Categories
General

Privacy made simple: translating EULAs into perfect prose

The problems with long-winded, small-printed EULAs and Terms of Service (TOS) have long been lamented. Packed with jargon and legalese, it’s well-known these lengthy documents receive a skim of the eye at best before users click “I agree.” According to Visual Capitalist, it can take longer to read the TOS of some online companies than it does to read an entire book. That’s great news for an organization trying to hide shady privacy practices. But what about users who care about how their data is used by the businesses they support?

Beyond the content itself, the timing and format of TOS and EULAs — typically served via pop-up once users have already decided to install the product — encourages users to blow past the fine print instead of stopping to educate themselves. In addition, some EULAs include sections in all capital letters, a throwback to when these contracts were written using a typewriter. Instead of having the intended effect of getting the reader to pay more attention to those sections, trying to scan all-caps paragraphs via browser is a visual nightmare.

But again, why should organizations care if most people click through and accept those terms blindly? Setting aside any moral obligations for a second, privacy is becoming more and more important to users in the wake of various abuses of personal data by organizations, such as social media giants, parental monitoring apps, and other online platforms. In early January, WhatsApp made changes to its privacy policy that allowed for more sharing of its users’ data between Facebook-owned apps. Its userbase promptly flocked to Telegram and Signal, driving downloads of those more private messengers into the millions. Organizations such as ProtonMail, DuckDuckGo, and Apple have also baked privacy into their brand identities, framing it as a commodity that gives them a competitive edge.

To help privacy-conscious users better understand how your organization is using their data, it’s important to simplify the language of privacy policies, TOS, and EULAs, or add plain language “translations” next to legal jargon. In addition, explaining why your organization needs to collect particular data — for certain functions of the software or for better metrics/performance — helps educate users on which data is critical for product functionality, which is optional, and which should be anonymous or discarded. Describing the why also helps users establish trust in your organization and keeps their confidence high should changes need to be made to the policy in the future.

If establishing trust in your data and privacy policies is of interest, you’ll want to revise your legal documents like Terms of Service, EULAs, and privacy policy, as well as portions of your website or even advertising campaigns to include readable prose. Some advice on how includes:

  • Section off portions of legal language required for a contract and list their plain language “translations” parallel to or below the sections they describe.
  • Clearly identify the types of data collected by your organization/product and explain why that data is needed.
  • Use both the company website and blog to outline your organization’s views on privacy to customers earlier in the buyer’s journey — before they are ready to install. In this way, users will spend more time with the content and absorb it in a visually appealing format (as opposed to a wall of text crammed into a small pop-up).
  • Raise awareness of your privacy-positive positioning through advertising and content marketing campaigns, SEO, press, or even through advocacy.

Ideally, by crafting smart privacy policies that protect users and clearly communicate which data you will use and why, your prospects will have a solid sense of where you stand on privacy long before they click “Install.” And if you manage to make privacy a commodity that your customers are willing to pay for: Congratulations! You’ve done the right thing by your users and you’ll profit from it. Win, win!

For a look at Malwarebytes’ privacy policy, check out our webpage: https://www.malwarebytes.com/privacy/

Happy Privacy Day!

Categories
Security

TIL what a warrant canary is

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Source

In a nutshell, a “service provider” hoists a flag periodically that affirms they have not been subpoenaed for user information by a government agency. Often times these national security letters come with a gag order to not discuss the request. By not updating the warrant canary, or the canary disappearing, a provider can passively inform their users that an agency may have requested information and they’re now under a gag order. It’s a cute, and believed-to-be-legal way to inform users that their information may no longer be safe with the provider.

Canary Watch has even gone further and keeps an eye on any warrant canaries that are out there! Service providers watched on the site include reddit, tumblr, Adobe, and Cloudflare, among many others.

Categories
General

FCC to help protect your mobile privacy

On my way to Prague last month, I decided to pick up May’s print volume of PC Today. Coincidentally, the entire volume was focused on security.

The first article that caught my attention was about the Federal Communications Commission’s plans to help the victims of phone theft. The article goes on to say, “… when a given phone is reported stolen, wireless carriers can remotely shut down that phone.” What does this mean for you, the consumer?

First of all, the FCC is attempting to protect victims of data and identity theft. However, more than likely your data will be long retrieved by the time you notice your phone is stolen and call the wireless provider.

Secondly, the article cites the FCC’s statistic that 40% of New York City robberies are that of mobile phones. However, I doubt that the majority of those were for the purpose of data theft but rather for the theft of the hardware itself.

If you’re concerned about the data and identity theft aspect of losing your phone, you can take several steps to mitigate that risk:

  1. Don’t store sensitive data on your phone. This is pretty common sense. You wouldn’t want your credit card information easily accessible, but who stores that on their phone anyway? What’s more common is saving e-mail passwords and allowing the thief to gain easy access to your personal, or even more sensitive corporate e-mails.
  2. Another layer of passwords, such as locking access to your phone with a 4 digit number, is another excellent way to deter thieves.
  3. Use the software that comes with your phone. Instead of relying on the wireless carrier to deactivate the phone, or even to support the feature, use software that is prepackaged. For example, Apple’s iPhone comes with a nifty feature called Find My iPhone that can help you erase all of the data remotely. The article did not specify whether the FCC was going to require this for all wireless carriers.

In the digital age of today, our eyes are glued to our mobile phones. Don’t become a victim of mobile theft and make sure to have that phone glued to your side.

How else do you think the FCC can help?

Categories
Security

Check if you’re a digital pirate

With all of the SOPA talk this month, I figured an article on piracy was deserving. Being able to pinpoint users of pirated software is becoming easier and more accurate. For example, check out YouHaveDownloaded.com, a website that lists the torrents you may have downloaded in a certain time span. While the website is not perfect, for those who have static IP addresses, it can get pretty close and provide you a list.

In one article on CNET, it was mentioned that “someone in the home of French President Nicholas Sarkozy, a strong proponent of anti-piracy legislation, has been using BitTorrent to download pirated versions of music and movies.”

If the Stop Online Piracy Act passes in the United States, I’m sure technology to track torrents and other illegal downloads will improve. Consequently, imagine the privacy concerns I have for Internet users. This proof-of-concept website is scary enough!