IP: Understanding Net Users' Attitudes About Online Privacy

[Dave Farber <farber () cis upenn edu>]

> From: "Lorrie Faith Cranor" <lorrie () research att com>
> To: "Dave Farber" <farber () cis upenn edu>
> Date: Wed, 14 Apr 1999 11:20:19 -0400
>
>
> My colleagues and I have released an AT&T Labs-Research Technical
> Report on our study of Net users' attitudes about online privacy. I
> have attached the executive summary below. The full report is
> available online at:
> http://www.research.att.com/projects/privacystudy/
> Feel free to forward this.
>
> Lorrie
>
>
> Beyond Concern: Understanding Net Users' Attitudes
> About Online Privacy
>
> by Lorrie Faith Cranor, Joseph Reagle, and Mark S. Ackerman 
>
> 14 April 1999
>
> Executive Summary
>
> People are concerned about privacy, particularly on the
> Internet. While many studies have provided evidence of this concern,
> few have explored the nature of the concern in detail, especially for
> the online environment. With this study, we have tried to better
> understand the nature of online privacy concerns; we look beyond the
> fact that people are concerned and attempt to understand how they are
> concerned. We hope our results will help inform both policy decisions
> as well as the development of technology tools that can assist
> Internet users in protecting their privacy. 
>
> We present results here from the analysis of 381 questionnaires
> completed between November 6 and November 13, 1998 by American
> Internet users. The sample was drawn from the FamilyPC
> magazine/Digital Research, Inc. Family Panel. While this is not a
> statistically representative sample of US Internet users, our
> respondents are heavy Internet users, and quite possibly lead
> innovators. As such, we believe that this sample is important for
> understanding the future Internet user population. 
>
> Major Findings
>
> Internet users are more likely to provide information when they are
> not identified. When presented with scenarios involving the provision
> of personal data to Web sites, our respondents were much less willing
> to provide information when personally identifiable information was
> requested.
>
> Some types of data are more sensitive than others. Our respondents
> were generally comfortable providing preference information to Web
> sites. However, they were often very uncomfortable providing credit
> card numbers and social security numbers. We also observed significant
> differences in sensitivity to seemingly similar kinds of data. For
> example, while postal mail address, phone number, and email address
> can all be used to contact someone, most of our respondents said they
> would never or rarely feel comfortable providing their phone number
> but would usually or always feel comfortable providing their email
> address. The comfort level for postal mail address fell somewhere in
> between.
>
> Many factors are important in decisions about information
> disclosure. When deciding whether to provide information to Web sites,
> our respondents report that the most important factor is whether or
> not information will be shared with other companies and
> organizations. Other highly important factors include whether
> information is used in an identifiable way, the kind of information
> collected, and the purpose for which the information is
> collected. Whether a site posts a privacy policy, whether a site has a
> privacy seal of approval, and whether a site discloses a data
> retention policy were viewed as important, but considerably less so
> than the other factors we asked about.
>
> Acceptance of the use of persistent identifiers varies according to
> their purpose. Fifty-two percent of our respondents indicated they
> were concerned about Web cookies, and another 12% said they were
> uncertain about what a cookie is. Of those who knew what cookies were,
> 56% said they had changed their cookie settings to something other
> than accepting all cookies without warning. However, 78% of
> respondents said they would definitely or probably agree to Web sites
> using persistent identifiers (possibly implemented using cookies) to
> provide a customized service. Fewer (60%) would agree to the use of
> such an identifier to provide customized advertising, and fewer still
> (44%) would agree to using the identifier to provide customized
> advertising across many Web sites.
>
> Internet users dislike automatic data transfer. While our respondents
> said they are interested in tools that make using the Web more
> convenient, most do not want these tools to transfer information about
> them to Web sites automatically. When asked about several possible
> browser features that would make it easier to provide information to
> Web sites, 86% of respondents reported no interest in features that
> would automatically transfer their data to Web sites without any user
> intervention.
>
> Internet users dislike unsolicited communications. Respondents
> indicated a strong desire to avoid unsolicited communications
> resulting from providing information to Web sites. For example, 61% of
> respondents who said they would be willing to provide their name and
> postal mail address to a site in order to receive free pamphlets and
> coupons said they would be less likely to provide the information if
> it would be shared with other companies and used to send them
> additional marketing materials.
>
> A joint program of privacy policies and privacy seals seemingly
> provides a comparable level of user confidence as that provided by
> privacy laws. We described a scenario in which a Web site with
> interesting information related to a favorite hobby asks for a
> visitor's name and postal address in order to provide free pamphlets
> and coupons. Of the respondents who were unsure or said they would not
> provide the requested information:
>
> - 48% said they would be more likely to provide it if there was a law
> that prevented the site from using the information for any purpose
> other than processing the request, 
>
> - 28% said they would be more likely to provide it if the site had a
> privacy policy, 
>
> - and 58% said they would be more likely to provide it if the site had
> both a privacy policy and a seal of approval from a well-known
> organization such as the Better Business Bureau or the AAA. 
>
> On the other hand, when we asked respondents about online privacy seal
> programs without mentioning any specific brand names, their responses
> suggest that they do not yet understand how Internet seal programs
> work.
>
> We are continuing to analyze our survey data and plan to collect more
> data to further explore these and other issues. We expect to provide
> more detailed analyses in future reports. 
>
> Implications
>
> Finally, we believe that a few technical and policy implications can
> be drawn from our work. As the software engineering community attempts
> to implement the Platform for Privacy Preferences (P3P) and similar
> privacy protocols, one of the major issues will be designing suitable
> user interfaces for these systems. Such systems need to inform users
> when user privacy might be at risk. However, not only must a user
> interface present an extremely complex information and decision space,
> it must do so seamlessly and unobtrusively (Ackerman and Cranor
> 1999). Our results suggest that for users who either have strong
> feelings about privacy or who are marginally concerned about privacy,
> very simple interfaces would likely be useful and usable. However, for
> the majority of users who take a pragmatic approach to privacy issues,
> it seems likely that a variety of mechanisms will be needed. 
>
> While the vast majority of our respondents were concerned about
> privacy (only 13% said they were "not very" or "not at all" concerned
> about privacy threats), their reactions to scenarios involving online
> data collection were extremely varied. Some respondents reported that
> they would rarely be willing to provide personal data online, others
> showed some willingness to provide data depending on the situation,
> and others were quite willing to provide data -- regardless of whether
> or not they reported a high level of concern about privacy. Thus it
> seems unlikely that a one-size-fits-all approach to online privacy is
> likely to succeed. 
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Lorrie Faith Cranor <lorrie () research att com>
> AT&T Labs-Research, Shannon Laboratory 
> 180 Park Ave. Room A241, Florham Park, NJ 07932 
> Phone: 973-360-8607  FAX: 973-360-8970
> http://www.research.att.com/~lorrie/