
Privacy Policies Are an Incomprehensible Disaster - tysone
https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html
======
ebrewste
Pretty well written piece for a an intro to this issue. Same issue with cookie
acknowledgements. Some important quotes:

“These are documents created by lawyers, for lawyers. They were never created
as a consumer tool,” Dr. King said.

"The BBC has an unusually readable privacy policy. It’s written in short,
declarative sentences, using plain language. "

The BBC example shows that it is possible to write a readable policy, if a
company cares to.

~~~
lmkg
> These are documents created by lawyers, for lawyers. They were never created
> as a consumer tool

This, I think, is the core issue. The Privacy Policy is seen as the same type
of thing as the Terms of Service. Of course, this begs the question of why
does there need to be two different documents.

GDPR has pretty explicitly tried to reverse this. The Terms of Service can be
as legal-y as you want, but there must be a plain-language Privacy Policy for
the data subject. We'll see how much that happens in practice... the
regulators probably have much bigger fish to fry than unclear PP documents,
but a fine for a separate issue could include "no one could understand this,
so it doesn't count" as a way to side-step technical loopholes.

~~~
fmajid
More importantly GDPR grants statutory rights that cannot be waived by a
shrinkwrap agreement. Its only real weakness is that is does not grant a right
of private enforcement, and national regulatory agencies are too understaffed
to address even a small portion of abuses today.

~~~
tzs
> Its only real weakness is that is does not grant a right of private
> enforcement, and national regulatory agencies are too understaffed to
> address even a small portion of abuses today

Article 79, Right to an effective judicial remedy against a controller or
processor

1\. Without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority pursuant
to Article 77, each data subject shall have the right to an effective judicial
remedy where he or she considers that his or her rights under this Regulation
have been infringed as a result of the processing of his or her personal data
in non-compliance with this Regulation.

2\. Proceedings against a controller or a processor shall be brought before
the courts of the Member State where the controller or processor has an
establishment. Alternatively, such proceedings may be brought before the
courts of the Member State where the data subject has his or her habitual
residence, unless the controller or processor is a public authority of a
Member State acting in the exercise of its public powers.

------
ziddoap
"For comparison, here are the scores for some classic texts. Only Immanuel
Kant’s famously difficult “Critique of Pure Reason” registers a more
challenging readability score than Facebook’s privacy policy. (To calculate
their reading time, I measured the first chapter of each text.) "

I'm feeling an interesting mix of laughter and sadness. How can you not laugh
at the ridiculousness of a privacy policy being less legible than "Criqiue of
Pure Reason"? How can you not feel a tinge of sadness at the state of the
world when this is not only acceptable, but expected?

Yet, it doesn't surprise me that privacy policies are generally hot garbage.
And that's sad too.

~~~
testplzignore
The real measuring stick of readability should be The Silmarillion :)

There are plenty of ways privacy policies are bad, but I think the reading
scores NYT is using from Lexile are a bogus criticism. From a reading length
and vocabulary perspective, I don't see anything in the Facebook privacy
policy that I wouldn't expect a high school student to be able to comprehend.

My main criticism of privacy policies is that, after reading them, you realize
that there is practically no upper bound on how your data can actually be
used. You give the company a key to your house, and it is up to them to decide
if they want to trash the place.

~~~
fmajid
I read the Silmarillion when I was 11. It's hardly challenging reading like
dense and opaque German philosophy texts tend to be (I am looking at you,
Wittgenstein).

~~~
danaris
Agreed. The Silmarillion's language isn't _simple_ , but it is _lyrical_ , and
is intended to evoke great epics in its style.

I think the most uncharitable thing you can say about it is that it reads
somewhat like the King James Bible.

~~~
fmajid
Right, and unlike those philosophy texts, there is actually a payoff for the
reader.

------
gnicholas
> _The BBC has an unusually readable privacy policy. It’s written in short,
> declarative sentences, using plain language._

This is good to know. Startups often adapt language for their own privacy
policies from those of big companies (on the assumption that such policies are
good/vetted).

Hopefully founders who read this article will turn to the BBC's policy when
figuring out how to fashion their own.

