Privacy

Survey says: People do care about their privacy

Finally, someone asked users how important it was to remain private while online. Michael Kassner shares what the research team found, including some surprises.

Opinions on how private our online life "should be" are diverse. From former Google CEO Eric Schmidt's famous or infamous (you decide) statement: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

To Facebook, who decided to replace "privacy" with "data use" in their statement: "Your privacy is very important to us. We designed our Privacy Policy Data Use Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information."

Then there's law enforcement. In a story that startled just about everyone, the New York Times described how law-enforcement agencies asked telco providers for subscriber information 1.3 million times last year: "AT&T alone now responds to an average of more than 700 requests a day, with about 230 of them regarded as emergencies that do not require the normal court orders and subpoena. That is roughly triple the number it fielded in 2007."

The article quotes Peter Modafferi, chief of detectives for the Rockland County district attorney's office in New York: "At every crime scene, there's some type of mobile device. The need for the police to exploit that technology has grown tremendously, and it's absolutely vital."

Are we forgetting someone?

What do users say?

Last time I checked there were over two-billion people using computers and mobile devices to access the Internet. Why isn't any one asking them what's important when it comes to online privacy? It's their information after all.

It seems a group of researchers were wondering the same thing. Jennifer M. Urban, Chris Jay Hoofnagle, and Su Li, members of the Berkeley Center for Law and Technology, published "Mobile Phones and Privacy," a paper that addresses my concern: "Mobile phones are a rich source of personal information about individuals. Both private and public sector actors seek to collect this information."

The paper continues:

As these developments receive greater attention in the media, a public-policy debate has started concerning the collection and use of information by private and public actors.

To inform this debate and to better understand Americans' attitudes towards privacy in data generated by or stored on mobile phones, we commissioned a nationwide, telephonic (both wireline and wireless) survey of 1,200 households focusing upon mobile privacy issues.

Now we're talking. Still, surveys make me nervous. I struggled through enough statistics classes to be cautious. So I asked the researchers about the responder-selection process. They provided all the details I could ask for. Here are the highlights:

A combination of landline and cellular random digit dial samples were used to represent all adults in the continental United States who have access to either a landline or cellular telephone. All samples were provided by Survey Sampling International, LLC and abided by Princeton Survey Research Associates International specifications.

Interview procedures:

Interviews were conducted from January 27-February 12, 2012. As many as seven attempts were made to contact every sampled telephone number. Sample was released for interviewing in replicates, which are representative subsamples of the larger sample.

Calls were staggered over times of day and days of the week to maximize the chance of making contact with potential respondents. Each phone number received at least one daytime call when necessary.

Internet users:

Once a potential respondent was on the phone, interviewers then identified those who use the Internet. A total of 1,510 contacts were made while getting 1,203 internet users. Respondents who were not Internet users were asked certain demographic questions necessary for weighting the data. After the weighting these cases were dropped.

Survey says

The results are interesting enough that I'd like to share them with you along with additional comments made by the team. There are two questions at the end where I asked for additional information.

Figure 1: "We think it uncontroversial that Americans consider information on their home computers to be "private" and thus comparing its relative privacy to mobile phone data is likely to garner useful information about how private Americans consider that data to be."

Figure 2: "We hypothesized Americans would respond differently if the information on the mobile phone were protected by a password. To test this, we asked whether officers should be able to guess the password on a password-protected phone without permission from a court or whether they should have to get permission from a court prior to guessing the password."

Figure 3: "We asked respondents if they provided their cell phone number to a cashier, should the store be able to call them later to offer more information about products and services."

Figure 4: "We asked about two scenarios. First, whether respondents would be willing to share contact list information on their phones with a social networking app so the app provider could suggest more connections. Second, whether respondents would be willing to share contact list information with a coupons app they already chosen to download so it could also offer coupons to people included in the contacts list."

Figure 5: "We asked how long wireless service providers should retain the location data they collect about wireless phones on their network."

The following graph surprised me. I thought users might like location-relevant ads. So I asked the research team if they had any thoughts as to why the respondents were adamant about not providing location data.

Figure 6: "The survey was not setup for comments, so we don't have details on why respondents answered the way they did.

It is consistent with our 2009 survey where we found a majority of adult Americans (60%) do not want marketers to tailor advertisements to their interests.

