Two weeks ago we ran another of our LinkedIn polls, querying the cyber, identity and access management community around a perennial question the industry has yet to consistently provide an answer for – in both user behaviour and technical solutions – “would you pay for privacy?”.
The answer was clear. 79% of the respondents answered with a resounding yes. On face value, that would seem a reasonable response. We all want to protect our personally identifiable information (PII), financial transaction history, medical wearable data, our locations or even our music listening history – 80’s disco people, you know who you are!
However, this result needs unpacking a little. Many of us act irrationally when it comes to privacy and data security. It can be compared to our attitudes towards health and wellbeing. Think of issues like smoking, or healthy eating, drinking 6 pints of water a day or exercising 5 times a week. Individually we know the benefits. We know that exercise and low fat diets are good for us – yet the benefits are not necessarily seen with each incremental or marginal cost we invest in those activities. “Another glass of wine won’t hurt”. “Another Christmas mince pie”. All incremental, yet the benefit of abstaining is more subtle and often only seen in the long term. The same could be said about the privacy of our data. We all want to protect our data, yet we often behave to the contrary.
Who reads the terms and conditions of the web sites we sign up for to get a seasonal bargain during cyber Friday? Who selects long and complex passwords for every different website? Who downloads and removes their account data from a cloud service when they no longer use an app on their mobile? Who uses different sites for purchases in order to restrict profiling and adverts?
We often see future utility (an economics term for benefits and happiness) as having less value to us than the more immediate. This concept gets amplified when it comes to our data, in my opinion. We are prepared to make decisions with short term impacts when it comes to data handling.
We start to see a conflict (other than the long standing security versus usability one) which emerges between privacy and personalisation. I wrote a section on this topic in detail when researching my book on consumer identity and access management. Personalisation for the recommendations we want to see, the data that belongs to us, our transaction history, or preferences and likes – we want a service to deliver the same empathy a good physical interaction may deliver from a nice restaurant or top department store. We want personal touches. However, for that level of service to be delivered online – the service needs to know who it is interacting with. That “knowing” comes from the sacrificing of personal data. Hence we see this personalisation versus privacy spiral – combined with the toxic data problem being parked as a future concern.
This in turn brings a second issue – what is the incentive for the service provider to protect and uphold privacy, if that in turn means they can no longer deliver a personal experience, or leverage analytics and tracking that can be used to cross sell, or share data with a broader ecosystem for more powerful insights and service delivery? The sight of privacy regulation (enter stage left GDPR, CCPA and others) indicates they have no incentive and require a pretty big compliance stick to make them listen and behave.
So back to the concept of paying for privacy. This likely indicates that many users feel that many services are not upholding privacy – otherwise paying for it becomes a moot point. A deeper question becomes how can that privacy enhanced service be created and in turn monetized? Does your favourite streaming service have another “premium” subscription with higher rates per month? Does your bank give reduced rates if you accept your transaction data will be shared? How does privacy get measured? How can the consumer of the service compare and contrast service offerings?
Many identity and access management suppliers often talk about consent – providing services for capturing, storing and revoking consent that the end user needs to provide to the service provider to allow some sort of privacy contract to exist.
A quick keyword search across some of the leading IAM vendors provides some interesting anecdotal stats.
| Vendor / Keyword / No. of Hits | Authentication | Privacy | Consent | MFA |
So what does the above table show? Well, some interesting stats: namely that authentication is still typically more relevant for many vendors, with consent scoring highly as well. It seems there is certainly a market for privacy and consent related features within the IAM fold, just perhaps not as mature as some other major components.
A final comment concerns whether privacy is now becoming a competitive differentiator. The likes of Apple and Samsung have gone head to head in recent months using privacy as part of global advertising campaigns attempting to convince end users that their data will be safe with them. It’s difficult to tell the impact, but clearly big brands see privacy as a new competitive battlefield.