Say you’ve come across a discount online retailer promising a steal on hand-stitched espadrilles for spring. You start setting up an account by offering your email address – but before you can finish, there’s a ping on your phone. A text message. You read it and respond, then return to the website, enter your birth date, click “F” for female, agree to the company’s terms of service and carry on browsing.
But wait: What did you just agree to? Did you mean to reveal information as vital as your date of birth and email address? Most of us face such decisions daily. We are hurried and distracted and don’t pay close attention to what we are doing. Often, we turn over our data in exchange for a deal we can’t refuse.
Alessandro Acquisti, a behavioural economist at Carnegie Mellon University in Pittsburgh, studies how we make these choices. In a series of provocative experiments, he has shown that despite how much we say we value our privacy – and we do, again and again – we tend to act inconsistently.
Acquisti is something of a pioneer in this emerging field of research. His experiments can take time. The last one, revealing how Facebook users had tightened their privacy settings, took seven years. They can also be imaginative: He has been known to dispatch graduate students to a suburban mall in the name of science. And they are often unsettling: A 2011 study showed that it was possible to deduce portions of a person’s Social Security number from nothing but a photograph posted online. He is now studying how online social networks can enable employers to illegally discriminate in hiring.
Acquisti, 40, sees himself not as a nag, but as an observer holding up a mirror to the flaws we cannot always see ourselves. “Should people be worried? I don’t know,” he said with a shrug in his office at Carnegie Mellon. “My role is not telling people what to do. My role is showing why we do certain things and what may be certain consequences. Everyone will have to decide for themselves.”
Those who follow his work say it has important policy implications as regulators in Washington, Brussels and elsewhere scrutinise the ways that companies leverage the personal data they collect from users. The Federal Trade Commission last year settled with Facebook, resolving charges that it had deceived users with changes to its privacy settings. State regulators recently fined Google for harvesting emails and passwords of unsuspecting users during its Street View mapping project. Last year, the White House proposed a privacy bill of rights to give consumers greater control over how their personal data is used.
Acquisti has been at the forefront, testifying in Congress and conferring with the FTC. David C Vladeck, who until recently headed the agency’s Bureau of Consumer Protection, said Acquisti’s research on facial recognition spurred the commission to issue a report on the subject last year. “No question it’s been influential,” Vladeck said of Acquisti’s work.
Companies, too, are interested; Microsoft Research and Google have offered Acquisti research fellowships. Overall, his research argues that when it comes to privacy, policymakers should carefully consider how people actually behave. We don’t always act in our own best interest, his research suggests. We can be easily manipulated by how we are asked for information. Even something as simple as a playfully designed site can nudge us to reveal more of ourselves than a serious-looking one.
Too much confidence
“His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” says Woodrow Hartzog, an assistant professor of law who studies digital privacy at Samford University in Birmingham, Ala. “We have too much confidence in our ability to make decisions.”
This is perhaps Acquisti’s most salient contribution to the discussion. Solutions to our leaky privacy system tend to focus on transparency and control – that our best hope is knowing what our data is being used for and choosing whether to participate. But a challenge to that conventional wisdom emerges in his research. Giving users control might be an essential step, but it might also be a bit of an illusion.
If iron ore was the raw material that enriched steel baron Andrew Carnegie in the Industrial Age, personal data is what fuels the barons of the Internet age. Acquisti investigates the trade-offs users make when they give up that data and who gains and who loses in those transactions. Often there are immediate rewards (cheap sandals) and sometimes intangible risks downstream (identity theft). “Privacy is delayed gratification,” he warned.
As the Web matured and became more commercialised, he grew increasingly concerned about Web services that demanded real names. He questioned why companies should track the online behaviour of users in order to tailor their ads. These concerns led him to his only foray into a business enterprise. In 2002, with a pair of fellow graduate students at Berkeley, he made a cryptographic tool that would allow people to make purchases anonymously from e-commerce sites. He quickly realised, however, that even though consumers claimed to want privacy, they didn’t want to pay for it. The startup failed. His interest in privacy economics deepened.
To think about privacy more clearly, he argues, technologists need to understand human behaviour better. With that end in mind, he will teach next fall in a new, interdisciplinary one-year master’s programme at Carnegie Mellon called privacy engineering. “The technologist in me loves the amazing things the Internet is allowing us to do,” he said. “The individual who cares about freedom is concerned about the technology being hijacked, from a technology of freedom into a technology of surveillance.”
At Carnegie Mellon, where he landed in 2003, he investigated the question with Facebook users. He started tracking a cohort of more than 5,000 people, most of them undergraduates at the time. He noticed that although people revealed more and more of their personal history – responding to Facebook’s prompts about whether, say, they had just had a baby or had voted – they were also restricting who could see it. Over time, they were, on the whole, less likely to let “everyone” see their date of birth, for instance, and what high school they had attended.
Experiments like this have their limits and are open to different interpretations. This study, for instance, focused largely on college undergraduates who might have become cautious about who could see information about them as they approached graduation and prepared to enter the job market.
Aiming to learn how consumers determine the value of their privacy, Acquisti dispatched a set of graduate students to a mall on the outskirts of Pittsburgh. To some shoppers, the students offered a $10 discount card, plus an extra $2 discount in exchange for their shopping data. Half declined the extra offer – apparently, they weren’t willing to reveal the contents of their shopping cart for a mere $2.
To other shoppers, however, the students offered a different choice: a $12 discount card and the option of trading it in for $10 if they wished to keep their shopping record private. Curiously, this time, 90 percent of shoppers chose to keep the higher-value coupon – even if it meant giving away the information about what they had bought.
Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks