There was always reason to suspect that many people who sign up for online services never so much as glance at privacy policies -- which tend to be written in dense, nearly undecipherable, language.
But most of the support for that idea has been anecdotal.
Now, researchers at Michigan State University and the University of Connecticut have conducted a study that attempts to scientifically prove whether people read online privacy policies and other notifications.
The results strongly suggest that most people don't even attempt to do so.
For the study, "The Biggest Lie on the Internet," researchers gave 543 communications undergraduates the opportunity to test "Namedrop," a fictional social networking service.
The terms of service themselves contained two unusual clauses. One provided that all data could be shared with outside companies -- including ones that could assess eligibility for jobs and loans. The second unfamiliar clause said that participants agreed to give up their first born child to the site.
All of the participants clicked a box stating they agreed to all conditions -- strongly indicating that no one read the terms of service.
"The results of this study suggest that individuals often ignore privacy and terms of service policies for social networking services," the authors write. "If communications scholars-in-training cannot be bothered to read [social networking service] policies, let alone demonstrate concern about the implications of ignoring notice opportunities, it seems likely that the general public would commonly ignore policies as well."
The lead author, Michigan State University's Jonathan Obar, says in a letter to the Federal Communications Commission that the results cast doubt on the so-called "notice and choice" framework for online privacy. That model requires companies to notify consumers about how their data is collected and used, and allow them to opt out of certain uses.
"Transparency and access are terrific places to start, but terrible places to finish," Obar writes. "More needs to be done to ensure that users are aware of what they are agreeing to, and protected from threats associated with data sharing and data use."