RSA 2012: Personal Information Has Little Value
While I was at the RSA Conference, I was invited to attend the 6th Annual Mini-Metricon, an interactive forum for security personnel to discuss various areas of IT security, mainly Security Metrics, Privacy, and New Technologies. The first speaker was Alessandro Acquisti, an Associate Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University, a member of Carnegie Mellon CyLab, and a fellow of the Ponemon Institute. He discussed his research on the value of private information as it relates to economic benefits. His research concluded that people will choose economic benefits over keeping their information private, disregarding the value of having their personal information protected.
His study gave a sample population a choice between receiving a $10 gift card that they could spend without their personal information being tracked, or receiving a $12 gift card that would track their personal information and transaction history. The participants were given no details about how the information was going to be used. For a mere $2 more, the sampled group most often chose the card that included disclosure of their personal information. It seems that more people are willing to disregard the privacy of their information for the economic trade-off.
This finding raises several questions. First of all, if people do not value their personal information, then why does the government put forth requirements for public and private sector organizations to go to lengths to protect it? Also, if identity theft is the top category of crime, and cost Americans $1.52 billion (yes, that’s with a “B”) in 2011, then why do people not seem to care? I would think that the 1.8 million people who reported being victims of identity theft in 2011 would probably not trade that $2 for their personal information.
Or would they?
Maybe the problem is not that people don’t care, but that they’ve lost hope. This may only be anecdotal, but I think it does capture the feeling a lot of people out there have. When you look back over the past decade, you see several huge stories regarding data breaches, including:
- TJ Maxx
- Veterans Administration
- PlayStation Network
- Whatever is currently streaming by on this ticker . . .