Investigating People’s Privacy Risk Perception

Open access

Abstract

Although media reports often warn about risks associated with using privacy-threatening technologies, most lay users lack awareness of particular adverse consequences that could result from this usage. Since this might lead them to underestimate the risks of data collection, we investigate how lay users perceive different abstract and specific privacy risks. To this end, we conducted a survey with 942 participants in which we asked them to rate nine different privacy risk scenarios in terms of probability and severity. The survey included abstract risk scenarios as well as specific risk scenarios, which describe specifically how collected data can be abused, e.g., to stalk someone or to plan burglaries. To gain broad insights into people’s risk perception, we considered three use cases: Online Social Networks (OSN), smart home, and smart health devices. Our results suggest that abstract and specific risk scenarios are perceived differently, with abstract risk scenarios being evaluated as likely, but only moderately severe, whereas specific risk scenarios are considered to be rather severe, but only moderately likely. People, thus, do not seem to be aware of specific privacy risks when confronted with an abstract risk scenario. Hence, privacy researchers or activists should make people aware of what collected and analyzed data can be used for when abused (by the service or even an unauthorized third party).

[1] A. Acquisti and J. Grossklags. Privacy and Rationality in Individual Decision Making. IEEE Security & Privacy, 3(1):26–33, 2005.

[2] Angeliki Aktypi, Jason R.C. Nurse, and Michael Goldsmith. Unwinding Ariadne’s Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks. In Proceedings of the 2017 on Multimedia Privacy and Security (MPS), pages 1–11, New York, NY, USA, 2017. ACM.

[3] Annie I. Antón, Julia B. Earp, and Jessica D. Young. How Internet Users’ Privacy Concerns Have Evolved Since 2002. IEEE Security & Privacy, 8(1):21–27, 2010.

[4] Gökhan Bal, Kai Rannenberg, and Jason I. Hong. Styx: Privacy risk communication for the android smartphone platform based on apps’ data-access behavior patterns. Computers & Security, 53:187–202, 2015.

[5] X. Bellekens, A. Hamilton, P. Seeam, K. Nieradzinska, Q. Franssen, and A. Seeam. Pervasive eHealth services a security and privacy risk awareness survey. In Proceedings of the International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), London, UK, 2016.

[6] Ann Bostrom, Cynthia J Atman, Baruch Fischhoff, and M Granger Morgan. Evaluating risk communications: completing and correcting mental models of hazardous processes, Part II. Risk Analysis, 14(5):789–798, 1994.

[7] William Bottom, Thomas Gilovich, Dale Griffin, and Daniel Kahneman. Heuristics and Biases: The Psychology of Intuitive Judgment. The Academy of Management Review, 29, 2004.

[8] Carole Cadwalladr. ‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower. https://www.theguardian.com/news/2018/mar/17/data-warwhistleblower-christopher-wylie-faceook-nix-bannon-trump. Accessed: 2019-03-12.

[9] L. J. Camp. Mental models of privacy and security. IEEE Technology and Society Magazine, 28(3):37–46, 2009.

[10] Pew Research Center. Public Perceptions of Privacy and Security in the Post-Snowden Era. http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/. Accessed: 2019-03-11.

[11] clickworker GmbH. clickworker panel. https://www.clickworker.com/. Accessed: 2017-09-20.

[12] Xuefei Deng, Robert D. Galliers, and Kshiti D. Joshi. Crowdworking - a New Digital Divide? Is Design and Research Implications. In Proceedings of the 2016 European Conference on Information Systems (ECIS), Istanbul, Turkey, 2016.

[13] C. Digmayer and E. Jakobs. Risk perception of complex technology innovations: Perspectives of experts and laymen. In 2016 IEEE International Professional Communication Conference (IPCC), Austin, TX, USA, 2016. IEEE.

[14] eMarketer. Number of social network users worldwide from 2010 to 2021 (in billions). https://www.statista.com/statistics/278414/number-of-worldwide-social-network-users/. Accessed: 2019-03-12.

