— Gary LosHuertos parked himself in a New York City cafe last fall and fired up a new tool for snooping on people as they use free wireless. Within minutes, he had managed to spy on more than a dozen people as they used Facebook. It was just an experiment by the Web software expert, but he wanted to make a point — so he used the victims' own Facebook accounts to send them each an unnerving warning message. He told them he'd hacked their accounts, and he knew where they were.
He expected cursing, anger, perhaps some furious typing. Instead, many of his recipients just went right on surfing. So he prodded them a second time.
"Really wasn't kidding about the insecurity thing," he wrote. "I won't send another message after this — it's up to you to take your security seriously. You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool."
Twenty minutes passed. He could see that recipients had read his notes — he had full access to their accounts. But on they went, surfing as if no one was watching. One even shopped at Amazon, despite his specific warning about that site.
Even his incredibly spooky message didn't change their behavior.
"What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day," said LosHuertos in his blog about the incident.
Welcome to the world of privacy experts like Larry Ponemon and Alessandro Acquisti. Their chosen field of work is an area where research can be pretty depressing. Consumer behavior shows, repeatedly, that people just don't care about privacy, no matter how much lip service they might give to the topic. Ponemon's research shows that most U.S. adults — 60 percent —claim they care about privacy but will barely lift a finger in an effort to preserve it. They don't alter Facebook privacy settings, they don't complain when supermarkets demand their phone numbers and they certainly don't insist on encrypted e-mail. LosHuertos' experiment underscores this point well. Even people who have experienced a "privacy mugging" often don't change their behavior.
While Congress and the Federal Trade Commission mull over the first real federal effort to protect Americans' privacy in the digital age, msnbc.com is trying to kick-start the conversation and draw attention to the prickly topic. In this series, Wilson Rothman is speaking to the crowd that deliberately doesn't care about privacy; Helen Popkin, to that small group of privacy elites who go to some trouble to avoid sharing information with government agencies and corporations. I'm starting off the third piece by addressing the largest group, the people in the middle who say they care, but contradict themselves daily with privacy-eroding choices.
(That human right stuff isn't hyperbole, by the way. The European Convention for the Protection of Human Rights declared privacy a basic human right back in 1950.)
The usual way to do grab attention to the topic is to trot out privacy nightmares, such as the secret dossiers that hundreds of companies keep on you (they do), the man who was accused of arson because his grocery store records showed he purchased fire starters (he was), or the idea that a potential employer may one day pass on you because your musical tastes suggest you will be late to work three time per week (they could). But privacy nightmares are beginning to feel a bit like the boy who cried wolf. Cyber experts have warned about both a Digital Pearl Harbor and an information Three Mile Island for more than a decade now; doesn't the absence of that kind of disaster show that perhaps privacy is no big deal?
"I think it's partly because people are part of a large herd, they take a 'the lion is not going to attack antelope' mentality," said Ponemon, who runs the privacy consulting firm The Ponemon Institute. "And people are more scared of physical dangers that privacy risks. When that whole issue about groping and scanning at the airport came up, we did a study and found that people were more worried about getting cancer from the machines, and weren't overly concerned about privacy. It shows me that people feel they can't live without social networking, and they have to go on flights. So they just surrender."
Behaviorists know: It's an unfair fight
Acquisti likes to stick up for consumers who might seem either too lazy or too disinterested to make changes to daily routines or Internet usage that might preserve their privacy.
"On one end is attitude, and on the other is behavior, but in between there are many steps. It's not obvious what you should do to protect your privacy," said Acquisti, who studies the intersection of privacy and economics at Carnegie-Mellon University. "And the more technology savvy among us have this feeling that we're giving it up, but we realize it is close to impossible to protect your personal information, not even if you start living like the Unabomber in a cabin. If you want to function as a normal person in society you have to."
For many, he thinks, there is a sense of learned helplessness — the feeling that their privacy is lost anyway, so why go through the hassle of faking a supermarket loyalty card application? For others, the decision tree is so complex that it's no surprise they usually take the easier option.
"There are so many mental steps we have to go through," he said. "Do I even know there is a potential privacy risk? If I do, do I know I there are alternative strategies, such as adjusting privacy settings? Do I know, or at least feel, that these will be effective, or are they a waste of time? And then, if they are effective, are they too costly in terms of time or effect? After all that, I may very well decide not to take those steps."
Every time consumers face a privacy-related choice — "May I have your phone number please?" or "Click here to agree to or terms of service" — they must go through this process. It's worn most of us down.
But even the most diligent small-print readers among us face an uphill battle to make the process meaningful. Students of behavioral economics, Acquisti says, know that human nature makes most privacy transactions an unfair fight.
For starters, people almost always engage in "hyperbolic discounting" when faced with a privacy choice — they overvalue present benefits and undervalue future costs. You probably do that every day when you convince yourself that an extra cookie or scoop of ice cream is worth the bargain with your waistline. In the realm of privacy, judging such bargains can be impossible. What's the future cost of sharing your phone number with a grocery store? It could be nothing. It could be annoying phone calls or junk mail. It could be intense profiling by a marketer. It could ultimately be an increase to your health premium, as a medical insurance company one day decides you buy too much ice cream every month.
