Is It True Nobody Reads the T&Cs?

By Lucy Purdon, adapted for the IX audience from her original Substack article.

In 2014, a group of security researchers set up a free Wi-Fi hotspot in and around busy London stations to conduct a novel experiment. Before connecting to the hotspot, members of the public had to accept the Terms and Conditions (T&Cs) for using the service. In return for free Wi-Fi, the user agreed to assign their first born child to the Wi-Fi provider “for the duration of eternity”. Referred to in the T&Cs as the “Herod Clause," it was a stunt to highlight the lack of awareness of public Wi-Fi security issues, and the fact that nobody reads the small print.

Also known as Terms of Service, Terms of Use, User Agreements or Service Agreements, it is true that most are a case of clicked-accept-but-didn’t-read. According to a 2024 Ofcom survey, between half and two-thirds of users reported signing up to online platforms without reading the T&Cs. No wonder, with Microsoft’s combined T&Cs and privacy policy in Europe clocking in at a hefty 22,360 words, estimated to take at least two hours to read. 

Not only are they lengthy, they’re also complex. In 2018, the BBC undertook a readability test of the T&Cs and privacy policies of 15 popular websites and found they were written at a university reading level and more complicated than Charles Dickens’ A Tale of Two Cities. This is a problem, especially given that some of these websites allow users as young as 13.

An Ethical AND a Legal Mess

This alone could be a breach of data protection rules, which require a clear explanation of how companies are using data. Article 12 of GDPR says that communications to individuals about their data must be presented in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". Expectations are further outlined by the UK’s Information Commissioner’s Office (ICO) Age Appropriate Design Code, likely to be updated in light of increased protection for children under the The Data (Use and Access Act) 2025 which came into force on June 19th. 

There have been attempts to address overly complex T&Cs and contracts generally in order to protect consumers from signing up to something they don’t understand. The UK Consumer Rights Act (2015) includes a transparency requirement, mandating that the terms of consumer contracts are expressed in plain language.

On the government side, The US Plain Writing Act of 2010 required federal agencies to communicate in clear language and mandated all staff undergo “plain language” training. The goal was to ensure government documents are easy to read, enhancing public understanding and trust in institutions. 

So Who Does Read the T&Cs?

Eagle-eyed readers of T&Cs are likely digital rights advocates and journalists mainly looking out for what data is being collected and with whom it is shared, which has led to some memorable discoveries.

When the first smart TVs with voice recognition went on sale in 2015, Samsung’s policies warned users "If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." This was interpreted by many to read “IT’S OUT OF CONTROL, RUN FOR YOUR LIVES.” Warning people not to have sensitive conversations in front of the TV gave the impression that Samsung was not fully in control of their own creation.

A good catch by journalist Samantha Cole in 2022 forced the period tracking app Stardust to change their privacy policy. At a time of heightened tension and increased reproductive surveillance just after Roe v. Wade was overturned, when women feared their menstrual data could be used to investigate or prosecute abortions, the company seemed happy to hand over data on periods to law enforcement without a warrant. Being tone deaf to your customer base is a theme we will return to.

And in 2023, Mozilla Foundation found in the small print of some connected car policies that they had gone full voyeur and collected information about the driver’s sex life, taking all the fun out of back seat canoodling.

In the AI Era, T&Cs Are Receiving Renewed Scrutiny

Now, with the majority of tech companies figuring out how to capitalise on the vast amount of data collected over many years and pivot their business model to cash in on the AI goldrush, updates to T&Cs reveal clues about future business plans and test the limits of what users are willing to accept. 

On July 1st, WeTransfer notified customers about an update to their T&Cs regarding licensing which included utilizing user content for possible new technologies such as “machine learning models that enhance our content moderation process”. This was widely interpreted to mean that WeTransfer could capture any content transferred over the WeTransfer platform and use it to train their AI models. For free, as the clause also specifies there would be no compensation for this.

WeTransfer is a platform that allows very large digital files to be sent quickly and is used by the creative industries to send design/illustration files, photos and videos. The creative industries are VERY sensitive to their work being used to train AI models and this update came across as tone deaf to the concerns of their core customer base. The backlash was instant after the offending article was published widely on social media, with users making it clear this was not OK and they would be shuttering their accounts.

WeTransfer apologized and amended their policy to be clearer, saying:

“Such a feature [machine learning for content moderation] hasn’t been built or used in practice, but it was under consideration for the future. To avoid confusion, we’ve removed this reference.”

Online conferencing platform Zoom tried something similar back in 2023 when it updated its T&Cs to allow the company to use customer data to train AI models “with no opt out” and rolled it back after intense customer backlash.

