
Nobody reads privacy policies, senator wants lawmakers to stop pretending we do - justin66
https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/
======
Wowfunhappy
If one party to a contract cannot reasonably expect (!) that the contract was
read by the other party, the contract should be invalid. Period, end of story.

This applies not just to Privacy Policies, but to just about every Terms of
Service. You're telling me that when Apple updates the App Store's terms of
use, they _in good faith_ expect their customers to spend half their workday
rereading the contract before clicking I Agree and downloading that new app?
It's completely nonsensical!

Only high-level business software should be able to force its users to sign a
contract, because that is the only circumstance in which it will be read.

~~~
nickff
One problem with your argument (from a political perspective) is that it
undermines the entire system of mandatory disclosures (for drug warnings,
investor relations, real estate, etc.). Accepting this argument means that all
the (many) disclosure-based lawsuits and regulatory actions taken against
companies are blatantly unjust, as they are based on the idea that consumers
can and should read lengthy, confusing documents.

I should add that despite what people here are saying, the complexity of the
wording is usually driven by legal requirements, not a desire to confuse
people.

~~~
AnthonyMouse
> One problem with your argument (from a political perspective) is that it
> undermines the entire system of mandatory disclosures (for drug warnings,
> investor relations, real estate, etc.).

A key factor here should be the complexity of the agreement compared to the
value of the transaction.

If you're buying a house, you're laying out at least six figures and can be
reasonably expected to read the fine print or hire somebody to do it for you,
even if it takes multiple hours or several hundred dollars. If you're buying a
$1 app or using a free service, expecting the same thing is facially absurd.

Meanwhile if you're buying a $5 bottle of drain cleaner, it's ridiculous to
expect someone to read 20 pages, but 20 words is not so unreasonable.

This also bodes ill for "we may update this agreement at any time" because
that's imposing the burden of re-reading the agreement every time you change
it, which is pretty unreasonable for anything where the other party isn't
paying you (or getting paid by you) hundreds or thousands of dollars a year.

~~~
Retric
That’s a reasonable idea. One issue is cheap real world products like
painkillers can be useful and dangerous.

~~~
coopsmgoops
Well what is reasonable for a $5 bottle of ibuprofen? How about:

"Misuse of this product is dangerous and may cause death. Advil is not
responsible for damages caused by misuse. Read and follow instructions on back
of bottle"

That's a bit wordy but it indicates who is responsible (you) and what the
gravity of the situation is (possible death). With that established, it means
the onus is on the user to do more reading.

IANAL but I would like to believe something like that would satisfy all
parties.

~~~
Wowfunhappy
I don't necessarily disagree, but the way you framed it is a little too close
to "Please read our privacy policy for more information", which doesn't get us
anywhere. It works for ibuprofen because those instructions on the back are
really quite short, so expecting customers to read them is more than
reasonable IMO.

------
lmkg
I view Privacy Policies as a type of a labeling law, like the ingredients
lists on all of your food. Even though only a small fraction of people
actually read it, it's still doing its job and its important that it's there.

Some people _care_ about the ingredients in their food, for a variety of
reasons. Maybe they're vegan, or Kosher, or allergic to bananas, or are wary
of processed sugar. Those people have the ability to make informed decisions,
because they are informed. Similarly, privacy-conscious consumers can choose
to avoid services based on their particular values when they are informed.

Another important use case is advocacy and/or journalism. If data-sharing
arrangements must be public, then a motivated researcher is able to connect
the dots, like finding how many sites send data to Facebook/Google, how many
of them are health or bank or porn sites, what non-public-brand companies are
actually collecting lots of data. Then it's possible for the gestalt "public"
to be informed even if each individual isn't doing the reading themselves.

[edit] People are rightly pointing out several of the differences between
ingredients lists and privacy policies, especially readability. I agree with
this, and view it as a _focus for regulation_. Ingredients lists are useful in
part because they're highly regulated in both contents and format. Privacy
policies _could_ be made more useful if they were to take some cues.

~~~
strictnein
A label on food is easily looked at and any important information can be found
within seconds.

The vast majority of Privacy Policies do the exact opposite. They function as a
method to obscure the important details.

~~~
leetcrew
> A label on food is easily looked at and any important information can be
> found within seconds.

I don't really agree. if I look at the label on a box of poptarts, I can see
the number of calories in a serving and the ratio of carbs, fat, and protein.
from this I can conclude that it is a relatively unhealthy food, but I have no
idea how to interpret the breakdown of exactly what types of fat they contain.
are polyunsaturated fats bad? what about monounsaturated? the nutrition facts
are right there on the box, but I don't really know what they mean without
doing a bunch of research.

the actual ingredients list is worse. there are at least ten ingredients in
poptarts that I just don't recognize. I can clearly tell that they are not an
"all natural" food, but not much else. if I had a food allergy or wanted to
avoid a specific additive for whatever reason, it would certainly be useful,
but otherwise not so much.

