Investigating People’s Privacy Risk Perception

Open access

Abstract

Although media reports often warn about risks associated with using privacy-threatening technologies, most lay users lack awareness of particular adverse consequences that could result from this usage. Since this might lead them to underestimate the risks of data collection, we investigate how lay users perceive different abstract and specific privacy risks. To this end, we conducted a survey with 942 participants in which we asked them to rate nine different privacy risk scenarios in terms of probability and severity. The survey included abstract risk scenarios as well as specific risk scenarios, which describe specifically how collected data can be abused, e.g., to stalk someone or to plan burglaries. To gain broad insights into people’s risk perception, we considered three use cases: Online Social Networks (OSN), smart home, and smart health devices. Our results suggest that abstract and specific risk scenarios are perceived differently, with abstract risk scenarios being evaluated as likely, but only moderately severe, whereas specific risk scenarios are considered to be rather severe, but only moderately likely. People, thus, do not seem to be aware of specific privacy risks when confronted with an abstract risk scenario. Hence, privacy researchers or activists should make people aware of what collected and analyzed data can be used for when abused (by the service or even an unauthorized third party).

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] A. Acquisti and J. Grossklags. Privacy and Rationality in Individual Decision Making. IEEE Security & Privacy 3(1):26–33 2005.

  • [2] Angeliki Aktypi Jason R.C. Nurse and Michael Goldsmith. Unwinding Ariadne’s Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks. In Proceedings of the 2017 on Multimedia Privacy and Security (MPS) pages 1–11 New York NY USA 2017. ACM.

  • [3] Annie I. Antón Julia B. Earp and Jessica D. Young. How Internet Users’ Privacy Concerns Have Evolved Since 2002. IEEE Security & Privacy 8(1):21–27 2010.

  • [4] Gökhan Bal Kai Rannenberg and Jason I. Hong. Styx: Privacy risk communication for the android smartphone platform based on apps’ data-access behavior patterns. Computers & Security 53:187–202 2015.

  • [5] X. Bellekens A. Hamilton P. Seeam K. Nieradzinska Q. Franssen and A. Seeam. Pervasive eHealth services a security and privacy risk awareness survey. In Proceedings of the International Conference On Cyber Situational Awareness Data Analytics And Assessment (CyberSA) London UK 2016.

  • [6] Ann Bostrom Cynthia J Atman Baruch Fischhoff and M Granger Morgan. Evaluating risk communications: completing and correcting mental models of hazardous processes Part II. Risk Analysis 14(5):789–798 1994.

  • [7] William Bottom Thomas Gilovich Dale Griffin and Daniel Kahneman. Heuristics and Biases: The Psychology of Intuitive Judgment. The Academy of Management Review 29 2004.

  • [8] Carole Cadwalladr. ‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower. https://www.theguardian.com/news/2018/mar/17/data-warwhistleblower-christopher-wylie-faceook-nix-bannon-trump. Accessed: 2019-03-12.

  • [9] L. J. Camp. Mental models of privacy and security. IEEE Technology and Society Magazine 28(3):37–46 2009.

  • [10] Pew Research Center. Public Perceptions of Privacy and Security in the Post-Snowden Era. http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/. Accessed: 2019-03-11.

  • [11] clickworker GmbH. clickworker panel. https://www.clickworker.com/. Accessed: 2017-09-20.

  • [12] Xuefei Deng Robert D. Galliers and Kshiti D. Joshi. Crowdworking - a New Digital Divide? Is Design and Research Implications. In Proceedings of the 2016 European Conference on Information Systems (ECIS) Istanbul Turkey 2016.

  • [13] C. Digmayer and E. Jakobs. Risk perception of complex technology innovations: Perspectives of experts and laymen. In 2016 IEEE International Professional Communication Conference (IPCC) Austin TX USA 2016. IEEE.

  • [14] eMarketer. Number of social network users worldwide from 2010 to 2021 (in billions). https://www.statista.com/statistics/278414/number-of-worldwide-social-network-users/. Accessed: 2019-03-12.

