17. The Cost of Reading Privacy Policies
I. INTRODUCTION
4 Kenneth C. Laudon, "Markets and Privacy," Communications of the ACM 39, no. 9
(1996): 96.
Marketplace," 4, http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.
8 Ibid., 36.
10 Federal Trade Commission, "Internet Service Provider Settles FTC Privacy Charges,"
news release, March 10, 2005, http://www.ftc.gov/opa/2005/03/cartmanager.shtm.
2008] MCDONALD & CRANOR
11 Federal Trade Commission, "Privacy Online: Fair Information Practices in the Electronic
14 Jamie McCarthy, "TRUSTe Decides Its Own Fate Today," Slashdot (November 8, 1999),
http://slashdot.org/yro/99/11/05/1021214.shtml.
15 Carlos Jensen and Colin Potts, "Privacy Policies Examined: Fair Warning or Fair
17 Lorrie F. Cranor, Praveen Guduru, and Manjula Arjula, "User Interfaces for Privacy
Agents," ACM Transactions on Computer-Human Interaction (TOCHI) 13, no. 2 (June
2006): 135.
18 Carlos Jensen, Colin Potts, and Christian Jensen, "Privacy practices of Internet users:
Self-reports versus observed behavior," International Journal of Human-Computer
Studies 63, no. 1-2 (2005): 212.
20 Tony Vila, Rachel Greenstadt, and David Molnar, "Why We Can't Be Bothered to Read
Privacy Policies: Models of Privacy Economics as a Lemons Market," ACM International
Conference Proceeding Series 50 (2003): 403-407.
21 George A. Akerlof, "The Market for 'Lemons': Quality Uncertainty and the Market
22 Cranor, Guduru, and Arjula, "User Interfaces for Privacy Agents," 135-36 (see n. 17).
23 Alessandro Acquisti and Jens Grossklags, "Privacy and Rationality in Individual Decision
Making," IEEE Security & Privacy 3, no. 1 (January/February 2005): 24-30.
24 Gary S. Becker, "A Theory of the Allocation of Time," The Economic Journal 75, no. 299
(September 1965): 493-517, available at http://www.jstor.org/stable/2228949.
25 Timothy Leunig, "Time is Money: A Re-Assessment of the Passenger Social Savings from
Victorian British Railways," The Journal of Economic History 66 (2006): 635-73, working
paper available at
http://www.lse.ac.uk/collections/economicHistory/pdf/LSTC/0905Leunig.pdf.
I/S: A JOURNAL OF LAW AND POLICY [Vol. 4:3
to estimate the time people spend traveling to parks and the value of
the time they spend enjoying the parks, which again requires
estimates of the value of time.26 We draw upon this body of work.
In this paper we look at societal and personal opportunity costs to
read privacy policies. Under the notion of industry self-regulation,
consumers should visit websites, read privacy policies, and choose
which websites offer the best privacy protections. In this way a
market place for online privacy can evolve, and through competition
and consumer pressure, companies have incentives to improve their
privacy protections to a socially optimal level. In practice, industry
self-regulation has fallen short of the FTC vision. First, the Internet is
far more than commercial sites or a place to buy goods. While it may
make sense to contrast the privacy policies of Amazon, Barnes and
Noble, and O'Reilly to purchase the same book, there is no direct
substitute for popular non-commercial sites like Wikipedia. Second,
studies show privacy policies are hard to read,27 read infrequently,28
and do not support rational decision making.29
Several scholars extended the FTC's vision of an implicit
marketplace for privacy by examining ways to explicitly buy and sell
personal information. Laudon proposed "[m]arket-based
mechanisms based on individual ownership of personal information
and a National Information Market ("NIM") in which individuals can
receive fair compensation for the use of information about
themselves." Under this plan, corporations could buy "baskets of
information" containing the financial, health, demographic or other
data that individuals were willing to sell about themselves.30 Varian
sees privacy as the "right not to be annoyed" and suggests web-based
26 Mira G. Baron and Liliya Blekhman, "Evaluating Outdoor Recreation Parks Using TCM:
On the Value of Time" (North American Regional Science Meeting, Charleston, South
Carolina, January 2002), http://ie.technion.ac.il/Home/Users/mbaron/E_21_Baron-Blekhman_Jan2_2002.pdf.
