Opinions on how private our online life “should be” are diverse. From former Google CEO Eric Schmidt’s famous or infamous (you decide) statement: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

To Facebook, who decided to replace “privacy” with “data use” in their statement: “Your privacy is very important to us. We designed our Privacy Policy Data Use Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information.”

Then there’s law enforcement. In a story that startled just about everyone, the New York Times described how law-enforcement agencies asked telco providers for subscriber information 1.3 million times last year: “AT&T alone now responds to an average of more than 700 requests a day, with about 230 of them regarded as emergencies that do not require the normal court orders and subpoena. That is roughly triple the number it fielded in 2007.”

The article quotes Peter Modafferi, chief of detectives for the Rockland County district attorney’s office in New York: At every crime scene, there’s some type of mobile device. The need for the police to exploit that technology has grown tremendously, and it’s absolutely vital.”

Are we forgetting someone?

What do users say?

Last time I checked there were over two-billion people using computers and mobile devices to access the Internet. Why isn’t any one asking them what’s important when it comes to online privacy? It’s their information after all.

It seems a group of researchers were wondering the same thing. Jennifer M. Urban, Chris Jay Hoofnagle, and Su Li, members of the Berkeley Center for Law and Technology, published “Mobile Phones and Privacy,” a paper that addresses my concern: “Mobile phones are a rich source of personal information about individuals. Both private and public sector actors seek to collect this information.”

The paper continues:

As these developments receive greater attention in the media, a public-policy debate has started concerning the collection and use of information by private and public actors.

To inform this debate and to better understand Americans’ attitudes towards privacy in data generated by or stored on mobile phones, we commissioned a nationwide, telephonic (both wireline and wireless) survey of 1,200 households focusing upon mobile privacy issues.

Now we’re talking. Still, surveys make me nervous. I struggled through enough statistics classes to be cautious. So I asked the researchers about the responder-selection process. They provided all the details I could ask for. Here are the highlights:

A combination of landline and cellular random digit dial samples were used to represent all adults in the continental United States who have access to either a landline or cellular telephone. All samples were provided by Survey Sampling International, LLC and abided by Princeton Survey Research Associates International specifications.

Interview procedures:

Interviews were conducted from January 27-February 12, 2012. As many as seven attempts were made to contact every sampled telephone number. Sample was released for interviewing in replicates, which are representative subsamples of the larger sample.

Calls were staggered over times of day and days of the week to maximize the chance of making contact with potential respondents. Each phone number received at least one daytime call when necessary.

Internet users:

Once a potential respondent was on the phone, interviewers then identified those who use the Internet. A total of 1,510 contacts were made while getting 1,203 internet users. Respondents who were not Internet users were asked certain demographic questions necessary for weighting the data. After the weighting these cases were dropped.

Survey says

The results are interesting enough that I’d like to share them with you along with additional comments made by the team. There are two questions at the end where I asked for additional information.

Figure 1: “We think it uncontroversial that Americans consider information on their home computers to be “private” and thus comparing its relative privacy to mobile phone data is likely to garner useful information about how private Americans consider that data to be.”

Figure 2: “We hypothesized Americans would respond differently if the information on the mobile phone were protected by a password. To test this, we asked whether officers should be able to guess the password on a password-protected phone without permission from a court or whether they should have to get permission from a court prior to guessing the password.”

Figure 3: “We asked respondents if they provided their cell phone number to a cashier, should the store be able to call them later to offer more information about products and services.”

Figure 4: “We asked about two scenarios. First, whether respondents would be willing to share contact list information on their phones with a social networking app so the app provider could suggest more connections. Second, whether respondents would be willing to share contact list information with a coupons app they already chosen to download so it could also offer coupons to people included in the contacts list.”

Figure 5: “We asked how long wireless service providers should retain the location data they collect about wireless phones on their network.”

The following graph surprised me. I thought users might like location-relevant ads. So I asked the research team if they had any thoughts as to why the respondents were adamant about not providing location data.


Figure 6: “The survey was not setup for comments, so we don’t have details on why respondents answered the way they did.

It is consistent with our 2009 survey where we found a majority of adult Americans (60%) do not want marketers to tailor advertisements to their interests.

Moreover, when Americans are informed of three common ways that marketers gather data in order to tailor ads, higher percentages (80%) say they would not want such advertising. It is also consistent with our other findings about location information from this survey.”

I read all the time that younger adults are not concerned about privacy. That doesn’t seem to agree with what the researchers found. So, I asked them about it.

Figure 7: “Our hypothesis was:

Younger adults are more likely to use smartphones, and are more likely to use phones for purposes like social networking and web browsing. That could indicate they are more comfortable with the privacy risks of these uses, and could also indicate that they are more likely to be interested in the benefits offered in our coupon and contact list scenarios.

However, this is not what we found. First, large majorities of all respondents consider data on their phones to be at least as private as data on home computers, and younger adults were no exception. In fact, those under 45 were more likely to respond that data on phones was more private than data on home computers.”

As I was reading the paper, I noticed a lack of legalese — the researchers are highly-qualified legal experts — for that I was thankful. Then:

As it is, services are sometimes resistant to clearly explaining the privacy implications of services. This means that in addition to ex ante interventions such as clearer disclosures and choice mechanisms, consumers should have ex post remedies that allow them to exit these exchanges whole.

Swallowing my ego, I asked what the above paragraph meant:

We’re suggesting that consumer protection in privacy generally attempts to better prepare consumers for transactions by giving them information about what to expect, but once those exchanges occur, consumers have few ways to address situations where companies act opportunistically.

For instance, one could read the privacy policy of Facebook in 2005 and decide to enroll in the service, but then have no effective remedy years later when Facebook changes its default settings to make more data available to more people. We need to think about giving consumers remedies post-transaction in order to make it possible for users to leave these services.

I had one final question for the research team. I wondered if anything in the results surprised them. Here’s what they said:

Almost all courts allow police officers to search phones of arrested persons, no matter what the underlying crime is or whether the officer has evidence that the phone is relevant to the crime.

For us, it was most surprising that a large majority of Americans (76%) supported requiring officers to get permission from a court prior to searching a mobile phone when a person is arrested.

Conclusions

Here are the researcher’s conclusions:

  • The market has produced few realistic, privacy-protective alternatives to the dominant privacy-invasive online services.
  • Greater transparency and consent requirements could help, but only if consumers can make decisions that align with their preferences.
  • The gulf between private-sector information demands and consumer preferences suggest that better disclosures and choice mechanisms will only preserve the status quo.
  • Aggressive interventions are necessary to create incentives for firms to reduce collection of personal information.
  • Privacy tradeoffs are not clear; consumers need the ability to change their minds and walk away from a service.

Final thoughts

I am thankful to the research team. Finally, someone asked the ones who count for their opinion.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday