Security

Reading online privacy policies cost us $781 billion per year

Michael Kassner interviews two privacy researchers who feel we are spending too much to understand privacy policies.

A close friend called a few weeks ago, asking for my opinion on Facebook's proposed changes to their Privacy Policy. I felt a certain obligation; my friend has patiently endured my online-security sermons for as long as I can remember. Besides, there was mention of a free meal.  

After 4727 words and significant mental effort, I managed to grasp most of the Facebook changes. One particularly interesting alteration was the wholesale replacement of "privacy" with "data use." For example:

"Your privacy is very important to us. We designed our Privacy Policy Data Use Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information."

All in all, it was worth the sacrifice, as I enjoyed a pleasant (free) lunch with my friend while explaining Facebook's revisions.

Who reads them?

On the drive home, I wondered how many people would actually read nine pages of legalese. My next thought - are they all that long? I checked. TechRepublic's privacy policy contained 2872 words or six pages; others were in the same ballpark.

Now multiply 3000 words (rough average) by the number of websites you visit, it gets a bit daunting. Besides, time and effort spent deciphering a privacy policy is a tangible cost. Hey, I might be on to something here - visions of a journalistic scoop came to mind.

Too late

It seems I'm too late. Two privacy experts already figured it out. In the United States during 2008, reading privacy policies cost companies and individual users 781 billion dollars. My son, a business guru, said that figure is more than some states' GDP.

Dr. Aleecia M. McDonald and Dr. Lorrie Faith Cranor are the two who came up with the surprising figure. And their paper The Cost of Reading Privacy Policies uses a novel approach - diligent reading of privacy policies should be considered a cost:

"In this paper we explore a different way of looking at privacy transactions. What if online users actually followed the self-regulation vision? What would the cost be if all American Internet users took the time to read all of the privacy policies for every site they visit each year?"

Determine parameters

Now I'd like to share some of the paper's results. The first slide graphs the privacy-policy word count of the 75 most popular websites:

I was curious how the researchers would determine the cost associated with time spent reading a privacy policy. The paper explains:

"Economics literature suggests time should be valued as salary plus overhead, which is the value corporations lose. In the United States, overhead is estimated as twice the rate of take home pay.

Through revealed-presences and willingness-to-pay studies, studies estimate people value their leisure time at one quarter of their take home pay."

For March of 2008, the Bureau of Labor Statistics determined the average hourly wage to be 17.93 dollars. With that in mind, the researchers decided to use the following costs:

  • At home: 4.48 dollars per hour
  • At work: 35.86 dollars per hour

Next the two doctors determined how much time an individual - if diligent - would spend reading privacy policies in one year. Their results:

Finally, all the information was tossed into the hopper and here's what they came up with:

I also had some questions Dr. McDonald gladly answered. But before getting to them, I wanted to mention this article mentions only a few of the parameters looked at. An example of the researcher's thoroughness is their consideration of whether an individual is likely to skim the privacy policy or read it in its entirety.

Kassner: Just to make sure, your research has determined the cost to read privacy policies is on the order of $781 billion using 2008 dollars? McDonald: Yes, that was our estimate for the United States. We measured how long it takes to read and skim privacy policies. We estimated how many privacy policies US Internet users would need to read for all of the sites they visit in a year. Then we used economic estimates of how much their time would be worth, both at work and as leisure time. Putting that all together, we had an estimate of $781 billion as the value of peoples' time to read privacy policies in the United States, in 2008. Kassner: In the paper's conclusion, were you trying to point out Internet users would read privacy policies if the time-cost was reduced? McDonald: More Internet users might read privacy policies if policies took less time to read, but even doubling or tripling the rate of users who read privacy policies would still end with a very low readership rate.  Improving the format only goes so far. But privacy policies are not going to go away, either, and even one percent of Internet users is a lot of people affected if we can make privacy policies work better. Kassner: The paper was written in 2008, has anything changed since then? McDonald: The idea for this paper came in 2007 when I heard someone interviewed say, "we know people don't care about privacy because they don't bother to read privacy policies." I think that notion has been put to rest: many people do care very much about their privacy, but reading privacy policies is an unworkable general solution. The Notice and Choice approach asks people to spend as much time reading policies as they do using the web. It does not work.

