![[chart]](dark-privacy.gif)
25 June 2003
Wall Street Journal, June 25, 2003
Study Offers Ammunition to Backers Of Curbs on How Data Can Be Used
By YOCHI J. DREAZEN
Staff Reporter of THE WALL STREET JOURNAL
WASHINGTON -- A majority of Americans who see privacy policies on popular
Web sites mistakenly assume those sites aren't collecting or selling consumers'
personal information, leaving them unaware of the vast amounts of data being
shared with other companies, according to a new study.
The study [Americans and Online Privacy: The System is Broken, 37 pp., PDF, 1.7MB; excerpts below], to be released Wednesday by the Annenberg Public Policy Center of the University of Pennsylvania, comes as Congress is considering a flurry of bills that would put new restrictions on how consumer data can be collected and shared.
The report is likely to give ammunition to consumer advocates and other backers of the various bills, which most Web retailers and content companies strenuously oppose. Instead, the companies prefer voluntary guidelines that set modest limits on what businesses can do with the information they collect as long as the privacy policy is disclosed somewhere on the site.
But the study found that the policies are often dense and legalistic, and generally leave consumers in the dark about what actually happens to their personal information.
Almost 60% of adults who use the Internet at home mistakenly believe that Web sites with privacy policies aren't gathering or sharing personal information, even though the fine print of the policies generally allows the companies to do so.
When asked what they would do if a favored site adopted a widely used approach -- building profiles with data collected at the site or purchased from marketers, tracking what the person does at the site, and then sending targeted ads and e-mail -- 85% of those polled said they would either stop visiting that site or use a paid one that didn't collect as much data.
"It raises some basic questions about what people really understand about the cat-and-mouse game they play with sites when they try to protect their privacy ," said Joseph Turow, a professor who led the phone survey of 1,200 Americans over the age of 18. "The clear sense we get is that people really have no clue about how much elaborate data collection and sharing is going on behind the scenes."
Consider the privacy policy of Match.com, an Internet dating service that draws nearly eight million visitors a month. The five-page document says the site itself collects personal information such as a user's name, mailing address, e-mail address and phone number, though it only uses the data in limited ways.
But the company acknowledges the site links to pages that look like Match.com or use its name and logo, but are actually run by other companies. Such a practice raises questions about how users are supposed to know whether they are at Match.com, and protected by its privacy policy, or at another site that may not have similar restrictions on the personal information it gathers.
The company also says that it shares the personal information it collects with its business partners, who are again free to use it as they see fit.
Executives at the company defend the policy, which they said is prominently placed on the site and written as clearly as it can be. "The reality of the Web is that companies strike deals with other partners as extensions of their own sites," said Tim Sullivan, Match.com's president. "I think most users today understand that."
The study also found that few Internet users took steps to better protect their own privacy . Only 43% of those polled said they used filters to block so-called spam or other unwanted e-mail; 17% said they used programs that shield their identity; and 23% said they used software to disable the "spyware" programs that track the sites they visit and relay that information back to a third party.
Gator Corp., for example, puts tracking software into people's computers when they download free software like the popular DivX movie-sharing program. In its advertising materials to direct marketers, Gator, based in Redwood City, Calif., says it is in more than 35 million computers and has the ability "to ride along with consumers as they surf the Web" and "display targeted ads based on actual behavior." It cites the example of ads for baby food aimed at new parents -- identified by their visits to sites on childbirth and baby names.
A Gator spokeswoman says the company doesn't deceive users, noting that it asks users for their permission to download its software onto their computers, ensuring that users know Gator is in place.
