Privacy and Control

OFF THE WIRE
Privacy and Control

In January, Facebook Chief Executive Mark Zuckerberg declared the age of privacy to be over. A month earlier, Google Chief Eric Schmidt expressed a similar sentiment. Add Scott McNealy's and Larry Ellison's comments from a few years earlier, and you've got a whole lot of tech CEOs proclaiming the death of privacy -- especially when it comes to young people.

It's just not true. People, including the younger generation, still care about privacy. Yes, they're far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They're not technically sophisticated about privacy and make mistakes all the time, but that's mostly the fault of companies and Web sites that try to manipulate them for financial gain.

To the older generation, privacy is about secrecy. And, as the Supreme Court said, once something is no longer secret, it's no longer private. But that's not how privacy works, and it's not how the younger generation thinks about it. Privacy is about control. When your health records are sold to a pharmaceutical company without your permission; when a social-networking site changes your privacy settings to make what used to be visible only to your friends visible to everyone; when the NSA eavesdrops on everyone's e-mail conversations -- your loss of control over that information is the issue. We may not mind sharing our personal lives and thoughts, but we want to control how, where and with whom. A privacy failure is a control failure.

People's relationship with privacy is socially complicated. Salience matters: People are more likely to protect their privacy if they're thinking about it, and less likely to if they're thinking about something else. Social-networking sites know this, constantly reminding people about how much fun it is to share photos and comments and conversations while downplaying the privacy risks. Some sites go even further, deliberately hiding information about how little control -- and privacy -- users have over their data. We all give up our privacy when we're not thinking about it.

Group behavior matters; we're more likely to expose personal information when our peers are doing it. We object more to losing privacy than we value its return once it's gone. Even if we don't have control over our data, an illusion of control reassures us. And we are poor judges of risk. All sorts of academic research backs up these findings.

Here's the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users' information. Whether through targeted advertising, cross-selling or simply convincing their users to spend more time on their site and sign up their friends, more information shared in more ways, more publicly means more profits. This means these companies are motivated to continually ratchet down the privacy of their services, while at the same time pronouncing privacy erosions as inevitable and giving users the illusion of control.

You can see these forces in play with Google's launch of Buzz. Buzz is a Twitter-like chatting service, and when Google launched it in February, the defaults were set so people would follow the people they corresponded with frequently in Gmail, with the list publicly available. Yes, users could change these options, but -- and Google knew this -- changing options is hard and most people accept the defaults, especially when they're trying out something new. People were upset that their previously private e-mail contacts list was suddenly public. A Federal Trade Commission commissioner even threatened penalties. And though Google changed its defaults, resentment remained.

Facebook tried a similar control grab when it changed people's default privacy settings last December to make them more public. While users could, in theory, keep their previous settings, it took an effort. Many people just wanted to chat with their friends and clicked through the new defaults without realizing it.

Facebook has a history of this sort of thing. In 2006 it introduced News Feeds, which changed the way people viewed information about their friends. There was no true privacy change in that users could not see more information than before; the change was in control -- or arguably, just in the illusion of control. Still, there was a large uproar. And Facebook is doing it again; last month, the company announced new privacy changes that will make it easier for it to collect location data on users and sell that data to third parties.

With all this privacy erosion, those CEOs may actually be right -- but only because they're working to kill privacy. On the Internet, our privacy options are limited to the options those companies give us and how easy they are to find. We have Gmail and Facebook accounts because that's where we socialize these days, and it's hard -- especially for the younger generation -- to opt out. As long as privacy isn't salient, and as long as these companies are allowed to forcibly change social norms by limiting options, people will increasingly get used to less and less privacy. There's no malice on anyone's part here; it's just market forces in action. If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy by giving people control over their personal data is the only solution.

This essay originally appeared on Forbes.com.
http://www.forbes.com/2010/04/05/google-facebook-twitter-technology-security-10-privacy.html or http://tinyurl.com/yb3qkj7

Zuckerberg on privacy:
http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy

Schmidt on privacy:
http://gawker.com/5419271/google-ceo-secrets-are-for-filthy-people

McNealy on privacy:
http://www.wired.com/politics/law/news/1999/01/17538

Ellison on privacy:
http://www.businessweek.com/bwdaily/dnflash/oct2001/nf2001104_7412.htm

Danah Boyd on privacy and younger people:
http://www.danah.org/papers/talks/2010/SXSW2010.html

The Supreme Court on privacy and secrecy:
http://www.rbs2.com/privacy.htm

Privacy and salience:
http://www.computer.org/cms/Computer.org/ComputingNow/homepage/2009/1209/W_SP_NudgingPrivacy.pdf or http://tinyurl.com/yfm4jh9

Social networking sites downplaying privacy concerns:
http://www.schneier.com/essay-278.html

Sites that make misleading privacy claims:
http://www.schneier.com/essay-276.html

Humans are a poor judge of risk:
http://www.schneier.com/essay-162.html

Academic research on how people make privacy decisions:
http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

Google's Buzz:
http://news.cnet.com/8301-31322_3-10451428-256.html
http://www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2 or http://tinyurl.com/ydqq8ql
http://finapps.forbes.com/finapps/jsp/finance/compinfo/CIAtAGlance.jsp?tkr=GOOG or http://tinyurl.com/fuoxw
http://www.lightbluetouchpaper.org/2010/02/12/whats-the-buzz-about-studying-user-reactions/ or http://tinyurl.com/yh8weef
http://www.computerworld.com/s/article/9172079/FTC_member_rips_privacy_efforts_by_Google_Facebook or http://tinyurl.com/y8szb2j

Facebook's privacy problems:
http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly or http://tinyurl.com/yffmwmn

Facebook News Feeds:
http://blog.facebook.com/blog.php?post=2207967130
http://www.facebook.com/group.php?gid=2208288769

Facebook's latest privacy changes:
http://blog.facebook.com/blog.php?post=376904492130

The value of privacy:
http://www.schneier.com/essay-114.html

Privacy legislation:
http://www.schneier.com/blog/archives/2006/02/a_model_regime.html

Google responds:
http://www.forbes.com/2010/04/12/privacy-facebook-gmail-technology-security-google.html or http://tinyurl.com/ydvwpva

Another essay on the topic:
http://www.secureconsulting.net/2009/05/the_new_school_of_privacy.html
__._,_.___