This story was co-published with Mashable .
In a highly unscientific but delicious experiment last weekend, 380 New Yorkers gave up sensitive personal information — from fingerprints to partial Social Security numbers — for a cookie.
"It is crazy what people were willing to give me," said artist Risa Puno, who conducted the experiment, which she called "Please Enable Cookies," at a Brooklyn arts festival. The cookies — actual cookies — came in flavors such as "Chocolate Chili Fleur de Sel" and "Pink Pistachio Peppercorn."
READ ALSO: 4 Benefits of a World with Less Privacy
To get a cookie, people had to turn over personal data that could include their address, driver's license number, phone number and mother's maiden name.
More than half of the people allowed Puno to take their photographs. Just under half — or 162 people — gave what they said were the last four digits of their Social Security numbers. And about one-third — 117 people — allowed her to take their fingerprints. She examined people's driver's licenses to verify some of the information they provided.
When people asked Puno what she was going to do with their information, she refused to say. Instead, she referred them to her terms of service, a full page of legal boilerplate displayed in tiny print, which gives her the right to display the information and share it with others.
Puno's performance art experiment highlights what privacy experts already know: Many Americans are not sure how much their personal data is worth, and that consumer judgments about what price to put on privacy can be swayed by all kinds of factors.
While most people will say they value privacy, there's a clear dichotomy between "what we say about privacy and what we do," said Alessandro Acquisti, a Carnegie Mellon privacy expert.
A study published last year by Acquisti and other researchers found that people's willingness to pay for privacy depended on whether they perceived that their data was already protected. In one experiment, one group of people were given a free $10 Visa gift card and told their spending would be anonymous. Another group was given a $12 gift card and told their purchases would be tracked. The groups were then given an opportunity to trade gift cards. It turned out that the vast majority people with the higher-value but tracked card were not willing to give up $2 for privacy. But about half of the people who started out with the higher privacy lower value cards wanted to keep them.
READ ALSO: Privacy and Cybersecurity Are Converging. Here’s Why That Matters for People and for Companies.
"The answers to questions such as 'What is privacy worth?" and 'Do people really care for privacy?' depend not just on whom but how you ask," the authors wrote."It is crazy what people were willing to give me," said artist Risa Puno, who conducted the experiment. (Lois Beckett/ProPublica)
Because the Brooklyn data giveaway was part of a performance art piece, Acquisti said, participants may have felt that "it was very low-risk to provide information." The giveaway was part of a game: it would seem fun to play along, and also seem unlikely that the data would be abused.
READ ALSO: "We think it's a good thing that people are more interested in using privacy controls and managing their information online," a Facebook spokesperson said in a statement. Its traffic had steadily been growing since, but it boomed in 2018 as Facebook's privacy issues blew up, said Gabriel Weinberg, CEO and founder of DuckDuckGo.
"Traded all my personal data for a social media cookie," one participant tweeted , along with a photo of a cookie frosted with the Facebook logo.
Puno said some participants did not even eat their cookies — they just wanted to take pictures of them. Cookies decorated with the Instagram logo were so popular among photographers that Puno required "purchasers" to give their fingerprints, the last four digits of their Social Security numbers and their driver's license information. Many still agreed. "They wanted to hold it against the sky with the bridge in the background," she said.
While she's happy with the response to her project, the 33-year-old artist was shocked that people seemed very comfortable giving away the kind of data that's often used in security questions: pet's name, mother's maiden name, place of birth, the name of your first teacher.
People called those questions "easy points," she said. "They didn't recognize them as security questions, or they didn't care, but that's how people 'hack' into celebrity iClouds, by guessing their security questions."
She was also surprised to find that people would give her more data than they actually needed to earn a given cookie. "That to me was baffling," she said. "If I were thinking about giving away my information, I wasn't giving away more than I had to."
Puno still won't say what she's going to do with the data. She says she's considered destroying it. On the other hand, she said, the disclosure forms are also "precious artifacts of what people are willing to do. I kind of want to hold onto them forever."