What do consumers expect in the way of data security and privacy protections when they sign up for a premium subscription service?
I was reading up on the class action lawsuit against LinkedIn following their breach last year, and discovered that the plaintiff had retained Serge Egelman, who conducted two new surveys in April on this question. His survey methodology and results were submitted to the court as exhibits, and I’ve uploaded the whole filing here (Exhibit A starts on p. 32, Exhibit A-2 with methodology begins on p. 43). In his declaration, Egelman states:
First, through a review of the existing academic literature, I determined that consumers incorporate data security and privacy concerns, costs, and benefits into their purchasing and consumption decisions, and that consumers are often willing to pay a premium for information security.
Second, through a survey I conducted the week of April 1, 2013, I determined that when consumers pay for a “premium” social networking service, they expect their information to be protected with a heightened level of security, and that, at a bare minimum, industry-standard security protocols will be used to guard their information.
Third, through a survey conducted the week of April 22, 2013, I determined that an internet service using industry-standard security practices has higher utility to consumers than a service with substandard security. I also determined that when consumers are evaluating the utility of a website or internet service, privacy and security concerns factor heavily into that evaluation, and that consumers will choose a website or internet service with industry-standard security practices over an otherwise identical service with substandard security.
Reading his methodology and results, I think his data support a conclusion that when thinking about data security and privacy is prompted (as by the wording of survey response alternatives), consumers will consider a business’s security standards and expect – and be willing to pay more for – better data security. These two surveys do not, however, show that consumers actually consider data security at all in making their decisions about a premium subscription service, outside of a structured survey. Then, too, the correlations he reports for some findings, while statistically significant, do not actually account for much of the variance in respondents’ answers (effect sizes were not reported, but are easily estimated for Pearson correlations). Egelman addresses the fact that many people do not actually read privacy policies or security assurances in his discussion, where he notes how when security or privacy concerns are noted by experts or the media, the word spreads quickly and people will voice their concerns or put pressure on businesses. He uses this to argue that had LinkedIn not overstated their data security, their allegedly substandard security would have been noted, discussed publicly, and would have influenced subscribers’ decisions as to whether to pay for premium services. I suspect he’s probably right on that.
The litigation aside, I think it’s unfortunate that his research on consumer expectations is first being presented as a court exhibit instead of in a privacy or security forum where it might receive greater discussion, and I hope this blog post serves to make others aware of his research so we can discuss it.
A long time ago, I read a book about how a large car company would approach a person that bought a new car and they would offer “three different levels of undercoating” that would help protect the life of their newly purchased investment. The author of the book interviewed one of the mechanics that performed the feat of doing the undercoatings, and basically said, there wasn’t much difference between each of the undercoatings. The mechanic felt guilty about the potential defrauding, and he would do such things as stand on one foot and undercoat the car should someone choose the highest undercoating price.
I would figure a big networking corporation that services professionals would know better. It’s one thing to have a heightened awareness and security standards for someone who pays for it, but eventually, if you have improved security for a portion of people, how do you segregate this newer technology? Do you have two complete networks? Offer one login to a higher state of security for those who paid and another network for those who opt to use the system for free? To me, in my opinion, that does not make any sense at all. I believe it would drive costs way up, even if done in a virtual environment.
It would make more sense to upgrade the security services for all, and advertise that for a premium users can take advantage of the newer security features at the site. Sure, some would sign up, and no one is the wiser, other than the network designers, staff and CEO. It’s better to have the security in place that people will pay for, rather than say you have a premium service that does not effectively offer what is advertised.
I personally gave up on LinkedIn as soon as it went from a simple professional networking site to an all-out mass emailing machine. I simply opted out of all emails, but they still came. I finally opened up a trouble ticket and had my account deleted. It’s much better now. = )
It is tough to define what adequate security measures are. The only way to determine if security is adequate is to have an organization hire some hackers and have them try different attack vectors over a period of time (say 3 months to a year), attempting to break in at infrequent intervals. If the site maintains its integrity, then it may be deemed “secure”. There are a ton of ways that a corporation can have issues: insider threat, accidental internal misconfigurations, an internal privileged host is compromised, and so forth. No matter what level software and hardware security configurations are raised to, all it takes is one small act and the castle can come crumbling down.
Businesses need to rely on the people they hire to do what is best for the company, and sometimes that can go sour. Sometimes it’s malicious, other times it’s purely by accident. In both cases, these may never be discovered, or they may be taken advantage of by a malicious group or entity. As a corporation grows bigger and bigger, the avenues for loss grow. Honestly? It’s nearly impossible to watch every potential security risk each day and squelch any potential issue(s). You’d need hundreds – if not more – of security professionals looking over modified code, modified web pages, incoming and outgoing content and more. You’d have to profile the staff and try to predict when someone may go off the deep end. In today’s world, it’s a tall order to get just one of these done in a company’s lifetime.
I think a premium service may remove the stereotypical ads, offer more enhanced social networking features, and allow the person to opt out of unwanted content. I would think, no matter the organization, I doubt any one of the millions would say “If you pay for our services, you will be adequately protected”. To me that throws up a red flag in the air saying, if you don’t pay, your information could be at risk. Is that a mild form of coercion? Electronic blackmail? Admitting their guilty demise?
More than likely the same staff works for the non-paid as well as paid. Unless they go through very rigid security awareness training and have a strict configuration management program and two-person integrity on every single task that may affect security and privacy, it’s not “adequate” enough. Go too far and it will be farther than most of the most secure establishments go. Define adequate. Then, look at corporate examples and see who follows these examples. Many do not. They’d rather accept the risk and stay within the comfort of operating in a semi-secure environment than throw a lot of money at some technology that may or may not reach that “adequate” level. It costs a lot for the hardware and software security, and add in talent to effectively monitor and squelch all security-related issues.
Even the great NSA and all the think pots they have is vulnerable to issues – so, what is considered “adequate”?
Is it terms that are written out saying “if you purchase our premium service, we will do the following”…
Add in “to the best of our ability” or “within reasonable revenue constraints” or any other caveat, and dissecting this is no longer satisfied by finger pointing.
This is a mess – everywhere. It’s never going to be clear-cut; there aren’t any cookie-cutter solutions for all organizations to follow. The ONLY way to ensure security is for a HUGE, very respectable establishment to offer website services that have the ultimate in security standards. Everyone operating in specific fields is grouped together and services are standard amongst all. All the software is up to date, all the staff is trained until they are gagging at the sight of another round of training. Blah, blah, blah. Without some sort of absolutely strict configuration management, this is all a big foul-odored food fight. No one has a clear direction, let alone the definition of “adequate”.