email cookiesThe cookies — actual cookies — in Risa Puno's experiment.
(Talisman Brolin/Courtesy of Risa Puno)

In a highly unscientific but delicious experiment last weekend, 380 New Yorkers gave up sensitive personal information from fingerprints to partial Social Security numbers for a cookie.

"It is crazy what people were willing to give me," said artist Risa Puno, who conducted the experiment, which she called "Please Enable Cookies," at a Brooklyn arts festival. The cookies, actual cookies, came in flavors such as "Chocolate Chili Fleur de Sel" and "Pink Pistachio Peppercorn."

To get a cookie, people had to turn over personal data that could include their address, driver's license number, phone number and mother's maiden name.

More than half of the people allowed Puno to take their photographs. Just under half -- or 162 people -- gave what they said were the last four digits of their Social Security numbers. And about one-third -- 117 people - allowed her to take their fingerprints. She examined people's driver's licenses to verify some of the information they provided.

innerself subscribe graphic

When people asked Puno what she was going to do with their information, she refused to say. Instead, she referred them to her terms of service, a full page of legal boilerplate displayed in tiny print, which gives her the right to display the information and share it with others.

How Much Is Your Personal Data Worth?

Puno's performance art experiment highlights what privacy experts already know: Many Americans are not sure how much their personal data is worth, and that consumer judgments about what price to put on privacy can be swayed by all kinds of factors.

While most people will say they value privacy, there's a clear dichotomy between "what we say about privacy and what we do," said Alessandro Acquisti, a Carnegie Mellon privacy expert.

A study published last year by Acquisti and other researchers found that people's willingness to pay for privacy depended on whether they perceived that their data was already protected. In one experiment, one group of people were given a free $10 Visa gift card and told their spending would be anonymous. Another group was given a $12 gift card and told their purchases would be tracked. The groups were then given an opportunity to trade gift cards. It turned out that the vast majority people with the higher-value but tracked card were not willing to give up $2 for privacy. But about half of the people who started out with the higher privacy lower value cards wanted to keep them.

"The answers to questions such as 'What is privacy worth?" and 'Do people really care for privacy?' depend not just on whom but how you ask," the authors wrote.

Because the Brooklyn data giveaway was part of a performance art piece, Acquisti said, participants may have felt that "it was very low-risk to provide information."  The giveaway was part of a game: it would seem fun to play along, and also seem unlikely that the data would be abused.

"Traded all my personal data for a social media cookie," one participant tweeted, along with a photo of a cookie frosted with the Facebook logo.

Puno said some participants did not even eat their cookies u2014 they just wanted to take pictures of them. Cookies decorated with the Instagram logo were so popular among photographers that Puno required "purchasers" to give their fingerprints, the last four digits of their Social Security numbers and their driver's license information. Many still agreed. "They wanted to hold it against the sky with the bridge in the background," she said.

While she's happy with the response to her project, the 33-year-old artist was shocked that people seemed very comfortable giving away the kind of data that's often used in security questions: pet's name, mother's maiden name, place of birth, the name of your first teacher.

People called those questions "easy points," she said.

"They didn't recognize them as security questions, or they didn't care, but that's how people 'hack' into celebrity iClouds, by guessing their security questions."

She was also surprised to find that people would give her more data than they actually needed to earn a given cookie.

"That to me was baffling," she said. "If I were thinking about giving away my information, I wasn't giving away more than I had to."

Puno still won't say what she's going to do with the data. She says she's considered destroying it. On the other hand, she said, the disclosure forms are also "precious artifacts of what people are willing to do. I kind of want to hold onto them forever."

original article from ProPublica.

About the Author

beckett loisLois Beckett has been a reporter for ProPublica since 2011. She covers the intersection of data, technology and politics. She is a frequent guest on nationally syndicated TV and radio programs, including CNN Newsroom, NPR’s On Point, KQED’s Forum and WAMU’s Kojo Nnamdi Show, and also speaks about her reporting at conferences, most recently at the World Forum for Democracy in Strasbourg.

Recommended book:

Cybersecurity and Cyberwar: What Everyone Needs to Know
by Peter W. Singer and Allan Friedman.

Cybersecurity and Cyberwar: What Everyone Needs to Know by Peter W. Singer and Allan Friedman.In Cybersecurity and CyberWar: What Everyone Needs to Know®, New York Times best-selling author P. W. Singer and noted cyber expert Allan Friedman team up to provide the kind of easy-to-read, yet deeply informative resource book that has been missing on this crucial issue of 21st century life. Written in a lively, accessible style, filled with engaging stories and illustrative anecdotes, the book is structured around the key question areas of cyberspace and its security: how it all works, why it all matters, and what can we do? Cybersecurity and CyberWar: What Everyone Needs to Know® is the definitive account on the subject for us all, which comes not a moment too soon.

Click here for more info and/or to order this book on Amazon.