Google's Nest deal highlights privacy-policy issues: Dan Misener

Last week, Google announced plansto acquire Nest for $3.2 billion US. Since then, there's been a lot of speculation about what Google might do with the data Nest's devices generate.

Nest Labs makes gadgets like thermostats and smoke alarms that are connected to the internet so that they can send you alerts and you can manage them remotely from a computer, tabletor phone.

As a Nest user, I had a lot of questions. Will Google now know when I'm home and when I'm not? Will I start to receive on-screen advertisements for sweaters if I adjust the temperature too low? Will push notifications about dangerous carbon monoxide levels require a Google+ account?

On Monday, NestCEO Tony Fadell assured users that there will be no immediate changes to the company's privacy policy. He also promised that any future privacy policy changes would be transparent, and opt-in.

Which got me thinking about terms of service and privacy policies more generally.

More often than not, I check the box labelled "I agree to the Terms of Service and Privacy Policy" without reading a single word of those documents. Afterwards, I rarely think about what I've agreed to, or how it might change.

I'm not alone.

"The average person doesn't read them," says Mark Hayes, a lawyer who specializes in privacy and technology. "In the vast majority of cases, even if they decided they were going to take the time to read them, they'd have a hard time actually understanding many of the policies."

The reasons are fairly obvious. Most privacy policies are written in nearly impenetrable legalese. Plus, they're long. Research from Carnegie Mellon in 2008estimated that the average American would need more than 200 hours to read the privacy policiesfor each site they use in a year.

"If you really want to know what privacy policies apply to you, you'd better make sure you have an awful lot of time on your hands to be able to dig through them," adds Hayes.

Policies change

What's more, privacy policies change. Often quietly.

"In most cases, unless there's a very significant change, for most organizations there is very little -if any -notice that a change has been made," says Hayes.

"Should you expect to get a heads-up? Probably not in most circumstances. If you read most of the privacy policies of companies online, they will say that they reserve the right to make changes and that you should check back often to determine what their current privacy policies are."

For Hugo Roy, that's an unreasonable expectation.

"It's impossible for a single individual to keep track," he says.

Roy is the project lead for Terms of Service; Didn't Read, which rates and labels website terms and privacy policies. ToS;DR uses a letter grade systemand breaks down website policies into topics.

For instance, the site gives YouTube a "D" and lists several reasons why ("Terms may be changed any time at their discretion, without notice to the user", "Deleted videos are not really deleted"). The search engine DuckDuckGo gets an "A" because it doesn't collect or share searches or personal information.

"There are many, many services, and many documents to track," Roy says. What's more, he adds, "these documents change a lot during the year."

To that end, ToS;DR partnered with the Electronic Frontier Foundation and the Internet Society on TOSBack, a project that tracks changes to website policies.

"We have a robot that crawls the websites and tries to find changes, so we can see if something important has changed," Roy says. "It's like a radar to look for changes in the terms, so we can be sure we don't miss anything important."

As privacy policies change over time, so too can their ratings on TOS;DR. "At one point, a service can have a good grade," explains Roy. "But later on, it can have something worse. So it's always subject to change."

What to look for

Most of us aren't lawyers, and parsing the legalese of privacy policies can be challenging. So I asked Mark Hayes what privacy-conscious Canadians should watch for if they decide to investigate a site's terms of service.

He highlighted three things:

• First, does the website share or sell the personal information it collects? If so, "that might result in an awful lot of spam and other email coming to you."
• Next, disclosures about foreign storage. Geographically-speaking, where are the servers that store personal information? In Canada? The US? Elsewhere?
• Finally, data matching. Does the site combine the personal information *they* collect with data from other companies? If so, Hayes says "that allows people to potentially to build a very significant profile of you by combining a number of databases."

Hugo Roy hopes that by demystifying website policies, users will be able to think more critically about their choices.

"The more people are informed about these issues, the more it gives me hope that people will make their own decisions, instead of blindly trusting a big website."