
  • Number of slides: 41

Privacy, Rationality, and the Economics of Immediate Gratification
Alessandro Acquisti
Heinz School, CMU
acquisti@andrew.cmu.edu

The economics of privacy: (some of many) Open questions
• Why have researchers created great privacy technologies… that almost nobody seems to use?
• Do people care about privacy?
  – What explains the attitudes/behavior dichotomy?
• Who should protect your privacy?
  – The government?
    • Samuelson 2003, the social cost of confusing privacy policies
  – Self regulation?
    • Fails under pressure
  – The individual?
    • Can individuals protect their own privacy?

GMail debate
It is true that there are potential costs of using Gmail for email storage […] The question is whether consumers should have the right to make that choice and balance the tradeoffs, or whether it will be preemptively denied to them by privacy fundamentalists out to deny consumers that choice.
-- (from Politech)

Privacy and rationality
• Forward looking agent, utility maximizer, Bayesian updater, fully informed
  – Theoretical models
  – Empirical studies
  – Policy debate
• Explanation of attitudes/behavior dichotomy
  – “It's rational anyway” (Syverson 2003)
  – “Only when it really matters” (Shostack 2003)

Goals
• Critique the “rationality” approach to the study of privacy behavior
• Propose alternative model based on bounded rationality and immediate gratification bias
• Test the model through surveys and experimental approach
  – Theory: Acquisti ACM EC 04
  – Empirical approach: Acquisti and Grossklags WEIS 04

Theory

Privacy trade-offs
• Protect:
  – Immediate costs or loss of immediate benefits
  – Future (uncertain) benefits
• Do not protect:
  – Immediate benefits
  – Future (uncertain) costs
(sometimes, the reverse may be true)

Why is this problematic?
1. Incomplete information
2. Bounded rationality
3. Psychological/behavioral distortions

1. Incomplete information
• What information has the individual access to when she takes privacy sensitive decisions?
  – For instance, is she aware of privacy invasions and associated risks?
  – Is she aware of benefits she may miss by protecting her personal data?
  – What is her knowledge of the existence and characteristics of protective technologies?
• Privacy:
  – Asymmetric information
    • Exacerbating: e.g., RFIDs, GPS
  – Material and immaterial costs and benefits
  – Uncertainty, ex post evaluations

2. Bounded rationality
• Is the individual able to calculate all the parameters relevant to her choice?
  – Or is she limited by bounded rationality?
• Privacy:
  – Decisions must be based on several stochastic assessments and intricate “anonymity sets”
  – Inability to process all the stochastic information related to risks and probabilities of events leading to privacy costs and benefits
  – E.g., HIPAA

3. Psychological/behavioral distortions
• Privacy and deviations from rationality
  – Optimism bias
  – Complacency towards large risks
  – Inability to deal with prolonged accumulation of small risks
  – Coherent arbitrariness
  – “Hot/cold” theory
  – Hyperbolic discounting, immediate gratification

Hyperbolic discounting

Hyperbolic discounting
• Can explain:
  – Survey time vs. decision time dichotomies
  – Time consistency vs. time inconsistency
  – Sophisticated vs. naïve time inconsistent individuals
• Laibson (1994), Rabin and O’Donoghue (2000, 2001)

Survey time vs. decision time
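
The survey-time versus decision-time reversal named on these slides, worked through as an added example that is not part of the original presentation. It assumes the quasi-hyperbolic (beta-delta) form of discounting commonly used in this literature; the function names and all parameter values are constructed for illustration.

```python
# Added illustration: quasi-hyperbolic (beta-delta) discounting applied to a
# privacy-protection choice. All numbers are constructed, not survey data.

def present_value(payoffs, beta, delta):
    """Value today of payoffs[k] received k periods from now.

    Immediate payoffs count in full; every future payoff is scaled by
    beta * delta**k. beta = 1 gives ordinary exponential discounting.
    """
    now, later = payoffs[0], payoffs[1:]
    return now + beta * sum(delta ** k * u for k, u in enumerate(later, start=1))


def wants_to_protect(delay, cost, benefit, beta, delta):
    """True if protecting `delay` periods from now looks worthwhile today.

    Protecting costs `cost` when done and returns `benefit` (the avoided
    expected privacy loss) one period after that.
    """
    payoffs = [0.0] * delay + [-cost, benefit]
    return present_value(payoffs, beta, delta) > 0


def reversal_range(benefit, beta, delta):
    """Costs (low, high) for which the agent says 'I would protect' when
    asked in advance but declines once the cost is immediate."""
    return beta * delta * benefit, delta * benefit


# Constructed parameters: effort of 1.0 now, avoided loss of 1.5 next period.
COST, BENEFIT, DELTA = 1.0, 1.5, 0.95

if __name__ == "__main__":
    for label, beta in (("exponential", 1.0), ("present-biased", 0.6)):
        survey = wants_to_protect(1, COST, BENEFIT, beta, DELTA)
        decision = wants_to_protect(0, COST, BENEFIT, beta, DELTA)
        print(f"{label:15s} survey time: {survey}  decision time: {decision}")
    low, high = reversal_range(BENEFIT, 0.6, DELTA)
    print(f"attitude/behavior gap for costs between {low:.3f} and {high:.3f}")
```

With beta = 1 the reversal range is empty, so stated attitude and behavior agree; any beta below 1 opens a band of protection costs in which a genuinely concerned individual still does not protect.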

Theory: hypotheses
• Rationality model not appropriate to describe individual privacy behavior
• Time inconsistencies lead to under protection and over release of personal information
• Genuinely privacy concerned individuals may end up not protecting their privacy
• Also sophisticated users will not protect themselves against risks
• Large risks accumulate through small steps
• Not knowing the risk is not the issue

Empirical approach

Survey & experiment
• Survey phase: ~100 questions, 119 subjects
• Paid, online survey (CMU Berkman Fund)
• Contrast three sets of data
  – Privacy attitudes: generic and specific
  – Privacy behavior: stated and actual past behavior
  – Market characteristics and psychological distortions: risk aversion, strategic behavior, hyperbolic discounting, etc.
• Next: experiment phase

Demographics
• Age:
  – 19-55 (average: 24)
• Education:
  – College, then Masters degrees, Ph.D, JD or MD
• Household income:
  – From <15,000 (35.54%) to >120,000 (6.61%)
• Nationalities:
  – USA 83%, then China, India, Belgium, Venezuela, …
• Jobs:
  – Student (full-time) (41.32%), then part-time, IT, medical, public sector, educational, unemployed, …

Results

Privacy attitudes (excerpts)

Privacy attitudes (excerpts)

Privacy importance and privacy concerns

Privacy risks and bundles (excerpts)

Privacy concern    Data about offline identity    Bundled data about offline identity
Low concern        27.30%                         6.70%
Medium concern     26.70%                         27.20%
High concern       20.00%                         39.50%
Missing data       26.00%                         26.60%

Knowledge of privacy risks (excerpts)

Knowledge of privacy risks (excerpts)

Knowledge of privacy risks (excerpts)
“Nobody, assuming an SSL transaction, without which I would not commit an online transaction using my credit card”

Knowledge of privacy risks and bundles (excerpts)
• Sweeney (CMU): 87% of the population of the United States is likely to be uniquely identified by 5-digit ZIP code, birth date, and sex

Privacy knowledge and overconfidence (excerpts)

Knowledge of privacy protection (excerpts)
• Privacy law:
  – 54% cannot quote a law or even just describe it
• OECD Fair information principles:
  – 38% believe they include “litigation against wrongful behavior”
• Goal: browse anonymously
  – 51% would not know how
• Goal: browse the Internet with warnings if a website has an incompatible privacy policy
  – 67% would not know how (but most use IE 6!)

Knowledge of privacy risks and attitude (excerpts)
Are you informed about the policy regarding monitoring activities of employees/students in your organization?
Yes, I am informed | I don’t know how such monitoring could take place | I somewhat know … but don’t know the details | There is a policy, but I don’t know its details
Low concern 0.00% 6.70% 0.00% Medium concern 0.00% 13.40% 19.60% 6.70% 19.50% 0.00% 6.70% 20.00% High concern

Economic rationality (excerpts)
• Evidence of:
  – Risk aversion
  – Hyperbolic discounting
  – Non game strategic behavior (guessing game)

Analysis

Attitudes/behavior dichotomy (excerpts)

Recall of past behavior (excerpts)

Password for chocolate?
• InfoSec Europe 2004 experiment:
  – 71% of office workers at Liverpool Street Station (claimed) they were willing to reveal their (true?) password for a chocolate bar
• Loewenstein “hot/cold” theory

“Buy” behavior
• 74% adopted some strategy or technology or otherwise took some particular action to protect their privacy:
  – Encryption, PGP
  – Do-not-call list
  – Interrupt purchase
  – Provide fake information
  – […]
• However, when you look at details, percentages go down…
  – 8% encrypt emails regularly
  – Similar results for shredders, do-not-call lists, caller-IDs, etc.

“Buy” vs. “sell” price

Clusters
• Multivariate clustering techniques (k-means)
• Privacy attitudes
  – 4 clusters: privacy fundamentalists with high concern towards all collection categories, two medium groups with concerns either focused on the accumulation of data belonging to online or offline identity, and a group with low concerns in all fields
• Self reported behavior of privacy relevance
  – 2 clusters: group with a substantially high degree of information revelation and risk exposure, group with low revelation and exposure
• Knowledge of privacy risks
  – 3 clusters: group with an average knowledge of privacy threats, group with high unawareness of even simple forms of risk, and “aware” group
• Knowledge of privacy protection and security
  – 2 clusters: small group very knowledgeable about various technologies or strategies to protect themselves, larger group showing a blatant lack of awareness of even simple strategies to reduce leakage of personal information

Regressions
• Fixed effects models
• Logit/mLogit models
• Dependent variables:
  – Privacy attitudes
  – Privacy behavior
  – Dichotomy attitudes vs. behavior
• Explanatory variables:
  – Demographics
  – Knowledge
  – Economic variables (risk attitude, rational behavior, discounting behavior)
• Ongoing

So... who should protect your privacy?

Conclusions
• Theory
  – Time inconsistencies may lead to under-protection and over-release of personal information
  – Genuinely privacy concerned individuals may end up not protecting their privacy
  – Not knowing the risk is not always the issue
• Preliminary evidence
  – Rationality model not appropriate to describe individual privacy behavior
  – Preliminary evidence of:
    • Incomplete information
    • Bounded rationality
    • Psychological distortions
• Policy implications…