MTN’s misleading uncapped data bundle fine print

MTN’s uncapped data bundles are not what consumers think they are. They are complicated packages with rules that limit them dramatically.

EWN published a surprising story titled “The terms of MTN’s uncapped data explained”, in which MTN’s Chief Customer Experience Officer, Eddie Moyce, explains MTN’s activation requirement for its time-based uncapped data bundle. Here is the radio segment:

The surprise is that this uncapped data offer doesn’t work the way you may expect. Consumers should pay careful attention to the fine print to avoid being caught out, potentially at a substantial cost. Essentially, even though you have paid for the bundle, you still need to activate it by dialling a short-code which you receive by SMS. If you don’t activate the bundle, you will use data at normal data rates and could wind up with a larger bill than you expected.

Two aspects of this story are problematic:

1. Why offer this sort of “uncapped” bundle that the customer still needs to activate in order to use it, even after paying for it?

This is really misleading. Most data bundles activate automatically when you have paid for them and the changes propagate across the network, don’t they?

The mechanism suggests that MTN intentionally created this activation mechanism knowing that many customers won’t actually realise they need to do it and will wind up paying far more. I checked the terms and conditions that apply to this package (I think – the MTN site is not exactly designed to find information easily) and it says the following:

  5. Activation of the MTN 1 Day Uncapped Internet Bundles

5.1 Customers may purchase an MTN 1 Day Uncapped Internet Bundle by dialing *141*2#.

5.2 Customers must activate the MTN 1 Day Uncapped Internet Bundle after purchase, by dialing *141*5#. The MTN 1 Day Uncapped Internet Bundle does not automatically activate.

5.3 Customers may only activate the MTN 1 Day Uncapped Internet Bundle if they have sufficient airtime in their airtime account or using their usage limit (for My MTNChoice customers). This excludes MTN Loyalty 1–4–1 Loyalty Points and any promotional airtime.

Data bundle details

These data bundles are typically “valid for a period of 24 (twenty four) hours”, although only “after [they are] activated”. I also wonder how many people are aware of when the data bundle kicks in? How many people assume (and reasonably so) that the package kicks in automatically and they start using the data right away?

The seemingly reasonable SMS from MTN with activation instructions is challenging. Many people ignore SMS messages they receive for various reasons and may not notice the significance of an activation message until long after their bill has hit triple digits.

This activation mechanism looks a lot like the dodgy tactics mobile content providers used to use before they were banned: automatically subscribing consumers to expensive content (think R5 or R7 per day until cancelled) subscription services without clear double opt-in mechanisms and pricing information. You wouldn’t expect major network operators to use misleading tactics such as these.

2. Why impose a “fair use value” cap of 150MB on an “uncapped” data bundle? That is tiny.

Then, to add to this, the notion that a bundle with a “fair use value” cap of 150MB is somehow an “uncapped” data bundle is ridiculous. That is a tiny amount of data when you consider that, as Eddie Moyce put it, people tend to buy these packages for specific reasons. One of those reasons would be that the customer needs to use a lot more data than his or her usual bundle allows (at least, cost effectively) in a short time period.

Here is an extract from the terms and conditions dealing with the “Fair Use Policy”:

9.1.4 Customers with an active MTN 1 Day Uncapped Internet Bundle shall be able to generate uncapped data usage, however, a fair use value/threshold as detailed in the table in clause 4 above will apply for the duration of the Validity Period.

9.1.5 Should the Customer exhaust the fair use value, as detailed in the table in clause 4 above, before the end of the Validity Period, the Customer’s data speeds will be reduced to 128kbps for the remainder of the Validity Period and the Fair Use Policy detailed in this clause 9 shall apply.

9.1.6 MTN further reserves the right to implement other measures and controls to ensure that the integrity of its systems is maintained, including but not limited to measures such as DPI (Deep Packet Inspection). DPI:

9.1.6.1 allows MTN to monitor aspects including, but not limited to, non-compliance with its Fair Use Policy and restricted protocols, prevent attacks from computer viruses/worms and identify SPAM. Such usage may be blocked or re-routed;

9.1.6.2 also allows MTN to throttle certain usage, such as peer to peer traffic;

9.1.6.3 shall also allow MTN to prioritize/filter certain activities, such as VoIP traffic, over other activities which are burdensome on the MTN network (such as video streaming);

9.1.6.4 in essence, this allows MTN to alleviate network congestion and improve service to all MTN customers.

9.1.7 This Fair Use Policy may be amended by MTN, whether by clarifying, modifying, adding to or deleting certain terms and conditions. This is subject to the Modification of Terms and Conditions, including notice being provided to you, as detailed in clause 16 below.

Not only does the available data speed slow to 128kbps when you hit that measly 150MB but MTN also imposes a series of restrictions on how you can use the data and when. The end result is that your “uncapped” data bundle is more like a “you can’t do much with this ISDN-like connection but thanks for paying anyway” bundle.

