What Do We Do Now? – Terms and Conditions Apply Podcast – Episode 5

In this final episode, we’ll discuss the options we have as users when it comes to securing our online privacy in response to terms and conditions agreements and privacy policies.

Listen now:


In Episode 4, we discussed potential solutions to the issues surrounding Terms and Conditions agreements that involved some sort of government intervention. Whether or not you agree that such a course is what’s best, we can all agree that it always takes the United States Congress an extremely long time to accomplish anything. So in the meantime, what other options are there?

Are there potentially ways companies could change their business models to improve the state of privacy for individual users? Ethan Zuckerman, whom we heard from in Episode 2, proposed one solution.

[ Ethan Zuckerman clip ]

It’s hard to tell whether other privacy-conscious users would also choose to pay a monthly or yearly fee to avoid surveillance, or if they would even trust Facebook to honor such an arrangement. However, this model is consistent with other subscription-based business models. But that’s just it. Facebook and Google probably don’t have an interest in changing their primary source of revenue. 

[ Ethan Zuckerman clip ]

To be fair, the stock price probably wouldn’t crash immediately, but a switch to a linear growth model would cause investors to become wary of Facebook or Google’s future growth. And if you return to Ethan’s remark about a paid model excluding lower-income users, it might indeed take government intervention to establish whether an individual has certain inherent privacy rights that he or she never should have to pay for.

And that’s a big question. Right now, it seems that this question has been left up to users and large companies to battle out in the court of public opinion. Chris Cotropia, the law professor from the University of Richmond we heard from in Episode 3, had some thoughts about how users’ willingness to pay can affect the marketplace for privacy.

[ Chris Cotropia clip ]

You’ll recall in Episode 3, Chris and Jim Gibson both discussed the ideas surrounding what marketplace signals would need to occur from consumers to cause meaningful change in a company’s terms of service offerings. They concluded that in order for anything to change, users have to read the terms. But we’ve seen that sometimes this doesn’t mean all users.

In 2012, Facebook announced its acquisition of Instagram for $1 billion. Unsurprisingly, late in 2012, Instagram shared a notice with its users that its data policies were changing to harmonize with Facebook’s established policies. The new Terms of Service were scheduled to go into effect in January 2013, but after several users raised the alarm about a controversial addition to the Terms, CNET ran an article in December 2012 with the byline, “In its first big policy shift since Facebook bought the photo-sharing site, Instagram claims the right to sell users’ photos without payment or notification. Oh, and there’s no way to opt out.” The article’s warning prompted concern from many Instagram users across the Web, and ultimately led to Instagram retracting the change and delaying major changes to its Terms. Now, as The Verge also reported around the time of this incident, Instagram’s CEO clarified that the company would not be selling users’ photos because each user owned their photos, but nevertheless, this incident remains an example of how when someone reads the terms and raises the alarm, it can cause companies to rethink changes to their user agreements.

However, as we’ve seen, it would take countless hours and resources for each user to be able to read and digest the many agreements it takes just to open a web browser or use his mobile phone, so what’s the solution?

As it turns out, there’s an organization that’s sole purpose is to make it easier for users to read and understand the nature of user agreements and privacy policies.

[ Madeline O’Leary clip ]

That’s Madeline O’Leary, a developer for Terms of Service; Didn’t Read, or TOSdr, a user-rights initiative that seeks to rate and label the terms agreements and privacy policies of websites so that users might be better informed about what’s in each agreement. The project began in 2012, and ever since, the team is attempting to build a database that rates terms agreements by class from A to E, with Class A being the best for users and Class E being the worst. At the project’s website, tosdr.org, you’ll find their browser add-on, which can be used across the Internet. Here’s how Madeline described a typical use for the service:

[ Madeline O’Leary clip ]

Once the curation team has processed each submission, the ratings become available on TOSdr’s website, and each rating is presented with a list of contributing factors. For example, TOSdr currently gives Google a Class C rating, citing the company’s collection of personal data, ability to read private messages, and tracking users across multiple sites, among other things. However, among the things that contribute negatively toward the rating, the website also displays positive things about each company, if they exist. Some of these for Google include each user’s ability to request deletion of data and the fact that Google notifies its users at least a week in advance of pending changes to the terms of service.

This ratings system, combined with the ability of anyone to contribute to the project makes it a potentially valuable tool in addressing the problem of user agreements. Madeline sees the tool as an opportunity to create an extremely impactful service.

[Madeline O’Leary clip]

Having a Wikipedia-like database where users can look for trustworthy information about online privacy practices is a great idea in theory, and the team at TOSdr is well on its way to achieving this. However, if any meaningful change is to happen, it will require large-scale action, or perhaps major changes in habits for everyday users- and this is most definitely easier said than done.

