Last month, a number of stories in publications such as ProPublica, Mashable, Slate, and The Smithsonian Magazine covered an “experiment” by artist Risa Puno, who asked attendees at an art festival to disclose bits of personal information about themselves in exchange for cookies. ProPublica described the event as a “highly unscientific but delicious experiment” in which “380 New Yorkers gave up sensitive personal information—from fingerprints to partial Social Security numbers—for a cookie.” Of course, we are given no count of the number of people who refused the offer, and the article notes that “[j]ust under half—or 162 people—gave what they said were the last four digits of their Social Security numbers”—with that rather important “what they said” caveat casually buried mid-sentence.
“To get a cookie,” according to the ProPublica story, “people had to turn over personal data that could include their address, driver's license number, phone number and mother's maiden name”—the accuracy of most of which, of course, Puno could also not confirm.
All of this is shocking only if one assumes that people are not capable of lying (especially to artists offering cookies). But the artist declared herself shocked, and ProPublica somberly concluded that “Puno's performance art experiment highlights what privacy experts already know: Many Americans are not sure how much their personal data is worth, and that consumer judgments about what price to put on privacy can be swayed by all kinds of factors.”
In this case, I am at least thankful for the claim that the non-experiment “highlights,” rather than “proves” something. Other stories, however, argued that the people convinced to give up information “demonstrated just how much their personal information was worth.” The Smithsonian argued that the “artistic experiment is confirmation of the idea that people really just have no sense of what information and privacy is worth other than, variably, a whole lot, or, apparently, a cookie.” The headline in The Consumerist blared, “Forget Computer Cookies: People Happily Give Up Personal Data For The Baked Kind” (though, in all fairness, The Consumerist article did highlight the “what they said” bit, and noted that the “finely-honed Brooklynite sense of modern irony may have played a role, too. Plenty of purchasers didn’t even eat their cookies…. They ‘bought’ them so they could post photos on Twitter and Instagram saying things like, ‘Traded all my personal data for a social media cookie’…”—which suggests rather more awareness than Puno gives people credit for).
In any case, prompted by those stories, I decided that a flip-side “artistic experiment” was in order. Last week, together with my partner in privacy-protective performance art—Robert Henry, who is Santa Clara University’s Chief Information Security Officer—I set up a table in between the campus bookstore and the dining area. Bob had recently sent out a campus-wide email reminding people to change their passwords, and we decided that we would offer folks cookies in return for password changes. We printed out a sign that read “Treats for Password Changes,” and we set out two types of treats: cookies and free USB drives. The USB drives all came pre-loaded with a file explaining the security dangers associated with picking up free USB drives. The cookies came pre-loaded with chocolate chips.
We are now happy to report our results. First, a lot of people don’t trust any offers of free cookies. We got a lot of very suspicious looks. Second, within the space of about an hour and a half, about 110 people were easily convinced to change one of their passwords—something that is a good privacy/security practice in itself—in exchange for a cookie. Does this mean people do care about privacy? (To anticipate your question: some people pulled out their phones or computers and appeared to be changing a password right there; others promised to change a password when they got to their computer; we have no way of knowing if they did—just like Puno had no way of knowing whether much of the “information” she got was true. Collected fingerprints aside…) Third, cookies were much, much more popular than the free USB drives. Of course, the cookies were cheaper than the USB drives. Does this mean that people are aware of the security dangers posed by USB drives and are willing to “pay” for privacy?
Responses from the students, parents, and others who stopped to talk with us and enjoy the soft warm chocolate-chip cookies ranged from “I’m a cryptography student and I change my passwords every three months” to “I only have one password—should I change that?” to “I didn’t know you were supposed to change passwords” to “But I just changed my password in response to your email” (which made Bob really happy). It was, if nothing else, an educational experience—in some cases for us, in others for them.
So what does our “artistic experiment” prove? Absolutely nothing, of course—just like Puno’s “experiment,” which prompted so much coverage. (Or maybe they both prove that people like free cookies.)
The danger with projects like hers, though, is that their “conclusions” are often echoed in discussions about business, regulation, or public policy in general: If people give up personal information for a cookie, the argument goes, why should we protect privacy? That is the argument that needs to be refuted—again and again. Poll after poll finds that people say they do value their privacy, are deeply concerned by its erosion, and want more laws to protect it; but some refuse to believe them and turn, instead, to “evidence” from silly “experiments.” If so, we need more flip-side “experiments”—complete, of course, with baked goods.