Tuesday, 30 June 2009

Privacy paradox & personal data – do people really care?

Added: see the excellent summary of this and other WEIS sessions by Ross Anderson.

There’s been some focus lately on the inconsistencies between what people say and what they actually do online, in terms of:

  • how much personal information they’re prepared to give away, and
  • what precautions they take in practice to safeguard their privacy or the security of their personal data on the internet.

The Policy Maker's Anguish: regulating personal data behaviour between paradoxes and dilemmas (full paper) is an interesting paper by Ramón Compañó and Wainer Lusoli of the European Commission - Directorate General Joint Research Centre, from The Eighth Workshop on the Economics of Information Security (WEIS 2009), London 24-25 June 2009.

It defines this (much studied) “privacy paradox” as:

users are concerned about privacy but they disclose a significant amount of personal data and take no action to protect themselves.

The paper confirmed the privacy paradox is still alive and kicking, based on an August 2008 survey of over 5000 young people from 4 EU countries (France, Germany, Spain, UK), and outlined existing research on the paradox, including in the US.

(On the position in the USA, see also the 2007 Pew Internet research Digital Footprints: Online Identity Management and Search in the Age of Transparency.)

The privacy paradox

“In general, the public is primarily concerned about loss of privacy that lead to security problems but few everyday activities are considered extremely or very private. Our results confirm as much, as disclosure of 'basic' biographic information is unrelated to privacy concern; on the other hand, there is a very weak negative correlation (Pearson's R2 -.04) between these and disclosure of potentially more sensitive data (medical history, etc). The survey confirms that social networkers, particularly younger users, may well be ill informed about the detail they are making publicly available, as it is often unrelated to their privacy concerns. But the need to appear seems to justify disclosure in young people's eyes. Online social networking, for instance, is more about enhanced and increased personal disclosure than about the maintenance of wider social networks (Cachia, 2008; The Economist, 2009).”

See part 4 of the paper for discussion about:

  • the “control paradox” (“People desire full control on their personal data, but avoid the hassle to keep it up to date. People know that there are technology tools to protect them and think they may be efficient, but they do not use them”),
  • the “responsibility paradox” (“While most people believe that it is either their own responsibility, they seem to admit that many users do not have the knowledge to do this effectively”), and
  • the “awareness paradox” (“Data protection (DP) legislation is unknown and unloved… “personal experience may matter more than understanding of the legal system. It is not surprising that young people should ask for 'hands-on' regulation. Young people desire reassurance, via practical tools more than via awareness raising. Tools such as guarantees (labels and logos) appeal to young people, while they also appreciate tools that may assist control of personal data provided to public or private authorities.”).

Overall the paper takes the view, which will surprise no one, that policy makers need to take into account that citizens do not always behave rationally, and that a multi-disciplinary approach is needed:

“trust in rules (fair play by service providers) emerged as an important factor in addition to traditional understandings of trust. Indeed, there are multiple enablers of identity disclosure. Guarantees, assurance of data protection law respect and precise information on systems are likely to encourage the adoption of services based on personal data disclosure. Solutions based on these principles need implementing, regulating and enforcing…

An obvious approach to increase trust is to reinforce safety concerning privacy and personal data online through technical improvements of personal data management systems. In parallel to technical improvements, there is a need to monitor usage patterns regarding such systems and to understand perceptions in order to identify ways to enhance the take up. Young users place great value on privacy, data control, and free services, but not at the expense of security of procedural fairness. The traditional security / privacy paradigm still prevalent in policy circles needs revising to include a wider variety of parameters. Guarantees, assurances that data protection law will be protected, and precise information, all of which should encourage the use of eID systems, should be promoted. Finally, there is a need to harness young people's current practices.”

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.