IV. FOCUS GROUP FINDINGS

IV. FOCUS GROUP FINDINGS

IV. FOCUS GROUP FINDINGS

A. Age Rejected: The Dog That Didn’t Bark!

We begin by acknowledging the rejection of the hypothesis about which we were most confident in its explanatory power. Specifically, it seemed to us that the age of the respondents would matter in a rather systematic way as we explored the implications of the “right to privacy” and technological developments. Our initial intragroup discussions led us to hypothesize that younger respondents were less agonized about privacy tradeoffs and were more accepting of a wide range of technological developments that, potentially, could lead to lessened privacy. To our surprise, this hypothesis was not confirmed. As each of us studied our focus group findings, we marveled at just how wrong we were. The themes discussed below did not characterize a specific age group but instead crosscut these groups. Delving into why the “dog didn’t bark” and why age was not a good explanatory variable (intriguing to speculate about) allows us a first peek into the general attitudes of the respondents—across all ages!

For instance, “consent” was one topic that we hypothesized would be particularly split by age.53 U.S. federal law permits the recording of individual-to-individual conversations by one party without the knowledge or consent of the other party or parties involved, as long as

⁵² See infra Appendix A.

⁵³ In our preliminary research discussions, there seemed to be a clear divide between older individuals, who favored two-party consent laws, and younger individuals, who were generally amicable to one-party. This anecdotal trend was not replicated in the focus groups.

at least one person is aware of the recording.⁵⁴ Thirty-eight states and the District of Columbia also have what are called “one-party consent laws.”⁵⁵ Even in two-party states, certain exceptional circumstances allow only one party to be privy to the knowledge of a recording taking place. Some exceptions may include recordings made by police or law enforcement officials, emergency or first responders, or communication service providers, as well as recordings made pursuant to a court order.⁵⁶ Individual states have their own exceptions.⁵⁷

We found that the majority of respondents, regardless of age, preferred a two-party system. While many acknowledged exceptional circumstances, such as in cases of domestic abuse or in situations with uneven power dynamics (e.g., employee-employer), the consensus was that two-party systems enabled transparency and trust, rather than the instilled sense of paranoia that they did not want to become the norm. Those exceptions, they argued, should not become the rule. The idea of “everyone going around recording each other,” as one respondent said, “would set up a dangerous precedent.”⁵⁸ Many others agreed that a slippery slope toward a “surveillance society” was an inherent threat to overall privacy, with one person making a principled argument that “privacy is [my] right, why should I have to give it up?”⁵⁹ In opposition, the minority that chose the one-party system claimed that if they had nothing to hide, they did not care who recorded them and why—saying that safety or protection was worth sacrificing privacy. Some

⁵⁴ Recording Phone Calls and Conversations, DIG. MEDIA L. PROJECT, https://www.dmlp.org/legal-guide/recording-phone-calls-and-conversations (last visited April 13, 2020) (citing 18 U.S.C. § 2511(2)(d)).

⁵⁵ Id. Two-party states also differ as to whether both parties must consent explicitly (i.e., “Yes, I consent to being recorded.”), or whether conversing after notification of recording has been provided is sufficient for implicit consent. The eleven other states (California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) have “two-party consent laws” (or “allparty”) in effect. State Law: Recording, DIG. MEDIA L. PROJECT, https://www.dmlp.org/ legal-guide/state-law-recording (last visited April 19, 2021).

⁵⁶ For a lengthier exploration of recording consent laws, see Rauvin Johl, Reassessing Wiretap and Eavesdropping Statutes: Making One-Party Consent the Default, 12 HARV. L. & POL’Y REV. 177, 178–80 (2018).

⁵⁷ Id. For example, Illinois and Oregon are two-party states except in cases of electronic recording. Another example is Hawaii, which only requires all-party consent in cases where the recording device is installed in a private place. Massachusetts, for instance, is the only state without a “public location” exception, meaning that a conversation occurring in a public place still requires two party consent. States also vary as to how consent is executed, and whether such recordings are admissible in court.

⁵⁸ Member of Focus Group 3 (Young Adults), Rutgers University (Sept. 15, 2019) (on file with author).

