Microsoft Study Finds Consumers Want Control Over Data

Wednesday, Jan. 28, 2009, is Data Privacy Day, and to mark the occasion, Microsoft is participating in a panel discussion in San Francisco with privacy experts from the California Office of Privacy Protection, the Center for Democracy and Technology, Intel, and MySpace.

Better this week than last, when Heartland Payment Systems and Monster.com disclosed major malware-driven data breaches that promise privacy headaches or worse for affected account holders.

It is such incidents that worry Peter Cullen, Microsoft's chief privacy strategist, because of the impact they can have on consumer trust. "Trust is becoming increasingly important," he said.

That's why Data Privacy Day exists. Microsoft and other organizations recognize that without trust, the online economy only gets worse for everyone. Cullen explained that Data Privacy Day represents a global opportunity for organizations and individuals to come together to discuss how to better educate consumers about data privacy issues.

One way to advance the discussion, Cullen said, was to commission some research, which Microsoft did in two cities, in California and Texas. "We wanted to understand how different segments of consumers, from teens to professionals to boomers, thought about privacy," he said. "There were some rather interesting results that came out of this."

"Our hypothesis is that across these three segments, there would be different ways of thinking about these things," said Cullen. "We were really surprised to learn there's a large degree of similarity in the way people think about privacy."

"There was a surprising degree of consensus in three things," he said. "One was that all of them felt this sense of resignation, meaning that they realized that once they put information online it's gone forever."

Consumers understand that there are risks, Cullen explained, but they don't really understand what those risks are.

Along similar lines, all three of the demographic segments surveyed said they take steps to protect their privacy, but they freely admit that they don't fully understand how privacy and security technologies work or what protection they're providing, Cullen said.

Cullen likened it to a placebo. "I took the pill and I feel better," was the way he described consumers' attitudes about privacy protection.

And in what Cullen said was a pleasant surprise, all three of the groups acknowledge they have some responsibility for their own online security and privacy. "They're not looking to the government or businesses to take care of them completely," he said. "They actually feel a sense of their own accountability for how their information is protected."

The problem is that they don't feel they understand how to do it.

Cullen said the findings represent a confirmation of Microsoft's investment in privacy-enhancing technology and education over the past five or six years. "It reaffirmed to us that this is absolutely what we have to continue to invest in," he said.

As an example of the impact of such investments, consider that the phishing filter in Internet Explorer blocks 40 million attempts to reach phishing sites per week.

The survey's findings, Cullen continued, "also reaffirmed that corporations need to step up their own consumer education efforts and to deploy their own sound policies to make sure that information is not only used appropriately but protected."

The top areas of concern for consumers in the Microsoft focus groups were identity theft (for all segments), child protection (for parents), and the sharing or selling of personal information without consent (for all segments).

"We have to think about different ways to educate and to put consumers in more control, because they view it as their responsibility, not just ours," he said.

In taking the position that consumers deserve to control their data, Microsoft stands atop the privacy high ground, a hill that has become increasingly slippery for Google.

Cullen goes so far as to suggest, as some privacy advocates have, that a broader set of data deserves protection than just the limit set of data designed as personally identifiable information.

"Even data that other may not think is personally identifying, we think consumers should have some control over that," he said. "For example, when we build our ad system, even through it's designed not to use any personally identifying information, we still give all consumers the ability to say, 'Hey, I don't want to receive targeted ads ... please don't use even behavioral data to deliver targeted ads to me.' So that's a level of control we think is appropriate and very consistent with what consumers are saying, because they do want this level of control."