New app requirements put the onus on developers, but long and legalese-filled privacy policies often leave users none the wiser

From early next month, Apple will require all new apps or app updates to include a privacy policy that explains what user data they’re collecting and what they plan to do with it.

The tech giant has always been known for taking user security seriously, and in light of the General Data Protection Regulation (GDPR), introduced in May, Apple is clearly feeling the need to tighten things up further.

Another big motivation is likely to be the Cambridge Analytica scandal earlier this year, which saw Mark Zuckerberg hauled in front of the US Senate after it was revealed that the personal data of 87 million people had been harvested inappropriately by Facebook apps.

While GDPR has prompted a flood of new or updated privacy policies across the web, there’s a strong sense among experts and campaigners that many of these are simply a box-ticking exercise.

“Privacy policies are not only long, they’re downright confusing – too much legalese, techspeak, and language unintelligible to non-native speakers or the average user,” comments Yale Privacy Lab.

By way of example, Twitter’s privacy policy runs to 12 pages, Instagram’s to 11, and Netflix’s to nine.

“Privacy policies are often very long and inaccessibly written,” Ed Johnson-Williams, policy and research officer at the Open Rights Group tells The Daily Swig. “They are not presented in a consistent structure or format.

“Some are PDFs, some multiple webpages, some a single webpage. This makes it very difficult to analyse and represent organisations’ privacy policies.”

Meanwhile, large numbers of privacy policies may not even be complying with the law, say researchers at the University of Michigan School of Information and Ruhr-Universität Bochum, noting that many do not give the user the option of deactivating cookies, as they should.

Cutting to the chase

For privacy advocates, the new app requirements have been hailed as a positive step forward, as the onus is now being placed on developers when it comes to issues surrounding data transparency and accountability.

But in a world where lengthy terms and conditions are considered more of an annoyance than a form of consumer empowerment, what more can be done to ensure the average user is fully aware of what they’re committing to when they click ‘agree’?

In an attempt to make privacy policies more comprehensible to users, several organisations have created tools designed to summarise and clarify them for users.

Polsis, created by the University of Michigan School of Information (UMSI), allows users to type in a URL and receive a visual presentation of what data’s being collected by that website, who it’s being shared with, and what choices are available.

Meanwhile, Terms Of Service Didn’t Read (TOSDR) is a crowd-sourcing project that highlights any particularly questionable aspects of a privacy policy – ‘Google can use your content for all their existing and future services’, for example – and assigns it an overall rating.

And more recently, the Open Rights Group has created Data Rights Finder, which analyses the privacy policies of more than 30 fintech organisations and helps users exercise their rights.

“We made the underlying data available through a public API and we’re actively looking for organisations who are interested in building on top of that API,” says Johnson-Williams.

One possible solution is the adoption of machine-readable privacy policies such as the now-defunct P3P project. This was designed to allow users to set their own parameters for the data they’re willing to share, and alert them if a site has a policy that contravenes them.

P3P was abandoned due implementation difficulties and a perceived lack of value. However, if ever there were potential for a program of this nature to succeed in the future, it would be in the closed ecosystem of Apple’s App Store.

“Machine-readable privacy policies are a really interesting idea that we should be exploring,” says Johnson-Williams.

“A machine-readable privacy policy with a common format and structure that is linked within organisations’ websites would go some way towards allowing comparison and analysis of privacy policies.”