Write to Yochi J. Dreazen at yochi.dreazen@wsj.com
Updated June 25, 2003
http://www.asc.upenn.edu/usr/jturow/internet-privacy-report/36-page-turow-version-9.pdf
By Joseph Turow
June 2003
OVERVIEW
This new national survey reveals that American adults who go online at home
misunderstand the very purpose of privacy policies. The study is also the
first to provide evidence that the overwhelming majority of U.S. adults who
use the internet at home have no clue about data flows—the invisible,
cutting edge techniques whereby online organizations extract, manipulate,
append, profile and share information about them. Even if they have a sense
that sites track them and collect individual bits of their data, they simply
don’t fathom how those bits can be used. In fact, when presented with
a common way that sites currently handle consumers’ information, they
say they would not accept it. The findings suggest that years into attempts
by governments and advocacy groups to educate people about internet privacy,
the system is more broken than ever.
57% of U.S. adults who use the internet at home believe incorrectly that when a website has a privacy policy, it will not share their personal information with other websites or companies
47% of U.S. adults who use the internet at home say website privacy policies are easy to understand. However, 66% of those who are confident about their understanding of privacy policies also believe (incorrectly) that sites with a privacy policy won’t share data.
59% of adults who use the internet at home know that websites collect information about them even if they don’t register. They do not, however, understand that data flows behind their screens invisibly connect seemingly unrelated bits about them. When presented with a common version of the way sites track, extract, and share information to make money from advertising, 85% of adults who go online at home did not agree to accept it on even a valued site. When offered a choice to get content from a valued site with such a policy or pay for the site and not have it collect information, 54% of adults who go online at home said that they would rather leave the web for that content than do either.
Among the 85% who did not accept the policy, one in two (52%) had earlier said they gave or would likely give the valued site their real name and email address—the very information a site needs to begin creating a personally identifiable dataset about them.
Despite strong concerns about online information privacy, 64% of these online adults say they have never searched for information about how to protect their information on the web; 40% say that they know “almost nothing” about stopping sites from collecting information about them, and 26% say they know just “a little.” Only 9% of American adults who use the internet at home say they know a lot.
Overwhelmingly, however, they support policies that make learning what online companies know about them straightforward. 86% believe that laws that forces website policies to have a standard format will be effective in helping them protect their information.
Yet most Americans feel unsure or conflicted about whether key institutions will help them with their information privacy or take it away. Only 13% of American adults who use the web at home trust that the government will help them protect personal information online while not disclosing personal information about them without permission.
Similarly, only 18% trust their banks and credit card companies and only 18% trust their internet service providers (ISPs) to act that way.
Parents whose children go online are generally no different on these attitudes, knowledge or actions than the rest of U.S. adults who use the internet at home. Like the others, most parents are concerned, confused, and conflicted about internet privacy.
These are highlights from the most recent Annenberg national survey of internet attitudes and activities. The survey raises questions about the usefulness of trying to educate American consumers in the growing range of tools needed to protect their online information at a time when technologies to extract and manipulate that information are themselves growing and becoming ever-more complex. Our findings instead indicate that consumers want legislation that will help them easily gain access to and control over all information collected about them online. At the end of this report, we therefore suggest that the federal government needs to require online organizations to unambiguously disclose information-collection policies as well as to straightforwardly describe at the start of every online encounter what has and will happen to the specific user’s data.
Our examination of online Americans’ attitudes, knowledge, and actions regarding their online information was carried out by ICR/International Communication Research for the Annenberg Public Policy Center of the University of Pennylvania.1 The study was conducted by telephone from February 5 to March 21, 2003 among a nationally representative sample of 1,200 respondents 18 years and older who said they use the internet at home. 516 (43%) of the respondents were parents of a child age 17 or younger.
____________________
1 Thanks to Tara Jackson, Melissa Herrmann, and Jill Glather and Carol Cassel of ICR for survey and statistical help. Susannah Fox, Robert Hornik, Steve Jones, Mihir Kshirsagar, Deborah Linebarger, Mihaela Popescu, Lee Rainie, and Judith Turow generously listened at various stages of this project and provided useful suggestions. All responsibility for presentation and interpretation of findings rests with the author of this report.
