Privacy Paradox 2.0

As a starting point, this essay offers six basic propositions. First, the \u27privacy paradox\u27 refers to inconsistencies between individuals\u27 [asserted] intentions to disclose personal information and [individuals\u27] actual ... disclosure behaviors. Put simply, we indicate-at a granular level-specific items of personal information that we will not disclose, but we then give away that same data with what appears to be little regard for the risks of doing so and for little in return. Second, the privacy paradox is a wellestablished concept in many fields of the social sciences, even though the precise contours and causes of the paradox are quite controversial. Third, broadly speaking, legal scholarship has failed to adequately consider either the various conceptions of the privacy paradox set forth in other fields of scholarship or the import of these conceptions to what may be intended or perceived as more normative legal works. Fourth, this failure creates a significant gap in what might be termed relevance, credibility, or practical effect, marginalizing the impact of legal scholarship in the formation of privacy policy. Fifth, this space in the sphere of influence elevates the role of fields that are traditionally less concerned with the core privacy values of personhood, autonomy, and control-inter alia, economics, contract law, marketing theory, and computer science. Sixth, the emergence of social network sites both alters the conditions of the privacy paradox and intensifies the rate and depth of uncontrolled disclosure, further marginalizing legal scholarship that fails to seriously consider the role of the law in privacy policy. Focusing on this final point, the goal of this essay is to describe both the current market in personal information and the privacy paradox as a product of market distortion. Part I identifies two unique phenomena that modify the conditions of the privacy paradox by creating new and powerful distortions in the market, thereby intensifying the rate and depth of personal data disclosure. The first is a transformation in social organization, which drives individuals to join social network sites and to disclose a great deal of personal information on those networks. The second is an alteration of the basic structure of the information exchange agreement that permits social networking sites to recede into the background as third-party beneficiaries to the social exchange of personal information. Part II addresses the necessity to account for the effect of these phenomena in the formation of privacy policies by briefly addressing various proposals for regulating the collection, storage, use, and transfer of personal information. This section argues that many of these proposals are misguided, either because they under-protect personal information by failing to adequately address the problems of valuation and consent or because they overprotect personal information by failing to adequately preserve functionality in socially valuable communications platforms. Part III attempts to briefly conceptualize the broad outline of a more workable solution that, rather than reforming the current notice-and-choice system of privacy protection, is guided by user expectations in imposing minimal restraints on the margins of data collection, storage, use, and transfer practices. Although a solution would impose certain boundaries on the scope of consent, significant space would remain for the negotiation and development of social norms around privacy practices

Privacy Paradox 2.0

As a starting point, this essay offers six basic propositions. First, the \u27privacy paradox\u27 refers to inconsistencies between individuals\u27 [asserted] intentions to disclose personal information and [individuals\u27] actual ... disclosure behaviors. Put simply, we indicate-at a granular level-specific items of personal information that we will not disclose, but we then give away that same data with what appears to be little regard for the risks of doing so and for little in return. Second, the privacy paradox is a wellestablished concept in many fields of the social sciences, even though the precise contours and causes of the paradox are quite controversial. Third, broadly speaking, legal scholarship has failed to adequately consider either the various conceptions of the privacy paradox set forth in other fields of scholarship or the import of these conceptions to what may be intended or perceived as more normative legal works. Fourth, this failure creates a significant gap in what might be termed relevance, credibility, or practical effect, marginalizing the impact of legal scholarship in the formation of privacy policy. Fifth, this space in the sphere of influence elevates the role of fields that are traditionally less concerned with the core privacy values of personhood, autonomy, and control-inter alia, economics, contract law, marketing theory, and computer science. Sixth, the emergence of social network sites both alters the conditions of the privacy paradox and intensifies the rate and depth of uncontrolled disclosure, further marginalizing legal scholarship that fails to seriously consider the role of the law in privacy policy. Focusing on this final point, the goal of this essay is to describe both the current market in personal information and the privacy paradox as a product of market distortion. Part I identifies two unique phenomena that modify the conditions of the privacy paradox by creating new and powerful distortions in the market, thereby intensifying the rate and depth of personal data disclosure. The first is a transformation in social organization, which drives individuals to join social network sites and to disclose a great deal of personal information on those networks. The second is an alteration of the basic structure of the information exchange agreement that permits social networking sites to recede into the background as third-party beneficiaries to the social exchange of personal information. Part II addresses the necessity to account for the effect of these phenomena in the formation of privacy policies by briefly addressing various proposals for regulating the collection, storage, use, and transfer of personal information. This section argues that many of these proposals are misguided, either because they under-protect personal information by failing to adequately address the problems of valuation and consent or because they overprotect personal information by failing to adequately preserve functionality in socially valuable communications platforms. Part III attempts to briefly conceptualize the broad outline of a more workable solution that, rather than reforming the current notice-and-choice system of privacy protection, is guided by user expectations in imposing minimal restraints on the margins of data collection, storage, use, and transfer practices. Although a solution would impose certain boundaries on the scope of consent, significant space would remain for the negotiation and development of social norms around privacy practices

