Mary Culnan and privacy ala 1999

Self-Regulation and Privacy Online,” FTC Report to Congress

Culnan, M. J., & Armstrong, P. K. (1999). Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation. Organization science, 10(1), 104-115.

Culnan, M. J. (1993). “How did they get my name?”: an exploratory investigation of consumer attitudes toward secondary information use. MIS Q., 17(3), 341-363. doi:10.2307/249775

I’ve been looking up more information about Fair Information Practices. One of the searches lead to the above FTC document from July 13, 1999. In it, they mentioned the researcher from Georgetown, Mary Culnan. Taking it further, I searched for papers by her on the ACM citation database and found the paper coauthored by her. Searching further on Google scholar, I found the other.

One paper was about corporate good favor and how people react to giving a company information. She found that there were two groups of people, those who are concerned actively about privacy and those who aren’t. When the business asks for information, the two groups are different. However, when the survey participants were told that the information was going to be processed by fair information practices, the groups were both the same.

Her recommendation is that to promote good will and minimize ill will, a service provider should have explicit policies as to where there information is going to go. Another point she mentioned is that having fair procedures (in general) for conflicts leads to less disgruntled customers, even when the result is against them.

The other paper, from 1993, is before even the dotcom boom in the 1990s. This paper was talking about direct mail instead of online services and asking college students about their attitudes. The results were more complicated and less generalizable because the subjects were all college students. An issue affecting attitudes of users is past interactions with direct mail. Presumably now peoples attitudes are affected by experience with data sharing.

The theme of the second paper is about secondary use. The question “how did they get my name” is an example of the disconnect between what is possible with technology and what people are comfortable with. The paper’s introduction that gave the motivation as it recounted some big incidents where there was backlash against secondary use of information.

So, these two studies are interesting especially because they are from before the times of widespread internet use. No smart phones, the Tablet: The Personal Computer of the year 2000) was no where to be found. People were not numb to the possibilities of information reuse, aggregation, secondary use (yet).

So, to me, the privacy insights from the papers are that people in their “natural” state value that there information is being used only in the ways that they are told it will be. Culnan explains that data privacy is more than a policy. It needs to be integrated into a company’s culture. The Chief Information Officer should not just rubber stamp what the managers want and should instead push back when the others in the company want to go further than their customers would be comfortable. Assume there was full, 100% transparent disclosure: would users still be ok with it? Employees should only have access to the information that they need to do their duties. (In analogy to the security principle of least privilege)

I’m way past my tl;dr quota but I’m almost done.

One attribute of a model company’s decisions: their standard is based on what users would be ok with when presented a 100% transparent, fully disclosed explanation of where their information is going.

So, these papers indicate that people do care about their information’s use and secondary use. Most privacy policy is “TL;DR” in capital letters so people go on blindly and blindly give away the “farm.”

Federal forms must have a footnote giving the time needed to collect the needed information and complete the form. Perhaps terms of service and privacy notices should have similar notices. How long will it take to read? What is the reading level of the material?

Basic messages like that at the top of the privacy policy will let people assign a “cost” value of the privacy notice. Without even reading the policy, seeing that it will take 45 minutes to read and a 12th grade level of English could be factored into whether they open an account.

When I decide whether to sign up, I don’t just factor in that I can create the account with my twitter or gmail account so that it only takes 1 minute to sign on. I also say “I’ve spent too much (virtual) time on terms of service & privacy notices this week. I don’t need the benefits of the site that badly. Let’s wait.”

[Google scholar was pretty powerful because it found .PDFs of both papers. They should be available to anyone without needed library research tools.]

[For the casual reader, Culnan’s papers use sophisticated statistical as well as proper survey designs. She is comfortable with Varimax analysis, using Cronbach’s Alpha and Likert scales. In one survey, she strategically placed the order of the questions to maximize their relevance. Her analysis in the 1999 paper includes analysis of the user responses found that the subjects could be partitioned into two groups: privacy concerned individuals and non-privacy concerned individuals. These papers are a lesson that one should use the right tools for analyzing research data and that more thought is required than calculating averages and corresponding p values. Perhaps selection committees should be more demanding on this point.]