Public Attitudes Towards Data Collection and Privacy
IndustryView | 2014
Many services we use on the Internet are free; or at least, they appear to be. In fact, we pay for accounts such as email and social media with our personal and business data, which we allow providers to gather and monetize every time we agree to a “terms of service” (ToS) contract. Lately, however, this model has come under scrutiny; in the aftermath of Edward Snowden's leaks, the public has grown more concerned about how much data is being gathered and who has access to it.
Or at least it seems that way, if you follow security and privacy issues in the media. While privacy advocates make a lot of noise, it’s unclear whether the public feels as strongly. Besides, while Snowden shone a spotlight on the government, according to his allegations, the government relied heavily on private companies for the data it amassed.
To learn how people feel about for-profit companies gathering personal data, Software Advice surveyed adults in the United States to gauge public opinions on data collection and privacy. Here’s what we found.
Every day, when we use the products and services of such companies as Google, Apple and Facebook, we agree to abide by their ToS and privacy policies. But these contracts are long and complicated—and there are so many, it’s difficult to believe that many of us ever actually read them.
So that was the first thing we wanted to find out: How many people read these documents all the way through before agreeing to their terms?
Unsurprisingly, very few people read ToS agreements all the way through: 49 percent “never” read them, while a further 34 percent “sometimes” read them. By contrast, 9 percent of respondents claimed that they “often” read them, while only 8 percent claimed that they “always” read them. Adding together the percentage of respondents who chose “never,” “sometimes” and “occasionally,” this gives us an overwhelming 83 percent who do not know what they are agreeing to the vast majority of the time.
In fact, even that figure of 8 percent who “always” read ToS agreements may be inflated. Johnny Lee, eDiscovery and data governance specialist at consultancy Grant Thornton, suggests the real figure may be lower.
“I’d say that’s probably twice as many as actually [do read them],” Lee says. He adds that there’s an important difference between just skimming these agreements and actually reading and understanding them: “I would guess the 8 percent skimmed ... and clicked the button.”
Lee may be correct. In 2012, researchers at Carnegie Mellon University estimated that the average time it takes to read a ToS policy is 10 minutes. Extrapolating from that figure, they calculated that individuals would have to spend 25 workdays out of each year to read all the privacy policies on the websites they visit. It seems likely that at least some of our 8 percent who “always” read the service contracts all the way through are actually skimming.
Next, we decided to gauge attitudes towards collecting data on website users. Although privacy advocates are concerned about the tracking and data collection practices of the likes of Google and Facebook, these firms (and many others following the same business model) argue that this is a benign practice. By tracking what their users buy or read about or by scanning what they write about in their emails, companies can build customer profiles that are used to make the advertising and content they deliver more targeted.
But how do the people being profiled feel? We allowed respondents to choose from several options we provided:
Forty-four percent of respondents answered that tracking users and collecting personal information was an “invasion of privacy.” So, no matter how benign companies claim this practice is, there obviously remains a lot of unease amongst consumers. However, this was not a majority opinion, and the remaining 56 percent expressed a conflicting array of attitudes.
First, only 5 percent stated unambiguously that they were at ease with the practice of data collection. A further 15 percent were somewhat sanguine, accepting that this was the “cost of using the Internet.” We also offered the option of “It should bother me, but it doesn’t” for those who may have read all of the articles about data gathering, and yet remain unable to muster outrage: 7 percent felt this described their opinion. Finally, 29 percent had no opinion on the matter.
A majority of people are willing to live with data collection, even if very few seem likely to give it a full-throated endorsement. When we broke down our results by age group, we discovered that this general pattern echoed across the generations: Only amongst those aged 65 and above was there a majority opinion (53 percent) that this was an invasion of privacy. Forty-three percent of “Generation X” aged 35-44 viewed it as an invasion of privacy. Millennials aged 25-34 were the most relaxed, with only 34 percent viewing it in such stark terms (interestingly, however, the figure was higher for the youngest, 18- to 24-year-old demographic: 47 percent).
Next, we decided to drill into the topic in more detail, extracting some very specific terms and conditions from those contracts that go largely unread, and gauging the degree to which the public found such practices to be acceptable.
Our goal was to effect what the novelist William Burroughs referred to as a “naked lunch” moment: "... A frozen moment when everyone sees what is on the end of every fork." In other words: People claim to not have terribly strong feelings about companies’ data collection practices, but we wanted to see if their feelings would change if we presented them with a clear description of what is happening to their online identities as they surf the Web.
The results were eye opening.
Many people may be willing to live with the fact that companies track you when you are on their website; there is an implicit trade-off in this, of “you use this, we ask for that in return.” But of course, many firms also track you after you leave their site. After all, how complete can a user profile be if it is only based on data collected from one website?
When we asked respondents how they felt about firms tracking them on external websites if the intention was to provide more targeted advertising, attitudes shifted towards the negative:
Here, a majority of respondents—51 percent—were strongly opposed, describing the practice as “completely unacceptable.” A further 13 percent found the practice “somewhat unacceptable,” giving us a combined negative result of 64 percent.