[15] Fariborz Farahmand and Eugene H. Spafford. Understanding insiders: An analysis of risk-taking behavior. Information Systems Frontiers, 15(1):5–15, 2013.

[16] Baruch Fischhoff, Paul Slovic, Sarah Lichtenstein, Stephen Read, and Barbara Combs. How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences, 9(2):127–152, 1978.

[17] Batya Friedman, David Hurley, Daniel C. Howe, Helen Nissenbaum, and Edward Felten. Users’ Conceptions of Risks and Harms on the Web: A Comparative Study. In CHI ’02 Extended Abstracts on Human Factors in Computing Systems, pages 614–615, New York, NY, USA, 2002. ACM.

[18] V. Garg and J. Camp. End User Perception of Online Risk under Uncertainty. In Proceedings of the 45th Hawaii International Conference on System Sciences (HICCS), pages 3278–3287, Maui, HI, USA, 2012. IEEE.

[19] V. Garg and J. Camp. Heuristics and Biases: Implications for Security Design. IEEE Technology and Society Magazine, 32(1):73–79, 2013.

[20] Vaibhav Garg, Kevin Benton, and L. Jean Camp. The Privacy Paradox: A Facebook Case Study. In Proceedings of the 42nd Research Conference on Communication, Information and Internet Policy, Arlington, VA, USA, 2014.

[21] Vaibhav Garg, L. Jean Camp, Katherine Connelly, and Lesa Lorenzen-Huber. Risk Communication Design: Video vs. Text. In Simone Fischer-Hübner and Matthew Wright, editors, Privacy Enhancing Technologies (PETS 2012). Lecture Notes in Computer Science, vol 7384, pages 279–298, 2012.

[22] Nina Gerber, Benjamin Reinheimer, and Melanie Volkamer. Home Sweet Home? Investigating Users’ Awareness of Smart Home Privacy Threats. In Proceedings of An Interactive Workshop on the Human aspects of Smarthome Security and Privacy (WSSP), Baltimore, MD, USA, 2018. USENIX Association.

[23] Marco Ghiglieri, Melanie Volkamer, and Karen Renaud. Exploring Consumers’ Attitudes of Smart TV Related Privacy Risks. In Theo Tryfonas, editor, Human Aspects of Information Security, Privacy and Trust (HAS). Lecture Notes in Computer Science, vol 10292, pages 656–674. Springer, Cham, 2017.

[24] E. Goffman. The Presentation of Self in Everyday Life. Anchor Books/Doubleday, 1999.

[25] Darien Graham-Smith. How to escape the online spies. https://www.theguardian.com/technology/2017/may/13/how-to-get-privacy-digital-life-data-monitoring-gathering-amazon-facebook-google, 2018. Accessed: 2019-03-12.

[26] M. Harbach, S. Fahl, and M. Smith. Who’s Afraid of Which Bad Wolf? A Survey of IT Security Risk Awareness. In Proceedings of the IEEE 27th Computer Security Foundations Symposium (CSF), pages 97–110, Vienna, Austria, 2014. IEEE.

[27] Geert H. Hofstede. Cultures and organizations: Software of the mind. McGraw-Hill, London and New York, 1991.

[28] Daniel Kahneman. A Perspective on Judgment and Choice: Mapping Bounded Rationality. The American psychologist, 58:697–720, 2003.

[29] Katherine Karl, Joy Peluchette, and Christopher Schlaegel. Who’s Posting Facebook Faux Pas? A Cross-Cultural Examination of Personality Differences. International Journal of Selection and Assessment, 18(2):174–186, 2010.

[30] Sabrina Karwatzki, Manuel Trenz, Virpi Kristiina Tuunainen, and Daniel Veit. Adverse consequences of access to individuals’ information: an analysis of perceptions and the scope of organisational influence. European Journal of Information Systems, 26(6):688–715, 2017.

[31] Jennifer King and Andrew McDiarmid. Where’s The Beep? Security, Privacy, and User Misunderstandings of RFID. In Proceedings of Usability, Security, and Psychology (UPSEC), San Francisco, CA, USA, 2008. USENIX Association.