Our aim was to address two critical public policy questions that had not previously been explored in depth: What level of understanding do Americans have regarding the way organizations handle information about them on the internet? And how much do they trust social institutions to help them control their information online?
BACKGROUND
An important reason that policy analysts need to know the answer to these questions relates to the absence of U.S. laws to control much of the extraction, manipulation, and sharing of data about people and what they do online. With the exception of certain personal health information,2 certain types of personal financial information held by certain types of firms3, and personally identifiable information from children younger than 13 years,4 online companies have virtually free reign to use individuals’ data in the U.S. for business purpose without their knowledge or consent. They can take, utilize and share personally identifiable information—that is, information that they link to individuals’ names and addresses. They can also create, package and sell detailed profiles of people whose names they do not know but whose interests and lifestyles they feel they can infer from their web-surfing activities.
____________________
2 These regulations relate to Health Insurance Portability and Accountability Act of 1996 (HIPPA). They resulted in the first set of federal privacy rules to protect medical information online and elsewhere. See http://www.consumerprivacyguide.org/law/hipaa.shtml
3 These “opt-out” regulations relate to the Financial Modernization Act (Graham-Leach-Bliley Act). For an explanation, see the Privacy Rights Clearinghouse site: http://www.privacyrights.org/fs/fs24a-optout.htm
4 The Children’s Online Privacy Protection Act, which went into effect in 2000, requires online services directed at children 12 and under, or which collect information regarding users' age, to give parents notice of their information practices and obtain their consent prior to collecting personal information from children. The Act also requires sites to provide parents with the ability to review and correct information that they collect about their children. See Joseph Turow, Privacy Policies on Children's Websites: Do They Play By the Rules? Philadelphia: Annenberg Public Policy Center, 2001. http://www.appcpenn.org/internet/family/
Companies continually troll for, and exploit, personally identifiable and non-personally identifiable information on the internet. They often begin by getting the names and email addresses of people who sign up for web sites. They can then associate this basic information with a small text file called a cookie that can record the various activities that the registering individual has carried out online during that session and later sessions. Tracking with cookies is just the beginning, however. By using other technologies such as web bugs, spyware, chat-room analysis and transactional database software, web entities can follow people’s email and keyboard activities and serve ads to them even when they are off-line. Moreover, companies can extend their knowledge of personally identifiable individuals by purchasing information about them from list firms off the web and linking the information to their own databases. That added knowledge allows them to send targeted editorial matter or advertising to consumers. More specificity also increases the value of the databases when they are marketed to other interested datatrollers.
Marketers and media firms use consumer information in a broad gamut of ways and with varying concerns for how far the data travel. Some websites unabashedly collect all the information they can about visitors and market them as aggressively as they can to advertisers and other marketers. Though many of these emphasize personally identifiable 6 information, not all of them do. Tracking people anonymously can still lead to useful targeting. An important example is the Gator Corporation, which places its tracking files into people’s computers when they download free software such as the KaZaA musicsharing program.
The company claims to be in 35 million computers and says that once there, “The Gator Corporation has the ability to ride along with consumers as they surf the Web. That allows us to display targeted ads based on actual behavior and deliver incredible insights.”5 A pitch to potential clients continues:
Here’s an example: Gator knows this consumer is a new parent based on their real-time and historical online behavior—looking for information on childbirth, looking for baby names, shopping for baby products. . . .6
Let’s say you sell baby food. We know which consumers are displaying behaviors relevant to the baby food category through their online behavior. Instead of targeting primarily by demographics, you can target consumers who are showing or have shown an interest in your category. … Gator offers several vehicles to display your ad or promotional message. You decide when and how your message is displayed to consumers exhibiting a behavior in your category.7
____________________
5 [http://www.gatorcorporation.com/advertise/qtr/page_2.html?mp14], accessed on May 29, 2003.