A misunderstanding when T&Cs/privacy policies are written in inaccessible language for the average user is one thing, but are companies legally allowed to use data collected to train AI models?

The implications for copyright are an issue currently being played out in court in both the US and UK. Once again, data protection is having to do some of the heavy lifting, where the use of data for training AI hinges on consent. From recent examples, users are not clear what they are consenting to and they don’t like what they see. 

The flood of AI tools coming to market, particularly agents, will demand access to a wide range of personal information and data points and users need to be crystal clear about what this means. The ICO already had a word with Microsoft regarding the “Recall” tool embedded into Co-Pilot after the “privacy nightmare” of it taking screenshots of a user desktop every few seconds.

Tick the Box to Do Better

Does it have to be like this? Volunteer projects like “Terms of Service; Didn't Read” (ToS;DR) provide legal analysis of T&C’s/Privacy Policies and assign a score. Ranking Digital Rights provides an annual index and analysis of the transparency and trends of the world's largest platforms. 

But it is on the companies themselves to commit to using plain language and stop hiding controversial elements of the business in the T&Cs with the presumption that it provides legal cover and anyway no-one will notice. Legal protection for a wide range of liabilities relating to a wide range of services does not lend itself to simplicity in online platforms’ T&C’s. But lengthy and complex T&Cs can lead to confusion and misunderstanding among users, which is ultimately bad for business. Investing in co-creation of terms of service, where users play a role from beginning to end and centering those most impacted, could go some way to improve understanding and trust. 

We are still in a space of resistance figuring out what AI means in our lives—what it will give and what it will take. Giving users a raw deal might work in the short term, but could backfire in the longer term as competition increases. Time to tick that box to accept we can do better. 

IEEE Just Standardised Inclusive Language 🎉 🥳

IEEE SA has published a new standard, IEEE 3400-2025, aimed at improving the use of inclusive language in its technical documents. It covers everything from policies and procedures to code and machine-readable formats. The standard provides guidance for identifying and replacing outdated or non-inclusive terms, along with a list of preferred alternatives. Created by the Inclusive Language Working Group, it’s part of a broader push to make technical communication clearer and more respectful.

From the Group Chat 👥 💬

This week in our Signal community, we talked about:

OpenAI’s announcement of its most advanced open-weight models, allowing developers, governments, and nonprofits to run and customize AI systems on their own infrastructure, and framed as supporting “democratic values” and “the global buildout of AI on US-led rails.” But should countries aiming to build sovereign LLMs be concerned if the foundation model is Gemini, Llama, or ChatGPT? And is OpenAI still co-opting the word “open” without following the Open Source Initiative’s definition of open source to troll them? We’re just asking questions.

This Week's Links

Open Social Web

• The next major version of Ghost has arrived, and the 6.0 release has upgrades and improvements including built in distribution across federated platforms and a native analytics suite. https://ghost.org/changelog/6 
• At FediCon 2025, Evan S. Prodromou gives a keynote talk on Connecting the Social Web. https://spectra.video/w/eg35Kne91oEHcgyfvQWMhM 