But wait, there’s more:

  • MTN hides all these restrictions and qualifications in terms and conditions which few consumers will ever read, and
  • the fact that these restrictions are couched in fairly dense language and presented in pale text on a white background that no-one over 45 can read without squinting says a lot too.

One more thing – no business use for you

Oh, by the way, this package isn’t available for “commercial use” so don’t think you are allowed to use this package to give your small business a little boost either:

9.2 The MTN 1 Day Uncapped Internet Bundles are intended for consumer use only. This means that the MTN 1 Day Uncapped Internet Bundles may not be used for commercial use (which includes, but is not limited to the intention of promoting, enabling, subscribing to, selling (directly or indirectly) the goods, services or image of any person pursuing a commercial, industrial, craft, religious, charitable or political activity or exercising a regulated profession).

9.3 The MTN 1 Day Uncapped Internet Bundles exclude use of the following services:

9.3.1 Least Call Routing (LCR);

9.3.2 Routing devices; and/or

9.3.3 Commercial use.

9.4 Use of the above services shall be deemed abuse and/or fraudulent use of the MTN 1 Day Uncapped Internet Bundles and shall entitle MTN to immediately suspend and/or deactivate the Customer’s access to the MTN 1 Day Uncapped Internet Bundles.

So if you are a small business owner and you happened to buy this bundle and use it as part of your business (you could have sent a data message to a client telling them about your services, for example), you would be committing a fraud in addition to breaching the terms and conditions of the bundle. Talk about hostile to small business!

K.I.S.S MTN!

When I think about what is available outside South Africa, MTN’s approach to mobile services and pricing just doesn’t make sense to me. My current mobile service includes 5 000 minutes of calls, 5 000 SMS messages, 10GB of data a month and 500 minutes of calls to my family in SA (landlines in SA) for the equivalent of about R200 per month. It wasn’t always like this but regulatory changes and increased competition improved the situation for Israelis.

Instead of obfuscating an overly complex service, why not offer a simpler option that just lets people pay their R40 for either a fixed amount of data or a realistic “fair use value” cap? Drop this silly activation mechanism and the ridiculous fine print. In other words, give people what they think they are getting or, if that is more than you want to offer, offer them something you are comfortable with and that makes sense to consumers.

Image credit: Pixabay

No, you can’t unilaterally opt out of Facebook’s terms and keep using it

Facebook has updated its terms of service and data use policy recently and the changes have upset many people. I’ve started seeing more declarations of users’ intention to opt-out of provisions of Facebook’s terms and conditions. These sorts of declarations seem to be legally binding with their fairly legalistic language but they don’t work except to help you feel better.

The only way to limit what Facebook can do with your content and your personal information is to stop using Facebook and to delete your profile. Unilateral declarations of your intention to opt-out of provisions you don’t agree with don’t make those provisions less binding on you.

If you use Facebook, you do so on Facebook’s terms. If you don’t want to be bound by those terms and conditions, stop using Facebook.

Facebook Messenger is not the privacy threat you should be concerned about

Many people are focused on the permissions they give Facebook when they install Facebook Messenger and are concerned that they are giving Facebook excessive access to their devices. This isn’t necessarily the case and this growing panic may be more a function of how Android permissions have to be obtained than a real privacy threat which many have read into those permissions.

I found myself listening to a discussion on 94.7 this morning about Facebook Messenger. The breakfast team was talking about these permissions that have attracted so much attention as if installing Messenger instantly compromises users and leaves them exposed to all sorts of privacy invasions when microphones and cameras turn on at someone else’s behest.

The panic level rose a few more notches when the breakfast team received a call from an anonymous listener who told the team that part of his work involves remotely accessing people’s devices (presumably part of lawful investigations) and exploiting these sorts of permissions. It wouldn’t be unreasonable to draw the conclusion that giving Facebook these permissions to access your phone’s microphone, camera and other features somehow makes all of those features available to anyone wishing to exploit that level of access and spy on you.

Fortunately it isn’t as simple as that. Leaving aside the risk that Facebook, itself, grants access to your devices to 3rd parties without your knowledge or that its apps have vulnerabilities which are not patched and are exploited by unscrupulous 3rd parties, Facebook isn’t the threat. I spoke to Liron Segev, an IT Consultant and one of the first people I think about when I need some help with the technical aspects of IT security. He explained that the threats to consumers come from various sources and that poor security awareness on consumers’ part is a contributing factor.

To begin with, it is possible for a 3rd party developer to introduce apps to app stores that appear to have a particular functionality but, below the surface, these apps will scan installed apps on your device, attempt to impersonate or even supplant those apps and exploit the access permissions you gave to the legitimate app. These trojan apps would then take advantage of the sorts of permissions you grant Facebook Messenger to access your device microphone, camera and other features. Avoiding this risk largely comes down to only installing apps you trust and how well the app marketplace is regulated and protected from this sort of malware. More and more security experts recommend installing anti-virus software on your mobile devices to help protect you from these sorts of attacks.

