A few weeks ago, we decided to launch a US-based consumer study, focused on understanding how non-techie consumers think about both privacy and security. Our goal was to learn what consumers understand both these terms to mean, what core behavior changes do they make (if any) with products and services based on their privacy or security concerns, and which companies they trust more than others in both cases. Prior to launching the study, I looked at many different studies done by consulting companies, banks, and financial institutions, as well as government studies, to see what kind of questions had been asked before. I also spent some time interviewing consumers to hear how they talk about privacy and security when it came to different products and services. Even with all the prior work put in, this was still one of the hardest studies to get consumer participation. The difficulty of the subject matter itself, along with the high initial abandonment rate we suffered on the study, was a lesson in and of itself. We left comment boxes in certain places of the study and, quite frequently, consumers felt they weren’t adequately informed enough to participate, didn’t have strong opinions, didn’t want to think about it or just didn’t care. The open comments sections were some of the places we received the keenest insights into how consumers view these subjects. With with a few wording changes and adaptions to the study, we finally got enough people to complete it for it to be statistically representative.
Privacy and Security, Same or Different?
We broke the study out into two sections: one on privacy and the other on security. We asked consumers what they felt each term meant and left the same answer options for both questions. Below is the merged chart for both the privacy definition question and the security definition question.
As you can see, consumers felt the strongest definition of privacy was “Not selling personal data, or letting third parties access personal data.” When it came to security, consumers felt the strongest definition was “Secure and encrypt my data so no one can hack or steal it”. But, as our gut sense suggested, there is a fair amount of overlap in how consumers think about privacy and security with the same two answers being quite high in both questions. A core conclusion was, while privacy and security are two separate things, consumers tend to blend their understanding of them into the same definition. In the mind of the consumer, what is private is secure and what is secure is private.
Who Do You Trust With Your Privacy and Security?
Thanks to some other studies, I read quite a bit about how consumers trust things like government and financial institutions. We wanted to look at some of the bigger names in tech and social media as a start.
Apple and Microsoft were nearly neck and neck for the top spot of consumer trust when it came to privacy. Apple squeezed out the top spot overall and, not surprisingly, the top spot among iPhone owners. Microsoft was the most trusted company with privacy by Android owners followed by Apple. Google was in a solid third place regardless of age and smartphone owned, followed closely by Amazon and then Samsung. We asked consumers to rank these companies with a “1” being the most trusted and “8” being the least trusted. Facebook came in at 5.7 followed by Twitter at 6.2 and lastly, Snapchat at 6.7. Interestingly, the ranking did not change much even when we looked at younger consumers 18-25, who are within the Snapchat demographic. Snapchat moved up to the 7th place with this demographic and Twitter was last. Snapchat falling into last place overall is not surprising since a good portion of our respondents did not have a Snapchat account or use the service.
Here is the top line results on company rankings on privacy. The results for rankings with security were not much different.
Reading the comments about why consumers made some of the choices they did proved insightful. It is clear there is a understandable trade off consumers make when they use things which they know are more public, like Facebook. Consumers know what they post is open for anyone to see. Therefore, their feelings around privacy for these services are somewhat less strict. With companies where their actions and behavior are not public like Apple, Microsoft, and Google, they seem to embrace a higher degree of trust since what they do on their phones, PCs, and even what they search for, is not publicly tied back to them as an individual the same way what they do on social media can be tied directly back to who they are. This became clear when we examined behavioral changes they make on social media. The top answer was to be more intentional and careful about what they share/post on social media.
Google was an interesting one for us to explore. We created a few questions just around Google and what consumers believe Google knows about them and what they don’t. While most consumers use Google’s search, they acknowledge the creepiness factor of when you are on a different website seeing ads for things you searched for on Google. Interestingly, while Google was the third most trusted company in both privacy and security rankings, 52% of consumers said they really have no idea how much Google knows about them.
Privacy and Security Fanatics
We know there are some hard core consumers with very strong feelings about their privacy and security and, until now, we didn’t know what percent of the market these consumers made up. We asked some specific questions to help us narrow the field to those who are the most privacy and security conscious. For example, 20.3% of our respondents said they cover their device’s camera with a piece of tape. 13% said they have installed privacy enhancing plug-ins in their devices browser. 15% installed some kind of security software on their smartphone. 11% specifically switched their text/messaging service to one they consider more private and secure. We asked many more to narrow this down but, in each instance, we did not see responses go above the 20% mark. Which leads me to believe the percent of US-based consumers who are the most privacy and security conscious make up around 15-20% of the market, approximately. This demographic tends to skew older — 50+ and heavily female.
