Privacy attitudes, incentives and behaviours


Presentation at Data Protection Governance symposium, IViR, University of Amsterdam, 20 June 2011, and at Hong Kong University law school seminar on 2 Mar 2012

Published in: Technology, News & Politics
  • Imposes cost of future invasive advertising

    1. Privacy attitudes, incentives and behaviours
       Dr Ian Brown, Oxford Internet Institute
    2. Overview
        • The privacy paradox
        • Younger people and privacy
        • Location privacy
        • Medical privacy
        • Behavioural economics and market failure
        • Lessons for data protection governance
    3. Privacy concerns
       Source: Flash Eurobarometer #225 (2008: 7)
    4. Attitudes vs. disclosure
       Spiekermann, Grossklags and Berendt (2002)
    5. Young people and privacy
        • Most young people see Internet as private space for talking to (already-known) friends, and target information to peer group
        • Lenhart et al. (2007) found stricter access controls on photos/videos by teens than adults (76% v 58% most of time/sometimes)
        • Teens showed higher privacy concerns with parental monitoring; parental discussions increased privacy concerns and reduced disclosure
        • Adult users of social media are developing similar behaviours – consequence of mediation, not age (Marwick et al. 2010)
    6. Young adults and privacy
        • Hoofnagle et al. (2010) found very limited understanding of privacy laws among young adults – 42% answered all 5 questions incorrectly
        • Jones et al. surveyed 7,421 students at 40 US colleges. 75% concerned about passwords, SSNs, credit card numbers but few about SNSes due to insignificant consequences (2009)
    7. Student information disclosure
       What kind of personal information do you post online? (first year N=177, final year N=133)
       Oostveen (2010)
    8. Sampling Facebook Experiences
        • Mobile phones carried by students
        • Location retrieved with embedded GPS
        • Subjects answer questions (e.g., sharing choices)
        • Facebook Application
        • Location disclosed to friends
        • Server
        • Data are collected in our server
        • Questions are sent to participants through SMS
        • Aims
        • To understand:
        • Why do students share their location
        • How (text, picture)
        • When, to whom they share this location
        • At what locations are they more willing to share
    9. Location sharing
        • 40 participants responded to over 2000 questions over 2 weeks
        • Participants are more willing to share their location when they are in ‘Leisure’ or ‘Academic’ locations than in the ‘Library’ or in ‘Residential’ areas.
       Abdesslem, Parris & Henderson (2010)
    10. HIV record privacy
        • Interviews with 41 African women living with HIV in London who use the internet in relation to their health
        • 6 months of fieldwork in 3 HIV clinics in London
        • 2 focus groups at community support groups
        • Participants asked about their experiences of being diagnosed and living with HIV, information seeking and internet use
        • Privacy not mentioned by interviewer
        • Aimed at ‘foregrounding practicalities’ in interviews (Mol, 2002), and interviews were analysed and coded for how participants spoke about ‘doing privacy’
       Manzanderani and Brown (2011)
    11. Patient preferences
        • Strong preference for HIV physicians over others such as GPs due to perceptions of different types of confidentiality practices and professionalism
        • Strong resistance to moving practitioners
        • Continuity of care stressed as important for privacy
        • Took a long time to develop relationships of trust with a given practitioner
        • People from similar ethnic and cultural background often resisted as an information source for fear of knowledge of an HIV positive diagnosis spreading to community and country of origin
       Manzanderani and Brown (2011)
    12. Sharing medical data
       Source: The Use of Personal Health Information in Medical Research, Medical Research Council, June 2007 pp.54-55
    13. Privacy is contextual
        • “Contrary to the assumption … that people have stable, coherent, preferences with respect to privacy, we find that concern about privacy … is highly sensitive to contextual factors”
            • Privacy salience primes concerns
            • “People, it seems, feel more comfortable providing personal information on unprofessional sites that are arguably particularly likely to misuse it.”
            • “Covert inquiries … do not trigger concerns about privacy, and hence promote disclosure.”
       John, Acquisti and Loewenstein (2011)
    14. Homo economicus vs. sapiens
        • Bounded rationality
        • Privacy risks are highly probabilistic, cumulative, and difficult to calculate
        • Most individuals bad at deferred gratification, and have time-inconsistent preferences
       Acquisti (2009)
    15. Market failures in privacy
        • Negative externalities – sale of personal data without compensation to subject
        • Information asymmetry – data gathered ubiquitously and invisibly in a way few consumers understand
        • Privacy policies unreadable and difficult to verify/enforce, with unstable equilibrium. Seals and lemon markets
        • Information industries are highly concentrated; privacy ignored by competition regulators
    16. Correcting market failure
        • Minimum standards of care – organisational and technical protections
        • Simplified privacy policies and breach disclosure reduce information asymmetry
        • More effective enforcement (group actions?) internalises cost of harms
        • New focus by privacy regulators on interoperability and defaults?
       Romanosky and Acquisti (2009), Brown and Marsden (2008)
    17. Lessons for DP governance
        • Basing privacy protections on fully-rational individual behaviour will have limited impact
        • Privacy and competition regulators may have to work together to ensure consumers have meaningful privacy choices
        • Continued regulatory intervention is needed to protect individual and societal interests in privacy
    18. References