6 [http://www.gatorcorporation.com/advertise/qtr/page_3.html?mp14], accessed on May 29, 2003.
7 [http://www.gatorcorporation.com/advertise/qtr/page_4.html?mp14], accessed on May 29, 2003.
Many individual sites aim to provide similar services to marketers, though on a more limited scale. Many collect names and email addresses and use an “opt out” approach to gather targets for email advertising by themselves or “affiliates” on topics that ostensibly relate to the site themes. Some sites link their online knowledge of individuals with data collected offline. Typically, the more prestigious sites sell that information only in aggregate to advertisers. So, for example, an online newspaper may offer to send an ad for a client to all its users who are male and own a home. Because the newspaper site serves the ad, the advertiser does not know the names of those who receive it—unless they click on the ad and respond with their names to an offer. Some well-known sites may also have deals with companies that serve ads on their sites and share the revenues.
These firms place their own cookies into the computers of those who visit the websites and then track people’s activities into the many other sites that affiliate with the adserving firms. Some of them may try to coax names and email addresses from consumers that click on their ads even if the site on which their ads appeared did not.
The idea that consumers’ electronic actions are increasingly transparent has alarmed some. Critics of these sorts of activities come at them with a variety of concerns from a variety of viewpoints. Many emphasize the danger that some kinds of personal information may fall into the hands of companies or people who could take advantage of the consumer. In the wake of the anti-terror PATRIOT Act, critics also worry that various government agencies will expand the tracking and generalizing about consumers on the web that had until recently seemed to be the domain of business. They point out the profound damage that errors or names on suspect lists can cause individuals and families.
Others note that sites’ application of email addresses in the service of marketing has helped the proliferation of unwanted email on the web, adding to a spam epidemic that has internet users and their service providers steaming. More sociologically-inclined analysts underscore that the invisible nature of much of the tracking and sorting can lead marketers to make generalizations about consumers that the consumers don’t know and don’t agree with. Inferences drawn from demographics and web-surfing habits can encourage discrimination in the kinds of editorial and advertising materials a site shows consumers. Such activities will become more intense as technologies to mine data, analyze data, and tailor based on the conclusions become more efficient and costeffective.
As they expand, the activities may well lead people to feel anxious not only that they are being tracked but that they are being treated differently—for example, given different discounts—than others because of who they are and what their “clickstream” says about them.
Law professor Jeffrey Rosen poses the humanistic critique bluntly. Paraphrasing the Czech writer Milan Kundera, he suggests that “by requiring citizens to live in glass houses without curtains, totalitarian societies deny their status as individuals.” He goes on to note that spying on people without their knowledge is an indignity. It fails to treat its objects as fully deserving of respect, and treats them instead like animals in a zoo, deceiving them about the nature of their own surroundings.”8
____________________
8 Jeffrey Rosen, “The Eroded Self,” New York Times Magazine, April 30, 2000.
Those concerned about the secondary use and sharing of data about individuals point to the European Union’s rather stringent prohibitions against using data in ways for which they were not originally gathered. In the U.S., no such broad rules apply, though in the late 1990s the Federal Trade Commission advanced a set of “Fair Information Practices” reflective of principles that had been advanced in the early 1980s by the Office for Economic Cooperation and Development. These would mandate certain levels of data security on websites, provide notice to potential users of sites about the way data will be collected and used, give the users choice about allowing that collection, and provide them with access to data that have been collected to find out what firms know and determine their accuracy. They, in turn, had been the basis for guiding the FTC’s enforcement of a “Safe Harbor” agreement with the European Union, whereby U.S. companies wanting to use personally identifiable data about EU citizens in the U.S. had to recognize these practices in the EU though not in the U.S.9
____________________
9 See D. Brown, and J Blevins, “The safe-harbor agreement between the United States and Europe: a missed opportunity to balance the interests of e-commerce and privacy online?” Journal of Broadcasting and Electronic Media 46:4 (December 2002), p. 565.