~~~
mulmen
Imagine a “Privacy facts” label at facebook.com/privacy.

The format of the page is mandated by the government, including the font and
margins. It is easily scraped and must be by law. This label is required in
place of a privacy policy.

Facebook.com will:

Store data about you forever in a profile.

Share data about you with 3rd parties.

Show you advertisements based on a profile.

Show you content based on a profile.

Share profile information about you with law enforcement.

Facebook.com’s top five markets by revenue are:

Advertising

News Redistribution

Device Development

This may still be opaque and ignored by most people. Standardizing the
language and format in a way that laypeople can read delivers actual value to
consumers.

~~~
augustt
Would be cool if it was required that such a label needs to be placed
prominently on any signup page.

------
colanderman
This is good, but "nobody reads the privacy policies" is the wrong reason.
"Due to market pressures, consumers have little meaningful choice of service
providers without onerous policies, and invasion of consumer privacy on a
nationwide scale is a net social negative" is a better reason.

~~~
whatshisface
If people read privacy policies, then why don't we start clones of every major
online service, but with good privacy policies?

~~~
notatoad
because most people don't actually care what's in the privacy policy. "X but
with better privacy" is not a selling feature outside of a very small group of
people.

~~~
kleiba
How do you know that?

~~~
ihumanable
Name one company that has dominated a market by creating a similar product but
with better privacy.

Plenty have tried.

Protonmail is Gmail with better privacy, Gmail dominates the market.

Telegram / Signal is messaging with better privacy, Slack dominates the
market.

Zoom dominated the video conferencing market with poor privacy, although they
seem to maybe be trying to make it better.

Ultimately, "better privacy" does not seem to be a differentiator the market
cares about.

I would welcome some counter examples though, where a competitor was launched
with the differentiator being better privacy and won the market segment.

------
chooseaname
Even if you _do_ read them, what good does it do you when practically the only
ISP in your area is Comcast?

------
jt2190
I’ll add a plug for the Privacy Essentials browser add on:

Chrome: [https://chrome.google.com/webstore/detail/duckduckgo-privacy...](https://chrome.google.com/webstore/detail/duckduckgo-privacy-essent/bkdgflcldnnnapblkhphbgpggdiikppg)

Safari: [https://apps.apple.com/us/app/duckduckgo-privacy-essentials/...](https://apps.apple.com/us/app/duckduckgo-privacy-essentials/id1482920575?mt=12)

Firefox: [https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo...](https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-for-firefox/)

~~~
notatoad
the privacy grading is a cool idea and i'd love to have that displayed in my
address bar for every site i visit, but bundling it with a "tracker blocker"
means that the extension needs full access to all my data on every webpage i
visit. i think my privacy is better protected by having one fewer extension
installed with such broad permissions.

~~~
jt2190
The add on is bringing in data from Terms of Service, Didn’t Read
[https://tosdr.org/](https://tosdr.org/), so you can always refer to that if
you don’t like add ons.

~~~
notatoad
oh, and they have their own add on that doesn't require any access to the page
contents. that's exactly what i wanted, thanks!

------
tehjoker
I feel like much of the debate about this topic focuses on how corporations
hide what they are doing to us, and reforms would focus on making the language
easy to understand like a nutrition label. However, if that reform passes, all
that will happen is that all major corporations will in lockstep offer nearly
the same terms and force us to take them.

The problem isn't their sneakiness, it's their power. You can't even begin to
conceive of a possible solution to this that won't be undone within a few
years without asserting popular control over the decisions of a corporation.

------
Animats
Maybe there should be standard privacy policies.

Medicare did something like this. Insurance companies are limited to 10
standard supplement plans. Each covers exactly the same thing, regardless of
insurer. So there are direct comparison charts, and policies are mostly sold
on price. Insurance companies hated that. It's worked out well.

We should have standard privacy policies, graded A through F. Companies get to
pick freely, and users get to see which one they picked before signing up.

------
yodelshady
I'm struggling to think of a way in which a business, operating in good faith,
would benefit from its customers not knowing what they signed up for. In fact
I think it's tautological that they wouldn't.

Good regulation won't guarantee that a privacy-friendly business will succeed,
but at least they could differentiate themselves as such, because the claims
they make would _mean_ something.

~~~
Nextgrid
> operating in good faith

Nowadays this is a very big "if".

------
echlebek
It's completely pointless to read privacy policies or really any EULA because
they can change at any time. Sometimes they change monthly. It doesn't matter
if they are easy to read or not, and it doesn't matter if they are simple or
complex, when the other side can just change the rules out of nowhere. That's
not an agreement, in the way that most people understand agreements
intuitively.

------
rjmunro
I think there should be an absolute limit on the length. 1kb seems about
right. Any more than that and the whole document is too long to possibly read.

Severability clauses (like "If a provision of this Agreement is or becomes
illegal, invalid or unenforceable in any jurisdiction, other provisions should
still hold") should be explicitly banned. If something isn't legal, companies
shouldn't be asking for it.

