Study on User Consent and Spyware

Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware by Nathaniel Good et al. I’ve already lauded this study after I heard Deirdre Mulligan present the findings at the Boalt Spyware conference in April. If we agree with its findings, then this paper destroys many of the foundational assumptions of regulators and anti-spyware advocates about consumer behavior and psychology, thus highlighting how many current regulatory/consumer protection efforts are misdirected.

The key findings (from the abstract):

“Our study indicates that while notice is important, notice alone may not be enough to affect users’ decisions to install an application. We found that users have limited understanding of EULA content and little desire to read lengthy notices. Users found short, concise notices more useful, and noticed them more often, yet they did not have a significant effect on installation for our population. When users were informed of the actual contents of the EULAs to which they agreed, we found that users often regret their installation decisions.

We discovered that regardless of the bundled content, users will often install an application if they believe the utility is high enough. However, we discovered that privacy and security become important factors when choosing between two applications with similar functionality. Given two similar programs (e.g., KaZaA and Edonkey), consumers will choose the one they believe to be less invasive and more stable. We also found that providing vague information in EULAs and short notices can create an unwarranted impression of increased security. In these cases, it may be helpful to have a standardized format for assessing the possible options and trade-offs between applications.”

Highly recommended reading.

UPDATE: Eric L. Howes does a careful analysis of the study and, not surprisingly, identifies some possible limitations of the study. No study is perfect, and that includes a limited-scale ethnographic study. Instead, I look at this study as a challenge to the anti-spyware community to question some deeply-held views about what users are doing in the field and what will help those users make good (better?) choices.