⁵⁹ Member of Focus Group 4 (Seniors), Rutgers University (Sept. 20, 2019) (on file with author).

respondents went as far as saying the so-called surveillance society already exists; privacy in the modern day is so far eroded that, as one respondent claimed, “everything is being recorded anyway.”⁶⁰ Despite preconceived notions concerning general familiarity with technology, attitudes toward recording consent laws, and privacy more broadly, participant’s ages could not explain this dynamic.

B. Protecting Privacy and Terms of Service Agreements: Reality or Illusion?

We can further deduce the extent to which society has prioritized other interests over privacy, such as leniency with business, through close examination of Terms of Service (TOS) agreements. Upon review of focus group attitudes about this issue, three facets of the agreements emerge as potentially problematic: (1) the actual policies that permit companies to collect vast quantities of personal data; (2) the mechanism employed to obtain consent from users; and (3) the societal costs incurred from not accepting these agreements, which in turn apply pressure on users to consent irrespective of the agreement’s provisions.

The first facet was only problematic for a minority of our respondents—those that viewed the mere act of data collection itself as invasive. This, however, is the most lucrative aspect of several companies’ business models, and the most necessary for others. Google turns a profit by using data collected from consumers to sell targeted advertising but also needs this data to power improvements to the Google search engine and Google maps.61 Amazon and Apple take voice recordings from Alexa ⁶² and Siri,⁶³ respectively, to improve the accuracy of their voice recognition software. Almost all companies use cookies when accessing their websites, which track consumer data as they move from webpage to webpage.⁶⁴ When viewed individually, this data seems small and innocuous. The issue is when these data are aggregated into a larger profile that tells companies more than what consumers

⁶⁰ Focus Group 2 (Middle Age), Rutgers University (Sept. 15, 2019) (on file with author).

⁶¹ Nicole Lindsey, Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined, CPO MAGAZINE (Nov. 14, 2018), https://www.cpomagazine.com/dataprivacy/google-data-collection-is-more-extensive-and-intrusive-than-you-everimagined.

⁶² Alexa Terms of Use, Section 4.1, AMAZON, https://www.amazon.com/gp/help/customer/display.html?nodeId=201809740 (last visited Apr. 28, 2020).

⁶³ Ask Siri, Dictation, & Privacy, APPLE, https://support.apple.com/en-us/HT210657, (last updated Feb. 19, 2021).

⁶⁴ What are Cookies?, INDIANA UNIV., https://kb.iu.edu/d/agwm (last updated Jan. 18, 2018).

expected it would reveal. For instance, while individual facts about a person may confer little information when considered on their own, taken together, these facts may paint a more complete picture of that person than what the consumer intended to divulge.⁶⁵ One report demonstrated that merely going through normal life routines with an Android phone led Google to be able to collect enough user data to identify user interests accurately.⁶⁶ One participant was deeply troubled by this when he said, “I mean they know so much about you. They pretty much own you. I downloaded all of the data that Google had on me. I had so much data. I made the mistake of buying a Google Pixel.”⁶⁷ This is often the case—a person may believe they have a reasonable expectation of privacy, only to discover that their data had been collected consistently, and without their knowledge, over an extended period.

TOS Agreements are formatted as either “opt in” or “opt out.”⁶⁸ When a website prompts its users to agree, usually at the bottom of a page immediately upon opening the site, this specific site is using the opt-in style. If no such prompt appears, users must opt out of using the program entirely.⁶⁹ This may even be less clear in cases when the user interface is amorphous. While nearly all respondents understood that they had opted in to Google’s TOS when they used the search engine, significantly fewer respondents were aware of Alexa’s voice recordings being sent back to Amazon for analysis.⁷⁰

We hypothesized that many respondents would not be aware that, by using Google’s service, they were agreeing to the corporation’s data collection policies. Most respondents did appreciate, however, that by availing themselves of this service (and others), they had acquiesced to the corporation’s conditions on the ease with which the organization could aggregate data, sell data, and disseminate data.⁷¹ They were

⁶⁵ See Lindsey, supra note 61.

⁶⁶ Douglas C. Schmidt, Google Data Collection, DIGITAL CONTENT NEXT (Aug. 15, 2018), https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-DataCollection-Paper.pdf.