A hidden threat few people outside the security industry are aware of comes from the mobile networks we use every day. Mobile networks have the technical ability to gather data from our devices and even remotely install applications without us being aware of this in order to use that data and access to our devices’ features for a variety of reasons ranging from network performance management to remote surveillance and law enforcement. On the one hand, there are good reasons for networks and governments to have the capability to monitor criminal threats (for example, the somewhat misunderstood capability Google has to monitor Gmail for child porn using an existing database of problematic images). We live in a world where the bad people use advanced encryption and digital tools to plan and conceal their activities. On the other hand, there is also scope for governments and companies to use these capabilities to spy on citizens, infringe their rights and exploit their personal information for profit. As I mentioned in my htxt.africa article “Much ado about Facebook Messenger privacy settings, but is it nothing?” –

Whether you use Messenger should be informed by the extent to which you trust Facebook, not by the very explicit and informative permissions Facebook seeks from you in order to use Messenger. If anything, Facebook is just proving that it has come to a long overdue realisation that there is no benefit in deceiving users.

It is possible that Facebook may turn on your phone’s camera and microphone while you are getting dressed in the morning but highly unlikely. What is more likely is that Facebook requires those permissions to enable Messenger to do what you want and expect it to do. That said, you can’t be complacent and install every app on your device that seems amusing. Take the time to satisfy yourself that the app is from a credible source and look into anti-malware software for your devices. As for mobile networks and governments, there is little you can do except reconsider your device choices if you are concerned about this. Segev pointed out that Blackberry devices are still secure options and Blackberry 10.x is a flexible option even if it isn’t popular media’s darling.

A transparent approach to privacy policies

Richard Beaumont’s article “Transparency Should Be the New Privacy” echoes a point I’ve also been making recently: data protection or privacy is mostly about transparency and trust. Sure, compliance is essential but from a data subject or consumer’s perspective, how transparent you are about how you process the data subject’s personal information and whether your activities engender trust are arguably as important. Achieving that requires a varied approach to data protection and one of the key elements is the document you publish about this, namely the privacy policy (also known as a “data protection policy”, “privacy statement” and other titles).

As Beaumont points out:

The website privacy policy is the basis on which organisations can claim they have received consent from customers/visitors to collect whatever data they want and do what they like with it. In a data-driven world, they are important documents. Expensive lawyers are often paid large sums of money to write them in the full knowledge that they will rarely be read. Of necessity, it is written in legalese that most people won’t fully understand, and it is long because it has to cover all eventualities.

Of course, hardly anybody reads them. In the vast majority of cases, it would be a colossal waste of time.

I don’t agree with an approach that obscures privacy policy wording by using legalese and complex language but privacy policies are typically not read and understood before data subjects share their personal information. On the other hand, Beaumont makes a number of good points about the purpose of most privacy policies:

However, the problem is not really with the privacy policy itself as a document; it is the fact that it has been mis-sold to us. We are led to believe its purpose is to inform. We are told this because consent relies on us being informed about what we are consenting to. It is the basis of almost all privacy law throughout the world.

However, if that were true, it wouldn’t be buried in a link at the bottom of the page and written in dense text that is often also in a smaller font than the rest of the site. Website designers and copywriters know how to inform people online. The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners in the case of a dispute—which is what most legal documents are designed to do. There is nothing wrong with this—these documents are necessary in certain circumstances. It’s just that they don’t fulfil the more common need for accessible information about privacy practices at the company.

He goes on to propose a “transparency policy” as an alternative to a conventional privacy policy. I don’t think we need a new term for the document except where using a new name shifts our perception of the document’s role. I’ve been reading a lot more about more visual legal documents and I like Beaumont’s suggested approach, at least in part:

The transparency statement will be short, clear and simple to understand. It might borrow from the “layered” privacy policy model and would almost certainly involve a strong visual element. It will be easily accessible and you will be encouraged to look at it, especially on a first visit. It will be the basis on which the website will set your expectations for how you and your data will be treated.

His model involves a transparency statement operating alongside a privacy policy which would give the transparency statement important “legal weight”. I don’t think this is necessary, though. I prefer some lawyers’ approach of publishing a “privacy statement” rather than a privacy policy. Although privacy policies are frequently framed as documents you, as a data subject, agree to, they can function just as well as statements of what personal information is being collected; how it is being processed and under what circumstances that personal information may be disclosed and to whom.