As FTC Commissioner Orson Swindle recalled in late 2002, U.S. regulatory officials tended to encourage industry self-regulation rather than the legislative mandating of these practices. “Use of the Internet for marketing and attempts to address online privacy concerns were still in their infancy, and the Commission believed that the private sector would continue on its own toward better privacy practices than what federal regulation might require. More specifically, it seemed inappropriate in these formative years to prescribe regulations that would impose nontrivial costs without also achieving clear benefits.”10
____________________
10 Orson Swindle, “Perspectives on Privacy Law and Enforcement Activity in the United States,” Privacy & Information Law Report, 3:4 (December, 2002).
By 2000, however, three of the five members of the Commission believed that industry had made insufficient progress toward developing genuine, pragmatic privacy protections for consumers. They formally recommended that the Congress enact laws to codify the Fair Information Practice principles. Congress agreed with the naysayers, however, and no such law was passed. Instead, the Federal Trade Commission has used Section 5 of the Federal Trade Commission Act (which deals with unfair and deceptive practices) to prosecute websites that present fraudulent claims about information protection.11
____________________
11 Critics have argued that U.S. legislative venues for reinforcing consumer privacy rights in general are insufficient. The United States does not have a federal privacy law. Moreover, tort law does not protect the disclosure of personal data unless the data could be construed as libel or potentially embarrassing. The mere gathering of data is not actionable in courts unless the practice of gathering itself is arguably too intrusive. See Jessica Litman, "Information privacy/information property," Stanford Law Review, (2000) vol. 52, pp. 1283-1313.
An extreme example of the computer industry’s riposte to such concerns about privacy came from Sun Microsystems chief executive Scott McNealy in February 1999 when someone pointed out that a new Sun product might allow people to track its users’ movements. "You have zero privacy anyway," McNealy told a questioner. "Get over it."12 The comment, which The New York Times used as its quotation of the day not long after he made it,13 raised consternation within the business community as well as outside it.
____________________
12 Richard Morochove, “Sun Microsystems Lets Jini Out Of Bottle ,” Toronto Star, February 4, 1999.
13 “Quotation of the Day,” New York Times, March 3, 1999, Section A; Page 2; Column 6.
The more typical corporate response to concerns about online consumer privacy has been to express agreement with the goal of protecting personal information while at the same time arguing that government intervention on consumers’ behalf could be catastrophic to industry growth. A New York Times report in 2001 concluded that “Lawmakers . . . are bolstered in their efforts to slow the march of legislation by a flood of new studies and surveys sponsored by high-technology companies, questioning consumer attitudes about privacy and giving multibillion-dollar estimates of the costs of complying with such laws.”14 So, for example, a study in 2001 by Robert Hahn of the American Enterprise Institute, a conservative research center in Washington, concluded that complying with privacy legislation proposals would cost companies $30 billion. A spokesperson for the Association for Competitive Technology, which paid for the Hahn study, used the findings to argue that "the costs associated with regulation appear to be higher than the benefits achieved by regulation."15
____________________
14 John Schwartz, “Government is Wary of Tackling Online Privacy,” New York Times, September 6, 2002, Section C, page 1.
15 Schwartz, “Government is Wary of Tackling Online Privacy,” page 1.
The Times report pointedly mentioned surveys “sponsored by high technology companies, questioning consumer attitudes about privacy.” These studies argue consistently that although much of the public had certainly become concerned about online privacy, Americans are quite alert to the particulars of their information environment. They typically understand their information options, are aware of privacy policies, and are willing to negotiate privacy demands with companies who could offer them something in return.16 Alan Westin’s Privacy and American Business consultancy has been an important promulgator of this notion that Americans make cost-benefit analyses about whether to release their information online. Beginning 1995, his analyses of surveys conducted with the Harris research organization have promulgated a tri-partite division of the online public—privacy unconcerned, privacy fundamentalists, and privacy pragmatists.17
____________________
16 On the development of this contention, see Oscar Gandy, “Public Opinion Surveys and the Formation of Public Policy,” Journal of Social Issues 59:2 (2003) 283-299.
