By Christopher Hoofnagle, Technology | Academics | Policy
As part of our ongoing project on consumer attitudes towards privacy, Jennifer Urban, Su Li, and I just published a new study focusing upon mobile phones.
This survey comes at a time where there is controversy in mobile phone privacy—mobile phones are essentially tracking devices. And both public and private sector actors seek access to information collected by phones. Our survey explores both consumer and law enforcement issues surrounding mobile phones.
As with our other studies, our study is a telephonic (landline and wireless) survey of Americans with a sample size of about 1,200 people. Here are the highlights:
What People Say and What They Do
We asked American consumers whether they thought information on their mobile phones was private in three different ways. First, we simply asked whether they thought information stored on their phone was as private as data in a home computer. Fifty-nine percent consider it “about as private” and 19 percent consider it “more private.” And picking up a theme from previous work, we found that younger respondents care about privacy. Those under 45 were more likely than those over 45 to respond that data on phones was more private than data on home computers.
Before going on, I want to call attention to an important subtlety here. Some have critiqued privacy surveys as incomplete because they do not present the tradeoffs consumers experience in transactions. These critics argue that without a value judgment in terms of provision of services, consumers will always say that they value privacy but act contrary to their aspirations in real marketplace transactions. Under this critique, the fact that 78 percent of consumers thought data on their mobiles to be private simply does not matter, because they are likely to give up that privacy in the marketplace.
We think that critique is limited in two respects: first, we have frequently included a value proposition, such as informing the respondent that they are receiving free services in exchange for providing their attention and personal data. Second, consumers often have no realistic privacy-friendly option in the marketplace. Popular services are almost always offered on a take-it-or-leave-it basis. Thus, the marketplace makes consumers give up privacy, often unilaterally and out of proportion with business needs.
Informed by these critiques, we posed a question where consumers could make a realistic choice to preserve privacy: whether they would be willing to lend their mobile phone to others. Consumers can clearly understand the risks and benefits of lending their phone, and decide to share or not. We found that most would lend a mobile phone to a spouse or close friend, but most would not lend their phone to an acquaintance or work colleague. When we probed for explanations, privacy rationales dominated the resistance to lending the phone to others. Of course, lending a phone is a similar decision to installing an app that has permissions allowing it to peek at data on the device.
Finally, we asked about law enforcement searches of phones at arrest. Under a series of recent decisions, courts have allowed police to search phones of arrestees without court oversight. A large majority rejected the idea that law enforcement should be automatically able to search a cell phone of someone who is arrested. Seventy-six percent supported requiring officers to get permission from a court prior to searching a mobile phone in this situation.
Mobile Phones and Business Practices
In addition to determining individuals’ expectations around privacy, we asked a number of specific questions about business practices:
A large majority objected to the basic premise behind the established business relationship exception. This allows businesses to call any consumer—even if the consumer has enrolled in the Telemarketing Do-Not-Call Registry—if the consumer makes any purchase (no matter how small) or any inquiry at the business. Seventy-four percent said that businesses that they frequent should not be able to call them, even if the consumer provides the cashier with her phone number.
We asked about the information practices of apps and found rejection of common business models. Eighty-one percent of respondents said they would “definitely not allow” (51%) or “probably not allow” (30%) sharing contact lists in order to receive more connection suggestions.
Americans support strong limits on data retention by wireless service providers. Forty-six percent answered that wireless phone location data should not be kept at all. The next largest group—twenty-eight percent of respondents—answered that the data should be kept less than a year. Given that a Congressional investigation recently found that law enforcement agencies sought access to wireless phone records over one million times in 2011, data retention rules may be a viable strategy to bound government access to citizen data.
The gulf between private sector information demands and consumer preferences suggest that better disclosures and choice mechanisms alone will simply preserve the status quo. More aggressive interventions are necessary to create incentives for firms to reduce collection of personal information.
Particularly where privacy tradeoffs have not been made clear, consumers need the ability to change their minds and walk away from a service. While the Federal Trade Commission has so far focused upon improving consumers’ positions ex ante, increasingly we need to consider ex post interventions, such as a right to delete information associated with an account, so that the consumer can exit whole.