Users are responsible for sharing much of the information that is collected online, so what would it take for major changes to happen? Could we as users have an impact on the information that is collected by simply changing our habits? For some answers, I sat down with someone who has been studying these questions for years.

[ France Belanger clip ]

France began her research career studying communications, specifically telecommuting via early Internet technology. To place this in context, some of her earliest work was with modems that transferred data at speeds 23 times slower than a typical dial-up connection, so she’s no stranger to changes in technology. During the rise of the Web, France helped companies build websites from scratch with HTML, and thus became more and more aware of both information privacy and security.

[ France Belanger clip ]

France has been part of many academic research studies, which seek to observe users’ privacy habits, especially in relation to smartphone use. One of her favorite areas of study is the sharing of location data.

[ France Belanger clip ]

From this study, it’s clear that when users were made aware of potential privacy concerns in their settings, they expressed a desire to change the settings. However, as France found out, it’s more difficult to maintain this mindset.

[ France Belanger clip ]

You, too, might now be considering whether or not you’ve checked your smartphone settings over the past month, and if so, that’s great. Awareness is the first step. However, there are other factors that play into whether a user is going to put time and effort into controlling privacy.

France’s research studies have revealed possible causes for why people neglect their privacy when using online or in-app services.

[ France Belanger clip ]

Many of us can identify with these reasons, especially since we enjoy the services provided by the apps and websites which we know to be data collectors. Despite producing a privacy-focused podcast, I am a Facebook user, I make frequent use of Google services, and I have a Twitter account for this show. It would be difficult to completely stop using these services. Difficult, but not impossible.

Consider also the implications of choosing to change your habits online. You’ve listened to this podcast, you’re concerned about what you’re sharing, and you’re ready to act. Unfortunately, a gigantic barrier looms in front of you in the form of all of the terms and conditions agreements and privacy policies of the services you’re currently using. Remember Jim Gibson’s study involving terms and the purchase of a computer? It’s likely that if you’ve been using online services for several years, you wouldn’t just have to read terms equal to the length of the first Harry Potter novel, it would likely be closer to reading the entire series.

As an example, consider how many agreements I’ve had to accept during the process of creating this podcast. All of the websites I’ve obtained information from have had terms and privacy policies, I’m writing the script in Microsoft Word, which has a lengthy end user license agreement, the software I use to record and the music behind the show both have license agreements, and when I release each episode, I use a service which has both a terms and conditions agreement and a privacy policy.

It’s also likely that you had to accept a few agreements just to listen to this show, especially if you’re listening through an app on your smartphone. In fact, take a moment to think about any action you take on the web or on your phone. As we discussed in Episode 2, most services are collecting data for some purpose, whether it’s targeted advertising, or to make improvements to your experience based on your age or interests.

Now, I certainly don’t want you to stop listening to the show, and this is just one example of how it would be difficult to just cancel or quit any service that has uneven terms that we don’t like. But when it comes to regaining control of your online privacy, there are many simple steps you can take today that would make a difference, on both your computer and smartphone. I’ll talk about those, and more, right after this.

[Ad break]

Welcome back. You’ve listened to this podcast, and now you find that you’re interested in taking major steps toward securing your online privacy, whether that’s in a web browser on your computer or on your smartphone. Based on my research for the show, I want to offer a few practical next steps for how to control your data and achieve a better sense of privacy when using online services.

Let’s start with smartphones, since they are where companies may collect the most data on individuals. One of the easiest things to do is navigate to the main settings for the operating system, whether that’s iOS or Android, and explore what privacy options you have. Both iOS and Android allow you to control which third party apps have access to things like your camera, contacts, and microphone. This may take some time, but look through the list of apps and disable any of these permissions that you are uncomfortable with. Location services are a good place to start. Most apps do not need your precise location to operate.

Additionally, when installing an app for the first time, Android and iOS both notify you about the permissions each app desires for operation. You are in control of these from the start. Don’t be shy about disabling an app’s access to your camera or microphone if it’s a news app, a game, or some other app where these permissions don’t seem necessary.

It’s also important to note that if you record audio and video inside an app like Instagram or Twitter, once you grant the app permissions to access your camera and microphone, it’s perpetual. This means you must go into the settings and revoke the permissions after each use, or Twitter and Instagram will have access to your microphone and camera all the time. Be aware when this happens, and take a few extra moments to lock them out again.