Fiduciary Boilerplate: Locating Fiduciary Relationships in Information Age Consumer Transactions

The result of applying general contract principles to consumer boilerplate has been a mass transfer of unrestricted rights to use and sell personal information from consumers to companies. This has enriched companies and enhanced their ability to manipulate consumers. It has also contributed to the modern data insecurity crisis. Information age consumer transactions should create fiduciary relationships between firm and consumer as a matter of law. Recognizing this fiduciary relationship at law honors the existence of consumer agreements while also putting adaptable, contextsensitive limits on opportunistic behavior by firms. In a world of ubiquitous, interconnected, and mutable contracts, consumers must trust the companies with which they transact not to expose them to economic exploitation and undue security risks: the very essence of a fiduciary relationship. Firms owe fiduciary duties of loyalty and care to their customers that cannot be displaced by assent to boilerplate. History, doctrine, and pragmatism all support this positio

Policy Notice Readership on the Web

Both privacy policies and end-user licensing agreements (EULAs) are ubiquitous in today's computing environment. Users are frequently prompted to agree to privacy policies and EULAs, and often do so without even looking at them. This is in seemingly direct contradiction to the documented concern consumers feel regarding the capture, storage and handling of their personal information by websites and mobile applications. This study explores why users may choose to disregard the single document that describes the level of privacy they can expect from websites and software companies. In particular, the interface, by which these policies are communicated to the user, is addressed, as previous research has noted its many deficiencies. The survey results indicate that users have a desire for increased control over their own personal information and that barriers, such as long blocks of legal text, should be addressed in order to increase policy notice readership on the web.Master of Science in Information Scienc

Desperately seeking assurances: segmenting users by their information-seeking preferences: A Q methodology study of users’ ranking of privacy, security & trust cues

Users of technology services try to evaluate the risks of disclosing personal information in light of the benefits they believe they will receive. However, because of cognitive, time or other constraints, users concentrate on minimizing the uncertainties of disclosure – reducing their level of privacy concern – by using a limited set of information cues. We suggest an individual’s information-seeking behavior is focused on those cues which are important to them. Q methodology was used to determine if users of technology services can be segmented, based on the type of information cues they consider important – many of which are related to technology services’ privacy behavior. The study consisted of 58 participants split into two cohorts, who rank-ordered 40 statements describing the attributes of a technology service. In our study, 69% of participants loaded significantly into only one of five groups: 1) Information Controllers; 2) Security Concerned; 3) Benefits Seekers; 4) Crowd Followers; and 5) Organizational Assurance Seekers. Only 12% of participants did not load significantly into any of the five groups. Our findings assist practitioners in understanding how their privacy behavior (e.g. repurposing information) and privacy-sensitive technology design (e.g. providing feedback and control mechanisms) could encourage or discourage the adoption of technology services by different types of users. We argue the user segmentation identified by this study can inform the construction of more holistic privacy persona

Digital privacy and new media: an empirical study assessing the impact of privacy seals on personal information disclosure.

