This action might not be possible to undo. Are you sure you want to continue?
Aleecia M. McDonald and Lorrie Faith Cranor Carnegie Mellon University
Revised September 26, 2008 for the Telecommunications Policy Research Conference
Economics Theories of Privacy Policies
(Laudon, 1996). Varian sees privacy as the “right not to be annoyed” and suggests webbased contracts to sell specific information for specific uses during a fixed time frame (Varian, 2008). Yet no such market of micropayments for personal information exists. Garfinkel notes that in the current market place, where corporations resell information to other corporations, payments are already low. He estimates that payments to individuals for their information would be worth about a penny per name, which is far lower than most people would be willing to accept (Garfinkel, 2001). Since Garfinkel’s analysis, the market for personal information has been flooded with readily available information. Even stolen information is worth only about a tenth what it used to fetch on the black market (Trevelyan, 2008.) With sellers demanding more than buyers will pay, there is no zone of possible agreement, and thus no transactions would take place. In this paper we explore a different way of looking at privacy transactions. What if online users actually followed the FTC’s vision? What would the cost be if all American Internet users took the time to read all of the privacy policies for every site they visit each year? We model this with calculations of the time to read or skim policies, the average number of unique websites that Internet users visit each year, and the average value of time, as we present in section 2. In section 3, we combine these elements to estimate the total annual time to read policies as well as the cost to do so, both for individuals and nationwide. We discuss our findings and present our conclusions in section 4.
Inputs to the Model
Time to Read Privacy Policies
We used two different methods to estimate the average time to read online privacy policies. First, we took the average word length of the most popular sites’ privacy policies and multiplied that by typical words per minute (WPM) reading speeds. Second, we performed an online study and measured the time it took participants to —5—
2.1.1 Calculated Estimate to Read Popular Website Privacy Policies
We measured the word count of the 75 most popular websites based on a list of 30,000 most frequently clicked on websites from AOL search data in October, 2005. Because these are the most popular sites, they encompass the sorts of policies Internet users would be most likely to encounter. As seen in Figure 1, we found a wide range of policy lengths from a low of only 144 words to a high of 7,669 words — about 15 pages of text. To avoid biasing our results based on outliers we used a range of word count values from the first quartile to the third quartile, with the mean value as a point estimate.
To avoid biasing our results based on outliers, we removed from consideration the highest 25% and lowest 25% results while considering a range of possible values. In this paper, the first quartile is the average of all data points below the median; the third quartile is the average of all data points above the median. These are single values and not a range of values. Point estimates are our single “best guess” in the face of uncertainty. —6—
Figure 1: Probability Density Function (PDF) and Cumulative Distribution Function (CDF) of Word Counts in Popular Website Privacy Policies
We calculated the time to read policies as the word length of common privacy policies times 250 WPM, which is a typical reading rate for people with a high school education (Carver, 1983).
Table 1: Times to read entire privacy policies for average readers
Word Count Short Policy (First Quartile Mean Length) Medium Policy (Mean Length) Long Policy (Third Quartile Mean Length) 2,071 /
Reading Rate 250 WPM =
Time to Read One Policy 8 minutes
250 WPM 250 WPM
10 minutes 12 minutes
As seen in Table 1, we find that it takes about eight to twelve minutes to read privacy policies on the most popular sites, with a point estimate of ten minutes per policy. These —7—
estimates may be slightly low due to the jargon and advanced vocabulary in privacy policies. In addition, some people read more slowly online than on paper, which may also make these time estimates slightly low.