~~~
ceejayoz
I was pretty impressed with Basecamp's.
[https://basecamp.com/about/policies/privacy](https://basecamp.com/about/policies/privacy)

------
rosterface
The New York Times is as bad at privacy as anyone. Here is their policy:

[https://help.nytimes.com/hc/en-
us/articles/115014892108-Priv...](https://help.nytimes.com/hc/en-
us/articles/115014892108-Privacy-policy)

They make extremely illegitimate claims about "needing" to collect your
personal information to provide their "services". Which is absolutely untrue
since they're a newspaper you could read completely anonymously with zero
degradation to experience (except where they've deliberately hobbled that
option).

~~~
toby-
Do you suppose the author of this opinion piece wrote the New York Times'
privacy policy?

Edit: some fair counterpoints to me, below. But publishing an opinion piece
does not necessarily imply endorsement, and nor does it diminish the author's
point(s) one iota.

~~~
arkades
I keep hearing this. Every time the NYT writes an article on X, while being a
hypocrite on X, "Do you think the guy who wrote this was also in charge of X
at the NYT?"

It's a valid counterpoint. The guy who wrote about X is not, usually, in
charge of X. Agreed. The criticism, however, is not about the author - it's
about the organization that endorses both the action X, and the criticism of
X.

The NYT is an opinionated organization, not a public wall open to whoever
wants to throw things at it. They have an editorial stance. When they write
criticisms of X, they are implicitly - as an organization - criticizing X.
When they do X themselves, they are - as an organization - implicitly
endorsing X. When they wish to distance themselves from a criticism in an
article, they explicitly point out - hey, this is an Op-Ed from such-and-such
author, and doesn't represent the views of the NYT. When it's not an Op-Ed,
and/or when it's not disavowed, they are saying: this article represents the
views of the NYT.

The writer is not a hypocrite. The organization, however, is.

There's nothing illogical or invalid about holding the organization
accountable for doing bad things, and for pointing out that the organization
is trying to earn goodwill from the public by being "against X" while
perpetrating the act themselves.

~~~
inscionent
> The writer is not a hypocrite. The organization, however, is.

This is not how how a functioning news room works. That's not how any of this
works. You don't check your individuality at the door. A good publication can
and should promote well reasoned work, especially if it conflicts with the
status quo or view points of other writes in the org.

~~~
AstralStorm
Can and should, yet so didn't and still acts contrary? Sounds almost exactly
like hypocrisy to me.

------
0xffff2
>The vast majority of these privacy policies exceed the college reading level.
And according to the most recent literacy survey conducted by the National
Center for Education Statistics, over half of Americans may struggle to
comprehend dense, lengthy texts. That means a significant chunk of the data
collection economy is based on consenting to complicated documents that many
Americans can’t understand.

How is this different to law itself? If we're going to argue that it's
problematic for something as (relatively) inconsequential as privacy policies
to be unintelligible, shouldn't we start with something more basic?

~~~
icebraining
That the legibility of the law could and should be improved is a fair point.
That said, humanity isn't incapable of concurrency - there's no reason to have
to wait for the law before tackling privacy policies, which while a lesser
issue, are also easier to change.

------
the_snooze
There's an ongoing study whose early results found that even if people read
and understood privacy policies (for mobile apps), those policies are
incomplete, wrong, or self-contradictory a decent chunk of the time:
[https://www.ieee-
security.org/TC/SPW2019/ConPro/papers/okoyo...](https://www.ieee-
security.org/TC/SPW2019/ConPro/papers/okoyomon-conpro19.pdf)

It's hard to see privacy policies being written in good faith. In my opinion,
they're little more than declarations of "I'm going to do all these sketchy
things with your data, and it's _your_ responsibility to protect yourself from
me."

------
7402
Whether or not they are incomprehensible, I worry more that most of them seem
to boil down to:

"We can do whatever we want with any data we have about you. Your only
alternative is to not use our services and not use any other business or
organization that uses our services."

Any privacy policy that has the usual clause saying, "We can change this
policy at any time by posting an update to our website," is saying essentially
the above.

I suppose it would help if they were forced simply to put their policy in
those terms - then more people might push back against it.

------
samdixon
I have recently been wondering if, instead of a company having a privacy
policy, they could instead use a privacy license. This way you could easily
discern their stance on privacy from the name of the license. Not sure if
anything like this exists or if it would be worth looking into.