27 Carlos Jensen and Colin Potts, "Privacy policies as decision-making tools: an evaluation
of online privacy notices" (Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems, Vienna, Austria, April 24-29, 2004); CHI '04 ACM 6, no. 1 (2004):
477.
28 Jensen, Potts, and Jensen, "Privacy practices of Internet users: Self-reports versus
observed behavior," 215 (see n. 18).
29 Acquisti and Grossklags, "Privacy and Rationality in Individual Decision Making,"
24-30 (see n. 23).
33 Mark Trevelyan, "Stolen account prices fall as market flooded," news.com.au, July 15,
2008, http://www.news.com.au/technology/story/0,25642,24023758-5014111,00.html.
34 Henry Blodget, "Compete CEO: ISPs Sell Clickstreams for $5 a Month," Seeking Alpha,
March 13, 2007, http://seekingalpha.com/article/29449-compete-ceo-isps-sell-clickstreams-for-5-a-month.
35 Andrew Kantor, "AOL search data release reveals a great deal," USA Today, August 17,
2006, http://www.usatoday.com/tech/columnist/andrewkantor/2006-08-7-aol-datax.htm.
36 Robert W. Reeder, Lorrie Faith Cranor, Patrick G. Kelly, and Aleecia M. McDonald, "A
User Study of the Expandable Grid Applied to P3P Privacy Policy Visualization"
(Conference on Computer and Communications Security, Washington, D.C., October
2008); Proceedings of the 7th ACM Workshop on Privacy in the Electronic Society (WPES
'08), Washington, D.C., Oct. 27, 2008: 53.
websites, but also the proportion of sites that Internet users visit at
home and at work.
37 In this paper, the first quartile is the average of all data points below the median; the
third quartile is the average of all data points above the median. These are single values
and not a range of values. Point estimates are our single "best guess" in the face of
uncertainty.
38 Serge Egelman, Lorrie Faith Cranor, and Abdur Chowdhury, "An Analysis of P3P-
Enabled Web Sites among Top-20 Search Results" (Proceedings of the Eighth
International Conference on Electronic Commerce, Fredericton, New Brunswick, Canada,
August 14-16, 2006).
39 Ronald P. Carver, "Is Reading Rate Constant or Flexible?" Reading Research Quarterly
18, no. 2 (Winter 1983): 199, available at http://www.jstor.org/stable/747517.
40 Cranor, Guduru, and Arjula, "User Interfaces for Privacy Agents," 167 (see n. 17).
[Figure: plot with x-axis "Number of Words in Policy" (0 to 7000); image not recovered]
42 We contrasted the 2,550 word policy to the three similar length policies using two-sided
t-tests assuming unequal variance; 95% confidence interval; p = 0.518, 0.690, 0.891.
exploring the full policy. In our second study we always started with a
warm up question that asked participants to identify the street
address for the company and that information was always in the last
few lines of the policy. Participants had to skim the full policy to
answer the question. As shown in Figure 3, median times ranged
from four minutes to eight minutes. The lowest first quartile of all six
policies was 4 minutes; the highest third quartile was 12 minutes.
One disadvantage to using just the time for the first question is
that it underestimates because we only look at one question, and a
very basic question at that. When asked to identify why they read
privacy policies, our participants volunteered multiple interests
ranging from data security, to information sales, to spam, to opt-out
policies. These are captured better in the range of times reported in
Figure 2. However, one advantage to using just the time for the first
question is we eliminate the unsatisfying situation that we can
generate longer or shorter overall time estimates just by varying the
number of questions we ask.
We elected to report the more conservative estimates from just
looking at the times to answer the first question, with the caveat that
these numbers are lower estimates. If people were to read policies
44 Nielsen/Net Ratings, "Nielsen Online Reports Topline U.S. Data for March 2008," news
release, April 14, 2008, http://www.nielsen-online.com/pr/pr-080414.pdf.
People visit some of the same sites each week: if not, we would see
100 unique sites per month at home (25 * 4 weeks) rather than 66 (see
Table 4). Ideally we would only count such sites once. From the
Nielsen data we computed a scale factor, which is the percentage of
sites that Internet users return to week after week. While our scale
factor may not actually scale linearly over a full year it is a reasonable
starting point for estimation.