2.1.2 Measured Time to Skim Policies
Measured Time to Skim Fast Readers (First Quartile) Average Readers (Mean) Slow Readers (Third Quartile) 3.0 minutes 5.6 minutes 5.8 minutes
Average WPM 311 167 161
Annual Number of Unique Websites Visited
Nielsen Online reported the average number of unique websites that United States Internet users visited at home and at work during March, 2008 (Nielsen, April 2008):
Table 3: Unique monthly and weekly websites visited by US Internet users show repeat visits to most sites week over week
Location Work Home
Unique sites / month 66 119
Unique sites / week 25 40
Scale factor 66% 74%
People visit some of the same sites each week: if not, we would see 100 unique sites per month at home (25 * 4) rather than 66 (see Table 3). From the Nielsen data we computed a scale factor, which is the percentage of sites that Internet users return to week over week. This likely does not scale linearly over a full year but it is a reasonable starting point for estimation. It is likely that people visit some sites both at work and at home and those are effectively double-counted. For instance, someone who visits Google from home and work would have Google show up both in the unique count for home and again for work. This affects the aggregate number of unique sites each person visits on average, which in turn affects the time people need to devote if they are to read all privacy policies. As we will discuss later, the value of time at work greatly exceeds the value of leisure time, so it matters not just how many sites people visit but also where they visit them. —9—
For an upper bound estimate of the number of annual unique websites, if we assume no overlap between sites visited at home and at work, we have 185 sites (66 + 119) in the first month (see Figure 2.) If we further assume each month brings a new unique set of sites, we expect no more than an average of 2220 unique sites per person per year (12 months * 185). Holding the percentage of work and home constant, we expect 792 privacy policies read from work and 1428 from home. For a lower bound estimate, if we assume 100% overlap between sites visited at home and work, we have a total of 119 unique sites (see Figure 4.) If we further assume no new unique sites after the first month, we expect no fewer than an average of 119 sites per year. If we further assume that when Internet users visit sites both at home and at work, they read all of the privacy policies from home, we have a lower bound estimate of 0 privacy policies read from work and 119 from home. As a point estimate, we arbitrarily assume an overlap of half the work sites are also viewed at home, for 33 sites just at work, 33 sites at work and at home, 86 sites just at home, and a total of 152 unique sites (see Figure 3.) We assume that each month people visit some of the same sites and some new sites. The annual scale factor is likely lower than the monthly scale factor, so we used the lower observed rate of 66% repeated sites to calculate an estimate of 1204 annual unique websites on average. We also assume that for sites Internet users visit both at work and at home, they read half of the privacy policies in each location. This yields an annual estimate of 392 privacy policies read from work and 812 from home (see Table 4).
Figure 2: Upper bound estimate of unique monthly websites
Figure 4: Lower bound estimate of unique monthly websites
Figure 3: Point estimate of unique monthly websites
— 10 —
Table 4: Estimates of the annual number of unique websites visited by US Internet users
Estimate Lower bound Point estimate Upper bound
Unique Websites 119 / year 1204 / year 2,220 / year
Policies read at work 0 / year 392 / year 792 / year
Policies read at home 119 / year 812 / year 1,428 / year
Value of Time
Just as the opportunity cost of time in school is a major part of the overall cost of education, Becker argued we should consider the value of time as an implicit cost of goods and services (Becker, 1965). The cost to see a play is not just the price of admission, but also the value that audience members place on their own time (Becker, 1965). Neo-classical economics literature suggests that time should be valued as salary plus overhead, which is the value corporations lose (Leunig, 2005). In the United States, overhead is estimated as twice the rate of take home pay (Kmetovicz, 1992). However, that approach may not be an accurate reflection for those who work a fixed number of hours or are not in the workforce (Baron, 2001). Furthermore, through revealedpresences and willingness-to-pay studies, people value their leisure time at one quarter of their take home pay (Leunig, 2005). Taken together, this suggests that reading privacy policies at work should be valued 2W while reading privacy policies at home should be valued as ¼W, where W is average wages. The Bureau of Labor Statistics finds an average hourly wage of $17.93 for March, 2008 (BLS, 2008). That gives us estimates of $35.86/hour for the value of reading privacy policies at work and $4.48/hour for the value of reading privacy policies at home as seen below in Table 5.
Table 5: Estimates for the value of time to read online privacy policies
Location Home Work
Average value of time $ 4.48 / hour $ 35.86 / hour
Time and Economic Value to Read Privacy Policies
In this section we use the inputs from section 2 to estimate how much time it would take for an individual to read the policies of each website she visits annually. We then use those time estimates as the basis for calculating the value of that time. In both cases we also look at national figures as well as individuals.
— 11 —
Amount of Time to Read Privacy Policies
We multiplied the estimates for the number of unique sites American Internet users visit annually (section 2.2) by the time to read or skim privacy policies (sections 2.1.1 and 2.1.2) and by the estimated 221 million Americans online (Nielsen, May 2008).
Table 6: Annual time estimates for reading and skimming online privacy policies
Estimate Lower bound Point Estimate Upper bound
Individual time to read 16 hours / year 201 hours / year 444 hours / year
Individual time to skim 6 hours / year 112 hours / year 215 hours / year
National time to read 3.5 billion hours / year 44.3 billion hours / year 98.1 billion hours / year
National time to skim 1.3 billion hours / year 24.8 billion hours / year 47.4 billion hours / year
We estimate that if all American Internet users were to annually read the online privacy policies word-for-word each time they visited a new site, the nation would spend about 44.3 billion hours reading privacy policies. To put this in perspective, using the point estimate of 201 hours / year to read privacy policies means an average of 33 minutes a day. This is approximately 46% of the estimated 72 minutes a day people spend using the Internet (Nie, 2005). This exceeds the combined percentage of Internet time devoted to shopping (1.9%) dealing with spam (6.2%) and playing games (13%) in 2005 (Nie, 2005). The estimated time to read privacy policies is on par with the percentage of time people currently spend surfing the web (45.3%).
