Forwarded from: "eric wolbrom, CISSP" <ericat_private>

http://news.com.com/2008-1082-887841.html

By Rachel Konrad
Staff Writer, CNET News.com
April 22, 2002, 4:00 AM PT

Mark Hochhauser doesn't mince words. That's because the frank-talking psychologist is also an expert in "readability," who practices what he preaches.

The 55-year-old resident of Golden Valley, Minn., pores over contracts, disclosure statements and privacy notices to determine whether real people--not lawyers or business executives--understand them. Then he tells companies, research groups and government agencies how to translate legalese into plain English.

Hochhauser has spent the past several years studying the readability--or lack thereof--of online documents, particularly privacy agreements. Most of them require the user to click "I agree" before proceeding with their purchase or download. Hochhauser says people rarely understand what they're signing, mindlessly clicking contracts that could hijack their computers or make them targets of aggressive advertisers.

The "I agree" frenzy has reached new levels as the popularity of file-swapping software mushrooms. Earlier this month, millions of consumers downloaded the Kazaa file-swapping program, only to realize later that they had unwittingly agreed to install software that could help turn their computers into nodes for a peer-to-peer network controlled by a third company, Brilliant Digital Entertainment.

Hochhauser dissected Brilliant's 4,093-word privacy policy and terms of use statements, determining that the Internal Revenue Service's 1040 EZ form was simpler to read. He spoke to CNET News.com about why companies refuse to use plain English--and how consumers get lost in the translation.

Q: How would you describe most contracts software companies require users to sign?

A: It's legalese written by lawyers who want to protect the company, and they're using legal terms that the general public isn't familiar with. You have to scroll down through it, which makes it impossible to read. You can rarely click a button to get a printout, and in some cases you can't even cut and paste it into a document you can print out and read later. CNET, newspapers and other publications have had the "click to print" button for years, but I don't think I've ever seen one in a terms of service contract.

Q: One thing I've noticed is that these contracts are simply text--no interactive graphics or any other means of taking advantage of the Web as a medium of communication. How does that contribute to the problem?

A: We've learned a lot about Web design. We know we should be using short paragraphs without too many pages because it's tough to keep people focused on text. But these consent forms are not developed with any sense of Web design or document design at all. These are the exact same forms that you could have gotten 10 years ago in a book. If you look at how visual the Web is, why do we have consent policies that are the equivalent of eight pages of text? It's no surprise that people ignore them.

Q: Take off your readability hat and put on your psychology hat. What are people thinking when they click "I agree"? Are they illiterate? Naive? Stupid?

A: They're not stupid. They're trusting. It's actually quite similar behavior to sick people. Patients who are very sick can be given a 3,000-word consent form written by lawyers with the same level of complexity as these privacy notices...The sick people usually just sign it without reading it because their doctor said it was OK. Same thing here--the reader thinks, "The FTC would close them down if they were doing something really bad." There may be a basic element of trust that people bring into this.

Q: Let me play devil's advocate. Don't people who click "I accept" forfeit their rights? What happened to caveat emptor?

A: To some extent, sure, the onus really is on the user to decide whether they want to read it. At the same time, there is some responsibility on the Web site to present the information in a form you can use without a dictionary, trying to figure out what every sentence really means. Sure, there's a responsibility on the reader, but there is such a thing as information overload.

Q: It seems ad-supported software preys on people's urge to try to get something for nothing. Do these adware companies appeal to our lowest urges?

A: Yes. Anything that says "free," people want. But eventually people will realize there's not really such a thing as "free" software. It comes with a price--in this case the annoyance of advertising, or possibly privacy violations.

Q: Clearly software companies need legal protection. How can they write policies that are both intelligible to teenagers--yet cover their legal backs?

A: The real way to do this better is to have consumers involved in the writing and editing process. The companies need to sit down with a focus group of actual users and say, "Do you understand this? How could we make you understand this?" Real users, not lawyers, need to write the forms. Then they need to redesign the sites so that the consent forms are visual, not legalese text blocks.

