
Dec 06, 2018

I read the Terms of Service, so that you don’t have to

Whenever I open my computer these days, another website wants me to agree to their new terms of service agreement (TOS). Blame it on the European Union (EU), specifically its General Data Protection Regulation (GDPR), a law that came into force in May that tightens privacy protections.

TOS are the epitome of a Too Long Didn’t Read document; they’re boring, technical, and pop up like weeds. Even people who have the legal savvy to read them don’t have the time. As an experiment, I decided to actually read the fine print for a week. Here’s my story.

The Experiment


Day 1

The first thing I did was google “terms of service agreements.” However, I used the DuckDuckGo search engine instead of Google. DuckDuckGo’s privacy policy says they don’t need a privacy policy, because they don’t track your browsing history. It’s illustrated with cartoon dragons breathing fire on legal documents.

I clicked on a link to a South Park episode that pokes fun at the iTunes TOS — infamous for changing often and being so ridiculously long you could turn them into a graphic novel.

Of course, a window popped up asking me to agree to the South Park website’s TOS. So before getting to do some hard-nosed TV-watching, I had to read a legal document.

At the top of the document you waive the right to be part of a class-action lawsuit. You can opt out, but instructions for doing so are inconveniently located at the very end of the document. Also, opting out requires sending notice in writing within 45 days by first class, certified mail, or overnight courier.

Ultimately, it took me about an hour to skim-read the whole document. I found 3 typos, proving that even South Park’s lawyers haven’t read the whole thing!

When I finally agreed, I was immediately re-directed to the Canadian site, which didn’t have the episode I wanted to watch.

Day 2

I was home alone on Saturday night, so I decided to check out the dating site, Tinder.

Tinder’s TOS declare that by creating an account, you warrant that you are at least 18 years old, and can form a binding contract. But if you’re not at least 18 and capable of forming a binding contract, you probably wouldn’t understand the legalese, so wouldn’t know not to use the site.

The next requirement is that you warrant that you have never been convicted of a felony, a violent crime, or a sex crime. I suppose it’s some consolation that at least violent convicts who are responsible enough to read and abide by the TOS will be weeded out.

What concerned me most was that you agree to let Tinder do pretty much anything it wants with the content you post (“host, store, use, copy, display, reproduce, adapt, edit, publish, modify and distribute”). That was enough for me to swipe left on Tinder.

Day 3

At 5:59 PM on Sunday, I checked whether I could make it to the LCBO before closing. I opened Google Maps just in time to see the virtual OPEN sign turn to CLOSED.

What I found in Google’s fine print was just as sobering.

Put simply, Google’s TOS and privacy policy are creepy. In a friendly tone, they basically tell you that they’re no better than cyberstalkers. They keep track of everything you type or click or watch or say into an audio tool, everyone you interact with, anything you do in their Chrome browser or on sites that use their services, which apps you use on their Android mobile devices, your GPS location, as well as everything their search engine turns up about you online. Throughout they try to pass this off as a reasonable thing to do in order to be able to recommend YouTube videos you’ll like.

After reading the TOS and privacy policy, I went through my settings and turned everything off that had an off switch.

I also deleted the very detailed history of every time I’ve ever looked up the opening hours for the LCBO.

Day 4

On Monday morning, I was seriously regretting the plan to do this for a whole week.

Poking around for a shortcut that could end the torture, I found Terms of Service; Didn’t Read. It’s the TLDR to this TLDR.

They’ve broken down the common features of TOS into categories, and use a rating system for each feature so that you can see at a glance which sites have evil policies. For instance, Tumblr is rated thumbs down on copyright, but thumbs up on third-party confidentiality, while Soundcloud is the reverse.

Depending on which intrusions you care about most, you can see which sites to avoid.

What I learned

Even though I aborted the mission early, I discovered a few common tricks that digital firms use in their TOS. Here’s what to watch out for:

Using your stuff

When you post a photo to sites like Instagram or Twitter that have broad copyright licenses, you are giving them carte blanche to use your intellectual property. They can use it in advertising, sell it to a stock photo company, or release it to the media if you one day become newsworthy. The same goes for that clever one-liner that got you all those likes; you may own the copyright, but once it’s posted, it’s Twitter’s to use as they like.

copyright, license

Acting like cyberstalkers

Sites like Google and Facebook compile huge files on their users, and non-users too. You can ask them to delete those files, which stops them serving you personalized ads, but many sites don’t actually delete the files, even when you close your account.

tracking, cookies

Ratting you out

While some services only give away your data when forced to by law enforcement, others sell or give it away to partners. Typically those partners want to sell you stuff, but occasionally they want to sway elections.

third-party, disclosure, partners

Being legally untouchable

Let’s say a website decides to send the phone numbers of all their users to anyone who they’ve blocked, and a bunch of people get violent visits from trolls and cyberstalkers. That would be horrible and people might want to sue for damages or start a class action lawsuit against the website. However, it’s becoming increasingly common for TOS to require users to waive those rights. Moreover, services that don’t have such a clause in their TOS often reserve the right to change their TOS with little notice.

arbitration, class-action, indemnity

The takeaway

There’s nothing inherently wrong with copyright licensing, tracking users, disclosing personal information, or indemnification agreements. If you’re publishing a book, it’s normal to transfer copyright to the publisher. If you sign up for a cage fight, you expect to sign a waiver agreeing not to sue if you get hurt. The problem is that we don’t give INFORMED consent when we click AGREE without reading the TOS, and uninformed consent hardly deserves the name.

But the larger problem is that the consent model for data privacy is breaking down. Given how ubiquitous digital data collection and surveillance have become in our everyday lives, regular people can’t keep track of it all. Nobody wants a solution where all of our online time is spent being forced to actually read legal documents and giving meaningful consent to every nuance of any digital service we use. I couldn’t even handle it for a week.

Part of the solution is instead to clarify the illegality of the shadiest practices, like gaining access to data through purposely obscure settings (see the recent revelation that Google tracks your location even when location tracking is off), forcing you to enter personal information like your birthdate when it’s not at all necessary for the service, and using single clicks as proxies for complex legal decisions. We have strong privacy protections when personal data is collected by government agencies and healthcare providers, but private companies have been acting with impunity. These practices might not survive a legal challenge, but individuals have little motivation to take large corporations to court.

Shifting responsibility for enforcement away from individuals is another part of the solution. This is where GDPR’s real strength lies. Companies operating in the EU have a new set of auditing and reporting responsibilities, and there are stiff fines for those who don’t follow the rules. Europeans can be old-fashioned when it comes to things like cobblestone streets, manual transmission, and not having screens on their windows, but in this case we should follow their lead. Our Office of the Privacy Commissioner (OPC) has been asking for greater powers to levy fines and conduct audits, so that the responsibility for keeping digital firms in check won’t lie with individual internet users. But the OPC needs more resources to tackle this job.

I don’t want to live in a nanny state where you can’t even put hummus in school lunches because it looks like peanut butter, but when the public can’t effectively protect itself using common sense and reasonable precautions, the government needs to step in.



Catherine Stinson