Now in 2012, I hear people talk about the benefits of privacy policies in terms of how the process of creating privacy policies helps companies think through their policies, how they create a legal minimum standard, and how they are useful for a very few, very dedicated people who read policies and highlight unusual practices in the press.

We were not the first authors to point out privacy policies are a huge burden on users. There is fantastic scholarship on how hard it is to read privacy policies written in legal jargon and technical jargon, and that users feel there is no point reading policies when they cannot make choices.

What was new in 2008 was that our findings suggest if you were able to cure those defects and write in plain English, that wouldn't help enough. We need a new plan. Since our work, there is solid progress on getting users more useful information by rethinking privacy notices altogether.

The Internet has changed over the past four years as well, with more third-party data gathering and more Americans online. If we were updating the study we would need to include the time to read policies from the approximately 120 third-parties that most Americans run across in a year, and multiply by more Americans online.

The second big change is a huge surge in mobile Internet use, often from cell phones. We could update with time estimates for how much longer it would take to read website policies on a tiny screen, but we cannot do a good job estimating the time to read privacy policies for mobile apps. That is because right now, the majority of mobile apps do not have privacy policies.

Thanks to work from the California Attorneys General that will change soon, and if we talk again in a few years it will be a different story again.

Kassner: Now for the tough question. If you had the ability to fix the problems surrounding user privacy while online, what would you do? McDonald: That is an ambitious question! It is not as if there were an optimal level of privacy for all people, or if people want the same privacy in all contexts. It's so personal and particular. Let me give you a metric for how we know we are there, rather than an answer.

We can say we have "fixed" data privacy when users are able to make choices about how their data is collected and used, in ways that let them make tradeoffs and set the right level of privacy for them at that time. We will have some exceptions to picture: someone who had a car repossessed may not want a potential lender to know that, but for public policy reasons, they won't get to hide their mistakes on that one. But overall, privacy is fixed when people can make good choices for themselves.

Final thoughts

Obviously we aren’t spending 200 hours a year reading privacy policies. Does that mean we aren’t being diligent or is it because privacy policies are so complex it’s a waste of time to read them?

Thank you Dr. McDonald and Dr. Cranor for the thought-provoking research.

Also read:

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

// -->

try {

var pageTracker = _gat._getTracker("UA-9822996-4");

pageTracker._trackPageview();

} catch(err) {}

// -->

About

Information is my field...Writing is my passion...Coupling the two is my mission.

79 comments
andrew232006
andrew232006

I skip the privacy policies and assume they'll use my information in any way that will profits them. I try as much as possible not to give them any information I don't want to be public. If they make some information I feel they don't need a required field, I lie. I apologize to the people at the addresses "1 main street, smalltown, USA" and a@a.com for the spam you've received.

Professor8
Professor8

There's just one little error in the article. These are not privacy policies, but privacy violation policies: "These are the ways will will violate your privacy... and there may be more we make up from time to time."

JoeCatterall
JoeCatterall

A recent survey conducted (February) in the UK showed that only 12% of Google users had read their new privacy policy. The Consumer Association here in the UK then did a follow piece counting the total number of words in the full Terms & Conditions of some internet sites. In their survey Paypal come out top with a total word count of 36,275 for its privacy policy, acceptable use policy, shipping policy and UK billing policy, making it longer than Shakespeare's Hamlet. Relevant web links are: http://conversation.which.co.uk/technology/length-of-website-terms-and-conditions/ http://www.bigbrotherwatch.org.uk/home/2012/02/ten-people-havent-read-googles.html#.T04AHIcaPw0 Regards Joe