When I prepare privacy policies, I usually pair them with a website’s terms and conditions which invoke the privacy policy as an explanation of what personal information is processed and how. The terms and conditions then reference the privacy policy and provide the “legal weight” Beaumont refers to. In that model, a privacy policy could be reframed as a streamlined privacy statement along similar lines to Beaumont’s suggested transparency statement and some lawyers’ privacy statements. Inferring agreement with a privacy statement becomes largely unnecessary and it would only really be important to establish that data subjects agreed to the terms and conditions themselves which, in turn, would point to the privacy statement for information about personal information processing.

A streamlined privacy statement would also be better suited to more visual representations of its contents which makes them far more intelligible and, by extension, a company’s data processing activities more transparent. With more transparency comes more accountability and trust. In addition –

Because the transparency statement is also more likely to be read, commented on and engaged with, it will likely improve over time, and accepted standards might emerge. This would potentially create a virtuous circle that further improves clarity for consumers.

Emerging standards have further benefits which I find really exciting. The bottom line, though, is Beaumont’s conclusion:

Transparency statements could be the vehicle to enable the majority of people to make better-informed choices than they currently do and use a truly market-driven approach to online privacy practice.

Why you may want to reconsider that co.za domain name

If you are thinking about registering a co.za domain name, you may want to consider your possible liability to ZA Central Registry NPC (formerly called Uniforum), the organisation which administers the co.za namespace. It could be substantial.

The starting point is the warranties you give when you apply to ZACR to register a co.za domain:

Applicant hereby irrevocably represents, warrants and agrees that:

  1. its statements in the Application are accurate and complete;
  2. it has the right without restriction to use and register the Domain Name;
  3. it has a bona fide intention to use the Domain Name on a regular basis on the Internet;
  4. the use or registration of the Domain Name by Applicant does not or will not interfere with, nor infringe the right of any third party in any jurisdiction with respect to trade mark, service mark, trade name, company name, close corporation name, copyright or any other intellectual property right;
  5. it is not seeking to use the Domain Name for any unlawful purpose whatsoever, including, without limitation, unfair competition, defamation, passing off or for the purpose of confusing or misleading any person;
  6. at the time of the initial submission of the Application, and at all material times thereafter, it shall have an operational name service from at least two operational Internet servers for the Domain Name. Each server is and will continue to be fully connected to the Internet and be capable of receiving queries relating to the Domain Name and responding thereto;
  7. it has selected the Domain Name without any input, influence or assistance from UniForum.

Of these warranties, points 4 and 6 could be problematic:

Warranty 4

In order to comply with this warranty, you should ideally conduct an exhaustive search of all jurisdictions in order to confirm that your proposed domain name “does not or will not interfere with, nor infringe the right of any third party in any jurisdiction”, whether that right be rooted in “trade mark, service mark, trade name, company name, close corporation name, copyright or any other intellectual property right”. That is very, very broad.

You can’t possibly know every brand, company or trading name which you could possibly be stepping on when you register your domain. Trade marks tend to be somewhat geographically and thematically limited but copyright is pretty universal and “any intellectual property right” is a really broad catchall.

Every time you register a domain name, you take the chance that it may correspond with a brand, company or trading name and someone may contend that your domain name infringes his or her rights. If that happens, you are in breach of your warranty and it doesn’t matter whether you intentionally infringed anyone’s rights. The inquiry is a factual one.

Warranty 6

This warranty can be tricky because you not only require two operational name servers to register the domain (name servers map the domain name to IP addresses associated with actual servers) but you have to warrant that “[e]ach server will continue to be fully connected to the Internet and be capable of receiving queries relating to the Domain name and responding thereto”.

This is simply not in your control. You may register with an ISP, use its name servers to register your domain and your ISP’s servers could go offline temporarily or the ISP could go out of business without you being aware of it. Even if you are aware of this, you may have parked the domain for future use and you may forget to migrate it to another ISP in your rush to move all your other data off.

What could go wrong?

All this may not seem particularly problematic until you read a little further:

Pursuant to the above warranties, Applicant hereby agrees that it shall defend, indemnify and hold harmless UniForum, its directors, officers, members, employees and agents, for any loss, damage, expense or liability resulting from any claim, action or demand arising out of or related to a breach of the aforementioned warranties or the use or registration of the Domain Name, including reasonable attorneys fees on an attorney and own client basis. Such claims shall include, without limitation, those based upon trade mark infringement, copyright infringement, dilution, unfair competition, passing off, defamation or injury to reputation. UniForum agrees to give Applicant written notice of any such claim, action or demand within reasonable time of becoming aware thereof. Applicant agrees that UniForum shall be defended by attorneys of UniForum’s choice at Applicant’s expense, and that Applicant shall advance the costs incurred in such litigation, to UniForum on demand from time to time.

