Privacy Policy Analysis of

Popular Web
Platforms
Sherali Zeadally and Stephanie Winkler

P
Figure 1. Sign up screenshots from LinkedIn, Twitter, and Facebook.

Digital Object Identifier 10.1109/MTS.2016.2554419

Date of publication: 2 June 2016

june 2016

rivacy is a primary concern

of Internet users today, but
still ma ny users do not
seem to understand just
how much of their personal
i n for ma t ion i s pu bl ic l y
available. This could be ex
plained in part by the complexity of privacy
policies of most online web platforms.
When the Internet first became commer
cially available for use in the 1990s there
was no clear indication of how much this
platform would become integrated into the
lives of the population today. There was
not a significant need to think of privacy
online in the beginning because the tech
nology was not widespread and had little
commercial interest compared to the Int
ernet today. Commercial companies have
a long histor y of fa ilure when initia lly
attempting to advertise on a new media
medium [20]. The Internet has been no dif
ferent. Google fundamentally changed how
Internet marketing operates by introducing
a method that transforms its users into a
commodity that can be sold [26]. This par
ticular method was a mix between charg
ing advertisers per click for the clicks that
their advertisements received from users,
and collecting vast amounts of user infor
mation that could be sold to advertisers for

IEEE Technology and Society Magazine

1932-4529/162016IEEE

75

targeted marketing [27]. Googles service appears

to be free to users but in truth is bought with the
users information. This information is collected
from the user with their permission because when
using Goo g les ser v ice s user s must a g ree to
Googles privacy policy.
This new method of advertising was so successful
that many online platforms began to follow Googles
lead. Up until Google changed the game, many of
the popular platforms promised users complete pri
vacy by vowing in their privacy policies to not collect
any of the information generated by the user on their
platform [45]. This began to quickly change as vari
ous web platforms started to alter their privacy poli
cies with most of their users unaware that they had
been altered.
The users of web platforms started to gain aware
ness of the erosion of their privacy when Edward
Snowden revealed the massive United States govern
ment National Security Agency (NSA) surveillance
program in June 2013. The increase in online priva
cy concerns has been staggering [13]. This revelation
called into question of the way private information of
users is handled by many of the nations largest
technical star tups including Facebook, T witter,
LinkedIn, and Google. Thankfully for the companies,
the majority of the backlash has landed on the U.S.
NSA. However, the results of the privacy policy
changes they implemented does not put the compa
nies on the side of the users. Much of the data gath
ered by the NSA was actually first gathered from
popular web platforms with the consent of Internet
users thanks to privacy agreements [27]. Many priva
cy agreements today end up going unnoticed as
users quickly click the submit button without
thinking to read through the terms and conditions
first [37]. This leads to the question:
R1: If users actually read the privacy agreements
would they still willingly agree to terms that severely
violate their privacy?
The first step to answering this question is to exam
ine the content of privacy policies and assess users
ability to understand the content. If the user does not
understand the privacy policy, there is no informed con
sent when accepting the conditions. This inability to
comprehend the policy could also act as a deterrent to
reading the entire policy. At this point nearly every web
platform has some type of privacy policy. We will focus
on four of the most popular web platforms currently in
use: Google, LinkedIn, Twitter, and Facebook. In this
work, we focus on addressing the first step to answering
our research question by analyzing the content of the
four privacy policies and conducting a readability analy
sis on each policy.

76

Research Contributions
We summarize our main research contributions as fol
lows.
We analyze privacy agreements from four of the
most popular web platforms (i.e., Google, LinkedIn,
Twitter, and Facebook).
We compare and contrast the privacy agreements to
identify the platform that gathers the most informa
tion and the platform that offers the most informa
tion privacy for the user.
We analyze the privacy policies in order to deter
mine what the average user can comprehend.
We recommend some potential solutions for users
to increase their privacy in spite of these agree
ments.
Finally we identify future research opportunities
aimed at protecting consumer privacy.

Related Work
Privacy policies have been the focus of many researchers
over the years as the Internet has become more populat
ed by various companies. Many past studies have
focused on privacy policies in general, rather than on
only a few web platforms as we do in this article. Also,
prior research has examined one type of privacy policy at
a time. Graber et al. [18] examined the privacy policies of
80 different Internet health web platforms. Lewis et al.
[32] decided to focus on the financial industry by examin
ing 75 different online companies. The privacy policies
selected were comprised of an equal number of banks,
credit counseling companies, and check cashing compa
nies. The primary focus of both of these studies was to
analyze the readability of the privacy policies. The
researchers concluded in both cases that privacy policies
from these groups were not easily understood by the
majority of users and are not considered a good measure
by which to inform the user of their privacy rights [18],
[32]. Caramujo and Rodrigues Da Silva [4] was one of the
few efforts that came closest to our objectives in this
paper, as they focused on Facebook and LinkedIn. How
ever, they did not study other popular platforms such as
Google and Twitter and did not conduct an in depth anal
ysis of the privacy policies. Rather these researchers
used the privacy policies to inform their proposal of a pri
vacy-aware unified modeling language profile [4].
Our approach for analyzing the privacy policies is dif
ferent from the efforts of other researchers [4], [18], [32],
[42], [44] since we include a side by side comparison,
readability analysis, and what these mean for the users
of these platforms. Our readability analysis uses a simi
lar approach to [18] and Lewis et al. [32], since we use
the Flesch-Kincaid Grade Level Readability Formula. The
Flesch-Kincaid Grade Level Readability Formula mea
sures the grade level a text is written at by analyzing

IEEE Technology and Society Magazine

june 2016

Table 1. Comparing Data Collected According to Privacy Policies

Type of Information

Facebook

Google

Twitter

LinkedIn

Personally identifiable information

Yes

Yes

Yes

Yes

User-generated content

Yes

No

Yes

Yes

Device information

Yes

Yes

Yes

Yes

Location information

Yes

Yes

Yes

Yes

Payment information

Yes

No

Yes

Yes

Off-platform activities (other platforms visited and user engagement)

