Issue 37

Pathetic privacy policies

Delivered on 18 June 2019 by Justin Pyvis. About a 6 min read.

A question for you: have you read a privacy policy in the past year? If you answered yes, you're probably in the minority. For while important, privacy policies tend to be long-winded, lawyer-written junk that you have to accept to proceed anyway. Why bother?

Alas, I actually do read privacy policies, even though I accept the vast majority despite wishing they were less invasive. In my experience, other than the uniformly long length, the one consistency amongst privacy policies seems to be that they involve giving up any and all rights to your personal information. Here's an example from a privacy policy I read last week as part of a survey I was asked to complete (the company will remain unnamed to protect its... privacy). It wanted to:

  • Store my personal information, including name, email, address, date of birth, gender, country, IP address, relationships, education and "any other data we collect about you".
  • Send that information to the United States and Philippines.
  • Retain the data associated with my account indefinitely.
  • Share that data with third-party vendors "to enable them to perform services for us".
  • Disclose all data if required by law; if any part of the company is sold or transferred "in connection with a corporate merger, consolidation, restructuring, or other company change"; or "to our subsidiaries or affiliates if necessary for business and operational purposes".

Basically a licence to do whatever it wants. I wasn't happy with that, so I decided to decline the terms and conditions but lo and behold, it wouldn't let me proceed. Go figure! Unfortunately in my case I didn't really have a choice, as the "request" to complete it was more akin to an "order", so I reluctantly accepted its terms, populated it with as much dummy personal information as possible and proceeded to the survey.

Now to the point: that experience happened to coincide with an article published by the New York Times last week, which examined the privacy policies of just about all the major tech companies:

"I analyzed the length and readability of privacy policies from nearly 150 popular websites and apps. Facebook’s privacy policy, for example, takes around 18 minutes to read in its entirety – slightly above average for the policies I tested... For comparison, here are the scores for some classic texts. Only Immanuel Kant’s famously difficult “Critique of Pure Reason” registers a more challenging readability score than Facebook’s privacy policy."

What's the point of a privacy policy that takes 18 minutes to read and "exceed[s] the college reading level", to the extent that most Americans - let alone those for whom English may be a second language - would struggle to comprehend it? Two reasons: one, to confuse and obfuscate what the company actually does; and two, regulatory compliance.

Facebook mostly falls under the first category. It will "never sell your data", but it will happily give it all away to advertisers using its platform. Google? The second:

"Google’s privacy policy... became more readable at the expense of brevity after the introduction of the General Data Protection Regulation, the European Union data privacy protection framework that went into effect a year ago. The regulation includes a clause requiring privacy policies to be delivered in a 'concise, transparent and intelligible form, using clear and plain language.'"

Well, at least people can read it now; they'll just need to set aside a few hours before registering that new Gmail account. Unfortunately, it could be about to get even worse, with layers of duplication coming thanks to privacy regulations being passed at multiple levels of government:

"As data collection practices become more sophisticated (and invasive), it’s unlikely that privacy policies will become any easier to comprehend. And if states continue to draft their own data protection laws, as California is doing with its Consumer Privacy Act, privacy policies could balloon with location-specific addendums."

Today's privacy policies - which may soon become even longer - are so large and so vague that they may as well be replaced with a single line saying "by signing up you agree to let us do whatever the hell we want with your personal information". It's a sad state of affairs but there are at least a few exceptions, with the best privacy policy I have seen (by far) coming courtesy of Google search rival DuckDuckGo. It reads:

"DuckDuckGo does not collect or share personal information."

Simple and to the point; the perfect privacy policy. Now that obviously wouldn't work for a company like Facebook, which derives most of its revenue from collecting and sharing personal information. But there's definitely room to improve and the internet would be a much better place with less lawyer speak and more concise, to-the-point privacy policies like DuckDuckGo's.

Facebook's new cryptocurrency: Libra

Rumours have it that later today Facebook will announce its very own cryptocurrency, Libra (or the 'Libra Project', or 'GlobalCoin'). It has a consortium of companies lined up in support with a $10m minimum investment required. The list of investors is essentially a "who's who" of Silicon Valley venture capital, along with legacy fintech players such as MasterCard and Visa (see Image of the week below). With that kind of support and the network effects Facebook has in place, it doesn't even have to be the "best" option to pull this off (taking blockchain mainstream), although it hasn't been all smooth sailing and may still be a long way off:

"Sources attribute the delay to blockchain industry incumbents being reluctant to work on a project that doesn’t appear to have the hallmarks of a true cryptocurrency... [and] estimated that early 2020 would be a more realistic timeframe for testing, so any imminent announcements would merely be forward-looking plans."

This week's data breaches

Data breaches have become such a common occurrence that it's almost worth keeping this here as a permanent feature. I'm always wary of giant, centralised databases full of valuable information. The incentives just don't stack up well at all.

Training the machines

I'm a sceptic of artificial intelligence as there's no "intelligence" involved, at least as a normal person would define it. Does it have uses? Absolutely. But its achievements are over-played:

"Nearly every successful AI project has human beings behind it. You just don't see them until you look at the big picture."

Oh, and Google's ReCAPTCHA is bad news. Not only is it training AI (improving the accuracy of various algorithms) for free, but it has massive privacy implications. If you run a website, please don't use it:

"ReCAPTCHA collects enough information that it could reliably de-anonymize many users that simply wish to prove that they are Not A Robot."

More Huawei fallout

Apparently Huawei is "demanding" over $1 billion in licensing fees from Verizon, claiming it violated 238 of its patents. It's also developing its own mobile operating system to rival iOS and Android. Meanwhile, Big Tech is moving what it can out of China.

No matter what happens from here, the bilateral US/China tariffs, along with the Huawei punishment and retaliation, are going to create long-lasting (locked-in) inefficiencies in the form of the 'three internets' of Europe, China (including parts of Asia/Africa) and the rest of the world. We, as consumers, will all be worse off because of it.

Facebook is not going at this alone

"If successful, Facebook could net $1 billion from the 100 companies it hopes to include in the project. Each of these nodes will also reportedly get a seat in the Libra Association as node operators, sending a representative to the consortium."

If anyone was going to take blockchain mainstream, Facebook is as good a candidate as any.

Issue 37: Pathetic privacy policies was compiled by Justin Pyvis and delivered on 18 June 2019.