~~~
eximius
That's a thousand letters. I'm not against the concept but that's implausibly
small.

~~~
nybble41
A thousand letters should be plenty for almost every contract the average
consumer is likely to encounter if they stick to well-known and standardized
terms instead of writing every contract from scratch in impenetrable legalese.
I wouldn't set a hard limit of 1KB, but it's not a bad goal to strive for.

People can reasonably be expected to learn the nuances of a small set of
common contracts; we could include this as part of the standard school
curriculum. They cannot be expected to read and fully understand separate one-
off contracts full of legal jargon for every company they happen to deal with.
As such, deviation from the standards should be expensive. I would consider it
perfectly reasonable to require companies to submit any custom contract terms
to the courts in advance if they want them to be enforced against arbitrary
members of the public, and to reject any non-standard terms which would not be
readily comprehensible to at least 80-90% of the target audience.

~~~
eximius
Your comment is a thousand characters (983).

I think your ideas are good. Standard terms, civil education, court oversight.

At that point I think arbitrary limits would do more harm than good.

~~~
nybble41
I agree with not imposing arbitrary limits. The point was simply to keep the
text as short as possible. For example, anything with a Creative Commons
license can be described in at most eleven characters: the longest and most
restrictive version is "CC BY-NC-ND". When you see those eleven characters you
know exactly what the terms are for that work, without reading the full
license text on each occasion.

I doubt we could compress _all_ standard contract terms down to that length,
but I do think most could be written in 1KB—or perhaps one printed page,
double-spaced with decent margins—if we're only spelling out the truly unique
parts.

------
naugtur
Do for privacy policies and ToS what we did for software licenses.

So that I read the lawyer explain ApachePrivacy1.0 and can reuse that
knowledge going forward. And it seems like startups would benefit from that a
lot. They tend to copy-paste the lawyery bits anyway.

I'm scrolling the comments looking for this and having trouble believing
nobody thought of it. Is it obviously impossible or something?

~~~
novok
A set of standard contracts where you can read explainers about them can go a
long way without needing really hard-to-change societal reforms like this. I
hope one day Creative Commons makes a privacy policy wizard that most people
understand.

------
mark_l_watson
Instead of calling these Privacy Policies, I wish there were some honesty in
the industry and they were called Surveillance Policies.

Off topic, but I have been on a war path, talking to family and friends about
the surveillance economy, and how the tech giants collecting personal info is
to their benefit not ours. Most people have been receptive to at least using
Firefox and containers.

------
vegetablepotpie
When my apartment installed a Luxor One locker for packages, I tried to read
the privacy policy on the kiosk. The interface timed out on me while I was
reading it. The designers did not consider that customers would read the fine
print for their service.

------
surfsvammel
I’ve heard somewhere that Warren Buffett never signs a contract that’s more
than a page or two.

If the authors were interested in having their users read and understand
their agreements, policies, and such, then why not create a very simple,
readable one? Then present the content of it, and have the user accept the
terms, in part, spread out over time, such that the user only has to read a
sentence, or paragraph, or so. If they did it like that, I would probably read
the ToS of the apps that I use.

~~~
saagarjha
Even a page or two of the most straightforward language would tie up Warren
Buffett's time enough to be worth tens of thousands of dollars. So I'm sure
he's picky about whatever he chooses to read anyhow.

------
robotburrito
Back when I was a contractor I often wondered if it would be OK to bill a few
hours a day reading the 20 page legal documents required to hit OK on lol.

------
bttrfl
I'd love to see particular policies as a list of exceptions from THE standard
policy rather than a solid text.

------
advisedwang
[https://outline.com/EEgJNA](https://outline.com/EEgJNA)

------
neonate
[https://archive.vn/oGOcW](https://archive.vn/oGOcW)

------
nyxtom
There are some privacy policies out there that are well organized and even
summarize a lot of the legal jargon into bite sized chunks.

500px is a good example for instance.

[https://web.500px.com/privacy](https://web.500px.com/privacy)

~~~
robertlagrant
Why these things aren't completely standardised (i.e. pick from options 1-5
for your privacy policy) is beyond me.

------
meristem
Clickwrapping is an actual UI pattern at this point, and click-and-go an
expected behaviour.

------
newman8r
HN users do (well, sometimes), and that's why I love the users here. Any time
I share a startup, I get at least a little bit of feedback about my
TOS/privacy policy.

------
awinter-py
I read privacy / TOS from time to time (and write up notable findings), and
believe that most users click without reading -- including most of my lawyer
friends whom I've asked

I think most policies don't say exactly what they do with the data, even post-
GDPR -- like they're not docs of the app's RBAC system

They all just say 'your privacy is important to us and we won't share your
data with anyone (other than our business partners and for reasons of
business)'

I think any service you pay for should be obligated by law to reveal what data
they have about you, where they got it, and how it factors into a decision
(weights / PCA if not precise algorithm).

------
brightball
Enterprise customers do as part of their vendor management process, but
general public users certainly do not.

