Thu, Aug 12 2010 7:42 PM

Privacy and the Illusion of Control

One of the keynote talks at the IFIP/PrimeLife Summer School last week was by Allesandro Acquisti from Carnegie Mellon University. He was talking about "Privacy and the Illusion of Control" and reporting on some of the research he had been doing into behavioural economics of privacy. I found this talk particularly fascinating and thought provoking. I'll attempt to write up a few of my notes on it below, and provide some links if you find it as interesting as I did.

One of the things Acquisti talked about in this keynote was a series of experiments he was involved in (and which you can read about in a paper here). What is privacy worth to people? A survey was conducted in a shopping mall of the shoppers coming past. As an incentive to fill out the survey, the shoppers were offered a VISA gift card when they were finished. Of course, as all these things go, the survey was not the real point of the experiment: it was the decision the shoppers made about the gift card.

The shoppers had the choice of:

  1. A gift card worth $12, the use of which was tracked ("no privacy"), or
  2. A gift card worth $10, but anonymous ("with privacy").

(The reasoning for the value is discussed in the papers.)

The researchers then added in another dimension:

  1. The shopper was given one certificate ("endowed"), then offered the choice to switch to the other, or
  2. The shopper was offered the choice between the two (the ordering of the choices was also randomised, so the $10 card could be offered first or second).

They also had a control where there was an anonymous $12 card and a tracked $10 card.

Although all participants had the ultimate choice between a $10 anonymised card and a $12 tracked card, the way that the questions were framed in the offering of the cards got the participants making a choice between selling their information to the researchers for $2, or paying the researchers in order to avoid giving away their purchasing information.

So, the results of the experiment were quite interesting. I will summarise them as follows:

  • 52.1% of shoppers endowed with the $10 card did not want to change their card to the $12 card after it was offered to them.
  • 42.2% of shoppers, given the choice between the $10 and the $12 card, with the $10 card presented first, chose the $10 card.
  • 26.7% of shoppers, given the choice between the $10 and the $12 card, with the $12 card presented first, chose the $10 card.

and perhaps surprisingly...

  • only 9.7% of shoppers endowed with the $12 card wanted to change to the $10 card after it was offered to them.

Acquisti explained that this shows that people can be "primed" to accept less privacy than otherwise might be available. There's also the importance of the endowment of a card: a significant number of people who were offered the $10 card upfront wanted to keep "their" card. This ownership feeling, Acquisti said, significantly biased shoppers' perceptions of the value of the card/their data.

I thought this was really interesting. People in this experiment were five times more likely to reject the extra $2 if they thought their privacy would be protected. Apparently (according to Acquisti) this goes against the status quo understanding that "ordinary people don't care about privacy". Unfortunately they weren't able to ask why people chose the card that they did, as they couldn't be involved with the experiment directly. However, what it does show is that many ways that people are offered privacy options are highly problematic. Waiting for people to discover privacy options in software "primes" people to accept lower levels of privacy if the defaults are set to be open. The mere fact that people don't request privacy options doesn't mean that they don't care about them.

This wasn't the end of the talk, as Acquisti went on to talk about his more recent research into the "Illusion of Control" over personal information, in which he presented some more recent research into how perceived control users had over their personal data caused them to actually reveal more about themselves than if they didn't. I won't go into the details of the study as much, but you can find an (as yet unpublished) paper on it here.

Essentially the outcomes of this study, which was done with university students revealing information about themselves that either would be published on a website (i.e. the user had a lot of perceived control over the information that could be published about them), or had a 50% chance of being published on a website (i.e. the user did not have as much perceived control, since it was random whether or not they would be published), found a couple of interesting things:

  • the more sensitive questions were less likely to be answered (all round), however:
  • if the student had more control (i.e. it would be published), more questions were answered
  • if the student had more control, more sensitive questions were likely to be answered

So this has some further interesting outcomes for privacy advocates: more control over publication of information doesn't necessarily mean that users will exercise that control to restrict their information -- in fact they are more likely to reveal more about themselves if they know that their information will be published than if they are uncertain!

Finally, Acquisti rounded off the talk with some very recent research into longevity of your good and bad deeds, and whether you were more likely to be judged by your past good or bad deeds. I haven't found a paper that I can link to about this, but if someone else can find one and let me know, that'd be great (I have a new comment system so even if you don't have a Twitter account you can now comment! Yay!).

In this research, Acquisti was looking at whether people pay more attention to bad information about someone than good information. That is, do someone's past bad deeds have more weight than someone's past good deeds?

Acquisti's team conducted an experiment with scenarios about a fictional person who did/did not report having found $10,000 5 years/12 months ago. There was also a neutral description about this person used as a control. The results were as follows:

  • neutral opinion on "do you like this person?": 4.5/7 on the "like" scale
  • reported $10,000 5 years ago: same as neutral opinion
  • reported $10,000 12 months ago: high on the "like" scale (5.5/7)
  • did not report (i.e. kept) $10,000 5 years ago: low on the "like scale (2.2/7)
  • did not report $10,000 12 months ago: disliked even more than the 5 year bad deed (1.9/7)

There were similar results for the question "would you want to work with this person?"

So the outcome from this was that old good information is not very important when someone judges you, but old bad information is very important. This, according to Acquisti, also works with companies and their reputations!

So: people who upload incriminating photos or write silly things on the internet: beware! Not only do we have a feeling that these sorts of things can come back to haunt you, there is some interesting work that shows that even if what you did was a long time ago, it'll still have a big impact on peoples' judgements about you.

What Acquisti is working on now is a series of experiments to determine whether good recent deeds can overwrite bad deeds. My gut feeling is that it really depends! For example: Bill Gates was fairly well reviled in many areas, yet his charitable contributions have been so immense that perhaps it might be worth looking past the anti-competitiveness and monopolisation, and the fact that he's the world's richest man. :) But for politicians? It might not be that simple. What price on forgiveness?

Fascinating stuff, and a fascinating talk! I look forward to finding out more about our attitudes to privacy and behaviour.



Comments

Add a Comment