By Katherine Teitler

January 10, 2016

Empire state of mind

The Children’s Commissioner for England released a report last week stating the need for sweeping changes to terms and conditions on social networking sites, particularly those with audiences largely comprised of children and young adults. The report begins, “The internet is an extraordinary force for good but it is not designed with children in mind.” And while, according to the report, children as young as 3-4 years are now spending an average of 8 hours and 18 minutes per week online (!!), greater transparency around how users’ data is collected and consumed is warranted in general.

There’s nothing you can’t do

One of the most illuminating sections of the report featured the results of a study conducted with children 8-15 years old. The Commissioner wanted to gauge how well children, the primary users of Instagram, understood the terms and conditions to which they are agreeing when they access and use the social media site. After launching into the first few of the approximately 17 pages of Ts & Cs, the children were ready to give up, didn’t fully comprehend what was being asked of them, and asked to be allowed to stop. Their responses to what they’d read included:

“Boring! It doesn’t make any sense.”

“Are you sure this is necessary? There are, like, 100 pages.”

“Do we have to read the whole thing? We’re not taking it in, we’re just reading sentences. You could have, like, toned it down for us.”

And there’s the crux of the problem with terms and conditions of social media (as well as other sites that collect and use visitor information in covert ways): Very, very few people, especially kids, are going to thoroughly read thousands of words of intentionally convoluted legalese just to chat with friends online. If you’re a security practitioner you might be thinking, “Well I do!” Maybe, but for every site you use? And all the time?

Many security practitioners admit to choosing convenience over security and privacy, and if security/privacy is your life, of course you’ll be more attuned to security and privacy issues. This is true of any field in which a person works—nutritionists are more attuned to nutrition issues, plumbers are more attuned to plumbing issues, and mortgage brokers are more attuned to mortgage issues (ahem, mortgage crisis of 2008)—and just because someone doesn’t work in security, that doesn’t mean they are stupid or lazy or any one of the other names end users have been called over the years.

These streets will make you feel brand new

The fact is, people from all industries, varying levels of education, and across age groups use the internet for significant aspects of their lives, and usage is only going to expand as IoT becomes commonplace—as new houses are built with connectivity by default, as cars and appliances are ubiquitously equipped with “smart” features. Security and privacy practitioners cannot expect everyday users to be experts, but we can help them become well versed.

As shown in the report, the Children’s Commissioner contracted a UK privacy-focused law firm to rewrite Instagram’s terms and conditions to make them more kid-friendly and accessible. Instead of long, rambling sentences and paragraphs, such as:

“You must not defame, stalk, bully, abuse, harass, threaten, impersonate or intimidate people or entities and you must not post private or confidential information via the Service, including, without limitation, your or any other person's credit card information, social security or alternate national identity numbers, non-public phone numbers or non-public email addresses.”

the lawyers simplified the messaging to:

  • Don’t bully anyone or post anything horrible about people.
  • Don’t post other people’s private or personal information.
  • Don’t use Instagram to do anything illegal or that we tell you not to.

The rewritten version not only simplifies the language, it uses wording that is familiar to and accessible for teens and pre-teens.

Big lights will inspire you

Does this mean that enterprise security practitioners have to button up the terms and conditions of every website or application they anticipate end users will access? That would be unreasonable and nearly impossible. What security practitioners can and should do, however, is work with end users to make them universally aware of the problems and provide examples, like the simplified language in the Children’s Commissioner’s report. Just because you can’t write a new set of terms and conditions for every site doesn’t mean you can’t use one as an example and explain that, while the specifics of each site/app will change, the guiding principles are fairly consistent across similar types of sites.

Don’t have time to do this by yourself? Ask your friendly in-house legal team for assistance. Approach them in a way that helps them see the business benefits: Users who understand and take data security and privacy into their own hands are less likely to put the organization at risk, since they will input highly sensitive personal information in fewer places. Discuss the financial implications of a lower likelihood of a mass data breach or leak. In other words, speak in terms that resonate with them, just as you’re asking the lawyer(s) to write a new set of Ts & Cs that resonate with end users. Think of this as a collaborative project that hits at the heart of user awareness.

The best-case scenario is that technology providers—or anyone maintaining a website/app that collects and manipulates user data—will magically become more security minded. Since that’s unlikely to happen (it’s not in companies’ interest), the security industry, along with privacy, legal, and human resources colleagues, can start to make these changes.

Street lights, big dreams, all lookin’ pretty

The average end user is slowly gaining greater security awareness, and as years pass and more users have never lived without the internet and the reality of data breaches, things will naturally get better. An organic shift, though, will take a long time, during which untold amounts of data will be lost and stolen.

Security can make positive changes in small increments—by creating practical tools people can understand and use. We know that spreading fear, uncertainty, and doubt (FUD) isn’t working, yet FUD is the focus of so many current awareness programs. Building new, simple tools with concrete examples is more effective, not to mention more pleasant for the end user. When people like something (whatever that thing may be), when they find it easy to use and applicable, they’re more likely to adopt it.

This is the opportunity for educating end users. Starting with young people means future generations will be more secure, but don’t forget about those who are online every day, all the time, as a job requirement. Security can effect change with just a little extra—and different—effort on the awareness front.
