Letting Down Our Guard With Web Privacy
Say you've come across a discount online retailer promising a steal on hand-stitched espadrilles for spring. You start setting up an account by offering your e-mail address — but before you can finish, there's a ping on your phone. A text message. You read it and respond, then return to the Web site, enter your birth date, click "F" for female, agree to the company's terms of service and carry on browsing.
But wait: What did you just agree to? Did you mean to reveal information as vital as your date of birth and e-mail address?
Most of us face such decisions daily. We are hurried and distracted and don't pay close attention to what we are doing. Often, we turn over our data in exchange for a deal we can't refuse.
Alessandro Acquisti, a behavioral economist at Carnegie Mellon University in Pittsburgh, studies how we make these choices. In a series of provocative experiments, he has shown that despite how much we say we value our privacy — and we do, again and again — we tend to act inconsistently.
(Read More: Obama Warns Hacking Against US 'Ramping Up')
Mr. Acquisti is something of a pioneer in this emerging field of research. His experiments can take time. The last one, revealing how Facebook users had tightened their privacy settings, took seven years. They can also be imaginative: he has been known to dispatch graduate students to a suburban mall in the name of science. And they are often unsettling: A 2011 study showed that it was possible to deduce portions of a person's Social Security number from nothing but a photograph posted online. He is now studying how online social networks can enable employers to illegally discriminate in hiring.
Mr. Acquisti, 40, sees himself not as a nag, but as an observer holding up a mirror to the flaws we cannot always see ourselves. "Should people be worried? I don't know," he said with a shrug in his office at Carnegie Mellon. "My role is not telling people what to do. My role is showing why we do certain things and what may be certain consequences. Everyone will have to decide for themselves."
Those who follow his work say it has important policy implications as regulators in Washington, Brussels and elsewhere scrutinize the ways that companies leverage the personal data they collect from users. The Federal Trade Commission last year settled with Facebook, resolving charges that it had deceived users with changes to its privacy settings. State regulators recently fined Google for harvesting e-mails and passwords of unsuspecting users during its Street View mapping project. Last year, the White House proposed a privacy bill of rights to give consumers greater control over how their personal data is used.
(Read More: 10 Ways Companies Get Hacked)
Mr. Acquisti has been at the forefront, testifying in Congress and conferring with the F.T.C. David C. Vladeck, who until recently headed the agency's Bureau of Consumer Protection, said Mr. Acquisti's research on facial recognition spurred the commission to issue a report on the subject last year. "No question it's been influential," Mr. Vladeck said of Mr. Acquisti's work.
Companies, too, are interested; Microsoft Research and Google have offered Mr. Acquisti research fellowships. Over all, his research argues that when it comes to privacy, policy makers should carefully consider how people actually behave. We don't always act in our own best interest, his research suggests. We can be easily manipulated by how we are asked for information. Even something as simple as a playfully designed site can nudge us to reveal more of ourselves than a serious-looking one.
"His work has gone a long way in trying to help us figure out how irrational we are in privacy related decisions," says Woodrow Hartzog, an assistant professor of law who studies digital privacy at Samford University in Birmingham, Ala. "We have too much confidence in our ability to make decisions."
This is perhaps Mr. Acquisti's most salient contribution to the discussion. Solutions to our leaky privacy system tend to focus on transparency and control — that our best hope is knowing what our data is being used for and choosing whether to participate. But a challenge to that conventional wisdom emerges in his research. Giving users control may be an essential step, but it may also be a bit of an illusion.
If iron ore was the raw material that enriched the steel baron Andrew Carnegie in the Industrial Age, personal data is what fuels the barons of the Internet age. Mr. Acquisti investigates the trade-offs that users make when they give up that data, and who gains and loses in those transactions. Often there are immediate rewards (cheap sandals) and sometimes intangible risks downstream (identity theft). "Privacy is delayed gratification," he warned.
Mr. Acquisti, lean and loquacious, grew up in Italy. His father, Giancarlo, was a banker by profession and a pianist on the side. Mr. Acquisti inherited his father's passion for music; last year he helped him write an opera about Margherita Luti, the woman believed to be the painter Raphael's lover and muse. Mr. Acquisti's other passion is motorcycle racing — he rides a red Ducati — though the pursuit of tenure, which he acquired last year, has lately kept him off the racing circuit.