Advances in technology have facilitated the rapid growth of a global new media industry. Many new media firms rely heavily on networked technologies to enable a primary income driver based on advertising revenues. This has attracted criticisms from privacy campaigners who argue that elements of the way some of these firms operate constitute an invasion of user’s privacy. Early economic approaches to privacy are primarily informed by the rational choice theory and viewed individuals as utility maximizers when making decisions involving personal information disclosure. Theoretical approaches have since developed to account for factors explored by bounded rationality and behavioural economics where individuals engage in complex trade-offs when making privacy disclosure decisions. Both EU and US regulators believe rapid technological advances have rendered existing regulatory provisions inadequate. In the EU, the 2018 General Data Protection Regulation (GDPR) set out to improve ‘information transparency’ and give individuals to exercise greater ‘control’ over their personal data. The regulation set out provisions for the establishment of a privacy seal accreditation scheme. There is little empirical evidence to demonstrate that the use of privacy seals is privacy enhancing. Existing research reveals inconsistent and at times counter-intuitive findings. This research conducted online experimental research to establish if a causal link exists between the presence of a privacy seals and personal information disclose. Experiment results show that contrary to previous research in this area, the presence of privacy seals does not result in lower personal information disclosure. Survey findings also show that the GDPR has failed to expand ‘sensitive’ categories of data in line with both EU and US data subjects expectations. This research makes a number of original contributions to knowledge. Information disclosure is examined in relation to sensitive data categories as defined in the GDPR. Using commercially available privacy seals, it adds to the existing body of literature on the impact of iconography on user behaviour. The findings suggest there is an opportunity for new media firms to use independently accredited privacy seals as a differentiator in this industry sector

State-of-the-Art of the Economics of Cyber-Security and Privacy

This document is an overview of the state-of-the-art in the economics of Privacy and Cyber-security (PACS). It is the Deliverable D4.1 under the FP7-financed project \u201cInnovation Framework for Privacy and Cyber-security Market Opportunities.\u201d This is the most comprehensive overview on the economics of PACS to date. This document is intended for a diverse readership. Policymakers may use it in order to obtain an overview of the most recent research and insights that can be derived on the effectiveness of specific policy measures (such as data breach notifications). Researchers can use it as introductory reading and to obtain an overview of the field. Innovators and entrepreneurs may use this report to obtain a better understanding of the market they are operating in. It is stated that Privacy and Cyber-security markets differ from bricks-and-mortar markets because of the immateriality of the products and services provided and because of amplified network externalities that exist in these markets. These can lead to inefficiencies in terms of social welfare, misleading price signals or even market breakdown. The first chapter of this report introduces the reader to the basic concepts of economics, economic incentives and incentivization as well as to decision-making in the cyber-security domain. It covers proactive and reactive investment strategies, components of the cost/benefits of PACS investments and the security returns on investment model. The diverse field of cyber-economics is then mapped by sorting the research works into 5 areas: (1) game-theoretical approaches to cyber-security; (2) Experimental and psychological research; (3) Victim studies; (4) Methodological Advances; and (5) Other research. One of the most important parts of the document is the discussion of market failures in cyber-security markets and problems such as information asymmetries, networks externalities, public goods, interdependent security and natural monopoly cost structures. In the chapter on the economics of privacy, basic concepts are discussed such as the different types of transactions that exist. The literatures in this field are sorted into the following categories: (1) Empirical works (laboratory experiments and surveys); (2) Hypothetical scenarios; (3) Field experiments (including survey-based experiments); and other research (including methodological advances). Market failure problems are also discussed for markets for personal data products/services and privacy products/services. Other topics covered in that chapter span from the challenges of privacy preference measurement to the development of privacy metrics. Moreover, attention is also devoted to the monetization of privacy and the economic value of personal data with different methods to obtain estimates of valuations. The conclusion from these sections is that it is a great challenge if not impossible to obtain an unbiased and exact estimate of the valuation of personal data. Much more effort needs to be invested in developing robust market mechanisms, where data subjects can actively participate. The report further covers policy-instruments and incentive schemes in the area of PACS, ranging from mandatory to voluntary instruments. Finally, the report concludes with an overview of research challenges for further work and for the future H2020 agenda

April 13, 1989

The Breeze is the student newspaper of James Madison University in Harrisonburg, Virginia