FPF Advisory Board member Lorrie Cranor, Director of CUPS (CyLab Usable Privacy and Security Lab) at Carnegie Mellon University, informs us that the Lab has issued two new technical reports and submitted them as public comments to the FTC’s Exploring Privacy roundtable series. Here are the abstracts, but the full studies are definitely worth reading!
Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach
Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, Lorrie Faith Cranor November 10, 2009
An Empirical Study of How People Perceive Online Behavioral Advertising
Aleecia M. McDonald and Lorrie Faith Cranor November 10, 2009
We performed a series of in-depth qualitative interviews with 14 subjects who answered advertisements to participate in a university study about Internet advertising. Subjects were not informed this study had to do with behavioral advertising privacy, but raised privacy concerns on their own unprompted. We asked, “what are the best and worst things about Internet advertising?” and “what do you think about Internet advertising?” Participants held a wide range of views ranging from enthusiasm about ads that inform them of new products and discounts they would not otherwise know about, to resignation that ads are “a fact of life,” to resentment of ads that they find “insulting.” Many participants raised privacy issues in the first few minutes of discussion without any prompting about privacy. We discovered that many participants have a poor understanding of how Internet advertising works, do not understand the use of first-party cookies, let alone third-party cookies, did not realize that behavioral advertising already takes place, believe that their actions online are completely anonymous unless they are logged into a website, and believe that there are legal protections that prohibit companies from sharing information they collect online. We found that participants have substantial confusion about the results of the actions they take within their browsers, do not understand the technology they work with now, and clear cookies as much out of a notion of hygiene as for privacy. When we asked participants to read the NAI opt-out cookie description, only one understood the text. One participant expressed concern the NAI opt-out program was actually a scam to gather additional personal information. No participants had heard of opt-out cookies or flash cookies. We also found divergent views on what constitutes advertising.
Industry self-regulation guidelines assume consumers can distinguish third-party widgets from first-party content, and further assume that consumers understand data flows to third-party advertisers. Instead, we find some people are not even aware of when they are being advertised to, let alone aware of what data is collected or how it is used.