Extended Abstract: The Online Privacy Debate: Do Consumers Want to Be Tracked And Profiled? Should They Have a Real Choice? Eric K. Clemons ⎢ Steve Barnett ⎢ Josh Wilson ⎢ Fujie JIN 1. Introduction and Context Consumers and regulators have increasing concerns about online privacy, about consumers’ awareness of online threats, and about regulators’ ability to inform and protect them [11]. We believe that much of this dissatisfaction results from the current wide regulatory gap in which consumer-facing online information services companies operate, which requires profound need for improved privacy legislation around the world. This gap is described in more detail below. In the US, the FTC has been increasingly disturbed by the behavior of the online advertising industry [11]. This includes concerns caused by the absence of clear regulation and as well as by Google’s repeated violations even when clear policy, regulation, and consent decrees were in place. The FTC has long desired that the industry regulate itself [8], resulting in a meeting of online advertisers, and online search providers, including Google, Bing, and Yahoo. There were brutal disagreements within the industry on how to proceed. Some vendors, like Microsoft, felt that protecting consumer privacy could offer a competitive advantage for their planned release of Internet Explorer 10. Other vendors, especially Google, felt that Microsoft’s planned protections jeopardized their entire business model, and managed to convince many online advertisers that it threatened their businesses as well. The meeting reached a potentially unsatisfactory conclusion, declaring that if Microsoft’s IE 10 offered consumers the level of protection that Microsoft proposed, IE 10 would be declared non-conforming to the new self-regulation standard and all privacy protection setting offered by IE 10 would be over-ruled and Google’s default settings would be used instead [9]. There was no attempt to ascertain consumer preferences in the US or elsewhere, or to ascertain the preferences of regulators in the US or elsewhere. We believe that there is a need for a more comprehensive policy to protect consumers’ privacy online. This policy should be coordinated internationally to ensure at least a minimum level of privacy protection for consumers everywhere no matter where they are located, and to protect consumers no matter where the websites they visit are located. This policy should be informed by consumers’ preferences. The need for an informed policy led us to conduct focus groups and surveys to assess consumers’ beliefs and concerns, in the US, Japan, and Korea, the largest online markets in the free world. Our principal findings include the following: (1) Consumers are not satisfied with the amount of information they receive from their governments about online privacy, and are not satisfied with how well they understand online threats to their own privacy. (2) Consumers are not satisfied with the protection they receive from their governments. (3) Consumers’ concerns about information services companies’ intrusions into their private data varies, but only within a very limited range. Perhaps 80% of users object to social network operators mining their posts for marketing purposes. Objections to having texts read, or to having voice communications digitized and data mined for commercial purposes is slightly higher, between 83% and 85%. (4) Between 89% and 98% of users object to being tracked by a single website without their permission, depending on nation; there is an even higher level of resistance to having searches tracked and integrated with behavior at other websites, or to having data from multiple text streams integrated by a single information services operator. (5) Users’ privacy settings should never be ignored and it will be bad business practice to ignore them and bad regulatory policy to permit ignoring them. 2. Defining Privacy There are at least three different ways to characterize privacy and online invasions of privacy. [2, 14, 19] • Perhaps the least threatening form of privacy violation is represented by an uninvited intrusion into a user’s personal space. Online marketing, spam advertising, and pop-ups and sponsored sites around the edges of a web-page can all be seen as invasions of the user’s personal space. Our focus groups indicated that this was the form of privacy violation most salient in users’ minds, across age groups and across nations. When users though of privacy violations from their email, phone, search, or social network providers, they thought almost exclusively about unwanted ads and unwanted interruptions. • Surely the most extreme and most threatening form of privacy violation is represented by fraudulent ecommerce transactions, or even by identity theft. There is no indication that Google, Daum, Navor, Yahoo, or Bing have been associated with such threats to privacy, and there is no indication that consumers were concerned about this. • And surely the form of privacy violations most important to Google, Daum, Navor, and Yahoo are based on personal profiling for some form of commercial advantage. Interestingly, consumers at focus groups in Japan and Korea seemed to focus solely on the first form of privacy violation, the uninvited intrusion into personal space through various forms of spam and targeted marketing. A few hypothetical examples of integration and profiling were sufficient to around consumers’ concerns. What if your phone tracked your position and it was clear that you now had a new geographic center of activity, your home, your office, your favorite restaurants, and the apartment of your illicit lover? What if the phone read your text and knew whom you were seeing for lunch? What if it started suggesting her favorite restaurants? What if it started suggesting your lover’s favorite restaurants to your friends? To your spouse? A participant at one of the focus groups got truly agitated when one of the other participants described targeted ads based on his search history. He suddenly realized that shortly after he was diagnosed with cancer he started to get email ads for cancer treatments, nursing care, and hospices. He realized that this was not simply coincidence and random spam; his search engine provider had made his most personal and sensitive medical history public, based on his searching for information on his specific form of cancer. Participants at focus groups changed their attitudes towards privacy violations as they considered increasingly intrusive hypothetical examples of data mining and data integration. While these hypotheticals eventually became quite intrusive, none actually violated the published privacy policies of major search engine providers. Subjects came to realize during the course of the focus groups that if your search engine provider knows who you are and where you are and what you are going to do next and with whom what you are going to do it, this is potentially compromising. This is potentially compromising, no matter who you are, and no matter how unexceptional your life might appear at the moment. Since participants became increasingly aware of the full range of potential privacy violations only as the focus groups progressed, we believe that the level of awareness among survey subjects was actually lower than the level of awareness of focus group participants. We believe that the survey results are actually weaker than they appear and actually understate levels of concern among online users. Although the survey results appear quite strong, they understand concerns because they are based upon subjects’ thinking principally about the weakest of the three levels of privacy violation. 3. Understanding the Regulatory Gap in Which IS Companies Operate Information services companies operate in a regulatory vacuum, created by the difference between tight privacy regulations imposed upon traditional postal carriers and telecommunications carriers on one side, and the almost total absence of privacy regulation on many information systems companies like Google and Facebook. • A traditional postal carrier cannot read your mail, and a rogue individual mail carrier cannot intercept and read your US mail, nor can a curious neighbor; doing so is a felony. Even government agencies cannot read your mail in the process of a criminal investigation without a court order. In contrast, American companies like Google and Facebook, and foreign companies like Daum and Navor, have built much of their publicly presented business models on their right to read and data mine any and all of your writings, whether public, like a Facebook post, or private, like a gmail or a text from an Android phone. • A traditional telecommunications provider, like AT&T in the US, cannot eavesdrop on your communications or use your phone logs; indeed, it cannot allow a government agency to tap your phone or observe your phone call log without a court order. In contrast, Google can use your call logs from an Android phone to assess your social network, and Google has applied for patents that would allow it convert voice to text, and thus to text mine even your private voice communications. • Likewise, an ISP provider, like Yahoo in Japan, cannot examine your communications, because an ISP provider is treated as a telecommunications company; in contrast, Google Japan can do whatever it wants with the packets that it sees a user generate. We believe that “a packet is a packet is a packet” and similar packets should be treated similarly, whether they are carried by a traditional postal carrier, a package delivery service, an email vendor, the users’ ISPs, or the backbone network that moves that packet between ISPs. Whether the packet is hand written on a single sheet of paper, typed onto a single sheet of paper, typed and loaded into a single SMS frame, or typed and loaded into numerous packets for delivery over the internet, users’ communications should be protected. 4. Experimental Design Whether or not consumers actually believe that privacy is dead, it suits the companies that exploit private information to act as if this is so.