Privacy Perceptions

Type "John Ashcroft" in the Google search engine, and you'll find links to the attorney general's official biography and a video of Ashcroft singing his self-penned patriotic hymn, "Let the Eagle Soar." But you'll also find an outlandish Web shock page that compares Ashcroft to a Nazi and myriad other sites calling him the single biggest threat to Americans' constitutional liberties, particularly their right to privacy.

Considering the histrionics of Ashcroft's Internet critics, one might assume they represent only a small, vocal minority. But that assumption would be wrong.

That, at least, is the finding of a new study by an Arizona-based think tank that asked 6,313 Americans whether they believe five dozen government organizations safeguard the personal information they collect and use about them. In the survey, the Office of the Attorney General ranked dead last, with less than one-fourth of respondents saying they were "confident" Ashcroft's office is "committed to protecting the privacy of my personal information."

Given the public outcry over privacy provisions in the USA Patriot Act that Ashcroft has backed, it's not surprising that some people report misgivings about his privacy ethics. But the survey, conducted by the independent Ponemon Institute, which studies privacy management practices in business and government, found that the rationale people's opinions about privacy often isn't realistic.

Privacy perception is largely formed by people's assumptions about an organization's character based on their personal experiences or commonly held beliefs, says Larry Ponemon, the institute's chairman. For example, the U.S. Postal Service tops the list of trusted federal organizations, with 78 percent saying they believe it's committed to privacy. "Most people love the Postal Service," says Ponemon, who also founded the business-ethics practice of consulting giant PricewaterhouseCoopers. Never mind that a letter carrier is the person best poised to snoop into people's mail. Citizens think their mail carrier is trustworthy, especially if it's someone they see daily or are friendly with, Ponemon says.

Public appearance helps, too. Some post offices hang written privacy policies on their walls. Thus, "It really looks like they do a very, very good job on privacy," Ponemon says.

But even when customers can't see an agency's commitment, they still form perceptions based on what they hope to be true. Take the Internal Revenue Service, arguably the most vilified of all federal agencies. It ranked third on the trust list, with 75 percent believing their personal data is safe with the Tax Man. Why? People want to believe that their tax returns are private documents, Ponemon says. But also, because the IRS presents itself as an all-powerful agency-the only certainties in life, after all, are death and taxes-people think it would take "an act of God" for a non-IRS employee to gain access to their tax returns, Ponemon says.

By and large, the IRS and the Postal Service do protect people's personal information. But it would be folly to presume that because citizens' perceptions jibe with the facts, their views are based on a wealth of knowledge about what information the government would like to collect.

Some of the most controversial counterterrorism initiatives are the furthest below the public's privacy radar, the study reveals. For example, the Defense Department's Total Information Awareness program-which theorized that databases of commercial transactions hold valuable clues about terrorist planning-was relatively unknown to most people. In fact, when asked to rate the Defense Advanced Research Projects Agency, TIA's overseer, 67 percent of people had no response at all, an indication that they knew nothing about the agency or had never heard of it. The study's authors omitted from the final results DARPA and 15 other organizations that elicited blank stares. Among the toss-outs were at least four organizations involved in counterterrorism initiatives that use personal information in some form.

"It's amazing how little people knew," says Ponemon. He says respondents "had an unrealistic expectation" about what agencies did with their information or why they were collecting it.

The study also suggests that people might not care. Rounding out the bottom of the trust list, above the Attorney General, were the Homeland Security Department and the Central Intelligence Agency, respectively. Ponemon's research team turned up a fair share of conspiracy theorists who believe security and intelligence agencies operate by their own sets of rules-those who think "a black helicopter lands on your lawn when you do something wrong," Ponemon says.

But when researchers probed why people rated those agencies so low, they found it wasn't because people assumed they were abusing privacy. Rather, they thought that for the agencies to be effective, they needed to operate outside traditional boundaries-and the respondents were comfortable with that.

Preventing terrorism, re-spondents assumed, requires a trade-off-privacy for protection. The only way Homeland Security can succeed is to play looser with the privacy rules, people said. The same holds for the CIA, the National Security Agency and the FBI.

This isn't only the opinion of a few people-it's a trend, Ponemon says. People's privacy perceptions correlate directly with how they want the government organizations in question to act. People want their mail to be private. They don't want anyone besides IRS employees looking at their tax returns. But they hope terror-fighting agencies aren't so hemmed in by privacy laws that they can't prevent attacks.

Ultimately, how people perceive the world has a lot to do with how they behave in it. Take automated teller machines, Ponemon says. Many respondents thought they were monitored in real time at ATMs. It's unrealistic, he says, but it affects how often people use cash machines. So, if banks want those customers to use that service, they'd better understand what might keep them away.

For government, even good privacy ratings don't ensure total trust. For instance, among those who expressed a favorable opinion of the IRS, some said they still wouldn't file their taxes electronically at the IRS' Web site, because they thought doing so would give the agency access to other financial information stored on their home computers.

But could there be an upside to disinformation? If people believe cameras are posted at every traffic intersection to catch speeders and red-light runners-they're not-might they slow down or think twice before zooming under a yellow light, Ponemon asks.

Homeland Security agencies aren't collecting data on hordes of people-yet-but the study indicates that people think they're doing just that. Does this change the way people behave? That's the subject for another study. But one has to wonder, especially as information collection increases, whether perception isn't what really defines reality.