Playing the Privacy Blame Game, or the Fallacy of the “stupid user”

Meet the “Stupid User”

We’ve all heard it.

Whenever and wherever there are discussions about personal information and reputation related to online spaces—in media reports, discussions, at conferences—it’s there, the spectre of the “stupid user.”

Posting “risky” information, “failure” to use built-in online privacy tools, “failure” to appropriately understand the permanence of online activities and govern one’s conduct and information accordingly—these actions (or lack of action) are characteristic of the “stupid user” shibboleth. 

These days when the question of online privacy comes up it seems like everyone is an expert.  Conventional wisdom dictates that that once we put information online, to expect privacy is ridiculous.  “That ship has sailed,” people explain, information online is information you’ve released into the wild. There is no privacy, you have no control over your information, and – most damning of all – it’s your own fault! 

Here is a sampling of some recent cautionary tales,

·         Stupid Shopper:  After purchasing an electronic device with data capture capabilities, a consumer returns it to the store.  Weeks later, s/he is horrified to discover that a stranger purchased the same device from the store and found the consumer’s personal information still on the hard drive. Surely only a “stupid user” would fail to delete their personal information before returning the device, right?

·         Stupid Employee: A woman is on medical leave from work due to depression and receiving disability benefits.  While off work, after consultation with her psychiatrist, she engages in a number of activities intended to raise her spirits, including a visit to a Chippendale’s revue, a birthday party, and a tropical beach vacation.  Her benefits are abruptly terminated and the insurance company justifies this by indicating that upon viewing photos on her Facebook page showing her looking cheerful they considered her to not be depressed and able to return to work.  I mean, really – if you’re going to post all these happy pictures, surely you were asking for such a result?  Stupid not to protect yourself, isn’t it?

·         Stupid Online Slut: An RCMP Corporal is suspended and investigated when sexually explicit photographs in which he allegedly appears are posted to a sexual fetish websiteSurely anyone who is in a position of responsibility should know better than to take such photos, let alone post them online.  How can we trust someone who makes such a stupid error to do his job and protect us?

How Are These Users “Stupid”?

The fallacy of the stupid user is based on the misconception that individuals bear exclusive and primary responsibility for protecting themselves and their own privacy. This belief ignores an important reality–our actions do not take place in isolation but rather within a larger context of community, business, and even government. There are laws, regulations, policies and established social norms that must be considered in any examination of online privacy and reputation.

Taking context into consideration, let’s examine these three cautionary tales more closely:

·         Consumer protection: Despite the existence of laws and policies at multiple levels regulating how the business is required to deal with consumers’ personal information, the focus here was shifted to the failure of the individual customer to take extra measures in order to protect their own information.  Any consideration of whether the law governing this circumstance is sufficient or the failure on the part of the store to meet its legal responsibilities, or even follow its own stated policies, is sidetracked in favour of demonizing the customer.

·         Patient privacy: An individual, while acting on medical advice, posts information and photos on Facebook—which has a Terms of Use that specifically limits the uses to which information on the site may be used—and loses her disability benefits due to inferences drawn by the insurance company based on that information and those photos.  There are multiple players (employer, insurance company, regulators, as well as the employee) and issues (personal health information, business interests, government interests) involved this situation–but the focus is exclusively on the user’s perceived lack of judgment.  We see little to no consideration of the appropriateness of the insurer’s action. No regard for the fact that social networks have a business model based on eliciting and encouraging disclosure of personal information in order to exploit it, as well as architecture specifically designed to further that model.  Instead, all attention focuses on the individual affected and her responsibilities—the user’s decision to put the information online.

·         Private life: Criminal law, a federal employer, administrative bodies, and the media—all these were implicated when an RCMP officer was suspended and subjected to multiple investigations as well as media scrutiny after sexually explicit photographs in which he allegedly appears were posted on a membership-only sexual fetish website. In this case yet again the focus is on the individual, ignoring the fact that even were he to have participated in and allowed photographs to be taken of legal, consensual activities in off-work hours, there is no legal or ethical basis for these activities to be open to review and inspection by employers or the media. 


Powerful new tools for online surveillance and scrutiny can enable institutions—government and business—to become virtual voyeurs. Meanwhile, privacy policies are generally written by lawyers tasked with protecting the business interests of a company or institution. Typically multiple pages of legal jargon must be reviewed and “accepted” before proceeding to use software and services – it’s worth pointing out that a recent study says reading all the privacy policies a person typically encounters in a given year would take 76 days!

Not only are they long, the concepts and jargon in these Terms and Conditions are not readily accessible to the layperson. This contributes to a sense of vulnerability and guilt, making the average person feel like a “stupid user”. Typically we cross our fingers and click “I have read the terms and conditions, accept.”

My “Stupid User” theory is more than a difference of opinion about privacy and responsibility.  It’s not restricted to (or even about) expressions of advice or concern. There are, obviously, steps everyone can and should take to secure their information against malicious expropriation/exploitation of personal information. That said, not doing so – whether by virtue of conscious choice or failure to understand or use tools appropriately – does not and must not be considered as license for the appropriation and exploitation of personal information.

Rather than blame the apocryphal “Stupid User”, criticism must instead be aimed squarely at the approach and mind-set that focuses on the actions, errors, omissions, and above all, responsibility of the individual user to the exclusion of recognizing and identifying the larger issues at work.  This is especially important when those whose actions and roles are being obfuscated are in fact the very same entities who have explicit legal and ethical responsibilities to not abuse user privacy.