Alessandro Acquisti
Heinz College/CyLab, Carnegie Mellon University
K. U. Leuven - Interdisciplinary Privacy Course 2010, June 2010
Privacy, Nudges, and the Illusion of Control
Overview
1. From the economics to the behavioral economics of privacy
2. The illusion of control hypothesis
3. Soft paternalism and privacy nudges
The economics of privacy
Protection & revelation of personal data flows involve tangible and intangible trade-offs for the data subject as well as the potential data holder
However….
The need for a behavioral economics of privacy
The privacy paradox: privacy attitudes/behavior dichotomy
Hurdles which hamper (privacy) decision making
1. Incomplete information
2. Bounded rationality
3. Psychological/behavioral biases
The need for a behavioral economics of privacy
Hence, the need for a behavioral, experimental economics of privacy (as well as information security)
I.e., applying theory and methodologies from BE and BDR to the understanding of how people (and organizations) make decisions about the security or privacy of their data
... and how cognitive and behavioral biases (negatively) affect those decisions
… in order to inform policy and technology design
Randomized experiments
Randomly assigning subjects to different treatments (experimental conditions)
For instance, different versions of a survey
Numerous unobservable factors impact privacy concerns and privacy behavior
However: with large enough sample and proper randomization, underlying distributions of traits (including privacy preferences, concerns, and other factors which influence the former) are similar across conditions
Furthermore: control econometrically for other observable traits; avoid confounding effects
Testing for statistically significant differences in behavior (e.g., propensity to answer questions) as function of treatment
Although we cannot interpret micro motivations (e.g., infer who is lying or why a subject is/is not answering), we can compare aggregate behaviors
Experimental approach
Hyperbolic discounting in privacy decision making (ACM EC 04)
Herding effects in information revelation (SJDM 2009)
Over-confidence, optimism bias in online social networks (WPES 05)
Confidentiality assurances inhibit information disclosure (SJDM 07)
Individuals more likely to disclose sensitive information to unprofessional sites than professional sites (SJDM 2007)
Endowment effects in privacy valuations (WISE 2009)
[…]
Some of our experiments
E.g.: Willingness to pay to protect privacy vs. willingness to accept to give data
Mall patrons asked to participate in a study. Offered compensation in the form of gift card(s)
We manipulated trade-offs between privacy protection and value of cards
Endowed with either:
$10 Anonymous gift card. “Your name will not be linked to the transactions completed with the card, and its usage will not be tracked by the researchers.”
$12 Trackable, identified gift card. “Your name will be linked to the transactions completed with the card, and its usage will be tracked by the researchers.”
Then, asked whether they’d like to switch cards
From $10 Anonymous to $12 Trackable (WTA)
From $12 Trackable to $10 Anonymous (WTP)
WTP vs. WTA: Results
χ2(3) = 30.66, p < 0.0005
[Figure: bar chart. Y-axis: % choosing anonymous $10 card (scale 0 to 60). Conditions on the x-axis: Endowed $10 (n=71), Choice $10 vs. $12 (n=83), Choice $12 vs. $10 (n=57), Endowed $12 (n=62). Values shown: 52.1, 42.2, 26.7, 9.7.]
Overview
2. The illusion of control hypothesis (joint work with Laura Brandimarte and George Loewenstein)
Giving users more control over disclosure and publication of personal information paradoxically causes them to disclose more sensitive information and expose themselves to heightened privacy risks
Conjecture: Individuals may confound control over publication of private information with control over access/use of that information by others
Even though arguably threats to privacy derive from access to/use of available information by others!
Why? Because the act of publication is more salient than later access/use by others
The Illusion of control in information disclosure (or: the privacy control paradox)
Privacy as control
Westin, Samarajiva, Culnan, Solove, …
Normative vs. Positive interpretation
The Illusion of control in information disclosure (or: the privacy control paradox)
Hypotheses:
Higher perceived control on publication will trigger higher willingness to reveal, even when the objective risks associated with accessibility/usage do not change, or in fact increase
Lower perceived control on publication will trigger lower willingness to reveal, even when the objective risks associated with accessibility/usage do not change, or in fact decrease
Illusion of control: Henslin (1967), Langer (1975)
Hypotheses
Study 1: Reducing (perceived) control over publication of personal information
▪ Mediated vs. unmediated publication
Study 2: Reducing (perceived) control over publication of personal information
▪ Certainty vs. probability of publication
Study 3: Increasing (perceived) control over publication of personal information
▪ Explicit vs. implicit control
Three survey-based randomized experiments
Design
Subjects: CMU students recruited on campus, March 2008
Completed online survey
Justification for the survey: creation of CMU networking website
Questions focused on students’ life on and off campus
▪ Multiple choice, Yes/No, Rating and open-end questions
▪ Included quasi-identifiers + privacy intrusive and non-intrusive questions
▪ As rated by 31 subjects independently in a pre-study
Study 1
Examples of highly intrusive questions
Email address
Home address
Have you ever cheated for homework/projects/exams (e.g. copy, plagiarize)?
Examples of moderately intrusive questions
Date of birth
Do you have a girlfriend/boyfriend?
Have you ever had troubles with your roommates?
Examples of non-intrusive questions
Do you do any sport on campus?
Which courses are you taking at the moment?
How would you rate the quality of the education you are receiving?
Study 1
Manipulation: Profile automatically created vs. profile created by researcher (less control)
Control group
“No question/field is required. With the answers you provide, a profile will be automatically created for you, with no intervention by the researcher, and published on a new CMU networking website, which will only be accessible by members of the CMU community, starting from the end of April. The data will not be used in any other way.”
Treatment group
“No question/field is required. The answers you provide will be collected by the researcher, who will create a profile for you and publish it on a new CMU networking website, which will only be accessible by members of the CMU community, starting from the end of April. The data will not be used in any other way.”
Study 1
Dependent variables
Response rate (whether subject answered or not)
Admission rate (whether subject admitted to some behaviors)
Explanatory variables
Treatment
Intrusiveness
Demographics (age, gender)
Study 1
Hypothesis: Loss of control over publication should decrease willingness to disclose private information, and especially so for the most sensitive questions
It is not the publication of private information per se that disturbs people, but the fact that someone else will publish it for them
Confounding factors
Study 1
Participants: 29 subjects in control condition, 32 subjects in treatment condition
– 30 males (17 in control condition), 28 females (15 in control condition), 3 missing
– Average age: 21.8 in control group, 21 in treatment group (difference not significant)
Study 1
Figure 1: Percentage of subjects answering each question in control and treatment condition
Study 1
Table 1. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics
* indicates significance at 10% level; ** indicates significance at 5% level
            Coeff     P-value
Treatment   -.37*     .08
Intrusive   -.43**    .00
Treat_Int   -.03      .19
Age          .00      .98
Male         .08      .32
N = 61      Prob > χ2 = .000
Study 1
Treatment has hypothesized effect on
4 of the questions that were rated as highly intrusive (email, cheating at school, others cheating, informing instructor)
1 moderately intrusive question (girlfriend)
Treatment did not push subjects to admit more:
The percentage of subjects answering “No” to questions about sensitive behaviors didn’t change significantly (10% level) between the control and the treatment conditions
However, possible confounding factor: trust in researcher
Study 1
Design: Similar to Study 1
Study 2
Manipulation: Profile automatically published vs. profile published with 50% probability (less control)
Control group
“The information you provide will appear on a profile that will be automatically created for you. The profile will be published on a new CMU networking website, which will only be accessible by members of the CMU community, starting at the end of this semester. The data will not be used in any other way. NO QUESTION/FIELD REQUIRES AN ANSWER.”
Treatment group
“The information you provide will appear on a profile that will be automatically created for you. Half of the profiles created for the participants will be randomly picked to be published on a new CMU networking website, which will only be accessible by members of the CMU community, starting at the end of this semester. The data will not be used in any other way. NO QUESTION/FIELD REQUIRES AN ANSWER.”
Study 2
Figure 2: Percentage of subjects answering each question in control and treatment condition
[Figure: chart of response rates by question. Y-axis: 0.0% to 100.0%. Questions on the x-axis: First Name, Last Name, Gender, DoB, Age, PoB, Email, Address, Phone #, On FB, How long in Pitt, Like the city, Happy, Sport, Which sport, Sport on campus, Rate facilities, Group, Which group, Friends, Friends at CMU?, Friends elsewhere, Spare time, Family, See family, Married, Girlfriend, Cheated on partner, Accommodation, Roommates, Move out, Program, Courses, Cheated at school, Others cheated, Instructor, Rate program, Competitive, Hours studying, Job.]
Study 2
Table 2. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics
* indicates significance at 10% level; ** indicates significance at 5% level; *** indicates significance at 1% level
            Coeff     P-value
Treatment   -.25**    .05
Intrusive   -.64**    .00
Treat_Int   -.67**    .00
Age         -.02      .28
Male         .20*     .10
N = 132     Prob > χ2 = .000
Study 2
Possible confounding factors
Study 2 took care of one of the possible confounding factors in Study 1. However…
Subjects may reveal less because they care less, since the probability of publication is lower
▪ If that were the case, we should observe an effect on those types of questions that required effort (program, courses). No such effect
Study 2
Design
Subjects: CMU students recruited on campus, March 2010
Completed online survey
Justification for the survey: study on ethical behaviors
Ten Yes/No questions that focused on sensitive behaviors (e.g. drug use, stealing)
▪ Included demographics + privacy intrusive and non-intrusive questions
▪ As rated by 49 subjects independently in a pre-study
Study 3
• Manipulations
– Condition 1 (only implicit control)
“All answers are voluntary. By answering a question, you agree to give the researchers permission to publish your answer.”
– Condition 2 (high explicit control)
“All answers are voluntary. In order to give the researchers permission to publish your answer to a question, you will be asked to check the corresponding box in the following page.”
– Condition 3 (medium control)
“All answers are voluntary. In order to give the researchers permission to publish your answers to the questions, you will be asked to check a box in the following page.”
– Condition 4 (same as Condition 2, but the default is that answers will be published)
“All answers are voluntary. In order to prevent the researchers from publishing your answer to a question, you will be asked to check the corresponding box in the following page.”
– Condition 5 (some control + extra demographics)
“All answers are voluntary. In order to give the researchers permission to publish your answers to the questions, you will be asked to check a box in the following page. Please notice that the answers to the demographic questions that you provided in the previous page will NOT be published without your explicit agreement: you will be asked permission to publish those answers separately.”
Study 3
Study 3
Table 3. RE Probit coefficients of panel regression of response rate on treatment with dummy for most intrusive questions, interaction and demographics
* indicates significance at 10% level; ** indicates significance at 5% level
Comparing conditions: | 1 and 2 | 1 and 3 | 1 and 4 | 1 and 5
Treatment | 1.51** (.000) | 1.92** (.000) | 1.52** (.000) | .91** (.000)
Intrusive | -.85** (.000) | -.85** (.000) | -.85** (.000) | -.84** (.000)
Treat_Int | .59* (.071) | -1.21** (.002) | .44 (.177) | -.08 (.741)
Age | .01 (.753) | .03 (.521) | .003 (.942) | .05 (.158)
Male | .10 (.653) | -.11 (.593) | -.08 (.684) | -.03 (.861)
N | 69 | 65 | 68 | 66
Prob > χ2 | .000 | .000 | .000 | .000
Study 3
The coefficient on Treatment is always positive and significant: providing subjects with control over information publication increases their willingness to answer a question (results are similar if we only consider answers that subjects were willing to publish)
The coefficient on the interaction is only significant when comparing condition 1 with condition 2
The negative coefficient on the interaction in condition 3 may be due to the very nature of the treatment: makes publication of very sensitive information more salient, but does not allow the prohibition of the publication of specific questions
Adding a dummy variable for the provision of an email address, which should have made subjects feel more identifiable, doesn’t affect our results
Study 3
Our results suggest the following:
Control over publication leads to more revelation of private info
This effect is stronger for privacy intrusive questions
Summarizing the results
People seem to care more for control over publication of private information than for control over access and use of that information
When someone other than themselves is responsible for the publication, or when the publication itself becomes uncertain – which reduces the probability of access/use by others – people refrain from disclosing
Results call into question OSNs’ arguments that privacy is protected by providing more control to members
Giving more control to users over information publication seems to generate higher willingness to disclose sensitive information
Implications
Nudging users towards privacy
Our research highlights cognitive and behavioral biases that make it difficult for users to make the “right” privacy (and security) decision
However, those results can also be used for “soft,” or asymmetric, paternalistic solutions:
Designing systems to “nudge” individuals, by anticipating – or even exploiting – the very fallacies and biases that research has uncovered; tweaking their incentives, without diminishing users’ freedom (IEEE S&P 2009)
Soft vs. strong paternalism vs. usability
Consider online social networks users who post dates of birth online
Imagine that a study shows some risks associated with revealing DOBs (e.g., SSN predictions)
Strong paternalistic solution: ban public provision of dates of birth in online profiles
“Usability” solution: design a system to make it intuitive/easy to change DOB visibility settings
Soft paternalistic solution?
Nudging privacy through soft paternalism: some examples
Saliency of information
Provide context to aid the user’s decision - such as visually representing how many other users (or types of users) may be able to access that information
Default settings
By default, DOBs not visible, unless settings are modified by user
Hyperbolic discounting
Predict and show immediately SSN based on information provided
… and so forth
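An added example, not part of the original slides: a sketch of the default-settings and saliency nudges listed above, where date of birth starts hidden and the user is shown who would gain access before a visibility change is committed. The visibility level names, the Profile class and the sample friend graph are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Visibility levels from most to least restrictive (hypothetical names).
LEVELS = ("only_me", "friends", "friends_of_friends", "network")

# Constructed sample graph (user -> friends); not data from the studies.
FRIENDS = {
    "alice": {"bob", "carol"}, "bob": {"alice", "dave"},
    "carol": {"alice", "erin"}, "dave": {"bob"},
    "erin": {"carol"}, "frank": set(),
}

@dataclass
class Profile:
    owner: str
    # Default-settings nudge: date of birth starts hidden; sharing is opt-in.
    visibility: dict = field(default_factory=lambda: {"dob": "only_me"})

def audience(owner, level, graph=FRIENDS):
    """Return the set of other users who could read a field at this level."""
    if level not in LEVELS:
        raise ValueError(f"unknown visibility level: {level}")
    if level == "only_me":
        return set()
    friends = set(graph.get(owner, ()))
    if level == "friends":
        return friends
    if level == "friends_of_friends":
        reach = set(friends)
        for friend in friends:
            reach |= graph.get(friend, set())
        reach.discard(owner)
        return reach
    return set(graph) - {owner}  # "network": every other member

def preview_change(profile, name, new_level, graph=FRIENDS):
    """Saliency nudge: describe who gains access, without applying the change."""
    old = audience(profile.owner, profile.visibility.get(name, "only_me"), graph)
    new = audience(profile.owner, new_level, graph)
    return {"readers": len(new), "newly_exposed": sorted(new - old)}

def apply_change(profile, name, new_level):
    """Commit the setting once the user has seen the preview."""
    if new_level not in LEVELS:
        raise ValueError(f"unknown visibility level: {new_level}")
    profile.visibility[name] = new_level
```

The preview reports access by others rather than the act of publication, which is the distinction the illusion-of-control studies found users tend to overlook.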
For more info
Google: economics privacy
Visit:
http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm
Email: [email protected]
Backup Slides
Experimental condition | Number of subjects | Average age | % Male | Average response rate (%) | Subjects providing email (%) | Subjects answering all questions | Subjects publishing all questions | Subjects publishing no question
1 | 33 | 22.03 | 45.4 | 60.6 | 78.8 | 5 (15.1%) | - | -
2 | 36 | 22.11 | 50.0 | 96.1 | 80.5 | 28 (75.0%) | 10 (27.8%) | 10 (27.8%)
3 | 32 | 21.87 | 46.9 | 84.4 | 81.2 | 12 (37.5%) | 32 (100%) | -
4 | 35 | 21.80 | 48.6 | 96.0 | 80.0 | 26 (74.3%) | 19 (54.3%) | 0 (0%)
5 | 33 | 22.09 | 54.5 | 83.3 | 87.9 | 13 (39.4%) | 33 (100%) | -
Total | 169 | 21.98 | 49.1 | 86.0 | 81.6 | 83 (49.1%) | 94 (69.1%) |
Descriptive statistics and qualitative results
Study 3