At the Help Desk, we read privacy policies so you never have to. But what if you really want to? We do our best to look into the privacy practices of the apps, websites and devices you use the most. We have done deep dives on tax software, medical records and cellphone carriers.
But keeping track of corporate privacy habits is an uphill battle. Technology columnist Geoffrey A. Fowler recently tried to read all the privacy policies for the apps on his phone. It added up to 1 million words, twice the length of “War and Peace.”
Jen Caltrider, lead researcher on Privacy Not Included, a scoring system for apps and gadgets from the nonprofit Mozilla Foundation, unpacks privacy policies for a living, she said, and she has a whole bag of tricks. I have read quite a few privacy policies, and I always start with the same checks.
Being an expert in the subtleties of confusing legal documents is not necessary to earn our right to privacy. The burden of protecting privacy should be on the firms that build the technology, not the people who use it, privacy advocates argue.
Find the darn thing
At this point, you might be tempted to just rely on the privacy label Apple or Google displays. Despite good intentions and simple formats, these labels are not reliable, Caltrider said. The information is reported by the companies, and the labels are not always accurate. For instance, my investigation into photo widgets LiveIn and Locket Widget found that the LiveIn label in the Apple store failed to disclose that it collects data to track you. It was fixed afterward.
See what data is used
The first chunk of most privacy policies outlines what data the company collects from you. Scan this section for anything that does not sit right. You may not be surprised to see that the company is collecting the email address you signed up with, for instance, but if it is collecting your precise location or audio from your microphone, that is worth a pause. Is this technology collecting information without a clear purpose?
Search for key terms
Now time to bust out your keyword search and look for some common offenders. On a computer, use “control find” on your keyboard. On a smartphone, your browser app may have a “find on page” function in its menu. First, search for “sell.” Will this company sell your data to third parties?
If it not, search next for “affiliates” and “partners.” Companies love bragging about not selling your data when they share it liberally with third parties. Does this company carve out room to share your data with “business affiliates” or “partners?” Does it list who those entities are?
Last, search for “advertising.” If this company does sell or share your data, is it to target you with ads? Sometimes, companies artfully avoid the words “targeted advertising” by saying they use your data to “personalize” or “improve” the service or to make sure the content you see is “based on interests.” You should search for those terms as well.
Speaking of fancy linguistic footwork, look out for terms like “may” and “for example.” If a company “may” share your data with third parties, “for example” to check for security threats, there are likely some shadier cases of data collection happening there that the company declined to call out, Caltrider said.
Trust your instincts
Likewise, if the policy feels too good to be true, it might be, at least when it is seen in a format friendly to consumers written by corporate communications professionals. If you are working your way through a fun privacy game or a beautifully rendered “privacy center,” be wary of vague language, Caltrider advised. Finally, know your rights. If you live in California or the European Union, for instance, you get extra privacy protections that many policies outline in a separate section toward the bottom.
Try to have some fun