March 12, 2012

RSA 2012: Personal Information Has Little Value

While I was at the RSA Conference I was invited to attend the 6th Annual Mini-Metricon, an interactive forum for security personnel to discuss various areas of IT security, mainly Security Metrics, Privacy, and New Technologies.  The first speaker, Alessandro Acquisti, an Associate Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University, a member of Carnegie Mellon CyLab, and a fellow of the Ponemon Institute, discussed his research on the value of private information as it relates to economic benefits.  His research concluded that people will choose economic benefits over maintaining the privacy of their information, disregarding the value of having their personal information protected.

His study gave a sample population the choice between receiving a $10 gift card that they could spend without their personal information being tracked, or a $12 gift card that would track their personal information and transaction history.  The participants were given no details about how the information was going to be used.  For a mere $2 more, the sampled group most often chose the card that included disclosure of their personal information.  It seems that more people are willing to disregard the privacy of their information in exchange for the economic benefit.

This finding raises several questions.  First of all, if people do not value their personal information, then why does the government put forth requirements for public and private sector organizations to go to lengths to protect it?  Also, if identity theft is the top category of crime, and cost Americans $1.52 billion (yes, that's with a "B") in 2011, then why do people not seem to care?  I would think that the 1.8 million people who reported being victims of identity theft in 2011 would probably not trade that $2 for their personal information.

Or would they?

Maybe the problem is not that people don't care, but that they've lost hope.  This may only be anecdotal, but I think it does capture the feeling a lot of people out there have.  When you look back over the past decade you see several huge stories regarding data breaches including:

  • DSW
  • TJ Maxx
  • Veterans Administration
  • ChoicePoint
  • PlayStation Network

Looking at the details of these cases, we're certainly not getting better at protecting personal information, and in fact, the industry may actually be getting worse at it.  In addition, the organization that suffered the breach is usually lacking in its disclosure, and the response is often inadequate, at least as perceived by the public.  For example, the breach of the PlayStation Network last year involved a great deal of sensitive information, but the severity was initially downplayed by PSN.  At first, the public knew that the PSN was "down," but there was no indication from Sony that anything more than an outage had occurred.  Then, when a breach was finally admitted, they claimed that credit card information was not disclosed, but later it was believed that this information was in fact part of the breach.

Although Sony handled the breach extremely poorly, they are not unique in this respect.  Most organizations do not want to come clean about a breach when it occurs, and want to minimize any negative publicity that results.  However, at some point companies need to just accept that there is no good way to spin the fact that they lost the personal information of 77 million customers, and be more transparent in their reporting.  Not doing so only results in the facts inevitably trickling out later, making the company look like it was covering something up, or is simply too incompetent to really understand what even occurred.

On top of this, when you look at cases like Sony and ChoicePoint, the public is left thinking that these companies are basically giving the information away.  In the case of ChoicePoint that's not true since technically they were selling it to the bad guys.  But you get the drift: time goes by and despair sets in.

So in the end, I don't think it's that people don't think their personal information is only worth $2.  I believe that they feel it has already been subject to a breach, or will be next week, so why not make $2 off of it anyway?  This essentially summarizes the sad state of affairs for information security and privacy (especially in the commercial sector).

Think happy thoughts.
