Millions of people received an email from Twitter recently advising them to change their password. Apparently a bug allowed some employees inside the company to see users’ passwords in plain text, creating the possibility that private information could be compromised.
I received this email, read it and promptly deleted it. I forgot all about it until the subject came up by chance in a conversation with a colleague the next day.
Why was I so blase? Not because Twitter’s internal investigation showed the information never left Twitter’s systems and found no indication of a breach or evidence of bad conduct — though that is all true. Instead, the economist in me — inferring my preferences and beliefs from my conduct — concluded that I don’t really care whether someone has my Twitter password. Or, more precisely, that the cost — measured in time and hassle — of changing the password was greater than my expectation of the harm from not doing so.
My behavior was at odds with important assumptions in the public debate. The U.S. and Europe have been abuzz with discussion about privacy, driven in large part by the revelation that information from as many as 87 million Facebook users was sold to a private company. The question du jour: How can we protect information about ourselves that is on social media?
I’ve been asking a different question: Do we really care about privacy?
Consider whether you would trade the privacy of your friends for a free slice of pizza.
As part of an experimental study, economists Susan Athey, Christian Catalini and Catherine Tucker looked into the mismatch between stated preferences about privacy and actual privacy-related behavior among undergraduate students at the Massachusetts Institute of Technology. Students were asked to provide the email addresses of their friends to the researchers. To entice them to do so, some were offered free pizza.
The researchers were interested in whether the students would protect the privacy of their friends by handing over invalid email addresses. (The economists were able to verify whether the addresses were valid.) It turns out that if you offer the students free pizza, the likelihood that they will protect the privacy of their friends is cut in half. Surprisingly, this result was the same for students who reported high or low degrees of concern about protecting their privacy from businesses, the government and the public in general.
In addition to finding that small incentives to relinquish such data overpower stated preferences about privacy, the economists also found that the students made quite different choices in response to small factors.
Indeed, despite all the headlines about Facebook’s use of individual data in recent weeks, the company reports that users haven’t been making significant changes to their privacy settings. Speaking last month in London shortly after Facebook CEO Mark Zuckerberg testified before Congress, a vice president with the company, Carolyn Everson, reported “not anticipating major changes to our overall revenue and business model.”
I don’t consider anything on my Facebook page to be sensitive, private content. Judging by their behavior, it may be that most Facebook users feel the same.
That stands in contrast with the emails stored in my Gmail account, which have lots of private information that I wouldn’t want anyone other than my wife to read. To protect it, I have enabled “two-factor authentication,” a protocol that requires me to provide information in addition to my username and password to access my account.
I doubt I’m alone in wanting my email account to stay private. Which is why I was surprised to learn that less than 10 percent of active Gmail accounts use this two-step process. It seems that for the overwhelming majority of Gmail users, the benefit of extra security isn’t worth the small cost of providing a bit of extra information at the login stage.