Internet Governance

• Senator Edward J. Markey released a discussion draft of legislation that would address the national security risks posed by ByteDance’s ownership of TikTok without banning it. https://www.markey.senate.gov/news/press-releases/senator-markey-releases-discussion-draft-of-legislation-to-keep-tiktok-online-and-protect-national-security 
• Downloads of VPNs have surged in Britain since new age‑verification rules came into force designed to prevent children from accessing pornography and harmful content. https://www.ft.com/content/915d380a-7d1f-46b3-9dcb-536e832114fd?shareType=nongift 
• Does your AI model fall under the EU AI Act? As of August 2, 2025, new rules apply to general-purpose AI (GPAI) models, with some exemptions for research and open-source projects. This guide helps developers understand their obligations and how to comply. https://huggingface.co/blog/yjernite/eu-act-os-guideai 
• The report Funding Europe’s Open Digital Infrastructure outlines a roadmap for an EU Sovereign Tech Fund to support critical open source technologies key to Europe's digital sovereignty, cybersecurity, and competitiveness. https://eu-stf.openforumeurope.org 
• The internet depends on aging and expanding undersea infrastructure, at the same time the submarine cable industry faces challenges in maintenance, security, and sustainability. This report by TeleGeography and Infra-Analytics, with contributions from Tim Stronge, Alan Mauldin, and Michael Ruddy, explores what’s needed to keep the world connected beneath the waves. https://www2.telegeography.com/hubfs/LP-Assets/Ebooks/The%20Future%20of%20Submarine%20Cable%20Maintenance_%20Trends%2c%20Challenges%2c%20and%20Strategies.pdf 
• Canada’s algorithmic impact assessments reveal major accountability gaps, with limited compliance, no civil society input, and a tendency to frame negative impacts positively, find Ana Brandusescu & Renée E. Sieber. https://link.springer.com/article/10.1007/s44206-025-00221-7 
• Since April 7, 2024, China’s Great Firewall (GFW) has started blocking QUIC connections to certain domains, despite the encryption of QUIC handshake packets. This study investigates how the GFW censors QUIC. https://gfw.report/publications/usenixsecurity25/data/paper/quic-sni.pdf 
• The W3C Advisory Board has published a W3C Statement the document Vision for W3C, which articulates W3C’s core vision for the Web. https://www.w3.org/news/2025/vision-for-w3c-is-a-w3c-statement 
• Meta is replacing fact-checkers with a crowdsourced notes system, but early tests show it rarely works. https://www.washingtonpost.com/technology/2025/08/04/meta-fact-check-community-notes-test-facebook-instagram 
• ETSI advances new standards to support trusted, interoperable, and AI-ready data sharing across sectors. https://www.etsi.org/newsroom/press-releases/2569-etsi-moves-forward-with-standards-for-trusted-interoperable-data-ecosystem 
• President Trump's administration has instructed US diplomats in Europe to lobby against the Services Act, which they say stifles free speech and imposes costs on US tech companies. https://www.reuters.com/sustainability/society-equity/rubio-orders-us-diplomats-launch-lobbying-blitz-against-europes-tech-law-2025-08-07 
• New EU-backed research project will assess how Pornhub, XVideos, and XNXX comply with the Digital Services Act, focusing on user safety, content moderation, and performer protections. https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/tender-details/149afd0b-26bf-435f-a95d-0c0f94e6de6d-EXA 

Digital Rights

• Israel used Microsoft’s Azure cloud to store and analyze millions of Palestinians’ phone calls daily, enabling mass surveillance and targeted military actions from a system built with the tech giant’s support. Satya Nadella reportedly even met with the commander of Israel’s military surveillance agency. https://www.theguardian.com/world/2025/aug/06/microsoft-israeli-military-palestinian-phone-calls-cloud 
• A jury found that Meta violated the California Invasion of Privacy Act when it recorded the sensitive health information of millions of women through the period tracking app Flo. https://www.courthousenews.com/meta-violated-privacy-law-jury-says-in-menstrual-data-fight 
• The Trump administration is pushing for access to state-held data from food stamps, Medicaid, and voter rolls. Critics fear it could be used to surveil immigrants and political opponents. CDT’s Elizabeth Laird quoted saying information held by the states “is the largest piece of that [data] puzzle.” https://www.nytimes.com/2025/08/01/upshot/trump-states-data-privacy.html 
• A forthcoming USENIX Security 2025 paper investigates the growing ecosystem of cheap, accessible, and heavily commercialized AI “nudification” tools that use generative AI to create non-consensual nude and sexual images, primarily of women. https://www.usenix.org/publications/loginonline/tools-and-tolls-ai-nudification-1 
• New report from Digitally Right and OONI sheds light on the July–August 2024 internet shutdowns in Bangladesh. https://ooni.org/post/2025-bangladesh-report/ 

Technology for Society 

• Wikipedia editors adopted a new policy giving an administrator the authority to quickly delete an AI-generated article that meets a certain criteria, helping manage the growing AI slop problem. https://www.404media.co/wikipedia-editors-adopt-speedy-deletion-policy-for-ai-slop-articles 
• Gone are the days when Google, Apple, Meta and Netflix were the dream destinations for tech workers. It’s the shut up and grind era as tech giants age into large bureaucracies writes Kate Conger. https://www.nytimes.com/2025/08/04/technology/tech-jobs-silicon-valley-changes.html
• Google, OpenAI, Meta and venture capitalists, many of whom had once forsworn involvement in war, have embraced the military industrial complex writes Sheera Frenkel. https://www.nytimes.com/2025/08/04/technology/google-meta-openai-military-war.html 
• Meta brought AI bots to rural Colombia through its apps, but instead of improving education, they're now being blamed for a decline in student exam performance. https://restofworld.org/2025/colombia-meta-ai-education 
• A new report from Project Liberty argues that data co-operatives offer a democratic, community-driven alternative to today’s centralized digital economy. https://www.thenews.coop/as-the-tech-revolution-accelerates-project-liberty-calls-for-mutualised-data 
• The Tucson city council voted unanimously against bringing the massive and water-devouring Project Blue data center, tied to tech giant Amazon, into city limits. https://azluminaria.org/2025/08/06/tucson-city-council-rejects-project-blue-amid-intense-community-pressure 
• At IETF 123, PhD students Haarika Manda and Hendrik Cech were awarded the Internet Research Task Force’s Applied Networking Research Prize for impactful work in applied internet research. https://www.ietf.org/blog/ietf123-anrp 
• Escape newsletter inbox chaos and algorithmic surveillance by building your own enshittification-proof newspaper with RSS from the writers you already read, suggests Molly White. https://www.citationneeded.news/curate-with-rss 