This indemnity is very broad. For starters, it requires you not only to cover ZACR for any costs it incurs if you breach the warranty; you are also required to “defend” ZACR from “any claim, action or demand arising out of or related to a breach of the aforementioned warranties or the use or registration of the Domain Name”. It goes on to cover “reasonable attorneys fees on an attorney and own client basis” which is not reasonable at all. The “attorney and own client” scale of legal costs is used as a punitive costs scale in court proceedings. The attorneys who would defend ZACR from the envisaged claims will be “attorneys of [ZACR’s] choice at [your] expense, and … [you] shall advance the costs incurred in such litigation, to [ZACR] on demand from time to time.” It is a lot of text but the upshot is that you will be required to pay for ZACR’s lawyers, upfront, if there is a claim flowing from –

  • breach of your warranties (which I listed above);
  • “the use or registration of the Domain Name”;
  • “without limitation, those based upon trade mark infringement, copyright infringement, dilution, unfair competition, passing off, defamation or injury to reputation”.

A relatively cheap example is a company sending ZACR a demand to deregister a domain name and transfer it across because the company believes your domain name infringes one or more of its rights. ZACR briefs its lawyers to consider the claim and they charge, say, R1 500 (very conservative, probably more) an hour to review the demand, formulate a response, discuss the response with ZACR and send it along to the company. That exercise could cost, as a guess, R4 500 if the lawyers are working very efficiently. That cost could be passed along to you to pay. There could, of course, be further costs ZACR could pay to its lawyers for follow up communications, meetings and other action down the line. This is before you take into account possible losses the company may claim from ZACR and be awarded down the line.

Suddenly the domain you pay R50 to R60 for could be much more expensive. What you should ask yourself is whether you can afford to take a chance (or have a truly unique domain name)?

Your email providers don’t require a warrant to read your email

Our email providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant give providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of Rights includes the right not to have the “privacy of [your] communications infringed”. This right is not absolute and can be (and is) limited by various laws including the Regulation of Interception of Communications and Provision of Communication-related Information Act which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications both thanks to laws as well as service providers’ requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant give providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consents enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because it’s possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity and because our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

Using Netflix in South Africa is illegal

South Africans continue to be frustrated by the paucity of legitimate and convenient TV and movie download or streaming options. At the moment DSTV and a limited South African iTunes store are the primary options. Unfortunately this doesn’t seem to be enough so more and more consumers are looking to popular video rental service, Netflix, for their entertainment needs. The problem is that Netflix content isn’t legally available in South Africa and it’s likely for the same reason that the local iTunes store lacks TV and some movie content: licensing restrictions. Brett Haggard, writing for htxt.africa a week or so ago, pointed this out:

Right now, we’re told by inside sources at the big pay TV service providers on the continent (take a guess who, I mean, there aren’t all that many to choose from) that the digital rights for the popular television series we all crave so badly haven’t been signed, sealed and delivered to any one party as yet. Our sources tell us that, should anyone express any interest in bringing that content to the continent in a digital form, the big pay TV service providers will have the first shot at the action, in effect blocking the attempts of other players to get their hands on vital content licenses.

What this means is that the only legitimate means of obtaining much of the TV content (and probably the movies missing from the South African iTunes store) is through the local pay TV providers. The reason is what appear to be exclusive or pre-emptive content licensing deals the local paid TV providers have struck with the content producers or distributors. In many respects, this is the same issue we faced when the iTunes store was not yet available in South Africa (or, at least, where certain content or channels are not available here) and which I wrote about in my 2009 post titled “Legalities of US iTunes Store vouchers in South Africa”:

What does this mean? Well, the license granted to users is the set of permissions that give users the lawful right to consume that content. This is primarily a copyright issue. The content available in the store is owned by 3rd party content creators, publishers and other rights holders. They own the content and, through a license, grant users the right to consume the content.

So, for example, a music company owns the rights to an album that is available for sale in the iTunes Store. This means it likely owns copyright in that album and the bundle of rights that give it the exclusive rights to do various things with the content. In the absence of a license from the music company, you may not do much with the music. The license contained in the iTunes terms of service grants you permission to buy the album and consume it. In this case the license comes from Apple which was, in turn, licensed by the music company to sell the album to you under the license in Apple’s terms of service. It is a little complicated but the bottom line here is that the license in the iTunes terms of service is a series of permissions and restrictions. One of those restrictions is the geographical limitation of the iTunes Store’s availability. What that means is that if you purchase content from the iTunes Store in violation you are doing so in breach of the license and that, in turn, is a breach of copyright and is illegal. It is also a breach of your contract with Apple in the form of the terms of service and Apple could effectively cut your access to the Store and potentially the content you purchased from the Store.

Netflix users face a similar challenge and for similar reasons. The document which governs much of a Netflix user’s service use is the Netflix Terms of Use which begins with the following:

Welcome to Netflix! We are a subscription service that provides our members with access to motion pictures, television and other audio-visual entertainment (“movies & TV shows”) streamed over the Internet to certain Internet-connected TV’s, computers and other devices (“Netflix ready devices”).

