[ISN] Stop! Look before you click

From: InfoSec News (isnat_private)
Date: Fri Apr 26 2002 - 01:04:21 PDT

  • Next message: InfoSec News: "[ISN] FAA hacked by patriots"

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    By Rachel Konrad 
    Staff Writer, CNET News.com
    April 22, 2002, 4:00 AM PT
    newsmakers Mark Hochhauser doesn't mince words. 
    That's because the frank-talking psychologist is also an expert in
    "readability," who practices what he preaches. The 55-year-old
    resident of Golden Valley, Minn., pores over contracts, disclosure
    statements and privacy notices to determine whether real people--not
    lawyers or business executives--understand them. Then he tells
    companies, research groups and government agencies how to translate
    legalese into plain English.
    Hochhauser has spent the past several years studying the
    readability--or lack thereof--of online documents, particularly
    privacy agreements. Most of them require the user to click "I agree"  
    before proceeding with their purchase or download. Hochhauser says
    people rarely understand what they're signing, mindlessly clicking
    contracts that could hijack their computers or make them targets of
    aggressive advertisers.
    The "I agree" frenzy has reached new levels as the popularity of
    file-swapping software mushrooms. Earlier this month, millions of
    consumers downloaded the Kazaa file-swapping program, only to realize
    later that they had unwittingly agreed to install software that could
    help turn their computers into nodes for a peer-to-peer network
    controlled by a third company, Brilliant Digital Entertainment.
    Hochhauser dissected Brilliant's 4,093-word privacy policy and terms
    of use statements, determining that the Internal Revenue Service's
    1040 EZ form was simpler to read. He spoke to CNET News.com about why
    companies refuse to use plain English--and how consumers get lost in
    the translation.
    Q: How would you describe most contracts software companies require
    users to sign?
    A: It's legalese written by lawyers who want to protect the company,
    and they're using legal terms that the general public isn't familiar
    You have to scroll down through it, which makes it impossible to read.  
    You can rarely click a button to get a printout, and in some cases you
    can't even cut and paste it into a document you can print out and read
    later. CNET, newspapers and other publications have had the "click to
    print" button for years, but I don't think I've ever seen one in a
    terms of service contract.
    One thing I've noticed is that these contracts are simply text--no
    interactive graphics or any other means of taking advantage of the Web
    as a medium of communication. How does that contribute to the problem?
    We've learned a lot about Web design. We know we should be using short
    paragraphs without too many pages because it's tough to keep people
    focused on text. But these consent forms are not developed with any
    sense of Web design or document design at all. These are the exact
    same forms that you could have gotten 10 years ago in a book. If you
    look at how visual the Web is, why do we have consent policies that
    are the equivalent of eight pages of text? It's no surprise that
    people ignore them.
    Take off your readability hat and put on your psychology hat. What are
    people thinking when they click "I agree"? Are they illiterate? Naive?  
    They're not stupid. They're trusting. It's actually quite similar
    behavior to sick people. Patients who are very sick can be given a
    3,000-word consent form written by lawyers with the same level of
    complexity as these privacy notices...The sick people usually just
    sign it without reading it because their doctor said it was OK. Same
    thing here--the reader thinks, 'The FTC would close them down if they
    were doing something really bad.' There may be a basic element of
    trust that people bring into this.
    Let me play devil's advocate. Don't people who click "I accept"  
    forfeit their rights? What happened to caveat emptor?
    To some extent, sure, the onus really is on the user to decide whether
    they want to read it. At the same time, there is some responsibility
    on the Web site to present the information in a form you can use
    without a dictionary, trying to figure out what every sentence really
    means. Sure, there's a responsibility on the reader, but there is such
    a thing as information overload.
    It seems ad-supported software preys on people's urge to try to get
    something for nothing. Do these adware companies appeal to our lowest
    Yes. Anything that says "free," people want. But eventually people
    will realize there's not really such thing as "free" software. It
    comes with a price--in this case the annoyance of advertising, or
    possibly privacy violations.
    Clearly software companies need legal protection. How can they write
    policies that are both intelligible to teenagers--yet cover their
    legal backs?
    The real way to do this better is to have consumers involved in the
    writing and editing process. The companies need to sit down with a
    focus group of actual users and say, "Do you understand this? How
    could we make you understand this?" Real users, not lawyers, need to
    write the forms. Then they need to redesign the sites so that the
    consent forms are visual, not legalese text blocks.
    Why can't companies write in plain English?
    My guess is that writing in legalese gets them off the hook. The
    message is, "We asked you to scroll down, and you did, so we're not
    liable." They set it up so you had to scroll through it--even if you
    didn't read it.
    I don't know how often these companies get sued over issues in their
    privacy policy. I know if you go to terms of service, it pretty much
    says, "You can't sue us for anything." That's pretty much what they
