Categories: Privacy & Security

The privacy paradox is a privacy dilemma

From the beginning, Firefox was designed to help people experience the internet on their own terms. Mozilla believed that the online experience would be at its best if people were free to  choose who they wanted to be online and to discover things that they would not dare to seek in real life. Firefox has built-in privacy and that has never changed ever since.

The internet however has changed the concept of privacy dramatically both online and offline. As privacy is considered a core element of open societies, this change has raised concerns and inspired scientific research. From time to time we want to update our community on the latest news and results that come from that territory.

I spoke to Prof. Dr. Spyros Kokolakis, the Dean of the School of Engineering at University of the Aegean in Greece. Kokolakis has evaluated existing research models to understand and explain the privacy paradox, a term used to describe the inconsistency between our concerns about privacy vs. our actual online behaviour.

~ ~ ~ ~

When we talk about online privacy we refer to random things like photographs that we don’t want to be breached or location tracking, about our bank account number that could get stolen, about secret services reading our emails and even about fake news. Is this a bit much for one word?  

It’s true, there are many different aspects of privacy, and the term privacy summarizes various topics that have different levels of impact on people’s lives. However, all these topics are strongly interrelated and even if privacy seems to be a vague term in the first place, it describes the size of the challenge that we are facing quite well.

A 2001 study about online shopping revealed something of a privacy paradox for the first time. It stated that people have great privacy concerns, but they don’t act accordingly. Does this term still apply? Is the behaviour a paradox?

The privacy paradox describes an inconsistency between the concerns of people regarding privacy and their actual behaviour. This inconsistency still exists, but it can be well explained. In fact, there are many explanations. It should not be considered a paradox anymore. It’s maybe more of a privacy dilemma, because people would like to do more but they also want to use services that would not exist without sharing their data.

Studies suggest that people think their browser history is worth the equivalent of a Big Mac Meal. Could it be that people do understand that they pay with personal data, but believe they get a fair deal?

Well, the value of data is difficult to define. There is no equivalent of a stock-market for personal information. On top of it, the value is fluid. From an economic point of view, it is higher when a data-set is combined with other data, which means — on a functional level — the value of data increases if Google or Facebook have it. Also, if you share information now it will be on the internet for a long time. It is hard to predict what a data set from 2018 is worth in 2022, taking into account the speed and the progress that the tech industry has made in the last decade.

Has the internet changed what we understand when we hear the word “private”? How would you distinguish between online and offline privacy?

The traditional understanding of privacy was very much connected to a physical space, like a house. If someone looked through your window people would have considered that a violation of privacy. What people did in their homes was private. If they did the same thing outside, in public, that was a different thing.

Cyberspace is completely different from that understanding. With the internet we lost a concept of space that defined a playing field for activities that we wanted to keep for ourselves. As soon as you connect to the internet, you are public.

Maybe one of the reasons the US did not follow the EU laws on information privacy, is that privacy in the US is strongly connected to the concept of “private space.” There are many cases where US courts did not accept that a person may have privacy expectations in public spaces, such as the internet, or even at workplace.

How could it have happened in the first place that companies collect personal information without being stopped? Was this sort of information not perceived as personal information back then?

Because we did not have enough time to react. The companies were moving very fast. Facebook became an internet giant in only ten years. It was just too fast for people to understand the risks and for governments to regulate the companies. It took the EU commission years to draft an update of the data protection regulation, didn’t it?

So there is no hope for an effective regulation?

I wouldn’t go that far. The legal system is just very slow and people are also very slow in understanding the implications of something like sharing personal information. The regulators needed to move much faster and the laws needed to be far more flexible and updated more often to keep up with the speed of tech companies.

Do you see a turning point? When did people and regulators change their perception of tech companies?

I don’t think there was a specific turning point. I believe it was a process that started with Google’s acquisition of YouTube in 2006. Microsoft bought Skype in 2011, Facebook bought WhatsApp in 2014 and Microsoft bought LinkedIn in 2016. There were less and less alternatives and opportunities to be online without sharing data with some of these big companies.

What could be a reason why people younger than 40 have less concerns even though their whole life is online, whereas older people have probably less information online? 

There is no evidence for the thesis that younger people have less concerns. What is true is that younger people post more things that we would consider as private, but they also do more to protect themselves. And this is not only a matter of competence.

Young people need to accumulate social capital, meaning that they need to build an identity and a network. This is a long process and when you are young you need to do more. Young people need to talk about themselves to form their personality and they need to test the image that they created for themselves. Women and men alike, in that sense there is no significant difference.

Few Europeans have negative experiences with data abuse. I am assuming this figures among the main reasons for non protective behaviour?
 But why are they so concerned then?

Because they think not only of themselves but of others. In the western world privacy is considered a human right. It seems evident to me that we see high concerns for privacy issues in countries that have a tradition of strong civil rights movements.

The debate has many parallels to the ecological movement. It has a tendency to position an individual in a bigger context, and it is about preserving a space for future generations. This could be an explanation for why we see higher concern in Germany. Germans see privacy as a risk not only for themselves as individuals, but as a threat for society and democracy.

And when people get concerned, media covers the story, people become more concerned and so on.

Where do you see the biggest risk? Secret services, tech companies or individuals?

Secret services and anything that is related to governments can get controlled, at least in democratic countries. Also, tech companies can be regulated, as it happens now in the EU with the GDPR. Therefore, I believe that cyber-crime is the biggest challenge that we are facing. Another significant risk occurs when government agencies and tech companies do not keep their roles distinct. We have seen companies and secret services working hand in hand already and I don’t think that is a good sign.