CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

Look Out for These 3 Red Flags Before Downloading an App

Here's what you need to watch out for.

Shelby Brown Editor II
Shelby Brown (she/her/hers) is an editor for CNET's services team. She covers tips and tricks for apps, operating systems and devices, as well as mobile gaming and Apple Arcade news. Shelby also oversees Tech Tips coverage. Before joining CNET, she covered app news for Download.com and served as a freelancer for Louisville.com.
  • She received the Renau Writing Scholarship in 2016 from the University of Louisville's communication department.
Shelby Brown
5 min read

Don't download new apps without checking for these warning signs.

Sarah Tew/CNET
12 Days of Tips logo

If you don't read an app's terms of service agreement or privacy policy before you accept it, you're not alone. Research shows that very few people actually take the time to dive into the text and see just what an app or website is asking them to agree to. 

In one study, participants unknowingly agreed to give a fictional company their future firstborn children. These lengthy documents aren't always designed to be understood, other researchers have concluded. Even as companies like Apple and Google add new ways to stop apps from tracking you across iOS and Android, it's still important to pay attention to what you're agreeing to every time you download something new.

"The option of reading through the terms of service or privacy policy is not easy. It's not accessible," said Nader Henein, a senior research director and fellow of information privacy at Gartner. "If you've had lawyers write up the policy, there's a good chance that someone without a law degree and a good half hour of time to dedicate to it will not be able to decipher exactly what it's asking for." 

But don't worry -- we can help. Here are three red flags to look out for before you hit "agree" on a terms of service agreement to download an app or use a service. 

1. How complex is the app's privacy policy or terms of service?

In legal disputes over privacy policy and terms of service documents, many cases don't make it to litigation because there's no expectation that someone is actually going to read the fine print, Henein said. There's also no expectation that a reader will have the necessary training to understand the policy even if they did, he added. 

Apps with complex policies that bury exactly what a person is agreeing to (such as sharing their data with third parties) is disingenuous on the part of the company and should be avoided, Henein said. 

"If the language is complex, and you read the first paragraph and it makes no sense to the average person, that tells me that the company really hasn't considered people into the equation," Henein said. "You need to be on your guard." 


View an app's specific settings to double-check your privacy options. 

Jason Cipriani/CNET

2. Does it mention an 'implicit agreement'?

Policies that want an implicit agreement or implicit consent should raise a red flag. This means that you don't actually "give" your consent, but your consent is implied by a certain action or situation. Henein says this would look like a terms of service agreement that says "by browsing this webpage you agree to A, B and C." He said this type of language isn't enforceable and shouldn't be enforceable.


What permissions does accepting a service agreement grant the apps on your phone? 

James Martin/CNET

3. Is the app monetized by collecting and selling your data?

What a policy agreement says aboutdata collection is another important factor to consider before hitting download, according to Engin Kirda, a professor at Northeastern University's Khoury College of Computer Sciences. Going hand in hand with this is how the app makes money, Kirda said -- particularly if it's free to download. 

Monetizing an app with ads can mean it's providing a better service, but it can also mean that it's profiting by selling your data. There's a difference between collecting some necessary information to help the app be useful versus collecting lots of information that is sold to third-party advertisers -- or could potentially be stolen.

Other warning signs to watch for

While it's important to know what's in a policy agreement, Kirda said there are other red flags you can spot without reading the document. Another major red flag is what permissions an app requests: For example, a calculator app doesn't need access to your microphone or location. Also, pay attention to whether you can use the app after denying any permissions, he added. Asking for unnecessary permissions can signal nefarious activity like an app having access to your call logs or gathering data from your Wi-Fi connections, for example.

Michiel de Jong, one of the volunteers at Terms of Service; Didn't Read -- a grassroots project where anybody can help collaboratively review the terms and policies of any website -- said it's important to see that a policy won't be allowed to change at random.

"A lot of services will reserve the right to change the policy the day after you sign up and never comply with the version you read when you signed up," de Jong said.

In addition, de Jong said to be on the lookout for sites that make you sign a class action waiver -- which means they can sue you, but you can't sue them.


Privacy policies don't always mean an app will keep your data private. 

Angela Lang/CNET

Don't panic. You still have some control

To help you grapple with the legal jargon of service agreements and privacy policies, Henein suggested downloading the Terms of Service; Didn't Read browser extension, which digests the documents that might be asking for your compliance and turn them into something quick and readable. ToS;DR sorts privacy policies and website terms into different classes, with Class A being very good and Class E being the worst. In addition to the class score, contributors can rate sections of the terms as Good, Bad, Blocker or Neutral

For example, Google is rated Class C by the site for having the ability to read a user's private messages, track a user on other websites, and more. Stack Overflow was rated Class E for its third-party tracking practices, requiring a class action waiver and more. 

Watch this: Top 5 Reasons to Use a VPN

Henein noted Microsoft as a good example of how to present website terms: The tech company outlines its privacy policy in about three pages, which are broken into sections for structure and clarity. 

"Privacy policies should be written by a layperson and reviewed by a lawyer, not the other way around," Henein said. "The expectation now is that privacy policies should get as much focus in their drafting and design as the rest of the site. They're not something that's a necessary evil -- it's part of the overall site, because it's meant to be the commitment you're making to individuals regarding how you're going to handle their personal information."

In addition to ToS;DR, de Jong suggested DuckDuckGo's Privacy Essentials browser extension. The service combines data from ToS;DR with data from several other sources about encryption, trackers and more. LegiCrowd is another project demystifying terms of service that the ToS;DR team is collaborating with, but de Jong said it's aimed more toward researchers. 

Tosback.org is a site that keeps change logs of legal policies, sometimes going back years, according to de Jong. The project was started by the Electronic Frontier Foundation, but is now part of ToS;DR. 

Watch this: Let's talk about why privacy settings are a problem