While not a large group, it is helpful to get an idea of the size of the market for more privacy and security conscious consumers, especially as more companies are looking to sell products and services with a heavy emphasis on these issues.
As I mentioned at the start, the most interesting takeaway was the difficulty of the subject matter and that it is a difficult topic, one where there is more uncertainty than certainty. I am convinced that any company’s message that over-indexes on the privacy or security angle will only resonate with a portion of the market. Still, I encourage companies to keep pushing both privacy and security forward on behalf of the consumer simply because it is the right thing to do. Consumers will appreciate it, even if they don’t fully understand, or care, about all that is involved.
I think one of the key issues is that privacy and security don’t exist in a vacuum. In theory, everyone wants them. In theory, everyone can have them: setup your own mail server, your own… OwnCloud server, subscribe to a VPN, install Privacy Badger and Ublock Origin, when you register on any site do it from a dedicated mail account, avoid the most egregious stuff, etc …
In practice, not only is that too much trouble/time/money, but I’m wondering if people aren’t actually happy to relinquish some privacy in exchange for free stuff, better AI, more friends, better push articles…. Even for security which is a wholly different issue with no upside, people take woeful shortcuts (123456 is still the most common password, and it doesn’t get better further down the list)
As an aside, I’m worried about MS: they used to monetize directly, but with Windows 10 they’ve gone ad+tracking-heavy. I haven’t seen a detailed privacy scorecard, that would be interesting, especially if it compared all major players. I’m fairly sure all of them (including Apple) track location, searches/interests, social graph… The question only becomes how safe the data is, and whom they share it with.
I guess I am in the <20%. I block my device cameras with tape, because
I have absolutely no use for them, so the only purpose they would have
is if someone managed to hack in. I know the odds are very low, but I have piece of mind that it is now zero instead of low. I also use noscript to control what runs on Web pages. I have Facebook and Google Analytics actively set as untrusted. I never use Facebook, but I still use some Google services.
I am also more concerned about Microsoft. With Google, we aren't the customers, we are the product, and MS seems intent in following them into that line of business.
On that list, I only trust Apple, but I don't actually use Apple products, because their higher prices but that may change (I was very disappointed in my Android tablet).
When support for Windows 7 ends I may switch to Linux (note I have installed it dozens of times, so this is not an idle whim for me), and move my trust from companies to a community of somewhat like minded individuals.
And I don’t block my camera because my ugly mug is of no interest to anyone ^^
Maybe I should try Linux again. I’ve given up on it a decade ago after several attempts, because a) too many failed installs (because drivers…), too many niggles (I like my App bar on the right side of my main screen, which was only doable with very ugly sideways text last time I tried), and above all extremely bad documentation (I ended up using the wrong terminal multiplexer, the wrong startup manager, wasting hours because SMB support wasn’t in the kernel…). At the end of the day I was spending hours not even reaching my goals but hunting for documentation to do stuff I can do in 2 minutes in Windows.
Privacy issues aside, Win10 is very nice. And most of the tracking can be disabled: https://arstechnica.com/information-technology/2015/08/windows-10-doesnt-offer-much-privacy-by-default-heres-how-to-fix-it/
.
Is it your “ugly mug” that might be interesting to someone?
Similar experience here. Linux is never really as good as proponents would have you believe. When Windows 7 expires, it will be time to look at all options.
It’s not just privacy. I don’t want Microsoft in control of updates, especially given that they utterly destroyed what little trust they had accumulated by practically trying to Malware Windows 10 on to my computer.
Only by removing the offending update, and blocking it for the next few months did I keep the Windows 10 Malware/Nagware off my PC.
What happens when I get an OS from Microsoft, where I no longer control updates and Microsoft decides to do things I don’t like, and by that point I am powerless to stop them? Microsoft’s heavy handed Approach trying to force Windows 10 on me, is evidence they shouldn’t have the extra power they have given themselves in Windows 10.
I don’t see Microsoft relenting on this, so I think odds are good, I will be switching OS in 2020. I am hoping for many Linux improvements by then. Though I will probably keep Windows 7 around offline for my Legacy software.
Apparently you can stop Win10 from auto-updating by a) setting your Internet connection as “metered” or b) setting the WindowsUpdate service to to “disabled”. And they supply a tool to block individual updates. They did disable the config option and the registry hack to disable all updates globally, except in the Entreprise version (so in Home, and Pro, not sure about Edu)
I don’t think MS’s goals are primarily nefarious, the overwhelming majority of people will benefit from being always up to date. But combined with MS’s rollback of privacy, that is indeed concerning.
