The calculus of consent?

A few years ago, two researchers, both then at Carnegie Mellon, decided to calculate how much time it would take to actually read every privacy policy you should.

First, Lorrie Faith Cranor and Aleecia McDonald needed a solid estimate for the average length of a privacy policy. The median length of a privacy policy from the top 75 websites turned out to be 2,514 words. A standard reading rate in the academic literature is about 250 words a minute, so each and every privacy policy costs each person 10 minutes to read.

Next, they had to figure out how many websites, each of which has a different privacy policy, the average American visits. Surprisingly, there was no really good estimate, but working from several sources including their own monthly tallies and other survey research, they came up with a range of between 1,354 and 1,518 with their best estimate sitting at 1,462.

So, each and every Internet user, were they to read every privacy policy on every website they visit, would spend 25 days out of the year just reading privacy policies! If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that’s 53.8 BILLION HOURS of time required to read privacy policies.

That is Alexis Madrigal, the article is here, for the pointer I thank Jeffrey Deutsch.


Why should we read privacy policies when we have class-action attorneys to do it for us?

Who says a person should read internet privacy policies? Many users implicitly consider the length of time required to read the policies - coupled with the minimal stakes (at least in terms of each website visited) of assenting, the role of reputation costs / social and informal ways to discourage a site from abusing one's information, and the possibility of using self-help methods to ensure internet anonymity (such as TOR and anti-spyware software) - and conclude that it's not in their best interest to read the policies. There is a great discussion of this issue in Randy Barnett's introduction to U.S. Contract law:

Sometimes, it's ok to just take a deep breath, admit humans are not perfectly rational actors, and come to grips that once in a while market failures can happen. Saves a lot of stress and posturing.

What's not rational about the actions he posted? If anything it would be irrational to spend all your time reading them as any likely benefit is of far less probable value than taking the time to read all of them line by line.

Humans need not be perfectly rational actors to instinctively calculate that the benefits from skipping privacy policies outweigh the costs.

Right, but they're so long and confusing precisely because they want to discourage you from reading them. That's not the only reason, of course, but it's one of them.

Don't we just need one guy to read it and then we can trust him?


We already have volunteers. So long as at least a very small percentage of people read the thing and so long as those few people have a way of getting the word out, news of a sketchy privacy policy will spread in easy to digest form. I don't even use facebook but I've read summaries of what's wrong with their policies that are well written and to the point.

I would not take the word of a random person on the internet as gospel, but if I was told that site X has an extremely sketchy privacy policy then that would be my cue to read it for myself.

Argument #4 against minarchy.

Not really. If people cared about privacy policies (it seems clear most don't) it would be worth the while of someone with some credibility to distil them and summarise the important bits ... for a small fee .......

Yes, but who do we pay to read their fine print… ;)

Isn't your assumption that the government actually does something about this?

Since I think they don't I think it's an argument FOR minarchy.

This is where we need the advice of Frankobert, the Libertarian Barbarian. Frank is keen on barbarian honour and likes contracts which pin those promises down in clear black ink. But if some lawyer comes to him later claiming that the contract means something totally different from the promise that Frank thought he was signing up to, then down will come the red mist of war.

I don't know how the law works in the real world, but in my perfect world Judges would be a bit like this barbarian -- he should enforce just about any contract between two consenting parties, *as it was understood at the time it was made*, and the written document is only one piece of (rather good) evidence about what that promise was. If it seems the parties understood the contract differently, then we should *dis*favour whoever framed the contract in the first place.

Such principles would create an incentive to write clear, balanced contracts. It seems that instead we have incentives to write complicated, one-sided contracts and then protect the little guy through statutory limits on his freedom to make promises. Lawyers win on both sides of the deal.

If you adjudicated everything you'd quickly hit a bottleneck very similar to this one about privacy policies. So, you'd have to 'make an example' out of a few, which isn't really justice either.

