Are Privacy Policies the greatest threat facing the future of the Internet?

We have a major problem with privacy policies.

Purple, a UK WiFi hotspot provider, hid a “Community Service Clause” into its service agreements. 22,000 people at coffee shops and restaurants across the UK agreed to 1,000 hours of menial labor when they signed onto use Purple’s WiFi. The labor included cleaning local parks of animal waste, cleaning portable lavatories at local festivals and events, and more.

Thankfully this “experiment” from a year ago was a joke meant to provoke conversation. However, our tendency to blindly agree to a company’s policies isn’t always harmless:

Alex Urbelis [a lawyer specializing in privacy] is concerned about Philips’ Sonicare electric toothbrush model that contains Bluetooth.

“When you sign up to use this particular toothbrush, it’s collecting information, sensitive information, about your brushing habits, where your cavities are located,” he said. “When you brush, it’s measuring things like the pressure that you’re using on a toothbrush, the frequency of your brushing habits.”

“What really terrified me was that in the Sonicare privacy policy, they tell you they’re going to share this information,”.

Jennifer Schlesinger, CNBC

What could companies possibly want with my brushing habits and cavity info? I don’t know but I’d prefer not to find out.

Privacy policies are created to protect companies. A combination of vague language, parachute terms, and legal jargon makes it nearly impossible to understand and a marathon of a read for the average person.

The New York Times created an incredible, interactive report (seriously, go check it out) showing that a Privacy Policy like Airbnb’s reads above a 1500 Lexile Score, which means it is harder to read than Immanuel Kant’s Critique of Pure Reason and Machiavelli’s The Prince. They analyzed 150 Privacy Policies of the most popular companies and most of them required more than a college reading level and at least 15 minutes to get through.

Tim Berners-Lee, the father of the World Wide Web, ranked his top worries for the future of the Internet – and his number one concern was that we’ve come to blindly accept the labyrinth terms of service for most technologies.

Privacy Policies Solved

There are a few ways we can beat around this bush.

First would be finding a way to simplify the policies that exist. Polisis, for example, is a website and browser extension that uses machine learning to automatically read and make sense of any online service’s privacy policy.

In just 30-seconds, Polisis extracts a readable summary of a privacy policy it’s never seen before. Best of all, the summary is displayed in a graphic flowchart outlining what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. (See examples of CNBC, Amazon, and Uber).

The second solution lies in reframing how we create terms of service.

“These are documents created by lawyers, for lawyers. They were never created as a consumer tool,” Dr. King said. “What would we do if we actually started over and did this from a human-centric point of view, knowing what we know now about how humans process information online?”

Kevin Litman-Navarro, The New York Times

BBC is one of the examples they pointed to, using language like this in their privacy policy:

Any BBC apps you download to your mobile or TV can access certain data on your device. Some data gets collected automatically, like: The types of mobile device you’re using, a “unique identifier” (like the device ID or an IP address), info about how our apps are being used.

This lets the app remember you and give you whatever content you’ve asked for. For example, the BBC Weather app asks to use your device’s location to give you local weather.

This is something anyone can read and at least understand what they’re agreeing to. However, it doesn’t bode well for the company, who needs these policies for protecting.

Which leads me to the third potential solution: an independent privacy policy rating agency. One of the companies filling this role is Openly Operated, which has created a new set of guidelines for auditing how apps and web services deal with our data.

An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.

Adi Robertson, The Verge

Companies that meet these criteria will receive an OO-certified seal. I think it would be interesting if they evolved over time to rate the objective level of privacy on a grading scale – but I suppose you have to start somewhere.

Regardless, the kicker here is ensuring that they don’t lose their integrity or get lazy. I was just shopping for cars and I swear Consumer Reports have become useless in this sense because every car’s report is the same.

Ultimately, we live in a capitalist society. The Internet is an engine for data. To reconfigure the Internet around a new monetary, incentive structure would be very complex. I do believe we need to “bring a gun to a gunfight” and create more opportunities for companies to actually make money by providing privacy. Exactly how that happens is the real question.