November 21, 2024

It can be rational to sell your private information cheaply, even if you value privacy

One of the standard claims about privacy is that people say they value their privacy but behave as if they don’t value it. The standard example involves people trading away private information for something of relatively little value. This argument is often put forth to rebut the notion that privacy is an important policy value. Alternatively, it is posed as a “what could they be thinking” puzzle.

I used to be impressed by this argument, but lately I have come to doubt its power. Let me explain why.

Suppose you offer to buy a piece of information about me, such as my location at this moment. I’ll accept the offer if the payment you offer me is more than the harm I would experience due to disclosing the information. What matters here is the marginal harm, defined as amount of privacy-goodness I would have if I withheld the information, minus the amount I would have if I disclosed it.

The key word here is marginal. If I assume that my life would be utterly private, unless I gave this one piece of information to you, then I might require a high price from you. But if I assume that I have very little privacy to start with, then selling this one piece of information to you makes little difference, and I might as well sell it cheaply. Indeed, the more I assume that my privacy is lost no matter what I do, the lower a price I’ll demand from you. In the limit, where I expect you can get the information for free elsewhere even if I withhold if from you, I’ll be willing to sell you the information for a penny.

Viewed this way, the price I charge you tells you at least as much about how well I think my privacy is protected, as it does about how badly I want to keep my location private. So the answer to “what could they be thinking” is “they could be thinking they have no privacy in the first place”.

And in case you’re wondering: At this moment, I’m sitting in my office at Princeton.

Comments

  1. Do you think it can be rational to donate private information gratis into the public domain?

  2. One large problem with selling our private information is the ratchet effect. Once you have divulged a piece of personal information to a party, it is out of your control for all time, since no piece of information is ever forgotten anymore (the ratchet). That party now can sell the information bit along, as well as aggregate it with other information you previously sold (or they otherwise obtained) to draw a much more detailed picture of you than you might wish to be known. What is the cost to me of this aggregated dataset about me that will exist into perpetuity? I have no way to even begin calculating that. So I try to never give anyone any information anymore.

  3. Whenever you’re selling something, you have to consider the transaction costs as well. Imagine for a moment that I take the time to read someone’s privacy policy and do a quick search to see if they’ve violated it lately every time before I decide whether to sell them my personal information. Unless I’m selling it for $10 a pop or more, that’s just not worth it. So people make rules, usually based on the high-value transactions, and carry them over to the rest of their behavior.

  4. I think the problem is that most people are not in a very good position to evaluate what their information is really worth. Until they find out the hard way.

    For example, I might think that the fact that I am sitting in some office building in Town X at 9:52 AM on Monday is not worth very much. I might be willing to trade that for a penny to one vendor. I might think that the fact I live in Town Y is not worth much at all (it’s in the phone book, after all), and I might be glad to get a penny for it from a third vendor. Each of the vendors would be glad to sell those pieces of information for $1.00 (ROI of 99%!!!). And a thief would be glad to buy that information for just $2.00, especially if they have some knowledge of Town X and understand that the likely reason that I’m in that office building is that I work there, and my house is probably empty right now.

    I’m oversimplifying, of course, but the fact remains that people are notoriously bad at figuring out the value of information — hence the effectiveness of social engineering.

    When anybody offers me money for my information, even if it’s stuff that I figure they could track without my assistance (e.g. loyalty cards), I almost always decline. I’m not prepared to spend the time to figure out whether it’s a good deal for me or not. Time is money.

  5. Also, the price of the “where are you” information will increase the more often the question is asked: if I’m to be be tracked in real time then I’ll demand a very high price for each piece of location information. Whereas, if someone is asking a one off silly question to prove a pet theory, the price charged will be negligible.

  6. Liam Hegarty says

    I’m sitting in my office posting a comment on a blog instead of doing my work.

    Your post made me think. Perhaps there is a contextual component as well.

    I work at a public library. We often have patrons who want to know what they have taken out in the past so they can recommend the book to a friend or some such thing. However, we cannot tell them because we delete the record once the item is returned and all fines (if any) are paid. At first they are miffed but, when we explain we do this automatically to protect their privacy, they are mollified if not pleased. That is because they expect the library to protect their privacy. The same goes with our public computers.

    I don’t think they expect the internet to protect privacy so they give it up. When I teach people about the web, I tell them it is not free. They are paying for it with their eyeballs or with personal information.

  7. Ah if that were only the case, a nice villa in Greece! The reality is that our information is not our information. At least from the perspective of the marketers. The marketers believe that they own it and that they are ones entitled to any transaction royalties in the sharing/trading/buying/and selling of that data.

    Given the current trends with so-called “intellectual property”, it would be difficult for the consumer to have their “property rights” recognized.