These Terms of Use govern your use of our service. As used in these Terms of Use, “Netflix service,” “our service” or “the service” means the service provided by Netflix for discovering and watching movies & TV shows, including all features and functionalities, website, and user interfaces, as well as all content and software associated with our service.

These Terms of Use cover a broad range of issues relating to your service use but if you skip to about halfway down, to section 6 titled “Netflix Service”, you will read these key clauses (parts c, e and f, respectively – I have highlighted the key sections):

You may view a movie or TV show through the Netflix service only in geographic locations where we offer our service and have licensed such movie or TV show. The content that may be available to watch will vary by geographic location. Netflix will use technologies to verify your geographic location. YOU MAY WATCH ON UP TO SIX UNIQUE AUTHORIZED NETFLIX READY DEVICES AND THE NUMBER OF DEVICES ON WHICH YOU MAY SIMULTANEOUSLY WATCH IS LIMITED. Go to the change plan information in the “Your Account” page to see the number of devices on which you may simultaneously watch. The number of devices available for use and the simultaneous streams may change from time to time at our discretion without notice.

You agree to use the Netflix service, including all features and functionalities associated therewith, in accordance with all applicable laws, rules and regulations, including public performance limitations or other restrictions on use of the service or content therein. You agree not to archive, download (other than through caching necessary for personal use), reproduce, distribute, modify, display, perform, publish, license, create derivative works from, offer for sale, or use (except as explicitly authorized in these Terms of Use) content and information contained on or obtained from or through the Netflix service without express written permission from Netflix or its licensors. You also agree not to: circumvent, remove, alter, deactivate, degrade or thwart any of the content protections in the Netflix service; use any robot, spider, scraper or other automated means to access the Netflix service; decompile, reverse engineer or disassemble any software or other products or processes accessible through the Netflix service; insert any code or product or manipulate the content of the Netflix service in any way; or, use any data mining, data gathering or extraction method. In addition, you agree not to upload, post, e-mail or otherwise send or transmit any material designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment associated with the Netflix service, including any software viruses or any other computer code, files or programs.

The availability of movies & TV shows to watch will change from time to time, and from country to country. The quality of the display of the streaming movies & TV shows may vary from computer to computer, and device to device, and may be affected by a variety of factors, such as your location, the bandwidth available through and/or speed of your Internet connection. You are responsible for all Internet access charges. Please check with your Internet provider for information on possible Internet data usage charges. Netflix makes no representations or warranties about the quality of your watching experience on your display. The time it takes to begin watching a movie or TV show will vary based on a number of factors, including your location, available bandwidth at the time, the movie or TV show you have selected and the configuration of your Netflix ready device.

In other words:

  • Content availability is limited by geography (almost certainly because of the sorts of licensing deals Haggard alluded to in his htxt.africa article);
  • Netflix will use verification technologies to confirm you are in the country you say you are in (this is to help Netflix ensure it complies with its licensing obligations to its content providers);
  • You agree not to circumvent measures Netflix puts in place to limit access to its service or to make use of the content other than as permitted by these Terms of Use;
  • As we have seen with the local iTunes store, the range of content that is available in different regions will vary from country to country.

As with iTunes, there are ways to circumvent Netflix’s technologically-enforced geographical restrictions but having the capability to access Netflix’s content doesn’t equate to permission to access it. If you lack permission to access the Netflix content you lack a license to access that content and unlicensed or unauthorised access to the Netflix content is copyright infringement. In legal terms, this is tantamount to torrenting the content. The main difference is that consumers who go to the lengths of spoofing their locations to sign up to use Netflix are, at least, paying for the content. That should count for something but it doesn’t change the legalities of not complying with Netflix’s Terms of Use.

If you are accessing Netflix from South Africa, you are infringing copyright and likely to be branded a “pirate”. At least you’re paying.

You are a soldier in Google’s Cold War with Facebook for social dominance

Shifting Publicity Policies

Between Facebook and Google, these two companies have voluntold[1] us that we are now part of their sales teams. It started with Facebook’s announcement on 29 August 2013 that it intends amending its Statement of Rights and Responsibilities (I’ll call it the “Statement” below) and the Data Use Policy which included an expanded section describing what personal information it intends using to, essentially, sell products and services using you to make that happen. Before I go into more detail, it’s important to note something about how these policy changes bind you.

Whenever services like Google and Facebook explain changes to policy frameworks and their terms and conditions, they explain that they won’t use your personal information in certain ways unless you give them permission to do so. They don’t but this is really just a ruse. You have already given them permission when you signed up to use the service and your permission takes the form of privacy policies that include your agreement that they can amend the policies and other terms and conditions pretty much at will. If they are going to be truly transparent, they should say something along the lines of –

unless you give us your permission to do so (which you have already, so thanks for that)

The underlying dynamic that likely drives Facebook’s and Google’s amendments to their policy and terms frameworks is that we users tend to place more value on recommendations from our friends and family. Facebook and Google’s advertising and promotional models (as well as a number of other services that personalise ads) are increasingly designed to manufacture these recommendations using our activities on the various services without the need for us to actively apply our minds to what we are recommending and what we choose not to. At the moment, the dominant model is one in which we choose to signify our approval of a brand, product or service by Liking or +1’ing it. These changes start to make those actions less important as a recommendation signal and are made possible through contractual models which include privacy policy frameworks and terms and conditions.

