Is It True That Nobody Reads The T&Cs?
The latest 'oopsie' from WeTransfer suggests otherwise.
In 2014, a group of security researchers set up a free wi-fi hotspot in and around busy London stations to conduct a novel experiment. Before connecting to the hotspot, members of the public had to accept the Terms and Conditions (T&Cs) for using the service. In return for free wi-fi, the user agreed to assign their first born child to the wi-fi provider “for the duration of eternity”. Referred to in the T&Cs as the “Herod Clause”, it was a stunt to highlight public unawareness of security issues connected with wi-fi usage and the fact that nobody reads the small print.
The unpopularity of online T&Cs are well documented and reflected in classic articles like “I read all the small print on the internet and it made me want to die.”
Also known as Terms of Service, Terms of Use, or User Agreements, it is true that most are a case of clicked-accept-but-didn’t-read. According to a 2024 OFCOM survey, between half and two thirds of users reported signing up to online platforms without reading the T&Cs. No wonder, with Microsoft’s clocking in at a hefty 15,260 words and well over an hour to read, and other popular services hovering around 6,000-8,000 words.
Tech companies LOVE nobody reading the T&Cs. Hiding in plain sight, this is where they can stick all sorts of nonsense and be legally covered because, well, you clicked accept and anyway no-one will notice.
And that’s not all- there’s also privacy policies to contend with. T&Cs and privacy policies are two distinct legal documents and requirements and I shall be very brief in describing the difference. The T&Cs define the legal relationship between the service provider and the user and outline the rules of using the service, primarily protecting the service provider. Users typically must accept or agree to the T&Cs before being able to proceed with using a service.
A privacy policy has a narrower focus and provides information to the user about their privacy rights and how the service provider collects, uses, shares and stores personal data based on established data protection law and principles. Users don’t have to “accept” this because the user has rights under privacy/data protection to object or opt out of certain actions taken by the service provider.
Hope that wasn’t too painful.
It’s kind of part of the job of a privacy advocate to notice changes in tech companies’ T&Cs and privacy policies and be a bit noisy about it. Journalists are quite partial to reading them too.
When the first smart TVs with voice recognition went on sale around 2015, Samsung’s policies were interpreted by many to read “IT’S OUT OF CONTROL, RUN FOR YOUR LIVES”. Warning people not to have sensitive conversations in front of the TV gave the impression of not being fully in control of their own creation.
A good catch by journalist Samantha Cole in 2022 forced the period tracking app Stardust to change their privacy policy. At a time of heightened tension and increased reproductive surveillance just after Roe v. Wade was overturned, the company nevertheless seemed happy to hand over data on periods to law enforcement without a warrant. Being tone deaf to your customer base is a theme we will return to.
And in 2023, Mozilla Foundation found in the small print of some connected car policies that they had gone full voyeur and collected information about the driver’s sex life, taking all the fun out of back seat canoodling.
The small print in the age of AI
The majority of tech companies are figuring out how to capitalise on the vast amount of data collected over many years and pivot their business model to cash in on the AI goldrush- if only you’ll click accept. Updates to T&Cs reveal major clues about future business plans.
The latest company under fire is the file sharing platform WeTransfer whose recent T&Cs update caused a riot and a rollback. WeTransfer is a platform that allows very large digital files to be sent quickly and is used by many in the creative industries to send design/illustration files, photos and videos. On July 1st, WeTransfer notified customers about an update to their T&Cs with clause 6.3 regarding granting a license. I’m just going to focus on the AI part.
“You hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable license to use your Content for the purposes of operating, developing, commercializing, and improving the Service or new technologies or services, including to improve performance of machine learning models that enhance our content moderation process, in accordance with the Privacy & Cookie Policy.”
This was read pretty widely and interpreted to mean that WeTransfer could capture any content transferred over the WeTransfer platform and use it to train their AI models. For free, as the clause also specifies there would be no compensation for this.
The backlash was pretty instant after the offending article was published widely on social media and users made it clear this was not OK and they would be shuttering their accounts.
WeTransfer published a great big sorry two weeks later and amended their policy to be clearer that is not the plan, saying:
“We don’t use machine learning or any form of AI to process content shared via WeTransfer.
The passage that caught most people’s eye was initially updated to include the possibility of using AI to improve content moderation and further enhance our measures to prevent the distribution of illegal or harmful content on the WeTransfer platform. Such a feature hasn’t been built or used in practice, but it was under consideration for the future. To avoid confusion, we’ve removed this reference.”
*Whisper* Removed for now…
As I’ve written before, the creative industries are VERY sensitive to their work being used to train AI models and this T&Cs update was tone deaf to say the least. This is what happens when T&Cs/privacy policies are written in inaccesible language for the average user and fail to consider core customer base needs and expectations.
Online conferencing platform Zoom tried something similar back in 2023 when it updated its T&Cs to allow the company to use customer data to train AI models “with no opt out” and rolled it back- sorry, clarified- after intense customer backlash.
So, tech companies take note. There are watchdogs out there, including civil society, journalists and everyday users protecting their businesses who will catch the wild try-ons buried in the T&Cs.
We are still in a space of resistance figuring out what AI means in our lives- what it will give and what it will take. Maybe next time you sign up for a service or receive an update, try Control-F to search for keywords in the T&C’s such as “machine learning” “train” “models” “AI” and see what comes up.
Let me know what you find and let’s make some noise!