Moreover, when Americans are informed of three common ways that marketers gather data in order to tailor ads, higher percentages (80%) say they would not want such advertising. It is also consistent with our other findings about location information from this survey."

I read all the time that younger adults are not concerned about privacy. That doesn't seem to agree with what the researchers found. So, I asked them about it.

Figure 7: "Our hypothesis was:

Younger adults are more likely to use smartphones, and are more likely to use phones for purposes like social networking and web browsing. That could indicate they are more comfortable with the privacy risks of these uses, and could also indicate that they are more likely to be interested in the benefits offered in our coupon and contact list scenarios.

However, this is not what we found. First, large majorities of all respondents consider data on their phones to be at least as private as data on home computers, and younger adults were no exception. In fact, those under 45 were more likely to respond that data on phones was more private than data on home computers."

As I was reading the paper, I noticed a lack of legalese -- the researchers are highly-qualified legal experts -- for that I was thankful. Then:

As it is, services are sometimes resistant to clearly explaining the privacy implications of services. This means that in addition to ex ante interventions such as clearer disclosures and choice mechanisms, consumers should have ex post remedies that allow them to exit these exchanges whole.

Swallowing my ego, I asked what the above paragraph meant:

We're suggesting that consumer protection in privacy generally attempts to better prepare consumers for transactions by giving them information about what to expect, but once those exchanges occur, consumers have few ways to address situations where companies act opportunistically.

For instance, one could read the privacy policy of Facebook in 2005 and decide to enroll in the service, but then have no effective remedy years later when Facebook changes its default settings to make more data available to more people. We need to think about giving consumers remedies post-transaction in order to make it possible for users to leave these services.

I had one final question for the research team. I wondered if anything in the results surprised them. Here's what they said:

Almost all courts allow police officers to search phones of arrested persons, no matter what the underlying crime is or whether the officer has evidence that the phone is relevant to the crime.

For us, it was most surprising that a large majority of Americans (76%) supported requiring officers to get permission from a court prior to searching a mobile phone when a person is arrested.

Conclusions

Here are the researcher's conclusions:

  • The market has produced few realistic, privacy-protective alternatives to the dominant privacy-invasive online services.
  • Greater transparency and consent requirements could help, but only if consumers can make decisions that align with their preferences.
  • The gulf between private-sector information demands and consumer preferences suggest that better disclosures and choice mechanisms will only preserve the status quo.
  • Aggressive interventions are necessary to create incentives for firms to reduce collection of personal information.
  • Privacy tradeoffs are not clear; consumers need the ability to change their minds and walk away from a service.

Final thoughts

I am thankful to the research team. Finally, someone asked the ones who count for their opinion.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

24 comments
Professor8
Professor8

Part of the problem is that the thinking of different surveyors is different. They're going to ask different questions, in different order, and get what ssseeeeeem to be conflicting results. Is "mobile device data" more, less, or as secure as data on desk-tops? Which data? There's no constant collecting of location sitting on the desk-top device to be tapped at later convenience. Sure, there's location data, but it's nowhere near as precise nor constantly updated. Should such location data be stored on desk-top devices, or stored on devices to which they connect on the net? Of course not... and yet they are. Is location data nearly frequently updated and very precise on mobile devices? Usually, yes. Of course they should not be, and yet they are. How long should phone companies keep your location? Milliseconds. Set up the connection, then delete. Update it, then delete. It shouldn't remember for longer than it takes to send/receive a few packets. For every ad you send, you've got to pay $20, and then index that for inflation, what with QEn, and I may increase my charges from time to time without notice and on an individual basis, e.g. to cope with especially obnoxious ads, maybe to charge extra for op-eds which are actually thinly disguised ads (which TR/ZD/CBS has been getting worse and worse about lately), to charge hospitals and specific employees thereof extra for exporting personal private information out of the building or out of state or out of the country or to any government officials or functionaries. Should "officers" or any other guberment thugs and nosies get permission before obtaining and recording in detail personal private information? Of course, that's what the US constitution, and many state constitutions strictly require. But corrupt judges and other government thugs usually ignore those explicit requirements for the sake of their own convenience. They should be locked away with the rest of the general jail/prison population for a few days for each and every such violation. Building up to the level of "probable cause" must be done by personal observation by multiple people, not with surveillance devices, taps, cameras, audio-recorders, etc. Should a store be able to call your phone? Once, and with that contact should be delivered information precise enough to include the location of the calling device and connected human, that human's "supervisor", the executive of the contractor in many cases, the executive in charge of the division of the firm behind the call, their home phone numbers and addresses, etc. Should they be able to find out your phone's or similar device's number or equivalent? Hardly ever. Should the government be able to find out your phone or other device's number? Hardly ever. What's good for the government is good for the citizenry. You want to know where we sleep, we have to know where all of you sleep. You want to know down to the inch where each of us was born, then we should have ready access down to the inch where every government official was born (or whipped up in the lab), etc. You want your domestic paramilitary squads to drive tanks and carry anti-tank weaponry paid for with our earnings, then we should be able to do the same. Would I allow apps to collect my contact info? Well, one app -- my "keep friends' and relatives' contact info" app, whose data store should not be accessible by anyone or anything else at all.

