Archives

Yang Wang, Pedro Giovanni Leon, Kevin Scott, Xiaoxuan Chen, Alessandro Acquisti, and Lorrie Faith Cranor, Privacy Soft-paternalism: Facebook Users’ Reactions to Privacy Nudges

Comment by: Andrew Clearwater

PLSC 2013

Workshop draft abstract:

Anecdotal evidence and scholarly research have shown that a significant portion of Internet users experience regrets over disclosures they have made online. To explore ways to help individuals avoid or lessen regrets associated with online mistakes, we employed lessons from behavioral decision research and soft-paternalism to develop three Facebook interfaces that “nudge” users to consider the content and context of their online disclosures more carefully before posting. We implemented three nudging interfaces: profile picture, timer, and timer plus sentiment meter.

The picture nudge was designed to remind Facebook users of which individuals are in the audience for their posts. Depending on the particular post privacy setting, users were shown five profile pictures randomly selected from the pool of those who could see their posts. These profile pictures appeared under the status-updates and comment text boxes when users started typing. The timer nudge was designed to encourage users to stop and think. The warning message “You will have 10 seconds to cancel after you post the update” with a yellow background was displayed under the status-updates and comment text boxes when users started typing. After clicking on the “Post” button, users were given the options to “Cancel” or “Edit” their post before it was automatically published after 10 seconds. The third nudge added a sentiment meter to the timer nudge, and the content of each post was analyzed by our sentiment algorithm. This nudge was designed to help make users more aware of how others might perceive their posts. For posts with a positive or negative score a warning message “Other people may perceive your post as {Very Positive, Positive, Negative, Very Negative}” was displayed during the countdown timer.

We tested these nudges in a 3-week field trial with 21 Facebook users, and conducted 13 follow-up interviews. By triangulating system logs of participants’ behavioral data with results from the exit survey and interviews, we found evidence that the nudges had positive influences on some users’ posting behavior, mitigating unintended disclosures. We also found limitations of the current nudge designs and identified future directions for improvement. Our results suggest that a soft-paternalistic approach to protect people’s privacy on social network sites could be potentially beneficial.

Andrew Clearwater, Reducing Data Security Breaches Through Enhancements in Property, Tort and Contract Law

Comment by: Kristen Mathews

PLSC 2011

Workshop draft abstract:

The power inequalities that exist when information is transferred between individuals and bureaucracies have left consumers vulnerable to data breaches. While data breach disclosure laws have improved consumer protection and informed the marketplace of security risks, consumers are not entirely rational and they continue to suffer from behavioral biases that hinder their ability to reduce or avoid loss. Many breach notification letters go ignored, and those that are read provide little recourse as most consumers do not know how to act on the information. Many consumers whose data is exposed do not suffer any actual incident of identity theft, moreover, and are thus faced with the nearly impossible challenge of demonstrating a particularized injury under tort law. The mere fear of future identity theft is generally insufficient to warrant damages.

Courts applying tort and contract law generally incorporate prior assumptions about privacy that fail to mitigate or compensate for the rapid escalation of data breaches today. For instance, Bell v. Acxiom Corp. demonstrates that standing requirements can be hard to meet due to the lack of a concrete or particularized harm for many victims of data breaches. Additionally, Key v. DSW Inc. shows that courts are reluctant to analogize the need for credit monitoring in breach cases to the need for medical monitoring in product liability cases. Only where a special relationship exists, as it did in Bell v. Mich. Council, No. 246684, have courts found a duty to safeguard personal data.

This paper investigates the problem of data breaches through the lenses of property, tort, and contract law and analyzes proposals in each of these areas to reduce security breaches, or at least compensate consumers for their harm. Proposals investigated include: a right to personal information alienability paired with a well policed personal information market; the creation of new causes of action such as “breach of trust;” the creation of an affirmative duty to secure personal data for all data stewards that maintain consumers’ personal information; and improving the chances of consumer success under breach of contract theory by shifting the burden of proof on damages to the data steward.