Customer Commons Research: 92% of People Engage in Some Strategy to Hide Personal Data

We launched our first research paper today:  Lying and Hiding in the Name of Privacy (PDF here) by Mary Hodder and Elizabeth Churchill.

Our data supporting the paper is here:  Addendum Q&A and shortly we’ll upload a .xls of the data for those who want to do a deep dive into the results.

We all know that many people hide or submit incorrect data, click away from sites or refuse to install an app on a phone. We’ve all mostly done it.  But how many?  How much is this happening?

We’re at IIW today and of course, the age old dilemma is happening in sessions where one guy in the room says: “People will click through anything; they don’t care about privacy.”  And the next guy will say, “People are angry and frustrated and they don’t like what’s happening.”  But what’s real?  What’s right?

We conducted this survey to get a baseline about what people do now as they engage in strategies to create privacy for themselves, to try to control their personal data.

The amazing thing is.. 92 % hide, lie, refuse to install or click, some of the time. We surveyed 1704 people, and had an astonishing 95% completion rate for this survey. We also had 35% of these people writing comments in the “comment more” boxes at the bottom of the multiple choice answers. Also astonishingly high.

People expressed anger, cynicism, frustration. And they said overwhelmingly that the sites and services that ask for data DON’T NEED it.  Unless they have to get something shipped from a seller. But people don’t believe the sites. There is distrust.  The services have failed to enroll the people they want using their services that something necessary is happening, and the people who use the services are mad.

We know the numbers are high, and that it’s likely due to many not having a way to give feedback on this topic. So when we offered the survey, people did vent.

But we think it also indicates the need for qualitative and quantitative research on what is true now for people online. We want more nuanced information about what people believe, and how we might fix this problem.  Many sites only look at user logs to figure out what is happening on a site or with an app, and therefore, they miss this problem and the user feelings behind them. We want to see this studied much more seriously so that people no longer make the conflicting statements at conferences, so that developers say the user’s don’t care, so that business models are developed that think different than we do now, where sites and services just take personal data.  We want to get beyond the dispute over whether people care, to real solutions that involve customers and individuals in ways that respect them and their desires when they interact with companies.

 

 

 

Lying and Hiding in the Name of Privacy

Authors: Mary Hodder and Elizabeth Churchill

Creative Commons licenced: by-nc-nd CCLICENSE

©Customer Commons, 2013

Contact: Mary Hodder, hodder@gmail.com

Abstract

A large percentage of individuals employ artful dodges to avoid giving out requested personal information online when they believe at least some of that information is not required. These dodges include hiding personal details, intentionally submitting incorrect data, clicking away from sites or refusing to install phone applications. This suggests most people do not want to reveal more than they have to when all they want is to download apps, watch videos, shop or participate in social networking.

Keywords:  privacy, personal data, control, invasion, convergence

Download a PDF of the paper here.

 

Survey

Customer Commons’ purpose in conducting this research is to understand more fully the ways in which people manage their online identities and personal information. This survey, the first of a planned series of research efforts, explores self-reported behavior around disclosure of personal information to sites and services requesting that information online. We believe the results of this survey offer a useful starting point for a deeper conversation about the behaviors and concerns of individuals seeking to protect their privacy. Subsequent research will explore how people feel and behave toward online tracking.

This research is also intended to inform the development of software tools that give individuals ways to monitor and control the flow and use of personal data.

For this research project, Customer Commons in late 2012 surveyed a randomized group of 1,704 individuals within the United States (1,689 finished the survey, or 95%). Respondents were geographically distributed, aged 18 and up (see the appendix for specifics), and obtained through SurveyMonkey.com. The margin of error was 2.5%.

Respondents gave checkbox answers to questions and in some cases added remarks in a text box. (Survey questions and answers are in an addendum to this paper.)

Key Findings

Protecting personal data

This survey focused on the methods people use to restrict disclosure of requested personal information. Those methods include withholding, obscuring or falsifying the requested information.

