Last week Google launched Google Buzz, a new status update and social network aggregation feature for Gmail users. Within minutes of its launch, digerati took to Twitter and blogs to discuss their first impressions of Buzz. Early reviews were generally positive, but my mid-week, the tone had shifted dramatically. It began to surface that Buzz had a fatal privacy flaw that could potentially jeopardize the real-world safety its early adopters. As one widely shared op-ed piece on Gizmodo.com explained, “Fuck you, Google. My privacy concerns are not trite. They are linked to my actual physical safety . . . You have destroyed over ten years of my goodwill and adoration.”
Fueling this vitriol was a naive design decision to eliminate signup procedures allowing users to choose with whom they would like to share information. As the Google Buzz landing page describes, “No setup needed. Automatically follow the people you email and chat with the most in Gmail.” (In the case of the writer above, her abusive ex-husband could now view her status updates and items she shared with her current boyfriend.)
This incident underscores the importance of understanding the behavioral economics of privacy in online settings. Had Google designed buzz to better account for how users make decisions as to the degree of personal information they feel comfortable sharing in initiating a service, this scenario could have been avoided.
Understanding behavioral economics to design for privacy
In Alessandro Acquisti and Jens Grossklags’ 2006 paper, “What Can Behavioral Economics Teach Us About Privacy?,” the authors address the complex and often contradictory behaviors surrounding online privacy. As Acquisti and Grossklags describe, “we feel entitled to protection of information about ourselves that we do not control, yet willingly trade away the same information for small rewards; we worry about privacy invasions of little significance, yet overlook those that may cause significant damages.” The authors explore the behavioral principles that impair or aid individuals in making privacy decisions online, concluding that behavioral economics can improve privacy policy decision making and technology design for end users and data holding entities.
The case of Google Buzz is a clear example of asymmetry of information in decision making. In opting in to the service, users had no way of understanding the algorithm Google was using to automatically link contacts nor the extent of data that would be shared between contacts (at least at the outset). Users were not guided through procedures at signup that would make this clear.
In addition, users were subject to status quo bias due to the simplicity of opting in to the service. To make signup simple, Google intentionally made the “automatic follow” feature a default setting. Thus, many users failed to realize what and with whom they were sharing information until hours or even days after signup. This agrees with Acquisti and Grossklags’ findings, whereby their study of online social networks revealed that the vast majority of users do not change their default (and very permeable) privacy settings (likely due to status quo bias).
But why all the vitriol? While the personal safety violation described above represents an extreme case, negative opinions of Google Buzz circulated widely. It is widely known how Google benefits from the personal data of users of iGoogle and Gmail. In the case of Buzz, Google was looking to capitalize on real-time social data by stealing users from other popular social networking services like Twitter and Facebook. But as Facebook has learned from its own privacy issues, the fungibility of user data and free services is a complex and sensitive issue. Acquisti and Grossklags found the behavioral economics of inequity aversion to be at play when users make decisions to share their personal data: “In the privacy arena, it is possible that individuals are particularly sensitive to privacy invasions of companies when they feel companies are unfairly gaining from the use of their personal data, without offering adequate consideration to the individual.” With Google Buzz, it’s likely the case that users felt they were receiving relatively little in the way of new functionality (beyond what services like Facebook and Twitter currently offer), in exchange for automatically (and often unknowingly) giving up personal and social data. Hence, a sense of privacy violation is apparent in much of the negative backlash.
Privacy principles to consider in future design projects
Setting a user’s expectations of what and with whom their personal information is shared is clearly a critical step in developing a service. And in most cases, it’s not enough to provide a privacy policy at signup. Often, the economic principle of rational ignorance comes into play. As posited by Acquisti and Grossklags:
Ignorance can be considered rational when the cost of learning about a situation enough to inform a rational decision would be higher than the potential benefit one may derive from that decision. Individuals may avoid assessing their privacy risks for similar reasons: for instance, they may disregard reading a data holder’s privacy policy as they believe that the time cost associated with inspecting the notice would not be compensated by the expected benefit.
Privacy policies, often lengthy and rife with legalese, are generally not designed to give online service users greater understanding of the tradeoffs or probability of risks associated with opting in to a service or service feature.
As designers, we must also consider what Google learned from crossing two distinct modes of online social interaction. While Google stood to gain traction quickly by offering Google Buzz to its large installed base of Gmail users, crossing the modes of email and social networking through the “automatic follow” default was shortsighted. Users share different types of information through these two channels and communicate with different degrees of intimacy. This teaches us that when developing services that combine multiple modes of online communication, we need a clear picture of the behavioral norms of each of the channels incorporated into the design.
