When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information, both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.

A little less conversation

Privacy and terms of service policies appear on every website, every app with which users interact. Enterprise- and consumer-focused tools alike include equal amounts of legalese. When individual users are required to first accept usage policies and then interact with the website/application/tool by allowing it to collect information (either automatically or through manual input), both the user and the enterprise for which the user works are put in a position of risk. Why? Because the likelihood that he or she will read the policy is slim to none.

Information security professionals, theoretically individuals with heightened sensitivity to data misuse and abuse, are not excluded from this group of non-readers and click-to-accepters. The ease of technology is just too compelling, and who (aside from lawyers) has time (or inclination) to slog through pages and pages of fine print? According to two researchers from York University and the University of Connecticut, actually reading terms of end user agreements would take individuals 40 minutes every day. This is for new sites or apps only and not the repeats; presumably, once a user has read and understands a provider’s terms of use, those terms have not changed since the last visit. But they could. And they do.

In a social experiment, the aforementioned researchers created a fictitious social networking website similar to Facebook. The terms and conditions of the phony website stipulated that users must agree to give up their first-born child and that all entered data would be sent directly to the NSA with consent. Ninety-eight percent of users clicked “agree” and began using the site.

This experiment is hardly the first to slip whacky or outrageous terms into policies; these researchers are not the first to watch and shake their heads as people blindly click “accept” without reading what they’re agreeing to.

A little more action, please

Now, a cynical person could argue that end users must be responsible for their own online data, much in the same way people must be responsible for their own healthcare. This theory only holds water to an extent. Much like doctors and nurses who gain years of education and training which allow them to analyze a person’s health in a way that reading WebMD.com does not, companies collecting data should employ sufficiently trained and knowledgeable staff to advise on terms, conditions, and privacy policies. Some of those experts are security practitioners.

Security practitioners span both sides of the coin as users and protectors, and they know firsthand that lengthy terms and policies are ineffective. Whether users should be more aware of how their data is being used, the fact is that they’re not and it’s security responsibility to help educate non-security people and to protect end user data when it becomes part of an enterprise-owned database. Even if the user isn’t manually inputting enterprise data to an external service, internal security teams need to be concerned with what information is being silently collected as the user browses across a site or through an app.

The amount of data collected from digital usage everywhere is astounding. Organizations depend on it, so the tracking and/or collection is never going to stop. In fact, it’s likely that even more sensitive data will be collected in the future (as amazing as it seems when you think about what else is left to collect).

A little more bite and a little less bark

Security professionals have to become part of the solution and help organizations revamp Ts&Cs of online use. The overly lengthy, CYA from a liability perspective, pages upon pages of verbiage isn’t helping protect anyone, really. If you work for an organization that lists interminable policies, even if those policies say that your organization is zero-percent liable if anything goes wrong, data is lost or stolen, or data is used in an inappropriate way, court cases overriding those terms are already surfacing. If you work for an organization that has end users who might agree to long-winded terms without scrutinizing the details (who doesn’t), and you’re concerned about security and privacy of your organization (you should be), it’s time to get involved.

Security needs to become more effective in what it does versus what it says it does. Simplifying and clarifying terms of use and privacy policies is just one way to accomplish that. I know, I know—those pesky lawyers will say agreements are about more than security, and legal liability is, of course, a concern. If security can help clean up understanding of how data is used and protected, though, we’re starting to cover all the bases instead of only focusing on making sure the company doesn’t end up in a lengthy, expensive battle. Making information security more user-friendly is one way to make security more effective, and security certainly needs to improve efficacy in this out-of-hand world of cybercrime.