Yes

No

No

No

How the user interacts and uses the web platform

Yes

Yes

Yes

No

average words per sentence and average syllables per

word. These two calculations are used in conjunction
with three constants in order to determine the grade
level of the text [6]. The Flesch-Kincaid measure has
been established as tool to determine text readability in
numerous fields including health sciences, education
materials, finance, and governmental texts [17], [38],
[53]. However our comparison of privacy policies is dif
ferent from previous studies because we focus more on
what information is included or excluded and the pro
tections the platforms offer instead of purely focusing
on the user as done in [42] and [44]. While we still
examine the implications for the user, our approach
also investigates solutions for the lack of online privacy
that could potentially bridge the gap between the user
and social media/web company. In this context, our
approach also differs from other research such as [42]
and [44] which focuses more on who the privacy policy
benefits rather than recommending future solutions.

Web Platforms
Social media platforms have become one of the most
popular technologies on the Internet. By 2014, 71% of
adult Internet users [7] and 56% of the entire adult pop
ulation were using some form of social media [43].
While social media remains most popular among young
adults (ages 18-29), usage is steadily increasing each
year in other age groups [7]. Today some of the most
widely used social media platforms are Facebook, Twit
ter, Google, and LinkedIn [25]. Each of these platforms
are discussed more in depth below, along with the pri
vacy agreements that their users are required to agree
to before accessing the site and using the service it pro
vides. Special attention was paid to personally identifi
able information (i.e., information that could be used to
identify the user); user-generated content (anything that
the user may create while using the platform); device
information (e.g., IP address, if it is considered a mobile
device); location information; payment information (e.g.,
credit card number); off-platform activities (activity on
june 2016

platforms not covered in the privacy policy); and how

the user interacts and uses the web platform (e.g., post
ing content, content viewed, ads clicked).

Facebook
Facebook was initially launched in 2004 as an online
directory for college students. Since that initial launch,
Facebook has become a publicly traded company with a
market value of over 240 billion dollars [31]. This multibillion dollar corporation is a social networking site that
allows users to connect with people they know to share
photos, play games, and share information. Facebook
currently has over 1.2 billion monthly active users world
wide, making it one of the largest social media plat
forms today [28].
Facebooks privacy policy (last revised January 30,
2015) offers users very little actual privacy. According to
the policy, Facebook collects numerous forms of data,
which are summarized in Table 1. This immense amount
of data is used to better tailor their site to fit users needs
as well as to inform future site development [11]. This
means that users information is widely shared with many
parties, including with developers, advertisers, and other
third parties. In their cookie policy Facebook lists no less
than 10 separate companies that advertisers commonly
use, along with their contact information [11]. This list is
not exhaustive, but it does reveal that the companies that
have access to this information could be far larger than
this initial list. Any information that Facebook collects is
shared with these companies, though Facebook does not
mention the protocol third parties must follow in order to
access the information. Facebook stores this information
for as long as it is necessary to provide products and ser
vices to you and others ([11, para. 29. Essentially Face
book can store the information indefinitely since they are
the ones who decide how long it is necessary to keep the
data. When a user decides to delete their account, then
Facebook states they will delete all of the data that that
user posted. Any data that another member posted about
the user deleting the account, will remain on Facebook.

IEEE Technology and Society Magazine

77

Facebooks policy is rather in depth about what infor

mation is shared with advertisers; however, when exam
ining topics of security and law enforcement the written
policy is very short with fairly vague language. Only two
short paragraphs address issues of both security and
law enforcement combined. Facebook states that it
keeps users information secure through the use of
encryption and machine learning technology [11]. Face
book does not state what information is encrypted or
what type of encryption is used. Facebook states that it
will share any information with law enforcement if they
have a good faith belief that the law requires them to
share this information [11, para. 31]. This translates to
Facebook believing that the law enforcement agency is
honest, working within legal boundaries, and that they
have good intentions [22].

Facebook states that it will share

any information with law enforcement
if they have a good faith belief
that the law requires them to share
this information.

There is a separate statement dedicated to cookies

and other web tracking methods. Cookies are used on
Facebook for many reasons including making Facebook
easier for people to use; site security; research and ana
lytics; and advertising. Some of the ways that cookies
are used in order to make Facebook better for an indi
vidual user are user identification, track device location,
track site interactions, and to track site preferences [11].
A cookie storing this information allows the site to
remember passwords and other site preferences; to
make suggestions based on the individuals location;
and to alter the newsfeed to show people the individual
interacts with more often further up on the feed. The
ability for a cookie to be used as an identifier improves
security because if there is a login attempt on an unrec
ognized device, then the site can ask for more stringent
verification of identity before allowing access to the
account [11]. Some of the ways that Facebook uses
cookies for advertising purposes is to track buying pref
erences online and to see if the individual purchases an
item that they were shown an advertisement for. Face
book also uses cookies in their research in order to
help improve how the site functions and for research
into potential new features.

78

Facebook allows users to opt-out of having advertisers

pair their name and image with targeted advertisements
to their friends. Facebook also provides a link with
instructions detailing how users can opt-out of advertis
ing based on their activity on other web platforms and
applications outside of Facebook [11]. These are the only
two opt-out features that Facebook offers and both the
cookie policy and privacy policy do not mention if they
honor do not track requests.