In reality, there is no good way to do a cost-benefit analysis when facing a privacy choice.
"Giving away privacy has been compared to giving a company a blank check," Acquisti says. "You don't know how they're going to fill it in, or what's going to happen when it comes back to you."
Consumers also tend to make rotten personal safety choices. Research shows they nearly always engage in what's called an "optimism bias" — those awful things I've read about probably wouldn't happen to me.
And finally, they also suffer from an "illusion of control" over their personal information — an illusion that's been cultivated by dozens of Web and marketing companies.
Certainly, consumers can control what they initially share directly with companies. But they rarely maintain control of the information once it's divulged. Sale and other sharing of such information with third parties is commonplace; privacy policies that promise otherwise are routinely changed on a whim; and anyone who's ever tried to expunge shared information knows it's rarely a practical option.
"Control is a code word that companies like Facebook use, and policymakers use, as a way to address privacy problems," Acquisti said. "They say, 'Look, we gave users control, and so there is no privacy problem. My point is that control is not a sufficient condition for the preservation of privacy ... and we have plenty of evidence to that effect."
Can the government save you from yourself?
Despite recent rhetoric to the contrary, long ago America decided that there are realms where it's not OK to let consumers make decisions that guaranteed to cause self-harm. We don't let people eat in restaurants that fail health inspections; we don't let people buy buildings that aren't earthquake proof near fault lines; we don't let them buy cars without seat belts — even if all these options were cheaper, or somehow more enjoyable. Why? It's impossible for consumers to really understand the consequences of such actions at the time of the choice. We wouldn't expect every San Francisco home buyer to become an expert seismologist, or every eater to become a biologist. Even if you care nothing for personal safety, it would be a terribly inefficient way to run an economy.
Acquisti thinks it's time that society erected some strict safety rules around privacy issues, and end the charade of 27-page end user license agreements that no one — not even Acquisti — reads. The right answer for the majority of Americans who care about privacy but don't know what to do about it is for leaders to make some tough choices.
There are some efforts under way in that direction. There are no fewer than seven pieces of privacy-related legislation that have either been introduced in the U.S. House of Representatives, or soon will be. The most significant involves creation of the Do Not Track legislation, which would authorize the Federal Trade Commission to create a regime that forced companies to allow users to opt out of various data collection efforts. It would also give consumers a "right of access" to personal information stored by any company — a right Europeans have enjoyed for years. While the law is meant to evoke the very popular Do Not Call list, critics worry that few consumers would take the time required to opt out.
The Financial Information Privacy Act of 2011 would prevent banks from sharing customer information with third parties unless consumers opt-in, a significant step further along in privacy protection. Banks would then have to sell people on the idea of information sharing. (A detailed look at these proposals.)
Timid as they are, virtually all these bills have run up against ferocious industry lobbying. Facebook, among many other firms, has told the FTC it's worried that the Do Not Track initiative would stifle innovation.
Technology firms are trying to fill some of the void, with Web browser makers Microsoft, Google and Mozilla all experimenting with Do Not Track options. So far, however, these efforts have been clunky and require voluntary participation from advertisers, a route privacy advocates aren't optimistic about.
One problem: Tracking is only the beginning of the thorny legal issues that need to be addressed deftly, Acquisti warns.
For example, in the U.S. it's illegal for employers to ask about certain topics during employee interviews, such as questions surrounding sexual preferences or political views. It's perfectly legal, however, for a company to stumble on such information using Google or Facebook. In Germany, that kind of Web cruising by companies has been affirmatively banned, maintaining the spirit of the original prohibition.
"These are truly challenging questions, but this type of dilemma will become more and more common," Acquisti said. "We need to prepare for that."
No equivalent yet of two-headed fish
Of course, no privacy advocate would make the claim that U.S. citizens are clamoring for enhanced privacy. Most evidence, in fact, points to the contrary. No matter, says Ponemon. There are plenty of societal ills that need fixing which didn't initially arrive with widespread public support. The Environmental Protection Agency, for example, faced a long and difficult birthing process, and still struggles to find balance between immediate business benefits (such as manufacturing output) and future, more subtle costs (like polluted rivers). In privacy, costs are even more subtle, Ponemon said.
"The problem for privacy is that there hasn't been the equivalent of a two-headed fish yet," he said. "It's more like we're saying there's stuff in the lake that might kill you in 10 years." There have been widespread leaks of customer data, and there's been millions of identity theft victims. Still, it's hard to equate any privacy disaster so far with closed beaches or poisoned wildlife.
'Inspected every instant of time'
The closest thing to a two-headed fish might be an image. In this month's U.K. version of Wired magazine, Cult of the Amateur author Andrew Keen argues that compulsive sharing of everything through e-mail, Facebook, and Twitter is really a trap. The logical conclusion of all this personal diarrhea — Keen says "we are our own Wikileakers" — creates a frightening world in which private lives all but disappear.
