Another “Gotcha!” Security Study

Every now and then, we get a story telling us how gullible people are when it comes to security practices. We’ve been told that people will give away their passwords (or pretend to) for chocolate or cheap pens, and that they’ll use thumb drives they find lying in the streets. But how much do we actually learn from these studies?

The latest is a survey out of the UK, in which most respondents disclosed their income brackets even though they said they protect their income details. Aha! People say they care about privacy, but they really don’t! Gotcha!

But wait a moment. The survey asked if people protect income details, then asked for an income bracket. The former is specific, the latter is general. We could as easily make another “Gotcha!” survey that claimed people don’t really want their unlisted numbers protected because they give out their area codes.

Even ignoring the bracket/details distinction, we shouldn’t read too much into this survey. It’s easy to lie on an income bracket question. Internet users have become accustomed to web forms that require all fields to be filled out. Because leaving a required field blank means seeing the page again, and sometimes re-entering every field on it, it’s easier just to pretend to answer everything. After a while, that sort of behavior trains us to fill out all fields by default. A proper study would need to compare the distribution of reported salary brackets against the expected salary distribution for the respondent population, allowing for some error margin; that would help tell whether people are really divulging their salary brackets or just making them up.
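As an added illustration of the distribution check suggested above (this is example code, not part of the original post or the survey), here is a goodness-of-fit test over constructed bracket counts: it compares the brackets respondents reported with an assumed population distribution and estimates, by Monte Carlo simulation, how unlikely the observed counts would be if people were answering honestly. The bracket labels, the expected shares and both sets of responses are made up for the example.

```python
import random
from collections import Counter

# Assumed share of the population in each income bracket (constructed for this
# example; a real study would take this from census or tax statistics for the
# population the respondents were drawn from).
EXPECTED_SHARE = {
    "<20k": 0.25,
    "20-40k": 0.35,
    "40-60k": 0.20,
    "60-80k": 0.12,
    ">80k": 0.08,
}

# Constructed survey responses: one set that tracks the population, and one
# where most respondents just clicked the first bracket to get past the form.
PLAUSIBLE_RESPONSES = {"<20k": 48, "20-40k": 72, "40-60k": 42, "60-80k": 24, ">80k": 14}
DEFAULT_CLICK_RESPONSES = {"<20k": 140, "20-40k": 30, "40-60k": 15, "60-80k": 10, ">80k": 5}


def chi_square_stat(observed, expected_share):
    """Pearson's chi-square statistic: sum over brackets of (observed - expected)^2 / expected."""
    n = sum(observed.values())
    stat = 0.0
    for bracket, share in expected_share.items():
        expected = n * share
        stat += (observed.get(bracket, 0) - expected) ** 2 / expected
    return stat


def monte_carlo_p_value(observed, expected_share, trials=5000, seed=1):
    """Estimate P(statistic >= observed statistic) by drawing samples of the same
    size from the expected distribution, so no chi-square table is needed."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    n = sum(observed.values())
    brackets = list(expected_share)
    weights = [expected_share[b] for b in brackets]
    actual = chi_square_stat(observed, expected_share)
    at_least_as_extreme = 0
    for _ in range(trials):
        sample = Counter(rng.choices(brackets, weights=weights, k=n))
        if chi_square_stat(sample, expected_share) >= actual:
            at_least_as_extreme += 1
    return at_least_as_extreme / trials


def answers_look_fabricated(observed, expected_share=EXPECTED_SHARE, alpha=0.05):
    """True when the reported brackets deviate from the expected distribution
    more than chance would explain at significance level alpha."""
    return monte_carlo_p_value(observed, expected_share) < alpha


if __name__ == "__main__":
    for name, responses in (("plausible", PLAUSIBLE_RESPONSES),
                            ("default-click", DEFAULT_CLICK_RESPONSES)):
        p = monte_carlo_p_value(responses, EXPECTED_SHARE)
        print(f"{name}: chi2={chi_square_stat(responses, EXPECTED_SHARE):.2f} "
              f"p~{p:.3f} fabricated={answers_look_fabricated(responses)}")
```

Two caveats a study designer would want to keep in mind: the check only works on aggregates, so it can say that a pool of answers is implausible but never that a particular respondent lied; and it cannot catch fabricated answers that happen to match the expected distribution, for instance respondents who guess a typical bracket rather than clicking the first one. The expected shares also have to describe the respondent pool, not the country at large, or honest answers from a skewed sample will look fabricated.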

It would be a fundamental misunderstanding of privacy to conclude from this study that people don’t care as much about privacy as they claim. Daniel Solove’s privacy taxonomy shows that defining privacy is a slippery task, but it’s easier to say what privacy is not. Privacy is not keeping the world from knowing anything about me. It’s about my ability to decide for myself what to disclose and to whom.

It’s time to move past “Gotcha!” studies. If people trade their passwords for candy, or use strange thumb drives, or click through multiple warnings that they’re about to do something really bad, it’s not because the users are stupid. It’s because they’re people, and people have this odd habit of acting like people. The fault lies with those of us in the security and privacy world who haven’t figured out a way to make computer security adapt to people instead of the other way around.

Published on August 27, 2008 at 8:16 pm

The URI to TrackBack this entry is: http://blog.subjunctive.com/2008/08/27/another-gotcha-security-study/trackback/
