[SOUND] In this video we're going to look at privacy policies and user understanding of those policies. It's critical if users are to control their privacy that they understand privacy policies. This actually spells out how their data's going to be shared, what's collected, who gets access to it and so on. But do users actually understand what these policies say? Well, what we do know is that most people don't read privacy policies. About 16% of people say they read them all the time. But the fact is that when people do read them, they don't necessarily understand them. And, in fact, about half of people who say they've read a privacy policy say they know they don't understand what was in there. So we have a pretty good idea that, even when people take the time to read these privacy policies, they don't really know what's going on. And that's concerning. If we want people to have control over their privacy, they need to know what's being done with their data and what the options are. If the one document that spells that out is inaccessible and hard to read, then there can be a real problem in people understanding what's going on.

How do we learn? Well, people can read the privacy policies; that's one way to learn what the policy is, though it can be difficult. But you can also discover through other sources. And there's one particular alternative source that we're going to look at in this video in a minute.

[SOUND] What we're going to look at here is a quick experiment. And this is based on research that was done with a few hundred users. This focused on Facebook Apps. So these are things like games and quizzes that you install in your Facebook profile and that run in the Facebook platform. Those Apps can access a lot of personal data. And the kind of data that's shared with those Apps is described in Facebook's privacy policy. So the experiment's pretty straightforward: we ask people what data they think Apps can access.
They are just given a long list of data points, and asked, is this something Apps can potentially access or not? And then we asked them the same questions again about what data they think Apps can access. If they've underestimated the data that can be accessed in the first step, and then learned something in the second step, hopefully we will see an increase in the data that they think can be accessed when we ask them a second time.

So let's take a look at the two sources that we're looking at here, the privacy policy and the video. We'll start with the Facebook privacy policy. Facebook's privacy policy is spelled out in this page, called its Daily Use Policy. It's written in pretty accessible English. There's not a lot of legalese in here, and if we just look at a few random sections, for example, here it says your information is the information that's required when you sign up for the site, as well as the information you choose to share. They go through and enumerate the types of information. And if we keep going, they, for example, have a section on public information, and they explain: when we use the phrase public information, which we sometimes refer to as everyone information, we mean the information you choose to make public, as well as the information that's always publicly available. They explain how you make things public, what's always publicly available and so on. It's a pretty accessible policy; it definitely takes a while to read but it's not hundreds of pages long. And it gives a pretty decent idea, at a high level, of what information is shared. At the same time it doesn't go into detail about what Apps or what people can potentially access what parts of your profile.

The video that we're going to look at is Take This Lollipop. There's a link to this site so you can actually run this video yourself. It's an interactive kind of horror movie that integrates data from your Facebook profile into a prescripted film.
What we're going to look at is information taken from my Facebook page. So, it's going to be a little bit scary but also a little bit foreign. If you do it with your own privacy policy, [SOUND] it actually ends up being a very creepy experience. You don't have to worry about your information being stolen; although the video is kind of creepy, they have a very clear privacy policy. They don't collect anything and they really just use the access to your Facebook page that you give them in order to produce this film for you. It's not shared with anyone else. So, if you feel like it, go ahead and give that a try. In the meantime you can take a look at it running in my profile. [MUSIC]

[SOUND] So we had users answer some questions about what data they thought Apps could access. They either watched that terrifying video or read a privacy policy. And then we asked them again about what data they thought Apps could access. The results: first, every user that participated in the study underestimated what data could be accessed when they were first asked. So in the first round, nobody understood the full extent to which Apps could access data from Facebook. After they watched the video, or read the privacy policy, every user improved in their understanding of what data Apps could access. They didn't all get it all right, but we saw a remarkable and significant improvement in their understanding of how their data was shared. And the video led to greater improvements in user understanding. So, even when people were forced to sit down and read Facebook's pretty accessible privacy policy, they missed a lot of things that people understood after watching the video. Probably because the video illustrates quite clearly what data can be pulled by Apps, because it shows it to the user in that case.

So what are the implications of that study? First, privacy policies are boring and hard to read; users tell us this all the time. And that means they have poor usability.
We talk about usability in terms of interfaces and user experience. But documents can have poor usability too. User preference is clearly against the privacy policy and, in fact, they can lead to users not understanding things correctly, which we could consider an error. They have low efficiency. They're definitely slow to read. It takes a much longer time, in fact, to read the privacy policy than it does to watch that video, which lasts about two minutes. And the users don't like them, but we know that privacy policies are also really important. So, we don't just want to give up on them because users don't like them. There has to be some way to convey this information.

So really what we really come away with is this question: are there more usable ways to convey the information that's in a privacy policy? Can we make a privacy policy that has higher usability? That video may be one step, but the fact is that this is an open question. We're just getting to the point where privacy policies are really important. It's something that the last five or ten years has really sprung up on us, where users are sharing so much data. So, this is something that you can go forward on as people who understand HCI, user needs and privacy. And, hopefully, try to find a better way to convey the information privacy policies describe, so that users can really understand that data. [SOUND]