Those pop-up 'I agree' boxes aren't just annoying – they're potentially dangerous

Published Friday, December 7, 2018

File 20181207 128208 jtp1fn.jpg?ixlib=rb 1.1
Song About Summer/Shutterstock

Sabrina Rau, University of Essex

Have you noticed the increasing number of pop-ups asking you to consent or "agree" when you visit a website? Do you find these annoying and tend to just click accept without reading the policies? So do most people, and here's why that's a problem.

By "agreeing" to any of these particular policies, you are effectively allowing a website or app to collect various types of data on you that could violate some of your human rights, such as your right to privacy. To control what data the website or app can gather about you, you have to go through the tedious process of reading long, complex terms and conditions. Sometimes you might have to un-tick a few hundred boxes and navigate through complicated menus to choose your preferences.

This places a burden on you to become your own data manager. It would be much easier and quicker if there were standardised or comparable consent forms that would allow you to quickly identify processes or uses for your data that you may not want.

But first, why should you care about data collection in the first place? You might think that you are not doing anything illegal online and that therefore it doesn't really matter if someone knows that you read certain kinds of articles or order from a certain restaurant every night.

This is a dangerous way of thinking. Our internet data becomes valuable when it is collected to form a profile of us that can allow companies to infer other things about us - and open us up to manipulation, for example with targeted advertising. Seeing ads that are more relevant to us and show us things we really might be interested in buying might be convenient. But this kind of targeting can also enable companies to discriminate against people and deny them an equal chance of accessing basic human rights, such as housing and employment.

While this paints a grim picture of the collection of your data, there are ways to minimise the data collected about you and limit how it could be used against you.

Online data profiles can be used to reject people for housing or jobs. Rawpixel/Shutterstock

One step forward is the recent EU General Data Protection Regulation (GDPR). This demands that you must give free, informed, specific and unambiguous consent before anyone can collect your data. The immediate result has been the proliferation of pop-up consent boxes on websites you've probably noticed.

GDPR also comes with specific guidance about how consent requests should be designed and what information they must provide. But in practice when it comes to the design of genuinely user-friendly consent requests, too many website aren't implementing this guidance properly.

Skewed language

One of the major problems is the skewed language that is used for different options to consent. You may see a huge "I agree" button and in tiny letters underneath "select preferences" or "edit settings". This incentivises users to simply click "agree" and move on, rather than select their preferences in regard to the data they are comfortable sharing.

At the outset, users should be given a clear indication of what data is collected, how it will be processed and for what purposes. There should be no pre-ticked boxes, no clumping together of different data processes and no need to opt-out of anything. All consent that you give online should be by clear affirmative action by you, based on your informed preferences.

Another main component of the GDPR is the freedom of an individual to withdraw consent and the "right to erasure" of their data. That means you should be given the option to withdraw your consent at any time and it should be clear from the outset how to do this. Yet websites and apps rarely do this.

Part of the problem is that, after your data is collected, it is often anonymised and aggregated with that of thousands if not millions of other people, and might be sold to third parties for a variety of purposes. This can make it impossible to track or extract individual data points, although anonymisation does not mean that you cannot be identified another way.

Possible solution

One solution to the endless process of trying to understand tricky consent requests is for different websites and apps to standardise their requests. This would be in line with the UN Guiding Principles on Business and Human Rights on creating comparable rules between companies in order to create better overviews for consumers.

This way, users can more easily familiarise themselves with the information that can be expected in consent request and quickly identify oddities or problems. Among the important aspects to ultimately consider is whether the data requested is really necessary to serve the particular objectives of the website or app, which must be disclosed to you clearly beforehand.

So, when your Sudoku app requests access to your location, perhaps it's time to rethink giving consent.

The Conversation

Sabrina Rau, Senior Research Officer, University of Essex

This article is republished from The Conversation under a Creative Commons license. Read the original article.