Google
Google was initially launched in 1997 [16], and its
founders Larry Page and Sergey Brin filed for incorpora
tion in 1998 [30]. Googles main function is a search
engine that indexes the information on the Internet and
makes it searchable by Internet users. Since then
Google has expanded into many other areas including
mobile phones, operating systems, wearable technolo
gy, entertainment, and the company acquired the popu
lar video sharing site YouTube in 2006 [48]. At this
point Google has grown into a multinational company
with its search engine dominating in nearly every mar
ket. This dominance has led to the company being
charged with holding a monopoly on searching in
Europe, with many people stating that we live in a
Google age [55].
Googles privacy policy is universal for all of their
platforms and describes the information collected from
its users, how that information is shared, and options
the user has to control what information is collected
[16]. Google collects many types of information, which
are summarized in Table 1. The server log information
that Google collects includes telephone logs, device
crash reports, Internet Protocol (IP) address, and cook
ies [16]. The information that Google collects is only
shared within Google unless certain conditions apply. If
the user has a domain administrator, then that adminis
trator has access to the users personal information.
Google also shares information with advertisers, but
only after personally identifiable information has been
stripped from the data. Any information that has been
generated while using a Google account Google consid
ers to be public, making it possible for the information
to be indexed by search and found by other users.
Google uses the data in order to help improve their
products and services [14].
Information is also shared with other parties with the
users explicit consent to share the information. This is
in contrast to other web platforms that focus on having
the option for users to opt-out of consumer tracking and
collection. Googles default function is for user informa
tion to remain private in reference to third parties. The
user must consciously choose if they wish to share their
information with advertisers.

IEEE Technology and Society Magazine

june 2016

Googles privacy policy stresses information security,

with many of the services encrypted using Secured
Sockets Layer (SSL) [54], and personal identifying infor
mation restricted to Google employees and data proces
sors that need to know the information. Google uses
external data processors to handle most of its data for
research and strips the information of personally identi
fiable information before sending it to the processor
[16]. To provide a higher level of security for Google
account holders, Google offers a two-step verification
for account access.
However, there is a questionable policy included in
Googles email service that allows their automated sys
tem to scan all of a users email [16, para. 16]. This
information is then used to assign targeted ads to the
page, identify spam messages, and target potential mal
ware. The terms of service does not mention if any of
this information is saved; however it is a worrying prac
tice in regards to user privacy [16].
Google will share information with agencies if they
believe that the information is needed in order to meet
a governmental request; enforce Terms of Service;
detect or prevent security issues, fraud, or technical
problems; or protect users rights or prevent harm.
While Google seems to collect and share a reasonable
amount of information, there remains a question of how
long Google will store this information. When a user
decides to delete their account or terminate use of
Google, their information may not be immediately delet
ed from active servers, and there is a chance that the
information will remain on their backup servers
because it would require a disproportionate effort to
remove the information [16, section 6, para. 3].

LinkedIn
LinkedIn is a social networking site geared more
towards a professional network than friends. Users cre
ate a profile that can serve as a resume with informa
tion including past work experience, current job, special
skills, awards, and group affiliations. Users also have
the option to allow contacts to endorse them on particu
lar skills. The platform launched in 2003 and reached
225 million users in 2013 [46].
LinkedIns privacy policy is not very specific on the
types of information they collect from users. According
to their statement LinkedIn collects various forms of
information which are summarized in Table 1. In addi
tion to these types of information, LinkedIn also uses
cookies to track user habits on and off their services,
but the statement does not specifically mention what
types of information these cookies help them collect
[33]. Instead, LinkedIn directs the user to a list of eight
different third party web platforms that use cookies
through LinkedIn for the user to view their privacy
june 2016

policies. The opt-out link is also provided for each of

these web platforms [33]. LinkedIn places all informa
tion the user posts on their site or one of their other ser
vices as public and viewable by others. LinkedIn keeps
all contact information private and does not share it
with other users or third parties. There is no reference
to how LinkedIn handles information related to the user
device, Internet Protocol (IP) address, and Internet Ser
vice Provider (ISP)/mobile carrier [33].
LinkedIn does provide access to its Application Pro
tocol Interface (API) for third parties providing they pay
for the access, with which they can use to look up a

The user may opt out of most

any information disclosure
at any time.

users profile based on their name and email address.

All of the users data is protected by SSL encryption
over mobile devices. For non-mobile devices LinkedIn
has the option of Secure Hypertext Transfer Protocol
(HTTPS) and uses SSL encryption for all sensitive infor
mation such as payment information. However, no com
munications between LinkedIn members are encrypted
on LinkedIn regardless of the type of information that is
exchanged [33].
In the case of information disclosure to law enforce
ment, LinkedIn will share any information necessary in
the case of a subpoena, to protect safety/rights of oth
ers, enforce the privacy policies, and to respond to the
violation of third partys rights [33]. The user may optout of most any information disclosure at any time, as
well as tracking for advertising purposes. The privacy
policy frequently references the ability to opt-out and
directs the user to the correct place to do so. When a
user decides to delete their account their information is
removed from their services in 24 hours. Within 30 days
all information located in back up servers has all per
sonally identifiable information stripped, though the rest
of the data remains intact [33].

Twitter
Twitter is a micro-blogging site that allows users to cre
ate profiles and instantly broadcast short statements to
the world. These statements have a limit of 140 charac
ters and can include hyperlinks, videos, pictures, and
hashtags. Hashtags help sort tweets into categories for
users to easily find later. Twitter was founded in 2006