17 A good summary is in Alan F. Westin, “Social and Political Dimensions of Privacy,” Journal of Social Issues 59:2 (2003) 431-453.
Looking back in 2003, Westin noted a sharp drop in the percentage of his privacy unconcerned group from 22% in 1999 to 8% two years later. A correspondingly higher percentage of Americans (56% in 2002 versus 34% in 1999) believed that most businesses did not “handle personal information they collect in a proper and confidential way.” Nevertheless, Westin noted that the privacy pragmatists still formed by far the largest group of internet consumers, 58% in 2002. His description of their outlook reflects his position that most Americans take an informed cost-benefit tack in relation to their online information: “They examined the benefits to them or society of the data collection and use, wanted to know the privacy risks and how organizations proposed to control those, and then decided whether to trust the organization or seek legal oversight.”18
____________________
18 Westin, “Social and Political Dimensions of Privacy,” pp. 445-446.
This description of most Americans as aware of their online privacy options supported the line by internet industry players that an accurate privacy policy on every site is sufficient for allowing consumers to understand their information options in different sites. As a result of the Children’s Online Privacy Protection Act (COPPA), the Federal Trade Commission mandated specific privacy practices and disclosures regarding children younger than 13 years. With respect to everyone else, however, the presence, form and content of privacy policies is optional, subject only to broad prescriptions for members of industry groups such as the Internet Advertising Bureau and the Direct Marketing Association. The result is a world of legalistically phrased privacy policies that typically start by assuring the consumer that the site cares about his or her privacy.
The policies then run for many paragraphs; hedge with respect to many of their assurances; are ambiguous when it comes to the “affiliates” with whom they share information; don’t necessarily report whether a site purchases data offline about its registered users; generally caution that the privacy policy can change at any time (sometimes telling consumers that the site will inform them when that happens); and often note that by clicking on an ad link a consumer may be entering a world with a privacy policy totally different from the one they are reading.
Anecdotal conversations suggest that internet experts find privacy policies hard to read and difficult to understand.19 A bold technological solution that has gained industry traction during the past few years is the Platform for Privacy Preferences (P3P). Its goal is to provide a web-wide computer-readable standard manner for websites to communicate their privacy policies automatically to people’s computers. In that way visitors can know immediately when they get to a site whether they feel comfortable with its information policy.20 A recent report by an AT&T Labs group found that while P3P’s adoption by websites is growing, especially on the most popular sites, fewer than 10% of websites offer it.21
____________________
19 For an examination of privacy policies in children’s websites, see Joseph Turow, Privacy Policies on Children’s Websites: Do They Play By the Rules?” Philadelphia: Annenberg Public Policy Center, March 2002. [http://www.appcpenn.org/internet/family]
20 P3P “user agents” are built into the Internet Explorer 6.0 and Netscape Navigator web browsers. An ingenious AT&T program called Privacy Bird is a P3P user agent that works with Internet Explorer 5.01 and higher. It displays a bird icon on the browser that changes color and shape to indicate whether or not a web site’s P3P policy matches a user’s privacy preferences. The beta-version software is free. See http://www.privacybird.com/.
21 Lorrie Faith Cranor, Simon Byers, and David Kormann, “An Analysis of P3P Deployment on Commercial, Government and Children’s Web Sites as of May 2003.” Technical report prepared for the may 14, 2003 Federal Trade Commission Workshop on Technologies for Protecting Personal Information. [http://www.research.att.com/projects/p3p/]
One reason that sites eschew P3P is that it requires them to transform their privacy policies into a number of straightforward answers to multiple choice questions. P3P consequently does not allow for the ambiguities, evasions and legal disclaimers that are hallmarks of such documents. Note, too, that the P3P approach does not have a facility for ensuring that websites answer the questions accurately or truthfully.