⁶⁷ Focus Group 3 (Young Adults), Rutgers University (Sept. 15, 2019) (on file with author).

⁶⁸ See Berkson v. GoGo, 97 F. Supp. 3d 359, 366–67 (E.D.N.Y. 2015) (discussing the legality of various methods of obtaining consent).

⁶⁹ Id. at 376.

⁷⁰ See Matt Day et al., Amazon Workers Are Listening to What You Tell Alexa, BLOOMBERG (Apr. 10, 2019), https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio.

⁷¹ See Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126HARV. L. REV. 1880, 1881 (2013) (discussing what individuals lay observers understand in terms of data consent laws).

aware that they had “opted in” without being given an option to “opt out.” Most respondents were resigned to the fact that this is how TOS agreements functioned in practice.

Taking it one step further, we asked about situations in which the organization did ask for explicit authorization to its terms and conditions, meaning a person had to affirmatively “opt in” rather than being automatically assumed to agree to terms and conditions by using the service. The assumption was that by being given explicit statements about what they were agreeing to, respondents would have more choice and would have a better handle on what would be done with their information, effectively providing more control over the dissemination of the information they provided. A priori, this sounded more than plausible, and indeed suggested a policy for addressing privacy issues moving forward (we will turn to these in the last section of this paper).⁷² But once again, what we assumed was obvious—that a choice to “opt in” with specific explanations as to what was being agreed upon would enhance an individual’s control over private information—was incorrect.

Of our respondents across all six focus groups, almost no respondents claimed to read any parts of the TOS.⁷³ Signing these was routine; ignoring their language was universal. Some bemoaned the length of these agreement sheets; some the difficulty of reading them.⁷⁴ Even when we probed deeper and suggested altering the terms of the agreement in ways consistent with policies being adopted in Europe and some states,⁷⁵ we found at best a grudging response from a few of the respondents that maybe one change or another (i.e., highlighting key points, shorter forms) might make them give more than a mere cursory look to the documents. A few of these comments are illustrative of these themes:

⁷² See infra Section VI.B.

⁷³ See Ian Ayres & Alan Schwartz, The No-Reading Problem in Consumer Contract Law, 66 STAN. L. REV. 545, 546 (2014) (discussing issues surrounding the lack of reading within the context of consumer contract law).

⁷⁴ One Focus Group Participant (from our sixth group, Middle Aged individuals), specifically noted that the determining factor behind his reasoning for not reading TOS agreements was the perceived complexity of these document’s language. This participant suggested using lower Lexile levels as a standard for encouraging broader understanding of these documents.

⁷⁵ See infra Section VI.B.

I skim through the TOS agreements, but that is ultimately not going to make much of a difference. If you don’t sign it, you don’t get to use the service. And if it is an electronic copy there even isn’t an opportunity to modify it[.]⁷⁶

There are sometimes 60 pages of TOS . . . you can’t read them . . . few know what they say. You assume they are collecting data . . . if there was more of a choice to opt in, just in theory a difference, since if you don’t opt in, you can’t use the service. . . . The European Union efforts to change TOS [i.e., highlighting, underlining, shortening] won’t matter—no one reads them.⁷⁷

Somewhat facetiously, another respondent claimed that “all the terms and services really need to say is ‘We’re taking all your stuff, we’re making money off it, good luck.’”⁷⁸ His point, of course, was that clients really have a sense of what they are giving away but will not change their behavior in any case.

This turns general contract theory on its head, as contracts are generally predicated on the idea of consent being given actively as an opt in. In a 1994 Yale Law Journal article, Peter Schuck wrote, “[t]o say that one cannot be bound by a promise that one did not voluntarily and knowingly make is to say that the individual should be the author of her own undertakings, that a genuine respect for her dignity requires a broad deference to her choices.”⁷⁹ The issue today is that many people cannot opt out of terms such as Google’s or Apple’s without incurring opportunity and productivity costs. Putting together the various services and websites respondents visited that had TOS, almost no one felt that they could live today without being bound by these contracts.⁸⁰ When asked why they continued to use Google despite expressing dismay with the way Google collected their data, they replied, “Because it’s convenient, and I will be left behind socially.”⁸¹ It does not matter if

⁷⁶ Focus Group 1 (Seniors), Rutgers University (Sept. 13, 2019) (on file with author).