IEEE Technology and Society Magazine

79

and went public in 2013 [36]. The company is now

worth over 10 billion dollars and has 230 million active
users per month [36].
Twitter takes a different approach to privacy than its
other social media counterparts. Twitter assumes that
any information posted on their service is information
the individual wishes to make public. As such, Twitter
collects nearly any type of information possible to gen
erate using their platform. For a complete summary of
the information that Twitter collects see Table 1. All
information on profiles, tweets, people followed,
retweets, favorites, the users name, and username is
considered public by default. Twitter only allows the
option to keep one-on-one messages private [51]. All
meta-data generated by the user can also be accessed
easily by third parties using the Twitter application pro
graming interface (API), which Twitter makes available
to universities and other institutions that conduct
research. Accessible information can include the users
Internet Protocol (IP) address and his/her location. Twit
ter reserves the right to share all information within the
company as well as with third parties in order to use tar
geted advertising, improve their services, and comply
with law enforcement agencies [51].
Twitter will disclose any information to law enforce
ment as long as they believe it is necessary to comply
with the law/regulation; protect persons from harm and
their rights; protect the rights and property of Twitter;
and to prevent fraud, technical, and security issues [51].
Cookies are used on Twitter to collect information
about users browsing habits when not active on the
Twitter platform, as well as to track what links are
clicked in relation to advertisements. However, cookies
are not required as part of Twitter with many services
still functioning properly if the user decides to disable
them [51]
There is no mention in Twitters policy of security
measures used to protect the users data. This could
possibly be because Twitter is public by default, and
they do not feel there is a need to invest in forms of
information security. The user has some control over
making certain aspects of their profile private, however,
there is not any opt-out function in regards to the data
that Twitter collects [51]. The best practice for this plat
form is to abstain from sharing information that is
deemed private. The user is given the option to disable
their account. If a user decides to disable their account
they have 30 days to reinstate it before Twitter starts to
process of deleting the account which can take up to
seven days [51]. After the account is deleted, tweets
could still be accessed through search engines and
other third parties if they saved the account informa
tion. There is no guarantee that the information will ever
truly be deleted.

80

Analysis of Privacy Policies

The privacy policies of each web platform discussed are
extensive and have a few areas that are relatively the
same. Each privacy policy has a section on data collec
tion, data storage, use of collected data, data sharing,
law enforcement, and account deletion. In addition to
these main areas, each platform has a separate policy
dedicated to the use of cookies. For the most part the
sections on law enforcement and cookies do not devi
ate much from platform to platform. The platforms do
vary on other aspects of the privacy policies. There are
minor differences in how the privacy policies address
information storage and account deletion. The major dif
ferences in the privacy policies are found in data collec
tion, sharing of data, and data security.

Data Collection
Each web platform collects data on the device used by
the user, user location, and information used in account
creation. This data collection breaks down to the users
IP address, general location (city, state, and country),
email address, name, birthdate, type of computer, oper
ating system, and web browser. Beyond those basic ele
ments each privacy policy varies widely on the specific
data they collect. Part of this is due to each platform
having its own uses and expectations by the users. How
ever, every platform uses the same three main methods
of collecting user information: registration, user IP
address trace, and search track recording cookies [5].
We found that the platform that collects the largest
variety of data is Facebook. Facebook collects every
piece of information that the user posts on the site, any
information posted about that user, payment informa
tion, and also stretches to collect information about
their general Internet usage. Since the main purpose of
Facebook is social networking, the type of information
that the user posts can vary widely and is likely to
include potentially stigmatizing information [52]. Cur
rently Facebook has the largest membership of all of
the platforms discussed, with users disclosing in depth
details of their lives. These circumstances make it pos
sible that Facebook could also be collecting the largest
amount of data of any platform discussed here.
Even though Googles privacy policy covers all of
their web platforms, they collect the least amount of
information. Google has two different social media plat
forms, Google+ and YouTube. Google+s adoption has
not been nearly as widespread as the other web plat
forms and consequently there is less information there
to collected [43]. YouTube would allow for a large
amount of data collection, but Google does not collect
user generated content unlike all of the other web plat
forms discussed. The majority of data that Google col
lects originates from its main function: search. Google

IEEE Technology and Society Magazine

june 2016

functions mainly as a search engine and has been

accused of holding a monopoly over the industry in
Europe [19]. Their privacy policy reflects this as most of
the data collection specified deals with web browsing
habits, search history, and web interaction [16].
Googles privacy policy does not state that they collect
any of the content a user generates on their platforms,
which is a major departure from the norm of the other
platforms discussed in this work.

Data Sharing
The second major area that exhibits differences across
the platforms is how user data is shared. Google, Linke
dIn, Facebook, and Twitter share data within their orga
nizations for research purposes and site improvement.
Facebook, Twitter, and LinkedIn all share their collect
ed user data with third parties for the purposes of
advertising. Google does not always share information
with third parties. However, this could be due to the
fact that Google now owns at least four advertising
companies [3], [56] and does not have a need to
include third parties. In addition to using data for adver
tising purposes, Twitter and LinkedIn provide research
ers with access to their API to help further academic
and professional research. Twitter offers this free of
charge while LinkedIn charges a fee. Facebook is the
one platform that has worded their privacy policy in
such a way that they have the right to do anything with
a users data [11, para. 8-12].

Data Security
Data security is one of the more interesting aspects of
the platforms privacy policies because none of the plat
forms extensively cover how a users data is kept secure
once it is collected. Twitter has the least secure policy
of the four platforms because data security is not even
mentioned once in their privacy policy. This could be
because Twitter deviates from the other platforms by
assuming that any content generated on their site is
considered public anyway. They are completely up front
about this and state in the first paragraph of their policy
that Any registered user of the Twitter Services can
send a Tweet, which is a message of 140 characters or
less that is public by default and can include other con
tent like photos, videos, and links to other websites
[51]. This distinction puts them in a different position
than LinkedIn, Google, or Facebook where there is an
implicit assumption that the information shared on the
platform remains private between the individuals it is
shared with [58].
LinkedIn and Facebook offer about the same level of
protection. When it comes to data security however,
Facebook is vague about the protection it offers. Face
book states that it protects the users data by using a
june 2016

combination of encryption and machine learning [10],

but does not state anything else about its security proto
cols. LinkedIn is slightly higher on the scale by specify
ing that it uses SSL encryption to protect user
information on both mobile and non-mobile devices
with the added security of a HTTPS option on nonmobile devices [33], as mentioned earlier.
Compared to the other three platforms, Google
appears to offer the highest amount of data protection
for users. Google states that many of their services use
SSL encryption, but does not specify how many services
use it and which ones. In order to protect against unau
thorized access they engage in internal monitoring of
their own practices, including physical security mea
sures [16]. They also state that information is to be kept
strictly confidential to all parties it is shared with and
that divulging such information is grounds for immedi
ate termination. The language used by Google suggests
that it has better security measures than the other plat
forms but does not offer any concrete evidence that
they do more than appear more secure.