ed
ed

I hope these surveyors didn't try to contact me and get rebuffed. If I was less than friendly, I'm sorry. I'd love to have participated, but I've about had it with phone calls that pretend to be surveys and then end up presenting information about a product or a candidate, issue, etc. Our landline may go days without a call from a "real" person, but we'll get close to a dozen of these "surveys" or "questions" a week. Many of them are pretty blatant attempts to get around the "Do Not Call" list. My current solution is to have the landline go to the answering machine after two rings, expecting that anyone who really wants to communicate with us will leave a message. Good article, Michael

hacker_jack
hacker_jack

What your headline should say is that "When people are asked directly the say they care about privacy". The truth is somewhat different as we all know. It's not that most people don't care, more that most people don't ever even think about whether to care or not. Even after being informed they rarely think about it on a regular basis.

Elteto
Elteto

I also suspect that many mobile users are not fully aware of just how much information they share. Survey respondents may incorrectly think they are effectively guarding their privacy through certain choices they make, or they may even say they are guarding their privacy to make themselves feel better after realizing--through taking the survey--that they are over-sharing. Whenever an app offers an easy and convenient social sharing function, users tend to take advantage of it before going through a lengthy thought process of just what they are agreeing to. It is sort of a virtual/social peer pressure. Everyone else is doing it, and you are not cool or up to speed if you are not participating.

wizard57m-cnet
wizard57m-cnet

Nothing scientific, but I have a feeling that a lot of people will answer a survey question differently from the way they behave in the actual circumstance. For instance, how many of those responders that answered "do not allow" on the question of cell phone apps collecting your contact data have already installed apps on their phones and blindly clicked "agree" when presented with the question (if presented at all) to allow access to your contacts? Many people will answer survey questions in a way that gives the impression that they are careful with their personal information, when in reality they are careless!

Craig_B
Craig_B

Good Points guys. It seems then we have a problem in that the people's expectations are that they have some privacy however the businesses do whatever they want and even though people had the expectation, they soon just go along with the crowd and give up. It seems the only solution is more laws to change things, sigh...

da philster
da philster

If you are not comfortable putting your personal information on a highway billboard, then don't put it on a device. Simple.

hippiekarl
hippiekarl

'user data'-sharing recipients; ie as long as the NSA et al are on that list (companies B,C, and D), data-gathering/dissemination policies are going to stay as they are--and only a few users (the commodity itself!) are really bothered by it. Most users (and data-pimps know *this* much about human nature), although 'upset' or 'bothered', will do nothing more than complain amongst themselves a bit in private (or, in the case of survey respondents, to academia)...users have shown, time and again as data-policies change out from under those under which they signed-up, that they whine a little *but continue to use the 'service'*. FB et al know their users better than the users know themselves! The FB faithful aren't going to quit until or unless they hear that all 5 to 50,000+ of their e-friends are quitting, too. Instead, they simply make the conscious and sub-conscious adjustments to 'assumed surveillance' that allow them to continue with their little hobby, or convienience, or e-social life. These adjustments to their outlook, knowing about themselves that they permit ongoing violations of their person and privacy, help them keep their composure when asked to 'show their papers' to some authority (for having carried a day-pack or somesuch), or while being felt up in public in the airport. They are learning to accept and accomodate all manner of privacy/freedom violations under the comical rubric of 'their overall security'. I don't think their discomfiture or rebellion goes much farther than venting at the water cooler, though, about privacy or anything else; if it did, policies would change overnight (as would TSA abuses, again) if users were to enact, say, a week-long boycott of the service in question..... (edit): EOR, and thank you for another interesting column, Michael!