Value of Time to Read Privacy Policies
We multiplied the time to read or skim policies by the number of policies read at work and the value of time at work, and added that value to the result from the same procedure for policies at home. For national costs, we again estimated 221 million Americans online (Nielsen, May 2008).
— 12 —
Estimate Lower bound Point Upper bound
Individual cost to read $71 / year $2,949 / year $6,960 / year
Individual cost to skim $27 / year $1,652 / year $3,364 / year
National cost to read $15.7 billion / year $651.7 billion / year $1.5 trillion / year
National cost to skim $5.9 billion / year $365.0 billion / year $743.4 million / year
We estimate that if all American Internet users were to annually read the online privacy policies word-for-word each time they visited a new site, the nation would lose about $652 billion from the value of the time to read privacy policies. Again to put this in perspective, in 2005 the average cost to connect to the Internet was $237/year for dial up and $508/year for high speed access (Savage, 2005). This suggests the value of time lost to reading privacy policies would eclipse the cost of even high speed Internet access.
Discussion and Conclusions
Finally, some corporations take the view that their users should read privacy policies and if they fail to do so, it is evidence of lack of concern about privacy. Instead, we counter that websites need to do a better job of conveying their practices in useable ways, which includes reducing the time it takes to read policies. If corporations cannot do so, regulation may be necessary to provide basic privacy protections. Disclosure legislation may be insufficient: adding more text to policies that most consumers do not read does increase transparency, but may otherwise be of limited practical utility.
— 15 —
Federal Trade Commission. Internet Service Provider Settles FTC Privacy Charges, March 10, 2005. < http://www.ftc.gov/opa/2005/03/cartmanager.shtm> Accessed 14 August 2008. Federal Trade Commission. Prepared Statement of The Federal Trade Commission on "Privacy Online: Fair Information Practices In the Electronic Marketplace" Before the Committee on Commerce, Science, and Transportation United States Senate, May 25, 2000. <http://www.ftc.gov/os/2000/05/testimonyprivacy.htm> Federal Trade Commission. Federal Trade Commission Testifies on Online Profiling Report, June 13, 2000. <http://www.ftc.gov/opa/2000/06/profiling.shtm> Federal Trade Commission. Protecting Consumers in the Next Tech-ade: A Report by the Staff of the Federal Trade Commission, March 2008. <http://www.ftc.gov/os/2008/03/P064101tech.pdf> Garfinkel, S. Database nation: the death of privacy in the 21st century, O'Reilly & Associates, Inc., Sebastopol, CA, 2001 Interactive Advertising Bureau. Internet Advertising Revenues Top $21 Billion in ’07, Reaching Record High, May 15, 2008. <http://www.iab.net/about_the_iab/recent_press_releases/press_release_archi ve/press_release/299609> Accessed 15 May 2008. Jensen, C. and Potts, C. 2004. Privacy policies as decision-making tools: an evaluation of online privacy notices. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Vienna, Austria, April 24 - 29, 2004). CHI '04. ACM, New York, NY, 471-478. Jensen, C., Potts, C., and Jensen, C. 2005. Privacy practices of Internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies. Kmetovicz, R. E. New Product Development: Design and Analysis. New York: WileyIEEE (1992), p. 141. Krishnamurthy, S. and Miyazaki, A., “Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions”. Journal of Consumer Affairs, Vol. 36, No. 1, pp. 28-49, Summer 2002 Leunig, T. Time is money: a re-assessment of the passenger social savings from Victorian British Railways. Working Paper No. 09/05, London School of Economics, LargeScale Technological Change series (2005). <http://www.lse.ac.uk/collections/ economicHistory/pdf/LSTC/0905Leunig.pdf> Laudon, K. C. Markets and Privacy. Communications of the ACM, 39, 9, 1996. McCarthy, Jamie. TRUSTe Decides Its Own Fate Today. Slashdot, 8 November 1999 <http://slashdot.org/yro/99/11/05/1021214.shtml> Accessed August 14 2008.
— 16 —
Universal Declaration of Human Rights, December, 1948. Available from <http://www.unhchr.ch/udhr/lang/eng.htm>. Accessed 16 July 2008. Varian, H. R. Economic Aspects of Personal Privacy. December 6, 1996. <http://people.ischool.berkeley.edu/~hal/Papers/privacy/> Accessed 14 May, 2008. Vila, T., Greenstadt, R., and Molnar, D. 2003. Why we can't be bothered to read privacy policies models of privacy economics as a lemons market. In Proceedings of the 5th international Conference on Electronic Commerce (Pittsburgh, Pennsylvania, September 30 - October 03, 2003). ICEC '03, vol. 50. ACM, New York, NY, 403407. W3C Working Group. The platform for privacy preferences 1.1 (P3P1.1) specification, November 2006.
— 18 —
This action might not be possible to undo. Are you sure you want to continue?