Overcoming the privacy paradox

Daniel Tkacik

Jun 28, 2019

Why do some people say they value their privacy, but then willingly give up personal information when downloading an app? Understanding this so-called “privacy paradox” would help answer lots of questions about how privacy could be better dealt with.

Man standing at podium at a conference with two people listening from a long table on stage

Source: Lujo Bauer

CyLab researcher and Ph.D. student Mahmood Sharif presents at PrivacyCon 2019 in Washington, D.C

In a recent study out of Carnegie Mellon University’s CyLab, researchers exposed participants to an online marketplace where they could sell their personal information at any price they wished. Some participants were tricked into thinking the marketplace was real, while others were told to think of it as hypothetical. 

“Our goal was to figure out how to ask users about the value of their personal information such that their answers accurately represented how they would behave,” says Mahmood Sharif, a Ph.D. student in the department of Electrical and Computer Engineering (ECE). “Doing this successfully would mean overcoming the privacy paradox.”

The study was presented at the Federal Trade Commission’s PrivacyCon conference held yesterday in Washington, D.C.

Turns out, participants thought their information was worth roughly $2 to $25, depending on the type of information and who was buying it. More importantly, participants in general valued their information roughly the same whether they were asked hypothetically or whether they were asked to actually sell their information on a marketplace. 

“This says that additional factors may be at play in explaining the privacy paradox,” Sharif says.

Those factors, Sharif says, could include things like social desirability, where people may be more inclined to give up their personal information for an app that their friends also use. Another factor could be convenience – users may be more willing to share personal information if they can, for example, have groceries shipped to their home address.

The researchers also confirmed what previous studies have shown: that people’s valuations of their information change depending on who their information would be sold to. For example, people valued their information less when sharing it with research pools or federal agencies compared with sharing it with insurance companies, political parties, market research companies, or ad networks.

“We think the reason for this may be that users value their information more up against organizations that could monetize their information,” says Sharif.

Doing this successfully would mean overcoming the privacy paradox.

Mahmood Sharif, Ph.D. student, Electrical and Computer Engineering

Sharif says their findings will help inform systems designers build systems that ask for people’s information, as some information, it seems, is less okay to ask about than others. Policymakers can also benefit.

“There might be certain kinds of information that people are really against sharing,” Sharif says. “Policymakers could help disincentivize such sharing.”

In the study, participants aged 18 to 76 (median age of 29) were asked to assign dollar values to seven different pieces of personal information: age, email address, gender, home address, occupation, phone number, and relationship status. Six different dollar values were given for each, corresponding to six entities who might be interested in buying: ad networks, federal agencies, insurance companies, market research companies, political parties, or research pools.

Under the most realistic setting, participants were deceptively told that the information marketplace was operational and that they had an opportunity to earn additional money by choosing to sell their information. They were provided with a URL to a mock-up website describing the information marketplace. Under the most hypothetical setting, participants were asked to merely imagine selling their information on a marketplace. 

Other researchers involved in the study included Institute for Software Research (ISR) graduate student Joshua Tan, ISR Ph.D. student Sruti Bhagavatula, former CyLab postdoctoral researcher Matthias Beckerle, University of Maryland professor Michelle Mazurek, and ECE and ISR professor Lujo Bauer.