Reading all the privacy policies you "agree" to would take a month per year

Cory Doctorow at 2:40 pm Mon, Apr 23, 2012

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 


In The Cost of Reading Privacy Policies (PDF), by Aleecia M. McDonald and Lorrie Faith Cranor, the authors calculate that the average Internet user would have to spend one full working month per year in order to skim all the Internet privacy policies she encounters in a year. Mike Masnick reports on Techdirt:

In fact, a new report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year -- or about 30 workdays. The full study (pdf) by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies.

They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered... and even 154 hours just to skim them.

Here's the key takeaway from the abstract: "Studies show privacy policies are hard to read, read infrequently, and do not support rational decision making."

Of course, that's just the privacy policies. Throw in the EULAs and other fine print and you've got yourself a full-time job.

To Read All Of The Privacy Policies You Encounter, You'd Need To Take A Month Off From Work Each Year


  • CastanhasDoPara

    TL;DR

  • MiG

    Woah, and that’s even without weekends off!  

  • http://www.disoriented.net/ angusm

    Many privacy policies (and EULAs) that we encounter are effectively identical. There’s definitely a case for someone working up a small set of ‘standard’ privacy policies and EULAs that would fit the majority of cases. Ideally, the ‘standard’ policies should be intuitively reasonable and respect the rights of users. Websites/software vendors could then simply display a badge that clearly indicates which policy is in force, so that users can know at a glance what the rules and their rights are.

    Creative Commons provides a good model: there’s a small set of variants, clearly identified by name, the rules are intuitive and fair, and the legalese is summarized in easy-to-understand language.

    ‘Off-the-shelf’ policies would save website owners/software producers time because they don’t need to draft their own. They’d be helpful to users because the badges would tell them what to expect simply and efficiently. And when a website owner/software producer felt that the standard policy didn’t fit their requirements and they needed to shoehorn in a few extra clauses, that would signal users that they need to pay a bit more attention and find out what exactly is different about this policy.

    • CastanhasDoPara

      Your system assumes that these policies/EULAs are meant to be fair and consistent to the end user. Generally they are not. The intentional legal obfuscation is the means these companies use to sneak in little (and big) digs at the users and to keep them all on their toes (or flat on their asses in the likely event that they didn’t read it and now find themselves on the short end of the stick.)

      However, I do like your approach. It’s simple, easy and would work. Unfortunately that is exactly why none of these EULAs will be replaced with a sensible system such as the one you propose.

      • http://www.disoriented.net/ angusm

        You’re probably right, although I think that if the policies were well-designed you might find quite a lot of take up among businesses that aren’t looking to shaft the consumer.

        The goal, of course, is to get wide enough adoption that when a company isn’t able/willing to use a standard policy, it’s unusual and causes users to ask exactly why Company X didn’t feel that the policy fit their needs.

        I suspect that privacy policies and terms of service might be an easier sell than EULAs, which is where the lawyers really like to lay land-mines.

        “The large print giveth, and the small print taketh away!” ["Step Right Up", Tom Waits]

    • Paul Renault

      Helen Nissenbaum (whose paper “Privacy as Contextual Integrity” I keep telling people to read (free to D/L, BTW)) argues that the idea that there are default sets of expectations which cover everyday interactions needs to be extended to the online world.

      When you’re talking quietly to a friend on a street, you don’t expect that advertisers will get a hold of that conversation so that you can be targeted for, say, chemotherapy. Likewise on land-line telephones – you expect that the police, and even the phone company, need a warrant to listen in.

      This should also apply to what you post on Facebook, your Google searches, your email. Rather than having a plethora of varying and changed-without-notice privacy agreements, one for each company, there need to be laws which provide privacy, er, characteristics specific to the context (posting on Facebook, sending email, talking on the phone, talking to your lawyer…).

  • http://www.facebook.com/KBENBENEK Kurt Benbenek

    This is frightening and disheartening. Think also of the myriad tiny disclaimers and voluminous instructions that are printed on every food and prescription drug container we buy. If I took the time to read every box of cereal and jug of milk in my kitchen I might be there for days :)

    • http://germanwotd.com Amelia_G

      Translators can make a pretty good living off those disclaimers and instructions, one reason why companies have been trying to rationalize those into identical, re-usable, machine-translatable text elements as well.

  • David Mohring

    I would like to see a similar study on reading End User Licence Agreements on commonly used software products and services.

  • http://www.facebook.com/people/Sharon-Higbee-OConnor/1230642129 Sharon Higbee O’Connor

    The Devil hides contracts for your soul in EULAs. Countless people have sold their souls for the privilege of using crappy software.

  • oasisob1

    Ignoring them takes just a second.

  • http://www.facebook.com/willh Will Hirsch

    My favourite is EULAs with a checkbox saying not only have you read it but you’ve understood it. Unless it’s software for qualified lawyers, I’d like to think that this makes the EULA completely unenforceable.

  • http://disqus.com/Kimmoth/ Kimmo

    Yet another example of a privileged minority screwing the rest of us over.

    No, I don’t fucking agree to your bullshit EULA, largely because it was composed by arseholes who apparently regard End Users as the enemy, but I’m going to tick your stupid checkbox anyway, because I have no other option if I want to use the software.

    I reckon pirate hackers should start replacing EULAs with parodies when they crack apps…

    • Nick

      I only click yes with my left hand, which everyone knows does not count.

  • http://germanwotd.com Amelia_G

    A few years ago Eddie Izzard said EULAs make liars out of all adults.