Privacy and Security of Personal Information: Technological Solutions and Economic Incentives
Alessandro Acquisti
Heinz School, CMU

An APE Act?
• “On May 6, 2002, the Washington Post reported that the National Zoo refused to release a deceased giraffe’s medical records on grounds that it would violate the animal’s right to privacy.” Politech, May 2002
• Soon, an Animal Privacy Entitlement Act?

Three myths about personal information
1. Is too much privacy bad for you?
  • or, privacy can act against the interests of society or the individual
2. Do we have zero personal information security?
  • or, the loss of control over personal information is simply necessary to make the networked society work
3. Do people really care about privacy?
  • or, people would sell their DNA for a Big Mac

Question n. 1: Is too much privacy bad for you?
• Free flow of information helps the economy and the individual.
• True, but what else do the economic arguments say?

Economic incentives
• Recent economic studies show something interesting about the flow of personal information:
  • Acquisti and Varian (2001): allowing firms to use cookies can make customers and society better off
  • Calzolari and Pavan (2001): sharing information between sellers reduces distortions
  • Taylor (2002): with strategic customers, firms are better off respecting customers’ privacy

The economics of privacy
• Acquisti and Varian (2001)
  • Monopolistic firm / competition case
  • Customers can be “myopic” or “strategic”
  • With and without “commitment”
  • Customers can use anonymizing technology, at a certain cost
• What is the optimal strategy for the seller?

The economics of privacy (cont’d)
• Monopoly
  • If the firm just offers the same good, it is optimal not to use cookies! I.e., behavior-based price discrimination is not optimal.
  • If the firm can use customer information to provide targeted services, price discrimination will be optimal for the seller, and
  • Society can be better off

The economics of privacy (cont’d)
• Competition
  • No flat-price equilibria
  • Lock-in equilibria
  • Cost of anonymous technology

Off-line vs. on-line identities
• Previous results refer to information about the customer type being shared
  • E.g., tastes, “risk aversion”, etc.
  • Not necessarily her real identity
• Let’s separate:
  • Friedman and Resnick (2001): legal versus persistent identities
  • Here:
    • On-line identity
    • Off-line identity

On-line identity: some trade-offs
• Individual on-line information not used by Merchant
  • Customer, pros: No price discrimination
  • Customer, cons: No targeted services; No discounts in exchange for profile information
  • Merchant, cons: Less customer information
• Individual on-line information used by Merchant
  • Customer, pros: Targeted offers; Discounts in exchange for personal profile
  • Customer, cons: Price discrimination
  • Merchant, pros: Ability to price discriminate, knows customer better

Off-line and on-line: other trade-offs
• Individual off-line information not used by Merchant
  • Customer, pros: No price discrimination; Sense of security/protection
  • Customer, cons: No targeted services; No discounts in exchange for profile information
  • Merchant, pros: More ‘customer friendly’ reputation
  • Merchant, cons: Less customer information
• Individual off-line information used by Merchant
  • Customer, pros: Targeted offers; Discounts in exchange for personal profile information
  • Customer, cons: Price discrimination; Real or perceived risk of incurring future, stochastic costs
  • Merchant, pros: Ability to price discriminate, knows customer better (better customer relation)
  • Merchant, cons: Worse customer relations?

On-line identities, linkages, and costs
• Confusion arises in the debate from mixing on-line and off-line identities
• Econ says:
  • more on-line info is good: market laws can allow the right amount of on-line info to be shared
  • not in contradiction with protection of privacy (off-line identity)
• Problem:
  • Why are the two identities instead always linked?
  • Getting there is costly

Question n. 2: Do we have zero personal information security?
“You Already Have Zero Privacy”
• Is loss of privacy necessary to make the networked society work?
• IT can:
  • both link and unlink on-line and off-line identities
  • or make linkages costly enough
  • PETs

For example: Anonymous payments
• For example, is it possible to have a ‘reliable’ (from charges to shipping) payment system for goods and services which is also anonymous?
• Yes: Tygar et al. (1999).
• Implementations:
  • ECash (blind signatures)
  • Probabilistic “acid mix” approach

“Acid mix” approach to anonymous payments
• The story:
  • Bob, Alice, and Kevin enter a room….
• The protocol:
  • Let them ‘swap’ payment tokens with other customers, until satisfied
  • Put customers in control of the operation!
  • Let them decide how much privacy they want
• Problem: before swapping, customers cannot see/copy their own tokens…
• For details: Acquisti (2002)

And yet….
• Economic arguments show that trade-offs between sharing and protecting personal information can be reconciled
• Technology could do it
• So, why haven’t econ & technology done it?
• Solve the following equation: find a privacy combination convenient for customers (e.g. Bob), profitable for vendors (e.g. Amazon.com), advantageous for other existing players (e.g. credit card networks), non-replicable by competitors

Question n. 3: Do people really care about privacy? Who should?
• Anecdotal evidence, surveys, experiments
  • Privacy “advocates” & cameras: Spiekermann, Grossklags, and Berendt (2001)
• Independent studies
  • $18 billion in lost e-tail sales (Jupiter)
  • Top reason for not going online (Harris)
  • PGuardian marketing studies
• Confirm privacy awareness, but
  • Expect privacy at no cost, offered by the merchant

How to reconcile the two views?
• Some ideas from economics:
  • “Bounded rationalities” (how to calculate the negative financial shock of identity theft?)
  • Economics of immediate gratification (enjoy now, worry later)
• Experiment. Hypothesis: individuals are strategic w.r.t. on-line identity, myopic w.r.t. off-line identity
• So: free decision, but not necessarily optimal for the individual or society
• A parable: Geo Trust
• A second parable: Motorbikes and helmets

Economics of off-line identity
• Costs
  • Both sides, both cases
• Customers:
  • Bounded rationalities, hyperbolic discounting:
    • customer decides not to protect herself
• Other parties:
  • Asymmetric information, moral hazard:
    • seller decides not to protect customer

Economics of off-line identity (cont’d)
• Hence
  • too much off-line info redistributed
  • not paid for
  • chilling effects
  • real effects:
    • Lost sales
    • Unsatisfied demand
    • Identity thefts
    • Frauds
  • Or, rich, disagreeable niche markets

The approaches
• Market: Data marketing
  • Econ does not work alone
• Technology
  • Dot-com death bed
  • Does not work alone
• And Law?

Data Protection Law
• Patriot Act (APE Act?)
• Or, different approaches:
  • Liability
  • Adapting trade secrecy rules to “licensing” personal data - Samuelson (2000)
  • Driven by economics, drives technology
  • (third-party market)

Seven (very personal) answers
1. Privacy easier to protect than to sell
2. We are all myopic, but not necessarily careless
3. Privacy is about trade-offs. Good trade-offs could satisfy both ‘privacy advocates’ and ‘free data marketers’
4. Distinguish between on-line and off-line identities. Share on-line identities, protect off-line identities. Make linkages expensive
5. Econ to see what to protect, what to share
6. Law to send a signal to the market
7. Technology to implement chosen directions

Backups

An economics of privacy?
• Difficulties in conceptualizing privacy:
  • A right? A need? A gift?
• Too many things for different people:
  • Price discrimination…
  • Telemarketing…
  • Blackmailing….
• …and even for the same person
  • web-cam in the house…
  • and refuses cookies when browsing cnn.com…
• Recognize: privacy is about trade-offs
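The ECash-style blind-signature token mentioned on the “Anonymous payments” slide, as an added worked example (not code from the talk, nor from any ECash product): the bank signs a token it cannot read, so the withdrawal, which is tied to the customer’s off-line identity, cannot be linked to the later spend, while a spent-serial list still gives the “reliable” side by catching double spending. The RSA parameters are constructed toy values for illustration only.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the "bank": tiny primes so the example runs instantly.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private signing exponent

def token_digest(serial):
    """Map the customer's random serial to the integer the bank will sign."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(m):
    """Customer: hide m behind a random r, so the bank only sees m * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def bank_sign(blinded):
    """Bank: sign what it is handed and debit the identified account (off-line identity)."""
    return pow(blinded, D, N)

def unblind(blinded_sig, r):
    """Customer: strip r to get a plain signature on m, since (m r^E)^D / r = m^D."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(serial, sig):
    """Merchant or bank: check the token without knowing who withdrew it."""
    return pow(sig, E, N) == token_digest(serial)

class Bank:
    """Deposit side: each valid serial is honoured once; the list never names a withdrawer."""
    def __init__(self):
        self.spent = set()

    def deposit(self, serial, sig):
        if not verify(serial, sig) or serial in self.spent:
            return False  # forged token or double spend
        self.spent.add(serial)
        return True

def withdraw_token():
    """Full withdrawal. Returns (serial, signature, what_the_bank_saw)."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(token_digest(serial))
    return serial, unblind(bank_sign(blinded), r), blinded
```

The value the bank records at withdrawal (the blinded message) differs from both the serial digest and the final signature, which is exactly the on-line/off-line unlinkage the talk argues for.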