Privacy Surveys Privacy Surveys Week 12 - April 6, 8 1 Privacy - - PowerPoint PPT Presentation

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

1

Privacy Surveys Privacy Surveys

Week 12 - April 6, 8

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

2

Current events Current events

nGmail

´Good, bad, or ugly… what do you think? ´Ads are customized based on content of email, but no human ever reads the email … are privacy concerns satisfied?

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

3

GPS GPS

nClarifying a misconception… nGPS is a one-way system

´GPS receivers listen for radio beacons and triangulate their position ´If receivers are to report their location back they must use another system, for example cellular phone network

nGPS does not work indoors

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

4

Privacy Surveys - Questions to Ask Privacy Surveys - Questions to Ask

nWho conducted the survey and why? nWhat population was sampled and how?

´What is this sample representative of?

nWhen was this study done?

´Are there more recent studies? ´Are results still applicable today?

nHow was this study done? nHow are the results being spun?

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

5

The role of surveys in public policy The role of surveys in public policy

nSurvey respondents may be

´Misinformed ´Confused ´Not randomly sampled ´Non-expert ´Unaware of alternatives, impacts, etc… ´Biased

nBut then again, so might other sources of information that feed into policy process

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

6

Beyond Concern Beyond Concern

nStudy by Cranor, Ackerman, and Reagle, 1999

´http://www.research.att.com/projects/ privacystudy/

nMotivation: Design better P3P user agent

´What data elements are users most sensitive about? ´What aspects of privacy policies do users care most about? ´Would users like data to be transferred automatically?

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

7

Privacy surveys Privacy surveys

nMany surveys show high levels of concern about privacy, BUT “Despite this wide range of interests in privacy as a topic, we have little idea of the ways in which people in their ordinary lives conceive of privacy and their reactions to the collection and use of personal information” (Hine and Eve 1998).

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

8

Design for a new survey Design for a new survey

nHow people respond to situations in which personal info is collected online nSensitivity to particular privacy practices nGeneral attitudes and demographics

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

9

Methodology & sample Methodology & sample

nInvitations to complete a Web-based survey emailed to 1,500 DRI Family Panel members n523 surveys completed - 381 US respondents nOur US sample differed from nationally representative sample:

´More educated ´More Internet experience ´More concerned about Internet privacy issues

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

10

Clusters Clusters

nPrivacy fundamentalists (17%)

´extremely concerned about any use of data

nPragmatic majority (56%)

´often had specific concerns and tactics for addressing them

nMarginally concerned (27%)

´willing to provide data under most circumstances, but had mild general concern and some specific concerns

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

11

Users prefer to be anonymous Users prefer to be anonymous

nIn two scenarios, respondents were more likely to provide information when they were not identified

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

12

82% 80% 76% 69% 63% 54% 44% 18% 17% 11% 3% 1% 52% 50% 16% 14% 28% 9% 6% 4% 1% 0%

0% 20% 40% 60% 80% 100%

Favorite TV show Favorite snack Email address Age Computer info Full name Postal address Medical info Income Phone number Credit card # Social security #

Comfort level for child Comfort level for self

N/A N/A

Data sensitivity varies Data sensitivity varies

Respondents who are always or usually comfortable providing information

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

13

Many factors important Many factors important

68% 69% 72% 80% 93% 92% 87% 95% 97% 95% 29% 39% 50% 62% 65% 70% 71% 73% 77% 82% 22% 24% 35% 52% 51% 59% 76% 68% 59% 68%

0% 20% 40% 60% 80% 100%

disclosure of data retention policy privacy seal of approval privacy policy site run by trusted company access to stored information kind of information mailing list removal upon request purpose of information collection identifiable use sharing of information

Marginally concerned Pragmatic majority Privacy fundamentalis ts

Respondents who consider factor very important

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

14

Acceptance of persistent IDs Acceptance of persistent IDs

96% 90% 77% 80% 55% 37% 43% 27% 14%

0% 20% 40% 60% 80% 100%

for customized service for customized advertising for customized advertising across many Web sites

Marginally concerned Pragmatic majority Privacy fundamentalists

Respondents who would probably or definitely agree to a site assigning persistent identifier

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

15

Dislike of auto data transfer Dislike of auto data transfer

61% 51% 39% 14% 6%

0% 10% 20% 30% 40% 50% 60% 70%

"Auto-fill" button for filling in form fields - user intervention required to submit form Automatic "auto- fill" - no button click required to fill form, user intervention required to submit form Automatic transfer of data already provided back to site on return visit Automatic data transfer to sites with acceptable privacy policies - accompanied by notice to user Automatic data transfer to sites with acceptable privacy policies

Respondents who would use proposed browser features

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

16

Technical implications Technical implications

nExtremely simplified interfaces might work for some users but most will need more sophisticated interfaces nAutomatic data transfer unlikely to be of interest nNeed for different views of information (treat phone number different from postal address)

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

17

Policy & business implications Policy & business implications

nNeed flexibility nNeed trust-enhancement approach nExpressed concerns can help policy- makers prioritize nBUT don’t make policy based solely on survey results

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

18

Privacy Bird User Survey Privacy Bird User Survey

n Cranor, Guduru, Arjula 2002

´http://lorrie.cranor.org/pubs/wpes02/

n About 20,000 downloads in first six months of public beta trial n Users asked whether they were willing to participate in survey when they downloaded software n We randomly selected 2000 email addresses from those willing to participate in surveys and sent invitation to fill out online 35-question questionnaire n 17% response rate

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

19

Demographics and Internet use Demographics and Internet use

n Compared to random sample surveys of Internet users,

• ur sample was older, more predominantly male, better

educated, and had more Internet experience n Most of our respondents from English speaking countries – 70% from US, 14% from Australia, 6% from Canada n US respondents had more Internet experience than other respondents and were more likely to have made purchases from web sites n Are our skewed survey respondent demographics representative of Privacy Bird users? n Are our demographics similar to demographics of users

• f other privacy software?

