protections.
TOS are the epitome of a Too Long Didn’t Read document; they’re boring, technical, and pop up like weeds. Even people who have the legal savvy to read them don’t have the time. As an experiment, I decided to actually read the fine print for a week. Here’s my story.
The Experiment
Day 1
The first thing I did was google “terms of service agreements.” However, I used the DuckDuckGo search engine instead of Google. DuckDuckGo’s privacy policy says they don’t need a privacy policy, because they don’t track your browsing history. It’s illustrated with cartoon dragons breathing fire on legal documents.
I clicked on a link to a South Park episode that pokes fun at the iTunes TOS — infamous for changing often and being so ridiculously long you could turn them into a graphic novel.
Of course, a window popped up asking me to agree to the South Park website’s TOS. So before getting to do some hard-nosed TV-watching, I had to read a legal document.
At the top of the document you waive the right to be part of a class-action lawsuit. You can opt out, but instructions for doing so are inconveniently located at the very end of the document. Also, opting out requires sending notice in writing within 45 days by first class, certified mail, or overnight courier.
Ultimately, it took me about an hour to skim-read the whole document. I found 3 typos, proving that even South Park’s lawyers haven’t read the whole thing!
When I finally agreed, I was immediately re-directed to the Canadian site, which didn’t have the episode I wanted to watch.
Day 2
I was home alone on Saturday night, so I decided to check out the dating site, Tinder.
Tinder’s TOS declare that by creating an account, you warrant that you are at least 18 years old, and can form a binding contract. But if you’re not at least 18 and capable of forming a binding contract, you probably wouldn’t understand the legalese, so wouldn’t know not to use the site.
The next requirement is that you warrant that you have never been convicted of a felony, a violent crime, or a sex crime. I suppose it’s some consolation that at least violent convicts who are responsible enough to read and abide by the TOS will be weeded out.
What concerned me most was that you agree to let Tinder do pretty much anything it wants with the content you post (“host, store, use, copy, display, reproduce, adapt, edit, publish, modify and distribute”). That was enough for me to swipe left on Tinder.
Day 3
At 5:59 PM on Sunday, I checked whether I could make it to the LCBO before closing. I opened Google Maps just in time to see the virtual OPEN sign turn to CLOSED.
What I found in Google’s fine print was just as sobering.
Put simply, Google’s TOS and privacy policy are creepy. In a friendly tone, they basically tell you that they’re no better than cyberstalkers. They keep track of everything you type or click or watch or say into an audio tool, everyone you interact with, anything you do in their Chrome browser or on sites that use their services, which apps you use on their Android mobile devices, your GPS location, as well as everything their search engine turns up about you online. Throughout they try to pass this off as a reasonable thing to do in order to be able to recommend YouTube videos you’ll like.
After reading the TOS and privacy policy, I went through my settings and turned everything off that had an off switch.
I also deleted the very detailed history of every time I’ve ever looked up the opening hours for the LCBO.
Day 4
On Monday morning, I was seriously regretting the plan to do this for a whole week.
Poking around for a shortcut that could end the torture, I found Terms of Service; Didn’t Read. It’s the TLDR to this TLDR.
They’ve broken down the common features of TOS into categories, and use a rating system for each feature so that you can see at a glance which sites have evil policies. For instance, Tumblr is rated thumbs down on copyright, but thumbs up on third-party confidentiality, while Soundcloud is the reverse.
Depending on which intrusions you care about most, you can see which sites to avoid.
What I learned
Even though I aborted the mission early, I discovered a few common tricks that digital firms use in their TOS. Here’s what to watch out for:
Using your stuff
Keywords: copyright, license
Acting like cyberstalkers
Keywords: tracking, cookies
Ratting you out
Keywords: third-party, disclosure, partners
Being legally untouchable
Keywords: arbitration, class-action, indemnity
The takeaway
There’s nothing inherently wrong with copyright licensing, tracking users, disclosing personal information, or indemnification agreements. If you’re publishing a book, it’s normal to transfer copyright to the publisher. If you sign up for a cage fight, you expect to sign a waiver agreeing not to sue if you get hurt. The problem is that we don’t give INFORMED consent when we click AGREE without reading the TOS, and uninformed consent hardly deserves the name.
But the larger problem is that the consent model for data privacy is breaking down. Given how ubiquitous digital data collection and surveillance have become in our everyday lives, regular people can’t keep track of it all. Nobody wants a solution where all of our online time is spent being forced to actually read legal documents and giving meaningful consent to every nuance of any digital service we use. I couldn’t even handle it for a week.
Part of the solution is instead to clarify the illegality of the shadiest practices, like gaining access to data through purposely obscure settings (see the recent revelation that Google tracks your location even when location tracking is off), forcing you to enter personal information like your birthdate when it’s not at all necessary for the service, and using single clicks as proxies for complex legal decisions. We have strong privacy protections when personal data is collected by government agencies and healthcare providers, but private companies have been acting with impunity. These practices might not survive a legal challenge, but individuals have little motivation to take large corporations to court.
Shifting responsibility for enforcement away from individuals is another part of the solution. This is where GDPR’s real strength lies. Companies operating in the EU have a new set of auditing and reporting responsibilities, and there are stiff fines for those who don’t follow the rules. Europeans can be old-fashioned when it comes to things like cobblestone streets, manual transmission, and not having screens on their windows, but in this case we should follow their lead. Our Office of the Privacy Commissioner (OPC) has been asking for greater powers to levy fines and conduct audits, so that the responsibility for keeping digital firms in check won’t lie with individual internet users. But the OPC needs more resources to tackle this job.
I don’t want to live in a nanny state where you can’t even put hummus in school lunches because it looks like peanut butter, but when the public can’t effectively protect itself using common sense and reasonable precautions, the government needs to step in.