Hello again, readers. It’s Ryan Tate, an editor here at The Markup.
I’d like to say a few words about privacy policies. Wait, don’t close this tab just yet!
An investigative data journalist and a former tech lawyer teach you how to spot tricks and hidden disclosures within these interminable documents—and even how to claw back some privacy
I know privacy policies have a reputation for being mind-numbing. In fact, our own Jon Keegan and Jesse Woo called them “horrible” documents in a guide we published this week about how to decipher them.
And they’re right! Privacy policies are horrible.They are horrible because they’re long—often, several thousand words. They’re horrible because they are filled with legal and technical jargon. (Do you know what a “web beacon” or a “basis for processing” is?)
But the most horrible thing about privacy policies, I’d argue, is how maddeningly nonspecific they can be.
For example, many of them won’t tell you what private information a company is collecting about you, but rather what information it may be collecting about you. Or they will tell you who they may share the information with, and those people may in turn share the information with others. Or they may “de-identify” your data, which in theory means taking out personally identifiable information—but often they don’t specify how this is done, which is important because researchers have found that many supposed anonymization techniques are reversible.
Often this vagueness is rooted in a lack of clarity among people in a large corporation about what everyone else is doing or may want to do in the future, said Sebastian Zimmeck, a privacy scholar and assistant professor of computer science at Wesleyan University. “For bigger companies, there is often a discrepancy between the policy writer, the business decision-makers making the call which ad networks to include, the software engineers implementing the code,” Zimmeck told us. “So, many policies try to be on the safe side by being overly broad.”
Part of the fun of putting together our guide was figuring out what tricks we could give readers for finding a signal in all this noise. And luckily we had two seasoned pros providing advice. Jon Keegan is an award-winning journalist who has helped define our privacy coverage here at The Markup.
Jesse Woo, meanwhile, is an attorney who has helped write many privacy policies himself—and who happens to be interning for us. I asked Jesse how his experience helped him craft the guide.
“I know how the rhetorical bodies are buried,” he wrote in an email. “Prior experience writing privacy policies made me familiar with the kinds of code phrases lawyers use to obscure what is really happening with user data.”
And it sounds like it’s not just the coders and business executives Zimmeck referenced who are confused about how to write privacy policies. Jesse told me that lawyers often don’t know where to start either—partly because there is very little privacy law in this country to guide them.
“One of the reasons privacy work can be frustrating as a lawyer is that, as a whole, we don’t have good laws on the books (California is a start, but it’s only one state),” he wrote. “And the laws that do exist have become so compliance-focused. Sometimes clients did want to do the right thing for reputational or other reasons, but it’s hard to even know where to set the bar when it’s such a free-for-all.”
Speaking of systematic change, I have two more story pointers for readers who want to help us illuminate problems in the tech world: Just as we’ve been breaking down privacy policies, we’ve also been breaking down the accuracy of the FCC’s National Broadband Map (while maybe saving you a few bucks) and illuminating ad-targeting techniques that are now undetectable by users and their devices. Part of The Markup’s goal is to restore everybody’s agency over technology, and both these efforts are great examples of what anyone can do to help make a difference. Check out those projects!