Data privacy & cybersecurity for normal people
TheNewOil.org

How to Read a Privacy Policy

Perhaps one of the most underrated and feared things in the quest to protect your privacy is the dreaded privacy policy. Many a question I see – namely the “what do you guys think of [insert service here]?” on Reddit – could be quickly and easily solved by simply taking a couple short minutes to peruse the privacy policy. So this week, I want to talk about how to read a privacy policy – or more accurately, how I read a privacy policy. While privacy policies don’t hold all the answers to your questions, I strongly believe they are an invaluable starting point when researching any new product or service.

This blog post is a little longer than usual, but it just didn’t feel right to break it up into two parts, so bear with me.

What is a Privacy Policy and Why Should You Read It?

Perhaps we should start at the beginning, just in case. A privacy policy is a document located on nearly every website, app, or service (if they don’t have one, that’s a huge red flag right there) that explains what information the service collects, what they do with that information, and any applicable laws or promises, like “we will delete your data 30 days after you submit a deletion request” or “here’s who to contact if you feel like you have a complaint.”

In my experience, there are two main reasons people ignore privacy policies: they’re complicated, and companies lie. I’ve pointed out the second one many times myself: Apple let users believe humans didn’t listen to Siri recordings until it came out in 2019 that contractors did, Google has repeatedly been accused of ignoring the location-history toggle in your account, and Uber lied by omission when it covered up a 2016 data breach for more than a year rather than informing the victims.

Having said that, I still believe privacy policies are worth reading. Companies lie, but they never lie in the direction of making themselves look worse. If a privacy policy says “we track location data in real time,” you can take that at face value: no company admits to tracking location it isn’t actually collecting. It’s entirely possible they collect a lot more. Maybe they also grab your contacts or the list of apps you have installed and don’t admit to it. Maybe they sell the data to targeted advertisers and don’t disclose that either. But a policy is a floor, not a ceiling. If it looks really bad, it’s at least that bad; it might be worse, but it definitely isn’t better, so if it’s full of things you don’t like, you can skip the service right off the bat.

Now, back to the first reason: privacy policies are complicated. Truthfully, I don’t believe that. In fact, I find most of them to be overly broad and vague, and as the saying goes, that’s not a bug, it’s a feature. Privacy policies, and Terms of Service, are intentionally written to be nonspecific to protect the company. Legally speaking, the trick is to be sweeping in scope while defining your terms precisely enough to cover almost anything. For example, if I said that “I always drive on the road,” and I legally defined a road as “any surface that is frequently traveled” (and then went on to define travel as “any form of movement including but not limited to walking, running, bicycle riding, and car riding/driving”), then I could make a pretty compelling case that I do in fact always drive on the road, even as I’m crashing into the sidewalk. Notice how by being overly broad, I’ve given myself the freedom to do pretty much anything and get away with it. That’s the entire point of “legalese.” In this post, I hope to cut through some of that legalese and point you to the key words that will help you make sense of nearly any privacy policy.

Things I Read (and What They Mean)

Unfortunately there is no standard privacy policy template. Some of them are thousands of words long and cover the company from every legal angle. Others, often the more modern ones from startups (which I’ll get to shortly), try to be user-friendly by saying things like “We never share your data. Period. That’s the entire policy.” Most of them do contain a few commonalities, though. For example, most of them are divided up into sections. The sections I pay attention to are “What Data We Collect” and “What We Do With That Data.” These sections could have different names; for example, “What We Do With That Data” could be called “How We Use Your Data” or “When We Will Share Your Data.” It’s important to apply a little bit of independent thinking to understand what you’re looking at so you can navigate it accordingly. I’ll explain further down why I ignore the other sections.

Let’s talk about keywords. Usually privacy policies will directly list a lot of the things they openly admit to collecting. For example, Bookshop.org clearly admits to collecting “name, email address, mailing address, or telephone number [when you sign up for the newsletter], time zone, language, screen resolution, and other usage preferences you select when using the website, device keyboard settings, the search terms you entered into a search engine that may have led you to the website, the Internet service provider (ISP) or mobile platform you use,” and “other device and website access information such as your browser type, operating system, Internet Protocol (IP) address, referring/exit pages, and other unique device identifiers.” While that’s a lot of data, in my opinion it’s pretty self-explanatory. You may need to slow down and take it piece by piece to really understand what all that says, but none of it is complicated or overly technical. Time zone, language, and telephone number are all very common things, as are screen resolution, keyboard settings, search terms, and most of the other data they cite.

In some cases, the privacy policy is obnoxiously vague to the point of being useless. Here you’ll have to learn to read between the lines. For example, a while back I wrote a blog post about diet apps, and one of the privacy policies I cited as being abysmally vague was MyNetDiary’s. They state that they “collect personal information” and “may combine information about you that [they] have with information [they] obtain from business partners or other companies,” then go on to describe how they use that information to authenticate you, provide services, and more. But at no point do they specify what any of that personal data or information is, except for cookies later on down the page (note: I did later find a section under “access logs” that listed more detailed data, like IP address, OS, browser type, etc., but I stand by what I said because they buried this information in a place it’s not typically found). In cases like this, you have to latch onto phrases like “combining information about you.” They say this data is used for billing (among other things), so in this case they most likely work with some sort of risk-management company to detect and flag potentially fraudulent transactions, which means they probably don’t hold your identity data themselves but work with companies who do to confirm your billing identity. They also cite using the data to “improve services” and for “research.” A quick look at the site’s requests in uBlock Origin shows that it does indeed load Google Analytics, as most sites do to “improve their services.” Unfortunately, I don’t have a comprehensive list of PR-speak words and what they mean in plain English. You just have to learn to spot these phrases and think like the company: “What sort of external business partners would they work with to verify my data? What information would that require? Who would have access to it?” It pays to have a healthy bit of paranoia in these cases. Needless to say, the same data can serve multiple purposes: your name and location can be used to verify your card details, but can also be used to sell targeted ads.

This brings us to the final thing I look at: how they use your data. Most companies have to comply with legal orders. Quite frankly, if you think a company won’t comply with legal orders, either you’re delusional, confused, or the company is catering specifically to criminals, in which case they will get shut down eventually. I wouldn’t use them lest you get caught in the crossfire. Some companies hand over data to law enforcement faster than others, but all of them will do it when given a legal, valid order. In my opinion, this is not concerning at all. (Reminder that this site does not focus on the “political activist in a repressive country” threat model. That’s a different story.)

Instead, I focus on things like ad partners. Some websites do flat out say that they share your data with advertisers. Others dress it up in pretty words like “trusted business partners.” Few – if any – admit to selling your data. They “share” it with “trusted business partners” whom they will not name or expand upon what the reason for and extent of this “sharing” includes. Make no mistake: in 90% of cases, that’s PR speak for “we sell your data to advertisers.”

In my opinion, this section is really the most important. You’ll be able to instantly see how fast and loose the company plays with your data. All of them will share with law enforcement; again, that doesn’t bother me. Most, if not all, also say they share some data with third parties for the purposes of providing support (e.g., Zendesk) or improving the site (e.g., Google Analytics). These also bother me very little, because they can be easily blocked, lied to, or simply not used. But the ones who say “we share data with advertisers” or “trusted business partners” are the ones I distrust. Another phrase to look for here is “improve your experience.” While this can sometimes refer to making the site better, it also frequently refers to targeted ads. This is especially obvious in phrases like “serving you more relevant content.” Once I know how comfortable the service is with sharing, I compare that to the previous section on what they record. IP address and cookies? Not worried. Not much to share there between a VPN, BleachBit, and clearing my cache regularly. Everything including the kitchen sink? Now I have to reconsider how much I want to use this service.
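To make the checks in this section concrete, here is an added example (my own code, not anything from TheNewOil or from any of the companies named above). It triages a policy the way the post describes: it splits the policy into sections, sorts the headings into “what we collect” versus “how we share,” flags the PR-speak phrases discussed above, and, like the uBlock Origin check on MyNetDiary, compares the vendors the policy names against the third-party hosts the site’s HTML actually loads scripts, frames, and images from. The policy text, the HTML, the shop’s domain, and the host-to-vendor mapping are all constructed for this example.

```python
"""Triage a privacy policy the way the post describes: find the collect and
share sections, flag PR-speak, and check named vendors against loaded hosts."""
import re
from urllib.parse import urlparse

# Phrases the post treats as warning signs, with its plain-English reading.
WEASEL_PHRASES = {
    "trusted business partners": "unnamed third parties, usually advertisers",
    "improve your experience": "frequently means targeted advertising",
    "more relevant content": "targeted advertising",
    "combine information about you": "your data is enriched from outside sources",
}
# Tracker host -> vendor name a policy would have to mention to disclose it.
# Assumed, illustrative mapping; gtag.js from googletagmanager.com loads GA4.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics",
    "connect.facebook.net": "Facebook",
}
SHARE_HEADING = re.compile(r"\b(share|sharing|use|disclos|third[- ]part)", re.I)
COLLECT_HEADING = re.compile(r"\b(collect|information we|data we)", re.I)
# src attributes of script/iframe/img tags; a regex is enough for triage.
SRC_ATTR = re.compile(r"<(?:script|iframe|img)\b[^>]*?\ssrc=[\"']([^\"']+)", re.I)

# Constructed inputs for a hypothetical shop; not a real policy or page.
CONSTRUCTED_POLICY = """\
Privacy Policy

Information We Collect
We collect your name, email address, IP address, device identifiers and
the pages you visit.

How We Use and Share Your Information
We use this information to improve your experience and to serve you more
relevant content. We may share information with our trusted business
partners and with analytics providers such as Google Analytics.
"""
CONSTRUCTED_HTML = """\
<html><head>
<script src="https://www.example-shop.test/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://px.ads-network.test/pixel.gif" width="1" height="1">
</body></html>
"""

def split_sections(policy_text):
    """(heading, body) pairs. Heuristic: a line of <= 8 words with no
    terminal punctuation that follows a blank line is a heading."""
    sections, heading, body, prev_blank = [], "Preamble", [], True
    for line in policy_text.splitlines():
        stripped = line.strip()
        if (stripped and prev_blank and len(stripped.split()) <= 8
                and not stripped.endswith((".", ",", ";", ":"))):
            sections.append((heading, " ".join(body)))
            heading, body = stripped, []
        elif stripped:
            body.append(stripped)
        prev_blank = not stripped
    sections.append((heading, " ".join(body)))
    return [(h, b) for h, b in sections if b]  # drop headings with no body

def classify_heading(heading):
    if SHARE_HEADING.search(heading):
        return "share"
    return "collect" if COLLECT_HEADING.search(heading) else "other"

def flag_phrases(text):
    """(phrase, reading) pairs from WEASEL_PHRASES that occur in text."""
    lowered = text.lower()
    return [(p, r) for p, r in WEASEL_PHRASES.items() if p in lowered]

def third_party_hosts(html, first_party_domain):
    """Hosts the page pulls scripts, frames or images from, minus the first party."""
    hosts = set()
    for url in SRC_ATTR.findall(html):
        host = urlparse(url).hostname
        if host and host != first_party_domain and \
                not host.endswith("." + first_party_domain):
            hosts.add(host)
    return sorted(hosts)

def undisclosed_trackers(policy_text, hosts):
    """Third-party hosts whose vendor (or host name) the policy never names."""
    lowered = policy_text.lower()
    return [h for h in hosts if KNOWN_TRACKER_HOSTS.get(h, h).lower() not in lowered]

def triage(policy_text, html, first_party_domain):
    """One report covering everything the post says to look at."""
    by_kind = {"collect": [], "share": [], "other": []}
    for heading, body in split_sections(policy_text):
        by_kind[classify_heading(heading)].append((heading, body))
    share_text = " ".join(body for _, body in by_kind["share"])
    hosts = third_party_hosts(html, first_party_domain)
    return {"collect": by_kind["collect"], "share": by_kind["share"],
            "flags": flag_phrases(share_text), "third_party_hosts": hosts,
            "undisclosed": undisclosed_trackers(policy_text, hosts)}
```

Running `triage(CONSTRUCTED_POLICY, CONSTRUCTED_HTML, "example-shop.test")` on the constructed input flags three phrases in the sharing section and reports two loaded third parties (a Facebook script and an ad-network tracking pixel) that the policy never mentions, while Google Analytics counts as disclosed. The heading heuristic and the host mapping are deliberately crude; the point is that what a policy admits to can be checked against what the page actually does rather than taken on faith.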

Things I Ignore (and Why)

I ignore basically everything else in the privacy policy. In some cases, this is because I simply don’t care. Some of it is obvious to me as an experienced internet user, stuff like “we contain links to other websites and are not responsible for what those sites contain.” Duh? Or “if we get bought by another company, all your data will be transferred to them.” Yeah, makes sense. I typically ignore “How We Secure Your Data.” It’s usually vague, and even when it isn’t, it rarely says anything useful. A company can boast about SSL and “128-bit encryption” all day long (SSL itself was replaced by TLS years ago, and “128-bit encryption” is a marketing phrase that says nothing about where the keys live), but unless my data is zero-knowledge (encrypted with keys only I hold), it’ll be exposed the first time a salesperson falls for a phishing email. I just don’t care.

Some of those, of course, are situational. In the case of a service promising end-to-end encryption, I want to know more about their encryption: what techniques and protocols are they using to secure my data? Readers in the EU may wish to read the sections about “Your Rights in the EU.” I don’t live in the EU, so those sections mean nothing to me. The only things I personally care about are what they collect and when they’ll share it.

The Rise of Plain-English Privacy Policies

Let’s go back real quick to the new chic startups who say “we don’t share anything, ever, period.” In my opinion, that’s just as misleading as MyNetDiary’s vague privacy policy, because I don’t think any of these startups are going to resist a lawful court order for data. What counts as a lawful order varies. Proton claims they will only honor orders they are legally bound by: orders that come through the Swiss authorities. If the FBI, RCMP, or any other foreign agency asks for data, Proton tells them to go through the Swiss legal process or else they won’t even consider it. A smaller company may not have the resources to tell every foreign agency to kick rocks, so they might treat any valid-looking police request as reason enough. So when these companies say “we don’t share anything, ever, period,” the unspoken caveat is “except when we have to,” and now I want to know more about that. It makes me wonder what else they’re not saying that they expect you to just know even though they never said it. “Obviously we use Google Analytics and tracking cookies, everyone does,” even though their policy didn’t say it.

For the record, it’s one thing to say “we won’t share anything because we have nothing to share,” though usually even encrypted services will still say “we do have the last IP address you logged in from” or “we have your username on file” because they need to store this to maintain and authenticate your account, or it’s technologically required to make the service work. I’ve actually seen multiple privacy-focused startups whose privacy policy flat out says “we never collect or share anything,” but if you scroll down you’ll eventually see “we share data with law enforcement if it’s a legal, valid order.” Whoops. Contradiction much? The point is that they need to be consistent, and if they aren’t, that’s a huge red flag for me. I’ve had a lot of back and forth with companies, asking multiple questions about their privacy policies because they’re contradictory, which makes them even more confusing and potentially damaging to end users.

I respect the idea of a plain-English privacy policy, and I think more companies should use them. But I would beware of companies who take it too far in the other direction and make overly-broad claims about your safety, like “we never share data ever, end of story.” That’s blatantly untrue. These companies need to be more honest.

Conclusion

I know this post ran a bit long and was a bit all over the place. This, like many topics I cover, is complicated, with no clear-cut, easy answers. No “do XYZ and you’re set.” But hopefully it helped to dispel some of the confusion and fear surrounding this topic. Privacy policies are not perfect. They are not the end-all, be-all. Companies lie, policies are written vaguely, and terms are misleading on purpose. But things will never be better than what’s painted in the policy. If a policy says they collect and verify your social security number, you can guarantee things are at least that bad and decide accordingly whether that’s a risk you’re willing to accept. It’s vital that people learn how to read a privacy policy so they can decide whether that minimum risk is one they want to accept. Always be cautious, but be smart.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.