Your personal information is out there. You did not put it there, so how did it get there? Internet websites provide visitors with different levels of interaction, ranging from delivering basic information to providing sophisticated features and tools such as profile management, interactive visual communication, and of course, advertising. Like many traditional businesses, websites turn to third party outsourcing to offer these features and tools. Such services include functionality (password and account control, social media integration, video hosting, chat and forum services, payment services, etc.), performance (backup service, security and firewalls, responsiveness tools, etc.) and targeting/advertising (advertising, lead generation, analytics, etc.). Use of third parties is ubiquitous among top websites; a website visitor is also making contact with all third parties enabled on the site. Much of this contact is hidden from view. A U.S. Senate report found that visits to online news sites may involve connecting with hundreds of other parties, and the sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use.”
While many third parties provide utility or functionality for visitors, they also pose a potential privacy risk to visitors. A simple example is the integration of the Google Maps API within a website, where Google obtains valuable location data. Third parties often obtain visitor information in return for services they provide to the website. This is often done without explicit visitor consent and/or disclosure. Policies regarding how visitor information is shared with third parties are often hidden in obscure and lengthy privacy statements and/or terms of use and are often ignored or blindly accepted by visitors. Simply landing on a website can cause substantial and instantaneous sharing with third parties.
The convenience of easy sign-ins with Facebook, Google, or Twitter accounts results in immediate identification with these third parties. Third parties also use cookies and other emerging tracking technologies such as flash cookies and device IDs to track individuals across much of their online activity. The reduced cost of data storage and processing technologies has allowed third parties to stockpile large amounts of visitor data and run analytics on this data. Due to the sheer number of third parties that perform analytics and targeting, and the advanced technologies they use, it is now very hard to know who is tracking us online. Through rapid advancement in analytical techniques, third parties are able to create fairly comprehensive pictures of not only individual behavior, but also of individual psychological traits. An individual’s online activity is being tracked across the web, and through re-identification, this activity can be merged with other aspects of our lives. For many, this sounds like an Orwellian prophecy coming true.
This begs the question, “What’s going to limit this privacy intrusion?” Privacy issues related to online websites, third party use, and tracking an individual’s activity is a public concern. Regulatory organizations such as the Federal Trade Commission and the European Union are looking into policy enforcement strategies. The other method of limiting this privacy intrusion is through the invisible hand of the market itself.
Our work initially focuses on how market forces can curb the behavior of websites in sharing user information with third parties. Websites typically have two sources of income, subscriptions and selling visitor data to third parties. A website using the subscription model needs a large base of visitors, but it can also sell visitor information in secondary markets through advertising or other third parties. Therefore, the website must strike a balance between subscription and third party monetization in this two-sided market, which naturally sets limits on abusive behavior. Interestingly, market forces ensure that when privacy concerns are very high (for instance with health websites) websites exercise greater caution in information sharing which is beneficial to consumers. When users have moderate privacy concerns – not too low and not too high – websites benefit the most to the detriment of users. When privacy concerns are low, users do not care; when privacy concerns are high, websites exercise caution; it’s the moderate privacy settings where consumers stand to lose the most.
To be effective overall, market forces needed to be supplemented with effective regulatory policies. Government agencies have a number of policy options at their disposal – from a total ban of third party sharing to GDPR which is implemented in EU that enables users to know and control third party sharing, to non-commercial entities setting up competing sites with the explicit objective of curbing privacy violating behavior of commercial websites. Each of the policy interventions has varied impacts on the economic surplus of three key entities: consumers, websites, and third parties. The key starting point to regulatory interventions, however, is requiring transparency and informing consumers about which third parties and what information is being shared. Encouraging market competition, along with enacting sensible regulatory policies that are sensitive to implications to consumers, websites, and third parties would enable reaping maximum privacy-aware economic rewards.
This piece originally appeared in the London School of Economics blog at the following link.
Leave a Reply