Only 8.45% of respondents reported that they always accurately disclose personal information that is requested of them. The remaining 91.55% reported that they are less than fully disclosing. If they decide the site doesn’t need personal information such as names, birthdates, phone numbers, or zip codes, they leave blank answers, submit intentionally incorrect information, click away from the site, or — in the case of mobile applications, decline to install.­

Most people withhold at least some personal data. Specifically,

  • 75.7% of respondents avoid giving their mobile numbers
  • 74.8% avoid “social” login shortcuts such as those provided by Facebook or Twitter
  • 73.4% avoided giving sites or services access to a friend or contact list.
  • 58.3% don’t provide a primary email address
  • 49.3% don’t provide a real identity

The concept of trust was raised in 22% of the written responses explaining why people hide their information. Some examples include:

  • “I cannot trust a random website”
  • “I do not want spam and do not want to expose others to spam. I also don’t know how that information could be used or if the people running the site are trustworthy.”
  • “If I know why info is needed then I might provide, otherwise no way”
  • “I felt the need to cover my I.D. a little bit — like age and gender.  And I still withhold my social security #.”
  • “If I feel they don’t need it to provide a service to me they don’t get it even if I have to enter in fake info”
  • “Worries on identity theft and general privacy.”
  • “i would never give out my friends or and familys (sic) info ever”

Many respondents said sites and services request more data than required. Others suggested that providing requested information would result in an increased risk to their security. More results:

  • When the 71% of respondents who reported withholding information were asked why, they said they didn’t believe the sites needed the information. Specifically,
    • 68% reported they either didn’t know the site well when they withheld their data or didn’t trust the site.
    • 45% of those who felt they knew the site or service well still withheld information.

Respondents lied about various line items as a strategy to protect their privacy. For example, 34.2% intentionally provided an incorrect phone number, and 13.8% provided incorrect employment information. Here are some reasons they gave:

  • “I didn’t want them to have all my information, or feel it was necessary.”
  • “I have obscured various information so that I would not have further contact with a vendor who won’t leave me alone”
  • “Faking it is the best to avoid unwanted contact”
  • “Sometimes you just want to use a service without them knowing every thing about you.”
  • “I don’t like websites to have very much information on me. I regularly give out spam email addresses, bad birthday dates, and bad location information.”
  • “Registering for many mundane website often requires some pretty detailed personal info. I generally fudge this. None of their business”
  • “Because information is so easily found and transferred on the internet I do provide false info quite often to protect my identity.”

Even those who had never submitted incorrect information made statements such as:

  • “Have never made up info – just ignored requests :-)”
  • “i just don’t use that website”
  • “I have an email address that is purly (sic) for junk mail. I use this email address for websites that request my email address and then I go into that email and delete all email monthly.”
  • “I have never given incorrect information, but I have thought about it.”
  • “I don’t lie, but I omit as I feel appropriate.”

 

Going with the flow

Correcting already obscured or falsified information appears to be too much of a chore. Specifically,

  • Over 50% have rarely or never corrected data they submitted incorrectly
  • 30% correct their data “sometimes.” Of that 30%,
    • 55% said a purchase required correct information
    • 56% had a growing feeling of comfort with the site or service
    • 46% cited the ability to realize new benefits from the site with corrected information
    • 30% said they noticed others’ incorrect data at Facebook or other social sites, or in phone applications, and —
      • 80% of this group assumed that the data was falsified as a way to protect privacy
      • 40% believed the incorrect data was there to mislead marketers
      • 12% believed secretive associates were trying to mislead them
    • 13% believed services always needed correct personal information
    • 75% believed the services needed it only sometimes
    • 12% said it was never needed.

Respondents also believed that other users of these services always needed or expected correct personal data about each other 27% of the time, whereas 23% said it was sometimes needed, and 48% said it was never needed.

 

Privacy online

The results of this survey support the hypothesis that people limit, refuse to give or obfuscate personal information in an attempt to create a measure of privacy online.