    say in 8,000 words.
    Are you blaming lawyers or our litigious culture for the convoluted
    There's been a plain English movement in the legal profession for 20
    years, but it's not very widely used. Lawyers tend to use the language
    they've always used because they're comfortable with it, and they say
    if they change it, it changes the meaning.
    I don't have a problem with this theory if they're writing for other
    lawyers. But if they're writing for kids online, it makes no sense to
    have a 3,000-word policy written at a college-reading level. Most of
    these policies that I've seen are first-year college to graduate
    school level. I've got a Ph.D. and even I've got a hard time
    understanding them--too many hard words, sentences that are too long.  
    Maybe these contracts are perfectly understandable to someone with a
    business or law degree, but...most people aren't going to understand
    Is any company doing a decent job of writing in plain English?
    Yahoo changed its privacy policy recently, and it's not bad...They
    have a chart summarizing some of the privacy information. I'm a
    psychologist used to looking at charts and graphics, so I am naturally
    drawn to these things. But I really thought it was a wonderful summary
    and didn't force me to go through page after page.
    How did you determine that Brilliant's forms were less readable than a
    tax from the IRS?
    There are a couple dozen readability formulas that have been developed
    over the last 60 years, recently converted into software of
    grammar-checking and word processing programs. They pretty much rely
    on average number of words per sentence and syllables.
    According to those formulas, how many words and sentences can the
    average person digest and comprehend?
    Most research suggests that, on average, sentences should be 15 to 20
    words, some shorter, longer. I've seen privacy policies where the
    average word count is 30 words. That's a problem because it's hard for
    people to hold that much info in "working memory," as psychologists
    say. You get to the end of the sentence and you can't remember
    information contained in the beginning of the sentence.
    What about big words? Does the average person simply not understand
    words beyond a certain number of syllables?
    It's not so much the number of syllables, though it might be a good
    idea to limit the number of words over three syllables in consent
    forms. It's how familiar the words are, especially complex words made
    up of one or more smaller words.
    You can throw together a bunch of words--the kind of words people use
    in daily conversation--and still make them complicated. Lawyers who
    draw up consent forms do this all the time...The financial privacy
    notices from the Gramm-Leach-Bliley Act talk about "nonpublic personal
    information." What does this mean? The point is you take three words,
    not necessarily big words, but most people don't know what it means.  
    Same thing goes for sentences with double or triple negatives--so you
    can't figure if it means no or yes.
    How did you get interested in readability and consent?
    My real interest in readability started in 1985, when I worked at a
    psychiatric hospital. A colleague introduced me to readability
    formulas, and we tried to evaluate some of the materials that
    chemically dependent patients were expected to read. Not surprisingly,
    we found that some of the materials were too complicated for some of
    the patients. But staff refused to make adjustments in the reading
    lists, and some patients left "against medical advice" because they
    couldn't deal with being called "dumb" or "stupid" any more.
    A few years later I found that there were software programs that
    calculated readability, so I started analyzing everything in
    sight...Once you have a hammer, everything becomes a nail; once you
    have a readability program, everything written is fair game.
    You've been evaluating the informed-consent process for patients
    enrolled in medical device clinical trials since 1994. Are those forms
    better than those from software companies?
    The consent forms written by most major U.S. drug companies are just
    awful--they're about as bad as the online privacy policies. Lawyers in
    drug companies don't write any better than lawyers for Web-based
    What motivates you professionally?
    My main interest is to try to ensure that things aren't done to people
    without their informed permission--whether that involves being
    involved in research or having personal information shared on the
    Internet. It all comes down to "Do no harm." Research ethics, online
    ethics--in some ways, it's all the same.
    By the way, what is "nonpublic personal information"?
    I'm not 100 percent clear. It has to do with information that banks
    collect about you that's not considered information in the public
    Eric Wolbrom, CISSP                     Safe Harbor Technologies
    President & CIO                         190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000            Katonah, NY 10536
    Fax   914.767.3911                              http://www.shtech.net
    This electronic transmission and the documents accompanying it 
    contain information from Safe Harbor Technologies, LLC which is 
    confidential. The information is intended only for the use of the 
    individual or entity named on herein. If you are not the intended 
    recipient, you are hereby notified that any disclosure, copying, 
    distribution or the taking of any action in reliance on the contents 
    of this email is strictly prohibited, and that the documents should 
    be returned to this firm immediately so that we can arrange for the 
    return of the original documents at no cost to you.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 04:57:39 PDT