Online terms of service agreements are the rarely-read but often-mocked daily annoyance of Internet users worldwide. A large (literally) barrier to the immediate gratification of access to online content, most of us are guilty of blindly clicking “I accept” when prompted. We do this, often with a very limited understanding that in exchange for “businesses giv[ing us] these fantastic services, Google Search, Facebook and many other things, for free[,]” we give those businesses information they then commercialize by, for example, selling to advertisers. Often unknown to us is exactly what information we are giving, who is seeing it, or how well it is protected. However, according to the Ranking Digital Rights (RDR) project, this is starting to change.
The RDR operates at the New America Foundation’s Open Technology Institute and was formed in the wake of the public’s growing concern over websites’ collection and security of user data. For example, a recent Pew study found that:
91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
88% of adults “agree” or “strongly agree” that it would be very difficult to remove inaccurate information about them online.
80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge.
Large-scale data theft is becoming increasingly common, and users are starting to pay attention to what information they are providing to companies online and how those companies use it. Some companies are even capitalizing on the increased attention their terms of service agreements are getting. In 2014 Tumblr, a popular “microblogging and social media” website, received positive attention when it included a number of humorous asides in its terms of service. This included informing surprised 12-year-olds that they were too young to use the service and suggesting they ask their parents for alternatives or “try books”:
Humor aside, a user’s actual understanding of what they are agreeing to share with websites online is still, at best, limited. This is where RDR steps in. Launched in October 2015, RDR offers an easy to digest ranking system called the “Corporate Accountability Index“, which evaluates “16 of the world’s most powerful [i]nternet and telecommunications companies on their public commitment and disclosed policies affecting users’ freedom of expression and privacy” and ranks them on a 100% scale.” Generally speaking, the goal of the Index is to allow normal users to make informed decisions about the businesses that collect, store, and sell their data. The RDR also hopes to prompt businesses to take a hard look at how their policies affect their users.
The straightforward “indicators” that form the foundation of the rankings are simple enough for any user to understand. Researchers evaluate corporate data and calculate a score based upon the answers to questions such as “Are the company’s privacy policies freely available and easy to understand?” and “Does the company disclose what user information it collects, how it collects this information, and why?”. A company’s aggregate score shows how it rates across three broad categories of “Privacy,” “Freedom of Expression,” and “Commitment.” Users can also dig further down and learn how a company ranks under each individual indicator.
The Corporate Accountability Index is currently limited to 16 companies that possess the Internet’s largest user base and garner the most online traffic. While this sample size targets the companies whose collection and use of user data is the most widespread, it is remarkably small in the context of the sheer volume of businesses operating online. Resources that monitor and assist the public in understanding the terms of service agreements and privacy policies of these smaller entities remain very limited. However, the Corporate Accountability Index is likely only the beginning. As public scrutiny of corporate policies continues to mount, it is entirely possible that over time the Index will continue to expand and extend its rating system to more companies. It is also reasonable to assume that other groups may begin to perform analyses similar to that performed by the RDR in select sectors, such as banking and health care, or for smaller companies.
The takeaway from the creation of the Index is that the answer to the question of how businesses gather and use data, as well as how much control over their own data users may have, is no longer something known only to lawyers and their clients. Companies now need to worry not only about how their policies impact their liability, but also how the public perceives those policies compared to those of their competitors. It may not be long before an informed public is making choices about what they do online based largely on what they understand and who they feel they can trust.