We are unaware of any scholarly work that measures how many
websites people visit annually. However, a 2008 study examined 25
subjects over a variable length of time and found an average of 390
unique sites during 52 to 195 days of observation.45 The mean length
of observation was 105 days. Using our point estimate of 112 unique
sites per month, 390 unique sites suggests nearly all new sites each
month. It seems more likely that these 25 participants, drawn from
the researchers' pool of acquaintance, simply visited more sites per
month than the Nielsen population. We can draw no firm
conclusions. But this study does suggest, even if anecdotally, that our
scale factor is not absurdly low. If anything, we may be conservative
in our estimates.
45 Harald Weinreich and others, "Not quite the average: An empirical study of Web use,"
ACM Transactions on the Trans Web 2, no. 1 (February 2008): 4.
46 Gary S. Becker, "A Theory of the Allocation of Time," The Economic Journal 75, no. 299
(Sept. 1965): 493, available at http://www.jstor.org/stable/2228949.
47 Ibid., 495.
49 Ronald Eugen Kmetovicz, New Product Development: Design and Analysis (New York:
Wiley-IEEE, 1992): 141.
50 Baron and Blekhman, "Evaluating Outdoor Recreation Parks Using TCM: On The Value
of Time," 2 (see n. 26).
52 Bureau of Labor Statistics, Table B-3. Average hourly and weekly earnings of production
and nonsupervisory workers on private nonfarm payrolls by industry sector and selected
industry detail, http://stats.bls.gov/news.release/empsit.t16.htm.
read or skim privacy policies (sections II.A.1 and II.A.2) and by the
estimated 221 million Americans online.53
54 Norman H. Nie and others, "Ten Years After the Birth of the Internet: How Do
Americans Use the Internet in Their Daily Lives?" (faculty Working Paper Stanford
Institute for the Quantitative Study of Society, 2005): 4,
http://www.stanford.edu/group/siqss/research/time-study-files/ProjectRepOrt205.pdf.
55 Ibid., 6.
56 Ibid., 5.
57 Roger Thompson, "Minimizing liability and productivity risks: How to control the
impacts of spyware, hacker tools and other harmful applications," Computer Associates,
Oct. 2004, http://www.ameinfo.com/pdfdocs/51515.pdf.
58 John L. Guyton, Adam K. Korobow, Peter S. Lee, and Eric J. Toder, "The Effects of Tax
Software and Paid Preparers on Compliance Costs," National Tax Journal 58, no. 3
(2005): 441.
60 Scott J. Savage and Donald Waldman, "Broadband Internet access, awareness, and use:
privacy policies would eclipse the cost of high speed Internet access,
several times over. In 2007, United States online sales were
approximately $260 billion61 - more than the cost to businesses if
their employees were to read privacy policies on corporate time.
63 Ross D. Petty, "Marketing without consent: Consumer choice and costs, privacy, and
public policy," Journal of Public Policy and Marketing 19, no. 1 (Spring 2000): 45.
64 Gary S. Becker and Kevin M. Murphy, "A Simple Theory of Advertising as a Good or
Bad," The Quarterly Journal of Economics 108, no. 4 (Nov. 1993): 961, available at
http://www.jstor.org/stable/2118455.
66 Center for Information Policy Leadership, "Ten steps to develop a multilayered privacy
policy," 2007,
http://www.hunton.com/files/tbl-s47details%5Cfileupload265%5C1405%5Cten-steps-whitepaper.pdf.
67 W3C Working Group, "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification,"
November 2006, http://www.w3.org/TR/P3P11.
68 Cranor, Guduru, and Arjula, "User Interfaces for Privacy Agents," 149 (see n. 17).
69 Reeder, and others, "A User Study of the Expandable Grid Applied to P3P Privacy Policy
Visualization," 9 (see n. 36).
70 Janice Tsai, Serge Egelman, Lorrie F. Cranor, and Alessandro Acquisti, "The Effect of
Online Privacy Information on Purchasing Behavior: An Experimental Study" (Workshop
on the Economics of Information Security, Pittsburgh, PA, June 7-8, 2007), 15,
http://weis2007.econinfosec.org/papers/57.pdf.
Finally, some corporations take the view that their users should
read privacy policies and if they fail to do so, it is evidence of lack of
concern about privacy. Instead, we counter that websites need to do a
better job of conveying their practices in useable ways, which includes
reducing the time it takes to read policies. If corporations cannot do
so, regulation may be necessary to provide basic privacy protections.
Disclosure legislation may be insufficient: adding more text to policies
that most consumers do not read does increase transparency, but may
otherwise be of limited practical utility.