On July 30, 2010, in the first article in its “What They Know” series, The Wall Street Journal reported, “One of the fastest-growing businesses on the Internet … is the business of spying on Internet users. The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry.”[i]

Adds Doc Searls, in The Intention Economy, “Tracking and ‘personalizing’—the current frontier of online advertising—probe the limits of tolerance. While harvesting mountains of data about individuals and signaling nothing obvious about their methods, tracking and personalizing together ditch one of the few noble virtues to which advertising at its best aspires: respect for the prospect’s privacy and integrity, which has long included a default assumption of anonymity.”[ii]

This survey showed one result of this system. Respondents expressed a general lack of trust in their relationships with online businesses. Many feelings ran strong. Here are some of the comments:

  • “Scary world out there, and I am a bit angry about the fact that all these website ‘track me’ as if that is OK, and then they sell MY data, obviously making money in the process.  How is that OK or even legal?  Don’t I control MY information?  Apparently not…”
  • “So if I think it might be ‘harmful’ to give out info, I don’t do it.”
  • “I want cookies outlawed 🙁
  • “My ex-husband was abusive and has stalked me. I don’t need to let the greedy sellers of my personal information draw him a map to my front door.”
  • “While I doubt I have any real protection of privacy, I have a desire to try to send a message that I want my right to protection of privacy. I regret how much we as a society have lost to the powers of marketing.”
  • “I don’t trust the security procedures of most companies. Security costs money, which cuts into profits, thus most companies have limited incentive to protect PII from cyber criminals.”
  • “The web is far less secure than commonly known.”
  • “Just as I have disconnected my land line because of a flood of unwanted calls, I refuse to give online/ access information for the same reason.”

These survey responses show people resort to withholding data or submitting false data to avoid feeling exposed online. When deciding whether to share personal information, the majority of respondents doubt that sites or services need to collect more than a minimum of obviously necessary personal data.

Conclusion

When people withhold personal data, it is to create a sense of privacy and control of their personal lives.

People are afraid or distrustful of sites, services and phone apps that request their personal data. They withhold or falsify information because they do not believe the sites need their data, and because they do not want to disclose information that might lead to spamming or other intrusions. Moreover, the techniques that people employ to preserve their sense of privacy online are largely improvised, informed by fear, and based on their subjective evaluation of entities that solicit personal information.

For the sake of privacy, people contribute to and tolerate the presence of incorrect personal data online, and attempt to correct it only when they see the clear upsides of accuracy. And, despite the failure of businesses and other organizations to convince users of the need to provide personal details beyond an email address, most users remain comfortable disclosing additional personal data only with those they know and trust.

Research Funding Grant

This research project was funded with a grant from CommerceNet, a not-for-profit research institute working to fulfill the potential of the Internet since 1993.

Customer Commons

Customer Commons is a not-for-profit working to restore the balance of power, respect and trust between individuals and the organizations that serve them, especially in the online world. We stand with the individual and therefore do not take contributions from commercial entities.

ADDENDUM:  Questions and Answers

Click here to see the complete questions, answers and written answers offered by people to provide additional information.


[i] Julia Anguin, “The Web’s New Gold Mine: Your Secrets” The Wall Street Journal, July 30, 2010. http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html

[ii] Doc Searls, The Intention Economy: When Customers Take Charge. (Cambridge, Massachusetts: Harvard Business Review Press, 2012). P. 28.

Join Customer Commons at our Salon on Personal Data and Identity — Ignite Style

Please come to the Customer Commons Salon, Monday, October 22  6-9pm !!

WHERE:   Singularity U at Moffett Field / NASA in Mountain View
WHAT:   Ignite sessions from 7-8pm on Personal Data and Identity projects
AGENDA:  Dinner: 6-7pm
7-8pm: Ignite talks including: Doc Searls on VRM, Jennifer Cobb on Customer Commons, Ben Adida on Persona — a Mozilla project for identity online, Salim Ismail on Big Data and Credit Reporting Agencies, Shelia Grady on Big Data and Advertising, Iain Henderson on Personal Data Stores .. and More!
8-9pm Dessert and networking
If you have a suggestion for a talk, please email me at hodder @ gmail.
Thanks and SIGN UP AT EVENTBRITE to cover your dinner:

Let’s help NBC prep for the 2014 Winter Olympics

ice crystals and olympics symbol

The 2012 Summer Olympics are almost over, but not the challenge of a world where more and more customers are looking to watch coverage — especially of the live kind — on devices other than TVs, and through connections other than cable and satellite.

This has proved hard for many cable and satellite TV customers (myself, for example.) who would also like to watch NBC’s coverage on computers, smartphones, tablets, or large screens connected directly over the Internet.

For example, in spite of NBC’s good efforts (in the form, for example, of smartphone and tablet apps), it has often proven hard for cable and satellite TV customers to authenticate with their providers, or to find what programming packages are required to obtain NBC’s coverage services for the olympics.