Almost all adhesion contracts are written -- well, I don't want to say "to be as confusing as possible," but I will say "such that ease of understanding is always less important than something else."

I'll make a distinction with mortgages, though. I believe mortgages are written with the fewest number of forms legally required. Someone got screwed because they didn't tell the borrower that they couldn't store drums of mercury on their land, so all borrowers are required to sign a page saying that they won't. Someone got screwed because they didn't tell the borrower in an explicit page that they got an adjustable mortgage, so all borrowers of adjustable mortgages are required to sign a page saying that they understand their mortgage is adjustable.

I guess it's possible that all banks make it confusing on purpose, but it would require a lot of collusion to stop a defector from saying "we have a ten page closing you can read in ten minutes." (Or was there such a defector?)

The strongest argument for minarchy is that this made the top four list of arguments against it.

If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task.

No it wouldn't. You'd never finish, because you'd be driven out of your mind before you got anywhere near 76 days.

There are people whose job is to read privacy policies, and they work year round!

Someone should create a website which analyzes privacy policies.
You could see visually, by comparison, how privacy policies vary. Of course, you wouldn't get the nuance. But, you would get some big picture differences and decide where you wanted to transact business.

This depends, though, on how much value you place on privacy.

And, whether you would let that privacy website attach a cookie so it could pay for the privacy policy collation service.

Isn't it pretty reasonable to think that there are a handful of "privacy bundles" that consumers want. Then all you'd say is "our privacy policy conforms to Privacy Policy Orange (kind of like the terror alert colors, or use a number if you want to actually make some sense), if you want to read it we've reproduced it below."?

Exactly my thoughts! There ought to evolve (by diktat or voluntarily) a few 'standard models' for privacy policies. Most firms will be happy to choose one of those and a few might say "Privacy Policy Orange with 2 modifying clauses" etc.

This isn't unheard of in other sectors; there are standard apartment rental agreements etc. in a lot of places.

If they ever get to the courts that's when we'd likely see standardization. The current bundled good is = "cool website, crappy tagalong policy." The government isn't going to put up with actually having to use judgment.

Good find!

I'm still puzzled how it works. e.g.

The TRUSTe seal does not indicate that a web site complies with any specific set of privacy rules, such as the European Union's Data Protection Directive. It indicates only that the site has self-certified as complying with the site's own privacy statement

So, essentially, we have the website's word?

Another fun tidbit:

Dr. Benjamin Edelman of the Harvard Business School found in January 2006 that sites with TRUSTe certification were 50% more likely to violate privacy policies than uncertified sites.

This is a good example of why there's too much blame on subprime mortgage borrowers who supposedly wrecked the economy being stupid and not understanding what they borrowed.

Like anyone, ANYONE, reads the pages of disclaimers on anything they sign. You trust who you are dealing with.

I'm not saying they deserve no blame, folks taking inappropriate mortgages were definitely PART OF the problem. But they get way more vitriol than they deserve.

Because there is of course no difference between a generic privacy policy on a website that pertains to the small amount of info you give them and a contract that puts you on the hook for tens of thousands of dollars. In the mortgage contract case if you're too lazy to read it then you might want to hire some one who will because the consequences are normally many orders of magnitudes higher than not reading a website's privacy policy.

I don't know that I disagree in spirit, but these were often folks with too little funds and too much trust. They aren't blameless, but they aren't the scourge of mankind either.

Oh I agree that they're not a "scourge." But they probably shouldn't be given subsidies or incentives to be placed in that position in the first place.

They are the scourge. Maybe they are too naive to be so on purpose, but I guarantee they are the scourge.

They are the people who buy from telemarketers.

Generally, people who bought more house than they could afford didn't get tripped up by hidden fees or whatever in the fine print, they just bought more house than they could afford.

"What do you mean mortgages aren't free money?! Did these banksters shoe-horn this clause into the fine print or something?!"