Privacy and Security

• AI chatbots lack the privacy protections we take for granted in therapy or medicine, raising urgent questions about encryption, data use, and model safety, writes Celine Liu. https://celinexinyiliu.substack.com/p/what-i-learnt-this-week-c96?r=5odpxh 
• A guide to making use of disposable email addresses to protect yourself from unwanted spam and phishing attempts in your personal email inbox, online tracking, and other forms of data abuse. https://privacyinternational.org/guide-step/5534/guide-making-use-disposable-email-addresses 

Upcoming Events

• The EFF Benefit Poker Tournament is back for DEF CON 33! Your buy-in is paired with a donation to support EFF’s mission to protect online privacy and free expression for all. August 8, 12pm PT. Las Vegas, NV. https://www.eff.org/event/betting-your-digital-rights-eff-benefit-poker-tournament-def-con-33

Careers and Funding Opportunities

United States

• Internet Society: Foundation Vice President of Philanthropy. Washington, DC (Remote). https://internetsociety.bamboohr.com/careers/294
• American Association of People with Disabilities: Technology Policy Associate. Washington, DC or Remote US. https://ats.rippling.com/en-GB/aapd-jobs/jobs/329e56b7-d03a-4a11-a4fa-9b28666e6d86 
• Consumer Reports: Lead AI / ML Engineer. Remote US. https://job-boards.greenhouse.io/consumerreports/jobs/4531209007 
• Partnership on AI (PAI): Head of Corporate Governance, Risk, and Responsible Practice. Remote US or CA. https://ats.rippling.com/en-GB/pai-job-board/jobs/af43b214-f5ab-4f9b-ae02-b34d8136fcb5 

Global

• UNESCO: Consultant (AI for the Public Sector). Paris, France. https://careers.unesco.org/job/Paris-Consultant-%28AI-for-the-Public-Sector%29/825474702 
• Digital Futures Lab: 
  • Senior Research Manager - Technology Policy & AI. Goa, India. https://www.digitalfutureslab.in/careers/senior-research-manager-technology-policy-and-ai 
  • Consultant: Capacity Strengthening Lead – Responsible AI. Location Flexible. https://www.digitalfutureslab.in/careers/consultant-capacity-strengthening-lead-responsible-ai
• Dutch Government (CIO Rijk): Deputy CTO Rijk / Coordinating Policy Officer. The Hague, Netherlands. https://www.werkenvoornederland.nl/vacatures/plaatsvervangend-cto-rijk-coordinerend-beleidsmedewerker-s14-BZK-2025-0527 
• Current AI: CEO. Paris, France. https://www.currentai.org/vacancy-ceo-current-ai 
• The Better Information Project: Executive Assistant. Remote Europe. https://careers.meliorefoundation.org/en/postings/84913943-292e-469e-83db-f9ad1d7de64e 
• Access Now: Senior Coordinator, Community Support & Accessibility - Limited term Contractor. Multiple Locations. https://accessnow.bamboohr.com/careers/226 
• Tech Equity: Chief Program Officer. Remote. https://techequity.us/our-team/chief-program-officer 
• New_ Public: Marketing Consultant, Local Lab. Remote. https://newpublic.org/jobs/marketing-consultant 

Opportunities to Get Involved

• Stand up for children’s rights in the digital classroom! Children aged 13–17 and based in the UK, can join the EdTech Youth Advisory Board to shape research, influence policy, and ensure tech in schools works for students, not against them. August 15. https://forms.office.com/pages/responsepage.aspx?id=FXmI014-yUuCgsvn4qzHYHFfpY5n5SZEjoTXEC93lthURjVKM1hFSElXM0k3TVhCTElZVUpaS1FXUiQlQCN0PWcu&route=shorturl 
• Apply to join the next cohort of India’s Digital Defenders Network and receive training, support, and opportunities to lead strategic litigation to protect online freedoms. India. Apply by August 17. https://ddn.sflc.in 
• Call for Proposals is now open for RightsCon 2026 until September 12. https://rightscon.secure-platform.com/a 

What did we miss? Please send us a reply or write to editor@exchangepoint.tech.