No doubt NBC will soon be sitting down with itself, and with its distribution partners, to discuss what they have learned over the last few weeks, and to begin preparing for the 2014 Winter Games in Sochi, Russia. Customer Commons wishes to help with that, by convening an independent forum where all of us can discuss what we’ve learned, and where customers can offer constructive help.

This will not be the place to complain, or to assume that the only parties in a position to come up with good ideas and solutions are NBC and its distribution partners. Out here in the long tail, we have plenty of good ideas too, and are willing to help any way we can. (In fact, I did that for NBC’s Winter 2010 Olympics in Vancouver, by contributing ice crystal images that appeared on screen throughout the event.) We are mindful that the goods are not free for the taking, and that improvements must be worthwhile for everybody, starting with NBC and its bottom line.

We’ll start with comments here, while we set up the forum. If the forum proves successful, we will also have a body of experience that can be leveraged in other markets where meeting demands of a fast-arriving future are daunting for everybody involved. We also invite ProjectVRM and PDE.Cc developers to come help out too. (These are developers working to solve market problems from the customer side, in cooperation with sellers.)

We have a unique opportunity here, while the olympics are still going on, to direct everybody’s interests in a positive and mutually helpful direction, a year and a half before the next olympics begin. So let’s go for it.

Privacy is personal

In the physical world, we govern privacy with clothes and walls, buttons, zippers, windows and doors. (See Clothing as a privacy system.)

We also see privacy as a thing that can be possessed. That’s the framing for statements like, “Give me some privacy, and “Don’t take away my privacy.”

On another hand (there can be many), we also see privacy as a state of being: “This is private.” “Keep this private.”

The American Heritage Dictionary defines privacy as “1. a) The quality or condition of being secluded from the presence or view of others; b) The state of being free from unsanctioned intrusion: a person’s right to privacy”; and  “2. The state of being concealed; secrecy.” The Collins English Dictionary (at that same link) adds one more: “3. (Philosophy) Philosophy the condition of being necessarily restricted to a single person.” The boldface is mine. I like that one. (And not just because I majored in philosophy, back in the decade.)

That’s the noun. To mine the derivational vein, we must also dig the adjective. Here’s American Heritage on private:

  1. a. Secluded from the sight, presence, or intrusion of others: a private hideaway; b. Designed or intended for one’s exclusive use: a private room.
  2. a. Of or confined to the individual; personal: a private joke; private opinions.private road b. Undertaken on an individual basis: private studies; private research. c. Of, relating to, or receiving special hospital services and privileges: a private patient.
  3. Not available for public use, control, or participation: a private club; a private party.
  4. a. Belonging to a particular person or persons, as opposed to the public or the government: private property. b. Of, relating to, or derived from nongovernment sources: private funding. c. Conducted and supported primarily by individuals or groups not affiliated with governmental agencies or corporations: a private college; a private sanatorium. d. Enrolled in or attending a private school: a private student.
  5. Not holding an official or public position: a private citizen.
  6. a. Not for public knowledge or disclosure; secret: private papers; a private communication. b. Not appropriate for use or display in public; intimate: private behavior; a private tragedy. c. Placing a high value on personal privacy: a private person.

Here’s what it says about deep sources for private (and also for privacy): “Middle English privat from Latin privatusnot in public life, past participle of privare, to release, deprive, from privussingle, alone… Indo-European roots.”

Thus, here in the everyday vernacular of the physical world, privacy is well understood, and has been since before we had History. But “here” now also constitutes the virtual world, where you are equally present, and reading this text right now. In the physical “here,” your privacy is provided by what you’re wearing and where you locate yourself. Your choices in the virtual “here” are not so plain and clear. Not yet, anyway. At best we can only hope that the stuff we try to keep private will stay that way. And it is best lately to hope less than you used to, because there is a large and growing business in abusing your privacy in the virtual world. That business is advertising. For that business, your privacy is a problem that can only be solved with a promise: Trust us. We not only respect your privacy, but are in business to help you. Buy stuff, that is.

