The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services

Jonathan A. Obar (York University)

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


This submission to the OPC’s dialogue on consent and privacy provides an overview of a study I recently co-authored with Dr. Anne Oeldorf-Hirsch (University of Connecticut) entitled “The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services” (working version). Anecdotally, the biggest lie is referred to as “I agree to these terms of service”. The study is currently under academic review. If interested, the study was discussed in an Ars Technica piece entitled “TOS agreements require giving up first born-and users gladly consent: Study participants also agreed to allow data sharing with the NSA and employers”. The contents of this document respond to OPC question (2) briefly discussed below.

The study abstract:

This paper addresses ‘the biggest lie on the internet’ with an empirical investigation of privacy policy (PP) and terms of service (TOS) policy reading behavior. An experimental survey (N=543) assessed the extent to which individuals ignore PP and TOS when joining a fictitious social networking site, NameDrop. Results reveal 74% skipped PP, selecting ‘quick join.’ For readers, average PP reading time was 73 seconds, and average TOS reading time was 51 seconds. Based on average adult reading speed (250-280 words per minute), PP should have taken 30 minutes to read, TOS 16 minutes. A regression analysis revealed information overload as a significant negative predictor of reading TOS upon signup, when TOS changes, and when PP changes. Qualitative findings further suggest that participants view policies as nuisance, ignoring them to pursue the ends of digital production, without being inhibited by the means. Implications were revealed as 98% missed NameDrop TOS ‘gotcha clauses’ about data sharing with the NSA and employers, and about providing a first-born child as payment for SNS access.

An excerpt from the discussion section (p. 23):

While a small minority of participants did express privacy concerns, the vast majority praised quick-join options for helping them by-pass notice components. It’s not just that privacy and TOS policies are perceived as boring or even pointless, it’s that users are going online and engaging with SNS to complete a list of desired tasks, namely, engaging with friends and family online, and all of the other affordances offered by SNS. As one participant noted, “my friends use this social media in oder (sic) to catch up with their life i (sic) signup for this as quick as possible” while another said “its a hassle to deal with a massive amount of boring pages about privacy and security when the site you are joining is there to do something much more interesting.”

It is clear that getting into a legal discussion about data sharing, the NSA and privacy in general is far from the reason that individuals choose to go online. Solove […] properly analogizes engagement with policies to the process of students receiving homework. […] Users aren’t looking for homework when they go online, quite the contrary, it is likely that many users are looking for an escape from their homework when accessing SNS. Users want to engage with the ends of digital production, without being inhibited by an education or a discussion about the means.

OPC Question “2. What solutions have we not identified that would be helpful in addressing consent challenges and why?”

Pragmatic solutions are made possible when challenges are accurately identified. One of the goals of our study is to demonstrate empirically the extent to which individuals ignore privacy and terms of service policies. Too often scholars and policymakers make assumptions in this area without referring to empirical evidence or nuanced explanations. Our research suggests that most individuals view notice components as an unnecessary burden while on the path to online engagement. Users prefer quick-join options where possible so that digital ends can be reached quickly. This suggests the consent challenge is not limited to addressing the length of policies, the number of policies, the complexity of policies or even the accessibility of policies. One point the study highlights is the considerable challenge of having to change people’s attitudes towards notice. What incentives exist that motivate people to protect their digital privacy and reputation? Without clear incentives and a cultural shift that includes a clear narrative as to why notice matters, little will change.

Notice and choice policy is a great place to start, but a terrible place to finish. Without tools to make providing consent possible, engagement levels will remain unchanged. Canadians access, review, manage, correct and submit financial data to the government every year during tax season. This would be a formidable challenge if support systems did not exist to provide assistance. Taxes are required by the government; digital privacy and reputation management are not. If the OPC wants to support further engagement with consent processes, much can be learned from the methods that successfully engage millions of Canadians in the tax system. This could include infomediation services and government support systems. The infomediation question is one that I am currently researching, and I would be happy to discuss it further as a possible direction for further inquiry.

I have read and understood the consultation procedures. These comments are meant to implicate the OPC and the Federal government.

Thank you for your consideration.

Sincerely,

Jonathan A. Obar, PhD
Assistant Professor, York University
