Are people failing to understand privacy, or is the industry failing to explain it?

Privacy can be an emotional topic. Many people have an opinion about it, but is there a lack of understanding around privacy policies? Recently, Facebook updated its WhatsApp privacy policy, causing many users to leave the platform, claiming that new rules would mean that Facebook would gain access to their information, messages, and contacts. This is a good example of people making a judgment about a privacy policy without being fully informed. Now, for the record, I don’t share my life on social media, and I don’t understand why people are so addicted, but everyone is entitled to an opinion on the merits and business models of social media companies and whether to remain a user.
During the past week, a colleague in the cybersecurity industry – someone I respect – messaged me, stating, “they [Facebook] will be able to read my WhatsApp messages. I expect to see targeted ads based on my chat.” I did, of course, point out that the end-to-end encryption meant this was not possible; however, I did add that caution should be used when using Facebook Messenger.
The new change, as clarified since the confusion, means that WhatsApp is being commercialized in the sense that business communications and transactions may use a hybrid of Facebook servers and WhatsApp. And given that most WhatsApp users are likely to also have the Facebook app installed, it’s probable that contacts and device information are already being shared with Facebook, so leaving WhatsApp does little to prevent Facebook from accessing the data in question anyway.
The exodus of people switching to Telegram, Signal, and similar apps due to privacy concerns over the change in policy actually demonstrates a lack of understanding or, more importantly, a lack of willingness to understand the actual changes being made. Those changes, incidentally, have now been delayed from February to May due to the backlash.
I wonder how many of the people moving to other apps took the time to read the privacy policies of the apps they are moving to. My hunch is ‘not many’. Did they jump from the frying pan into the fire? And did they ask how these reportedly more privacy-conscious apps are going to monetize their service and become profitable companies? After all, they are not doing it just for fun.
January 28 is International Data Privacy Day, an effort designed to engage individuals and businesses and raise their awareness of the need to respect privacy, safeguard data, and enable trust. Given that WhatsApp is not the first, and likely not the last, company to change its currently misunderstood privacy policy, it is essential that companies become better at engaging with their customers or users on what exactly their privacy policy means. And let it be noted, I am not endorsing WhatsApp’s current privacy policy nor its new one; I am simply pointing out that people need to make an informed decision when something changes rather than just follow a crowd that may be walking in the wrong direction based on a lack of understanding.
For consumers, especially the younger audience, to understand a privacy policy, it needs to be written in simple language. It should not require a lawyer to explain it, and it needs to be short enough that users are willing to read it. Staying with the messaging apps mentioned above, the privacy policies of WhatsApp, Telegram, and Signal have approximately 2,900, 3,750 and 525 words, respectively. The average reading speed is around 250 words per minute, which equates to a little over 2 minutes for Signal and 11-15 minutes for WhatsApp and Telegram. In the spirit of transparency, the privacy policy of ESET, the company I work for, is just under 1,000 words, a 4-minute read.
There have been industry groups that have attempted to create a standard to simplify the language and readability of privacy policies, but as the privacy policies above show, there is still significant room for improvement. For example, the financial services industry in some countries has been regulated to ensure financial products explain terms in short, easy-to-understand statements to avoid the mis-selling of products to consumers. It seems prudent for other sectors to adopt such policies as well.
The education system, in most areas, teaches the fundamentals of cybersecurity and internet safety, even when it’s not mandatory. In some places in the world, they are even teaching how to fact-check in order to avoid the bias caused by fake news. But are students taught how to dissect a privacy policy in order to understand what data they may be sharing, with whom and for what reason, so that they can make an informed decision on whether it’s appropriate, or in this case, whether a free service provides enough value in exchange for personal data? And this is an important point: your personal data has a value to a company, so handing over that data is a transaction, and there should be a product or service of an acceptable value handed over in exchange.
While regulation can stifle innovation, in this case there is little to innovate in the writing of a privacy policy, so it is time for privacy legislation to include the requirement that companies create privacy policies that are understandable, simple to read, and of a length that keeps a consumer’s focus and engagement. Personally, I think this is an essential evolution in the data-driven world we are living in.