ACMA report highlights Australians’ lack of confidence in on line privacy
November 13, 2013 |
Zdnet reports, in Aussies’ lack of confidence in online privacy leads them to lie, on a ACMA commissioned report which found that almost half Australian’s provide inaccurate details on line to protect their data from misuse.
It provides:
Almost half of all Australians admit to providing fake details online to protect their actual details from misuse, according to a study conducted on behalf of the Australian Communications and Media Authority.
The research report, Digital footprints and identities, was conducted by Taverner Research and in addition to research conducted across nine online forums at the end of last year, surveyed 2509 Australians in March this year.
It found that respondents were generally aware that their personal information could be gathered, but were not aware, specifically, of how it could be used in malicious ways. As expected, the younger the participant, the more likely they were to generally trust privacy controls put in place by websites, but conversely, they were also more likely to provide false information.
“Users, especially younger users, appeared willing to replace anonymity with what might be termed ‘pseudonymity’. They would do this by withholding or misstating one or more of their real name, their actual age or date of birth, their email address or their physical address,” the report read.
Businesses appear to be failing to inspire confidence in their customers online in this regard. Only one in six respondents said they never felt the need to give inaccurate information. That could cost businesses dearly, with the report stating that one in three respondents said they would simply rather not use a site than have to provide inaccurate information.
While the size and existing reputation of an organisation contributed to customer confidence, there were other more subtle actions that businesses could take to put customers at ease. Using HTTPS (and therefore providing an in-browser padlock symbol), minimising third-party advertising, and evidence of proper grammar and spelling all contributed to raising consumer confidence.
Similarly, a clear understanding of why it was necessary to provide their personal information would serve a business well. However, if businesses thought they could point to their terms and conditions, the report showed that they were mistaken. Only 1 in 10 check the terms and conditions about how their personal information is protected and just 3 in 10 skim over the main points.
“Many participants objected to providing any information unless they could see a need for it, given the nature of the use they were making of the site, service or application. Participants felt that providers simply did not have the right to access some information and that users should have control over how their personal information was used.”
Although there are many ways in which businesses can boost consumer confidence, there were plenty of things they could do to further damage their reputation and trust.
At the top of the list of annoyances was losing customer credit card details. Mobile or home phone numbers being passed to telemarketers followed closely behind, along with private photos being posted in the public domain.
It has also been reported on in itwire (here), techworld (here) and Computerworld (here).
The ACMA’s media release is found here and provides:
New research released today suggests almost half of Australians (47 per cent) admit to giving false personal details to online sites.
The Australian Communications and Media Authority’s Digital footprints and identities research report indicates that Australians have three distinct online ‘identities’:
- a ‘social identity’—used for social networking and often including photos and other personal data that is shared with their online communities
- a ‘transactional identity’—the minimum identity information required by financial institutions, insurance companies, online retailers or government agencies to complete a specific task
- a ‘professional identity’—a positive picture of one’s skills, experience or business offering.
‘This research suggests Australians balance the rewards and risks of engaging in the online world and are putting some considerable thought into the construction of their digital identities. With personal data becoming a key asset in the digital economy, protecting against unwanted intrusions, embarrassment and financial loss is crucial to how individuals successfully manage their online interactions,’ said ACMA Chairman Chris Chapman.
Some Australians respond to unwelcome demands for online information by going to another service. But a significant number (47 per cent)—rising to 64 per cent of those aged 18 to 24—adopt a digital disguise by providing inaccurate or misleading information about themselves, effectively relying on anonymity and pseudonymity for protection.
The report also indicates that most of us (65 per cent) are managing between five and 50 login and password combinations for day-to-day online activities; however, and not surprisingly, half of us (51 per cent) sometimes have difficulty managing these. The research also suggests that Australians want to know more about why and how their personal information will be used, while almost half agree they are primarily responsible for protecting their online identity data.
‘Just as in the physical world, Australians want control over the way they share information about who they are and what they do online,’ said Mr Chapman.
There are a number of strategies to help Australians take control of their online identities including conducting a personal identity audit and consider using Privacy Enhancing tools (PETs) such as digital key-chains and password vaults. These are discussed in Managing your digital identity, also released today, the first of three short reports that drill down on the specific research findings.
Backgrounder
The Digital footprints and identities research is a product of researchacma, the ACMA’s program that identifies communications and media matters of continuing significance to society, markets and government. This particular research aims to understand the behaviours and attitudes relevant to the creation, use and management of an individual’s digital identity; the management of digital information online; and what makes an individual willing to provide personal information online.
The two reports released today about digital footprints and identities are:
- Digital footprints and identities—Community attitudinal research report: A detailed report of the qualitative and quantitative research undertaken by Taverner Research.
- Managing your digital identity—Digital footprints and identities research, Short report 1: Looks at strategies available to Australians to manage their digital identities.
- The two remaining papers in the series, to be published over the coming week, will discuss further details on the research:
- Sharing digital identity—Digital footprints and identities research, Short report : Focuses on the implications of consumer online behaviour and attitudes for service providers.