In the absence of a widespread technological solution, those concerned about the state of information privacy on the internet lobby for legislation22 at the same time that they try to educate people about how to understand what goes on. There certainly are lots of places for people to learn what happens to their information online and how to keep it secure.
____________________
22 For a list of “privacy, speech, and cyber-liberties bills in the 108th Congress,” see the Electronic Privacy Information Center’s site: http://www.epic.org/privacy/bill_track.html
The popular press continually beats a refrain about the dangers of the internet for information privacy, sometimes with links to online locations to learn more. Websites of organizations as varied as the Electronic Privacy Information Center (EPIC), Privacy.org (a joint project of EPIC and Privacy International), the Center for Democracy and Technology, Internet Education Foundation, AARP, Consumer’s Union and the U.S. Federal Trade Commission have exhorted consumers (and citizens) to take specific steps to protect their privacy online.
ConsumerPrivacy.org, for example, provides an online guide to help readers “take control of the way your information is used.”23 Sections include a “how to” guide to privacy, top things you can do to protect your privacy, kids’ privacy, frequently asked questions, and a privacy glossary. The Internet Education Foundation has a similarly wide-ranging resource called GetNetWise that is supported by various corporations. AARP provides a guide called “Online Shopping: A Checklist for Safer Cybershopping.” The Federal Trade Commission issues FTC FACTS for Consumers that deal with internet privacy with such titles as “Dialing Up to the Internet: How to Stay Safe Online” and “Safe at Any Speed: How to Stay Safe Online If You Use High-Speed Internet Access.” And EPIC provides an online guide to “practical privacy tools” that help internet users with such activities as surfing anonymously, eliminating cookies, achieving email and file privacy, and deleting files so that they can never be read.24
____________________
23 “Protect Your Privacy Now—Welcome to ConsumerPrivacyGuide!” ConsumerPrivacyGuide.org [http://www.consumerprivacyguide.org/], accessed on May 28, 2003.
24 Electronic Privacy Information Center, EPIC Online Guide to Practical Privacy Tools,” [http://www.epic.org/privacy/tools.html], accessed May 28, 2003.
A question unanswered through all the debates about information privacy and
the web is whether consumers understand these approaches and how to implement
them. Marketers argue that privacy notices are invaluable in helping to ease
concerns over sharing information. They look with optimism to a study conducted
in Spring 2001 for the Privacy Leadership Initiative (a coalition of CEOs
and organizations dedicated to improving consumer privacy online). It found
that consumers were increasingly paying attention to online privacy statements
(82% in April 2001 vs. 73% in December 2000).25
But does concern over privacy and increased “attention” to privacy policies mean that people really understand what is happening to their information on the web?
Are writers such as Alan Westin correct to suggest that Americans make knowledgeable, pragmatic cost-benefit analyses when they disclose data about themselves online?
____________________
25 Beth Mack, “Keep It To Yourself,” Marketing News, November 25, 2002, p. 21.
This study explores these and other key questions.
. . .
[pp. 33-35.]
CONCLUDING REMARKS
The findings in this report must be dispiriting for those who believe in giving citizens the wherewithal to control their information on the internet. We found that despite their strong concerns about online privacy, most adults who use the internet at home misunderstand the purpose of a privacy policy. Just as important, our findings indicate that despite fairly wide awareness that websites collect information about them, adults who use the internet at home are fundamentally unaware of data flow: how organizations glean bits of knowledge about individuals online, interconnect those bits, link them to other sources of information, and share them with other organizations.