(Read More: Chinese Espionage on the Rise in US, Experts Warn)
He earned a bachelor's degree in economics in Rome and master's degrees in the subject from Trinity College in Dublin and the London School of Economics, and he became interested in the economics of privacy while studying for a doctorate in the interdisciplinary School of Information at the University of California, Berkeley.
He describes himself as an early adopter of technology. He dabbled in programming in his youth and was an early and avid user of Friendster and Second Life. He had planned to study the economics of artificial intelligence.
But as the Web matured and became more commercialized, he grew increasingly concerned about Web services that demanded real names. He questioned why companies should track the online behavior of users in order to tailor their ads.
These concerns led him to his one and only foray into a business enterprise. In 2002, with a pair of fellow graduate students at Berkeley, he made a cryptographic tool that would allow people to make purchases anonymously from e-commerce sites. He quickly realized, however, that even though consumers claimed to want privacy, they didn't want to pay for it. The start-up failed. His interest in privacy economics deepened.
To think about privacy more clearly, he argues, technologists need to understand human behavior better. With that end in mind, he will teach next fall in a new, interdisciplinary one-year master's program at Carnegie Mellon called privacy engineering.
"The technologist in me loves the amazing things the Internet is allowing us to do," he said. "The individual who cares about freedom is concerned about the technology being hijacked, from a technology of freedom into a technology of surveillance."
Early in his sojourn in this country, Mr. Acquisti asked himself a question that would become the guiding force of his career: Do Americans value their privacy?
(Read More: Luring Young Web Warriors Is a Priority--and a Game)
At Carnegie Mellon, where he landed in 2003, he investigated the question with Facebook users. He started tracking a cohort of more than 5,000 people, most of them undergraduates at the time. He noticed that although people revealed more and more of their personal history — responding to Facebook's prompts about whether, say, they had just had a baby or had voted — they were also restricting who could see it. Over time, they were, on the whole, less likely to let "everyone" see their date of birth, for instance, and what high school they had attended.
Experiments like this have their limits and are open to different interpretations. This study, for instance, focused largely on college undergraduates who may have become cautious about who could see information about them as they approached graduation and prepared to enter the job market. But the Facebook study suggested at least that some people valued their privacy enough to seek out the social network's evolving settings and to block strangers from seeing what they had posted.
Aiming to learn how consumers determine the value of their privacy, Mr. Acquisti dispatched a set of graduate students to a suburban mall on the outskirts of Pittsburgh. To some shoppers, the students offered a $10 discount card, plus an extra $2 discount in exchange for their shopping data. Half declined the extra offer — apparently, they weren't willing to reveal the contents of their shopping cart for a mere $2.
To other shoppers, however, the students offered a different choice: a $12 discount card and the option of trading it in for $10 if they wished to keep their shopping record private. Curiously, this time, 90 percent of shoppers chose to keep the higher-value coupon — even if it meant giving away the information about what they had bought.
Why such contradictory responses?
To Mr. Acquisti, the results offered a window into the tricks our minds can play. If we have something — in this case, ownership of our purchase data — we are more likely to value it. If we don't have it at the outset, we aren't likely to pay extra to acquire it. Context matters.
It also matters how we define privacy. Conventional wisdom around Web privacy policies rests on the notion that consumers will make intelligent choices. At a recent industry conference in San Francisco, Erin Egan, the chief privacy officer for Facebook, defined privacy as "understanding what happens to your data and having the ability to control it."
Mr. Acquisti, however, suggests that control can be false comfort. In one of his most intriguing experiments, he summoned student volunteers to take an anonymous survey on vice.
The participants were asked whether they had ever stolen anything, lied or taken drugs. Some were told that their answers would be published in a research bulletin, others were asked for explicit permission to publish those answers, and still others were asked for permission to publish the answers as well as their age, sex and country of birth.
The results revealed the imperfection of human reasoning. Those who were offered the least control over who would see their answers seemed most reluctant to reveal themselves: among them, only 15 percent answered all 10 questions. Those who were asked for consent were nearly twice as likely to answer all questions. And among those who were asked for demographic information, every single person gave permission to disclose the data, even though those details could have allowed a complete stranger a greater chance of identifying the participant.
