Name the Pink Elephants

There is a pink elephant in the room
not a small one either
There is a enormous pink elephant on the couch between us
and yet we both continue to ignore it…
Sammi

When we ‘accept’ terms of service ‘agreements’ we engage in this ceremony, ‘accept’ (as though we have a choice) contract terms that we neither read, understand nor accept. In a word, ‘we lie.”

Biggestlie.com is an awareness campaign aimed at calling out this ‘pink elephant’ and with folks Pär Lannerö, Lars-Erik Jakobsson (icon), Gregg Bernstein, Carl Törnquist, Hanna Arkestål, Max Walter, Mattias Aspelund, Anders Carlman and CommonTerms are to trying to change the status quo.

Likewise, ProjectVRM recently posted ‘Coming to terms’ where Doc Searls who has been talking about this problem for quite some time states:

“We lie every time we “accept” terms that we haven’t read — a pro forma behavior that is all but required by the calf-cow model of the Web that’s prevailed since 1995. We need to change that. And so we are.”

In the context of the web today not only has the relationship become compulsory, but who your are dealing with is totally cloaked. This ‘cloaked figure” (acting not only for itself but other cloaked figures) dictates all the terms of the relationship and on the other side there is just you (an individual). Take this ONE factor of compulsory relationship, with unknown parties, and alarm bells go off.

Let me give you an example: Mint.com.

First line in their TOS reads:

“This Agreement sets forth the terms and conditions that apply to your access and use of the Internet Web site located at http://www.mint.com (“Mint.com”), as owned and operated by Intuit Inc., a Delaware corporation, on behalf of those of its direct or indirect subsidiaries and/or affiliates, (collectively referred to as “Intuit”).”

Translation: This “agreement” is not between you and Intuit, Inc. RATHER this ‘agreement’ is AMOUNG you, Intuit, Inc. and ‘a whole bunch of other companies and people’ called *direct and indirect subsidiaries and affiliates. So every term that includes you granting rights to Intuit INCLUDES granting it to all of these other folks too. Oh, that is also true for every term that involves your agreement to limit Intuit’s liability for problems that arise. That, too, extends to this faceless crowd known as ‘direct or indirect subsidiaries and/or affiliates.’

*DON’T BE TRICKED BY MISLEADING LEGAL LANGUAGE: In this case people read subsidiary especially direct subsidiary and think that by law that means ‘companies under the direct control or owned by Intuit.” Often the interpretation is quite broad especially when the language includes “indirect.” Likewise, the term “affiliate’ may make you think that the relationship is limited but actually it can include a broader and more ‘distant’ (relationally) group of people and companies. When coupled with ‘indirect,’ the realm of possible parties could include just about any company and or person.

When we consider the Mint.com terms of service ‘agreement,” it is clear that privacy policies cannot be considered alone and often do not reflect the real story with respect to the use of your data. All of these projects would be wise to consider the role of what I call the “anti privacy/ anti-people” policies aka “terms of service agreements.” These terms of use allow greater insight into not only the data privacy issue in general, but also that particular organization’s real commitment to their customers’ rights. The terms of these agreements are at odds with the company’s marketing messages. Don’t be misled, just because a law or policy make some assurance that your privacy is protected or information is not shared, it is often not the way you think. Privacy statutes often permit use of data, subject to consent, which is garnered by agreement to the terms of use.

When a contract is written to include every known and unknown direct or indirect subsidiary and affiliate as FIRST party to the contract, who are third parties? Does knowing this clever legal trick change the way you read their Privacy Policy? Their terms of service agremeements? More importantly, does this fact change the way you think about Mint.com in general? In that vein, efforts like BiggestLie.com hit the bulls eye because they highlight the inherent dishonesty and manipulation. But it is not enough we need to understand it and demand change.

