Microsoft Study: Users Worry About Privacy But Know Little About Threats

Microsoft today released its findings from user focus groups on privacy that raise questions about whether consumers are saddled with too much responsibility in protecting their information online.

The focus group results, which were released in conjunction with Microsoft-hosted International Data Privacy Day celebrations in the U.S. and U.K., indicate that industry, government, and other organizations may not be doing enough to protect user privacy. International Data Privacy Day was established last year as a day dedicated to educating people about online privacy issues and protection.

"What these findings tell us is that we must do more to educate consumers. People are making privacy decisions all the time and may not even know it. They must have the right resources from industry, government, and nongovernmental organizations so they can better educate themselves about privacy, threats to personal information, and ways to safely navigate online," said Peter Cullen, chief privacy strategist for Microsoft, in an interview on Microsoft's Website.

Microsoft's research found that many users are concerned about protecting their privacy online, but they have only a basic understanding of the threats out there. They deploy spam filters, delete their cookies, and run antivirus software, but they don't necessarily understand the real threats and privacy decisions they make online. "People also have a perception that once their information is online, there isn't much they can do to protect it," Cullen said. "Many people aren't aware of the controls they have, such as the ability to opt out of behaviorally targeted advertising or new tools in Internet browsers."

But the big question raised by the research is whether this means businesses and government are leaving too much of the responsibility for privacy protection to the user, who may not be informed enough about the issue to protect himself.

Security researcher Nathan Hamiel, who, along with colleague Shawn Moyer, has demonstrated the ease of social networking hacks, says that, in part, users have been expected to do more than their share to protect their privacy. "In some ways, they have been left with too much responsibility, mainly because they don't know what data about themselves should be private," Hamiel says. However, that doesn't mean Website operators have to do it all, he says.

"I don't believe it is the responsibility of a site owner to 'protect the Internet,' so to speak. [But] I think that sites need to do a bit of education with their users about the features -- which, sadly enough, many people won't read," he says.

What would also help is for sites like social networks to make profile data -- think birth dates and location -- and communications private by default. "I believe there is a baseline responsibility that sites have to protect the individuals," Hamiel says.

But what one user considers private, another may not, he cautions. "Some of this is perception, and it's hard to put controls around that," he says.

Microsoft's focus groups also said they worry about identity theft, look out for Secure Sockets Layer (SSL) certificates on Websites, and run antiphishing filters. But Microsoft's Cullen said the rapid evolution of social engineering and phishing techniques makes it difficult for users to grasp these attack techniques. He advocates teaching these methods to users: "If consumers understand the methods employed by cybercriminals, they will more easily identify when and where their personal information is potentially at risk. They can actively avoid those situations rather than merely relying on technology to protect them," he said. "While technology is helpful, it must be coupled with consumer awareness."

The users in the focus groups said that the convenience of online commerce, banking, and communicating via email, blogs, and other venues usually outweighs the risks. Among other findings: Users are aware of the risks associated with social networking and said they are responsible for making decisions about what data they do share on these sites.

Even with more education and built-in privacy activated by default on Websites, protecting a user's data privacy is ultimately the responsibility of that user, Hamiel says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message