Privacy and Security of Personal Information:
Technological Solutions and Economic Incentives
Alessandro Acquisti, Heinz School, CMU
An APE Act?
• “On May 6, 2002, the Washington Post reported that
the National Zoo refused to release a deceased
giraffe’s medical records on grounds that it would
violate the animal’s right to privacy.” Politech, May
2002
• Soon, an Animal Privacy Entitlement Act?
Three myths about personal information
1. Is too much privacy bad for you?
• or, privacy can act against the interests of society or the individual
2. Do we have zero personal information security?
• or, the loss of control on personal information is simply necessary to make the networked society work
3. Do people really care about privacy?
• or, people would sell their DNA for a Big Mac
Question n.1: Is too much privacy bad for you?
• Free flow of information helps the economy
and the individual.
• True, but what else do the economic
arguments say?
Economic incentives
• Recent economic studies show something
interesting about the flow of personal
information:
• Acquisti and Varian (2001): allowing firms to use
cookies can make customers and society better off
• Calzolari and Pavan (2001): sharing information
between sellers reduces distortions
• Taylor (2002): with strategic customers, firms
better off respecting customer’s privacy
The economics of privacy
• Acquisti and Varian (2001)
• Monopolistic firm/competition case
• Customers can be “myopic” or “strategic”
• With and without “commitment”
• Customer can use anonymizing
technology, and suffer a certain cost
• What is the optimal strategy for the seller?
The economics of privacy cont’d
• Monopoly
• If firm just offers the same good, optimal
not to use cookies! I.e., behavior-based
price discrimination is not optimal.
• If firm can use customer information to
provide targeted services, price
discrimination will be optimal for seller, and
• Society can be better off
The economics of privacy cont’d
• Competition
• No flat price equilibria
• Lock-in equilibria
• Cost of anonymous technology
Off-line vs. on-line identities
• Previous results refer to information about the customer type being shared
• E.g., tastes, “risk aversion”, etc.
• Not necessarily her real identity
• Let’s separate:
• Friedman and Resnick (2001): legal versus persistent identities
• Here:
• On-line identity
• Off-line identity
On-line identity: some trade-offs
Individual on-line information not used by Merchant:
• Customer, pros: no price discrimination
• Customer, cons: no targeted services; no discounts in exchange for profile information
• Merchant, pros: (none listed)
• Merchant, cons: less customer information
Individual on-line information used by Merchant:
• Customer, pros: targeted offers; discounts in exchange for personal profile
• Customer, cons: price discrimination
• Merchant, pros: ability to price discriminate, knows customer better
• Merchant, cons: (none listed)
Off-line and on-line: other trade-offs
Individual off-line information not used by Merchant:
• Customer, pros: no price discrimination; sense of security/protection
• Customer, cons: no targeted services; no discounts in exchange for profile information
• Merchant, pros: more ‘customer friendly’ reputation
• Merchant, cons: less customer information
Individual off-line information used by Merchant:
• Customer, pros: targeted offers; discounts in exchange for personal profile
• Customer, cons: price discrimination; real or perceived risk of incurring future, stochastic costs
• Merchant, pros: ability to price discriminate, knows customer better (better customer relation)
• Merchant, cons: worse customer relations?
On-line identities, linkages, and costs
• Confusion arises in the debate from mixing on-line and off-line identities
• Econ says:
• more on-line info is good: market laws can allow the right amount of on-line info to be shared
• not in contradiction with protection of privacy (off-line identity)
• Problem:
• Why are the two identities instead always linked?
• Getting there is costly
Question n. 2: Do we have zero personal information security?
“You Already Have Zero Privacy”
• Is loss of privacy necessary to make the networked society work?
• IT can:
• both link and unlink online and offline identities
• or make linkages costly enough
• PETs
For example: Anonymous payments
• For example, is it possible to have a ‘reliable’
(from charges to shipping) payment system
for goods and services which is also
anonymous?
• Yes: Tygar et al. (1999).
• Implementations:
• ECash (blind signatures)
• Probabilistic “acid mix” approach
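As an added illustration of the “ECash (blind signatures)” implementation listed above (this is example code, not from the slides or from Acquisti’s or Tygar’s work), a Chaum-style RSA blind signature: the issuer signs a payment token without ever seeing it, so the token later spent at a merchant cannot be linked back to the withdrawal. The RSA parameters and the token bytes are constructed toy values.

```python
# Chaum-style RSA blind signature, the mechanism behind ECash-type anonymous
# payments. Toy parameters constructed for illustration: two Mersenne primes
# give a ~92-bit modulus, far too small for real use, and no padding is applied.
import hashlib
import secrets
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1          # constructed toy primes (NOT secure)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # issuer's private exponent

def token_digest(token: bytes) -> int:
    """Hash the token so the value to be signed fits under the modulus."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(m: int):
    """Customer side: hide m with a random factor r; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer side: signs the blinded value, learning nothing about m."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Customer side: remove r to obtain an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(m: int, sig: int) -> bool:
    """Merchant side: check the issuer's signature on the token being spent."""
    return pow(sig, E, N) == m

def withdraw_and_spend(token: bytes):
    """Full round trip. Returns (signature_valid, issuer_could_match_token).

    The issuer's log contains only the blinded value b; since b != m, the
    withdrawal record cannot be matched to the token the merchant receives."""
    m = token_digest(token)
    b, r = blind(m)
    sig = unblind(issuer_sign(b), r)
    return verify(m, sig), b == m

if __name__ == "__main__":
    print(withdraw_and_spend(b"constructed-token-0001"))
```

Double-spending is not addressed here: ECash-style systems add a serial number inside the token and have the issuer record spent serials, which is what makes the “customers cannot see/copy their own tokens” concern in the acid-mix slide matter.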
“Acid mix” approach to anonymous payments
• The story:
• Bob, Alice, and Kevin enter a room….
• The Protocol:
• Let them ‘swap’ payment tokens with other customers, until satisfied
• Put customers in control of the operation!
• Let them decide how much privacy they want
• Problem: before swapping, customers cannot see/copy their own tokens…
• For details: Acquisti (2002)
And yet….
• Economic arguments show that trade-offs between sharing and protecting personal information can be reconciled
• Technology could do it
• So, why have econ and technology not done it?
• Solve the following equation:
Find a privacy combination convenient for customers (e.g. Bob), profitable for vendors (e.g. Amazon.com), advantageous for other existing players (e.g. credit card networks), and non-replicable by competitors
Question n. 3: Do people really care about privacy? Who should?
• Anecdotal evidence, surveys, experiments
• Privacy “advocates” & cameras: Spiekermann, Grossklags, and Berendt (2001)
• Independent Studies
• $18 Billion in lost e-tail sales (Jupiter)
• Top reason for not going online (Harris)
• PGuardian marketing studies
• Confirm privacy awareness, but
• Expect privacy at no cost offered by the merchant
How to reconcile the two views?
• Some ideas from economics:
• “Bounded rationalities” (how to calculate the negative financial shock of identity theft?)
• Economics of immediate gratification (enjoy now, worry later)
• Experiment. Hypothesis: individuals are strategic with respect to on-line identity, myopic with respect to off-line identity
• So: free decision, but not necessarily optimal for individual or society
• A Parable: Geo Trust
• A second parable: Motorbikes and Helmets
Economics of off-line identity
• Costs
• Both sides, both cases
• Customers:
• Bounded rationalities, hyperbolic discounting:
• customer decides not to protect herself
• Other parties:
• Asymmetric information, moral hazard:
• seller decides not to protect customer
Economics of off-line identity cont’d
• Hence
• too much off-line info re-distributed
• not paid for
• chilling effects
• real effects:
• Lost sales
• Unsatisfied demand
• Identity thefts
• Frauds
• Or, rich, disagreeable niche markets
The approaches
• Market
• Econ does not work alone
• Technology
• Dot-com death bed
• Does not work alone
• And Law?
[Diagram: Data Marketing vs. Data Protection]
Law
• Patriot Act (APE Act?)
• Or, different approaches:
• Liability
• Adapting trade secrecy rules to “licensing”
personal data - Samuelson (2000)
• Driven by economics, drives technology
• (third party market)
Seven (very personal) answers
1. Privacy easier to protect than to sell
2. We are all myopic, but not necessarily careless
3. Privacy is about trade-offs. Good trade-offs could satisfy
both ‘privacy advocates’ as well as ‘free data marketers’
4. Distinguish between on-line and off-line identities. Share
on-line identities, protect off-line identities. Make
linkages expensive
5. Econ to see what to protect, what to share
6. Law to send a signal to the market
7. Technology to implement chosen directions
Backups
An economics of privacy?
• Difficulties in conceptualizing privacy:
• A right? A need? A gift?
• Too many things for different people:
• Price discrimination…
• Telemarketing…
• Blackmailing…
• …and even for the same person
• web-cam in the house…
• and refuses cookies when browsing cnn.com…
• Recognize: privacy is about trade-offs