~~~
tomcatfish
This actually sounds like an interesting deal, as it would make figuring out
what a company does with your data easier to understand, but I'm fearful of 2
main things: 1\. It's still a battle to explain to non-technically minded
people whether an image is Creative Commons or free use or to get them to
understand that there are different kinds of CC. 2\. It will mean there is
less to read through, but many companies will still fit blocks together (ie.
General Use+Advertising Third Party+Server Backup in Other Country) or resort
to using a license that is more general than they need, but definitely
includes the things they want to do.

It's a _really_ cool idea though, and I'm curious whether anyone has ever
tried anything like it before.

------
Dajsvaro
Twilio does an excellent job with their Terms of Service and Privacy Policies.
For example, their Terms of Service has a "plain english" version in a right
hand column, along with the legalese in the right:

[https://www.twilio.com/legal/tos](https://www.twilio.com/legal/tos)

~~~
cdubzzz
But it is still maddeningly long. Even with the plain English version, who
would ever read and digest that before signing up for Twilio (other than a
lawyer)?

~~~
morpheuskafka
I'd hope who is about to build their business around the service and sign a
contract in the name of their business to use it could take some time to read
it... if not they shouldn't be signing their company up for it.

~~~
cdubzzz
Sure, that is the ideal. I'm more curious about the reality...

Check out this page --

[https://www.twilio.com/try-twilio](https://www.twilio.com/try-twilio)

At the bottom it says, "By clicking the button, you agree to our legal
policies."

Ignoring the ambiguity of that statement, it seems that someone can't even
sign up for a free trial without agreeing to the full set of terms. Does that
mean a business needs to make a complete legal review of the policies before
an employee can sign up to _test_ the service and decide if they want to use
it? How often does that actually happen?

~~~
morpheuskafka
If it's not going to be used in production, which a free trial presumably
wouldn't be, then you probably don't need a full review of the terms although
it would be a good idea to take care of it.

------
reaperducer
Working in healthcare, we have a privacy department that is adjunct to the
legal department. It did an audit of all of my web sites last year and I was
surprised to find out that they recommended that the privacy policies be
removed from some of them.

The reason was simple: The sites in question didn't do any tracking. So if
you're not gathering information, there's no need to warn.

~~~
groovybits
I disagree with this sentiment.

If you do not track any user activity on your site, then perhaps there is not
need to have a pop-up warning in your face.

But the fact that you willingly do NOT track user activity IS your privacy
policy. The policy does not go away. As a user visiting a site, I would much
rather have the policy accessible, even if it says that the website does not
have any tracking enabled.

Edit:

And I'm surprised that a legal advisor would recommend to remove the policy
entirely. Isn't it generally better to be explicit and forthcoming, rather
than say nothing at all?

~~~
LinuxBender
I agree with this. If you really don't collect data, then state it as such.
That should certainly bolster confidence by the end users of the system.

------
Animats
It's not that hard to read most EULAs and privacy policies, because they're
usually plagarized from someone else's documents, and contain much the same
clauses.

...Overreaching indemnification clause, bleah...disputes must be resolved in
courts of Northern California, OK (Outer Nowhere, not so OK, offshore tax
haven island, very bad) ... arbitration required under AAA consumer rules, not
too bad (National Arbitration Forum was very bad) ... no class actions, all
too common ... "sole discretion" termination, run away in a B2B context ...
vagueness in what can be done with your data, all too common, and often where
privacy rights go away ... mention of "affilates" having access, not good ...
limitation of liability, common for ordinary websites but inappropriate for
anybody you keep money with ....

After you read about ten of these things, a pattern emerges.

------
johnny313
This really raises the question of what it means to "consent" to something. If
you don't actually understand what you are consenting too, is it legally
binding?

~~~
kevin_b_er
A meeting of the minds is no longer really a requirement in American contract
law. You do not have to understand what you're being legally bound to. You
don't even have to understand if your human rights are being signed away
either.

~~~
rhino369
The idea is that you have a meeting of the minds that the document you are
signing contains the terms. If you could later argue that you didn't
understand it and therefore shouldn't be bound, it would make contracts
impossible to uphold.