Privacy policies are used as a

contract between the user
and the company that is offering
their services.

User Comprehension
Privacy policies are used as a contract between the user
and the company that is offering their services. These
companies offer their services to millions of people with
varying levels of education, skill, background, and age.
Privacy policies are meant to inform the user about
what privacy is given when using a particular service.
However, privacy policies cannot do their job if the aver
age member of the population cannot understand them.
Currently in the United States up to 50% of adults can
not understand literature written at an eighth grade
reading level [35]. This is problematic given that most
privacy policies would be written at a level higher than
eighth grade. In order to examine the potential compre
hension expected of adults in the United States, each of
these privacy policies were analyzed using the FleschKincaid Grade Level Readability Formula. This analysis
was completed using an open source online readability
test tool that allows for the full text of the document to

IEEE Technology and Society Magazine

81

be input and examined. The tool provides statistics on

character count, syllable count, word count, sentence
count, characters per word, syllables per word, and
words per sentence, in addition to the reading level
score [50].
The privacy policies of Facebook, Google, LinkedIn,
and Twitter were all analyzed using this measure, with
every statement having a reading level of above eighth
grade. The resulting readings levels of each privacy poli
cy after using the Flesch-Kincaid Grade Level Readabili
ty Formula are 12.8 for Twitter, 11.9 for Facebook, 11.3
for LinkedIn, and 13.5 for Google. These levels corre
spond with the school grade levels (e.g., 9-12 are high
school reading levels). The higher the number the more
difficult it is for the individual to comprehend. For the
majority of users to comprehend these statements the
levels would have to be at 8 or lower. This means that
over half the population of users for these platforms
cannot understand what they are agreeing to when they
sign up for an account since these platforms allow
accounts to be created at as early as 13 years old.

Recommendations
Concerns for online privacy have been building for years
as more people have transferred their lives into the digi

Over half the population of users for

these platforms cannot understand
what they are agreeing to when they
sign up for an account.

tal world. Unfortunately, as concerns about online priva

cy have continued to increase, the privacy policies of
various web platforms have increasingly given users less
privacy. This does not happen in a bubble; there are var
ious forces that influence both sides of the equation. On
the side of the Internet companies is the necessity to
generate increasing revenues so that they can continue
to pay their operating expenses and earn maximum
possible profit. Most Internet companies offer a service
to users free of monetary cost, but request information
from the consumer in return. This information can allow
advertisers to easily target users to display the adver
tisements that would be most relevant to them.
Currently the Internet is the fastest growing market
for advertising [21]. When more information is collected
from the consumer, advertisers can build more in-depth

82

profiles and target advertisements more effectively.

Over time, privacy agreements have steadily eroded to
allow for more information collection.

Privacy Policy Displays

Users, who have been using various platforms with an
expectation of privacy, have started to become aware of
the erosion of online privacy [41]. However, most of the
time this increased awareness happens after a user
already has an account with a particular service. This cir
cumstance can occur for a few reasons: the user does
not read the privacy policy, the user reads the statement
but does not understand it, or the statement changes
after the user already has an account. Many online ser
vices, including the ones included in this analysis, only
place a link to their privacy policy next to the button (see
Figure 1) that allows users to submit their information for
account creation. Google has possibly the most hidden
privacy policy since their search function does not
require the user to sign up and does not state that the
user is agreeing to terms and conditions each time a
search is conducted. However, the privacy policy still
applies to the search service. This causes many users to
skip over looking at a privacy policy, even though they
are agreeing to its terms. A small-scale study found that
out of a sample of over 200 users, only 7 for a particular
site clicked the privacy policy before hitting the submit
button [37]. While this was barely a drop in the bucket
compared to the web traffic that a platform like Google
or Facebook receives, it is still a small indication that pri
vacy policies may not be doing their job of informing
users. Currently signing up for these services is so easy
that the consumer does not have the time to consider
the possible repercussions [24].
A possible change that could allow users to at least
be aware of the lengthy privacy policies is place the pri
vacy policy within the signup form. Before the user can
click sign up, require them to scroll through the entire
ty of the privacy policy. While this cannot force the user
to read the statement, it at least gives the information to
them up front.

Information Technology Literacy of Users

The second potential roadblock is the comprehension
level of the users who do read the privacy policies. As
stated earlier 50% of U.S. adults do not understand text
written at an eighth grade level [35]; however, the priva
cy policies are typically written at eleventh grade or
higher. Some of the comprehension problem cannot be
blamed solely on the company since there is no getting
around the use of technical terms like cookies and IP
address. Without the computer knowledge to know what
these terms mean sections of the statement might as
well be gibberish.

IEEE Technology and Society Magazine

june 2016

Privacy Policy Changes and User Notification

The last issue is the privacy policy changing once the
user already has an account. Sometimes the user is not
aware of the change since, like Facebooks statement,
the burden could be passed to the user to check for pri
vacy policy updates [10]. This is an easy way to make
unpopular changes without them being noticed right
away. Google, LinkedIn, and Twitter have a hybrid policy
that states they will notify the user if there are signifi
cant changes to their privacy policies. However, these
companies are the ones that decide what is significant,
not the user. Any other changes the user must go back
to the privacy page to find [14], [34], [51].
There is also the possibility that a user may be aware
of the changes, but is not in a position where they can
switch services if they do not like the changes. This is
most likely the case with services like Google and Face
book. In the case of Google, many companies use their
email service. If a user does not like the new privacy
policy, it would be difficult to switch from using Google
when the company they work for still uses it for their
employee service. Facebook is currently the largest
social media site today with no other social networking
site close to the user base that Facebook has. If Face
book decided to change their policy to something unfa
vorable to users, there are no viable alternatives.
Companies are aware of this.
When a privacy policy is changed in such a way that it
harms users, there is little chance for users to fight
against the change, especially if they do not know about
it. This is a major problem since at this point any correc
tion of the mistake is not likely to be because of self-reg
ulation, but rather the result of a class action lawsuit [8].

