Alessandro Acquisti Heinz College/CyLab Carnegie Mellon University K. U. Leuven - Interdisciplinary Privacy Course 2010 June 2010 Privacy, Nudges, and the Illusion of Control



Overview

1. From the economics to the behavioral economics of privacy
2. The illusion of control hypothesis
3. Soft paternalism and privacy nudges


The economics of privacy

Protection and revelation of personal data flows involve tangible and intangible trade-offs for the data subject as well as the potential data holder

However…

The need for a behavioral economics of privacy

The privacy paradox: privacy attitudes/behavior dichotomy

Hurdles which hamper (privacy) decision making

1. Incomplete information
2. Bounded rationality
3. Psychological/behavioral biases

The need for a behavioral economics of privacy

Hence, the need for a behavioral, experimental economics of privacy (as well as information security)

I.e., applying theory and methodologies from BE and BDR to the understanding of how people (and organizations) make decisions about the security or privacy of their data

… and how cognitive and behavioral biases (negatively) affect those decisions

… in order to inform policy and technology design

Experimental approach

Randomized experiments
– Randomly assigning subjects to different treatments (experimental conditions)
– For instance, different versions of a survey

Numerous unobservable factors impact privacy concerns and privacy behavior
– However: with large enough sample and proper randomization, underlying distributions of traits (including privacy preferences, concerns, and other factors which influence the former) are similar across conditions
– Furthermore: control econometrically for other observable traits; avoid confounding effects

Testing for statistically significant differences in behavior (e.g., propensity to answer questions) as function of treatment
– Although we cannot interpret micro motivations (e.g., infer who is lying or why a subject is/is not answering), we can compare aggregate behaviors

Some of our experiments

Hyperbolic discounting in privacy decision making (ACM EC 04)

Herding effects in information revelation (SJDM 2009)

Over-confidence, optimism bias in online social networks (WPES 05)

Confidentiality assurances inhibit information disclosure (SJDM 07)

Individuals more likely to disclose sensitive information to unprofessional sites than professional sites (SJDM 2007)

Endowment effects in privacy valuations (WISE 2009)

[…]

E.g.: Willingness to pay to protect privacy vs. willingness to accept to give data

Mall patrons asked to participate in a study. Offered compensation in the form of gift card(s)

We manipulated trade-offs between privacy protection and value of cards

Endowed with either:
– $10 Anonymous gift card. “Your name will not be linked to the transactions completed with the card, and its usage will not be tracked by the researchers.”
– $12 Trackable, identified gift card. “Your name will be linked to the transactions completed with the card, and its usage will be tracked by the researchers.”

Then, asked whether they’d like to switch cards
– From $10 Anonymous to $12 Trackable (WTA)
– From $12 Trackable to $10 Anonymous (WTP)


WTP vs. WTA: Results

χ2(3) = 30.66, p < 0.0005

[Figure: bar chart, y-axis "% choosing anonymous $10 card" (0 to 60). Bars: Endowed $10 (n=71): 52.1; Choice $10 vs. $12 (n=83): 42.2; Choice $12 vs. $10 (n=57): 26.7; Endowed $12 (n=62): 9.7]
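The test statistic reported on this slide can be reproduced from the chart's own numbers. The Python below is an added example, not part of the original slides; it assumes the four bar values pair with the four conditions in the order listed, and it reconstructs cell counts by rounding each percentage times n.

```python
import math

# Read off the slide's bar chart: (condition, n, % choosing the $10 anonymous card).
# ASSUMPTION of this example: bars pair with conditions in listed order, and
# cell counts are recovered by rounding pct * n to the nearest subject.
CONDITIONS = [
    ("Endowed $10", 71, 52.1),
    ("Choice $10 vs. $12", 83, 42.2),
    ("Choice $12 vs. $10", 57, 26.7),
    ("Endowed $12", 62, 9.7),
]


def contingency_table(conditions):
    """Return one (chose anonymous, chose trackable) row per condition."""
    rows = []
    for _name, n, pct in conditions:
        anon = round(n * pct / 100.0)
        rows.append((anon, n - anon))
    return rows


def pearson_chi2(rows):
    """Pearson chi-square test of independence on an r x c table of counts."""
    col_totals = [sum(col) for col in zip(*rows)]
    grand = sum(col_totals)
    stat = 0.0
    for row in rows:
        row_total = sum(row)
        for observed, col_total in zip(row, col_totals):
            # Expected count if card choice were independent of condition.
            expected = row_total * col_total / grand
            stat += (observed - expected) ** 2 / expected
    dof = (len(rows) - 1) * (len(col_totals) - 1)
    return stat, dof


def chi2_sf_dof3(x):
    """Upper-tail probability of a chi-square variable with 3 degrees of freedom."""
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)


def wtp_wta_test():
    """Rebuild the table and return (rows, statistic, dof, p-value)."""
    rows = contingency_table(CONDITIONS)
    stat, dof = pearson_chi2(rows)
    return rows, stat, dof, chi2_sf_dof3(stat)


if __name__ == "__main__":
    rows, stat, dof, p = wtp_wta_test()
    for (name, n, pct), (anon, track) in zip(CONDITIONS, rows):
        print(f"{name:<20} n={n:<3} anonymous={anon:<3} trackable={track}")
    print(f"chi2({dof}) = {stat:.2f}, p = {p:.2e}")
```

The comparison is across aggregate choice rates per condition, which is what randomization licenses; it says nothing about why any individual subject kept or switched cards.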


Overview

1. From the economics to the behavioral economics of privacy

2. The illusion of control hypothesis (joint work with Laura Brandimarte and George Loewenstein)

3. Soft paternalism and privacy nudges

The Illusion of control in information disclosure (or: the privacy control paradox)

Giving users more control over disclosure and publication of personal information paradoxically causes them to disclose more sensitive information and expose themselves to heightened privacy risks

Conjecture: Individuals may confound control over publication of private information with control over access/use of that information by others
– Even though arguably threats to privacy derive from access to/use of available information by others!

Why? Because the act of publication is more salient than later access/use by others

The Illusion of control in information disclosure (or: the privacy control paradox)

Privacy as control
– Westin, Samarajiva, Culnan, Solove, …

Normative vs. Positive interpretation

Hypotheses

Hypotheses:
– Higher perceived control on publication will trigger higher willingness to reveal, even when the objective risks associated with accessibility/usage do not change, or in fact increase
– Lower perceived control on publication will trigger lower willingness to reveal, even when the objective risks associated with accessibility/usage do not change, or in fact decrease

Illusion of control
– Henslin (1967), Langer (1975)

Three survey-based randomized experiments

Study 1: Reducing (perceived) control over publication of personal information
▪ Mediated vs. unmediated publication

Study 2: Reducing (perceived) control over publication of personal information
▪ Certainty vs. probability of publication

Study 3: Increasing (perceived) control over publication of personal information
▪ Explicit vs. implicit control

Study 1

Design
– Subjects: CMU students recruited on campus, March 2008
– Completed online survey
– Justification for the survey: creation of CMU networking website
– Questions focused on students’ life on and off campus
▪ Multiple choice, Yes/No, Rating and open-end questions
▪ Included quasi-identifiers + privacy intrusive and non-intrusive questions
▪ As rated by 31 subjects independently in a pre-study

Study 1

Examples of highly intrusive questions
– Email address
– Home address
– Have you ever cheated for homework/projects/exams (e.g. copy, plagiarize)?

Examples of moderately intrusive questions
– Date of birth
– Do you have a girlfriend/boyfriend?
– Have you ever had troubles with your roommates?

Examples of non intrusive questions
– Do you do any sport on campus?
– Which courses are you taking at the moment?
– How would you rate the quality of the education you are receiving?

Study 1

Manipulation: Profile automatically created vs. profile created by researcher (less control)

Control group
“No question/field is required. With the answers you provide, a profile will be automatically created for you, with no intervention by the researcher, and published on a new CMU networking website, which will only be accessible by members of the CMU community, starting from the end of April. The data will not be used in any other way.”

Treatment group
“No question/field is required. The answers you provide will be collected by the researcher, who will create a profile for you and publish it on a new CMU networking website, which will only be accessible by members of the CMU community, starting from the end of April. The data will not be used in any other way.”

Study 1

Dependent variables
– Response rate (whether subject answered or not)
– Admission rate (whether subject admitted to some behaviors)

Explanatory variables
– Treatment
– Intrusiveness
– Demographics (age, gender)

Study 1

Hypothesis: Loss of control over publication should decrease willingness to disclose private information, and especially so for the most sensitive questions
– It is not the publication of private information per se that disturbs people, but the fact that someone else will publish it for them

Confounding factors

Study 1

Participants: 29 subjects in control condition, 32 subjects in treatment condition

– 30 males (17 in control condition), 28 females (15 in control condition), 3 missing

– Average age: 21.8 in control group, 21 in treatment group (difference not significant)

Study 1

Figure 1: Percentage of subjects answering each question in control and treatment condition

Study 1

Table 1. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics

            Coeff    P-value
Treatment   -.37*    .08
Intrusive   -.43**   .00
Treat_Int   -.03     .19
Age         .00      .98
Male        .08      .32

N = 61      Prob > χ2 = .000

* indicates significance at 10% level; ** indicates significance at 5% level

Study 1

Treatment has hypothesized effect on
– 4 of the questions that were rated as highly intrusive (email, cheating at school, others cheating, informing instructor)
– 1 moderately intrusive question (girlfriend)

Treatment did not push subjects to admit more:
– The percentage of subjects answering “No” to questions about sensitive behaviors didn’t change significantly (10% level) between the control and the treatment conditions

However, possible confounding factor: trust in researcher

Study 2

Design
– Similar to Study 1

Study 2

Manipulation: Profile automatically published vs. profile published with 50% probability (less control)

Control group
“The information you provide will appear on a profile that will be automatically created for you. The profile will be published on a new CMU networking website, which will only be accessible by members of the CMU community, starting at the end of this semester. The data will not be used in any other way. NO QUESTION/FIELD REQUIRES AN ANSWER.”

Treatment group
“The information you provide will appear on a profile that will be automatically created for you. Half of the profiles created for the participants will be randomly picked to be published on a new CMU networking website, which will only be accessible by members of the CMU community, starting at the end of this semester. The data will not be used in any other way. NO QUESTION/FIELD REQUIRES AN ANSWER.”

Study 2

Figure 2: Percentage of subjects answering each question in control and treatment condition

[Figure: y-axis 0.0% to 100.0%; x-axis lists the survey questions: First Name, Last Name, Gender, DoB, Age, PoB, Email, Address, Phone #, On FB, How long in Pitt, Like the city, Happy, Sport, Which sport, Sport on campus, Rate facilities, Group, Which group, Friends, Friends at CMU?, Friends elsewhere, Spare time, Family, See family, Married, Girlfriend, Cheated on partner, Accommodation, Roommates, Move out, Program, Courses, Cheated at school, Others cheated, Instructor, Rate program, Competitive, Hours studying, Job]

Study 2

Table 2. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics

            Coeff    P-value
Treatment   -.25**   .05
Intrusive   -.64**   .00
Treat_Int   -.67**   .00
Age         -.02     .28
Male        .20*     .10

N = 132     Prob > χ2 = .000

* indicates significance at 10% level; ** indicates significance at 5% level; *** indicates significance at 1% level

Study 2

Possible confounding factors

Study 2 took care of one of the possible confounding factors in Study 1. However…

Subjects may reveal less because they care less, since the probability of publication is lower
▪ If that were the case, we should observe an effect on those types of questions that required effort (program, courses). No such effect

Study 3

Design
– Subjects: CMU students recruited on campus, March 2010
– Completed online survey
– Justification for the survey: study on ethical behaviors
– Ten Yes/No questions that focused on sensitive behaviors (e.g. drug use, stealing)
▪ Included demographics + privacy intrusive and non-intrusive questions
▪ As rated by 49 subjects independently in a pre-study

Study 3

• Manipulations

– Condition 1 (only implicit control)
“All answers are voluntary. By answering a question, you agree to give the researchers permission to publish your answer.”

– Condition 2 (high explicit control)
“All answers are voluntary. In order to give the researchers permission to publish your answer to a question, you will be asked to check the corresponding box in the following page.”

– Condition 3 (medium control)
“All answers are voluntary. In order to give the researchers permission to publish your answers to the questions, you will be asked to check a box in the following page.”

– Condition 4 (same as Condition 2, but the default is that answers will be published)
“All answers are voluntary. In order to prevent the researchers from publishing your answer to a question, you will be asked to check the corresponding box in the following page.”

– Condition 5 (some control + extra demographics)
“All answers are voluntary. In order to give the researchers permission to publish your answers to the questions, you will be asked to check a box in the following page. Please notice that the answers to the demographic questions that you provided in the previous page will NOT be published without your explicit agreement: you will be asked permission to publish those answers separately.”


Study 3

Table 3. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics

Comparing conditions:

            1 and 2         1 and 3          1 and 4         1 and 5
Treatment   1.51** (.000)   1.92** (.000)    1.52** (.000)   .91** (.000)
Intrusive   -.85** (.000)   -.85** (.000)    -.85** (.000)   -.84** (.000)
Treat_Int   .59* (.071)     -1.21** (.002)   .44 (.177)      -.08 (.741)
Age         .01 (.753)      .03 (.521)       .003 (.942)     .05 (.158)
Male        .10 (.653)      -.11 (.593)      -.08 (.684)     -.03 (.861)
N           69              65               68              66
Prob > χ2   .000            .000             .000            .000

* indicates significance at 10% level; ** indicates significance at 5% level

Study 3

The coefficient on Treatment is always positive and significant: providing subjects with control over information publication increases their willingness to answer a question (results are similar if we only consider answers that subjects were willing to publish)

The coefficient on the interaction is only significant when comparing condition 1 with condition 2

The negative coefficient on the interaction in condition 3 may be due to the very nature of the treatment: makes publication of very sensitive information more salient, but does not allow the prohibition of the publication of specific questions

Adding a dummy variable for the provision of an email address, which should have made subjects feel more identifiable, doesn’t affect our results

Summarizing the results

Our results suggest the following:
– Control over publication leads to more revelation of private info
– This effect is stronger for privacy intrusive questions

Implications

People seem to care more for control over publication of private information than for control over access and use of that information
– When someone other than themselves is responsible for the publication, or when the publication itself becomes uncertain – which reduces the probability of access/use by others – people refrain from disclosing

Results call into question OSNs’ arguments that privacy is protected by providing more control to members
– Giving more control to users over information publication seems to generate higher willingness to disclose sensitive information


Nudging users towards privacy

Our research highlights cognitive and behavioral biases that make it difficult for users to make the “right” privacy (and security) decision

However, those results can also be used for “soft,” or asymmetric, paternalistic solutions:
– Designing systems to “nudge” individuals, by anticipating – or even exploiting – the very fallacies and biases that research has uncovered; tweaking their incentives, without diminishing users’ freedom (IEEE S&P 2009)

Soft vs. strong paternalism vs. usability

Consider online social networks users who post dates of birth online

Imagine that a study shows some risks associated with revealing DOBs (e.g., SSN predictions)
– Strong paternalistic solution: ban public provision of dates of birth in online profiles
– “Usability” solution: design a system to make it intuitive/easy to change DOB visibility settings
– Soft paternalistic solution?

Nudging privacy through soft paternalism: some examples

Saliency of information
– Provide context to aid the user’s decision, such as visually representing how many other users (or types of users) may be able to access that information

Default settings
– By default, DOBs not visible, unless settings are modified by user

Hyperbolic discounting
– Predict and show immediately SSN based on information provided

… and so forth

For more info

Google: economics privacy

Visit: http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

Email: [email protected]


Backup Slides

Study 3

Descriptive statistics and qualitative results

Experimental condition   Number of subjects   Average age   % Male   Average response rate (%)   Subjects providing email (%)   Subjects answering all questions   Subjects publishing all questions   Subjects publishing no question
1                        33                   22.03         45.4     60.6                        78.8                           5 (15.1%)                          -                                   -
2                        36                   22.11         50.0     96.1                        80.5                           28 (75.0%)                         10 (27.8%)                          10 (27.8%)
3                        32                   21.87         46.9     84.4                        81.2                           12 (37.5%)                         32 (100%)                           -
4                        35                   21.80         48.6     96.0                        80.0                           26 (74.3%)                         19 (54.3%)                          0 (0%)
5                        33                   22.09         54.5     83.3                        87.9                           13 (39.4%)                         33 (100%)                           -
Total                    169                  21.98         49.1     86.0                        81.6                           83 (49.1%)                         94 (69.1%)