Posted by Alexander Hanff on November 9, 2014.
Professor Alan Westin was a privacy giant with research dating back to the 1960s and a professional career seen by many privacy professionals as paramount to the development of the current legal regime regarding privacy and data processing.
It is without question that Westin dedicated his life to privacy law but his research was often private and unpublished, funded by large corporations with an agenda – so it was with great interest that I read a new position paper by Jennifer M. Urban & Chris Jay Hoofnagle from Berkley School of Law titled “The Privacy Pragmatic as Privacy Vulnerable”.
The abstract reads:
“Alan Westin’s well-known and often-used privacy segmentation fails to describe privacy markets or consumer choices accurately. The segmentation divides survey respondents into “privacy fundamentalists,” “privacy pragmatists,” and the “privacy unconcerned.” It describes the average consumer as a “privacy pragmatist” who influences market offerings by weighing the costs and benefits of services and making choices consistent with his or her privacy preferences. Yet, Westin’s segmentation methods cannot establish that users are pragmatic in theory or in practice. Textual analysis reveals that the segmentation fails theoretically. Original survey data suggests that, in practice, most consumers are not aware of privacy rules and practices, and make decisions in the marketplace with a flawed, yet optimistic, perception of protections. Instead of acting as “privacy pragmatists,” consumers experience a marketplace myopia that causes them to believe that they need not engage in privacy analysis of products and services. Westin’s work has been used to justify a regulatory system where the burden of taking action to protect privacy rests on the very individuals who think it is already protected strongly by law. Our findings begin to suggest reasons behind both the growth of some information-intensive marketplace activities and some prominent examples of consumer backlash. Based on knowledge-testing and attitudinal survey work, we suggest that Westin’s approach actually segments two recognizable privacy groups: the “privacy resilient” and the “privacy vulnerable.” We then trace the contours of a more usable segmentation and consider whether privacy segmentations contribute usefully to political discourse on privacy.”
The paper is described as a shortened version of their upcoming article “Alan Westin’s Privacy Homo Economicus” but it does a great job of illustrating some fundamental flaws in Westin’s “privacy segmentation” theory and this is incredibly important because Westin’s theory has been widely adopted by policy makers as explained in the paper “the segmentation has notably influenced United States privacy regulation by undergirding the predominant ‘notice and choice’ regime.”
To me, someone who has been engaged in the privacy debate as an advocate for many years now, many of the arguments presented by Urban & Hoofnagle are common sense and arguments myself and other advocates have been trying to push to policy makers for a long time. The critique is supported by other academic research as well – notably a joint research project between University of California, Berkely and Annenberg School for Communication, University of Pennsylvania in 2009 titled “Americans Reject Tailored Advertising and Three Activities That Enable It” which didn’t just ask participants how they felt about behavioural advertising but also measured their knowledge of existing laws and regulations with worrying results:
“Americans mistakenly believe that current government laws restrict companies from selling wide-ranging data about them. When asked true-false questions about companies’ rights to share and sell information about their activities online and off, respondents on average answer only 1.5 of 5 online laws and 1.7 of the 4 offline laws correctly because they falsely assume government regulations prohibit the sale of data.”
This alone is a clear illustration that there is something very wrong with Westin’s tripartite segmentation where he placed 55% of the population in the “privacy pragmatists” category. Urban and Hoofnagle rightly question Westin’s assertion that these people can be considered as pragmatic given the vast knowledge gap that exists between what these consumers think is happening with data relating to them and what the actual data processing practices are in the real world.
They use Westin’s own words against him who argued that these “privacy pragmatists” “weigh the potential pros and cons of sharing information, evaluate the protections that are in place and their trust in the company or organization . . . [and then] decide whether it makes sense for them to share their personal information.”
Again this is the position that has been taken by privacy advocates for years and it is widely accepted that most online consumers do not understand what data is being collected about them and how it is being used as illustrated by Cranor et al in their paper “Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising“. It is the fundamental underlying argument against the Opt Out regime we currently see pushed by Big Data corporations and their lobbyists. For how can one make an informed choice (in other words be a “privacy pragmatist”) if such a knowledge gap exists.
