Many companies use tactics that intentionally discourage users from reading and understanding what they’re agreeing to, ultimately resulting in users giving broad access to their personal information, according to a recent paper by a Mercer University professor and alumnus. Federal regulations are needed to address the problems of these unfair contracts, they concluded.
“It’s just a risk that we accept in today’s society — that you might be signing your life away. But that’s not how it should be,” said Vaughan, who double-majored in information science and technology and cybersecurity at Mercer and now works as a cyber engineer at Raytheon Technologies. He started the paper as a project in his security laws, ethics and policies class, taught by Dr. Yerby, and it developed from there.
“People are confused by those terms of service and those privacy policies,” Dr. Yerby said. “We found several examples of companies that are intentionally confusing people, and they’re using something called an adhesion contract, which has regularly been found to be unfair.”
In an adhesion contract, one party, usually the service provider, has substantially more power than the second party, usually the user. The user is often compelled to agree to the contract while the company retains all the rights to accept, refuse or modify the agreement.
“You have no power. You have no room to negotiate,” Dr. Yerby said.
The paper identified several examples of hidden provisions found in terms of service documents. For example, in 2015, Spotify updated its terms of service to include a provision that gave the company access to everything stored on the phone that had Spotify installed. The provision was later removed.
To this day, Facebook’s terms of service give Facebook and parent company Meta wide-reaching permission to users’ content and personal data, even after the content is deleted. Users’ content and data may be used in advertising, sold to third parties or used in any number of other ways that make money for Facebook and Meta.
“The contracts are there only to protect the business at the expense of the customer’s privacy, awareness and power to do anything about it,” Dr. Yerby said.
Terms of service and privacy policies are not regulated at the federal level, though some states have begun enacting laws to give more rights to consumers. This state-by-state approach, though, can be problematic, as the laws will inevitably vary from state to state.
“It’s just going to create a compliance nightmare, and companies aren’t going to be able to effectively do business from state-to-state,” Dr. Yerby said.
In their paper, Dr. Yerby and Vaughan suggested potential legislative solutions, including requiring plain-language contracts and creating an updated format so users can find, read and understand the terms that they are agreeing to. Updated Android permissions, which let users allow or deny an app access to certain functions on their phone, may also offer a framework that can be applied to the problem.
Dr. Yerby said that without sweeping reforms, users are subjected to the privacy practices of companies that they interact with and have little to no control.
“Unfortunately, it’s a case where the companies that we want or need to interact with have the power. So, the user can abstain, which might be a realistic solution for some things but not always,” he said. “The only real thing you can do is if you’re ever in a position where you can advocate for national reform, do that.”