Gayblack Canadian Man

Foreign Policy Analysis
How to read privacy policies like a lawyer

How to read privacy policies like a lawyer


– What’s the deal
(mellow music) with privacy policies? We’ve all received a bunch of them lately because of the new GDPR
privacy regulation in Europe, but what am I supposed
to do with all this info? How do I even begin to process this thing? Privacy policies are legal documents that are designed to shield
companies from lawsuits. And because of this most of us probably don’t even read
these privacy policies. If we’re being totally honest, we’re also probably going
to use these services regardless of what their
privacy policies say anyway. But you should try to care about your data because it’s not only important to know who you’re giving it to, in light of the Facebook
Cambridge Analytica scandal and major data breaches like Equifax, but also because you might
find some interesting tools in these policies that’ll
give you more control over your information. – Privacy policies do have some value. – That’s Joseph Jerome.
(energetic spacey music) He is going to help us learn
about privacy policies, as is Nate Cardozo, the
Senior Staff Attorney at the Electronic Frontier Foundation. So, before we get into their
hot privacy policy tips, let’s first establish who
actually has a privacy policy. It’s basically every company. – You know, when you’re signing up for a loyalty card in your grocery store, that’s a huge data collection point. – Your grocery store might
not seem like the pinnacle of technological achievement,
but if they’re collecting your information, they
have to let you know some parameters around how they use it. Understanding what’s
written, though, isn’t easy. – Humans write them with the notion to not make them clear and readable, but to make them legally bulletproof. – Joseph suggests looking
for the word control to find what data settings you can change. He also looks for bullet
points that sum up a policy. – If a company can’t even give you some high level highlights
of what’s going on, that suggests that they probably aren’t as mature in
their privacy thinking. – You can also easily check the date the privacy policy was
published or last updated. You’ll wanna see something
relatively recent to show the company
takes privacy seriously. Finally and crucially, Joseph
says we’ll wanna figure out what information is collected about us. He’s skeptical of companies that collect location information, even if it’s technically
stored in the aggregate, meaning that location data isn’t directly tied to your account. Basically, he just treats
location information as sensitive and doesn’t readily share it. Nate searches for the phrase
such as in the policy, which is actually a bad thing. – If a privacy policy
uses the term such as, that means they’re
collecting all sorts of stuff and they’re not gonna tell
you what they’re collecting. – Just out of curiosity, let’s look at some
(curious music) of these privacy policies
and try out these tips. Alright, so let’s, of course,
(shuffling) start with Instagram’s privacy policy. One word that Joseph
mentioned is the word not. The reason you wanna search for not is because companies
typically won’t put that in, because that means they
cannot do something and that really limits them. This is interesting. It says we will not rent
or sell your information to third parties outside Instagram. But then it lists a bunch of exceptions, including giving this information to third party advertising
partners, which is not good, and that’s probably what
you’re most interested in. How about trying such as. There is a such as, there is a such as. There’s five such ases here. So here we have a such as that means we also share certain
information such as cookie data. So that means they could
be sharing cookie data, but it also leaves it very open. It could be other stuff, too. Nate would not be happy. Now, what’s interesting about Instagram is they actually have a separate policy called the Data Policy, and
we’re gonna check that out. I am interested in the controls that Instagram offers,
like Joseph mentioned, so I’m searching control.
(tapping) And immediately, you can see learn more about how you can control who
can see the things you share. So it brought me to this page
on Facebook because Instagram is owned by Facebook,
and I can actually go to my privacy settings and change them. And I can actually edit who
can see my future posts. Right now it’s public, which is not good. We can actually make it to friends. So now only friends will
see my future posts. Go back to this data policy. This is interesting. It says facial recognition. So if I click that, it takes me straight to this facial
recognition settings page, and it says do you want
Facebook to be able to recognize you in photos and videos? I’m uncomfortable with
that, so I would say no. A lot of people probably don’t
know that these pages exist, so it’s actually a nice feature that Instagram slash Facebook
calls your attention to these if you know what to search
for in the data policy. Again, is any of this
(shuffling) going to make me not use Instagram? Probably not, because I like Instagram! But it’s good info to have. Plus, maybe vocal users can make a difference in company policies. Alright. Is there nothing else we can do? What if I really, really hate this policy? Keep in mind, you could always say no to giving a retail store
your e-mail or phone number. You could even ask why they need it. You could also set up
a burner e-mail account that you only use for spam mail. That at least segments your
online identity a little bit. Nate also says we can request
our data from companies, because after GDPR was enacted, they have to give you your
data if you request it. They’ll often still give it to you even if you don’t live in Europe. So now we’re privacy policy
professionals, sort of. But honestly, even still,
privacy policies are a mess, and no one wants to spend
forever reading them, except for maybe Joseph and Nate. Now, this is where things get interesting. Joseph believes AI will help us eventually parse through these policies
and make sense of them. – I really hope we can get to what I think are standardized machine-readable
privacy policies. Long-term, we really need these policies to be machine readable so
they can be digested at scale. – Nate and the EFF,
however, aren’t proponents of these AI-assisted readings. Nate believes that AI
would actually be terrible and could easily gamed. Certain phrases like such as and not would trick the system,
which does make sense given that we’re just looking
for those phrases too. Instead, he thinks that
privacy policy itself needs to be solved with more information on data and how it’s used. “Maybe then,” he says, “AI would work.” For now, we’re going to just have to use our brains a little bit
and try to understand what these privacy
policies are telling us. – When advocates,
(digital zipping) or researchers, or even
the general public, reads something in a privacy policy that is alarming to them, that has a way of trickling upward to companies. And a lot of the stories
that we read about that are like what is this company doing, that usually is first
revealed through some sort of public statement they’ve made, oftentimes in their privacy policy.

