Privacy decisions are prone to error

Updated: 2013-04-07 07:43

By Simini Sengupta (The New York Times)

  Print Mail Large Medium  Small 分享按钮 0

 Privacy decisions are prone to error

Intriguing experiments by Alessandro Acquisti, a behavioral economist at Carnegie Mellon University, suggest that people often reveal more than they mean to online and that the main cause of this practice is distraction. Jeff Swensen for The New York Times

In a series of provocative experiments, a researcher has shown that despite how much people say they value their privacy, they tend to act inconsistently.

Alessandro Acquisti, 40, a behavioral economist at Carnegie Mellon University in Pittsburgh, has shown that, over all, when it comes to privacy, people don't always act in their own best interest. They can be easily manipulated by how they are asked for information.

"The technologist in me loves the amazing things the Internet is allowing us to do," said Mr. Acquisti, who noted that he is an early adopter of technology himself. "The individual who cares about freedom is concerned about the technology being hijacked, from a technology of freedom into a technology of surveillance."

In 2003, Mr. Acquisti started tracking more than 5,000 Facebook users, most of them undergraduates. He noticed that although the users revealed more and more of their personal history - responding to Facebook's prompts about whether, say, they had just had a baby or had voted - they were also restricting who could see it. Over time, they were, on the whole, less likely to let "everyone" see their date of birth, for instance, and what high school they had attended.

The study suggested at least that some people valued their privacy enough to seek out the social network's evolving settings and to block strangers from seeing what they had posted.

To learn how consumers determine the value of their privacy, Mr. Acquisti dispatched a set of graduate students to a mall. To some shoppers, the students offered a $10 discount card, plus an extra $2 discount in exchange for their shopping data. Half declined the extra offer - they weren't willing to reveal the contents of their cart for a mere $2.

To other shoppers, however, the students offered a different choice: a $12 discount card and the option of trading it in for $10 if they wished to keep their shopping record private. This time, 90 percent of shoppers chose to keep the higher-value coupon - even if it meant revealing what they had bought.

The results offered a window into the tricks minds can play. If we have something, we are more likely to value it. If we don't have it at the outset, we aren't likely to pay extra to acquire it.

In one of Mr. Acquisti's most intriguing experiments, he summoned student volunteers to take an anonymous survey on vice.

The participants were asked whether they had ever stolen anything, lied or taken drugs. Some were told that their answers would be published in a research bulletin, others were asked for explicit permission to publish those answers, and still others were asked for permission to publish the answers as well as their age, sex and country of birth.

Those who were offered the least control over who would see their answers seemed most reluctant to reveal themselves: among them, only 15 percent answered all 10 questions. Those who were asked for consent were nearly twice as likely to answer all questions. And among those who were asked for demographic information, every single person gave permission to disclose the data, even though those details could have allowed a complete stranger a greater chance of identifying the participant.

Mr. Acquisti took note of the paradox: fine-grained controls had led people to "share more sensitive information with larger, and possibly riskier, audiences."

"What worries me," he said, "is that transparency and control are empty words that are used to push responsibility to the user for problems that are being created by others."

That sense of control can be undermined in other ways, too, principally by distractions.

In a study called "Sleights of Privacy," Mr. Acquisti's subjects were divided into two sets of two groups. Each group was asked to evaluate professors and was given questions about cheating. In the first set, half were told that only other students could see their answers; the others were told that faculty members, as well as students, could see the responses. As one might expect, the group with student-only viewers was more forthcoming than the group with student and faculty viewers.

With the other set of students, Mr. Acquisti offered the same questionnaire - but played a little trick. After again explaining the rules and procedures, he asked an unrelated question: Would they like to sign up to receive information from a college network? That little distraction had an impact: This time, the two subgroups were almost equally forthcoming in their answers.

Had the distraction made them forget? No. In exit interviews, they remembered the rules, but they behaved as though they didn't. "You remember somewhere in your brain," is how Mr. Acquisti put it, "but you kind of pay less attention to it."

A host of distractions - e-mails, tweets, text messages - can hinder our sense of self-protection when it comes to privacy.

Those who follow Mr. Acquisti's work say it has important policy implications as regulators in Washington, Brussels and elsewhere scrutinize the ways that companies leverage the personal data they collect from users.

The Federal Trade Commission in the United States last year settled with Facebook, resolving charges that it had deceived users with changes to its privacy settings. American state regulators recently fined Google for harvesting e-mails and passwords of unsuspecting users during its Street View mapping project.

Mr. Acquisti has been at the forefront, testifying in the United States Congress and conferring with the F.T.C.

"His work has gone a long way in trying to help us figure out how irrational we are in privacy related decisions," says Woodrow Hartzog, an assistant professor of law who studies digital privacy at Samford University in Birmingham, Alabama. "We have too much confidence in our ability to make decisions."

In 2011, Mr. Acquisti took snapshots with a webcam of nearly 100 students on campus. Within minutes, he had identified about one-third of them using facial recognition software. In addition, for about a fourth of the subjects whom he could identify, he found out enough about them on Facebook to guess at least a portion of their Social Security numbers.

Facebook can be especially valuable for identity thieves, particularly when a user's birth date is visible to the public.

"I reveal my date of birth and hometown on my Facebook profile and an identity thief can reconstruct my Social Security number and steal my identity," Mr. Acquisti said, "or someone can send me 'happy birthday' messages on the day of my birthday, which makes me feel very good."

Facebook, for its part, has said that users can control who sees their information on the network.

Mr. Acquisti is on Facebook. He is photographed wearing a motorcycle helmet, which makes him a bit harder to identify.

The New York Times