Furthermore, a study by McDonald and Cranor in 2008 titled “The Cost of Reading Privacy Policies” illustrates as can be seen in the image left, the amount of time it would take (and the associated costs) for each online American citizen to read the privacy policies for all the online services they use in a year. It would be ridiculous for Westin or anyone else to even suggest that “privacy pragmatists” are actively reading privacy policies and making informed decisions on them – if Westin’s 55% were in fact to “evaluate the protections which are in place” they would have to read these privacy policies to do so at a cost of $429.55 Billion per year – given the US advertising economy (offline and online) is currently only valued at $177.8 Billion one has to question where the economic value comes from these practices? If it is costing the “privacy pragmatists” three times the economic benefit of this data collection in order to just understand it – is it not the case that such activities are a significant drain on the economy as opposed to actually being a benefit?
But of course we all know that in general people do not read privacy policies and do not understand what data is collected about them or how it is used – one could cite dozens of peer reviewed academic papers from across the globe supporting such an argument. Why then, do we have a global policy regime which is so reliant on the “privacy pragmatist” to support its existence, when we know they simply do not exist. The entire Opt-Out regime that we see growing in national policies and self-regulation argues that people do understand and that they do make decisions based on their knowledge of how data is collected and processed – and it is all a blatant lie.
Urban and Hoofnagle’s paper offers us nothing new, at least nothing we haven’t known as advocates for many years but what it does do is highlight, with empirical data and a methodology which can be scrutinised and replicated, the fundamental flaws in Westin’s “privacy segmentation” theory and it goes on to offer more precise categorisations and a more realistic understanding of how the general population perceive data collection and processing.
Urban and Hoofnagle propose that the privacy segmentation should instead be summarised in two groups (as opposed to Westin’s three) and replace Westin’s “privacy fundamentalists” (which I find to be a term deliberately loaded to paint this group as some type of extremists or dissidents) with “privacy resilient” which is a much more neutral term that I feel more correctly describes those who would actively seek to protect their privacy.
They propose to replace Westin’s “privacy unconcerned” and “privacy pragmatists” with a single group; “The second group—made up of Westin’s privacy pragmatists and ‘unconcerned’—labors in the marketplace with fundamentally misinformed views about privacy rules and is less likely to take self-help measures. We could think of these consumers as the “privacy vulnerable”—less knowledgeable and less likely to take steps to protect privacy.”
Urban and Hoofnagle also believe that consumers suffer from a “myopic view of their duties as consumers” given that they “both misunderstand the scope of data collection and falsely believe that relevant privacy rights are enshrined in privacy policies and guaranteed by law.” and that because of this myopia “individuals may find little reason to bargain for privacy in the marketplace“.
Given such choices it is highly unlikely that a consumer is going to refuse to accept terms with regards to privacy antagonistic data practices if it means they will be ostracised or excluded from digital society. Therefore even if they are completely opposed to the data practices of a specific service, they are still likely to agree to those practices to prevent the consequence of exclusion.
It would have been useful for Urban and Hoofnagle to have explored this problem in their paper as it would seem to be a critical component of the decision making process and one which rarely seems to be mentioned in privacy research papers. It is further complicated by the “bait and switch” behaviour we so often see with organisations (Facebook is a prime example) changing their privacy policies on a regular basis – often to the detriment of their user base, but that user base has an investment in that digital space making it difficult to leave – which again, creates a duress-like situation.
The paper is useful and will hopefully help to open the eyes of policy makers – but it is likely to face fierce opposition from Big Data and Westin fans not least because it illustrates the absurd lie that is responsible for the privacy dilemma we currently find ourselves in – that lie being the defining characteristics of Westin’s pragmatists; that they “weigh the potential pros and cons of sharing information, evaluate the protections that are in place and their trust in the company or organization . . . [and then] decide whether it makes sense for them to share their personal information.”
I look forward to any comments readers would like to make – it is an important and interesting topic.Submitted in: Alexander Hanff, Expert Views, News_privacy |