Privacy review blasts app terms

A privacy researcher and visiting academic at the University of NSW has called for consumer protections to counter poor terms of service by mainstream cloud services and internet providers.

Senator Joe Ludwig hands Roger Clarke (right) the Australian Privacy Medal, 2009.

Cyberspace law and policy professor Roger Clarke reviewed the terms of use for six applications - Google Apps, Yahoo!, Microsoft Live, Dropbox, LinkedIn, Zoho Apps - and internet providers Internode, iiNet and Infinite.

Eight of the nine providers made their terms of service available on their websites but each site asserted a right to unilaterally change terms, found Clarke who is a visiting academic in the law faculty at UNSW and runs policy consultancy Xamax.

For three of those services - iiNet, Internode and Microsoft Live - notice was provided in advance and by user-convenient means and the change was to be explained rather than the new terms being declared.

For Google, Infinite, LinkedIn, Yahoo! and Zoho, notice was not provided. Instead, an announcement was made somewhere on the website which had immediate effect.

“Hence, for at least five of the nine suppliers in the sample, consumers are unlikely to even know, let alone understand, the terms that are applicable at any given time,” Clarke's review found.

Dropbox did not publish terms of use on its website.

The review found Google's terms were scattered “across about 80 documents” and in many circumstances it was unclear when terms were applicable.

User-generated data

Clarke deemed protections for user-generated data in apps were poor.

"My findings are that none of the nine providers satisfy all of the reasonable expectations of users and that the terms of two major players - Google and LinkedIn - satisfy none of the expectations," he said.

Only Internode, iiNet and Yahoo! had terms that provided them no right to use a customer's data.

Dropbox limited use of customer data to "access" - although it was unclear what that meant.

Infinite and Zoho authorised use of customer data related to their contract with the user.

Microsoft Live's terms authorised use of customer data "to provide the service", which Clarke said could be interpreted as being the service as a whole not just that provided to the user.

Google and LinkedIn claimed substantial rights against user data.

Clarke also found each app or service provider asserted rights to disclose customer data to a business partner. The scope of that term was capable of "very liberal interpretation", he said.

“In the case of Google and LinkedIn – basically they can do anything they want. It’s just not limited. It’s absolutely horrendous,” he said.

Regulation calls

Clarke concluded that consumer protections would "appear to be essential, given the power imbalance" and the importance of internet services and apps.

But he was pessimistic at the prospect of regulators acting.

Attempts to regulate would be undermined by the transnational nature of services, the dominance of US marketing, the pro-corporate and anti-consumer stance of US regulators and meek regulators in other countries, he said.

Most of all there was "a lack of organised resistance by consumer representative and advocacy bodies" on the issue.

“Serious consumer disappointments and recriminations against outsourcing and cloud-sourcing providers would seem to be inevitable,” Clarke said.