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

20

Attitudes about privacy Attitudes about privacy

n 34% never heard of P3P (you don’t have to know about P3P to use Privacy Bird!) n 21% identified as “P3P experts” n Most never or occasionally read privacy policies before installing Privacy Bird (similar to what other surveys found) n Level of privacy concern similar to other studies n Our respondents appear more knowledgeable and concerned about cookies than typical Internet users n Our respondents are not very knowledgeable about third-party cookies – 18% never heard of them, 41% heard of them but don’t really know what they are n P3P experts more knowledgeable about third-party cookies and less concerned about cookies

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

21

General evaluation of Privacy Bird General evaluation of Privacy Bird

n Beta had some installation and stability problems that showed up on

• nly some systems

n Frequent criticism: too many yellow birds!

´ In August 2002, E& Y reported 24% of to 100 domains visited by US Internet users were P3P enabled

n Average usefulness on 5 point scale (5=very useful)

´ Today: 2.9 ´ If most web sites P3P-enabled: 4.0 ´ If Privacy Bird could block cookies at sites with red bird: 4.1

n Women and non-US respondents found Privacy Bird most useful and more likely to recommend to a friend n Average ease-of-use on 5 point scale (5=very easy)

´ Installation: 4.6 ´ Changing privacy settings: 3.9 ´ Understanding policy summary: 3.3

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

22

Policy summary Policy summary

n Amount of information in policy summary

´ Right amount: 64% ´ Too much: 15% ´ Not enough: 20%

n No specific suggestions about what additional information to include n How often did you look at policy summary?

´ Never: 15% ´ Once or twice: 34% ´ Several times: 36% ´ Ten or more times: 15%

n Focus of future work should be on wording of policy summary to make it easier to understand

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

23

Privacy settings Privacy settings

nHow often did you change your privacy settings?

´Never: 25% ´Once or twice: 52% ´Several times: 21% ´Ten or more times: 2%

nP3P experts changed their settings more frequently nA few comments that people did not fully understand what all the choices mean

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

24

Icon and sounds Icon and sounds

nWhat sound setting did you use?

´Play sounds at all web sites: 19% ´Play sounds with certain birds: 37% ´No sounds: 45% “Oh, how we love the squawking red crow” “I was driven almost to a state of collapse, I used to jump when I heard the same bird call in my yard”

nSome complaints about location of bird in title bar

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

25

Impact on online behavior Impact on online behavior

n 88% of respondents indicated some change in

• nline behavior as a result of using Privacy Bird

´Fill out fewer online forms: 37% ´Take advantage of opt-outs: 37% ´Stopped visiting some web sites: 29% ´Comparing privacy policies at similar sites and frequenting sites with better policies: 18% “Basically, I use Privacy Bird like a warning light. Whenever it’s red I treat the website as hostile and am extra careful about the information I provide and activities I perform there” “I told one mutual fund web site about Privacy Bird’s findings, and they improed their pages because of it!”

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

26

Respondents who read privacy policies Respondents who read privacy policies

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

1 2 3 4 5 6

Before installing Privacy Bird After installing Privacy Bird

Never Occasionally At most sites where I see a red bird At most sites where I see a red bird AND I was considering providing personal information At most sites where I was considering providing personal information At most or all web sites I visited

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

27

Impact on online purchasing Impact on online purchasing

n If you could find out before making an online purchase which of the websites that had the item you wanted had the best privacy policy, would you be likely to purchase the item form the site with the best privacy policy?

´Almost always purchase from site with best privacy policy: 33% ´Probably purchase from site with best privacy policy as long as price and services similar to other sites: 54% ´Always purchase from site with best price: 6% ´Do not plan to make online purchases: 7%

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

28

Discussion Discussion

n More work needed to study how people use privacy software and determine how to make privacy concepts accessible to end users n Women and people outside the US like Privacy Bird best, but they represent minority of our users n Policy summary is aspect of UI most in need of improvement – providing short and long views may help n Privacy software has potential as educational tool n Usefulness of P3P software limited until more sites adopt P3P n Search engines and comparison shopping services that use privacy policy as a criteria would be useful

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

29

CMU Privacy Policy Drafts CMU Privacy Policy Drafts

nhttp://lorrie.cranor.org/courses/sp04/ policy-drafts.html

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

30

Your project presentations Your project presentations

n April 29, May 7

´Everyone is expected to attend both days

n 8-10 minute presentation, followed by discussion n Present an overview of your project

´Use visual aids ´Organize your presentation ´Practice ´Be prepared to answer questions ´You will be graded on your presentation skills!

n Your project reports are due April 29 (regardless

• f which day you present)

Privacy Policy, Law and Technology • Carnegie Mellon University • Spring 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/sp04/

31

Sign up Sign up

n April 29

´1. ´2. ´3.Christina ´4.

n May 7

´1.Candice ´2.Bella ´3.Ben ´4.Indrani ´5. ´6. ´7.