One of my favourite web sites is Not Always Right. This is a user-contributed site with stories – many funny, some disturbing – about the trials and tribulations of working with customers – the premise being that despite the often-quoted saying, the customer is not always right. My father was a cobbler, and I often spent time behind the till in his shop; when I was in high school, and in university, I had summer jobs in retail. I have a few stories of my own.
However, the reason for mentioning this here is that occasionally, people demonstrate how terribly wrong they are about privacy.
The stories you can find will make you laugh, or shake your head. One is an overzealousness in providing information that becomes the retailer’s fault; another demonstrates the willingness to give up on principles for the sake of coupons. People go to some lengths refusing to provide information that would seem innocuous, like a ZIP code, only to offer up something even worse, like banking information – and even worse, their social security number. Clearly some people are very unclear on the concept of privacy – offering up ZIP and SSN willingly, but then refusing to provide proof of age when it is actually required to buy alcohol. Or going all-out paranoid on a poor clerk trying to process a credit card transaction, merely for doing her job.
Why are people so horrible at protecting themselves? (One might also ask why they’re so horrible, generally, after reading a few of these stories – my advice is to read them in measured doses, so you don’t want to give up on humanity altogether). The stories illustrate that people think privacy is important – but that they’re clueless about what to do about it.
A very good book I would recommend is The Drunkard’s Walk: How Randomness Rules our Lives. I have often used this in my talks because in this fascinating exploration of the connection between statistics, gambling, history, baseball scores and wine tasting, the author concludes that people are really bad at understanding risk in a mathematical way – we’re just not wired that way. For proof we don’t understand risk, you only need to go to a casino.
Because of this, we understand risk only from our personal experience; the conclusions we draw are different, for example, when we just think about identity theft as a topic than when we experience it ourselves or at close hand through a friend or relative. This is why people on the streets of London and New York could be persuaded to give up their e-mail passwords for chocolate. (There are too many stories on this for me to link to; just Google “passwords for chocolate”).
What’s the moral? I think it’s a somewhat paternalistic one; privacy professionals have to be the risk managers for the public, whether or not the risks are understood, and do our very best to educate people about what risks they really do run. At the same time, as you can see from the stories I’ve linked to, we also need to avoid being too alarmist, as this seems to lead to unreasoning paranoia…and to rudeness to people in the service industry.