Q: Why can't companies write in plain English?

A: My guess is that writing in legalese gets them off the hook. The message is, "We asked you to scroll down, and you did, so we're not liable." They set it up so you had to scroll through it--even if you didn't read it. I don't know how often these companies get sued over issues in their privacy policy. I know if you go to terms of service, it pretty much says, "You can't sue us for anything." That's pretty much what they say in 8,000 words.

Q: Are you blaming lawyers or our litigious culture for the convoluted contracts?

A: There's been a plain English movement in the legal profession for 20 years, but it's not very widely used. Lawyers tend to use the language they've always used because they're comfortable with it, and they say if they change it, it changes the meaning. I don't have a problem with this theory if they're writing for other lawyers. But if they're writing for kids online, it makes no sense to have a 3,000-word policy written at a college-reading level. Most of these policies that I've seen are first-year college to graduate school level. I've got a Ph.D. and even I've got a hard time understanding them--too many hard words, sentences that are too long. Maybe these contracts are perfectly understandable to someone with a business or law degree, but...most people aren't going to understand it.

Q: Is any company doing a decent job of writing in plain English?

A: Yahoo changed its privacy policy recently, and it's not bad...They have a chart summarizing some of the privacy information. I'm a psychologist used to looking at charts and graphics, so I am naturally drawn to these things. But I really thought it was a wonderful summary and didn't force me to go through page after page.

Q: How did you determine that Brilliant's forms were less readable than a tax form from the IRS?

A: There are a couple dozen readability formulas that have been developed over the last 60 years, recently converted into the software of grammar-checking and word processing programs. They pretty much rely on average number of words per sentence and syllables.

Q: According to those formulas, how many words and sentences can the average person digest and comprehend?

A: Most research suggests that, on average, sentences should be 15 to 20 words, some shorter, some longer. I've seen privacy policies where the average word count is 30 words. That's a problem because it's hard for people to hold that much info in "working memory," as psychologists say. You get to the end of the sentence and you can't remember information contained in the beginning of the sentence.

Q: What about big words? Does the average person simply not understand words beyond a certain number of syllables?

A: It's not so much the number of syllables, though it might be a good idea to limit the number of words over three syllables in consent forms. It's how familiar the words are, especially complex words made up of one or more smaller words. You can throw together a bunch of words--the kind of words people use in daily conversation--and still make them complicated. Lawyers who draw up consent forms do this all the time...The financial privacy notices from the Gramm-Leach-Bliley Act talk about "nonpublic personal information." What does this mean? The point is you take three words, not necessarily big words, but most people don't know what it means. Same thing goes for sentences with double or triple negatives--so you can't figure if it means no or yes.

Q: How did you get interested in readability and consent?

A: My real interest in readability started in 1985, when I worked at a psychiatric hospital. A colleague introduced me to readability formulas, and we tried to evaluate some of the materials that chemically dependent patients were expected to read. Not surprisingly, we found that some of the materials were too complicated for some of the patients. But staff refused to make adjustments in the reading lists, and some patients left "against medical advice" because they couldn't deal with being called "dumb" or "stupid" any more. A few years later I found that there were software programs that calculated readability, so I started analyzing everything in sight...Once you have a hammer, everything becomes a nail; once you have a readability program, everything written is fair game.

Q: You've been evaluating the informed-consent process for patients enrolled in medical device clinical trials since 1994. Are those forms better than those from software companies?

A: The consent forms written by most major U.S. drug companies are just awful--they're about as bad as the online privacy policies.
Lawyers in drug companies don't write any better than lawyers for Web-based companies.

Q: What motivates you professionally?

A: My main interest is to try to ensure that things aren't done to people without their informed permission--whether that involves being involved in research or having personal information shared on the Internet. It all comes down to "Do no harm." Research ethics, online ethics--in some ways, it's all the same.

Q: By the way, what is "nonpublic personal information"?

A: I'm not 100 percent clear. It has to do with information that banks collect about you that's not considered information in the public domain.