If we shift to using a desktop or laptop computer, one of the single best actions you can take to ensure your privacy online is the use of ad blocking software. These are generally extensions that may be added onto your desktop browser, which will remove advertisements from web pages and in some cases block the associated tracking scripts and cookies. A great example of this is the open source extension uBlock Origin, which is available for all major browsers.

There are even entire browsers with built-in protections by default such as ad-blocking, cookie blocking, and other security features. A good example of this is the privacy-centered browser Brave, which also has built in options for private browsing and completely anonymous browsing.

As an aside, if you do most of your browsing from your smartphone, you’ll find that you’re unable to add extensions to Chrome or Safari like you can on the desktop versions. Instead, you can install the mobile version of Mozilla Firefox, which, at the time I’m recording this show, does allow the installation of extensions, specifically uBlock origin, which means you can indeed block mobile ads while browsing the Web from your phone.

Another area in which you might desire the utmost privacy is in your messages to others. More and more services are moving toward end-to-end encryption as a standard for messaging, which means that only the device originally sending the message and the device that the message is sent to may read and interpret the message, effectively eliminating the possibility that messages may be intercepted and read by third parties. However, it’s still important to evaluate the privacy protections promised by these services, as evidenced by WhatsApp, which does offer end-to-end encryption, but is also owned by Facebook, which doesn’t have the greatest track record when it comes to handling private data. One popular encrypted messaging app is Signal, which is available for both Android and iOS, and offers encrypted and disappearing messages.

Then, there are the search engines. Google overwhelmingly dominates this space, accounting for around 75% of all online searches. But ever since 2008, Web users have had the option to use a privacy-centered search engine called DuckDuckGo. Searches on DuckDuckGo currently only account for 0.4% of all queries, but the service takes pride in not tracking its users. So much so that Madeline O’Leary considers DuckDuckGo’s privacy policy to be her favorite.

[ Madeline O’Leary clip ]

I encourage you to read the policy yourself at duckduckgo.com/privacy. It’s fairly short in comparison to other policies we’ve discussed, and the majority of it is an informative look at how search engine data are used and why you should care. For this reason, DuckDuckGo has a Class A rank on TOSdr, so if you’re interested in keeping your web searches from following you around the Internet, you might want to give DuckDuckGo a try. If you’re a Google Chrome user, DuckDuckGo can now be set as your default search engine, making it easier than ever to use frequently.

If you want your searches and browsing history to remain private, many browsers offer modes that do not save any of your activity. Often called private browsing, or incognito windows, these may be opened by using keyboard shortcuts (for Chrome, it’s Ctrl+Shift+N), or by clicking the options menu in your browser. However, private browsing is only as good as your trust in your browser. If you truly want your activity to be masked, you might need to make use of other tools, one of which is a Virtual Private Network, or a VPN. VPNs mask your signature online, making it appear as if your computer is browsing from another location. Some services will recognize that you’re using a VPN, but your traffic will be masked. This isn’t perfect, but it does offer a step of privacy above using just a private browsing window. Keep in mind that like private browsing, VPNs are only as good as the trust you place in the company which provides the VPN service. Almost all VPNs come with Terms and Conditions as well as Privacy Policies that describe how they treat your activity while using the service. Be wary of VPNs that offer free services, as they may collect your data in exchange for the free service. There are many excellent paid VPNs that offer desktop and mobile access, so I’ll leave it to you to do some research and find one that is best for you.

And if private browsing behind a VPN isn’t enough, there’s the so-called nuclear option, which is to use a service called The Onion Router, or TOR. Tor is a browsing app that seeks to completely anonymize your online presence. It’s not perfect, as the project’s founders have had to deal with some vulnerabilities, but as Ars Technica reported in 2016, the odds of being de-anonymized while using TOR are around two million to one. It’s available in more places than ever today, but has also been the source of controversy due to its association with the Dark Web or Darknet. If you want to learn more about TOR, visit the project’s website at torproject.org.

TOR is probably overkill for the average user, so if we back up slightly, another fairly simple step you can take is to participate in security and data reviews within your most-used apps. We’ve already mentioned Google’s privacy checkup, which allows you to see a full record of what Google has collected and toggle on and off what types of data are collected. Simply navigate to myaccount.google.com while logged in, and you’ll see a link to Privacy Checkup. In the same way, you can see similar information about Facebook’s data collection at facebook.com/your_information, and there are many settings you can change about tailored advertising from this console.

But those are just two services. You’ll need to check each service you use to see what options are available to you in relation to privacy controls.

