New Targets

Security Loopholes in Web Site User Agreements

By Kim Boatman

It’s the fine print that stands between you and your new web-based email account, your social networking site and your online photo storage site.

Most of us can’t wait to click through that bothersome web site user agreement. After all, who wants to read legalese when you can be setting up your Facebook profile and searching for friends?

“You always have to click through them. I think people have just gotten used to not even reading them,” says Matt Sarrel, an information security expert and executive director of the Sarrel Group, an information technology consulting firm. “People are making a mistake when they do that.”

The rise in cloud computing
Increasingly, more of us are using web sites that store our photos, videos and personal information. This trend of accessing software applications and information through the web is called cloud computing. While cloud computing is wildly popular with most of us because of its convenience, privacy experts such as Sarrel warn that you’re taking all sorts of risks when you post data on these sites.

A survey released in September by the Pew Internet and American Life project found that 69 percent of Internet users have participated in some form of cloud computing. At the same time, 68 percent of cloud computing users said they would be very concerned if their personal information was analyzed to provide targeted advertising -- a common practice among some web sites and online services.

“We saw a lot of people who use some of these cloud-like applications saying they’d be very concerned if the data was put to secondary uses,’’ says Pew study author John Horrigan, an associate director of research. “People are practical. But they’re weighing risks in a way that’s not always well-informed. They like to use these services because they’re convenient and they’re fun.”

The fine print
Understanding just what’s in that fine print is in your best interest. Sarrel and others offer these tips:

1. Know what to read.
   Generally, web site user agreements spell out what you can do, while privacy policies explain what the company can do with your information, says Sarrel. A web site user agreement might limit, for instance, your ability to criticize the cloud computing site or company. A site might reserve the right to remove your material if it receives a complaint about you -- whether the complaint is investigated or not. In cases like this, family photos on a photo-sharing site could be removed without explanation, or emails on a web-based email account could disappear without warning -- without recovery.
   
   So, if you’re really impatient, make sure you at least read the privacy policy, says attorney Josh King, vice president of development and legal counsel for Avvo, a legal advice web site. “Typically, they’re a lot shorter, so they’re easier to read,’’ he says.

2. Check out the company.
   Not sure what all that fine print really means? Do a little investigative work before you begin using a site. “Spend 15 minutes on Google. Check out people’s blogs and chat rooms,’’ says King. Seeing what people have to say about a site’s customer service and reliability can help you decide whether to use its service, particularly if it’s relatively new and has no established track record.

3. Find out what happens to your info.
   Understand what a company will gather and how they’ll analyze, record or sell your information, says Sarrel. A site might tell you that it will use the information in your profile without identifying you as an individual to third parties, but that worries Sarrel. If all they strip out is your name, others might ultimately be able to identify you by the information about where you live, where you went to school, and other personal details. “That’s a little iffy in my book. Someone could ultimately put it together,” he says. If a company does sell or pass on your data, it’s important to understand what that third party can do with it, too. Also, be aware of what happens when you use third-party applications related to a site. For example, one of the fun aspects of Facebook is using applications that let you poke or send gifts to other members. But Facebook doesn’t guarantee how those applications will access, publish or share your information, says Sarrel.

4. Know the end plan.
   What happens when the site shuts down, is sold or goes bankrupt? A site should spell out what will happen to your information, photos and the like, says Sarrel. You should know if the company will sell its database.

5. Check for update info.
   Many sites reserve the right to change web site user agreements and privacy policies. An agreement should spell out how, when or even if you’ll be notified of changes. “You should generally expect that if there is a meaningful change, you will get notice of it,’’ King says.

It’s obviously not a matter of avoiding cloud computing, says King. Too many of us enjoy using these services. It’s more about using good judgment and reading that fine print. And making sure that you have back up copies of anything you want to keep. “You can’t really rely on a company saying, ‘Just trust us,’’’ says King.