That said, efforts toward transparency and “iconization” of terms are actually quite troubling. In an effort to simplify they often lack context and fail to address the larger more anti-customer framework housing these policies taking it as immutable. Moreover, the messaging can be misleading. For example, Aza Raskin’s Privacy Icons includes the following statement under one of the icons:

“Your Data is Used for the Intended Use,” “Mint.com uses your login information to import your financial data from your banks — with your explicit permission.”

With that statement alone, a person may be led to trust Mint.com in a way he or she would not if they also read the terms effectively turning third party data collectors into first parties with all the accompanying rights and privileges.

Context with comprehensive understanding is critical. If they are exploiting my data, and they are honest about it; I will weigh the costs and benefits and make a decision on whether or not to agree. . What I am told in a privacy policy and in marketing messages, that my privacy is important to a company and as a result, they do not sell my data etc., I expect the terms of service ‘agreement’ to support these claims. When, instead, I see the sneaky legalese, I present above, it is completely misleading. The term ‘bait and switch’ comes to mind, I am wondering out loud if this is a possible cause of action against some of these companies; especially those proclaiming to be acting on the customer’s behalf, while maintaining terms as egregious as the blatantly privacy exploitative companies. It seems that companies who intend to market themselves as unique because they protect the customer need to back it up in their legal policies, agreements and practices.

For example let’s consider Personal.com:

Central to their business proposition is that they are unique in their approach to privacy and relationships with customers. Reviewing their recently updated terms of service reveals clauses like this:

“You agree to defend, indemnify and hold Personal, its directors, officers, employees, agents and affiliates harmless from any and all claims, liabilities, damages, costs and expenses, including reasonable attorneys’ fees, in any way arising from, related to or in connection with your use of the Sites and/or Personal Service, your violation of these Terms or the posting or transmission of any materials on or through the Site and/or Personal Service by you, including, but not limited to, any third party claim that any information or materials you provide infringes any third party proprietary right.”

Translation: I as the user must indemnify this company and their affiliates for ANY claim that in ANY way is connected with my use of this service.

In general, I am not opposed to indemnification clauses because they aim to have the people responsible for certain conduct step up to the plate and deal with issues that arise from their failure to do just that, HOWEVER, I do not agree to provisions as broad and sweeping as this provision. This folks, is what lawyers call ‘boilerplate’ that is drafted as broadly as possible forcing the other side to narrow it and customize it to suit the context of the situation. The problem here is that you don’t get to negotiate and even if you did you don’t have a legal department at your fingertips negotiating on your behalf.

If I were the lawyer for the people, I imagine the conversation would go something like this:

Personal.com Lawyer: “We put that provision in the contract because if your use of the services causes us to get sued then you should have to pay.”

Lawyer for the People: “What could they possibly do to get you sued?”

Personal.com Lawyer: “They could (fill in the blank personal.com)”

Lawyer for the People: “Personal, while you are thinking of ‘something’ people could do to get you sued, I’d like to remind you that in a business to business deal this provision would not fly. So trying to cram it down the throat of a customer is wrong!”

Second and more important, where is the Indemnity from Personal.com to the user? If you are promising that your service offers something more than the others out there shouldn’t you stand behind that promise? Not to mention, also that, in a typical business-to-business negotiation, the indemnity goes two way, a la ‘what’s good for the goose is good for the gander’. That said, at a minimum, Personal should step up and provide an indemnification for damages arising from their failure to protect your data.

Once again, the Devil is in the details. It is really terrific to see all of these efforts aimed at providing transparency of privacy or legal terms, pushing for awareness (and accountability, I hope) and new tools to foster customer understanding of those terms. However, I think that ‘privacy policies’ and terms of service ‘agreements’ as they are commonly written reflect an utter and complete disrespect for the individuals’ importance and role in commercial relationships. While it is not my goal to resolve this existential matter today, or in my lifetime perhaps, I believe that there is a lot to be gained by examining the matter thoroughly from the individuals’ side of the ‘agreement.’

The post was originally posted at Those Sneaky Bastards.