Keen offers a metaphor for this: the "panopticon," or Inspection House, imagined by 18th-century Utilitarian Jeremy Bentham as a tool to "improve the management of social institutions, from prisons and asylums to workhouses and schools." The "panopticon" is basically a high-tech glass house that would lay bare everything its occupants do.
"A physical network of small rooms in which we would be inspected every instant of time," Bentham, speaking as only Utilitarians can, says of the device.
'The end of second chances'
Ponemon doesn't see Facebook as a panopticon — yet. But it doesn't have to go that far to put a serious dent in the American dream, he worries. People no longer expect to keep secrets, Ponemon said, which means that every stupid thing you do in high school will follow you around for the rest of your life. He is scared about the implications of that.
"The end of privacy is the end of second chances," Ponemon said. "Some people may think I'm just being a cranky old guy ... but the thing about what made this country great is our ancestors came with nothing. They didn't have a reputation, positive or negative. They could, like my dad, go to Arizona and become a dentist, something he couldn't do in his home country. The ability to reinvent ourselves has made great fortunes. The ability to do that today is significantly diminished because of all the information that is attached to us. Could we have another Thomas Edison now, who dropped out of elementary school in his first year (at age 7)? Maybe not."
Acquisti isn't just worried about the American way of life; he's worried about humanity itself.
"What I fear is the normalization of privacy invasions in a world where we become so adjusted to being public in everything that it is normal," he said. "I fear that world will be a world where we will be less human. Part of being human is having a private sphere and things you only share with special people, or with no one. I fear for the future of that world."
Acquisti, despite his exhaustive research on the subject, said he has no desire to persuade others to change their privacy-related behaviors. People make rational choices every day to share themselves with others, and to great benefit — they form relationships, find work and in extreme cases use social networking tools to fight for freedom, he said. People who want to share everything with everyone have the freedom to do so.
Preserving the 'right to be left alone'
But it's freedom he's most interested in preserving — the freedom of some people to keep their lives private in a world while the costs of doing so are increasingly rising.
"It will become increasingly costly not to be on a social network, just as not having a mobile phone now is," he said. "It will dramatically cut people off from professional and personal life opportunities. The more people who join the social networks, the more costly it becomes for others to be loyal to their views."
In economics, it's called an "externality" — the costs of your choices go up because of factors that have nothing to do with you. On the Internet, it's called the network effect. In reality, it means that someone who has no interest in being on Facebook is now the last to know about last-minute parties, new romances, even weddings and funerals. (We've all heard at least once: "Didn't you see my Facebook post?")
As the network effect deepens, and the majority speeds down its road toward a completely open second life in the virtual world, society must work to preserve the right of the minority's desire to stay private in the first life — not unlike efforts we make today to preserve rights of other minority groups, such as the handicapped, Acquisti said.
"Freedom means making sure people have the option to stay off the grid; the more people surrender, the deeper the network effect, the more the punishment for being disconnected," Acquisti says.
If you care, here's what you can do
If you are in this middle group — you care about privacy, but don't know what to do about it — there are some very simple steps you should consider. Despite all the negative things privacy experts say about Facebook, the site does offer some important tools for erecting walls around the information you post there. Spend 10 minutes getting to know them — it's probably the most important 10 minutes you could spend on privacy protection.
Here's a link that will help you: "10 privacy settings everyone should know about"
And here's another: "Manage Facebook's privacy and security settings"
The other must-do task is an annual peek at your credit report, which is free at Annual Credit Report.
For most people, the worst consequence of a privacy leak is identity theft or a bad credit score based on inaccurate information. Your credit report is the only place you'll find out about such costly errors.
If you have one more hour this year to devote to your privacy, consider going down the list of the World Privacy Forum's Top 10 Opt Outs. There, you'll find ways to get rid of junk mail, unwanted credit offers, telemarketing phone calls and other nuisances. You'll also be making your preference known: that you are willing to take some steps to protect your personal space.
Ponemon says everyone should spend a little time Googling themselves every few months, in an effort to determine "what your Internet presence is." You want to be aware of what others see about you when they go looking for you online.
"It's a basic blocking and tackling thing. You want to know, 'What am I doing that could get me into trouble?'" he said. He also advised paying close attention to junk mail, spam and even personalize Web ads to get a sense of that firms know about you, and what categories you've been pegged into.
Acquisti recommends that even the privacy lazy look into some basic privacy-enhancing tools, such as software tools that anonymize Web browsing, like Tor: Anonymity online. Pretty Good Privacy software makes it relatively easy to encrypt e-mails.
But truthfully, even simple encryption is a bridge too far for most people who simply want to finish writing that last e-mail so they can go home and take care of their kids. That's why, for Acquisti, there is really only one good solution.
"Participation in the public debate on privacy, put pressure on policymakers to provide some baseline protection for personal data," he said. "Technology can only do so much."