Nobody reads privacy policies before joining a platform like Facebook or Google. They constitute thousands of words of legalese, a construction that literally requires a law degree to parse and begin to understand. It’s frightening to consider that most of us are signing away our rights when we click “accept” on those terms and conditions.

But you know what’s even worse? About half of Americans don’t even recognize that privacy policies are a binding contract between websites and their users in the first place.

The findings come courtesy of a new report by Pew Research, which polled 4,727 U.S. adults with a straightforward, 10-question test. It checked for basic knowledge about phishing, online advertising, and cookies. Only 20% of people answered 7 of 10 questions correctly. Just as devastating? Only 2% of people got all 10 questions right.

One of the questions that was answered incorrectly most often was “Privacy policies are contracts between websites and users about how those sites will use their data.” That’s a big one! Twenty-five percent of respondents answered incorrectly, and another 27% weren’t sure. It’s simply crazy to comprehend that half of America doesn’t even realize they’re entering a legal contract when tapping away at that text, a contract which typically signs away all sorts of personal privacy rights.

The least-understood question, however, was about protecting your privacy from hackers. Fifty-five percent of people couldn’t identify an example of two-factor authentication (which is when you might use a password to log into a service like Twitter, but then Twitter also texts your phone to double check it’s you—the two-factor just adds a second step to proving your identity). Two-factor authentication is basically the gold standard in simple account protection that everyone can enable on most of their important services like email and social media. It’s not perfect, but it’s pretty effective at stopping a hacker who has gotten a hold of your password and wants to load your account from halfway across the world. Simply put, people need to know two-factor exists and use it.

The final, most disappointing finding was about private modes in web browsers, like Chrome’s Incognito mode. Only a quarter of people recognized that these modes only protect your data from being seen by other people on your own computer, and that they didn’t necessarily shield all other forms of trackers (like, for instance, your internet service provider, which can see everywhere you visit on your phone or laptop!). That means about 75% of all Americans don’t get that Incognito mode isn’t protecting them.

It’s easy to blame people in these situations. Get educated about technology already! Learn your privacy rights! Isn’t it obvious all that legalese constitutes a binding contract? But the fact is, people are pretty smart when given the right opportunity. Everyone you know understands, more or less, how to use relatively complicated platforms like email and social media. They understand both how to pull the levers and what those levers do. What they don’t understand is who might be watching those levers being pulled, why they’re allowed to be watching, and for what purpose they are watching in the first place.