- Identity and responsibility—Digital footprints and identities research, Short report 3: Looks at Australians’ expectations about responsibility for managing personal data.
These four reports also contribute to the ACMA’s research program on digital society to identify the regulatory settings and interventions that help citizens protect their personal information and digital data in an information economy.
The key findings of the report are:
Key findings
Personal information online
Participants in the qualitative research did not see themselves as managing digital identities but rather as performing tasks such as:
> identifying themselves
> minimising and controlling the personal information they provide
> protecting themselves from unwanted intrusions, embarrassment and financial loss.
Qualitative research participants and quantitative research respondents were generally aware that they risked having personal information that they provided when registering for sites, services and applications used in ways they did not want. Trust in assurances about privacy and in privacy settings was low, with many quite sceptical about current industry practices. Many also saw little point in checking assurances in terms and conditions of use. Participants in the qualitative research explained that, if you wanted to use a site, you had to agree. Reading terms and conditions was often made difficult by their length, complex language and the use of small font sizes. However, only a minority of those involved said this was a barrier to engaging in internet activity.
Context was important in determining how participants managed their personal information and what information they were willing to provide. Discussions with them revealed that they had ’transactional‘, ‘social’, and ‘professional’ identities. Their strategies for using these identities differed accordingly. As part of a transactional identity, participants tried to limit the information they provided to only what was necessary for the transaction. With their social identity, they may be more willing to provide personal information, but they were cautious about data that may be used to identify them publicly. They were generally careful about how they constructed their professional identity on sites such as LinkedIn.
Participants wanted to maintain control of their online identity, irrespective of the context.
Some who took part in the research were largely unaware of how digital footprint data can be gathered and packaged for commercial use, and found this possibility disturbing. The majority were aware what can be gathered, if not always of the full extent. While many worried about the use that could be made of their digital footprints, others took the view that privacy is limited or does not really exist for internet users. Still, being able to maintain a degree of anonymity and control over personal information remained important to them.
The types of breaches that would annoy them most included:
> having their personal images revealed or their reputation damaged by personal information being spread around
> potential financial loss through credit card details being compromised
> becoming the target of unwanted marketing, especially offline.
For most, the primary concern was online information, such as their physical address, being disclosed, which may pose a risk in the ‘real’ world.
Identity management
Respondents reported having a large number of unique logins or passwords—from fewer than five to more than 50. Only a minority considered keeping track of their logins and passwords a serious problem or something that was difficult to manage. Many found it no problem at all. However, taken with other research about how users manage identifiers, it appears that many were not aware that the identity management practices they adopted—such as reusing the same or similar logins and passwords for multiple sites—placed them at risk.
Respondents were divided about the level of protection accorded their personal information when using a password-protected site, service or application. They were more likely to be confident about the safety of information they provided if access relied on biometric identifiers.
In both parts of the research, older users were more likely to say they coped with unwanted requests for personal information by not giving information or not using a supplier. Younger users were more likely to say they would give inaccurate information or supply an email address they did not use or was invalid.
Providing information that was inaccurate, or withholding information not considered necessary, provided a degree of pseudonymity and anonymity, which can be a way to manage online identities. However, this has implications for those who collect or aggregate data based on digital footprints.
A majority of quantitative survey respondents were aware of facilities that enable logging in to third-party services through an existing digital identity, such as a webmail or social media account. Despite this high awareness, less than one in four had used these services. Many had major reservations about the security of the credentials or personal information they provided to a third-party login service. They also had reservations about the potential tracking of their use of other sites and the subsequent use of this information.
Respondents were sceptical about more complex identity tools and certification services. They recognised the convenience of being able to use a single identity certification service to access many sites and services. However, they had reservations about security against hacking and misuse of personal information. Consequently, most were not willing to consider using these services. Many preferred to continue using multiple logins and passwords, simply to minimise the damage that could result if all their personal data was found in one place. These concerns have implications for data-hosting and storage services, such as cloud services, that promote the benefits of easy access to data through a single storage facility.
What it means for citizens and providers
A range of barriers arising from identity management practices currently prevent citizens from engaging confidently with online services aimed at assisting them with the management of their online presence. These barriers are:
> Some users need to be persuaded that their current ways of keeping track of identifiers for multiple sites, services and applications potentially leave them vulnerable to data theft or fraud.
> Many need highly credible assurances that they will have control over the use of their personal information and digital footprints if they are to use such services.
Many require much greater confidence than they currently have that online identity management services are well protected against malicious intrusion.
When implementing changes, providers will need to take account of the strategies that individuals currently employ to manage their online identity and information. Providers need to understand why people want to remain anonymous or create pseudonyms.
Protective action
Internet users saw a role for government in educating them about managing their digital information generated by using the internet. They also saw government encouraging providers to promote safe use practices. About half of the online survey respondents believed government should take an active role and control how providers acquired and used personal information. A minority believed government had no role to play, while most recognised that users and service providers shared the primary responsibility for protecting information. Almost 40 per cent of respondents would complain about unwanted use to the service provider they considered responsible. Apart from this group, there was uncertainty about where (if anywhere) internet users could effectively complain about the unwanted use of their personal information.