Kieron Seymour-Howell
Kieron Seymour-Howell

If they restrained the text to simple point form with straightforward wording, it would save everyone a lot of problems. Lawyers, it seems, are hired to confuse and annoy people instead of making issues clear. If you cannot explain something with simplicity and clarity, then you do not know what you are talking about.

emenau
emenau

Apart from peoples time that is wasted by facebook now it is good to see how much money they waste on a simple thing that they made over-complicated. Privacy polacy should be as short and simple as this: Our privacy policy: We respect ALL of your privacy all of the time. But but no, Big greedy FB even changes privacy policy into data use policy???? thus ignoring privacy alltogether???? They should not only be boycotted, someone should tell Obama to fly a few planes into this tower aswell. Brutality policy is what i call it. Was Zuckerberg as a kid also this brutal? How can it be possible that idiots like this may run destructive companies like that? How to delete this madness? Lowlevel format the damn thing and then strike it with a hammer.

Ocie3
Ocie3

Personally, I usually don't bother to read Privacy Policy statements anymore, if only because they usually proceed to detail exactly what I don't want the policy-makers to do with the data that they collect about me. I do, however, adopt some measures to frustrate, and perhaps prevent, their efforts to collect such data. Ordinarily I run Firefox 12 with Do Not Track Plus, and with No Script, which I configure to universally block Java Script from some 3rd-party collectors in particular. To the extent that I succeed, it doesn't matter what their Privacy Policy may be. There are, however, some firms with whom I have declined to "register" a website "account", and others whose websites I rarely, if ever, visit because I have read and don't accept their Privacy Policy and/or their "Terms of Service / Terms of Use". What we really need is a law, perhaps a Constitutional amendment, which declares that our personal data is our personal property, and, among other provisions, declares that no person or organization has any right to acquire or to use such data without our prior knowledge and consent.

sholcombe
sholcombe

The first example of do we pay attention to these kind of things is that you state he article that the cost is $781 million, and then in the section "Too Late" you state that the cost is $781 BILLION dollars. Who do we believe? This just shows it is hard to grasp what we are reading.

pgit
pgit

"McDonald: The idea for this paper came in 2007 when I heard someone interviewed say, ???we know people don???t care about privacy because they don???t bother to read privacy policies.??? I think that notion has been put to rest: many people do care very much about their privacy, but reading privacy policies is an unworkable general solution." I'd put money on that this 'people don't care' attitude persists among corporate exec types. BTW I know it's possible to determine how long someone has lingered on a given web page, though I don't know how often (or why) such capability is deployed. I always imagined "they knew" whether someone spent enough time to actually read the policies or not. Has any data of that type, eg actual dwell times on policy pages been collected? I'm one of those stick-in-the-mud types that reads these things and I try to comprehend everything. There have been many policies and EULAs I've turned down. I've also chided users for violating spirit and letter of an agreement, and even 'fired' a client or two over the issue. (in those cases the EULA in question was hatched in Redmond, Washington... ) People are adopting technologies in droves, without the slightest clue whether there are any long term, fundamental consequences, let alone whether any of those consequences are bad. To update the classic, "They were the most interesting of times, they were the scariest of times..." There you go, Michael, making me thing again. :D

