It only looks like a paradox

Reports say we care a lot about our personal data privacy but do almost nothing about it. This was described as a paradox… but is it?

I don’t think so.


An Axios story on the “paradox” of privacy caught my interest this morning. The paradox that Kim Hart illustrates there is that, even though studies show that people are very concerned about their online privacy, very few people actually do anything about it.

The article cites a PricewaterhouseCoopers report which notes that 85% of consumers will not do business with a company if they have concerns about its security practices, and that 92% think companies should be proactive about data protection (p.3); it then pairs that with an IBM survey finding that fewer than half of consumers have updated privacy settings, and only 16% have stopped doing business with a company due to its misuse of data.

Another apparent contradiction in the PwC report is that 72% of consumers think that businesses, and not government, should protect privacy (p.2). I think the paradox, then, is here: does all of this mean that people don’t trust Silicon Valley to protect their privacy and won’t take personal action to protect themselves, but still think that Silicon Valley will magically learn to keep their privacy intact and data secure?

I do not see a true paradox (a logically unacceptable condition) in these contradictions because I think calling it a paradox is an oversimplification. A few of my thoughts on added complexity are that the problem is fraught with a lack of awareness, confusion about value, and a paucity of alternatives. A tangential reaction, about the inability of high-tech to self-regulate, may become evident once these other ideas have been illustrated.

Limited awareness may be the most obvious explanation for apparent inaction on the topic of personal privacy. Online services and connected technology vendors publish privacy policies [Shoshana Zuboff prefers the term “surveillance policies”], but people don’t read them. By corollary, then: although most people do not want their personal data to be collected and used, they are not fully aware of how online services and connected devices are collecting and using their personal data.

This is not a personal failure. A ten-year-old study [see p.562-64] estimated that it would take a United States resident 244 hours per year to read all of the privacy policies associated with their services and devices; a recent analysis of the Nest thermostat’s terms of use and privacy statements [in section 4] showed that reading them all would require starting with 13 separate documents and then, by tracing all of the third-party relationships and connections to other organizations, demand additional inspection of up to a thousand documents overall.

The truth is that most companies, operating within the leaky bounds of outdated legislation, declare what a user’s right to privacy (or protection from surveillance) is, and expect that these terms will be accepted. They also know that most people will accept the terms without reading them. This is a form of unilateral agreement-making that most of us have come to accept as part of the price of accessing services; the use of the service implies consent, and the only alternative to consent is the decision not to use the service.

This leads to the second thought: due to massive concentration of ownership in the world of online services, complicated by barriers to competition, user lock-in and economies of scale, there are no alternatives to many of the services and devices on which we have come to rely. An inexpensive Android phone may track your location even with GPS disabled, but it may not be within your means to buy a $1000-plus phone that does not record and transmit this data. There is no large-scale alternative to Reddit, or to Facebook/Instagram, and almost no way to opt out of Google’s ubiquity. If you do not approve of the privacy invasions the “free market” has brought you, the “free market” has few alternatives to offer.

Since viable alternatives often do not exist, the only choice in many cases is to go without the device or service you want to use. Here we encounter the third explanation: people like these services, find value in them, and are willing, at least in some small way, to trade the collection of personal data in exchange for personalized experiences. A recent study from the Centre for Data Innovation shows that people want services to collect less personal data, but that only one in four people are willing to pay for a service in order to keep their data private. Is this a “have your cake and eat it too” problem, or is there more nuance?

I opt for nuance because of this question: what would a fair price for these services be? These services do not disclose how much they earn from your participation (though per-user revenue estimates have been made), and the saturation of “free” online services makes it difficult to estimate a fair price. A true “free market” is transparent about product, value, and pricing… and Silicon Valley culture is none of these things. As a result: assuming we know what data is being collected (refer back to “lack of awareness”: we don’t), we are each engaged in an individual negotiation over whether or not the value we get from Facebook, Google, Amazon, etc. is worth the sacrifice of personal information. No market exists where this negotiation can take place, and so the options appear binary when they are not.

I enjoyed Hart’s article, but I think the survey and report it references actually highlight something other than a paradox: that our ability to make informed decisions about privacy choices is hindered by the volume of choices that must be made, the complexity of those choices, and by a high-tech culture that opaquely asserts ownership over data for the sake of “personalization.” All of this suggests that the scales are terribly out of balance, with a leaden finger on the side of high-tech enterprise. Silicon Valley has demonstrated through its actions (and, on occasion, lack of actions) that it is incapable of meaningful self-governance in this area. It’s time for a discussion about privacy and surveillance rights, and it’s time for government to make some declarations of its own.