Deciphering the privacy policies of daily services

News date: 28-06-2018


The recent and serious security and privacy problems of a big company like Facebook, which manages the personal data of billions of people, have at least served to finally raise awareness of privacy among many people. Unfortunately, these cases can no longer be considered an exception. Therefore, we must ask ourselves: do we really know the extent of the problem and how exposed our personal data currently are?

As an example, a controversial art exhibition in China, which aimed precisely to draw attention to how unprotected our data are, showed the personal information of almost 350,000 people (including names, gender, phone numbers, purchasing records, vehicle registration numbers, etc.) that the artist had easily acquired for just over 700 euros (5 people per euro cent).

We might think that it is an isolated case in a country with laxer personal data protection rules, and that we have better protection in Europe, especially after the recent entry into force of the new General Data Protection Regulation (known as GDPR). However, how much do we really know about the privacy and data protection policies of the services we use daily? Are our data really protected? What do we know about the data they are using and their specific use? Can our personal data also be considered open data? To what extent would we be willing to negotiate with our privacy? To what extent are we already doing so, consciously or unconsciously?

The answer to all these questions is relatively simple. Basically, companies are using all the personal data for which we have given consent in a more or less explicit way, always depending on the applicable legislation in each country, something that, on the other hand, is becoming more diffuse due to the ubiquity of these cloud services and the difficulty of sometimes determining our online citizenship.

In any case, a good personal exercise for becoming aware of what data we are giving away is to take a look at the information that the most popular services hold about us. For example, both Google and Facebook allow us, in a few simple steps, to access all the data they have stored on our personal profiles. Reviewing the results is very likely to cause surprise because, in a large number of cases, in addition to our photos or videos, we can also find unexpected content such as the details of all our conversations through these platforms, information about our credit cards, our complete telephone book, the websites and advertisements that we have visited, our approximate location or the exact place where we took each of our videos and photos. It is also more than likely that we will feel quite uncomfortable seeing how an increasing number of websites follow each of our activities while we are browsing, being able to reconstruct each and every step and even collecting sensitive information during that process.

And then, what could these companies do with all the personal data we have given them? This is the key question and also the one with the most difficult answer. Basically, everything that we have allowed. The key in this case is the famous terms and conditions of use that we must accept when we want to start using these services. Unfortunately, the reality is a little more frustrating, because "most people read at a rate of 200 words per minute. A medium terms of use agreement contains almost 12,000 words. This means that to read the conditions before accepting them would take about 60 minutes on average", which in practice means that the vast majority of people accept these conditions directly and without reading them and, therefore, without knowing what the final use of the data will be.

It is difficult for this type of behavior to change in the short term, but fortunately we also have more and more services and tools that help us in the difficult task of deciphering the conditions of use of websites, such as those offered by Polisis and Usable Privacy, among others, or that alert us in real time when we use sites that are potentially harmful to our privacy, such as the Didn’t Read services. Other tools, such as Ghostery, also help us to easily identify what kinds of services are following our online activity on each website we visit and for what purpose, while offering the option to block them, something very useful until more transparent policies are defined, such as those that we are beginning to see in some cases.

Open personal data? In fact, it is possible, and in some fields, such as clinical trials, the opening of certain personal data could even be very useful, but only and exclusively under our control and with our explicit and informed consent.

Regardless of this, we hope that the new European regulation will be consolidated as a useful tool for offering better protection and that its obligations will also be quickly adopted by other countries.


Content prepared by Carlos Iglesias, Open data Researcher and consultant, World Wide Web Foundation.

Contents and points of view expressed in this publication are the exclusive responsibility of its author.