This ignorance of data flow stands at the heart of the imbalance of power that currently exists when it comes to controlling personal information online. In many ways, it is the ability to mine and manipulate data about individuals that makes interactive digital media such as the internet so attractive to marketers and governments. The activity is in relative infancy, but it is likely to grow enormously in presence and profits during the coming decades. Marketers and media firms, for example, see increased sophistication in realtime transactional databases as critical to the success of audience targeting, contenttailoring, and customer relationship management activities of the twenty-first century.38
____________________
38 See Joseph Turow, “Marketing Trust and Surveillance in the New Media World,” presented at The New Politics of Surveillance and Visibility conference, University of British Columbia, May 23-25, 2003.
When consumers are unaware of the data flows that take place behind their screens, they cannot really engage in the kinds of informed cost-benefit analyses that writers such as Alan Westin suggest take place when consumers “pragmatically” give up information about themselves. What consumers can’t evaluate are the costs involved when marketers or governments hitch seemingly trivial information the consumers have allowed them to track, such TV viewing habits or fashion interests, to other knowledge in order to create powerful profiles about them. Correct or not, the profiles can impact people’s lives in ways they can’t control for lack of knowledge. Online and offline media might change content depending on what the media firms and their advertisers “know” about them. The consumers might receive different ads and different discounts than they had in the past. Government agencies might pay more or less attention to them than to others.
This study found that when adults who use the internet at home are brought face-to-face with a common approach to collecting, interconnecting and using their online information, they overwhelmingly reject it. It is also important to note, however, that these people don’t go out of their way to learn what is going on with their online information. 64% say they have never searched for instructions on how to “protect information” about themselves on the web. Large percentages of online-at-home adults have little, if any, experience with basic internet privacy tools.
Why haven’t these people tried to understand what happens to their information online and what to do about it? One reason may simply be that they have many other things to do—56% are parents of a child under age 18, for example. Our survey also suggests a more basic, though related, reason: so far, they personally haven’t suffered from it. Recall that 82% of those interviewed said they had never had an incident where they worried about something a family member told a website. Recall, too, our finding that 77% of the respondents said that the more years they have the web, the more interesting it becomes. Add to those findings both a misperception that all privacy policies provide at least some security and the fact that data flows take place invisibly, behind the screen, while a person is engaged with what is on it. In this context, it is not at all difficult to understand why adults who say they are concerned about the collection of information online without their permission nevertheless know and do little about it.
Based on these findings, one wonders whether it is realistic to believe that most American consumers can be educated successfully about ways to protect their online information. The ignorance we found comes at a time when news and entertainment media constantly din people about online dangers. Moreover, there are currently many places online and off for people to learn about privacy protection tools. It may be that it will take a data-gleaning disaster—with publicity matching that of Enron’s meltdown—to energize people to learn how to control their information. An alternative view is that technologies to extract and manipulate information about audiences for digital interactive media are becoming ever-more complex. Competitors vie with each other for the best approaches while trying to get around privacy-enhancing technologies. Perhaps it may be too much to expect ordinary people to keep up. It seems clear that, at the very least, that people need active help in protecting their information.
From that standpoint, it is particularly disconcerting that we found that such a small percentage of adults who use the internet at home trust key internet-related institutions to actively aid them protect their information while not also disclosing it without their consent. The largest percentage claims no strong stance on the subject—they neither trust nor distrust—while the second-largest proportion believes that institutions talk differently from different sides of their mouths: one side helps protect personal information while the other accidentally or purposefully releases personal information to outsiders without permission.
Adults who use the internet at home, then, know that they do not have the knowledge to control their information and are not sure whether major entities who have that knowledge will act in consumers’ best interests. It therefore makes sense that when offered policy choices our respondents overwhelmingly agree with solutions that let them know straightforwardly what is going on. They strongly support regulations that force more disclosure from online entities. They also strongly agree on the effectiveness of government regulations that give people leverage with online entities to control information about themselves.
Bringing together this study’s findings suggests that three policy initiatives are needed to address citizens’ desire to control their information in direct, straightforward ways:
First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computerreadable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken.
Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit.
Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission.
The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches.
The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.