Necessity for Change

The troubling aspect of companies collecting a vast
amount of information from users is that two other
groups end up benefiting from their effort. Currently
information is one of the most valued commodities [29].
Consumer information is packaged and sold by data
brokers to companies for any number of reasons (e.g.,
advertising, pre-employment check) which may or may
not violate an individuals privacy depending upon the
method [57]. Data brokers in combination with the vari
ous web platforms end up making life easier for cyber
criminals to steal data if it is all in one place. The
potential consequences of a cybercriminal retrieving
information from one of these platforms should not be
taken likely. For many of these web platforms the user
has handed over their name, phone number, email
address, birthdate, and even credit card information.
This is more than enough information for identity theft,
which can take anywhere from a few hours to a few days
to solve, and more than a month to fully recover [12]. In
june 2016

other cases cybercriminals might choose to fully

release the information to the public, which was the
case with the Ashley Madison hack in 2015. Ashley Mad
ison is a dating site geared towards helping married
individuals to have affairs. This security breach resulted
in over 33 million accounts becoming public knowl
edge, which led to problems in interpersonal relation
ships and suicides among some of the users [3].
The second group that benefits the most from the
massive collection of data is law enforcement agencies.
Each one of the web platforms analyzed earlier stated
that they would cooperate with law enforcement when
ever they had a good faith belief to do so. The amount
of evidence that can be obtained through an individu
als online track record is substantial but what is worse
is that the only thing standing between law enforcement
and consumer data is the company that houses it. In
the United States any form of web communication is not

Evidence that can be obtained

through an individuals online track
record is substantial.

considered private according to the law [59]. Online

communication is not considered private because the
information has been viewed by a third party [49], which
in most cases is the website itself. This means the law
does not extend any fourth amendment rights (warrant
requirements for search and seizure) to individuals in
the case of online communication [49]. The amount of
data available from one of these sources is enough to
make even innocent people look guilty when the data is
taken out of context.

User Recommendations
These issue leave users in a bind. While Twitter and
LinkedIn might be optional for consumers, Facebook
and Google are increasingly more difficult to get along
without. If the user does not like the privacy agreement
but is forced to use the platform, then they are left in a
no-win situation. There are a few of unconventional
methods available if a user wants to protect their priva
cy such as private browsing, do not track signatures,
and browsing using Tor. If users decide that they do not
want cookies to be used when they access web plat
forms, they can choose to block them with their web
browser, but this might cause some web platforms to

IEEE Technology and Society Magazine

83

not function. They could also use a browse privately

option. Both Google Chrome and Mozilla Firefox offer
these options for users on their browser. The user sim
ply has to click the option when on the drop down
options menu and the web browser will not save any of
the cookies or data from that session. If cookies are the
main problem, then users also have the option to use a

The public needs to be educated

as to what informational privacy
they have.

grew, the companies evolved along with their privacy poli

cies. However, many users remained unware of changes
in privacy policies. Popular web platforms such as
Google, Facebook, Twitter, and LinkedIn are not under
the same amount of scrutiny as other surveillance institu
tions, even though their business model is very similar.
This situation has allowed users to be left in the dark in
regards to their privacy rights and what information is
seen by others. The public needs to be educated in what
informational privacy they have. The first step to accom
plishing this education is changing the privacy policy doc
uments meant to inform users. From there, we hope that
web platforms will be held to a higher standard, with
users demanding transparency and more control over
their own privacy.

Author Information
do not track signature when they are accessing the
Internet. This notifies the website that the user does not
wish for cookies to be placed on their computer.
The drawback to these approaches is that they are
not very effective because the majority of web platforms
do not honor do not track signatures [40]. The last
option available to users to circumvent the privacy agree
ments is to use the Tor browser [1], [60]. The Tor brows
er offers completely anonymous browsing so the user
does not have to worry about a website tracking them
online or knowing their IP address [47]. However, this
does not fix the problems with creating user accounts on
web platforms or posting on them since the users identi
ty is tied to the account.
Sadly the problems with user accounts and use of
web platform cannot be solved by the user alone. Fur
ther research should examine ways users could take
control of their own privacy, or at a minimum, explore
better ways to keep users informed about information
they are giving away. Self-regulation with web platforms
has had some success in the United States; however
only 14% of companies that collect consumer informa
tion provide notice of their information policies [5]. Out
side of academic research, governmental agencies
should consider changing how the law applies to Inter
net communications because regardless what the law
states, users consider what they state on social media
and in email to be private information [2], [39]. If there
is such a large disconnect between the majority of the
public and the law, something should change.

Improve Privacy Policies and

Increase Awareness
Internet platforms such as Google, Facebook, Twitter,
and LinkedIn are nearly fully integrated into the lives of
users worldwide. As the user base of these companies

84

The authors are with the College of Communication

and Information, University of Kentucky, Lexington, KY
40506. Email: Stephanie.winkler@uky.edu, szeadally@
uky.edu.