Though I do think there should be some sort of loosening of the requirements
for a contract to be found unconscionable or deceptive.

------
solomatov
It's not only about privacy policies. Terms of service and other contracts
which people use are equally incomprehensible and full of legalese.

~~~
solomatov
A good example of how far the situation came is described here:
[https://abovethelaw.com/2010/06/do-lawyers-actaully-read-
boi...](https://abovethelaw.com/2010/06/do-lawyers-actaully-read-boilerplate-
contracts-judge-richard-posner-doesnt-do-you/)

>Judge Posner at ACS panel: For my home equity loan, I got 100s of pages of
documentation; I didn’t read, I just signed. #ACS10 #Posner #LOL

~~~
howard941
Isn't that a more efficient use of time? The terms aren't negotiable other
than walking away.

~~~
solomatov
I am not so sure about it. The contract might contain something substantially
adverse to you and still be enforceable. For example, in some EULAs I saw a
paragraphs completely forbidding you to compete with any products of the
company.

------
selectout
Did an analysis on Alexa's top 1000 sites and their privacy policies a few
years back. A brief infographic of the high level of this
[https://mashable.com/2011/01/27/the-real-reason-no-one-
reads...](https://mashable.com/2011/01/27/the-real-reason-no-one-reads-
privacy-policies-infographic/)

------
morpheuskafka
I don't think it's really fair to compare a privacy policy to A Critique of
Pure Reason. One is hard to read because it references laws and has a lot of
boilerplate stuff that you can skip over, the other involves abstract
philosophical questions that are difficult to consider in terms of the subject
matter itself.

------
bediger4000
All or nearly all privacy policies are incomprehensible. The main exceptions
appear to be European, or non-profit's.

Does this uniform incomprehensibility come from an identifiable root cause, or
is it just emergent because of a variety of factors, not all of which afflict
every company?

~~~
lmkg
Key quote from the article:

> These are documents created by lawyers, for lawyers. They were never created
> as a consumer tool

They are generally treated as the responsibility of the legal team, so they
are written as legal documents. Companies treat them as a way to pro-actively
defend against lawsuits (much like the Terms of Service), and _not_ as a way
to inform or educate users.

The reason why many readable privacy policies come from Europe is because GDPR
makes it literally a legal requirement that they are written "using clear and
plain language." Source: GDPR Article 12 [https://gdpr-
info.eu/art-12-gdpr/](https://gdpr-info.eu/art-12-gdpr/)

------
zelon88
I'm pretty proud of this one.....
[https://www.honestrepair.net/index.php/privacy-
policy/](https://www.honestrepair.net/index.php/privacy-policy/)

~~~
mLuby
That _is_ shockingly comprehensible and concise; you are right to be proud!

(BTW "it’s" should be "its" in the second sentence.)

------
svachalek
I don't see why they can't just follow the example of open source licenses.
GPL is powerful and complicated, but when you see something is GPL you know
what you're getting into because you've seen it before. There are a handful of
well-known policies that have varying levels of generosity, and anyone can
always make up a new one -- but if they do it's a bit of a red flag and people
will dig in to find out what it's about.

The problem with current policies is only partly that they're complicated, it
also has a lot to do with them being snowflakes too.

------
michaelaiello
Built [http://www.privacyparrot.com](http://www.privacyparrot.com) which uses
ML to simplify privacy policies back in 2011 and it continues to grow in
usage.

Thank you HN community for the feedback back then
[https://news.ycombinator.com/item?id=3222334](https://news.ycombinator.com/item?id=3222334)

------
droithomme
My preferred privacy policy is as follows:

"Privacy Policy: We will not share your private information with anyone."

~~~
akersten
Yes, but what does that mean?

What does your site define as private information? If the data got sent to
you, it's no longer "private," at least in one sense of the word.

Is "selling" information considering "sharing"?