[32] Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Benjamin M. Greenstein, Louis LeGrand, Pauline Powledge, and David Wetherall. “When I Am on Wi-Fi, I Am Fearless”: Privacy Concerns & Practices in Everyday Wi-Fi Use. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), pages 1993–2002, New York, NY, USA, 2009. ACM.

[33] H. Krasnova and N. F. Veltri. Privacy Calculus on Social Networking Sites: Explorative Evidence from Germany and USA. In Proceedings of the 2010 43rd Hawaii International Conference on System Sciences (HICSS), Honolulu, HI, USA, 2010. IEEE.

[34] D. LeBlanc and R. Biddle. Risk perception of internet-related activities. In Proceedings of the Tenth Annual International Conference on Privacy, Security and Trust (PST), pages 88–95, Paris, France, 2012. IEEE.

[35] D. J. Leiner. SoSci Survey (Version 2.5.00-i). https://www.soscisurvey.de/, 2017. Accessed: 2017-09-20.

[36] Huigang Liang and Yajiong Xue. Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. Journal of the Association for Information Systems, 11(7):394–413, 2010.

[37] Ragnar Löfstedt and Åsa Boholm. The study of risk in the 21st century. In The Earthscan Reader on Risk, pages 1–23. Earthscan, 2009.

[38] Naresh K Malhotra, Sung S Kim, and James Agarwal. Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information systems research, 15(4):336–355, 2004.

[39] BBC News. Edward Snowden: Leaks that exposed US spy programme. http://www.bbc.com/news/world-us-canada-23123964, 2014. Accessed: 2019-03-12.

[40] BBC News. Facebook to exclude billions from European privacy laws. http://www.bbc.com/news/technology-43822184, 2018. Accessed: 2019-03-12.

[41] Helen Nissenbaum. Privacy As Contextual Integrity. Washington Law Review, 79, 2004.

[42] P. A. Norberg, D. R. Horne, and D. A Horne. The Privacy Paradox : Personal Information Disclosure Intentions versus Behaviors. The Journal of Consumer Affairs, 41(1):100–126, 2007.

[43] Isabelle Oomen and Ronald Leenes. Privacy Risk Perceptions and Privacy Protection Strategies. In Elisabeth de Leeuw, Simone Fischer-Hübner, Jimmy Tseng, and John Borking, editors, Policies and Research in Identity Management, pages 121–138, 2008.

[44] George Packer. Can You Keep a Secret? The former C.I.A. chief Michael Hayden on torture and transparency. https://www.newyorker.com/magazine/2016/03/07/michael-hayden-comes-out-of-the-shadows, 2016. Accessed: 2019-03-12.

[45] Chanda Phelan, Cliff Lampe, and Paul Resnick. It’s Creepy, But It Doesn’t Bother Me. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI), pages 5240–5251, New York, NY, USA, 2016. ACM.

[46] Eduardo Porter. The Facebook Fallacy: Privacy Is Up to You. https://www.nytimes.com/2018/04/24/business/economy/facebook-privacy.html, 2018. Accessed: 2019-03-12.

[47] Lee Rainie, Sara Kiesler, Ruogu Kang, and Mary Madden. Anonymity, Privacy, and Security Online. http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/#. Accessed: 2019-03-12.

[48] Ulf-Dietrich Reips and Frederik Funke. Interval-level measurement with visual analogue scales in Internet-based research: VAS Generator. Behavior Research Methods, 40(3):699–704, 2008.

[49] Karen Renaud, Melanie Volkamer, and Arne Renkema-Padmos. Why Doesn’t Jane Protect Her Privacy? In Emil-iano De Cristofaro and Steven J. Murdoch, editors, Privacy Enhancing Technologies (PETS 2014). Lecture Notes in Computer Science, vol 8555, pages 244–262, 2014.

[50] Carsten Röcker. Information Privacy in Smart Office Environments: A Cross-Cultural Study Analyzing the Willingness of Users to Share Context Information. In David Taniar, Osvaldo Gervasi, Beniamino Murgante, Eric Pardede, and Bernady O. Apduhan, editors, Computational Science and Its Applications – ICCSA 2010. Lecture Notes in Computer Science, vol 6019, pages 93–106, Berlin, Heidelberg, 2010. Springer.