In fact, only a grand total of 3 percent of respondents said that they found this common practice “completely acceptable.” A further 10 percent found it “somewhat acceptable.”
This shift is not hard to comprehend, of course. The quid pro quo of trading data for use of a service becomes much less relevant once a user is no longer using that service, but rather is happily engaged with (for instance) somebody else’s website. The stated goal of enhanced advertising and content targeted at users’ interests may seem benign, but the method by which that goal is achieved seems to cross a line for many consumers.
For our next “naked lunch” moment, we asked respondents if it was acceptable for companies to reuse content they submit to one site on other sites those companies own without notifying them first. (For instance, this appears in Google’s terms of service, where it is even broader—Google states that its rights even extend to “those we work with,” and thus, may be referring to sites it doesn’t even necessarily own.)
Once again, 46 percent thought it was "completely unacceptable," and 14 percent thought it was "somewhat unacceptable." By contrast, only a very small percentage of respondents were at ease with this practice, with only 5 percent saying it was “completely acceptable.”
Even when we broke the results down by age and looked at Millennials aged 25-34—who have grown up with the Internet and are supposedly less concerned about privacy—we still found that the number opposed was high (41 percent), and here, too, only 5 percent found it "completely acceptable." Compare that with older respondents and the differences are not great: 45 percent of 35-44 year olds viewed the practice as “completely unacceptable,” while again 5 percent found it “completely acceptable.”
In other words: consumers are not that relaxed about privacy. Quite the opposite, in fact.
Our next question, rather than gauging attitudes about privacy, was aimed at gauging whether people want to be informed when the rules of the service they use, including the rules governing how and what data is collected about them change. As it turns out, some ToS contracts—including Yahoo’s—state that they can change the contracts without notifying users.
So, we asked people how they felt about companies changing the ToS contracts they probably haven’t read without prior notification.
Most people wanted to be notified even when a contract they probably hadn't read was changed. A clear majority—58 percent—said that changing the contract without notification was “completely unacceptable,” while 11 percent found this “somewhat unacceptable.” A vanishingly small 4 percent found the practice “completely acceptable," while 25 percent were unsure how they felt about the practice.
Of course, changing the terms of a contract without notifying users is the very opposite of transparency, and it's difficult to envision how this could ever be conducive to building trust between user and service—so it is not surprising that this particular question evoked such a strong negative response.
Another policy we found in those largely unread ToS contracts was the retainment of a broad usage license on your content—even after your account has been deleted. Although Facebook states that its (broad-ranging) license expires upon deletion of an account, this only actually happens if everyone who has ever shared your content also deletes it. In other words, you have to coordinate with all your friends, associates and random acquaintances to make your content disappear, which is incredibly difficult, if not impossible, to achieve—and if you can’t, Facebook retains its license on your content.
Perhaps users should be paying more attention to those terms of service, after all—because the vast majority disapproved of this practice.
Once again the result was clear: a microscopic minority of 3 percent found this “completely acceptable,” while an overwhelming 63 percent considered the practice to be “completely unacceptable.”
Again, it is not difficult to imagine why: It’s one thing to grant a website owner some rights in exchange for the use of their product while you are using it; but it’s difficult to understand why those rights should persist once you no longer use that service.
As our survey results make clear, the more the public knows about data collection and the contents of ToS agreements, the more concerned they become about the erosion of privacy and the rights they are surrendering. Very common practices that hundreds of millions of people have ostensibly agreed to receive very weak support—once they are actually explained.
Having established this, we next wanted to know precisely what it is about data collection, in particular, that concerns people the most.
Slightly over one-third—37 percent—answered that they had “no concerns.” However, a combined majority did have some issues. The highest percentage of those concerned (36 percent) were worried about who had access to their data; this is not surprising, given the publicity given to this question following Snowden’s revelations. In those disclosures, it was alleged that many private companies were sharing user data with the government; the ensuing debate over the rights and wrongs of this has been in the news for over a year now.
The next-largest group (15 percent) was concerned about the type of data collected; 8 percent were worried about the volume collected, and 3 percent worried about how long the information was stored for. Given that some service contracts explicitly allow the provider to continue using your content after you have stopped using the service, this is a legitimate concern. We also left open an “other” category: Respondents there had a variety of specific concerns, although one reason for choosing “other” was an unwillingness to accord any of these privacy worries a priority over the others, as everything was equally troubling.
So, are these concerns well founded? Are human eyes poring over our data?
“The really disconcerting thread,” says Lee, “is that we don’t know. We know who the data collectors are, but we don’t know the data consumers in every case, and we don’t know the uses for which that collection is happening … [so] as well-informed as you try to be, there’s an ignorance about how your data are being used and for what purposes.”
So having probed respondents for their attitudes on different practices, we thought it would be interesting to see how they felt about specific companies and the degree to which they caused concerns about privacy—to create a “Creepy Index,” if you will. So we selected some of the biggest, most popular names providing online products and services, and asked respondents to tell us how concerned they were about that company invading their privacy.
The "creepiness scores" in the chart below have been assigned by weighting respondents' levels of concern. The lowest level of concern was assigned a value of 1, the highest a value of 100 and each midpoint an evenly distributed value in-between. Thus, the higher the weighted score, the greater the level of concern associated with that company.
