‘ToSDR’ Ramps Up Efforts to End ‘Gotcha’ Privacy Policies, Terms

By Sue Treiman

A grassroots website is reigniting its campaign against the so-called “biggest lie on the internet” — the assumption that people actually read and agree to the “terms of service” and the privacy policies they accept.

The ToSDR site — “Terms of Service; Didn’t Read” — was conceived at a 2011 European open software conference to warn consumers that what they didn’t know (and didn’t read) could hurt them.

Grassroots activists wanted to educate consumers about the policy “traps” frequently hidden within provisions they tended to overlook.

“Since there are no consistent standards for practices covered by website privacy policies and terms of service, we wanted people to understand what they agree to when they click to ‘accept’ them,” said site co-founder Michiel de Jong of Utrecht, Netherlands. 

The site initially was linked from the Electronic Frontier Foundation’s (EFF) site, where it offered a free “ToSBack” application that notified users of ToS changes.

No longer formally affiliated with ToSDR, EFF still subscribes to the same goal, and ToSBack remains available on ToSDR’s site.

Making the Grade

From the start, ToSDR invited visitors to suggest websites for evaluation. 

IndieGoGo Inc., DuckDuckGo Inc., Google and individual donors helped finance the review process, as each internet site was studied for its policies in 23 different areas that affected tracking, sharing and use of personal data, privacy, and legal protections.

“Then, the volunteer reviewers ‘met’ to discuss and assign a grade,” said curator Evan Mullen, who lives in San Antonio.

Completed sites are graded by “class” — from “A” (very good) to “E” (very bad).

Although thousands of sites were submitted for evaluation, only 100 were fully vetted, as of the middle of this year. Among those, 28 attained a letter grade, the last step in the painstaking review process.

None of the top 150 internet destinations were listed in “Class A.”

Wikipedia won praise, however.  

“It’s the only big website that doesn’t use third-party tracking cookies,” de Jong told Digital Privacy News.

YouTube and Twitter were placed in “Class D” for ignoring “do not track” requests, among other things, while behemoths Amazon, IMDB and Google landed in “Class C.”

“Consolidations at places like Google, which incorporates YouTube and Gmail, collect so much data that people can be tracked everywhere, all the time — which really scares me,” de Jong said.

Facebook, with its ever-changing policies, was examined but has not yet received a grade.

Reviewers, however, criticized it for tracking users too closely, accessing too much personal information and permitting global data distribution. 

Valuable oversight

Other leading privacy advocates are equally concerned about ToS policies.

“There’s plenty of abuse out there by companies that use alleged ‘terms of service’ violations to censor online speech, justify data-collection, or accuse someone of a computer break-in,” said EFF’s Karen Gullo.

Access Now, the global-rights nonprofit, warned that unwieldy website provisions actively discouraged users from understanding what they sign.

“ToSDR addresses website provisions that are famously known for being lengthy, full of jargon and largely not read,” Estelle Masse, Access Now senior policy analyst, told Digital Privacy News.

The ‘gotcha’ issue

A 2018 study dramatically illustrated the potential peril posed by wordy and confusing policies. Among research subjects asked to explore a fake social-media site, 98% — apparently unwittingly — agreed to provide their “firstborn child” as payment for access. 

Such “gotcha” provisions are likely to become tougher to conceal, experts told Digital Privacy News.

The European General Data Protection Regulation, which took effect in 2018, expanded user control over personal data — and California’s new Consumer Privacy Act also limits personal data-sharing.

Since the California provision affects any site doing business in the nation’s most-populous state, it could become the closest thing to a de facto American standard, the experts said. 

Understanding privacy pitfalls

ToSDR is broadening its mandate.

Flush with new volunteers who discovered the site while self-isolating during COVID-19, the site recently pledged to publish one fully graded website evaluation every week, effectively tripling the number of fully vetted websites, by the middle of next year.

Meanwhile, de Jong reminded consumers that when they “agree” to a website’s provisions without reading them, they could lose more than admission to that site.

“If you’re not careful,” curator Mullen said, “you can pay for access to ‘free’ websites with your identity.”

Sue Treiman is a writer in Dobbs Ferry, N.Y.
