Whilst the report was at pains to stress that such risks should be assessed appropriately rather than hasty bans put in place, it did nevertheless put the issue into the spotlight.  Some new research by Carnegie Mellon into information leaks should therefore be essential reading for anyone with an interest in this topic.

The study wanted to see how people responded to varying levels of privacy restrictions.  It found that when people had more control over their own information, they were much more likely to take privacy risks. 

“We found there was a paradox of control. People who felt more in control of their information took more privacy risks more often,” says Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon University.

“They felt more empowered and more in control of their personal information. But once the information is online, users can’t control what people do with it.”

The research used 600 people across three studies, two of which looked at the impact of increasing or decreasing control over the release of information.  The third study by contrast manipulated access but not usage of information.

All three studies showed that increasing perceived control over release or access of personal information can cause people to experience an illusory sense of security, and as a result, release more information.

Published in Social Psychological and Personality Science, the findings have important public policy implications. Some privacy experts have called for providing users with more controls as a way to protect their information, but this research suggests that such policies could backfire.

“The conventional wisdom is that control over personal information implies protection,” says co-author George Loewenstein, professor of psychology and economics. “Our results provide evidence that control over personal information may be a necessary but not sufficient condition for privacy protection, and can even produce perverse effects.”

Does this have implications to the release of confidential, but not personal, information?  Whilst there was no implied connection made in the study, it does underline the importance of training staff in the risks involved, especially when information is impossible to control or contain once it is published in the public domain online.