References

[1] R. Abbot, An onion a day keeps the NSA away, J. Internet Law,
vol. 13, no. 11, pp. 22-28, 2010.
[2] T. Allmer, C. Fuchs, V. Kreilinger, and S. Sevignani, Social net
working sites in the surveillance society, in Media, Surveillance,
and Identity: Social Perspectives, A. Jansson and M. Christensen,
Eds. New York, NY: Peter Lang, 2014, pp. 49-70.
[3] M. Arrington, Google acquires AdMeld for $400 million, TechCrunch, June 6, 2011; http://techcrunch.com/2011/06/09/googleacquires-admeld-for-400-million/, accessed Oct. 10, 2015.
[3] C. Baraniuk, Ashley Madison: Suicides Over Website
Hack, BBC, Aug. 24, 2015; http://www.bbc.com/news/technol
ogy-34044506, accessed Oct. 10, 2015.
[4] J. Caramujo and A.M. Rodrigues Da Silva, Analyzing privacy poli
cies based on a privacy-aware profile: The Facebook and LinkedIn
case studies, in Proc. 2015 IEEE 17th Conf. Business Informatics (CBI), 2015, pp. 77-84.
[5] X. Chen and K. Michael, Privacy issues and solutions in social
network sites, IEEE Technology and Society Mag., vol. 31, no. 4,
pp. 43-53, Dec. 2012.
[6] K. Collins-Thompson and J. Callan, Predicting reading difficulty
with statistical language models, J. American Society for Information Science & Technology, vol. 56, pp. 1448-1462, 2015.
[7] M. Duggan, N.B. Ellison, C. Lampe, A. Lenhart, and M. Madden,
Social media update 2014, Pew Research Center, Jan. 9, 2015;
http://www.pewinternet.org/2015/01/09/frequency-of-social-mediause-2/, accessed Nov. 7. 2015.
[8] C. Dwyer, Privacy in the age of Google and Facebook, IEEE
Technology and Society Mag., vol. 30, no. 3, pp. 58-63, Sept. 13,
2011.
[9] Facebook, Cookies, pixels, & similar technologies, 2015; https://
www.facebook.com/help/cookies/update, accessed Oct. 10, 2015.
[10] Facebook, Data policy, Jan. 30, 2015; https://www.facebook.
com/privacy/explanation, accessed Oct. 10, 2015.
[11] Facebook, Facebook ads, 2015; https://www.facebook.com/
settings?tab=ads&view, accessed Oct. 10, 2015.
[12] Federal Trade Commission, FTC releases survey of identity theft
in the U.S. study shows 8.3 million victims in 2003, Nov. 27,
2007; https://www.ftc.gov/news-events/press-releases/2007/11/
ftc-releases-survey-identity-theft-usstudy-shows-83-million, accessed
Oct. 10, 2015.

IEEE Technology and Society Magazine

june 2016

[13] C. Friedersdorf, The vindication of Edward Snowden, The

Atlantic, May. 11, 2015; http://www.theatlantic.com/politics/
archive/2015/05/the-vindication-of-edward-snowden/392741/,
accessed Oct. 10, 2015.
[14] Google, Privacy policy, Aug. 19, 2015; https://www.google.
com/intl/en/policies/privacy/?fg=1, accessed Nov. 7, 2015.
[15] Google, Google terms of service, Apr. 14, 2014; https://www.
google.com/intl/en/policies/terms/, accessed Nov. 7, 2015.
[16] Google, Our history in depth, 2014; https://www.google.com/
about/company/history/, accessed Nov. 7, 2015.
[17] E.J. Gordon et al., Are informed consent forms for organ trans
plantation and donation too difficult to read?, Clinical Transplantation, vol. 26, no. 2, pp. 275-283, 2012.
[18] J. Graber, D. DAlessandro, and J. Johnson-West, Reading level
of privacy policies on Internet health web sites, J. Family Practice, vol. 51, no. 7, pp. 642-645, 2002.
[19] J. Grimmelmann, What to do about Google?, Commun. ACM,
vol. 56, pp. 28-30, 2013.
[20] J. Groskopf, Profit margins: Silent era precursors of online
advertising tactics, Film History, vol. 24, pp. 82-96, 2012.
[21] L. Ha, Online advertising research in advertising journals: A
review, J. Current Issues & Research in Advertising, vol. 30, no. 1,
pp. 31-48, 2008.
[22] E. Houh, The doctrine of good faith in contract law: A (near
ly) empty vessel?, Faculty Articles and Other Publications,
pp. 1-56, 2005; http://scholarship.law.uc.edu/cgi/viewcontent.
cgi?article=1101&context=fac_pubs.
[23] N. Jabeur, S. Zeadally, and B. Sayed, Mobile social network
ing applications: Requirements, architectures, and opportunities,
Commun. ACM, vol. 56, no. 3, 2013.
[24] A. Johnston and S. Wilson, Privacy compliance risks for Face
book, IEEE Technology and Society Mag., vol. 31, no. 2, pp. 59-64,
Jun. 6, 2012.
[25] G.C. Kane, M. Alavi, G. Labianca, and S.P. Borgatti, Whats dif
ferent about social media networks? A framework and research
agenda, MIS Quart., vol. 38, pp. 275-304, 2014.
[26] H. Kang and M.P. McAllister, Selling you and your clicks: Examining
the audience commodification of Google, TripleC (Cognition, Communication, Co-Operation): Open Access J. Global Sustainable Information Society, vol. 9, no. 2, pp. 141-153, 2011.
[27] M. Kirk (writer) and M. Wiser, (writer & director), United States of
secrets (Part two): Privacy lost [Television series episode], Frontline.
Arlington, VA: PBS, 2014.
[28] J. Kiss, Facebook: 10 years of social networking in numbers,
The Guardian, Feb. 4, 2014; http://www.theguardian.com/news/
datablog/2014/feb/04/facebook-in-numbers-statistics, accessed Oct.
10, 2015.
[29] S. Kroft, (correspondent), G. Messick and M. Gavrilovic, (producers),
The data brokers [Television series episode], 60 Minutes. New York,
NY: CBS Broadcasting, Mar. 9, 2014.
[30] J. Latson, Google firsts from the companys early days,
Time, Sept. 4, 2015; http://time.com/4011935/google-firsts/,
accessed Oct. 10, 2015.
[31] P.R. La Monica, Facebook now worth more than Walmart,
CNN Money, Jun. 3, 2015; http://money.cnn.com/2015/06/23/
investing/facebook-walmart-market-value/, accessed Oct. 10, 2015.
[32] S.D. Lewis, R.G. Colvard, and N.C. Adams, A comparison of the
readability of privacy statements of banks, credit counseling com
panies, and check cashing companies, J. Organizational Culture,
Communication & Conflict, vol. 12, no. 2, pp. 87-93, 2008.
[33] LinkedIn, Cookies on the LinkedIn site, Sept. 18, 2014;
https://www.linkedin.com/legal/cookie-policy?trk=uno-reg-guesthome-cookie-policy, accessed Oct. 10, 2015.
[34] LinkedIn, Your privacy matters, Oct. 23, 2014; https://www.
linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacypolicy, accessed Oct. 10, 2015.
[35] Literacy Project Foundation, Staggering illiteracy statistics, 2007;
http://literacyprojectfoundation.org/community/statistics/, accessed
Oct. 10, 2015.
[36] V. Luckerson, The 7 most important moments in Twitter histo
ry, Time, Nov. 7, 2013; http://business.time.com/2013/11/07/the7-most-important-moments-in-twitter-history/, accessed Oct. 10, 2015.

