If you are a regular online shopper, you probably scoured Cyber Monday deals with eagle eyes. But did you also carefully go through the privacy policies you were consenting to before clicking “I Agree” on those business-to-consumer websites and apps?
People tend to ignore the fine print in online Terms of Service (ToS) contracts, according to York University Professor Jonathan Obar. In a recent study he co-authored, participants aged 50 and up expressed caution and concern for their privacy yet ignored the fine print, the communications and media studies researcher points out.
“We conducted an experimental survey to evaluate older adults’ engagement with an online consent process to assess their privacy behaviours and found that a majority rushed through, including many who chose the clickwrap – agreeing to the privacy policy without accessing it,” says Obar, who researches information and communication policy in York’s Faculty of Liberal Arts & Professional Studies.
The study, Older Adults and “the Biggest Lie on the Internet”: From Ignoring Social Media Policies to the Privacy Paradox, was published in the International Journal of Communication (open access). Five hundred people aged 50 and up saw the front page of a fake social media company called NameDrop and were then directed to an online consent process. The privacy policy included two "gotcha" clauses: a data-collection clause allowing the company to turn on a device’s camera and microphone, and another allowing data sharing with the National Security Agency and data brokers (91.4 per cent accepted).
The data-broker clause specifically said data use could lead to "the development of data products designed to assess eligibility. This could impact eligibility in the following areas: employment, financial service (bank loans, insurance, etc.), university entrance, international travel, the criminal justice system, etc. Under no circumstances will NameDrop be liable for any eventual decision made as a result of NameDrop data sharing.”
The terms also included an extreme clause requiring a kidney/arm/leg, etc. in exchange for service (83.4 per cent accepted).
“Some of the participants said you ‘should’ read policies, suggesting that many want to protect privacy but perhaps not enough is being done to support meaningful consent processes,” says Obar, noting clickwrap designs are a primary reason people ignore policies. (Clickwrap agreements are where users are allowed to agree to terms by clicking a button.)
Long and complicated policies are also a problem, notes Obar, who created The Clickwrap and The Biggest Lie on the Internet, an informative video about clickwrap agreements.
The study found that 77.6 per cent of participants agreed to the privacy policy by accepting the clickwrap – agreeing to the policy without accessing it. For those accessing policies, average time spent reading the privacy policy was about 70 seconds, while 81.4 seconds were spent on ToS.
“Results also suggest two examples of the privacy paradox: for clickwrap use and for policy reading time,” says Obar, explaining how even though participants conveyed an interest in privacy protections, they found policies long and complicated, and impeding their desire to join services quickly.
According to Obar and his co-author Anne Oeldorf-Hirsch, associate professor in communication at University of Connecticut, digital service providers should address problematic designs like clickwraps and revise long, complicated policies.
Obar recently launched a website to engage policymakers, platform providers and the general public in meaningful online consent research, noting “hopefully this will help support the changes necessary for the realization of online privacy deliverables.”