April 18, 2006 at 10:00 AM ET
When it came to light last year that tax preparation firms were sending thousands of customers' returns to India for processing, a small firestorm ensued. But during the discussions that followed, it became clear that such international outsourcing of private information is now common practice for U.S. firms.
One year later, despite the negative reaction outsourcing evokes, one researcher says consumers may be warming slightly to the idea of globe-trotting data.
Obviously, if it's cheaper to do the work overseas, the information has to go overseas. So it's now standard practice that telephone operators in Ireland or Canada have access to intimate details about Americans' lives. Ditto for transcribers who type in medical records.
Privacy wonks raise alarm bells about such practices. After all, a company that loses data in India may not be subject to American laws. This raises troubling questions. For example, there are no international data loss disclosure requirements of the sort that exist in California, which forced the revelations that made us all aware of what happened at ChoicePoint Inc. last year.
Nor are the concerns about information outsourcing just theoretical. In one celebrated case, a Pakistani transcriber who felt she hadn't been paid for her work threatened to expose a wide swath of Americans' medical records unless her company paid up. Such criminal acts couldn't be prosecuted in the U.S., even if U.S. data was involved.
Researcher Larry Ponemon of The Ponemon Institute recently set out to find out just how much this data outsourcing bothers a typical American. The answers he got are a bit surprising. While there was universal concern about the outsourcing of personal medical information, people were a bit less bothered by the shipping of financial information and other kinds of data overseas.
And in perhaps the most surprising result of the survey, India ranked third as the country consumers feel most trustworthy for outsourced information, behind only Ireland and Canada. The least-trusted countries were the Philippines, Mexico and Haiti.
Given the negative publicity surrounding India and outsourcing, even Ponemon was surprised at the result -- so surprised that he wasn't quite sure it could be trusted.
"It seems like people might have a more positive view of India than my initial hunch," he said. "It is puzzling. I don't think this tracks against the gut test."
What those surveyed said
One possibility, Ponemon said, is that most Americans are familiar with India as a major outsourcing center for American companies. Familiarity can sometimes breed trust. On the other hand, those who gave negative marks to India indicated very strong negative scores, Ponemon said, so it may be that India evokes strong sentiments on both sides of the conversation.
Some of the supplemental comments supplied by survey respondents shed a bit of light on this dichotomy.
From those who distrust India came comments like this:
"In the 800-pound gorilla category for outsourcing, India is King Kong. Why should they care about me, my family and our personal information?"
"I never trusted them (China and India). ... I think that their cultures are all about greed and corruption. All they want are our jobs."
On the other hand, people's personal experiences clearly color their broader perceptions. One respondent who scored India as very trustworthy did so because of someone she knew:
"My daughter's boyfriend is from India and his grandfather owns a huge textile company in Hyderabad. They are pretty honest people with strong family values. I don't worry much about it."
Another knew several Indian-born professionals, which gave her a favorable impression:
"In my experience as a teacher these people (Indians) are very smart, hard-working and have excellent technical training. I think they are very practical in business too. ... It doesn't make sense for them to sell my data."
For yet another, language commonality also led to reassurance.
"I tend to trust countries that speak my language. ... I favor Canada, England, Ireland, and India, over most others with my personal information."
Ponemon's study, which was conducted using an Internet-based sample group and claims an accuracy of plus or minus 2 percent, had other surprising results. The chief one: While still a minority, a large percentage of people said they had few problems with international data sharing. More than one-third said they had no problem with companies sharing basic personally identifying information; 25 percent said it was OK to share data on Internet behaviors and 22 percent said it was OK to share employee records.
And while three-quarters of people said they were strongly against most information sharing, only 10 percent said they'd be willing to pay companies more to keep their information from flying beyond American borders.
Can people make informed choices?
To understand these results, I spoke to economist Alessandro Acquisti, a professor at Carnegie Mellon University. He's one of the few scientists currently researching the economics of privacy. In his research, Acquisti consistently shows that consumers simply don't have enough information to make judgments about their own privacy or to evauate bargains they make with companies regarding their privacy. For example, when consumers sign up for a loyalty card discount program at a grocery store, they know they may be receiving regular 20 and 30 cent coupons. But they do not know what they are trading away -- perhaps more junk mail, perhaps a future data leak causing identity theft, perhaps nothing.
As a result, it's very hard for consumers to make informed privacy choices, and it's very hard for researchers to interpret privacy sentiment surveys, he said
One thing that's consistent in all his surveys: A certain group of Americans have little interest in the issue of privacy. They're called "the unconcerned," and can be counted on to give researchers some version of "it's not a big deal" when asked a question like, "Are you concerned about your private information being shared with foreign companies?"
The first to identify this group was Dr. Alan Westin, publisher of Privacy & American Business. In a 2003 Harris Survey, 10 percent of adults were identified as "privacy unconcerned."
Perhaps that's apathy; or perhaps that's pragmatic. Michael Corbett, executive director of the International Association of Outsourcing Professionals, thinks it doesn't really matter where personal information is processed. All that matters is how it's handled, he said.
"You can create just as safe an environment overseas as in the United States and, as we've seen, the information can be mismanaged in the U.S.," he said, referring to last year's string of data leaks by major U.S. companies.
Legislative efforts stall
Corbett thinks Ponemon's survey shows Americans have increased sophistication about the outsourcing of personal information and, in some areas, increased comfort levels with the practice.
That seems like an optimistic interpretation. One thing that survey respondents made very clear is the whole idea still makes many of them queasy in certain circumstances. For example, 83 percent said they did not want a U.S. organization to send their patient health records to a company in another country.
That's why laws dealing with information outsourcing continue to bubble up in state legislatures. Both California and Illinois, for example, have entertained laws that require call center employees to disclose their locations when talking to customers (most now won't admit they are overseas when asked). In 2004, the California Legislature passed a measure that would have attempted to extend state privacy consumer protections to companies that process California citizens' medical information overseas. It was vetoed by Gov. Arnold Schwarzenegger, who said the law was too vague. The bill has not been reintroduced.
Inevitable or simply unexamined?
In a world where the Internet makes it roughly equal to process information down the hall or half-way round the world, where most of the world's computers are really one big computer, perhaps it's inevitable that consumer information will globetrot. And perhaps, as Ponemon's survey suggests, consumers are becoming more comfortable with that. Or perhaps, as Acquisti suggests, confusion and apathy complicate the issue. But whatever the current conventional wisdom, it would be far better to think about the implications of outsourced private information now, before this sharing becomes the de facto.
For that, readers would do well to dive into a report issued last fall by Rep. Ed Markey's office about offshore processing of information and privacy laws. Markey's office ranked the privacy protection laws in 20 countries that do the bulk of the overseas information processing for U.S. companies and concluded that in 14 countries (including India), privacy laws are weaker than U.S. law.
That leads to an important but rarely asked question: If there was an international data leak on the scale of last year's ChoicePoint incident, would we ever find out? Has such a leak already occurred? Such questions are better asked sooner rather than later.