How You Are Selling for Facebook

The current Statement includes the following clauses under “About Advertisements and Other Commercial Content Served or Enhanced by Facebook” –

Our goal is to deliver ads and commercial content that are valuable to our users and advertisers. In order to help us do that, you agree to the following:

  1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name and profile picture in connection with that content, subject to the limits you place.
  2. We do not give your content or information to advertisers without your consent.
  3. You understand that we may not always identify paid services and communications as such.

Note that you have already given your permission for Facebook to use “your name and profile picture” in connection with ads and sponsored content. The new, proposed version goes even further and may (it hasn’t been finalised yet) state the following:

Our goal is to deliver advertisings and other commercial or sponsored content that are is valuable to our users and advertisers. In order to help us do that, you agree to the following[2]:

  1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or relatedthat content (such as a brand you like) served or enhanced by us, subject to the limits you place[3]. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.[4]

  2. We do not give your content or information to advertisers without your consent.

  3. You understand that we may not always identify paid services and communications as such.

The other changes to the Statement addressed issues such as software installation, dispute resolution and a reminder that using mobile data could incur charges. The proposed changes to the Data Use Policy are pretty extensive and you have to read through the whole document to get a sense of the overall picture. For example, one of the edited clauses states the following:

As described in “How we use the information we receive,” We we also put together data from the information we already have about you,and your friends, and others, so we can offer and suggest a variety of services and features. For example, we may put together data about you to determine make friend suggestions, pick storieswhich for friends we should show you in your News Feed, or suggest people you to tag in the photos you post. We may put together your current city with GPS and other location information we have about you to, for example, tell you and your friends about people or events nearby, or offer deals to you in which that you might be interested in. We may also put together data about you to serve you ads or other content that might be more relevant to you.

Further down the marked up Data Use Policy, under part IV, one of the paragraphs begins with the following:

When we deliver ads, we do not share your information (information that personally identifies you, such as your name or contact information) with advertisers unless you give us permission.

It then goes on to describe how Facebook personalises ads. It is a very interesting read because it describes, in a fair amount of detail, how Facebook uses your personal information to sell relevant ads. It is a powerful model and the proposed changes, which allow Facebook to incorporate more of your personal information into what are effectively personal endorsements, are likely to be even more lucrative for Facebook.

The comment period for these changes closed on the 7th of September and we will have to wait and see to what extent these proposed changes will be applied. Of course these changes are not isolated. Facebook made a number of additional announcements recently which reinforce this trend.

The first change was fairly innocuous. On 30 September, Facebook published a post titled “Graph Search Now Includes Posts and Status Updates” which is fairly self-explanatory –

Starting today, Graph Search will include posts and status updates. Now you will be able to search for status updates, photo captions, check-ins and comments to find things shared with you.

Search for the topics you’re interested in and see what your friends are saying, like “Dancing with the Stars” or “Posts about Dancing with the Stars by my friends.”

The next announcement which attracted more interest was the announcement on 10 October which was styled as a reminder and is titled “Reminder: Finishing the Removal of an Old Search Setting” –

Last year we announced the removal of an old setting called “Who can look up your Timeline by name?” along with new controls for managing content on Facebook.

The search setting was removed last year for people who weren’t using it. For the small percentage of people still using the setting, they will see reminders about it being removed in the coming weeks.

Whether you’ve been using the setting or not, the best way to control what people can find about you on Facebook is to choose who can see the individual things you share.

More publicly shared profile data coupled with all that profile data being indexed by Facebook’s powerful Graph Search means that even more users’ personal information becomes accessible for use in personalised ads with the only limitation being selective sharing by choosing whether to share updates publicly or with friends (this can be further delineated using friends lists if you use them). Assuming Facebook’s proposed changes to its Statement and Data Use Policy are implemented (and they likely will be, in some form or another), you can expect even more personalised ads that include what appear to be more personal recommendations from your Facebook connections. It is both very sneaky and, at the same time, very clever and you have agreed to this (whatever this turns out to be) already.

