The DeliveryDemon, like most people, has long been aware that the reason we get ‘free’ online stuff is because the providers are after our data. Few if any providers are clear about what data they gather and how they use it. If they provide that information at all, it’s hidden in Ts and Cs the length of a small, or not so small, novel. And of course, in those Ts and Cs they reserve for themselves the right to make unilateral changes to those Ts and Cs whenever they want.
They might sell the data on, or they might use it themselves. Sometimes they seem to give you some choice, but is it real? There are sites, quite a few, which offer a ‘Reject All’ option. That seems good, but the DeliveryDemon still doesn’t feel comfortable. Clicking that button – does it really do what she expects? She can but hope! But some sites are a lot more obstructive when it comes to letting users have control of their data. And once your data gets out of your control, there’s no way to get it back.
The DeliveryDemon stopped using Huff Post some time ago, after seeing how they reacted to data protection legislation intended to give data subjects more control. They’re not the only one to take this approach, but they are a classic bad example. So what did they do, and are they still doing it?
They did, obviously, provide a mindless ‘Accept’ button. But if the user chose the alternative options button, what happened? A couple of layers down there was a list of third parties that Huff Post wanted to provide data to. And some of those third parties existed to provide that data to yet more third parties. How long was that list? Something like a hundred entries.
The options were set to the default of giving away data to each of those third parties. It was not possible to reset those defaults with a single click; that had to be done individually. And that was only a part of the story. Not all third parties had the toggle option. To opt out, it was necessary to go to the site for each of those third parties and SEARCH for how to opt out. Of course such lists are not set in stone; new entries can be added. Is the user, who would normally be using a lot more sites than just Huff Post, to track each site frequently, looking for changes in a long list? And to follow through to all those third parties who can’t be toggled off? Sleazy, to put it mildly.
The DeliveryDemon has just gone back to see what Huff Post is doing now. There is no upfront information about permissions now; it was necessary to keep scrolling just to find where the options are. Guess what. Using the site implies acceptance of the Ts and Cs, though to find them requires site usage. The terms, aka user agreement, have the usual bias of absolving Huff Post of responsibility by shifting it to the user.
But the user agreement is only a small part of the story; there’s more hidden in a privacy policy. There are 15 topics in that privacy policy. And 20 products. And 11 ‘controls’ which look very like company names. And a dashboard which looks very like the 11 controls. Plus a section on advertising which goes back to the controls, or maybe the dashboard.
Eventually some of those sections lead to multiple individual advertisers and the like, all with their own policies and opt out arrangements. The DeliveryDemon CBA to count through them all.
The HuffPost user agreement claims to be under the laws of England and Wales. The DeliveryDemon wonders how those laws apply to those many partners whose individual Ts and Cs claim to operate under completely different legal frameworks.
Of course HuffPost is not alone in using these underhand tactics to get at user data. Users are being groomed right, left, and centre, to participate in the normalisation of this sort of behaviour by a highly unethical use of nudge techniques. And the more they are normalised, the more readily they will be adopted by newcomers to the field.
What may be less obvious is the impact COVID-19 is having. Yes, a viral pandemic can affect the technology we use, and not in the way of the common or garden computer bug.
It’s happening through the massive increase in the use of conferencing facilities at all levels. A lot of people are working from home. Pubs, gyms, and other gathering places have been closed down, depriving people of their normal social contact. The internet provides ways of offsetting that absence of face to face contact. There are well established conferencing apps, some designed for professional use, some embedded in better known social media. Niche apps are suddenly becoming highly popular. They are our work meetings, our social gathering places.
What are these apps doing with our data? Rigorous analysis would take so long it would never stay up to date, so the DeliveryDemon is picking on one example – the Zoom conferencing app. You can’t sign up without accepting cookies. Even the Required Cookies refer to tracking your orders – with no indication of this being a shopping site. Functional and Advertising options are opted in by default – recognised bad behaviour in data privacy terms. And the Basic Settings option doesn’t actually allow you to change that; it’s necessary to choose an Advanced option to get at it.
Try to see Zoom’s privacy policy? It’s greyed out till you go through the cookies rigmarole. And it contains the statement ‘Whether you have a Zoom account or not we may collect personal data from or about you when you use or otherwise interact with our product’. That includes names, user names, physical address, phone number, job title, employer, Facebook information, your device, network and internet connection details. It also demands the right to grab data other users hold about you – and you may not even know what that data is.
Zoom is an egregious example, but it’s not the only one. The DeliveryDemon wonders just how many people know how much of their data has been grabbed, and what use it is being put to. Actually, she knows the answer. No-one knows how much of their data has been grabbed and how far it has been distributed. As soon as an app provider starts grabbing one person’s data from that person’s contacts, all control has been lost. It’s been happening for a long time, and the conferencing needs driven by COVID-19 isolation are an absolute gift to organisations whose Ts and Cs are in breach of the letter and the spirit of common data protection legislation structures.