Mr. Acquisti took note of the paradox: fine-grained controls had led people to "share more sensitive information with larger, and possibly riskier, audiences." He titled the paper, which he wrote with his colleagues Laura Brandimarte and George Loewenstein, "Misplaced Confidences: Privacy and the Control Paradox."
"What worries me," he said, "is that transparency and control are empty words that are used to push responsibility to the user for problems that are being created by others."
That sense of control can be undermined in other ways, too, principally by distractions: they apparently play the most powerful tricks of all.
In a study called "Sleights of Privacy," Mr. Acquisti's subjects — students at Carnegie Mellon — were divided into two sets of two groups. Each group was asked to evaluate professors and were given additional questions about cheating. In the first set, half were told that only other students could see their answers; the others were told that faculty members, as well as students, could see the responses. As one might expect, the group with student-only viewers was more forthcoming than the group with student and faculty viewers. The participants seemed concerned about who could see their evaluations.
With the other set of students, Mr. Acquisti offered the same questionnaire — but played a little trick. After again explaining the response rules and procedures, he asked an unrelated question: Would they like to sign up to receive information from a college network? That little distraction had an impact: This time, the two subgroups were almost equally forthcoming in their answers.
Had the distraction made them forget? No. In exit interviews, they remembered the rules, but they behaved as though they didn't. "You remember somewhere in your brain," is how Mr. Acquisti put it, "but you kind of pay less attention to it."
We are constantly asked to make decisions about personal data amid a host of distractions, like an e-mail, a Twitter notification or a text message. If Mr. Acquisti is correct, those distractions may hinder our sense of self-protection when it comes to privacy.
Mr. Acquisti acknowledges being as easily distracted as the rest of us. He loses focus, darts from one task to the other and finds himself working all the time. His latest weapon against distraction is an iPad application, which lets him create a to-do list every morning and set timers for each task: 30 minutes for e-mail, 60 minutes to grade student papers, and so on.
Given his work, it is not surprising that he is cautious in revealing himself online. He says he doesn't feel compelled to post a picture of his meals on Instagram. He uses different browsers for different activities. He sometimes uses tools that show which ad networks are tracking him. But he knows he cannot hide entirely, which is why some people, he says, follow a policy of "rational ignorance." He has a professional page on the Carnegie Mellon Web site — if he didn't, how would he attract students or signal his academic legitimacy? — that describes his research and includes a photograph. And it contains an intriguing bit of information: his interest in Nutella.
Our browsing habits, search terms, e-mail communication — even our offering of our ZIP codes at the supermarket checkout — reveal bits of information that can be assembled by data companies, usually for the purpose of knowing what sorts of products we're most likely to buy. The online advertising industry insists that the data is scrambled to make it impossible to identify individuals.
Mr. Acquisti offers a sobering counterpoint. In 2011, he took snapshots with a webcam of nearly 100 students on campus. Within minutes, he had identified about one-third of them using facial recognition software. In addition, for about a fourth of the subjects whom he could identify, he found out enough about them on Facebook to guess at least a portion of their Social Security numbers.
(Read More: Hacking America - Special Coverage)
The point of the experiment was to show how easy it is to identify people from the rich trail of data they scatter around the Web, including seemingly harmless pictures. Facebook can be especially valuable for identity thieves, particularly when a user's birth date is visible to the public.
Does that mean Facebook users should lie about their birthdays (and break Facebook's terms of service)? Mr. Acquisti demurred. He would say only that there are "complex trade-offs" to be made.
"I reveal my date of birth and hometown on my Facebook profile and an identity thief can reconstruct my Social Security number and steal my identity," he said, "or someone can send me 'happy birthday' messages on the day of my birthday, which makes me feel very good."
Facebook, for its part, has said that users can control who sees their information on the network.
Mr. Acquisti is on Facebook. He is photographed wearing a motorcycle helmet, which makes him a bit harder to identify.
Intriguing experiments by Alessandro Acquisti, a behavioral economist, suggest that people often reveal more than they mean to online. Shoppers at a mall were offered $10 discount card — and an extra $2 discount if they agreed to share their shopping data. Half declined the extra offer. Others were offered a $12 discount card and the option of trading it in for a $10 card to keep their shopping record private. Ninety percent chose to trade privacy for $2. Students were given survey questions about cheating. They were less forthcoming when they thought professors would see their answers. Students were given surveys about cheating, but distracted before they answered. They were more forthcoming than the first group.