The Privacy Paradox

A new study shows most people don’t read the fine print when agreeing to terms of service on the Internet.

Terms and conditions of use is the concept on the screen of computer. (iStock)

Computer users don't read the terms and conditions, according to a UConn researcher. (iStock)

In a new study by a UConn communication professor and co-authors, hundreds of university students agreed to give up their first-born child and turn their personal data over to the National Security Agency in return for access to what they thought was a new social networking site.

The study is believed to be one of the first to empirically prove what many have long suspected – most people simply don’t bother reading the dense terms of service and privacy policies they encounter on the Internet. In fact, many have come to view the policies as a necessary but inconvenient step delaying their quest to download such things as the latest mobile app, videogame, or dating site.

The fact that so many of us automatically click on the “I agree to these terms and conditions” tab without fully appreciating what we are doing could be viewed as “the biggest lie on the Internet,” the study’s authors say.

“This study shows that the ‘notice and choice’ practice, where companies notify individuals about the data that is to be collected from them, and then individuals can make an informed choice is broken,” says Anne Oeldorf-Hirsch, assistant professor of communication at UConn, who co-authored the study. Jonathan Obar from York University in Toronto served as the lead author.

The findings are compelling, considering that most of us value our privacy and want to protect it. But that caution, the study revealed, goes by the wayside when it comes to our engagement on the Internet.

It’s called the ‘privacy paradox.’

“The privacy paradox is basically the idea that we say one thing and do another when it comes to privacy,” says Oeldorf-Hirsch. “Individuals may state that privacy is important and that they are interested in protecting their information, but their behavior does not corroborate those intentions. People generally share more information or share it more widely than they claim to.”

It’s a hassle to deal with a massive amount of boring pages about privacy and security … — Study participant

In the study, 543 undergraduate students – who were communication students no less – were told their university had been asked to evaluate a new social networking site known as NameDrop. The site was completely fictitious. In order to access the site, students were asked to give their consent to specific terms of service and privacy policies as part of the sign-up process.

The policies, between 4,000 and 8,000 words long, were patterned after those found on popular sites like LinkedIn and Facebook, except they were modified to include “gotcha” clauses to see if readers were paying close attention. One clause said that any and all data collected by NameDrop may be shared with third parties including the U.S. National Security Agency, and that this could impact an individual’s future employment, ability to receive a bank loan, and entrance into a university. Another clause included in the terms of service agreement stated that participants, by accepting the terms, would give up their first-born to NameDrop in addition to any monetary payment. If they did not yet have children, the agreement was enforceable until 2050.

Ninety-eight percent of the participants agreed to the child assignment clause and the data-sharing policy without raising any concerns.

Drilling deeper, the results revealed that 74 percent of the students skipped reading the privacy policy, selecting instead a quick “join” option that allowed them to bypass the policies. Those that did bother to scan the policy spent about a minute doing so when, the researchers determined, it would take the average adult reader about 30 minutes to read it in its entirety. When it came to the Terms of Service, 86 percent of the students spent less than a minute reading it.

Of all the students who participated, only nine mentioned the child assignment clause and 11 raised concerns about data sharing, with only one person specifically mentioning the NSA.

Some of the comments from the study’s participants confirmed what researchers suspected were the reasons people were not paying attention to the policies.

“It’s a hassle to deal with a massive amount of boring pages about privacy and security when the site you are joining is there to do something much more interesting,” one student wrote.

“It feels like a cultural norm not to read them, and I’m too lazy to read them in detail,” another student said.

As far back as 2007, then-FTC Commissioner Jon Lebowitz expressed doubt about the effectiveness of such policies. “Initially, privacy policies seemed like a good idea,” Lebowitz said at an FTC Town Hall Meeting on the technology. “But in practice, they often leave a lot to be desired. In many cases, consumers don’t notice, read, or understand the privacy policies.”

Yet nearly 10 years later, not much has changed.

“Our study shows that much more needs to be done to improve the consent process when individuals sign up for social media sites and digital services,” Oeldorf-Hirsch says. “The ongoing conversation about these policy issues suggests that very little is being done to accomplish that. We hope that our definitive evidence that these policies are being ignored makes it clear that newer ideas about how to inform citizens about the services they use are needed.”

At a time when there is growing concern about the use and potential misuse of big data, data mining, and the sharing of client information across industries, Oeldorf-Hirsch says it is especially important that people remain vigilant when agreeing to terms of service online.

“Beyond understanding what information is collected and where it is going, the biggest reason to pay close attention to these policies is eligibility determinations,” she says. “Increasingly, data collected by these companies are being used to create digital dossiers, which are being used to make decisions about who gets into universities, who gets to cross the board, who gets a bank loan at what rate, etc.”

But she admits that simply encouraging people to take the time to read the policies closely isn’t enough, given the study’s findings. Asking individuals to develop a better understanding of the current privacy landscape may be more realistic.

“We suggest that people engage more in the unfolding debate about digital privacy and reputation,” Oeldorf-Hirsch says. “This includes choosing Internet service providers and mobile carriers that care about privacy, educating others about the issues, and contacting policymakers to let them know more needs to be done.”