[51] Matthew Rosenberg, Nicholas Confessore, and Carole Cadwalladr. How Trump Consultants Exploited the Facebook Data of Millions. https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html. Accessed: 2019-03-12.

[52] Bruce Schneier. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer-Verlag, Berlin, Heidelberg, 2003.

[53] Fatemeh Shirazi and Melanie Volkamer. What Deters Jane from Preventing Identification and Tracking on the Web? In Proceedings of the 13th Workshop on Privacy in the Electronic Society (WPES), pages 107–116, Scottsdale, Arizona, USA, 2014. ACM.

[54] Michael Warren Skirpan, Tom Yeh, and Casey Fiesler. What’s at Stake: Characterizing Risk Perceptions of Emerging Technologies. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI), pages 70:1–70:12, New York, NY, USA, 2018. ACM.

[55] Paul Slovic. Informing and Educating the Public About Risk. Risk Analysis, 6(4):403–415, 1986.

[56] Jessica Staddon, David Huffaker, Larkin Brown, and Aaron Sedley. Are Privacy Concerns a Turn-off?: Engagement and Privacy in Social Networks. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS), pages 10:1–10:13, New York, NY, USA, 2012. ACM.

[57] Chauncey Starr. Social Benefit versus Technological Risk. Science, 165(3899):1232–1238, 1969.

[58] Yao-Ting Sung and Jeng-Shin Wu. The Visual Analogue Scale for Rating, Ranking and Paired-Comparison (VASRRP): A new technique for psychological measurement. Behavior Research Methods, 50(4):1694–1715, 2018.

[59] Symantec. State of Privacy Report 2015. Technical report, Symantec, 2015.

[60] Nitasha Tiku. Facebook Is Steering Users Away From Privacy Protections. https://www.wired.com/story/facebookis-steering-users-away-from-privacy-protections/?mbid=BottomRelatedStories, 2018. Accessed: 2019-03-12.

[61] Sabine Trepte, Leonard Reinecke, Nicole B. Ellison, Oliver Quiring, Mike Z. Yao, and Marc Ziegele. A Cross-Cultural Perspective on the Privacy Calculus. Social Media + Society, 3(1), 2017.

[62] Monique Turner, Christine Skubisz, and Rajiv Rimal. Theory and practice in risk communication: A review of the literature and visions for the future. In Teresa L. Thompson, Roxanne Parrott, and Jon F. Nussbaum, editors, Handbook of Health Communication (2. ed.), pages 146–164. Rout-ledge, 2011.

[63] Amos Tversky and Daniel Kahneman. Judgment under Uncertainty: Heuristics and Biases. Science, 185(4157):1124–1131, 1974.

[64] Blase Ur and Yang Wang. A Cross-cultural Framework for Protecting User Privacy in Online Social Media. In Proceedings of the 22nd International Conference on World Wide Web (WWW), pages 755–762, New York, NY, USA, 2013. ACM.

[65] James Q. Whitman. The Two Western Cultures of Privacy: Dignity Versus Liberty. Yale Law Journal, 113, 2004.

[66] Allison Woodruff, Vasyl Pihur, Sunny Consolvo, Laura Brandimarte, and Alessandro Acquisti. Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences. In Proceedings of the 10th Symposium On Usable Privacy and Security (SOUPS), pages 1–18, Menlo Park, CA, USA, 2014. USENIX Association.

[67] Eric Zeng, Shrirang Mare, and Franziska Roesner. End User Security and Privacy Concerns with Smart Homes. In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS), pages 65–80, Santa Clara, CA, USA, 2017. USENIX Association.

[68] Pei Zhang and A. Jetter. Understanding risk perception using Fuzzy Cognitive Maps. In Proceedings of the 2016 Portland International Conference on Management of Engineering and Technology (PICMET), pages 606–622, Honolulu, HI, USA, 2016. IEEE.

Journal Information

Metrics

All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 137 137 119
PDF Downloads 48 48 30