june 2016

[37] R. Malaga, Do web privacy policies still matter?, Acad. of

Information & Management Sciences J., vol. 17, no. 1, pp. 95-99,
2014.
[38] T.L. Marsh and L.G. Montondon, A comparison of the readabil
ity of governmental annual financial reports popular reports and
management discussion and analysis, J. Accounting & Financial
Research, vol. 13, no. 3, pp. 153-161, 2005.
[39] A.E. Marwick and D. Boyd, Networked privacy: How teenagers
negotiate context in social media, New Media & Society, vol. 16,
pp. 1051-1067, 2014.
[40] J. Mayer, Tracking the trackers: Early results, [Web log entry],
July 2011; http://cyberlaw.stanford.edu/blog/2011/07/trackingtrackers-early-results, accessed Oct. 15, 2015.
[41] R. Mekovec, Online privacy: Overview and preliminary research,
J. Information & Organizational Sciences, vol. 34, pp. 195-209, 2010.
[42] Z. Papacharissi and J. Fernback, Online privacy and consumer
protection: An analysis of portal privacy statements, J. Broadcasting & Electronic Media, vol. 43, no. 3, pp. 259-281, 2015.
[43] A. Perrin, Social media usage: 2005-2015, Pew Research
Center, Oct. 8, 2015; http://www.pewinternet.org/2015/10/08/
social-networking-usage-2005-2015/, accessed Nov. 7, 2015.
[44] I. Pollach, A typology of communicative strategies in online
privacy policies: Ethics, power and informed consent, J. Business
Ethics, vol. 62, no. 3, pp. 221-235, 2005.
[45] Public CIO, Facebooks privacy policy timeline, Public CIO, vol.
9, no. 1, p. 11, Feb. 1, 2011.
[46] S. Rodriguez, LinkedIn reaches 225 million users as it
marks its 10th birthday, Los Angeles Times, May 6, 2013; http://
articles.latimes.com/2013/may/06/business/la-fi-tn-linkedinturns-10-20130506, accessed Oct. 10, 2015.
[47] V. Sassone, S. Hamadou, and M. Yang, Trust in anonymity net
works, in Proc. 21th Int. Conf., CONCUR 2010 (Paris, France), Aug.
31 Sept. 3, 2010, pp. 48-70.
[48] A.R. Sorkin and J.W. Peters, Google to acquire YouTube for
$1.65 billion, New York Times, Oct. 9, 2006; http://www.nytimes.
com/2006/10/09/business/09cnd-deal.html, accessed Oct. 10, 2015.
[49] M. Trabsky, J. Thomas, and M. Richardson, The faulty door of
cyberspace and implications for privacy law, Law in Context, vol.
29, no. 1, pp. 13-25, 2013.
[50] Text Statistics Project Readability score.com, https://readabilityscore.com/; accessed Jan. 31, 2016.
[51] Twitter, Twitter privacy policy, May 18, 2014; https://twitter.
com/privacy?lang=en, accessed Oct. 10, 2015.
[52] K. Varnali and A. Toker, Self-disclosure on social-networking
sites, Social Behavior and Personality, vol. 43, no. 1, pp. 1-14, 2015.
[53] S. Walfish and K. Pinholster, Reading level of overeaters anony
mous primary education material, Eating Disorders, vol. 16, pp.
212-216, 2008.
[54] A.C. Weaver, Secure sockets layer, IEEE Computer, vol. 39,
no. 4, pp. 88-90, 2006.
[55] C. Williams, Google charged with monopoly abuse,
The Telegraph, Apr. 15,2015; http://www.telegraph.co.uk/
finance/newsbysector/mediatechnologyandtelecoms/digitalmedia/11537546/Google-charged-with-monopoly-abuse.html,
accessed Oct. 10, 2015.
[56] B. Womack, Google acquires mobile startup that manages
Facebook ads, Bloomberg Business, Feb. 24, 2015; http://www.
bloomberg.com/news/articles/2015-02-24/google-acquires-mobilestartup-that-manages-facebook-ads, accessed Oct. 10, 2015.
[57] E. Wyatt, F.T.C. warns data firms on selling information, New York
Times, May 7, 2013; http://www.nytimes.com/2013/05/08/business/
ftc-warns-data-firms-on-selling-information.html, accessed Oct. 10, 2015.
[58] H. Yang, Young American consumers online privacy con
cerns, trust, risk, social media use, and regulatory support, J.
New Communications Res., vol. 5, no. 1, pp. 1-30, 2013.
[59] M. Bedi, Facebook and interpersonal privacy: Why the third party
doctrine should not apply, Boston College Law Rev., vol. 54, no. 1,
pp.1-71, 2013.
[60] S. Winkler and S. Zeadally, An analysis of tools for online anonymity,
Int. J. Pervasive Computing and Communication, vol. 11, no. 4, pp. 436453, 2015.


IEEE Technology and Society Magazine

85