NSF Addressing Privacy Online

NSF OVERVIEW
Objectives and Significance: The goal of the proposed project is to compare the effectiveness of two tactics in addressing online privacy expectations – notice and consent policies versus contextual privacy norms – so that organizations can better meet the privacy expectations of their users and customers online.

To do so, the project will test the hypotheses that (a) individuals hold different privacy expectations based on the context of their online activity and (b) the contextually-defined norms are more effective in addressing online privacy expectations than notice and consent across different contexts. As such, the project supports organizations in meeting the privacy expectations of their stakeholders by identifying the factors individuals consider in developing privacy expectations online in various contexts such as shopping, conducting research, gaming, banking, etc. The longer range goal of the proposed research is to examine contextual privacy norms, where privacy norms are assumed to be developed within and for specific contexts – those communities of actors defined by their activities, roles, relationships, and internal values. Rather than static expectations of privacy, the larger research agenda focuses on how individuals develop contextual privacy norms for specific communities or contexts.

Broader Impact: The results of this proposed project will explain the appropriate role of notice and consent policies in addressing online privacy expectations. As such, this study is responsive to pressing government needs and societal concerns around online privacy and has direct implications for four audiences: researchers, business leaders, policy experts, and customers/users.

Specifically, the results will inform government policy, self-regulation guidelines, and industry best practices by (1) identifying important online contexts with similar privacy expectations (e.g., gaming, shopping, socializing, blogging, researching, etc.), (2) prioritizing the role of notice and consent in addressing privacy expectations within different contexts, and (3) identifying the factors and their relative importance in developing privacy expectations for specific contexts online. For example, users’ privacy expectations of online multiplayer games may have more in common with social networking sites as compared to medical research sites, and notice and consent may not be a factor in either context.

NSF RESEARCH METHODS
The goal of this research is to empirically examine the factors driving individuals’ judgments about privacy expectations and to compare how contextual factors impact meeting privacy expectations relative to individual factors. The model of privacy expectations utilized here relies on context; in order to simulate the complexities of online information practices, I utilized the factorial vignette survey methodology developed to investigate human judgments (Rossi & Nock, 1982; Jasso, 2006; Wallander, 2009).

In a factorial vignette survey, the respondent is asked to evaluate a series of vignettes describing a hypothetical unit of analysis (here, a website). The vignette factors describing the scenario are the independent variables; they are controlled by the researcher and randomly selected. The factorial vignette approach supports the researcher in examining (a) the elements of information used to form judgments, (b) the weight of each of these factors, and (c) how different subgroups of the respondents agree on (a) and (b) (Nock & Guterbock, 2010). These factors and their associated coefficients are referred to as the ‘equations-inside-the-head’ (Jasso, 2006) of respondents. By examining the equations-inside-the-head of respondents, I aim to learn how they form judgments about privacy expectations across different online situations.

The vignettes for this study were constructed by varying several online privacy factors for both tracking users and targeted advertising online. A deck of 40 vignettes for each respondent was randomly created with replacement as the respondent was taking the survey. For each rated vignette, the associated rating, factor levels, and vignette script were preserved, as well as the vignette sequence number. The vignette formats are provided in the appendix below with a sample vignette and the vignette template for each of the studies. Each respondent was assigned one type of vignette – either targeted advertising or tracking users online.

The factors and sample vignettes are available here.

The surveys are available for targeted advertising here and for tracking users online here.

Dependent Variable: For each vignette, respondents were asked to judge the degree to which the situation in the vignette met their privacy expectations. Respondents were given a rating task: ‘Tell us how much you agree with the statement below. Using a sliding scale from -100 to 100, with -100 indicating ‘strongly disagree’ and 100 indicating ‘strongly agree’.’ The respondents were given the prompt, ‘This website meets my privacy expectations.’
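The deck construction and rating task described above can be sketched as follows; this is an added example, not the study's survey code or analysis. The factor names, levels, weights and vignette wording are constructed for illustration (the study's actual factors are not listed on this page), and the weights are recovered with a simple difference in mean ratings, which works because each factor level is drawn independently at random.

```python
import random
from collections import defaultdict

# Constructed factors and levels; the study's actual factors are not on this page.
FACTORS = {
    "context": ["shopping", "banking", "gaming"],
    "data_use": ["kept by the site", "sold to a third party"],
}
# Hypothetical "equation inside the head": additive weight per level (-100..100 scale).
TRUE_WEIGHTS = {
    "context": {"shopping": 0, "banking": 20, "gaming": -30},
    "data_use": {"kept by the site": 0, "sold to a third party": -40},
}
BASELINE = 20
DECK_SIZE = 40  # vignettes per respondent, as stated in the methods text

def build_deck(rng, size=DECK_SIZE):
    """Draw each vignette's factor levels independently, with replacement."""
    return [{f: rng.choice(lv) for f, lv in FACTORS.items()} for _ in range(size)]

def simulated_rating(vignette, rng):
    """Stand-in for a respondent's slider answer, clamped to -100..100."""
    score = BASELINE + sum(TRUE_WEIGHTS[f][lvl] for f, lvl in vignette.items())
    return max(-100, min(100, round(score + rng.uniform(-10, 10))))

def run_survey(n_respondents, seed=1):
    """One record per rated vignette: sequence number, levels, script, rating."""
    rng = random.Random(seed)
    records = []
    for rid in range(n_respondents):
        for seq, v in enumerate(build_deck(rng), start=1):
            script = f"You are {v['context']} on a website. Your data is {v['data_use']}."
            records.append({"respondent": rid, "seq": seq, "levels": v,
                            "script": script, "rating": simulated_rating(v, rng)})
    return records

def level_effects(records, factor):
    """Mean rating of each level minus the factor's first (reference) level."""
    by_level = defaultdict(list)
    for r in records:
        by_level[r["levels"][factor]].append(r["rating"])
    means = {lvl: sum(v) / len(v) for lvl, v in by_level.items()}
    ref = means[FACTORS[factor][0]]
    return {lvl: means[lvl] - ref for lvl in FACTORS[factor]}
```

With 200 simulated respondents, `level_effects(run_survey(200), "data_use")` returns estimates close to the constructed weights, which is the sense in which the design exposes the weight each factor carries in the judgment.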

Individual-Specific Factors: In addition to age and gender, the respondent was asked, ‘Tell us how much you agree with the statements below. On the sliding scale below, with a rating to the left being ‘strongly disagree’ to the right being ‘strongly agree.’’ The rating task stated, ‘In general, I trust websites.’ Their rating on this question was used as their general level of trust in websites. The second rating task stated, ‘In general, I believe privacy is important.’

NSF SAMPLE
The surveys were first piloted on Amazon Mechanical Turk to check for readability and reliability of the respondents’ ratings. The sample for the studies reported here was recruited by GfK/KnowledgeNetworks (http://www.knowledgenetworks.com/knpanel/index.html), which is the first online research panel representative of the entire U.S. population.

GfK/KnowledgeNetworks panel members are randomly recruited through probability-based sampling. Households are provided with access to the Internet and hardware if needed. A representative sample was gathered by recruiting panel members with listed and unlisted telephone numbers, telephone and non-telephone households, and cell phone only households, as well as households with and without Internet access. For this study, GfK was subsidized via TESS, a competitively selective program for online behavioral research funded by NSF and run by Time Sharing Experiments in the Social Sciences (TESS). The surveys were accepted to the Time Sharing Experiments for the Social Sciences (TESS) program in their blind peer-reviewed selection process for a subsidized large, diverse population of research participants. Funded by NSF (SES – #0819939), TESS provides principal investigators access to a random, probability-based sample for online surveys using experimental design (http://www.tessexperiments.org/introduction.html).

For the two surveys, 1,574 respondents rated 40 vignettes resulting in 62,960 rated vignettes or observations for the privacy expectations surveys (targeting:  779 respondents and 31,160 vignettes; tracking: 795/31,800).  Summary statistics on the sample are in the table below.

 TABLE:  Targeting and Tracking Vignette Survey Samples.


NSF FINDINGS/PRESENTATIONS

Shilton, K. & Martin, K. Mobile Privacy Expectations in Context. 2016. The Information Society. This paper reports on survey findings that identify contextual factors of importance in the mobile data ecosystem. Our survey demonstrated that overall, very common activities of mobile application companies such as harvesting and reusing location data, accelerometer readings, demographic data, contacts, keywords, name, images and friends do not meet users’ privacy expectations. But these differences are modulated by both information type and social context.

Martin, K. 2016. Data Aggregators, Big Data, and Responsibility Online- Who is tracking us online and should they stop? The Information Society.
The goal of this paper is to examine the strategic choices of firms collecting consumer data online and to identify the roles and obligations of the actors within the current network of online tracking. In doing so, the focus shifts from placing the onus on individuals to make an informed choice to justifying the roles and responsibilities of firms when gathering, aggregating, and using consumers’ interests or behavior online.

Martin, K. 2013. Transaction Costs, Privacy, and Trust: The laudable goals and ultimate failure of notice and choice online. First Monday 18(12).
The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the online environment is not conducive to relying on explicit agreements to respect privacy.

Martin, K. 2015. Understanding Privacy Online: Development of a Social Contract Approach to Privacy. Journal of Business Ethics.
Recent scholarship in philosophy, law, and information systems suggests that respecting privacy entails understanding the implicit privacy norms about what, why, and to whom information is shared within specific relationships. These social contracts are important to understand if firms are to adequately manage the privacy expectations of stakeholders.

This paper explores a social contract approach to developing, acknowledging, and protecting privacy norms within specific contexts. While privacy as a social contract—a mutually beneficial agreement within a community about sharing and using information—has been introduced theoretically and empirically, the full impact on firms of an alternative framework to respecting the privacy expectations of stakeholders has not been examined. The goal of this paper is to examine how privacy norms develop through social contract’s narrative, to redescribe privacy violations given the social contract approach, and to critically examine the role of business as a contractor in developing privacy norms.

Martin, K. & Shilton, K. 2015. Why Experience Matters to Privacy- How Context-Based Experience Moderates Consumer Privacy Expectations for Mobile Applications. Journal of the Association for Information Science and Technology.
Analysis of the data suggests that experience using mobile applications did moderate the effect of individual preferences and contextual factors on privacy judgments. Experience changed the equation respondents used to assess whether data collection and use scenarios met their privacy expectations. Discovering the bridge between 2 dominant theoretical models enables future privacy research to consider both personal and contextual variables by taking differences in experience into account.

Martin, K. 2015. Ethical Issues in the Big Data Industry. MISQ Executive. This article examines Big Data within the context of the Big Data Industry and identifies persistent issues and points of weakness in current market practices. Importantly, the article identifies the Big Data Industry as having both economic and ethical issues at the individual firm, supply chain and general industry level and suggests associated solutions to preserve sustainable industry practices.

Martin, K. 2015. Privacy Notices as Tabula Rasa- How consumers project expectations on privacy notices. Journal of Public Policy and Marketing. Submitted November 2014.
The results of this study suggest respondents perceived the privacy notice as offering greater protections than the actual privacy notice. Perhaps most problematic, respondents projected the important factors of their privacy expectations onto the privacy notice. In other words, privacy notices became a tabula rasa for users’ privacy expectations.

Shilton, K. & Martin, K. Forthcoming. Mobile Privacy Expectations in Context. The Information Society.
An increasing amount of social activity and commerce is performed using applications running on mobile devices such as phones and tablets. During these activities, mobile applications collect increasing amounts of personal data. Consumers, organizations, and regulators struggle to address privacy expectations for these new forms of data collection across a diverse set of activities.

Understanding how consumer privacy expectations change in different data use and business contexts can help regulators identify contexts that may require stricter privacy protections and help firms and managers better meet privacy expectations of users. Study results help us understand one aspect of mobile privacy: the expectations of consumers as they vary by context. These expectations have direct implications for researchers, business leaders, policy experts, and consumers.

Who is tracking us online and should they stop?

    • American Statistical Association Annual Meeting (Boston, MA). August 2014.
    • American Association of Opinion Researcher’s Annual Meeting (Anaheim, CA). May 2014.
    • John Carroll University. April 2013.
    • Society of Business Ethics (Orlando, FL). August 2013.

Addressing Privacy Online: Individual v. Contextual Factors

    • Carnegie Mellon University. March 2014.
    • New York University. March 2014.
    • Society of Business Ethics (Boston, MA). August 2012.
    • Association for Practical and Professional Ethics (Cincinnati, OH). March 2012.

Mobile Privacy Expectations

    • Privacy Law Scholars Conference (Washington, DC). June 2014.
    • Future Privacy Forum. April 2014.
    • TPRC (GMU). September 2013.
    • Privacy Law Scholars Conference (Berkeley, CA). June 2013.