This blog post is a little longer than usual, but it just didn’t feel right to break it up into two parts, so bear with me.
In my experience, there are two main reasons people ignore privacy policies: they’re complicated, and companies lie. I’ve pointed that out many times in the past myself: Apple lied when they said that humans don’t listen to your Siri recordings, Google allegedly lies all the time about honoring the location data toggle in your account, Uber lied by omission when they covered up a data breach in 2016 for years rather than informing victims. (Side note: I’m not a Verge fanboy, that was just the most reputable outlet my search terms pulled up tonight.)
Things I Read (and What They Mean)
Let’s talk about keywords. Usually privacy policies will directly list a lot of things that they openly admit to collecting. For example, Bookshop.org clearly admits to collecting “name, email address, mailing address, or telephone number [when you sign up for the newsletter], time zone, language, screen resolution, and other usage preferences you select when using the website, device keyboard settings, the search terms you entered into a search engine that may have led you to the website, the Internet service provider (ISP) or mobile platform you use,” and “other device and website access information such as your browser type, operating system, Internet Protocol (IP) address, referring/exit pages, and other unique device identifiers.” While that’s a lot of data, in my opinion, it’s pretty self-explanatory. You may need to slow down and take it piece by piece to really understand what all that says, but none of it is complicated or overly technical. “Time zone, language, and telephone number” are all very common things, as are screen resolutions, keyboard settings, search terms, and a lot of the other data they cite.
In some cases, the privacy policies are obnoxiously vague to the point of being useless. Here you’ll have to learn to read between the lines. For example, a while back I wrote a blog post about diet apps, and one of the privacy policies I cited as being abysmally vague was MyNetDiary’s. They state that they “collect personal information” and “may combine information about you that [they] have with information we obtain from business partners or other companies,” then go on to describe how they use that information to authenticate you, provide services, and more. But at no point do they specify what any of that personal data or information is, except for cookies later on down the page (note: I did later find a section under “access logs” that listed more detailed data, like IP address, OS, browser type, etc., but I stand by what I said because they buried this information in a place it’s not typically found). In cases like this, you’ll have to note phrases like “combining information about you.” They say this data is used for billing (among other things), so it’s likely in this case that they work with some sort of risk-management company to detect and flag potentially fraudulent transactions, which means that they probably don’t personally have access to your identity data, but they work with companies who do to confirm your billing identity. They also cite using the data to “improve services” and “research.” A quick look at uBlock Origin shows that the site does indeed use Google Analytics, as most sites do to “improve their services.” Unfortunately, I don’t have a comprehensive list of PR-speak words and what they mean in plain English. You just have to learn how to see these words and think like the company. “What sort of external business partners would they work with to verify my data? What information would that require? Who would have access to it?” It pays to have a healthy bit of paranoia in these cases.
Needless to say, this data can be used for multiple purposes: your name and location can be used to verify your card details, but can also be used to sell you ads.
This brings us to the final thing I look at: how they use your data. Most companies have to comply with legal orders. Quite frankly, if you think a company won’t comply with legal orders, either you’re delusional, confused, or the company is catering specifically to criminals, in which case they will get shut down eventually. I wouldn’t use them lest you get caught in the crossfire. Some companies hand over data to law enforcement faster than others, but all of them will do it when given a legal, valid order. In my opinion, this is not concerning at all. (Reminder that this site does not focus on the “political activist in a repressive country” threat model. That’s a different story.)
Instead, I focus on things like ad partners. Some websites do flat out say that they share your data with advertisers. Others dress it up in pretty words like “trusted business partners.” Few – if any – admit to selling your data. They “share” it with “trusted business partners” whom they will not name, and they will not expand upon the reason for or the extent of this “sharing.” Make no mistake: in 90% of cases, that’s PR speak for “we sell your data to advertisers.”
In my opinion, this section is really the most important. You’ll be able to instantly see how fast and loose the company plays with your data. All of them will share with law enforcement – again, that doesn’t bother me. Most – if not all – also say they share some data with third parties for the purposes of providing support (e.g., ZenDesk) or improving the site (e.g., Google Analytics). These also bother me very little because these can be easily blocked, lied to, or simply not used. But the ones who say “we share data with advertisers” or “trusted business partners” are the ones that I distrust. Other keywords to look for here are phrases like “improve your experience.” While this can sometimes refer to making the site better, it also frequently refers to targeted ads. This is especially obvious in phrases like “serving you more relevant content.” Once I know how comfortable the service is with sharing, I compare that to the previous section of what they record. IP address and cookies? Not worried. Not much to share there between VPNs, BleachBit, and clearing my cache regularly. Everything including the kitchen sink? Now I have to reconsider how much I want to use this service.
Things I Ignore (and Why)
Some of those, of course, are situational. In the case of a service promising end-to-end encryption, I want to know more about their encryption. What techniques and protocols are you using to protect my data? Readers from the EU may wish to read the sections about “Your Rights in the EU.” I’m not an EU citizen, so these sections mean nothing to me. The only things I personally care about are what they collect and when they’ll share it.
The Rise of Plain-English Privacy Policies