  • [15] Fariborz Farahmand and Eugene H. Spafford. Understanding insiders: An analysis of risk-taking behavior. Information Systems Frontiers 15(1):5–15 2013.

  • [16] Baruch Fischhoff Paul Slovic Sarah Lichtenstein Stephen Read and Barbara Combs. How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences 9(2):127–152 1978.

  • [17] Batya Friedman David Hurley Daniel C. Howe Helen Nissenbaum and Edward Felten. Users’ Conceptions of Risks and Harms on the Web: A Comparative Study. In CHI ’02 Extended Abstracts on Human Factors in Computing Systems pages 614–615 New York NY USA 2002. ACM.

  • [18] V. Garg and J. Camp. End User Perception of Online Risk under Uncertainty. In Proceedings of the 45th Hawaii International Conference on System Sciences (HICCS) pages 3278–3287 Maui HI USA 2012. IEEE.

  • [19] V. Garg and J. Camp. Heuristics and Biases: Implications for Security Design. IEEE Technology and Society Magazine 32(1):73–79 2013.

  • [20] Vaibhav Garg Kevin Benton and L. Jean Camp. The Privacy Paradox: A Facebook Case Study. In Proceedings of the 42nd Research Conference on Communication Information and Internet Policy Arlington VA USA 2014.

  • [21] Vaibhav Garg L. Jean Camp Katherine Connelly and Lesa Lorenzen-Huber. Risk Communication Design: Video vs. Text. In Simone Fischer-Hübner and Matthew Wright editors Privacy Enhancing Technologies (PETS 2012). Lecture Notes in Computer Science vol 7384 pages 279–298 2012.

  • [22] Nina Gerber Benjamin Reinheimer and Melanie Volkamer. Home Sweet Home? Investigating Users’ Awareness of Smart Home Privacy Threats. In Proceedings of An Interactive Workshop on the Human aspects of Smarthome Security and Privacy (WSSP) Baltimore MD USA 2018. USENIX Association.

  • [23] Marco Ghiglieri Melanie Volkamer and Karen Renaud. Exploring Consumers’ Attitudes of Smart TV Related Privacy Risks. In Theo Tryfonas editor Human Aspects of Information Security Privacy and Trust (HAS). Lecture Notes in Computer Science vol 10292 pages 656–674. Springer Cham 2017.

  • [24] E. Goffman. The Presentation of Self in Everyday Life. Anchor Books/Doubleday 1999.

  • [25] Darien Graham-Smith. How to escape the online spies. https://www.theguardian.com/technology/2017/may/13/how-to-get-privacy-digital-life-data-monitoring-gathering-amazon-facebook-google 2018. Accessed: 2019-03-12.

  • [26] M. Harbach S. Fahl and M. Smith. Who’s Afraid of Which Bad Wolf? A Survey of IT Security Risk Awareness. In Proceedings of the IEEE 27th Computer Security Foundations Symposium (CSF) pages 97–110 Vienna Austria 2014. IEEE.

  • [27] Geert H. Hofstede. Cultures and organizations: Software of the mind. McGraw-Hill London and New York 1991.

  • [28] Daniel Kahneman. A Perspective on Judgment and Choice: Mapping Bounded Rationality. The American psychologist 58:697–720 2003.

  • [29] Katherine Karl Joy Peluchette and Christopher Schlaegel. Who’s Posting Facebook Faux Pas? A Cross-Cultural Examination of Personality Differences. International Journal of Selection and Assessment 18(2):174–186 2010.

  • [30] Sabrina Karwatzki Manuel Trenz Virpi Kristiina Tuunainen and Daniel Veit. Adverse consequences of access to individuals’ information: an analysis of perceptions and the scope of organisational influence. European Journal of Information Systems 26(6):688–715 2017.

  • [31] Jennifer King and Andrew McDiarmid. Where’s The Beep? Security Privacy and User Misunderstandings of RFID. In Proceedings of Usability Security and Psychology (UPSEC) San Francisco CA USA 2008. USENIX Association.

