Carnegie Mellon University
January 29, 2015

Carnegie Mellon Team Finds Individuals May Fail To Navigate Complex Tradeoffs in Privacy Decision-Making

Researchers Call for Policies That Seek To Balance Power Between Individuals and Data Holders

By Abby Simmons / 412-268-4290 / Shryansh Mehta / 412-268-5492 / Shilo Rea / 412-268-6094

We leave a trail of data, both knowingly and unwittingly, with every swipe of a credit card, post on social media and query on a search engine.

Carnegie Mellon University researchers detail the privacy hurdles people face while navigating in the information age, and what should be done about privacy at a policy level, in a review published in the Jan. 30 special issue of the journal Science.

The review challenges a number of claims that have become common in the ongoing debate over privacy, including the claim that privacy may be an historical anomaly, or that people do not really care for data protection.

"Privacy is not a modern invention, but a historically universal need," said lead author Alessandro Acquisti, professor of information technology and public policy at CMU's H. John Heinz III College. "In certain situations, individuals will care for privacy quite a lot and act to protect it, but advances in technology and the acceleration of data collection challenge our ability to make self-interested decisions in the face of increasingly complex tradeoffs."

Acquisti, along with CMU's Laura Brandimarte and George Loewenstein, identifies three themes prevalent in empirical research on privacy decisions and behavior:

  • People are often uncertain about the consequences of privacy-related behaviors and their own preferences over these consequences;
  • People's concern, or lack thereof, about privacy is context dependent; and
  • Privacy concerns are malleable, particularly by commercial and government influences.    

People rarely know what information other individuals, organizations and governments have about them and how that information is used. Individuals may be aware of some of the consequences of privacy breaches, such as the costs of identity theft, but in other situations, such as sharing a family milestone online, the costs may be intangible. They also are likely to be uncertain about their own privacy preferences.

The researchers note that context dependence plays a major role in privacy decision-making, but that many of the cues that determine people's behavior provide a crude or even misleading guide to the costs and benefits of revelation or concealment. For example, email feels more anonymous than talking face-to-face, even though email leaves an indelible record of the conversation.

Privacy concerns are also malleable. People are easily influenced by outside forces, such as commercial or government interests, in what and how much they disclose. For example, default privacy options on websites are often accepted by users only because they seem more convenient or are perceived as implicitly recommended. Studies covered in the review also found that websites can employ so-called "malicious design" features that confuse users into disclosing personal information. Another study covered in the review found that individuals who were given more granular control over sharing options on a social network site ended up sharing more publicly than those not given such control — exactly the opposite of the pattern that control is intended to produce.

"Although control is the cornerstone of most policies designed to protect privacy, giving people more control increases trust and leads individuals to lower their guard and disclose more," said Brandimarte, a postdoctoral fellow at CMU's Heinz College.

Insights the team gathered from social and behavioral research suggest that policy approaches that rely solely on informing individuals of privacy risks posed by information technologies are inadequate. Rather, effective policies should rely on minimal requirements of informed or rational decision-making. Most importantly, policies should focus on achieving a greater balance of power between individuals and data holders such as governments and corporations.

"People cannot always be counted upon to navigate the complex tradeoffs involving privacy in a self-interested fashion," said Loewenstein, the Herbert A. Simon University Professor of Economics and Psychology at CMU's Dietrich College of Humanities and Social Sciences. "They may need assistance, and even protection, to balance what is at present a very uneven playing field."