It will come as no revelation to those who follow privacy issues closely that the firm people were most concerned about was Facebook, with a score of 65.4. Facebook has historically been quite proactive in its pursuit of customer data, and has received negative publicity as a result. Earlier this year, for instance, the public was outraged when it was revealed that Facebook had been conducting “experiments” on its users’ emotional states.
Nor is it surprising to see Google (scoring 60) and Microsoft (61) close to the top: Both are enormous firms with search engines, not to mention email and a multitude of other personalized services, and their doings are regularly reported on in the press. It is somewhat baffling, however, to see the perennially struggling Yahoo in second place, with a score of 64.9—a mere 0.6 of a point behind Facebook.
This former champion of search has been slipping in popularity for some time now; on the other hand, Yahoo was affected by the Heartbleed bug earlier this year, and in the words of security researcher Graham Cluly, was “leaking user credentials.” Perhaps this and other negative publicity has taken a toll on consumer concerns with Yahoo more generally.
Meanwhile, LinkedIn (59), Apple (57) and Amazon (54) give users the least cause for concern (despite the fact that LinkedIn is currently being sued over allegations that it illegally sold its users’ professional data).
Perhaps what is most interesting, however, is how close together all the firms are on the scale. Barely more than 10 points separate the number-one source of privacy alarm, Facebook, from the least alarming firm, Amazon. That is not a huge amount of distance. Given that very few people read the ToS contracts, perhaps this is a reflection of the great degree of ambiguity people feel on the topic. Nobody really knows what is being done with his or her data, so the “unease” is spread generally.
So what options are available for the privacy-minded? Well, there are lots of them, though we can only mention a few here; it is a developing market, and new solutions are appearing all the time.
As Johnny Lee puts it: “There is an entire cottage industry around privacy tools which didn’t even exist two or three years ago.”
For example, tools such as Ghostery and Ad Block block trackers that follow you on websites, with the result that you will see far fewer ads when browsing. Ello is a social networking site that does not sell user data or show advertising—and it even comes with a manifesto.
There are also privacy-minded search options, such as Tor or DuckDuckGo. Tor is software that enables anonymous browsing; commonly associated with political dissidents and the criminal underworld, it is not the most user-friendly option. DuckDuckGo is a search engine as simple to use as Google—only it does not track you. On the other hand, it is less powerful than the market leader, and switching over to using it is a bit like going vegan after a lifetime of eating enormous hamburgers.
Lee, however, recommends caution when using these alternatives.
“So-called ad blockers, in many cases, are actually malware,” he says. “Criminals aren’t stupid; they’re very savvy about exploiting these anti-virus and anti-malware tools and making them seem like something that they’re not. If they’re free and with an untested company you might want to do your homework before installing it.”
“Having products delivered to an office or a post office box ... can defeat some of this. People can use shortened versions of their names. They can do Web purchasing at a library computer if they do not want their IP address tracked. They can request that their personal information not be used for marketing purposes. They can ask that personal information be deleted after a reasonable period. They can ask to be notified if a government agency seeks the information.”
And then there is another option: What if people stopped assuming Internet services should be free, and actually paid for a service that protected their privacy? These services do exist. Ad Block allows users to decide how much they will pay, while Golden Frog offers a suite of products for safe Web browsing, including a Virtual Private Network (VPN) service, an encrypted messaging app that is an alternative to texting and a secure cloud storage app.
So, how many respondents would be willing to pay, as we asked them, “a small fee” for an online service that did not collect personal data? As it turns out, not too many.
The culture of “free” has deep roots. The largest number, 37 percent, admitted they were “not at all likely” to pay a fee for services. Thirty-two percent didn’t know, while 14 percent were “minimally likely” to pay a fee instead of trading their personal data.
Those who expressed any degree of willingness to pay for privacy were few in number. Ten percent were at least “moderately likely,” while a mere 8 percent of respondents said they would be “very likely” to pay for a service. Add those two numbers together and you have a grand total of 18 percent at least somewhat willing to consider switching from a data collection model to a paid model for services.
Still, this is not a terrible result for entrepreneurs.
Lee perceives a “growing trend towards greater awareness” at both a consumer and an industry level. Indeed, 18 percent of the U.S. adult population is actually tens of millions of people. And besides, not everything online is free now: People are willing to pay for software and for film- and music-streaming services, even though that content can often be found (in pirated form) for free. Indeed, a 2011 Pew survey found that the average consumer spends $10 a month on online content.
Thus, Smith suggests that there may be opportunities: “The number agreeing to a ‘small fee’ will increase when people realize that health information, employment information, arrest information and sometimes credit information is sold and bartered online. Right now, most respondents think that the release of personal data is annoying, but not really threatening.”
In fact, as the results of our survey show, anybody considering a privacy-based startup has a powerful, ready-made marketing tool to hand: The actual contents of those terms of service agreements hardly anyone reads.
To find the data in this report, we conducted a two-day online survey of 16 questions, and gathered 6,160 responses from random consumers within the United States. We worded the questions to ensure that each respondent fully understood their meaning and the topic at hand.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.