Michael Kassner interviews two privacy researchers who feel we are spending too much to understand privacy policies.
After 4727 words and significant mental effort, I managed to grasp most of the Facebook changes. One particularly interesting alteration was the wholesale replacement of "privacy" with "data use." For example:
"Your privacy is very important to us. We designed our to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information."
All in all, it was worth the sacrifice, as I enjoyed a pleasant (free) lunch with my friend while explaining Facebook's revisions.
Who reads them?
It seems I'm too late. Two privacy experts already figured it out. In the United States during 2008, reading privacy policies cost companies and individual users 781 billion dollars. My son, a business guru, said that figure is more than some states' GDP.
Dr. Aleecia M. McDonald and Dr. Lorrie Faith Cranor are the two who came up with the surprising figure. And their paper The Cost of Reading Privacy Policies uses a novel approach - diligent reading of privacy policies should be considered a cost:
"In this paper we explore a different way of looking at privacy transactions. What if online users actually followed the self-regulation vision? What would the cost be if all American Internet users took the time to read all of the privacy policies for every site they visit each year?"
Now I'd like to share some of the paper's results. The first slide graphs the privacy-policy word count of the 75 most popular websites:
"Economics literature suggests time should be valued as salary plus overhead, which is the value corporations lose. In the United States, overhead is estimated as twice the rate of take home pay.
Through revealed-presences and willingness-to-pay studies, studies estimate people value their leisure time at one quarter of their take home pay."
For March of 2008, the Bureau of Labor Statistics determined the average hourly wage to be 17.93 dollars. With that in mind, the researchers decided to use the following costs:
- At home: 4.48 dollars per hour
- At work: 35.86 dollars per hour
Next the two doctors determined how much time an individual - if diligent - would spend reading privacy policies in one year. Their results:
Finally, all the information was tossed into the hopper and here's what they came up with:
Kassner: Just to make sure, your research has determined the cost to read privacy policies is on the order of $781 billion using 2008 dollars?
McDonald: Yes, that was our estimate for the United States. We measured how long it takes to read and skim privacy policies. We estimated how many privacy policies US Internet users would need to read for all of the sites they visit in a year. Then we used economic estimates of how much their time would be worth, both at work and as leisure time. Putting that all together, we had an estimate of $781 billion as the value of peoples' time to read privacy policies in the United States, in 2008.
Kassner: In the paper's conclusion, were you trying to point out Internet users would read privacy policies if the time-cost was reduced?
McDonald: More Internet users might read privacy policies if policies took less time to read, but even doubling or tripling the rate of users who read privacy policies would still end with a very low readership rate. Improving the format only goes so far. But privacy policies are not going to go away, either, and even one percent of Internet users is a lot of people affected if we can make privacy policies work better.
Kassner: The paper was written in 2008, has anything changed since then?
McDonald: The idea for this paper came in 2007 when I heard someone interviewed say, "we know people don't care about privacy because they don't bother to read privacy policies." I think that notion has been put to rest: many people do care very much about their privacy, but reading privacy policies is an unworkable general solution. The Notice and Choice approach asks people to spend as much time reading policies as they do using the web. It does not work.
Now in 2012, I hear people talk about the benefits of privacy policies in terms of how the process of creating privacy policies helps companies think through their policies, how they create a legal minimum standard, and how they are useful for a very few, very dedicated people who read policies and highlight unusual practices in the press.
We were not the first authors to point out privacy policies are a huge burden on users. There is fantastic scholarship on how hard it is to read privacy policies written in legal jargon and technical jargon, and that users feel there is no point reading policies when they cannot make choices.
What was new in 2008 was that our findings suggest if you were able to cure those defects and write in plain English, that wouldn't help enough. We need a new plan. Since our work, there is solid progress on getting users more useful information by rethinking privacy notices altogether.
The Internet has changed over the past four years as well, with more third-party data gathering and more Americans online. If we were updating the study we would need to include the time to read policies from the approximately 120 third-parties that most Americans run across in a year, and multiply by more Americans online.
The second big change is a huge surge in mobile Internet use, often from cell phones. We could update with time estimates for how much longer it would take to read website policies on a tiny screen, but we cannot do a good job estimating the time to read privacy policies for mobile apps. That is because right now, the majority of mobile apps do not have privacy policies.
Thanks to work from the California Attorneys General that will change soon, and if we talk again in a few years it will be a different story again.
Kassner: Now for the tough question. If you had the ability to fix the problems surrounding user privacy while online, what would you do?
McDonald: That is an ambitious question! It is not as if there were an optimal level of privacy for all people, or if people want the same privacy in all contexts. It's so personal and particular. Let me give you a metric for how we know we are there, rather than an answer.
We can say we have "fixed" data privacy when users are able to make choices about how their data is collected and used, in ways that let them make tradeoffs and set the right level of privacy for them at that time. We will have some exceptions to picture: someone who had a car repossessed may not want a potential lender to know that, but for public policy reasons, they won't get to hide their mistakes on that one. But overall, privacy is fixed when people can make good choices for themselves.
Obviously we aren't spending 200 hours a year reading privacy policies. Does that mean we aren't being diligent or is it because privacy policies are so complex it's a waste of time to read them?
Thank you Dr. McDonald and Dr. Cranor for the thought-provoking research.