Credit where due: the Internet Advertising Bureau (IAB) is deeply concerned about privacy, and requires that its members adhere to a raft of privacy principles. Here’s one: “Businesses collecting or using information about individual consumers for interactive advertising purposes should provide choice, where appropriate, to that individual. Consumers also should receive relevant education regarding cross-industry opportunities to opt out of the collection or use of individual information or other methods to exercise choice.”

However well-intended this might be, it’s a window fan blowing against the storm of wealth-creation that the “interactive” advertising business has become. On Friday, Facebook went public with a valuation exceeding $100 billion. Its business is advertising. So is Google’s, with a market cap hovering around $200 billion. The goal for both companies is to “personalize” advertising as much as possible. This requires making their machines learn all they can about you, whether you know it or not. And, for all their talk about providing choices, they’d rather you not shut out their tentacles or cover their prying eyes.

If you want to operate on the Web today, it is almost impossible to avoid either company, or the thousands of other that are in the business of knowing as much as possible about you, so that information can be sold to advertisers and their agencies. Wanting to maximize the sum and quality of information about individuals is at absolute odds with those companies’ stated commitments to privacy — as well as individuals’ own sense, based on experience in the physical world, of what privacy is and how it should work.

Did you know that, when you go to a site that has a Facebook “like” button, Facebook will know you were there, even if you don’t click on the button? Also, says Consumer Reports, “Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge.” And, adds Abine, “You know those Facebook Like and Connect buttons you see on almost every website?  They’re not just for sharing: they’re tracking devices.  Facebook buttons can track both members and non-members of Facebook, even if you never click them.  They transmit your clicks, browsing history, IP address, and more to Facebook.”

Is Facebook going to stop doing that kind of thing on their own, when they believe it’s also the very thing that makes them the most money?

Not surprisingly, Consumer Reports’ parent, Consumers Union, wants a policy solution. That is, new laws that restrict the ability of Facebook and others to, for example, track us without our permission. Meanwhile CU has also put up the HearUsNow site, as a way for individuals to demand better treatment by Facebook. The White House has also issued a Privacy Bill of Rights, which offers guidelines for lawmaking.

In his landmark book, Understanding Privacy, Raymond Solove details the many ways that privacy is nearly impossible to pin down in legal argument, much less in policy. So, while he notes in the first sentence of his first chapter, “Supreme Court Justice Louis Brandeis pronounced it ‘the most comprehensive of rights and the right most valued by civilized men,'” he later adds that “legal scholar Arthur Miller has declared that privacy is ‘difficult to define because it is exasperatingly vague and evanescent.'” Solove’s own case is that “the value of privacy must be determined on the basis of its importance to society, not in terms of individual rights.” He adds, “the value of privacy in a particular context depends on the social importance of the activities it facilitates.” The prescriptive chapters of the book are devoted to laying out a taxonomic framework for understanding privacy problems. Because, sensibly, “A lucid, comprehensive, and concrete understanding of privacy will aid the creation of law and policy to address privacy issues.”

Which is fine, if you think corporations and governments are the only actors in the marketplace with full agency. That is, with the ability to act, and to cause effects. As individuals on the Web, we don’t have that ability today. (Imagine having a website agree to your terms and conditions, rather than the reverse.) One symptom of that is the call for legislative protection, which we wouldn’t have if we had full agency. So, the thinking goes, “We can’t protect ourselves, so the government should step in.”

I’m against that, at least for now, because I don’t believe we’ve done enough to empower individuals on their own. I’d rather we work on equipping individuals to enjoy full agency, as independent and sovereign beings, in the online marketplace as well as in the offline one. Or, in other words, to break out of the calf-cow system (called “client-server”) that we’ve been stuck in since 1995. I believe the personal nature of privacy, as it has been understood plainly since the late Pleistocene, requires that.

Some of the tools are already there. Public key cryptography, for example. Link contracts in XDI. The stuff Alec Muffett starts talking about in Slide 47 of his presentation here. Same goes for much of the work being done by the ProjectVRM development community. As ordinary folk we don’t need to understand the technologies behind all that work, but it helps to know that we’re not starting from zero.

At the very least we need some perspective here, based on the fact that we have hardly begun to explore what it will take to create physical-grade privacy on the Net. And that as we do, we need to keep it personal. That’s where privacy is best understood and measured. There is also cause and effect. If you and I don’t have privacy online, society won’t either.