80 comments on “How to read privacy policies like a lawyer

  1. Now if I can force those cold callers and spammers to force to agree to a privacy policy when they call my number…

  2. Help us to change privacy settings on different popular sites as it's different on every site and guide us briefly what to share and what not to share help us

  3. +The Verge there's an app for Windows that will read an EULA and do what you're saying AI will do. I've been using it for years, it's called EULAlyzer by Brightfort. Maybe they can develop it for privacy policies too.

  4. In theory, machine-readable policies would be great — because they wouldn't need any AI to work. Instead, you could make simple rules, such as (tee hee) "don't even show me any apps that require access to my address book just to play some game".

    But a regulation mandating something like that would have to be worked out very carefully before implementation. As the situation is now, the less scrupulous companies would just use the full strength of their analytics and dark patterns to strong-arm users into accepting pretty much anything anyway.

    We as users have to become more active first; block more cookies ourselves instead of ticking hundreds of pesky boxes, seek out services that don't collect more data than they need to do their thing, etc. Only then will they have an incentive to make finding what you want simple and easy.

  5. If you want a glimpse of how AI analyzes any privacy policy, check https://pribot.org/polisis or watch this video: https://www.youtube.com/watch?v=iR4NswRrl2Y. Having websites themselves provide machine-readable policies has been long envisioned as a solution, but a challenging one to scale. AI has the potential to help in achieving that point.

  6. Everyone there's a big threat coming from EU. It will destroy the internet this copyright law. Its worse than the loss of net neutrality. You thought Ajit Pai was bad wait until you meet Axel Voss.

  7. +The Verge
    Someone should make a company with a AI bot, that can set all your privacy policy settings on all the internet!
    We now have software like ad-blockers, that make list of websites in details for blocking harming software.
    I think we are advanced enough to make this for Privacy Policies too.

    Go ahead steal my idea and make the world a more human place. Please do.

  8. If Apple copies 'Mein Kampf' and paste it into iTunes' privacy policy, people will still click on Accept, Yes and Ok.

  9. The bullshit with this: all though the internet is connected world wide, you have national privacy policies. We should have a universal standard for every website on earth

  10. Can someone explain to me what will happen to me if companies sell my data? Plus they have the right to do so giving the fact that I'm using their service free.
    A lot of people say it because they don't want targeted ads. But the point of ads is getting you something interesting so you get more options etc. Targeted ads are like the YouTubers you're subscribed to that are supposed(You're interested in the content of the youtuber, and his sponsor is something related to his content).

  11. Just a tip: I'd you search "not" you'll get results for words like note, but if you search for "not " with a space afterwards, you'll get the results you want

  12. I don't think he meant AI when he said the policies should be machine readable, that's a huge leap of faith. Non tech people should understand that AI is not like a programming language which is implied everytime. Mostly, it will be mentioned explicitly if the system does use AI. I think he meant that privacy policies should have a fix syntactical structure like JSON or a Markup language.

  13. Thank you Ashley, your vids are always interesting, informing and highlight issues that everybody should know about!

  14. Really important subject — BUT! Ashley, your new glasses are stunning and i can't stop staring at them! Now i need to re-watch the vid with a giant post-it covering half the screen!

    (only slightly joking of course 🙂

  15. Yeah AI gonna help us 😄 but we human are so fast and We phrase things in a way 😂 that makes it sound Different , complicated .
    Which sometimes AI won't be able to recognise

  16. What if there is something unacceptable? Are you going to stop using google? Or Facebook? Or YouTube?
    If the answer is no then reading privacy policy is really a waste of time 🤧

  17. I've been disagreeing with a specific policy at facebook for a while. They haven't even given me the respect to write back. So I am not on facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *