Schneier on Security
A blog covering security and security technology.
July 16, 2009
Privacy Salience and Social Networking Sites
Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience," and Leslie John, Alessandro Acquisti, and George Loewenstein -- all at Carnegie Mellon University -- demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behavior -- "Have you ever cheated on an exam?" for example. Half of the subjects were first required to sign a consent warning -- designed to make privacy concerns more salient -- while the other half did not. Also, subjects were randomly assigned to receive either a privacy confidentiality assurance, or no such assurance. When the privacy concern was made salient (through the consent warning), people reacted negatively to the subsequent confidentiality assurance and were less likely to reveal personal information.
In another experiment, subjects completed an online survey where they were asked a series of personal questions, such as "Have you ever tried cocaine?" Half of the subjects completed a frivolous-looking survey -- "How BAD are U??" -- with a picture of a cute devil. The other half completed the same survey with the title "Carnegie Mellon University Survey of Ethical Standards," complete with a university seal and official privacy assurances. The results showed that people who were reminded about privacy were less likely to reveal personal information than those who were not.
Privacy salience does a lot to explain social networking sites and their attitudes towards privacy. From a business perspective, social networking sites don't want their members to exercise their privacy rights very much. They want members to be comfortable disclosing a lot of data about themselves.
Joseph Bonneau and Soeren Preibusch of Cambridge University have been studying privacy on 45 popular social networking sites around the world. (You may not have realized that there are 45 popular social networking sites around the world.) They found that privacy settings were often confusing and hard to access; Facebook, with its 61 privacy settings, is the worst. To understand some of the settings, they had to create accounts with different settings so they could compare the results. Privacy tends to increase with the age and popularity of a site. General-use sites tend to have more privacy features than niche sites.
But their most interesting finding was that sites consistently hide any mentions of privacy. Their splash pages talk about connecting with friends, meeting new people, sharing pictures: the benefits of disclosing personal data.
It's the Carnegie Mellon experimental result in the real world. Users care about privacy, but don't really think about it day to day. The social networking sites don't want to remind users about privacy, even if they talk about it positively, because any reminder will result in users remembering their privacy fears and becoming more cautious about sharing personal data. But the sites also need to reassure those "privacy fundamentalists" for whom privacy is always salient, so they have very strong pro-privacy rhetoric for those who take the time to search them out. The two different marketing messages are for two different audiences.
Social networking sites are improving their privacy controls as a result of public pressure. At the same time, there is a counterbalancing business pressure to decrease privacy; watch what's going on right now on Facebook, for example. Naively, we should expect companies to make their privacy policies clear to allow customers to make an informed choice. But the marketing need to reduce privacy salience will frustrate market solutions to improve privacy; sites would much rather obfuscate the issue than compete on it as a feature.
This essay originally appeared in the Guardian.
Posted on July 16, 2009 at 6:05 AM
• 35 Comments
I am a fan of behavioural economics officially slaying the myths of us being rational creatures.
Unfortunately, their consistent choice of lab rat means results cannot be considered globally applicable.
Namely '[American] University students' who 'were recruited on campus and completed a survey'.
In other studies these same lab rats have been shown to enjoy 'beer' and 'big jugs'. Global norms? Oh really?
Oh sure, they work for me, and probably 80% of you readers too, but since when have we been representative!
Assuming the findings are right, isn't this the same as the dentist saying "This won't hurt a bit", you tense up, and sure enough he's right... it hurts a lot.
Does priming a mind which is in a sceptical mode have the opposite effect?
Who hasn't gone out of their way to shatter something labelled 'shatterproof'?
> since when have we been representative!
I'm failing to find the source for the quote I want here, but it was something like "Sure, I'm extrapolating from my own experience, but everybody does that".
"The results showed that people who were reminded about privacy were less likely to reveal personal information than those who were not."
I'm far from a social scientist, but I immediately wonder which of these surveys yielded more truthful information. Certainly, some men in locker-rooms boast of sexual conquests that never happened. Do "light-hearted-looking" surveys encourage the same kind of boasting?
I started reading the paper, but I'm no expert. Can anyone clarify this?
I am in agreement with Bill. I suspect culture plays a big role in this. For example, Europe has much better privacy laws than the US does. I suspect that Europeans would trust the privacy statement more than Americans would.
Also, the "How BAD are U??" experiment was poorly done. You can't compare a "fun" looking website with an official one from CMU. If they had compared responses from the fun website without a privacy clause and the same one with a privacy clause, the results would have been much more reliable.
This sounds to me like people are less likely to share personal information with a large organization that is mature enough to need a fancy seal and a privacy notice.
But when people are dealing with "how bad R U", it is pretty obvious that their personal information is not going far... and on the off-chance that the information DOES get re-used, it is doubtful that others would trust the reliability of "how bad R U" as a source.
It's the difference between complaining about your manager to the Human Resources department vs commiserating with a bartender.
I doubt it has as much to do with the privacy notice, as it does with the representation of the data-collector as a formal/informal entity.
People do not think about security until they feel they have to.
I recall the sketch by Marty Feldman who was playing an airline pilot who picked up the PA microphone during a flight and announced: "Ladies and gentlemen, there is no cause for alarm".
I think the warnings just remind people there may be a risk associated with revealing personal information. Once reminded, their perception of risk is adjusted. Once people treat these social sites as a familiar tool, their perception of risk is lowered.
I read the CMU paper and in addition to conflicting variables pointed out by others, there are so many missing details of how the study was done it is hard to come to any conclusions about the meaning of the results.
I also wonder whether respondents are more likely to treat a survey the researchers describe as "frivolous" and "light-hearted-looking" as frivolous and make up answers. Didn't it occur to them that degree of truthfulness might be contextual as well?
And I wonder if their study was reviewed by their IRB and how they ensured it complied with federal research regulations. Normally institutions like CMU would be required by federal law to ensure that researchers explicitly state the risks and confidentiality protections. And the risks in this case are non-trivial as they are asking about illegal and sensitive behaviors. Researchers generally aren't permitted to treat privacy in the cavalier fashion of social networking sites.
Why else would Anon be so popular?
@David Alan Hjelle, I believe the ones where they were not reminded of privacy would have been more truthful. Seeing a document with a seal and a big spiel about privacy would lead me to believe my name was being attached along with it, whereas the other survey would be anonymous with no repercussions and therefore no need for privacy.
@Petey B: Of course, it's possible that you are right. It's also possible that you are wrong. It seems to me that the authors of the study simply made the same assumption that you did—and I'm not convinced that it is valid without more information. I can fairly easily see reasonable explanations for both kinds of behavior.
Not to be a pedant, but labelling something "privacy salience" does not "explain" anything. It provides a descriptive label for an empirically observed phenomenon.
Hopefully, additional research can help us actually understand the underlying mechanisms at work here (as advances in neuroscience and imaging have for behavioral economics, for example).
Mr. Hjelle, AlanS, and others:
The "How BAD are U??" experiment did not, I believe, make any claims about the answers to one survey being more objectively truthful than another-- just that the one with lower perceived formality would elicit answers that people wouldn't feel comfortable giving to the other one, which seems to line up fine with what you think is obvious. (Still, someone needed to actually run the experiment to make sure.)
Why include a link to a New York Times article with a retraction? Maybe because the piece was inaccurate and inflammatory - but also a good proof point to the salience theory, since the authors were very concerned but couldn't understand the actual FB "feature" change, and jumped to the worst-case conclusion.
I think part of the entire social networking thing puts all of our personal lives in focus. What we share on blogs, FB and Twitter is so much more than our parents' generation could have ever imagined online.
In this case it's a good reminder, your privacy is ALWAYS at risk!
Reminds me of the studies where they ask college students to give their passwords in order to collect a candy bar. The fact that they will hand over a password doesn't necessarily mean they hand over a valid password. The hard part of these studies is determining if the data is truthful. Nor is this a unique problem for behavioral studies.
Reminds me of the conversation at the beginning of a fitness class
Teacher: Do you have an injury? Well you should have a clearance of your doctor. (Translation: we are externalizing the litigation risk by transferring it onto the client)
Student: Silent no. (Translation: That is none of your business. I'm not telling you that my body is falling apart because I want to do the class and I will take responsibility for my actions)
I appreciated your comments on this topic.
Oddly enough, I wrote a blog on the same topic this morning, as well, citing Acquisti and Grossklags’ brilliant work.
For an incredibly barefaced attempt to solicit marketing information from a wide cross section of New Zealand citizens, NZPost, a government owned company, has just sent out a very intrusive 'survey' form to thousands of households. You can do the survey online at http://www.nzpost.co.nz/Cultures/en-NZ/Personal/...
They have a 'privacy' statement that starts:
"By undertaking the New Zealand Post Survey, you and your partner's name and contact details may be provided to organisations from New Zealand and overseas to enable them to provide you and/or your partner, with information about products, services and offers relevant to your responses to this survey. New Zealand Post may also use this information for the same purpose.
New Zealand Post is committed to protecting your personal information....."
They do provide an assurance that they will look after your information so that no-one else can abuse it.
All respondents will go into a draw to win $15000 so I wonder how many will make the trade-off of exposing lots of personal details in return for a small chance to win.
@Jim Marketing info
Thanks. I'll always take a survey. Will you give me a candy bar for my password? Sure let's see the chocolate!
I just submitted one on behalf of John Gordon and the New Right. Apparently he is a 45 year old woman with an 18 year old "partner" and 4 children under 12, living with his parents and a great lover of water sports, and making over 150k a year in independent pharmaceutical distribution and sales.
Let their algorithm choke on that.
