Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Upload: bart-knijnenburg

Post on 01-Dec-2014


DESCRIPTION

Keynote for the decisions@recsys workshop at the 2013 Recommender Systems conference.

TRANSCRIPT

Page 1: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Simplifying Privacy Decisions
Towards Interactive and Adaptive Solutions

Page 2: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

INFORMATION AND COMPUTER SCIENCES

About me...

PhD candidate at UC Irvine

Recommender Systems:
- Choice overload
- Adaptive preference elicitation
- User-centric evaluation
- Social recommenders

Privacy:
- Form auto-completion tools
- App recommenders
- Location-sharing social networks

Samsung research intern, Google PhD Fellow

@usabart

Page 3: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Outline

1. Transparency and control
Privacy calculus, paradoxes, and bounded rationality

2. Privacy nudging and persuasion
A solution inspired by decision sciences... with some flaws

3. Privacy Adaptation Procedure
Adaptive nudges based on a contextualized understanding of users’ privacy concerns

Page 4: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Transparency and control
Privacy calculus, paradoxes, and bounded rationality

Page 5: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Privacy Paradox

For many participants this behavior stands in sharp contrast to their self-reported privacy attitude

- Spiekermann et al., 2001

Seventy percent of US consumers worry about online privacy, but few take protective action

- Jupiter research report, 2002

Recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior

- Acquisti & Grossklags, 2005

Page 6: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Privacy Paradox

Page 7: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

A model by Smith et al. 2011

Why aren’t these more strongly related?

Page 8: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions
Page 9: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions
Page 10: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions
Page 11: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Horror stories

“My daughter [is] still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”

“I had a talk with my daughter. It turns out [...] she’s due in August. I owe you an apology.”

Page 12: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

A model by Smith et al. 2011

Why aren’t these more strongly related?

Control

Transparency

Page 13: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Transparency and control

Control

Transparency

Informed consent: “companies should provide clear descriptions of [...] why they need the data, how they will use it”

User empowerment: “companies should offer consumers clear and simple choices [...] about personal data collection, use, and disclosure”

Page 14: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Are transparency and control really the key to better privacy decisions?

Page 15: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Website A/B testing

Page 16: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Transparency Paradox

Transparency is useful for concerned users, but bad for others

Makes them more fearful

Mentions of privacy (even favorable ones) often trigger privacy concerns

Page 17: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: John et al.

[Figure: Appendix C, Experiment 2A: screenshots of the survey interface manipulation (Frivolous, Baseline, Serious)]

Page 18: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: John et al.

[Figure: Appendix C, Experiment 2A: screenshots of the survey interface manipulation (Frivolous, Baseline, Serious)]

Page 19: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: John et al.

Page 20: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: John et al.

[Figure: Appendix C, Experiment 2A: screenshots of the survey interface manipulation (Frivolous, Baseline, Serious)]

Page 21: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

[Figure: AAR relative to overall average AAR within question type (y-axis, 0.7 to 1.3) for Tame and Intrusive questions, in the Serious and Frivolous conditions]

Figure 6. The average AAR within each inquiry condition, relative to the overall average AAR for the questions of the given intrusiveness level (Experiment 2B). The value of 1 on the y axis represents the overall average AAR.

Example: John et al.

Page 22: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Control example: Knijnenburg et al.

Normally, people are more likely to disclose information when the type of requested information matches the purpose of the website

[Figure: three panels (Auto, Remove, Add), each comparing BlogHeroes, I♡WRK and Codacare on a 75% to 100% scale; legend: Contact info, Interests, Job skills, Health record]

[Screenshot: BlogHeroes form with every field pre-filled. Sections: General info about me; What I do for a living; My health. The form notes that none of the fields are required.]

[Screenshot: I♡WRK form with pre-filled fields and a “clear” button next to each. Sections: General and contact information; Work experience. The form notes that none of the items are required.]

[Screenshot: Codacare form with empty fields and a “fill” button next to each. Sections: General information; Health. The form notes that none of the items are required.]

Page 23: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Control example: Knijnenburg et al.

Auto-completion tools make it so easy to submit a fully completed form that users may skip weighing the benefits and risk of disclosing a certain piece of information in a specific situation

[Figure: three panels (Auto, Remove, Add), each comparing BlogHeroes, I♡WRK and Codacare on a 75% to 100% scale; legend: Contact info, Interests, Job skills, Health record]

[Screenshot: BlogHeroes form with every field pre-filled. Sections: General info about me; What I do for a living; My health. The form notes that none of the fields are required.]

bit.ly/icis2013

Page 24: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Control example: Knijnenburg et al.

Adding a simple “clear” button reduces overall disclosure and makes it more purpose-specific again

Why? Users have more control!

[Figure: three panels (Auto, Remove, Add), each comparing BlogHeroes, I♡WRK and Codacare on a 75% to 100% scale]

[Screenshot: I♡WRK form with pre-filled fields and a “clear” button next to each. Sections: General and contact information; Work experience. The form notes that none of the items are required.]

bit.ly/icis2013

Page 25: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Control example: Knijnenburg et al.

Using a “fill” button instead does not further reduce disclosure, and actually leads to a higher user satisfaction

Why? Even more control!

[Figure: three panels (Auto, Remove, Add), each comparing BlogHeroes, I♡WRK and Codacare on a 75% to 100% scale]

[Screenshot: Codacare form with empty fields and a “fill” button next to each. Sections: General information; Health. The form notes that none of the items are required.]

bit.ly/icis2013

Page 26: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Facebook

“bewildering tangle of options” (New York Times, 2010)

“labyrinthian” controls (U.S. Consumer Magazine, 2012)

Page 27: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg et al.

Introducing an “extreme” sharing option

Nothing - City - Block
Add the option Exact

Expected: Some will choose Exact instead of Block

Unexpected: Sharing increases across the board!

[Figure: options N, C, B and E plotted on axes labelled “privacy” and “benefits”]

bit.ly/chi2013privacy

Page 28: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Control Paradox

Decisions are too numerous
Most Facebook users don’t know implications of their own privacy settings!

Decisions are difficult
Uncertain and delayed outcomes

Result: people just pick the middle option!

Page 29: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Bounded rationality

Why do transparency and control not work?

People’s decisions are inconsistent and seemingly irrational
- Framing effects
- Default effects
- Order effects

Page 30: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Framing and defaults: Lai and Hui

[Slide annotation: participation of 0%, 25%, 37% and 53% across the conditions labelled A, B, C and D]

Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and information.
Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and information.

Figure 4: Subjects were assigned one of the following conditions in the registration page.

3.1. Data Analysis and Results

The mean levels of participations in each experimental condition are reported in Table 1 below.

Table 1: Mean participation levels as a function of frames and defaults

                     Choice-Frame     Rejection-frame
Default-checked      0.526 (N=14)     0.000 (N=19)
Default-unchecked    0.250 (N=16)     0.368 (N=19)

An analysis of variance (ANOVA) revealed a significant main effect of choice framing on the level of consumer participation (F=3.662, p=0.060). There was also a significant interaction effect between checked/unchecked-default and the question frame of choice or rejection (F=9.148, p=0.004). These are consistent with Hypotheses 1a and 1b.

Pair-wise comparisons were conducted among the four conditions (1) choice-frame, checked-default (2) choice-frame, unchecked-default (3) rejection-frame, checked-default and (4) rejection-frame, unchecked-default. Within the choice-frame context, the disparity between the two checked-default/unchecked-default conditions was 0.276 and marginally significant (t=-1.702, p<0.10). On average, the checked-default treatment in the choice-frame context elicited about 27.6% more participation relative to the unchecked-default treatment. Within the rejection-frame context, the difference between the two default stipulations was slightly larger at 0.368 and statistically significant (t=3.240, p<0.01). The unchecked-default treatment educed about 36.8% higher level of consumer participation as compared with the checked-default treatment within the rejection-frame context. These results are consistent with Hypotheses 1a and 1b.

We further evaluate the conditions adhering to opt-in: (2) choice-frame, unchecked-default and (3) rejection-frame, checked-default. The difference was 0.250 and statistically significant (t=2.236, p<0.05). Also, an evaluation of conditions (1) choice-frame, checked-default and (4) rejection-frame, unchecked-default (both adhering to opt-out) yielded a difference of 0.158 which was not statistically significant (t=-0.965, p=0.341). Hence, Hypothesis 2a was supported, but Hypothesis 2b was not.

Finally, we compared the aggregate of the two mechanisms under opt-in and that of the two mechanisms under opt-out. The difference between opt-in and opt-out was statistically significant (t=3.041, p<0.01). On average, opt-out garnered about 31.4% more participation relative to opt-in. Therefore, Hypothesis 3 was supported.

4. THE MODERATING EFFECT OF PRIVACY CONCERN

In the age of escalating information exchange, privacy concern is an inherent candidate to investigate the malleability of the framing and default status effects on consumer participation, especially in the online context where such elicitations are rampant.

The tendency for people to follow default suggestions may relate to the subjective importance of, or the exposure to, the associated task. Connolly et al. suggest that prior outcomes could influence the actions performed by a person [3]. Specifically, they posit that negative prior outcomes may induce a tendency of people to act and convert an action into a “normal” state (cf. abnormal, as originally posited by the norm theory). When the prior outcome is negative, people may regret more if they do not take actions to prevent further losses should the same negative outcome reappears.² In contrast, if they did act to prevent the potential losses, even if their actions were not effective, the regret or affective feeling may be less significant.

In the online context, negative prior outcomes are often publicized by press reports that highlight the misuse of customer data and the escalation of spam. People who are generally more concerned about privacy may tend to associate negative outcomes with participation in online activities. It is more likely for privacy-concerned consumers to study the offered options carefully, and they do not necessarily regard the default option as the “norm”.

Similarly, Wilson et al. posit that the salience of anchoring may depend on the prior knowledge of the decision maker [30]. If a person is more certain about the implications of performing an action, the anchoring effect that is induced by a default option may be weaker [2]. Intuitively, if a person were apprehensive about the outcomes of an action (e.g., to opt in or opt out of online activities), then it is more likely for her to spend the time/cost to study the options carefully. It is also less likely for her to be biased by default suggestions. Hence, we hypothesize the following moderating effect:

H4: The higher the privacy concern, the smaller the difference between the level of participation in online activities induced by the checked-default mechanism and the unchecked-default mechanism (for both choice- and rejection- frames).

The intensity of privacy concern may additionally mitigate the impact of attribute framing effects. Previous studies have revealed that topics entailing issues of strongly held attitudes or personal involvement are less vulnerable to the effects of attribute framing. Marteau discovered no framing effects across a wide variety of problems pertaining to decisions on abortion [21]. Also, Levin, Schnittjer and Thee found no disparity between one’s indications of the possibility of being a cheater himself/herself but detected a difference in the conditions when the subjects were requested to rate the general incidence of cheating [19]. In a similar vein, attribute framing effects are consistently absent when subjects were estimating their own performance by employing the diverse frames of “percentage correct” vis-à-vis “percentage wrong”, but significantly salient when approximating performance of others [e.g. 27].

Since the issue in the research question pertains to the forays of possible unwanted intrusions into one’s private space, it is

² They might then ask themselves: “why didn’t I do something to prevent this?”

Page 31: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Default order: Acquisti et al.

Foot in the door (innocuous requests first)

Door in the face (risqué requests first)

Page 32: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Default order: Acquisti et al.

[Figure: cumulative admission rates in percentages (y-axis, 0 to 1400) by question number 1 to 30 (x-axis, ordered as in the Increasing condition), for the Decreasing, Increasing and Baseline conditions]

Page 33: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Bounded rationality

Why do transparency and control not work?

Transparency: Information overload

Control: Choice overload

Page 34: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Bounded rationality

Why do transparency and control not work?

Transparency: Information overload

Control: Choice overload

Page 35: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Summary of part 1

We need to move beyond control and transparency

Rational privacy decision-making is bounded
Transparency and control increase choice difficulty

Page 36: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Privacy nudging and persuasion
A solution inspired by decision sciences... with some flaws

Page 37: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Starting point...

People’s decisions are inconsistent and seemingly irrational, therefore:
- People do not always choose what is best for them
- There is significant leeway to influence people's decisions
- Being objectively neutral is impossible

Page 38: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

A new model

[Diagram labels: Privacy Calculus; Decision heuristics; Benefits; Risk/Costs; Behavioral reactions (including disclosures); Nudge; Persuasion; Justification; Default value; Default order]

Page 39: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

A new model

Justification
A succinct reason to disclose (or not disclose) a piece of information
- Make it easier to rationalize the decision
- Minimize the potential regret of choosing the wrong option

Default value
Relieve users from the burden of making decisions
- Path of least resistance
- Implicit normative cue (what I should do)
- Endowment effect (what I have is worth more than what I don’t have)

Page 40: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg & Kobsa

5 justification types
- None
- Useful for you
- Number of others
- Useful for others
- Explanation

bit.ly/tiis2013

Page 41: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Default order: Knijnenburg & Kobsa

[Figure: disclosure behavior (y-axis, 0% to 100%) for demographics disclosure and context disclosure, each under the Context first and Demographics first orders]

bit.ly/tiis2013

Page 42: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Justifications: Knijnenburg & Kobsa

[Figure: disclosure behavior (y-axis, 0% to 100%) for demographics disclosure and context disclosure, each under the Context first and Demographics first orders, by justification type: none, useful for you, # of others, useful for others, explanation]

bit.ly/tiis2013

Page 43: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Justifications: Knijnenburg & Kobsa

Anticipated satisfaction with the system (intention to use):

6 items, e.g. “I would recommend the system to others”

Lower for any justification!

[Figure: satisfaction with the system by justification type, shown beside the disclosure behavior chart (demographics disclosure and context disclosure; Context first and Demographics first; none, useful for you, # of others, useful for others, explanation)]

bit.ly/tiis2013

Page 44: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Framing and Defaults: Lai and Hui

[Slide annotation: participation of 0%, 25%, 37% and 53% across the conditions labelled A, B, C and D]

Page 45: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Problems with Privacy Nudging

What should be the purpose of the nudge?

“More data collection = better, e.g. for personalization”
Techniques to increase disclosure cause reactance in the more privacy-minded users

“Privacy is an absolute right”
More difficult for less privacy-minded users to enjoy the benefits that disclosure would provide

Page 46: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Problems with Privacy Nudging

Smith, Goldstein & Johnson:

“What is best for consumers depends upon characteristics of the consumer: An outcome that maximizes consumer welfare may be suboptimal for some consumers in a context where there is heterogeneity in preferences.”

Page 47: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Summary of part 2

Nudges work
Defaults and justifications can influence users’ decisions

But we cannot nudge everyone the same way!

Users differ in their disclosure preferences
Nudges should respect these differences

Page 48: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Privacy Adaptation Procedure
Adaptive nudges based on a contextualized understanding of users’ privacy concerns

Page 49: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

What kind of system helps users find what they want in the presence of heterogeneous preferences?

A recommender system!

(more specifically, a Privacy Adaptation Procedure)

Page 50: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Towards Privacy Adaptation

“Figure out what people want, then help them do that.”

Explicate the privacy calculus/heuristics
What best captures people’s privacy preferences? What are the underlying reasons to disclose or not?

Contextualize the privacy calculus/heuristics
Who discloses and who doesn’t? What do they disclose and what do they withhold? Under what circumstances do they disclose?

Page 51: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Contextualizing privacy

[Diagram labels: Contextualize; Privacy decision; different users; different context]

The optimal justification and default may depend on:
- type of info (what)
- user characteristics (who)
- recipient (to whom)
- etc...

Page 52: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg et al.

Type of data        ID   Items
Facebook activity   1    Wall
Facebook activity   2    Status updates
Facebook activity   3    Shared links
Facebook activity   4    Notes
Facebook activity   5    Photos
Location            6    Hometown
Location            7    Location (city)
Location            8    Location (state/province)
Contact info        9    Residence (street address)
Contact info        11   Phone number
Contact info        12   Email address
Life/interests      13   Religious views
Life/interests      14   Interests (favorite movies, etc.)
Life/interests      15   Facebook groups

bit.ly/privdim

Page 53: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg et al.

(Same table of items as on the previous slide.)

“What?” = Four dimensions

bit.ly/privdim

Page 54: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg et al.

- 159 pps tend to share little information overall (LowD)
- 26 pps tend to share activities and interests (Act+IntD)
- 50 pps tend to share location and interests (Loc+IntD)
- 65 pps tend to share everything but contact info (Hi-ConD)
- 59 pps tend to share everything

“Who?” = Five disclosure profiles

bit.ly/privdim

Page 55: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg et al.

Detect class membership

bit.ly/privdim

Page 56: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

[Figure: bar chart with a percentage axis (75% to 100%); series: BlogHeroes, I♡WRK, Codacare; categories: Contact info, Interests, Job skills, Health record]

Example: Knijnenburg et al.

Please tell us more about yourself
BlogHeroes will assign a "guild" to you based on the information you provide below. Note that none of the fields are required, but our classification will be better if you provide more information.

General info about me
Please provide some background info to get our matching process started.

Name (first): John (last): Smith

E-mail address: [email protected]

Gender: Male

Age (years): 23

Address: 123 Main St. City: New York State: NY Zip: 12345

What I do for a living
Some guilds write about their jobs. Tell us more about yours, and we can provide a better match.

Employment status: Employed for wages

Experience (years): 5

Current/previous job: Researcher Sector: Education / training / library

Income level: between $50K and $100K/year

Education: Doctoral

My health
Some guilds write about their health. Providing us with some info will help us match them to you.

Physical health: About average

Dietary restrictions: allergic to nuts

Birth control usage: None

Please enter your information
I♡WRK will find jobs based on the information you enter on this form. None of the items on the form are required, but if you provide more information the jobs will be a better match.

GENERAL AND CONTACT INFO

General and contact information

FIRST NAME: John LAST NAME: Smith [clear]

AGE: 23 [clear]

GENDER: Male [clear]

E-MAIL ADDRESS: [email protected] [clear]

ADDRESS: 123 Main St. CITY: New York STATE: NY ZIP: 12345 [clear]

WORK EXPERIENCE

Please tell us about your education and work experience, so that we can find a suitable job for you.

HIGHEST DEGREE EARNED: Doctoral [clear]

CURRENT EMPLOYMENT STATUS: Employed for wages [clear]

CURRENT/PREVIOUS JOB: Researcher SECTOR: Education, library, or training [clear]

EXPERIENCE (IN YEARS): 5 [clear]

Enter your details, please

Your personal Codacare health insurance policy will be based on the information you provide. Please note that none of the items are required, but the insurance will be better tailored to your needs if you provide more information.

General information

Please provide your general information.

Name (first): (last): [fill]

Address: [fill] City: State: Zip:

Gender: [fill]

Age: [fill]

E-mail: [fill]

Health

Please answer the following questions about your health. This is important to find the correct care package.

Birth control usage: [fill]

Weight (lbs): [fill]

“To whom?” matters too!

Page 57: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Example: Knijnenburg & Kobsa

I do whatever others do

I care about the benefits

Page 58: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Subjective Valuations

We analyze the effect of the strategies on subjective valuations by submitting the questionnaire items to a Confirmatory Factor Analysis and regressing resulting satisfaction-factors on the strategies and user characteristics. The dependent variables in these analyses are: perceived disclosure help, perceived privacy threat, trust in company privacy practices, and overall satisfaction. The independent variables are the strategies (5 justification types × 2 orders), and the interactions of the strategies with gender and disclosure tendency. In effect, each dependent variable is regressed on justification type × order × gender × disclosure tendency.

Figure 4 displays the estimated effects of justification type and request order on the subjective valuations for each gender and disclosure tendency. Disregarding justification type, the request order has a significant effect on perceived disclosure help for males with a low disclosure tendency (β = -0.533, p = .023), where requesting context data first generally leads to a higher level of perceived disclosure help. The request order also has a significant effect on perceived privacy threat (β = 0.425, p = .024) and trust in the company (β = -0.340, p = .043) for females with a high disclosure tendency, where requesting context data first leads to less threat and more trust.

Figure 4 compares for each group the best strategy (marked with an arrow) against all other strategies. Strategies that perform significantly worse than the best strategy are labeled with a p-value.

HEURISTICS FOR SELECTING THE BEST STRATEGY

The results show that the best strategy depends on users’ disclosure tendency and gender. It also depends on the goal of the system: some strategies increase disclosure of one type of data but not the other, and some increase disclosure but at the same time reduce users’ satisfaction. We therefore suggest that the strategy should be adapted to the optimization goal of the system and the characteristics of the user. Table 4 outlines heuristics for selecting the best strategy for each type of user, given a certain system goal. Below we reflect on these suggested heuristics.

Best Strategy to Achieve High Demographics Disclosure

To get high demographics disclosure, one should ask for demographics first. Users with high disclosure tendency do not require a justification. Users with low disclosure tendency require a justification; the best justification is ‘number of others’ for females, and ‘explanation’ for males.

Best Strategy to Achieve High Context Data Disclosure

To get high context data disclosure, one should ask for context data first. No justification is required, but males with high disclosure tendency disclose more with the ‘number of others’ or ‘useful for others’ justification.

Best Strategy to Achieve High Total Disclosure

Since it is best to ask demographics first to increase demographics disclosure, and context first to increase context disclosure, increasing total disclosure asks for a compromise. The best way to attain this compromise is to first choose a preferred request order, and then to select a

Table 2: Best strategies to achieve high overall disclosures.

Males with low disclosure tendency
- Context first: The ‘useful for you’ justification gives the highest demographics disclosure.
- Demographics first: Providing no justification gives the highest context disclosure.

Females with low disclosure tendency
- Context first: Providing no justification gives the highest demographics disclosure.
- Demographics first: The ‘explanation’ justification keeps context disclosure on par.

Males with high disclosure tendency
- Context first: The ‘useful for others’ justification keeps demographics disclosure almost on par.
- Demographics first: The ‘useful for you’ justification keeps context disclosure on par.

Females with high disclosure tendency
- Context first: Providing no justification gives a high demographics disclosure.
- Demographics first: The ‘useful for you’ justification gives the highest context disclosure.

Table 3: Best strategies to achieve high user satisfaction.

User type: Best strategy
- Males with low disclosure tendency: Demographics first with ‘useful for you’.
- Males with high disclosure tendency: The ‘useful for you’ justification in any order.
- Females with low disclosure tendency: Context first with ‘useful for you’.
- Females with high disclosure tendency: Context first with no justification, but ‘useful for you’ is second best.

Example: Knijnenburg & Kobsa

bit.ly/iui2013

Page 59: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Adaptive Privacy Procedure

$p_{\text{share}} = \alpha + \beta_{\text{itemtype}} + \beta_{\text{usertype}} + \beta_{\text{recipienttype}}$

• Determine the item-, user-, and recipient-type
• Select the default and justification that fits best for this context

INPUT: {user, item, recipient}
OUTPUT: {defaults, justification}
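A sketch of the procedure on this slide, added here as an example and not code from the talk or the cited studies. All coefficients, profile centroids, the 0.5 threshold, the clamp to [0, 1], the profile label "ShareAll" and the rule for when to show a justification are constructed assumptions; the item types, recipients and other profile labels come from the earlier slides.

```python
# Added illustration: every number below is constructed, not taken from the studies.
ALPHA = 0.50  # baseline share probability (constructed)
BETA_ITEM = {"Facebook activity": 0.05, "Location": 0.10,
             "Contact info": -0.25, "Life/interests": 0.15}
BETA_USER = {"LowD": -0.30, "Act+IntD": 0.00, "Loc+IntD": 0.05,
             "Hi-ConD": 0.20, "ShareAll": 0.35}  # "ShareAll" is a hypothetical label
BETA_RECIPIENT = {"BlogHeroes": 0.00, "I♡WRK": 0.05, "Codacare": -0.05}

# Constructed sharing rates per profile and item type, used to detect class membership.
CENTROIDS = {
    "LowD":     {"Facebook activity": 0.1, "Location": 0.1, "Contact info": 0.0, "Life/interests": 0.2},
    "Act+IntD": {"Facebook activity": 0.9, "Location": 0.2, "Contact info": 0.1, "Life/interests": 0.9},
    "Loc+IntD": {"Facebook activity": 0.2, "Location": 0.9, "Contact info": 0.1, "Life/interests": 0.9},
    "Hi-ConD":  {"Facebook activity": 0.9, "Location": 0.9, "Contact info": 0.1, "Life/interests": 0.9},
    "ShareAll": {"Facebook activity": 0.9, "Location": 0.9, "Contact info": 0.9, "Life/interests": 0.9},
}

def detect_user_type(history):
    """history: list of (item_type, shared: bool). Returns the nearest profile."""
    seen = {}
    for item_type, shared in history:
        seen.setdefault(item_type, []).append(1.0 if shared else 0.0)
    rates = {t: sum(v) / len(v) for t, v in seen.items()}
    if not rates:
        return "LowD"  # no evidence yet: fall back to the most protective profile
    def dist(profile):
        return sum((rates[t] - CENTROIDS[profile][t]) ** 2 for t in rates)
    return min(CENTROIDS, key=dist)

def p_share(item_type, user_type, recipient):
    p = ALPHA + BETA_ITEM[item_type] + BETA_USER[user_type] + BETA_RECIPIENT[recipient]
    return min(1.0, max(0.0, p))  # keep the linear score inside [0, 1]

def adapt(history, item_type, recipient, threshold=0.5):
    """INPUT {user, item, recipient} -> OUTPUT {default, justification}."""
    user_type = detect_user_type(history)
    p = p_share(item_type, user_type, recipient)
    default = "checked" if p >= threshold else "unchecked"
    # Assumed rule: only low-disclosure users are shown a justification text.
    justification = "useful for you" if user_type == "LowD" else None
    return {"user_type": user_type, "p_share": round(p, 2),
            "default": default, "justification": justification}
```

With these constructed numbers, a user detected as Hi-ConD gets a checked default for location but an unchecked default for contact info, so the default follows the profile rather than a single global nudge.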

Page 60: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

The Adaptive Privacy Procedure

Practical use:
- Automatic initial defaults in line with “disclosure profile”
- Personalized disclosure justifications

Relieves some of the burden of the privacy decision:
The right privacy-related information
The right amount of control

“Realistic empowerment”

Page 61: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Summary of part 3

Smith, Goldstein & Johnson:
“the idea of an adaptive default preserves considerable consumer autonomy [...] and strikes a balance between providing more choice and providing the right choices.”

Page 62: Simplifying Privacy Decisions: Towards Interactive and Adaptive Solutions

Final summary

1. Transparency and control
Rational privacy decision-making is bounded, and transparency and control only increase choice difficulty

2. Privacy nudging and persuasion
Needs to move beyond the one-size-fits-all approach

3. Privacy Adaptation Procedure
The optimal balance between nudges and control