Privacy Policy Research Deserves a Much Wider Audience

The Federal Trade Commission (FTC) hosted its fifth annual PrivacyCon on July 21, 2020.  This was the first time the one-day conference was fully remote, rather than in person at the FTC’s Bureau of Consumer Protection in Washington, D.C.

PrivacyCon should not be confused with Comic-Con, the annual pop culture extravaganza that began the following day with over 350 virtual panels extending over nearly a week.  Perhaps the thousands who show up there each year in San Diego with colorful costumes will not miss a beat as they turn on their Zoom cameras to participate in a way never imagined when this year’s Comic-Con was organized.

PrivacyCon clearly is a world away, both figuratively and literally.  It brings together some of the best privacy researchers each year to present outstanding papers that have been selected through a rigorous process.  It is a unique opportunity for them to discuss their methodologies and findings with peers, and most importantly, to provide an incredible learning opportunity for key legal, economic, and technological FTC staffers who are involved in privacy policy development and implementation.

A review of the papers presented this year reflects the conference’s usual, consistently high level of quality.  The authors were from a range of leading U.S. research universities, including Harvard, Columbia, Princeton, NYU, and UC Berkeley.  And the FTC recognizes that good work need not be limited by national boundaries, so it included authors from the University of Toronto and Ruhr University Bochum, as well.

Given the constant pace of developments in this field, many of the studies are based on limited experiments or surveys that suggest possible research routes for others to develop over time.  These will be especially valuable when picked up in broader studies that can then form the basis for more informed FTC policymaking.  This outcome in itself is beneficial since it links the academic world to real-world policy formulation, creating a feedback loop that serves both interests well.

Here are some examples of this year’s research that deserve greater exposure, both in the academic community and beyond:

  • “Proposed and enacted privacy regulations have not included cost benefit analyses.  The research discussed in this paper is one approach to estimating some of the benefits that might be obtained from privacy regulations.  The approach could be used to estimate the value of keeping all manner of data private, and somewhat more complex work could explore how the different pieces of data interact.  But a full accounting requires estimates of the costs of such regulation.  Our estimates are therefore not an estimate of the net value of privacy.  For example, we estimate that in the U.S., on average, consumers value keeping location data at $1.20 per month on a smartphone.  Suppose that keeping location data private meant no less accurate driving directions on the person’s smartphone.  The net benefits of requiring smartphones to keep location data private would, therefore, be $1.20 minus however much people value high-quality directions on their phones.  The same argument is true for all types of data….  More research is necessary to do full cost benefit analyses.… [Given] the importance of data in the digital economy and the amount of data people share, it would seem prudent to continue this work.” –Jeff Prince, Indiana University Kelley School of Business, How Much Is Privacy Worth Around the World and Across Platforms?
  • “We have provided a first glimpse on how tracking is behaving differently in different social contexts.  We showed how advertisers value healthcare data and increasingly deploy persistent identification practices from this context to others.  Also, there are certain bonds between trackers who operate simultaneously in different social contexts (e.g. health and education) and utilize that to deploy practices against our privacy expectations.  Looking ahead, we aim to empirically uncover more of the conflation of contextual informational norms by the advertising industry, with a hope to remove the curtain between individuals and websites for better understanding of the ‘invisible contracts’ that we currently have with our digital service providers and ensuring they do not undermine our natural right to privacy.” –Ido Sivan-Sevilla, Wenyi Chu, Xiaoyu Liang, Helen Nissenbaum, Cornell Tech, Unaccounted Privacy Violation: A Comparative Analysis of Persistent Identification of Users Across Social Contexts.
  • “We conducted an in-depth empirical analysis of data deletion mechanisms and opt-outs for email communications and targeted advertising available to US consumers on 150 websites sampled across three ranges of web traffic.  It is encouraging that opt-outs for email communications and targeted advertising were present on the majority of websites that used these practices, and that almost three-quarters of websites offered data deletion mechanisms.  However, our analysis revealed that presence of choices is not the same as enabling visitors to execute the choice.…  [W]e identified several issues that may make it difficult for visitors to find or exercise their choices, including broken links and inconsistent placement of choices within policies … some policy text describing choices is potentially misleading or likely does not provide visitors with enough information to act.  Design decisions may also impact the ability of visitors to find and exercise available opt-outs and deletion mechanisms.” –Hana Habib, Carnegie Mellon University, An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites.
  • “Users struggle to adhere to expert-recommended security and privacy practices.  While prior work has studied initial adoption of such practices, little is known about the subsequent implementation and abandonment.…  Security practices were more widely adopted than privacy and identity theft protection practices.  Manual and fully automatic practices were more widely adopted than practices requiring recurring user interaction.  Participants’ gender, education, technical background, and prior negative experience are correlated with their levels of adoption.  Furthermore, practices were abandoned when they were perceived as low-value, inconvenient, or when users overrode them with subjective judgment.…

    “While prior work has primarily advocated for improving the usability of assisted security practices, more usability research is needed for frequently abandoned or rejected privacy and identity protection practices to lower their barriers for adoption.…

    “Required user effort should also be reduced where possible.  For instance, most participants who adopted password managers chose those built into their browsers due to direct integration into the browsing experience, whereas dedicated password managers often require extra steps to retrieve passwords.  Even eliminating a few clicks can make a big difference as users’ compliance budgets are extremely limited.…  [R]ecurring interactions should be designed to convey the value of associated protection so they are not just perceived as a nuisance.” –Yixin Zou, University of Michigan School of Information, Examining the Adoption and Abandonment of Security, Privacy, and Identity Theft Protection Practices.

Although the event was free and open to the public and available online, it is unclear how many people generally were aware that it was happening.  Greater visibility now and in the future is warranted.  The conversations in the academic and policymaking communities should continue apace.  But PrivacyCon also needs to be more like Comic-Con – that is, it should build a broader bridge to the public at large, which is the real beneficiary of any current or future FTC privacy policies.  This can be done through the FTC’s website and social media, which can highlight in simpler terms this year’s research discoveries that would be interesting for consumers to know about.  And perhaps going forward, the event should continue to have a simulcast live stream so that a larger number of people also can tune in to hear the presentations and the real-time reactions to them.

Let the planning for 2021 begin, focusing on expanded ways to make relevant research accessible to a range of stakeholders interested in privacy policy, including the public at large.

Stuart N. Brotman is a Distinguished Fellow at The Media Institute.  He is the author of Privacy’s Perfect Storm: Digital Privacy for Post-Pandemic Times.