Sure, they were trying to cram Windows 10 onto my computer, malware style, because that’s what good guys do. 😉
Any benefit of the doubt I gave to Microsoft ended with that move.
I agree with you, yet no mention of the even more stern influence iOS has over your devices.
Well, I have no iOS devices. I also consider them a different class of device than a desktop computer.
Thanks. I agree they are a different class of device, though I still object over what I consider undue influence as you’ve described on Windows. Also they are not to be confused with PCs as some would spin it.
“Though I will probably keep Windows 7 around offline for my Legacy software.”
With Wine, you probably don’t need to do that.
I have looked into Wine. Lots of fiddling, no guarantees and a performance hit if it works. I think it would just be easier to keep a Windows boot.
On Mac OS, there’s winebottler, which does away with most of the fiddling and in my limited experience, just works for a significant number of windows apps.
And the performance hit doesn’t really matter for most apps, and it’s a lot more convenient than constantly rebooting or maintaining a VM install of Windows.
Linux? KMN! What a giant pain. I can’t believe the time I wasted with various flavours and versions of that.
At work, almost everyone was a Windows devotee, but a major change in the work environment and special staff deals resulted in almost everyone (I can’t remember if it turned out to be close to 100%) dipped their toes in the Mac pool, mostly MacBook pros. Within months they barely even bothered with boot camp, some even tooled around with hackintoshes for fun. It apparently isn’t as bad as you think, although they loved to come around and tell me when things went wrong or about stuff they didn’t like, like it was my fault. They all went on to second or third macs though.
I didn’t mind 2000, XP and 7 and could get a few things done, but 10 must be excruciating. You could always go commando, er, command line in terminal.
Even my Apple hating friends are moving slowly across, one phone or ipad at a time, then the harder stuff, with no input or prompting from me, because that would never go down well. I’d be snapping up pre 2016 macs though, with hackintoshes more as a hobby, especially if you want to keep 7 running in bootcamp or a virtual machine (which run surprisingly well).
Actually 10 is the best one yet. Vista was an abomination.
This is very interesting and I too follow the studies on privacy and security. As you mention in this article, many people are simply unaware of how much data is being gathered about them.
On the other hand, we are seeing more and more security breaches, and now with the Yahoo one, a large proportion of internet users will have encountered one first hand. Given current trends, the number of breaches will likely increase and more people will become aware of security issues. Also with smart assistants, more people will become aware that their devices collect a lot of data about themselves. This is likely to result in more people becoming awareness of the issues.
For this reason, I am interested in the people who only recently learned about how much personal information is being gathered. These are the people that will shape future sentiment. Do they tend to be more alarmed when they realise what’s happening?
One of the biggest issue I have is that people keep conflating Security and Privacy. The two barely intersect:
– the threats come from different entities (hackers vs merchants/governments)
– the issues originate from different weak points (mostly end-user vs mostly provider)
– the involved data is different (mostly declarative data vs mostly tracking data)
Sure, they do intersect some, for example where precisely targeting an individual is worth the effort, or when private data is hosted by a provider in the cloud. But that’s <1% of the cases I'd guess. Mostly, the 2 issues are unrelated, and the biggest combo threat is government, which is a political, not a technical/commercial issue.
I'm fairly sure Google isn't a champion of Privacy. I'm also fairly sure they're excellent at Security.
I understand your point from a technical point of view, but this article clearly shows that most people do confuse privacy and security. Unless somebody launches a grand marketing campaign to educate consumers, I expect this to continue to be the case.
Therefore, breaches of security which are all too common nowadays, will cause consumers to worry about privacy and vice versa.
Sometimes the education is done by schools. I keep being floored at how schools don’t deal with Marketing nor IT.
Counting on marketing for education is… ass-backwards. And fake-news-inducing.
The education that currently IS being done in Japanese schools emphasises staying safe. That means not trusting the Internet.
I would not hold my breath waiting for when schools teach ordinary folk about the differences between security and privacy. If anything, they’ll probably tell you how to use an ad blocker as if they’re teaching safe sex.
Yep. We’ve had around 40 years of eduction being dumbed down, because, you know, you don’t want to have the general public thinking, or they’ll figure out what’s happening to them.
I would have had more respect for the research and the article if you did not have a section entitled “Privacy and Security Fanatics”.
Irrelevant since it doesn’t skew the data. But, honestly, the write in answers we reviewed this was a term this group used quite often as a self-selecting qualifier. They acknolwedge they are more hard core than others when it came to their views.
Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.
Excellent article! We will be linking to this particularly great article on our website. Keep up the good writing.
This is my first time pay a quick visit at here and i am really happy to read everthing at one place