Yes, You Work for Google Too

Google’s approach is far more nuanced than Facebook’s and users do appear to have an option to opt-out of its personalisation model (and it is an opt-out, you are opted-in by default). The changes were announced on 11 October in a document that summarises the changes that Google will implement on 11 November 2013. In contrast to Facebook’s governance model which still allows for some degree of community involvement, Google tends to announce changes and implement them without much public consultation. Google explains its “Shared Endorsements” model as follows:

We want to give you – and your friends and connections – the most useful information. Recommendations from people you know can really help. So your friends, family and others may see your Profile name and photo, and content like the reviews you share or the ads you +1’d. This only happens when you take an action (things like +1’ing, commenting or following) – and the only people who see it are the people you’ve chosen to share that content with. On Google, you’re in control of what you share. This update to our Terms of Service doesn’t change in any way who you’ve shared things with in the past or your ability to control who you want to share things with in the future.

Feedback from people you know can save you time and improve results for you and your friends across all Google services, including Search, Maps, Play and in advertising. For example, your friends might see that you rated an album 4 stars on the band’s Google Play page. And the +1 you gave your favorite local bakery could be included in an ad that the bakery runs through Google. We call these recommendations shared endorsements and you can learn more about them here.

When it comes to shared endorsements in ads, you can control the use of your Profile name and photo via the Shared Endorsements setting. If you turn the setting to “off,” your Profile name and photo will not show up on that ad for your favorite bakery or any other ads. This setting only applies to use in ads, and doesn’t change whether your Profile name or photo may be used in other places such as Google Play.

If you previously told Google that you did not want your +1’s to appear in ads, then of course we’ll continue to respect that choice as a part of this updated setting. For users under 18, their actions won’t appear in shared endorsements in ads and certain other contexts.

For greater control over your experience with ads on Google, you can also use Google’s Ads Settings tool to manage ads you see. Learn more.

The main change to Google’s Terms of Service is this insertion under the heading “Your Content in our Services”:

If you have a Google Account, we may display your Profile name, Profile photo, and actions you take on Google or on third-party applications connected to your Google Account (such as +1’s, reviews you write and comments you post) in our Services, including displaying in ads and other commercial contexts. We will respect the choices you make to limit sharing or visibility settings in your Google Account. For example, you can choose your settings so your name and photo do not appear in an ad.

Google users can opt-out of this option and a help page explains the process. An interesting part of the process is the following (I highlighted the interesting bit):

Go to the Shared Endorsements setting page. If you are not already a Google+ user, you will be asked to upgrade your account.

Why is this interesting? Because it is a pretty devious way to persuade more Google services users to “upgrade” their Google accounts to Google+ accounts and integrate deeper into the broader Google platform. Driving Google+ user adoption (in other words, persuading users to activate Google+ integration) is how Google is going to make meaningful inroads into Facebook’s dominance on the social Web. It is Google’s metaphorical arms build up in its battle with Facebook for dominance on the social Web and for a larger stake in the social marketing space.

I imagine that even if you opt-out of the Shared Endorsements program, you will still see personalised ad suggestions. Reducing the likelihood of your personal information being used to personalise ads will probably require browsing the Web anonymously or, at the very least, reviewing your privacy settings very carefully and customising them to suit your preferences.

Caught in the Cross-Fire

When the media covers these sorts of changes, the implication tends to be that personalisation is bad and should be resisted at all costs. That isn’t necessarily the case. If you accept that you will be faced with ads in a service you find truly useful and don’t pay for, being presented with more relevant ads is probably going to enhance your experience of those ads. The real question is whether users have meaningful control over their personal information and can opt-out of personalised ads and still have use of these services. I think that answer will increasingly become “no” as more and more functionality becomes dependent on your participation, willing or not.

Facebook frequently talks about features it is removing and which were only used by a small percentage of users. Most recently one of those features is the option of not being included in Graph Search. The fact that so few users have enabled that option says more about how aware users are of these sorts of “features” and whether they are adequately informed about their value. The answer is overwhelmingly “very few” and “definitely not”. For the most part, users just want to post fun photos and videos and share stuff. They don’t think about how their rights are affected and that only changes when there is significant attention on major changes. To combat this, services like Google and Facebook have adopted the legal equivalent of stealth weapons and make use of nuanced language, misdirection and selective emphasis to deflect attention from the problematic changes.

What we see is a sort of war by proxy between the major social services in which users could find themselves fuelling various services’ efforts to gain market share without being aware of much more than more personalised ads and being prodded to “upgrade” their accounts to take advantage of the new flashy options. For so long as users feel they benefit more than they are prejudiced, this deal works for them but the challenge has always been whether users are aware of the extent to which their options are being limited and they are being traded for bigger weapons in this digital battlefield. The answer for the most part is “no” and that is not likely to change any time soon.


  1. It’s a made-up word for what happens when you sort of volunteer and are also told that you are signing up for something, especially when you don’t usually have much choice.
  2. I have marked up the proposed edits with strikethrough for deletions and bold for insertions.
  3. Isn’t this an interesting deletion?
  4. This is a challenging one. If you are under the age of 18 in South African law you may lack the legal capacity to agree to this so the consent Facebook takes may still amount to a violation of children’s rights to privacy.