Kirsten Martin, An empirical study of factors driving privacy expectations online

Comment by: Annie Anton

PLSC 2013

Workshop draft abstract:

Recent work suggests that conforming to privacy notices online is neither necessary nor sufficient for meeting users' privacy expectations; however, a direct comparison between the two types of privacy judgments has not been performed.  To examine whether and how judgments about privacy expectations differ from judgments about privacy notice compliance, four factorial vignette studies were conducted covering targeted advertising and tracking information online, measuring both the degree to which scenarios were judged to meet privacy expectations and the degree to which they were judged to comply with privacy notices.  The study tests the hypotheses that (a) individuals hold different privacy expectations based on the context of their online activity and (b) notice and consent varies in its effectiveness in addressing online privacy expectations across different contexts.  The general goal of the larger project is to better understand privacy expectations across contexts online by leveraging a contextual approach to privacy.

Initial findings from pilot studies have identified factors – such as whether data is used for friends, how long the data is stored, and the type of information captured – that vary in importance to privacy judgments depending on the online context.  In addition, the analysis of privacy notices suggests that users have an expectations premium, whereby a given scenario meets privacy expectations to a lesser extent than it is judged to comply with the privacy notice.  In particular, using and tracking click information, using an individual's name, and using the information for advertising are judged to comply with the privacy notice yet do not meet privacy expectations.

In this paper for PLSC, judgments about privacy expectations online will be compared to judgments about compliance with privacy notices along three dimensions: the judgments themselves, the factors that contribute to the judgments, and how the judgments are made.  The findings will (1) identify important online contexts with similar privacy expectations (e.g., gaming, shopping, socializing, blogging, researching), (2) prioritize the role of notice and consent in addressing privacy expectations within different contexts, and (3) identify the factors and their relative importance in developing privacy expectations for specific contexts online.

The findings have implications for how firms should attempt to meet the privacy expectations of users.  When privacy notices are found to be insufficient for meeting privacy expectations, individuals have attempted to pull out of the information exchange and obfuscate their behavior using tools such as CacheCloak, BitTorrent Hydra, Tor, and TrackMeNot, which allow users to maintain their privacy expectations regardless of the privacy policy of a website.  Understanding how, if at all, judgments about privacy notices are related to privacy expectations should help firms avoid unnecessary and unintentional privacy violations caused by an overreliance on privacy notices.

Deven Desai, Data Hoarding: Privacy in the Age of Artificial Intelligence

Comment by: Kirsten Martin

PLSC 2013

Workshop draft abstract:

We live in an age of data hoarding. Those who have data never wish to release it. Those who don't have data want to grab it and increase their stores. In both cases—refusing to release data and gathering data—the mosaic theory, which accepts that "seemingly insignificant information may become significant when combined with other information,"1 seems to explain the result. Discussions of mosaic theory focus on executive power. In national security cases the government refuses to share data lest it reveal secrets. Yet recent Fourth Amendment cases limit the state's ability to gather location data, because under the mosaic theory the aggregated data could reveal more than isolated surveillance would reveal.2 The theory describes a problem but yields wildly different results. Worse, it does not explain what to do about data collection, retention, and release in different contexts. Furthermore, if data hoarding is a problem for the state, it is one for the private sector too. Private companies, such as Amazon, Google, Facebook, and Wal-Mart, gather and keep as much data as possible, because they wish to learn more about consumers and how to sell to them. Researchers gather and mine data to open new doors in almost every scientific discipline. Like the government, neither group is likely to share the data it collects or increase transparency, for data is power.

I argue that just as we have started to look at the implications of mosaic theory for the state, we must do so for the private sector. So far, privacy scholarship has separated government and private sector data practices. That division is less tenable today. Not only governments, but also companies and scientists assemble digital dossiers. Digital dossiers emerge faster than ever, with deeper information about us than those of just ten years ago. Individualized data sets matter, but they are now part of something bigger. Large, networked data sets—so-called Big Data—and data mining techniques simultaneously allow someone to study large groups, to know what an individual has done in the past, and to predict certain future outcomes.3 In all sectors, the vast wave of automatically gathered data points is no longer a barrier to such analysis. Instead, it fuels and improves the analysis, because new systems learn from data sets. Thanks to artificial intelligence, the fantasy of a few data points connecting to and revealing a larger picture may be a reality.

Put differently, discussions about privacy and technology in all contexts miss a simple, yet fundamental, point: artificial intelligence changes everything about privacy. Given that large data sets are here to stay and artificial intelligence techniques promise to revolutionize what we learn from those data sets, the law must understand the rules for these new avenues of information. To address this challenge, I draw on computer science literature to test claims about the harms or benefits of data collection and use. By showing the parallels between state and private sector claims about data and mapping the boundaries of those claims, this Article offers a way to understand and manage what is at stake in the age of pervasive data hoarding and automatic analysis possible with artificial intelligence.

1 Jameel Jaffer, The Mosaic Theory, 77 SOCIAL RESEARCH 873, 873 (2010).

2 See, e.g., Orin Kerr, The Mosaic Theory of the Fourth Amendment, 110 MICH. L. REV. __ (2012) (forthcoming) (criticizing application of mosaic theory to analysis of when collective surveillance steps constitute a search).

3 See, e.g., Hyunyoung Choi & Hal Varian, Predicting the Present with Google Trends, Google, Inc. (Apr. 2009), available at