Privacy Policies Are Great — For PhDs

Posted by CmdrTaco on Thursday September 04, @08:50AM
from the they-have-many-advanced-degrees dept.
An anonymous reader writes "Major Internet companies say that they inform their customers about privacy issues through specially written policies. What they don't say is that more often than not consumers would need college undergraduate educations or higher to easily wade through the verbiage. BNET looked at 20-some-odd privacy policies from Internet companies that received letters from the House about privacy practices. The easiest to read policy came from Yahoo, at a roughly 12th grade level. Most difficult? Insight Communications, which at a level of over 20 years of education officially puts it onto IRS Code territory."

  • Well--and this is all from the perspective of a geography ignorant non-lawyer American--the fact is that most policies are in place to avoid confusion. Ah, who am I kidding, they're there so nobody sues the hell out of anyone else. And a policy is there to stop the worst kind of lawsuits: class action. I'm sure you would notice this if you did the same analysis of other policies--like healthcare, dental or auto insurance policies. Yes, your health and your automobile might seem more important than your privacy but the United States Justice system (is supposed to--like in the NYTimes article) stop companies from swindling any of those.

    And there's not a lot you can do about this, we're going to want to sue the pants off a bastard company if suddenly our name and address is being traded on a disc with 50,000 others on the black market. So they write these policies to be air tight and they use terms that have legal connotations because I'm sure the only time these things are scrutinized are in court anyway. And the second you take away that level of granularity, I'm sure you see yourself as a company open up to lawsuits.
    • by houghi (78078) on Thursday September 04, @09:19AM (#24872527) Homepage

      a policy is there to stop the worst kind of lawsuits

      And that explains who the EULA is written for. It is not written for Joe Sixpack. It is not for the user. It is to be used in lawsuits. This means it is written for the people who work with the law, lawyers.

      And those are the people who write them, because they are also the people who they are intended for.

      Also often I see a lot of copy and paste. Especially on the bullshit attachments they put under an email.

      In some countries an EULA is not even legal and most of them are written for US law. Well, many countries have different laws and if you don't like that, then you should not make the software available there from your website.

      Then there is the fact that an EULA is not available in the language(s) of the country.

      Yeah, it is a bitch that you should make the EULA available for all those laws, languages and countries, so cry me a river.

            • by Jeremy Erwin (2054) on Thursday September 04, @02:08PM (#24877157) Journal

              No-Nonsense License Statement
              This software is protected by both United States copyright law and international copyright treaty provisions. Therefore, you must treat this software just like a book, except that you may copy it onto a computer to be used and you may make archival copies of the software for the sole purpose of backing-up our software and protecting your investment from loss.
              By saying "just like a book," Borland means, for example, that this software may be used by any number of people, and may be freely moved from one computer location to another, so long as there is no possibility of it being used at one location while it's being used at another or on a computer network by more than one user at one location. Just like a book can't be read by two different people in two different places at the same time, neither can the software be used by two different people in two different places at the same time.
              (Unless, of course, Borland's copyright has been violated or the use is on a computer network by up to the number of users authorized by additional Borland licenses as explained below.)
              LAN Pack Multiple-Use Network License
              If this is a LAN Pack package, it allows you to increase the number of authorized users of your copy of the software on a single computer network by up to the number of users specified in the LAN Pack package (per LAN Pack -- see LAN Pack serial number).
              Use on a Network
              A "computer network" is any electronically linked configuration in which two or more users have common access to software or data. If more than one user wishes to use the software on a computer network at the same time, then you may add authorized users either by (a) paying for a separate software package for each additional user you wish to add or (b) if a LAN Pack is available for this product, paying for the multiple-use license available in the LAN Pack. You may use any combination of regular software packages or LAN Packs to increase the number of authorized users on a computer network. (In no event may the total number of concurrent users on a network exceed one for each software package plus the number of authorized users installed from the LAN Pack(s) that you have purchased. Otherwise, you are not using the software "just like a book.") The multiple-use network license for the LAN Pack may only be used to increase the number of concurrent permitted users of the software logged onto the network, and not to download copies of the software for local workstation use without being logged onto the network. You must purchase an individual copy of the software for each workstation at which you wish to use the software without being logged onto the network.
              Further Explanation of Copyright Law Provisions and the Scope of This License Statement
              You may not download or transmit the software electronically (either by direct connection or telecommunication transmission) from one computer to another, except as may be specifically allowed in using the software on a computer network. You may transfer all of your rights to use the software to another person, provided that you transfer to that person (or destroy) all of the software, diskettes and documentation provided in this package, together with all copies, tangible or intangible, including copies in RAM or installed on a disk, as well as all back-up copies. Remember, once you transfer the software, it may only be used at the single location to which it is transferred and, of course, only in accordance with copyright law and international treaty provisions. Except as stated in this paragraph, you may not otherwise transfer, rent, lease, sub-license, time-share, or lend the software, diskettes, or documentation. Your use of the software is limited to acts that are essential steps in the use of the software on your computer or computer network as described in the documentation. You may not otherwise modify, alter, adapt, merge, decompile or reverse-engineer the software, and you may not remove or obscure Borland copyright or trademark notices.
              (From "Paradox for Windows")

    • by Fëanáro (130986) on Thursday September 04, @09:44AM (#24872787)

      So we need some standardisation for EULAs, just like foods must list their ingredients in some standard way.

      Analyze the available EULAs, 90% of it boils probably down to the same few terms.
      Make a list of these terms, label each with a descriptive short name, and maybe a symbol.
      Then make a regulation that companies must use those labels if they want to describe terms equivalent to those labels in their EULA.

      Every year, make a survey of EULAs to find parts that are not covered by any existing label to find which new labels need to be added to the system.

      Discourage companies from using terms not covered by labels, for example by a tax.

      If this leads to mass lawsuits, fix the laws.

      • by Warg! The Orcs!! (957405) on Thursday September 04, @11:53AM (#24874851)
        But EULAs are mostly unreliable anyway. If I bought a part for my car that turned out to be unfit for purpose resulting in the destruction of my car's engine, I would be able to pursue the manufacturer for compensation. Even if the part came with a small piece of paper that had "By using this part you accept that it might not work and relinquish all legal rights" written on it. This is because national law supersedes small bits of paper with 'not my fault, honest' printed on them. Most software EULAs that have the standard "If you use this and your computer breaks then it's not our fault and you agree to not sue us and in any case you accept that the most you can sue us for is 99 cents" are likewise ineffectively illegal. In the UK at least. Products sold here, by any means, have to be fit for purpose and behave as advertised or the buyer is entitled to recompense. So if I buy a piece of software or hardware and it makes my computer fry, then EULA or no EULA my rights are protected.
  • Word length (Score:3, Insightful)

    by name*censored* (884880) on Thursday September 04, @08:52AM (#24872289)

    The easiest to read policy came from Yahoo

    Yes, but it's 5000 words long. Who has time to read 5000 words?

    • by oldspewey (1303305) on Thursday September 04, @08:57AM (#24872333)

      Who has time to read 5000 words?

      You just need to break the task down and come up with a manageable work plan - if you tackle 5 words a day, you'll be done in less than 3 years.

    • by click2005 (921437) on Thursday September 04, @08:57AM (#24872335)

      Yeah, couldn't they just do it as 5 pictures?

      • by Zerth (26112) on Thursday September 04, @09:40AM (#24872749) Homepage

        Most privacy policies, EULAs, etc could easily be done in pictures.

        They could even do it in just 2.

        The goatse guy subtitled "You" and the other guy with the company's logo on a placard hanging off his "contract penalty"

      • Re:Word length (Score:5, Insightful)

        by sm62704 (957197) on Thursday September 04, @10:21AM (#24873195) Journal

        Actually, in most cases (although not a legal document, even an illegal legal document like a EULA) the lower the education level needed to read, the more intelligent the writer.

        For example, Isaac Asimov's books are written at roughly an eighth grade level, and his nonfiction still managed to educate intelligent, learned people. He was actually called "the great educator". Dr. Asimov held a PhD in biochemistry and taught and did research at (IIRC) Boston University. Asimov was a very intelligent man with a great imagination, and was one hell of a writer.

        OTOH I read a paper once by some dimwit PhD who used the word "enumerate" five times in a single paragraph without once using the word "count". Writing like this is intended to obfuscate rather than illuminate, and its sole purpose is usually to impress you with how intelligent the moron is.

        In a EULA the obfuscation's purpose is obviously to make you think the damned people won't use your personal information when in fact it actually says the opposite. These people are just slimy.

        The thesaurus entry for obfuscate says bewilder, blur, cloud, confuse, darken, dim, garble, hide, muddle, obscure, perplex, puzzle. None are exact synonyms, so sorry; I'm not smart enough to convey this information well.

  • by gardyloo (512791) on Thursday September 04, @08:54AM (#24872299)

    ... in my over-20 years of education, is that some things just aren't worth reading.

  • Privacy issue (Score:5, Interesting)

    by 140Mandak262Jamuna (970587) on Thursday September 04, @08:57AM (#24872341) Journal
    This company [geni.com] is jockeying to become a social website by allowing its registered users to construct their family trees. The idea seems to be once a vast tree is created the users will be able to find their rich and famous relatives etc. I could imagine this being a very useful service to many people. One of my relatives added my name to his tree and geni created an account in my name and added me to the tree and notified me about it. The email had options to opt out of more spam from them. I had a talk with my relative and expressed my concern about adding vast quantities of private info about our lives to a searchable, indexable database owned by some for-profit company over which we have absolutely no control. As it is the net has so much of our public information. Why compound the problem by adding our private information as well?

    Looks like it had an impact and my relative decided to close his account and destroy the tree. But geni claims they need my permission to destroy my account. Is it reasonable for a company that bribes its users with free family tree service in exchange for private info about people to follow an opt-out policy? Shouldn't they be required to notify me and get my consent before they add my name? I have received invites from other social networking sites, but they all require me to create an account first. If I ignore the email, I hope, they would not add me to their databases. Probably they will just sell my email address to spammers and stop with that.

    I believe there is neither a technological nor legal solution to this problem. A new geni.com could easily be run by Russian mafia outside US borders and thumb their noses at us. I think the only solution is social. They are using social engineering to pry private info from the public by offering some service or the other for free. We need to educate the public about the implications of succumbing to the temptations by them. Today if I set up a stand in a fairground and ask people to give the names, addresses and phone numbers of their relatives and friends in exchange for small token gifts the response would not be overwhelming. Somehow people believe it is wrong to tell strangers such information. But set up the same stand in the internet and people are punching in the email addresses of their friends and relatives like gangbusters. What would it take to educate the public about the menace to privacy these companies pose?

    I did my best. I pointed out the liability issues the company has like some stalker tracking down someone hiding in a relative's home or identity thieves making use of the mother's maiden names data etc. Told the company that they must disclose their liability to their investors and to anyone they are trying to sell to. Made it official and made it difficult for the company officers to claim later, "We never anticipated that development". If we keep raising the liability issue with these companies, maybe we can get their venture capital to dry up. Just a thought.

  • by imyy4u3 (1290108) on Thursday September 04, @08:58AM (#24872353)
    I really don't see the point in these privacy policies. They are written in the most boring, impossible-to-comprehend way in the hopes that no one will actually take the time to figure out what the policy is. Because let's face it, if everyone knew that Slashdot's privacy policy allows them to sell your email address and first born child (just kidding!), no one would sign up on the site. So companies word these statements in a way that discourages anyone from reading them, yet still covers their ass if they get sued.

    I really think something needs to be done about this, because 99.9% of people don't read lengthy EULAs and privacy policies simply because they are too long, boring, and difficult to understand, yet we are agreeing to conditions we probably would never agree to if we knew about them. Perhaps a law stating that the policies must be written at a sixth grade level, use small and non-legal words wherever possible, and come with a 1-page summary of the major rights. I think that would be a fantastic idea.

    • by cfulmer (3166) on Thursday September 04, @09:31AM (#24872633) Journal

      They're mandated by the Children's Online Privacy Protection Act (COPPA).

      There's also no reason for them to be hard to read. See, for example, the FTC's privacy policy: http://www.ftc.gov/ftc/privacy.shtm [ftc.gov]

      Unfortunately, with Internet T&C, there are a few times where the requirements to be legally binding are at odds with being readable to the layman. For example, if you want to disclaim the implied warranty of merchantability, you generally need to put that disclaimer in all-caps and specifically mention that warranty. But, "Warranty of Merchantability" is really a term of art, and a lay person may not understand what it means.

      But, absent those times, the fact that a website's T&C are hard to read is really a problem with the lawyer not drafting them for the appropriate audience. Sometimes that comes from the site operator, who doesn't want to be billed for the extra legal time.

      That said, I'm not a big fan of your suggested law -- that's a lot of money spent on documents that nobody really reads. More often than not a typical user who slogged through the T&C will conclude "Yeah, that's about what I expected."

      Funny story: my kid signed up for the Ty Beanie Baby on-line service. At the end of the sign-in process (which was clearly intended for children to read), there was a cartoon character that said "Be sure to read the terms and conditions and click accept!" The T&C were in a separate scrolling 4-line text box, and were written in absurd legalese. I have no idea how Ty thinks that's going to be binding.

    • by Icarium (1109647) on Thursday September 04, @10:08AM (#24873063)

      Because let's face it, if everyone knew that Slashdot's privacy policy allows them to sell your email address and first born child (just kidding!), no one would sign up on the site

      You mean you didn't create a once off, disposable email address for the purposes of registering? There's a bin for your geek card on the left as you leave the building, thanks!

      On a more serious note, Slashdot is probably one of the few forums of its size where a significant number of members would be able to figure out exactly who leaked/sold their email addresses, and it probably wouldn't take too many people pointing fingers at SF for doing such a thing before they started leaking subscribers. There's a difference between having no legal recourse and being helpless.

  • Dubious measure. (Score:5, Interesting)

    by ledow (319597) on Thursday September 04, @08:59AM (#24872363) Homepage

    I don't believe it for a second - the measures used are dubious at best (try the Word readability macros and see for yourself - they do Flesch-Kincaid scores too). At minimum, they have to be used properly. For instance, the single word text "communication" is so unutterably high on all the indices that it skews the results completely. And the text of Alice in Wonderland on Project Gutenberg scored:

    Coleman-Liau index : 28.19
    Flesch-Kincaid Grade level : 11.95
    ARI (Automated Readability Index) : 21.61
    SMOG : 11.68

    So that's a hefty margin of error, removes all use of any average and says that you have to be a virtual genius to read Alice in Wonderland, or an 11th-grader. Mmm. Yes. Accurate measure.

      • Re:Dubious measure. (Score:5, Informative)

        by ledow (319597) on Thursday September 04, @09:31AM (#24872635) Homepage

        I did - with several PG texts. Alice shows the most "variability" of the ones I tried between the different scores. Are these same grading schemes designed to cope with pages of numbered T&C's? I don't know. The point is that the measures are useless unless used under certain conditions and no effort has been made to ensure those conditions were met.

        It's a poor application of what are basically statistical formulae on the lengths of certain words. What if the ISP's name was "BT" compared to "International Communications"? What if one ISP uses the "hereafter referred to as THE COMPANY" trick and one states the company name each time? It's a totally bogus measure. I could easily form any conclusion I felt like by playing with this "experiment" and it would be hard to argue against it without a basic knowledge of statistics. However, the article's approach is completely rubbish and anyone who looks at what those grades measure can see it's a waste of time.

        That said, most ISP T&C's don't follow the "plain English" doctrine more than "we use long words". They HAVE to use long words, the technical descriptions demand it most of the time. I could reword any of those T&C's to be MORE difficult to understand, despite being perfect English, and get a lower reading score.

        If you're gonna quote numbers about something, know what the numbers mean and how they apply.
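
The readability indices discussed in the two comments above, as an added example that is not part of either post: it applies the published Coleman-Liau, Flesch-Kincaid, ARI and SMOG formulas to the one-word text "communication" and to a constructed policy clause in which the company name "BT" is swapped for "International Communications". The syllable counter is a crude vowel-run heuristic, ARI is computed on letters only, and the sample clause is constructed (all assumptions of this example).

```python
import math
import re

# Constructed sample clause (not taken from any real policy).
CLAUSE = "BT may share your data with partners. BT will tell you first."


def _syllables(word):
    # Assumption: one syllable per run of vowels, minimum one. Real tools use
    # dictionaries or better rules; this is enough to show the effect.
    return max(1, len(re.findall(r"[aeiouy]+", word.lower())))


def text_stats(text):
    """Count the raw quantities every index below is built from."""
    words = re.findall(r"[A-Za-z]+", text)
    if not words:
        raise ValueError("text contains no words")
    syl = [_syllables(w) for w in words]
    return {
        "letters": sum(len(w) for w in words),
        "words": len(words),
        # A text with no terminator still counts as one sentence.
        "sentences": max(1, len(re.findall(r"[.!?]+", text))),
        "syllables": sum(syl),
        "polysyllables": sum(1 for s in syl if s >= 3),
    }


def scores(text):
    """Return the four grade-level indices named in the comment."""
    s = text_stats(text)
    w, n = s["words"], s["sentences"]
    letters_per_100 = s["letters"] / w * 100
    sentences_per_100 = n / w * 100
    return {
        "Coleman-Liau": 0.0588 * letters_per_100 - 0.296 * sentences_per_100 - 15.8,
        "Flesch-Kincaid": 0.39 * (w / n) + 11.8 * (s["syllables"] / w) - 15.59,
        "ARI": 4.71 * (s["letters"] / w) + 0.5 * (w / n) - 21.43,
        "SMOG": 1.0430 * math.sqrt(s["polysyllables"] * 30 / n) + 3.1291,
    }


def spread(text):
    """Gap between the highest and lowest index for the same text."""
    vals = scores(text).values()
    return max(vals) - min(vals)


if __name__ == "__main__":
    samples = {
        "single word": "communication",
        "clause, short name": CLAUSE,
        "clause, long name": CLAUSE.replace("BT", "International Communications"),
    }
    for label, text in samples.items():
        row = ", ".join(f"{k} {v:6.2f}" for k, v in scores(text).items())
        print(f"{label:20s} {row}  (spread {spread(text):.2f})")
```

Nothing about the clause's meaning changes between the two versions; only the length of the name does, and the character-based indices move by more than ten grade levels.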

  • by cbiltcliffe (186293) on Thursday September 04, @08:59AM (#24872371) Homepage Journal

    Insight Communications, which at a level of over 20 years of education officially puts it onto IRS Code territory.

    Slashdot, on the other hand, is sitting somewhere around a grade 3 level.... :)

      • by Kjella (173770) on Thursday September 04, @12:25PM (#24875327) Homepage

        Am I the only one who thought that IRS Code territory is actually pretty simple. Pretty much a bunch of 4th grade arithmetic with some logic operators. Disclaimer: I only have ever had to work on my personal taxes, not corporate taxes.

        That depends entirely on whether you're trying to follow the rules or circumvent the rules. I'm guessing 90% of the "misunderstandings" are more like "we thought we could get away with this, you mean we can't?"

  • by Rie Beam (632299) <chargementpas@gmail.com> on Thursday September 04, @09:01AM (#24872389) Journal

    Um, as far as I can understand, privacy policies are there for legal reasons, written in legalese to give them a quasi-legal basis for defending their policies.

    Unless you're a lawyer or have a lawyer present each and every time you agree to a privacy policy (assuming you even agree to it, most are just implied to "work"), then it's basically just embedded, textual bullshit to somehow protect the company from lawsuits.

    I seriously doubt that a privacy policy would stand up very well in court, unless the judge is completely in the dark on matters of technology, in which case it's simply a matter of presenting the test case as a physical contract and seeing how it would stand up, or limiting the amount of power a privacy policy holds on a public website.

    Disclaimer: IANAL

    • by Sique (173459) on Thursday September 04, @11:03AM (#24873971) Homepage

      Um, as far as I can understand, privacy policies are there for legal reasons, written in legalese to give them a quasi-legal basis for defending their policies.

      All contracts and contractual conditions are. Because in an ideal world they will never be used at all, because both parties have understood what the other party expected of them and are behaving accordingly. Those written things called contracts and conditions and licenses and stuff are there if something goes wrong, to actually define the scope and the limits of the contract or license or whatever.

      But exactly because they are defining scope and limits, each party has to actually understand what they are defining as scopes and limits. So yes, on the one hand they are written for the lawyers to sort things out afterwards if something derails. But at first they should give the parties of the contract an idea what behaviour is actually expected of each of them. So it has to be understandable by the signing parties at first, and usable for lawyers as a second thought.

  • by petes_PoV (912422) on Thursday September 04, @09:05AM (#24872421)
    Given that most of the internet only has English as a second (or higher) language, you need to assess the language in terms of education. Also you should add on the time needed to get to the level of linguistic proficiency to read the terms, as well as understand the legal system of the foreign countries that present these policies.

    Once this is taken into account is it any surprise that the vast majority of web users simply click "I agree" to anything they see?

  • BIG NEWS!!! (Score:5, Insightful)

    by qoncept (599709) <jgould.bellsouth@net> on Thursday September 04, @09:09AM (#24872447) Homepage
    Are these privacy policies any more difficult to read than the rules to McDonalds' annual Monopoly game? Come on, they are worded in a way so as to protect the company posting them, not to genuinely inform their customers.
  • I wonder? (Score:4, Interesting)

    by BCW2 (168187) on Thursday September 04, @09:56AM (#24872921) Journal
    A year or so ago a man was being sued by M$ for having one copy of XP running on 3 computers (one purchased key). His defence was the EULA was unenforceable since it was only understandable by a lawyer and nobody has a lawyer looking over their shoulder when installing software. His lawyer (go figure) did a masterful job of saying that since the average person could not understand the EULA it was meaningless and unenforceable.

    Does anyone know the outcome of that case?