Questions like these are why the legalese of privacy policies _needs_ to be
complicated - it's simply ambiguous otherwise.

~~~
droithomme
_> Yes, but what does that mean?_

It means exactly what people would expect it to mean. In such cases of plain
and simple language in a contract, courts go with that.

 _> What does your site define as private information?_

If a site defines what is private information that is different from a common
sense understanding, the site is being dishonest and tricky.

 _> If the data got sent to you, it's no longer "private," at least in one
sense of the word._

That is an absurd and disingenuous interpretation that no reasonable person
would ever expect to mean to be the definition of private.

 _> Is "selling" information considering "sharing"?_

Yes, selling information is sharing it. Obviously. As any court would rule.

 _> Questions like these are why the legalese of privacy policies needs to be
complicated - it's simply ambiguous otherwise._

Complicated contracts are always bullshit 10,000% of the time, designed to
cheat and trick in all of the cases, without any exception ever.

The most simple language possible is needed. Complex wording hides a multitude
of sins.

------
jiveturkey
Graphs done right! I can't imagine how this article could be better.

I wish they would make their privacy analysis tools available to the public.
So you could plug in the URL of your favorite policy and see how it ranks.

------
mirimir
This is not exactly news, but having a NYT statement is cool.

They're obviously legalistic bullshit. So whatever privacy and rights I need,
I create myself. And so I can entirely ignore ToS and privacy policies.

------
diveanon
"I agree" is the biggest lie of the information age.

------
lacker
Meanwhile, the New York Times privacy policy is also enormously long and
unreadable. It even links to the Google privacy policies, saying that by
reading the NYT you also have to be aware of the Google privacy policies,
because the NYT uses both Google Ads and Google Analytics.

[https://help.nytimes.com/hc/en-
us/articles/115014892108-Priv...](https://help.nytimes.com/hc/en-
us/articles/115014892108-Privacy-policy)

~~~
Alex3917
> It even links to the Google privacy policies, saying that by reading the NYT
> you also have to be aware of the Google privacy policies, because the NYT
> uses both Google Ads and Google Analytics.

In order to build apps on Google APIs, your end users are required to agree to
Google's API terms. In this case I'm not sure they were required to do this,
but it's pretty normal to have your users agree to third-party terms as part
of your terms.

------
dougk16
I spent a ton of time on making my site's privacy policy easy to read, while
also discussing philosophy and some technical aspects, meant to be read by
anyone who can understand simple English.

[https://aytwit.com/about#privacy](https://aytwit.com/about#privacy)

Feedback welcome! It's time to come up with solutions! So post yours below as
well!

------
ticmasta
I did a similar, deeper review of less policies for my course work in Privacy
Protection and Freedom of Information with some of the same conclusions around
length & required reading level. It's worse than this though; Orgs like
Facebook have dozens of documents that deal with what data they collect and
how they will use it. Even identifying what comprises their "privacy policy"
is a huge task.

Another _massive_ issue: unilateral, largely uncommunicated changes. Stack
Exchange used to have a very handy regular (read: legalese) policy and a
parallel "plain language" version that I can't find anymore. They still have a
relatively decent policy but that's only because the average quality is so
low.

for context I was using Canada's The Personal Information Protection and
Electronic Documents Act (PIPEDA) and Alberta's PIPA which is a scope similar
to GDPR in many ways. PIPEDA is an interesting document; it's based on a set
of expectations or statements that are decidedly "non legal" in nature which
makes it very different from most laws

------
davidw
I've never used the service, but these guys have tried to standardize and
automate the generation of privacy policies:

[https://www.iubenda.com/en/](https://www.iubenda.com/en/)

~~~
hadrien01
You need an account just to generate text?

~~~
davidw
I just recalled it existed and posted it - you can go argue with the people at
the company about how their site works.

I would imagine that it's kind of vulnerable to people just ripping the text
off if they're not careful.

------
lixtra
Creative Commons like modular privacy policies could be a solution:
[https://www.achtungtechnik.de/english/2018/GDPR-statement-
li...](https://www.achtungtechnik.de/english/2018/GDPR-statement-like-CC.html)

------
heisenbit
My understanding of the GDPR in Europe is that these policies inform consumers
but do not bind them. There is a widespread practice to let consumers sign
them everywhere but this piece of paper does not change much the requirements
for the company under the law.

------
eitland
For me it was very interesting to see what GDPR did did to Googles privacy
policy: it seems to have forced them to simplify and shorten it.

------
itsaidpens
Lawyers are awful.

------
13415
Luckily, these "contracts" are void in most European countries.