  • [32] Predrag Klasnja Sunny Consolvo Jaeyeon Jung Benjamin M. Greenstein Louis LeGrand Pauline Powledge and David Wetherall. “When I Am on Wi-Fi I Am Fearless”: Privacy Concerns & Practices in Everyday Wi-Fi Use. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI) pages 1993–2002 New York NY USA 2009. ACM.

  • [33] H. Krasnova and N. F. Veltri. Privacy Calculus on Social Networking Sites: Explorative Evidence from Germany and USA. In Proceedings of the 2010 43rd Hawaii International Conference on System Sciences (HICSS) Honolulu HI USA 2010. IEEE.

  • [34] D. LeBlanc and R. Biddle. Risk perception of internet-related activities. In Proceedings of the Tenth Annual International Conference on Privacy Security and Trust (PST) pages 88–95 Paris France 2012. IEEE.

  • [35] D. J. Leiner. SoSci Survey (Version 2.5.00-i). https://www.soscisurvey.de/ 2017. Accessed: 2017-09-20.

  • [36] Huigang Liang and Yajiong Xue. Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. Journal of the Association for Information Systems 11(7):394–413 2010.

  • [37] Ragnar Löfstedt and Åsa Boholm. The study of risk in the 21st century. In The Earthscan Reader on Risk pages 1–23. Earthscan 2009.

  • [38] Naresh K Malhotra Sung S Kim and James Agarwal. Internet Users’ Information Privacy Concerns (IUIPC): The Construct the Scale and a Causal Model. Information systems research 15(4):336–355 2004.

  • [39] BBC News. Edward Snowden: Leaks that exposed US spy programme. http://www.bbc.com/news/world-us-canada-23123964 2014. Accessed: 2019-03-12.

  • [40] BBC News. Facebook to exclude billions from European privacy laws. http://www.bbc.com/news/technology-43822184 2018. Accessed: 2019-03-12.

  • [41] Helen Nissenbaum. Privacy As Contextual Integrity. Washington Law Review 79 2004.

  • [42] P. A. Norberg D. R. Horne and D. A Horne. The Privacy Paradox : Personal Information Disclosure Intentions versus Behaviors. The Journal of Consumer Affairs 41(1):100–126 2007.

  • [43] Isabelle Oomen and Ronald Leenes. Privacy Risk Perceptions and Privacy Protection Strategies. In Elisabeth de Leeuw Simone Fischer-Hübner Jimmy Tseng and John Borking editors Policies and Research in Identity Management pages 121–138 2008.

  • [44] George Packer. Can You Keep a Secret? The former C.I.A. chief Michael Hayden on torture and transparency. https://www.newyorker.com/magazine/2016/03/07/michael-hayden-comes-out-of-the-shadows 2016. Accessed: 2019-03-12.

  • [45] Chanda Phelan Cliff Lampe and Paul Resnick. It’s Creepy But It Doesn’t Bother Me. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI) pages 5240–5251 New York NY USA 2016. ACM.

  • [46] Eduardo Porter. The Facebook Fallacy: Privacy Is Up to You. https://www.nytimes.com/2018/04/24/business/economy/facebook-privacy.html 2018. Accessed: 2019-03-12.

  • [47] Lee Rainie Sara Kiesler Ruogu Kang and Mary Madden. Anonymity Privacy and Security Online. http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/#. Accessed: 2019-03-12.

  • [48] Ulf-Dietrich Reips and Frederik Funke. Interval-level measurement with visual analogue scales in Internet-based research: VAS Generator. Behavior Research Methods 40(3):699–704 2008.

  • [49] Karen Renaud Melanie Volkamer and Arne Renkema-Padmos. Why Doesn’t Jane Protect Her Privacy? In Emil-iano De Cristofaro and Steven J. Murdoch editors Privacy Enhancing Technologies (PETS 2014). Lecture Notes in Computer Science vol 8555 pages 244–262 2014.

  • [50] Carsten Röcker. Information Privacy in Smart Office Environments: A Cross-Cultural Study Analyzing the Willingness of Users to Share Context Information. In David Taniar Osvaldo Gervasi Beniamino Murgante Eric Pardede and Bernady O. Apduhan editors Computational Science and Its Applications – ICCSA 2010. Lecture Notes in Computer Science vol 6019 pages 93–106 Berlin Heidelberg 2010. Springer.