I've asked this in the context of consumer protection as well. Why do we expect the peon at firm X to be smarter than the guy sitting across the table from him? Maybe this is the legal construct we work under, but why would we expect it as reasonable people shooting the bull?

Setting aside the mortgage analogy (which personally I like), I agree that trust has been a key element to dealing with the flood of privacy policies. Few care about privacy policies until their data gets sold off...or they realize just how much they are being "tracked and targeted" by the sites they frequent. Few people are careful with password best practices and then, on rare occasion, have to deal with the consequences.

It's pretty amazing that trust is so widespread among Internet users. There's really not much in the way of law enforcement. And there are some shady practices. And what happens when people figure out that their privacy offline is hard to preserve online? Now that doesn't seem like a trust booster.

After reading the replies to your comment, msgkings, I believe we should decompose "trust."

There's trust that something/someone is inherently good, and there's "trust" that you'll be signaled if something/someone isn't inherently good even if you yourself are unable or unwilling to discern. Savvier people (frequent internet privacy "readers") tend to have more of the latter and less savvier people (subprime borrowers) more of the former.

It's the difference between believing that your girlfriend is a devoted angel who would never cheat on you, and believing that you would be signaled if she were cheating on you by suspicious behavior from her (banks/internet sites) or her friends (market color/consumer reviews).

Miley, I think you could argue that households reasonably, but in the end incorrectly, "trusted" that banks would only sell them products that they could afford. The explosion of securitization seems to have weakened a longstanding signal from banks to mortgage buyers...Subprime borrowers may have been less savvy, focusing on initial monthly payments, but I doubt they came with a "banks are good" bias. But your point that trust is multifaceted is well taken.

Where did that signal come from again?

House Financial Services Committee hearing, Sept. 25, 2003. Rep. Frank: I do think I do not want the same kind of focus on safety and soundness that we have in OCC [Office of the Comptroller of the Currency] and OTS [Office of Thrift Supervision]. I want to roll the dice a little bit more in this situation towards subsidized housing. . . .

Aside from the above, an agent that analyzes privacy policies could be developed and programmed. The problem is there is no market because people don't care enough.

In health care we have the same problem with informed consents for surgery etc. There at least physicians are forced to discuss them with patients until they consent (or not). But the written consent form patients don't care about *at all*.

I think the estimate of reading rate is too low. These are legal documents, not articles in the Wall Street Journal. Many people are unable to read them with comprehension at any rate.

More than once I've read a privacy policy with placeholders still held in place. Like "<PUT YOUR COMPANY NA&ME HERE>".

Googling "policy" and "your company name here" gets almost half a million hits, a few of which are templates but many of which are as you describe. Write it? We didn't even read it!

Fresh out of law school, I drafted a privacy policy for a website, and some months later, out of idle curiosity, visited it to find out that they hadn't filled in any of the blanks where I had put [FILL IN BLANK]. Even though I expressly warned them, when sending it, that they needed to fill in xyz blank.

That website went kaput shortly thereafter anyway, so I doubt anyone was any the worse for wear.

At some point, shouldn't a contract that is, for all practical purposes, incomprehensible to the counter-party be deemed irrelevant?

there may be worth in the incomprehension

1000+ different websites/year seems absurdly high. I bet that 99% of usage for a given person is concentrated in < 20 websites, such as Facebook, Google, etc.

Moreover, most people care very little if sells their personal information, because Bob doesn't have any of their personal information worth anything more than a trivial amount.

I mean, if they bought any buillion cubes he does. Credit card # for instance.

I think "legalese BS" should be a defense and an actionable defense.

There's also this study that examines the reasons why people don't read form contracts (rational / irrational?) and the conditions under which people will read them. One of the experimental conditions includes the ability to "purchase" a better privacy policy.

Forget privacy policies, how much time would it take to read all the licenses of all the software you use? All those click through "you agree that if you re-install your operating system, you will purchase a new copy of this software, not re-use the old copy..." licenses.