As more and more consumers become privacy-conscious, alternatives to data-collecting services will continue to spring up, but it’s also important to realize that just because a service says it protects your privacy, it’s still up to you to be aware of what you agree to when you sign up. This is why inspecting Terms and Conditions is still important regardless of the product or service.

In my talk with Madeline O’Leary, while she did mention DuckDuckGo as having her favorite privacy policy, she just as readily offered an example of one that is, in her opinion, one of the worst.

[ Madeline O’Leary clip ]

After hearing this, I headed over to Snapchat’s website, looking for a Privacy Policy link, and I found a link to what they call their “Privacy Center.” After following the link, it’s clear Snapchat has taken major steps to provide an easy-to-read and understand privacy statement. Most of the sentences in their privacy policy are closer to plain language than the typical legalese, and this is likely due to the GDPR, as we discussed in the last episode. However, in some cases, the language seems a bit too casual when discussing policies that have a huge impact on the company’s users. In the section titled, “Information You Provide,” the policy states, “Of course, you’ll also provide us whatever information you send through our services, such as Snaps and Chats. Keep in mind that the users who view your Snaps, Chats, and any other content can always save that content or copy it outside the app. So, the same common sense that applies to the internet at large applies to Snapchat as well: Don’t send messages or share content that you wouldn’t want someone to save or share.”

The first sentence is an extremely flippant way of saying that Snapchat is going to collect anything you send through the service. The “of course” at the beginning of the sentence was probably chosen because of the logical connection between you providing data freely so therefore they collect it, but in the context of this show, it sounds more like they should have just said “of course we’re going to harvest all of your data and use it for our interests. Did you think we wouldn’t?”

Anyhow, if you continue scrolling, you will indeed see that Snapchat collects usage data on every aspect of the app, similar to what we discussed back in Episode 2 with tracking pixels. And, just like Madeline pointed out, Snapchat says it may share information with the general public, its affiliates, and its business partners.

I’ve veered away from our discussion on actions you can take to protect yourself, but I just couldn’t resist going through the Snapchat policies as yet another example of how being aware of the agreements you’ve consented to is the most important step to securing your online privacy. Snapchat’s policies on data retention and deletion even say, “we hope you’ll remain a lifelong Snapchatter,” because of course they do.

The improvements in readability of Snapchat’s policy admittedly helped a great deal. I was able to quickly and easily find the sections I was interested in for reporting in the show, and I hope that other companies will do the same so that it’s easy to see what protections you have and what data are being collected, even if it’s all of them.

I’ve covered a lot of information here, so let’s do a quick recap. If you want to take steps to control your privacy, you may want to first check all of your current apps or websites for potential privacy settings that you can change. Start with Google and Facebook and keep going. If you want to lower the amount of data collected during browsing, consider using either private browsing, or make use of a VPN or TOR to mask your online presence. Switch to DuckDuckGo or another search engine that doesn’t save your searches, and install an ad-blocking extension like uBlock to block tracking scripts and other annoying ads.

This is a lot to do by anyone’s standards, but if anything, this show has shown that it’s difficult to trust anyone but yourself when it comes to what data are being shared and how they are being used online. So, taking control of your online privacy is going to involve some work, and it’s definitely not a one-time chore. Take Dr. Belanger, for example:

[ France Belanger clip ]

No matter what steps you take, services you use, or habits you instill, according to Dr. Belanger, your online privacy boils down to just one thing.

[France Belanger clip]

So, if someone who has researched data privacy as a career has been breached, is there any hope for the rest of us?

As we draw this podcast to a close, I hope you’ve begun to reflect on questions like this. Who is actually in control of your personal data online? What have I consented to in the hundreds of Terms and Conditions agreements and Privacy Policies I’ve never bothered to read? What habits can I change to secure my online presence?

I hope I’ve convinced you that while all of these questions have complicated answers, they are extremely necessary to think about in today’s climate. It remains to be seen how the digital privacy landscape will shift in the near future, especially as we await the outcome of California’s privacy legislation, but one thing will always be for sure. Privacy is a lifestyle, and in the end, it’s up to you.

My sincere hope is that you don’t end up in the same position as Napster, the Los Angeles Rams, Mark Zuckerberg in a Congressional hearing, or all of the people who lost their firstborn children after that academic research study. So, in the future when you’re signing up for a new service, installing an app or software, or even making a large financial commitment, I hope you’ll take the time to make yourself aware of the details of the transaction, because, of course, as you know, Terms and Conditions Apply.