dl_wraith
dl_wraith

This has been a growing trend and I think it will continue for many years before someone gets bitten hard by the misuse of their info before we see our test case. Right now it seems to me that all website owners, service providers, software producers and similar make the assumption that because you're using their product, reading their pages, playing their game, watching their media or what-have-you, that they have a right to collect any info they can about you and the experience you are having and use it in any way they see fit. This includes, but is certainly not limited to, behaviour tracking and the wholesale selling of your information for the purposes of advertising and marketing. To me, this situation is wrong. Just because I want to use a particular website it doesn't mean I consent to you tracking my movements and selling my details to advertisers.Even telling me up front that by visiting the site I agree to these terms is rubbish - if I opened a book and the first page was "By reading this book you are agreeing to us collecting information about you. This may include your e-mail address, address of where you read this book from, the pages you turn over the most, the words you linger on and other similar information. We reserve the right to pass such information to selected third parties in either our, or your, interest. We also reserve the right to change these terms at any time without prior notification and without calling your attention to it", I WOULDN'T READ IT. Take the same idea about shops. If I walk into a real shop I know security are watching me and I know that the store and my card provider records what I've purchased. I know this information is used to stock the right sorts of things in the right quantities and to provide new items hat I may like next time I visit. I also know that from time to time someone may analyse the layout of the store and typical consumer behaviour to optimise the layout and to boost sales and convenience for visitors. Now, apply that to a website - analysis of purchased items and of visitor experience to improve the site and stock the right sort of things. Totally acceptable and expected - even without a stupid user agreement. I suppose I could come out and state that if I'm on your site go ahead and watch what I'm doing there, where I click, what I buy. Use it to improve your site and boost your sales and readership. Do it without my express consent - it's a reasonable thing to do. Don't then collect every bit of data about me you can and potentially share that with other entities for whatever purpose. That isn't cool and you wouldn't get away with that in the physical realm. Digitality (which isn't a word but just roll with it) doesn't excuse grubby practices. You don't own me or what I do so don't assume that you do on the web. Right now the Internet is a data-miner/advertiser's wet dream. All the power is with those who are watching us. There ARE NO ALTERNATIVES right now (other than 'don't use the Internet'). Wherever you go you're tracked, your data is collected in various ways and sold or used with your assumed consent. No other environment we consume media in is like this and we need to start thinking about how this affects us seriously before we find ourselves in a world where to use any service you have to give up all your personal details to some grubby marketing company to be endlessly advertised at. You thought spam was bad - try aggressively targeting advertisement, all with your own consent. For a vague idea about how power is shifting firmly into the hands of the producer rather than the consumer, check out what's happening in the games industry right now. The current trend in online passes and such to combat second hand game sales and ever increasing digital distribution channels has led to the rise of the game that the gamer never actually owns. Free to play and microtransaction fuelled games are already at a state where the real costs are the data you feed them with - and the subsequent advertising you then receive. Right now it all seems benign enough and it's a long way off "We're all doomed! They own us! There is no privacy!" but the debate must be had early enough that we don't complacently slip into a world where assumptions about what data companies and producers own about us are far beyond what most of us would have been comfortable with. PHEW! Sorry about the long post. Guess I had my wheetabix this morning. If you got this far, thanks for putting up with this!! :)

bboyd
bboyd

whose only purpose is to protect the other side from litigation. They don't improve our privacy they only sell our rights to protection off for the sake of convenience. Right now at least if I say to the judge that I did not read it and would never have given up those rights if I had he'll likely agree with me and throw the thing out of consideration. In the US its pretty iffy that a EULA or any kind of Click-wrapping is enforceable and even varies from district to district. No district has ruled on them generally and the supreme court has never held the issue up. http://en.wikipedia.org/wiki/Contracts_of_adhesion#Contracts_of_adhesion Wall of text to follow: "Section 211 of the American Law Institute's Restatement (Second) of Contracts, which has persuasive though non-binding force in courts, provides: Where the other party has reason to believe that the party manifesting such assent would not do so if he knew that the writing contained a particular term, the term is not part of the agreement. This is a subjective test focusing on the mind of the seller and has been adopted by only a few state courts. The doctrine of unconscionability is a fact-specific doctrine arising from equitable[citation needed] principles. Unconscionability in standard form contracts usually arises where there is an "absence of meaningful choice on the part of one party due to one-sided contract provisions, together with terms which are so oppressive that no reasonable person would make them and no fair and honest person would accept them." (Fanning v. Fritz's Pontiac-Cadillac-Buick Inc.)"

Editor's Picks