Craig_B
Craig_B

Thanks for the information. Maybe privacy policies need to use some real world examples, like this, assume you are User A and Company A is the company you are using for a service: Example Policy: Using this service User A's searches we be stored for 2 years with Company A and provided to Company B, C, D. during this period. User A's contacts will be scanned and things you like with the service will automatically be offered as ads to all your contacts, which will also be stored with Company A for 2 years. When you terminate your account, no additional data will be created however all existing data will remain for a period of 2 years. Basically show the results or actions of agreeing to the polices upfront and not just burried in legalize in a 20 page document several sub-links from the sign up form. Of course as mentioned we need a way to deal with changes to the policies. Policy Change: We will be saving data for 3 years and sharing it with the Government. If you wish to continue with this service, please confirm by... or your account will be terminated. All this seems to come down to, inform people what is going on and allow them to make choices (opt-in) as opposed to hide what you are doing and automatically sign up (opt-out). It seems like this conversation will go back and forth until enough people complain and new laws are created to fix the situation as companies may try to take advantage of you.

Michael Kassner
Michael Kassner

All good points. I guess my main thought remains; at least someone finally asked users for their opinion.

Michael Kassner
Michael Kassner

That is one reason I like my mobile. I have an app that filters. I also have Google Voice setup giving me more options than the typical landline.

Michael Kassner
Michael Kassner

You may be right, but how are you going to prove it? I see that as a problem with all surveys. Kind of like quantum theory, where measuring is enough to alter the activity.

Michael Kassner
Michael Kassner

I was in a discussion group that debated whether it was better to enlist the advice of friends via social media or research a product on the Internet (reviews and company adverts). I wonder if the unconditional acceptance of a privacy policy is the results of taking advice from non-expert friends.

Michael Kassner
Michael Kassner

I will forward your question to the research team. And post here with the answer.

Michael Kassner
Michael Kassner

I know intelligent people that listen to me, then ignore all of it. I guess everyone is doing their own risk assessment -- with can't happen to me winning most the time.

gscratchtr
gscratchtr

is also known as "letting the market decide"

Michael Kassner
Michael Kassner

History proves you right. Have you looked into the psychology behind it at all? I'm trying to find research on that aspect, as it is certainly fascinating.

HAL 9000
HAL 9000

[b]Company B, C, D. during this period[/b] will not be included in the Fair Usage Policy. They are are free to do as they please with the data that they are given by Company A and do not have to directly do anything to get approval from User A. Officially Company B C or D are free to do what they please with User A's details and you have better believe that they will be sharing that data with other companies so what User A originally signed up for and accepted is meaningless when Companies E F G H I J K L M N O P Q R S T U V W X Y Z and others get passed that data to do as they please with. Provided that the Governments are reasonable which none currently are they will be getting the same information from many sources all around the world and building up their Surveillance Lists on whoever is of interest to them. So you join Face Book Today and by tomorrow Russia, China and Cuba will likely have your details to do as they please with and not one of them has any Acceptable Usage Policy to comply with. ;) Col

Michael Kassner
Michael Kassner

I think you have a good idea. The research team was concerned about that, but what concerned them more was the lack of transparency when companies made policy changes.

hippiekarl
hippiekarl

the mark(et) is psychologically directed to 'its choice', and has no inkling that it was led. (Do you see what I did there?) ;)

Michael Kassner
Michael Kassner

Do you feel that an informed market would react the same?

hippiekarl
hippiekarl

introduction to the societal psychology of marketing both products (sales) and ideas (propaganda). Equally interesting is the list of some of his famous clients. That should help, provided I spelled his last name correctly (I just woke up)!

Michael Kassner
Michael Kassner

I recently read that Google is at least now requiring that developers must design their app to give the ad networks the same permissions as the app gets. I would have thought that was a given from the start.