  • [51] Matthew Rosenberg Nicholas Confessore and Carole Cadwalladr. How Trump Consultants Exploited the Facebook Data of Millions. https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html. Accessed: 2019-03-12.

  • [52] Bruce Schneier. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Springer-Verlag Berlin Heidelberg 2003.

  • [53] Fatemeh Shirazi and Melanie Volkamer. What Deters Jane from Preventing Identification and Tracking on the Web? In Proceedings of the 13th Workshop on Privacy in the Electronic Society (WPES) pages 107–116 Scottsdale Arizona USA 2014. ACM.

  • [54] Michael Warren Skirpan Tom Yeh and Casey Fiesler. What’s at Stake: Characterizing Risk Perceptions of Emerging Technologies. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI) pages 70:1–70:12 New York NY USA 2018. ACM.

  • [55] Paul Slovic. Informing and Educating the Public About Risk. Risk Analysis 6(4):403–415 1986.

  • [56] Jessica Staddon David Huffaker Larkin Brown and Aaron Sedley. Are Privacy Concerns a Turn-off?: Engagement and Privacy in Social Networks. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS) pages 10:1–10:13 New York NY USA 2012. ACM.

  • [57] Chauncey Starr. Social Benefit versus Technological Risk. Science 165(3899):1232–1238 1969.

  • [58] Yao-Ting Sung and Jeng-Shin Wu. The Visual Analogue Scale for Rating Ranking and Paired-Comparison (VASRRP): A new technique for psychological measurement. Behavior Research Methods 50(4):1694–1715 2018.

  • [59] Symantec. State of Privacy Report 2015. Technical report Symantec 2015.

  • [60] Nitasha Tiku. Facebook Is Steering Users Away From Privacy Protections. https://www.wired.com/story/facebookis-steering-users-away-from-privacy-protections/?mbid=BottomRelatedStories 2018. Accessed: 2019-03-12.

  • [61] Sabine Trepte Leonard Reinecke Nicole B. Ellison Oliver Quiring Mike Z. Yao and Marc Ziegele. A Cross-Cultural Perspective on the Privacy Calculus. Social Media + Society 3(1) 2017.

  • [62] Monique Turner Christine Skubisz and Rajiv Rimal. Theory and practice in risk communication: A review of the literature and visions for the future. In Teresa L. Thompson Roxanne Parrott and Jon F. Nussbaum editors Handbook of Health Communication (2. ed.) pages 146–164. Rout-ledge 2011.

  • [63] Amos Tversky and Daniel Kahneman. Judgment under Uncertainty: Heuristics and Biases. Science 185(4157):1124–1131 1974.

  • [64] Blase Ur and Yang Wang. A Cross-cultural Framework for Protecting User Privacy in Online Social Media. In Proceedings of the 22nd International Conference on World Wide Web (WWW) pages 755–762 New York NY USA 2013. ACM.

  • [65] James Q. Whitman. The Two Western Cultures of Privacy: Dignity Versus Liberty. Yale Law Journal 113 2004.

  • [66] Allison Woodruff Vasyl Pihur Sunny Consolvo Laura Brandimarte and Alessandro Acquisti. Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories Behavioral Intentions and Consequences. In Proceedings of the 10th Symposium On Usable Privacy and Security (SOUPS) pages 1–18 Menlo Park CA USA 2014. USENIX Association.

  • [67] Eric Zeng Shrirang Mare and Franziska Roesner. End User Security and Privacy Concerns with Smart Homes. In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS) pages 65–80 Santa Clara CA USA 2017. USENIX Association.

  • [68] Pei Zhang and A. Jetter. Understanding risk perception using Fuzzy Cognitive Maps. In Proceedings of the 2016 Portland International Conference on Management of Engineering and Technology (PICMET) pages 606–622 Honolulu HI USA 2016. IEEE.

Search
Journal information
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 186 186 70
PDF Downloads 70 70 37