⁷⁷ Focus Group 3 (Young Adults), Rutgers University (Sept. 15, 2019) (on file with author).

⁷⁸ Focus Group 6 (Middle Age), Rutgers University (Oct. 6, 2019) (on file with author).

⁷⁹ Peter H. Shuck, Rethinking Informed Consent, 103 YALE L.J. 899, 900 (1994).

⁸⁰ Focus Groups 1–6, Rutgers University (Sept. 13–Oct. 6, 2019).

⁸¹ Focus Group 2 (Middle Age), Rutgers University (Sept. 15, 2019 (on file with author).

consent is questionably obtained if people do not have alternatives that allow them to “voluntarily and knowingly make” other choices.⁸²

C. The Role of Government and Corporate Giants: Trust and Tradeoffs

To contextualize privacy and, more importantly, how people conceive privacy, we deemed it necessary to decipher the difference between the expectations people have of public versus private entities. Since many people hold double standards, we found that it was beneficial to partake in a simple voting process, revealing the results to the group after the voting was completed. Then, we allowed people to attempt to defend their clear contradictions in their conceptions.

⁸² See Joseph V. Demarco & Brian A. Fox, Data Rights and Data Wrongs: Civil Litigation and the New Privacy Norms, 128 YALE L.J. F. 1016, 1024–26 (2019) (discussing lawsuits involving private parties and data storage).

Question 1: Who do you trust more with your private information?

Question 2: In general, who do you trust more with the following sets of data: private companies or the government?

Consistent with our other findings,⁸³ responses were coherent across age groups. We found that, overall, public entities received more support, or “trust,” from our focus groups. We tested this by first varying the entities (i.e., the Treasury or credit card companies), but asking about a general sense of trust, and then by varying the information obtained (i.e., your location), but asking generally “public or private.” We found that when naming specific entities, an overwhelming majority selected the public option over the private option. When asking about specific information, though, “the government” either won by a very slim majority or even lost the vote. A factor that could be influencing this contradiction is the negative stigma attributed to “the government.” People have always been distrusting of this ominous entity, and that is a likely reason for the voting discrepancy. When we asked about specific government agencies, though, people realized that these agencies do not warrant a sense of fear or distrust, voting in their favor. Another factor that likely influenced our participants in their voting habits is the overwhelming news coverage relating to breaches of data by private corporations. Focus group participants reported that stories about privacy issues with Facebook, Google, and Amazon influenced their decision to pick the government agency rather than the specific company. This could also explain why—in an opposite pattern to that of the government—private companies generally performed better in the collective than as individual companies.

The one noticeable outlier from the aforementioned trends was in the “Associations” question in the second round, where a majority of respondents said that they trusted private companies to know this information more than the government. During the focus groups, respondents would sometimes respond that they picked private companies when they could rationalize the private company knowing this information.⁸⁴ Given the prevalence of social media networks as a primary online interface across all generations, it is conceivable that the public has largely accepted private companies having detailed information on a person’s friend and family network.

This model of analysis was designed to gauge the “trust,” an often-immeasurable feeling, that participants had in various agencies, groups, etc. By seeking a justification as to why the entity would need the information we were asking about, participants unveiled their reasoning skills, ultimately seeming to draw objective conclusions. If

⁸³ See supra Section IV.A.

⁸⁴ Focus group notes, Rutgers University (Sept. 13–Oct. 6, 2019) (on file with author).

they were able to see a reason for an entity to know that information, the decision was made clearer.⁸⁵ One participant, though, articulated the true design of our questioning, stating, “[a] lot of this comes down to trust. How much do you trust the government not to abuse security cameras, how much do you trust Apple to do what they say they will do.”⁸⁶ Reinforcing other theories of ours as well, this participant categorized the entire government as one entity, while distinguishing Apple from other tech giants. This participant did not pick a side in this statement but instead discussed the idea of trading off some privacy for increased security. The government, as he referred to it, is often thought of as an entity that strips the general population of privacy with a sweeping promise of safety.⁸⁷ Apple, though, promises security at its forefront.⁸⁸ The participant draws a similarity with these two, proposing that they both need to prove their efficacy and their reliability in order to gain the trust of the American people.