The equivalent doesn't apply to groceries:
e.g. think of all the "low fat" and "low calorie" products out there.
I wonder why "high fiber" is a positive sales message, if "high privacy" is negative?
Indeed, FB privacy settings are a mess and I'm glad the Canadian government is pushing forward on this issue. It's pretty obvious that as soon as you begin talking about something people will wonder about this same issue and start taking things more seriously always with the thought on the back of their mind, it's not just privacy concerns.
More people are conscious of their weight and bowel regularity than of their privacy.
This reminds me of back in '90 when I was made responsible for IT antivirus infrastructure, which was a response to the fact that our company had sent out our product with a virus shrink-wrapped inside.
I set up a system whereby every machine had to run a (current) virus scanner first thing every day. Naturally, one of the salesmen forgot to bring his virus disk with him to a sales call and looked like a moron to the customer.
The company president made me remove my restrictions from the sales machines, (that would be the machines that travel to remote locations and run all kinds of unknown stuff). He was afraid that it would cause people to look down upon our company if they found out we took precautions to not catch or spread virii; since if we took precautions about having virii, that meant we were a greater risk to have them. Never understood that logic, but apparently there may be some validity to it. It's still stupid though. http://www.xkcd.net/610/
And of course the Milgram experiment (in its later stages after they initially scared the crap out of themselves by inadvertently showing that a Holocaust could have happened pretty much anywhere) demonstrated that people are more willing to do what a large prestigious organization tells them than a small private unknown one.
@Anton: And your comment reminds me of soldering irons. (how?) They typically come with a cord that is so short as to be completely useless - and then the fine print states that they are not responsible for a fire if you use an extension cord.
Why would anyone share private information in a social networking site? No matter what the site claims about its privacy controls, once you share private data it isn't private anymore. Don't share it in the first place, especially in a place where it will be documented and stored and most likely be breached one day!
Often people do not mind if some private data is shared with another, accidentally or otherwise. Privacy fear arises if private information can be reproduced by the 'other' person in the original form and shared with others. And this is what technology is good at.
> And of course the Milgram experiment (in its later stages after they initially scared the crap out of themselves by inadvertently showing that a Holocaust could have happened pretty much anywhere) demonstrated that people are more willing to do what a large prestigious organization tells them than a small private unknown one.
That was Milgram's interpretation, but it has been questioned by other psychologists. Robert Shiller has suggested that Milgram's entire interpretation was incorrect, and in fact people continued to give the shocks not simply in obedience to the experimenter's orders, but because they believed the experimenter's assurances that the shocks were not really harmful. (The strongest evidence for this is that the only subject who refused to continue was also the only one who understood electricity.)
In this view, the lower acceptance rate in the case of the (fake) small company was because people were less confident of a small company's competence than that of Yale.
Security is trade-offs.
Trade-offs require agreements and perceptions.
Managing perceptions and agreements is politics.
You have avoided politics adroitly.
One role of political parties is to critically observe each other in the act.
What follows is an observation,
and then political rhetoric.
You may be interested in its beginning.
Someone clearly follows elements of your logic:
"By requesting citizens send 'fishy' e-mails to the White House,
it is inevitable that the names, e-mail addresses, IP addresses and private speech of U.S. citizens will be reported to
the White House,"[Senator] Cornyn wrote.
"You should not be surprised that these actions taken by your White House staff raise the specter of a data collection program."
in response to:
"These rumors often travel just below the surface via chain e-mails or through casual conversation.
Since we can't keep track of all of them here at the White House, we're asking for your help.
If you get an e-mail or see something on the web...that seems fishy, send it to email@example.com."
full article @
Subject: This is scary to me; White House wants you to snitch on people who send emails about health insurance reform that seems "fishy"--can you say Fascism? Where is the ACLU? Will you report me?
Date: Aug 8, 2009 6:41 AM
Who's behind the Internet Snitch Brigade?
Michelle Malkin - Syndicated Columnist - 8/7/2009 7:15:00 AM
I think this experiment does a much better job of demonstrating risk intuition than it does privacy salience. I also think that's funny, because it appeared in your newsletter right after your essay called Risk Intuition! The students probably don't care what the university does with information about their own cocaine use from a privacy perspective. But I think it's highly likely that the students are responding to a (very small) risk that admitting illegal or unethical behavior on a survey to an authority at the school could have very severe consequences.
College students constantly send each other surveys asking each other about embarrassing or unsavory information. It's a normal part of modern undergraduate life. But it's rare for the school administration to ever ask those kinds of personal questions, so the researchers' questionnaire probably stuck out like a sore thumb. Most college kids (including CMU kids, based on my own CMU experience) are more than willing to brag about (and even exaggerate), say, their binge drinking experience when filling out a friend's survey. They're much less willing to do that with an authority figure from the school, and I think risk intuition explains that effect much better than privacy salience does.
facebook is shit boys and ladies
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.