And that’s the show. It’s been a fun and informative adventure for me, and I hope you’ve learned as much as I have. There are many people to thank, and I’ll start with you, the listener. If you’ve made it this far, you’ve listened to the culmination of hours of research, interviews, voiceovers, and editing, and I can’t thank you enough. I’m humbled that you chose to spend so much time with me, so you have my sincere gratitude. I also want to thank all of my interviewees for taking time to talk to me and for use of their comments to enhance the narrative. Those people are Ethan Zuckerman, Madeline O’Leary, Austin Chandler, Chris Cotropia, Jim Gibson, Phyllis Weber, and France Belanger.

A big shout out to my original test audience for providing feedback and encouragement to greenlight four more episodes. Specifically, to Jeff Noble, Joseph Scoggins, Jody Bruchon, Dylan Lischau, Ezra Richards, Jake and Meredith Martinez, my parents, Dwayne and Cindy Smith, and finally thanks to my wife Sarah for her encouragement and small laughs every time she would respond from across the house when I was playing back narration because she thought I was talking to her.  

I’m also incredibly grateful to Lee Rosevere and Kevin MacLeod for releasing their wonderful music under Creative Commons licenses. The show wouldn’t have been the same without its score, so if you’re in need of music for a project, be sure to check out the links to more of their material in the show notes. Thanks also to Josh Lippi for answering my unsolicited message on Twitter about using one of his songs for the show.

If you’re sad that the show is over, never fear. I plan on returning to this project eventually. Right now, there are so many clips from my interviews that are worth sharing, and there were also many other news items I didn’t get a chance to cover during my time working on the show. Make sure you’re subscribed if you don’t want to miss any of the bonus episodes.

If you do need something to fill the podcast void left by this show, I encourage you to listen to my other podcast, Life, Experienced, in which I sit down with some of the most interesting people I’ve ever met to discuss their unique and interesting life experiences. You can listen to all 23 episodes right now at lifeexperienced.org or wherever you get your podcasts.

As always, Terms and Conditions Apply is written and produced by Ethan D. Smith. The narration for the show was recorded on a Shure Beta 87a microphone (thanks Jesse Chan for the loan), edited in Audacity, and mastered with iZotope Ozone Elements 8.

Thank you again so much for listening. You can find more information about the show, as well as references and further reading on termsconditionsapply.com. I hope you’ll share the show with others, and let me know if you end up changing any of your online habits after listening. You can contact me via the show’s Twitter account @TermsCondPod or my personal Twitter @ethandsmith. I’d love for you to share the show with your friends and leave a rating and review wherever you download the show.

Until next time, I’m Ethan Smith, and this has been Terms and Conditions Apply.

References and Further Reading

Instagram’s TOS change in 2012: https://www.theverge.com/2012/12/18/3780158/instagrams-new-terms-of-service-what-they-really-mean

and retraction: https://www.forbes.com/sites/tomiogeron/2012/12/20/after-backlash-instagram-changes-back-to-original-terms-of-service/#41a2e6be2ede

Terms of Service; Didn’t Read: https://tosdr.org

France Belanger

Virginia Tech Faculty Page: https://acis.pamplin.vt.edu/directory/Belanger.html

“Why Would I Use Location-Protective Settings on My Smartphone? Motivating Protective Behaviors and the Existence of the Privacy Knowledge–Belief Gap” 2019 Publication: https://pubsonline.informs.org/doi/abs/10.1287/isre.2019.0846

“The Mobile Privacy-Security Knowledge Gap Model: Understanding Behaviors” https://vtechworks.lib.vt.edu/handle/10919/81983

Privacy Services and Software

uBlock Origin: https://github.com/gorhill/uBlock

Brave Browser: https://brave.com

TOR Project: https://torproject.org

Google Privacy Checkup: https://accounts.google.com/privacycheckup

Facebook Account Information: https://facebook.com/your_information

“The Best VPN Services for 2019” CNET.com: https://www.cnet.com/best-vpn-services-directory/

Article about TOR security: https://arstechnica.com/information-technology/2016/08/building-a-new-tor-that-withstands-next-generation-state-surveillance/


From https://filmmusic.io:

“Lobby Time” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“Backbay Lounge” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“George Street Shuffle” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“Sneaky Snitch” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“Samba Isobel” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“Airport Lounge” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“Dreamer” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

“On My Way” by Kevin MacLeod (https://incompetech.com)

License: CC BY (http://creativecommons.org/licenses/by/4.0/)

Other music:

“Let That Sink In,” composed by Lee Rosevere. https://leerosevere.bandcamp.com/

Used under a Creative Commons Attribution 4.0 International License https://creativecommons.org/licenses/by/4.0/

“Royale,” performed by Josh Lippi & the Overtimers https://joshlippi.bandcamp.com/