simplifying privacy decisions: towards interactive and adaptive solutions
DESCRIPTION
Keynote for the decsions@recsys workshop at the 2013 Recommender Systems conference.TRANSCRIPT
Simplifying Privacy DecisionsTowards Interactive and Adaptive Solutions
INFORMATION AND COMPUTER SCIENCES
About me...
PhD candidate at UC IrvineRecommender Systems:- Choice overload- Adaptive preference elicitation- User-centric evaluation- Social recommenders
Privacy:- Form auto-completion tools- App recommenders- Location-sharing social
networks
Samsung research intern, Google PhD Fellow
@usabart
INFORMATION AND COMPUTER SCIENCES
Outline
1. Transparency and controlPrivacy calculus, paradoxes, and bounded rationality
2. Privacy nudging and persuasionA solution inspired by decision sciences... with some flaws
3. Privacy Adaptation ProcedureAdaptive nudges based on a contextualized understanding of users’ privacy concerns
Transparency and controlPrivacy calculus, paradoxes, and bounded rationality
INFORMATION AND COMPUTER SCIENCES
The Privacy Paradox
For many participants this behavior stands in sharp contrast to their self-reported privacy attitude
- Spiekermann et al., 2001
Seventy percent of US consumers worry about online privacy, but few take protective action
- Jupiter research report, 2002
Recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior
- Acquisti & Grossklags, 2005
INFORMATION AND COMPUTER SCIENCES
The Privacy Paradox
INFORMATION AND COMPUTER SCIENCES
A model by Smith et al. 2011
Why aren’t these more strongly related?
INFORMATION AND COMPUTER SCIENCES
Horror stories
“My daughter [is] still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”
“I had a talk with my daughter. It turns out [...] she’s due in August. I owe you an apology.”
INFORMATION AND COMPUTER SCIENCES
A model by Smith et al. 2011
Why aren’t these more strongly related?
Control
Transparency
INFORMATION AND COMPUTER SCIENCES
Transparency and control
ControlTransparency
Informed consent “companies should provide clear descriptions of [...] why they need the data, how they will use it”
User empowerment“companies should o!er consumers clear and simple choices [...] about personal data collection, use, and disclosure”
INFORMATION AND COMPUTER SCIENCES
Are transparency and control really the key to better privacy decisions?
INFORMATION AND COMPUTER SCIENCES
Example: Website A/B testing
INFORMATION AND COMPUTER SCIENCES
The Transparency Paradox
Transparency is useful for concerned users, but bad for others
Makes them more fearful
Mentions of privacy (even favorable ones) often trigger privacy concerns
INFORMATION AND COMPUTER SCIENCES
44
Example: John et al. 43
Appendix C: Experiment 2A: Screenshots of survey interface manipulation. Frivolous:
Baseline:
Serious:
INFORMATION AND COMPUTER SCIENCES
Example: John et al. 43
Appendix C: Experiment 2A: Screenshots of survey interface manipulation. Frivolous:
Baseline:
Serious:
INFORMATION AND COMPUTER SCIENCES
44
Example: John et al.
INFORMATION AND COMPUTER SCIENCES
44
Example: John et al. 43
Appendix C: Experiment 2A: Screenshots of survey interface manipulation. Frivolous:
Baseline:
Serious:
INFORMATION AND COMPUTER SCIENCES
37
0.7
0.8
0.9
1
1.1
1.2
1.3
Serious Frivolous
AAR
rela
tive
to o
vera
ll av
erag
e AA
R w
ithin
que
stio
n ty
pe
Tame Intrusive
Figure 6. The average AAR within each inquiry condition, relative to the overall average AAR for the questions of the given intrusiveness level (Experiment 2B). The value of 1 on the y axis represents the overall average AAR.
Example: John et al.
INFORMATION AND COMPUTER SCIENCES
!
!
!
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Auto
! ! !
BlogHeroes I♡WRK Codacare
Remove
! ! !
BlogHeroes I♡WRK Codacare
Add
! ! !
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Contact info Interests Job skills Health record
Control example: Knijnenburg et al.
Normally, people are more likely to disclose information when the type of requested information matches the purpose of the website
Please tell us more about yourselfBlogHeroes will assign a "guild" to you based on the information you provide below. Note that noneof the fields are required, but our classification will be better if you provide more information.
General info about mePlease provide some background info to get our matching process started.
Name (first): John (last): Smith
E-mail address: [email protected]
Gender: Male
Age (years): 23
Address: 123 Main St.City: New York State: NY Zip: 12345
What I do for a livingSome guilds write about their jobs. Tell us more about yours, and we can provide a better match.
Employment status: Employed for wages
Experience (years): 5
Current/previous job: Researcher Sector: Education / training / library
Income level: between $50K and $100K/year
Education: Doctoral
My healthSome guilds write about their health. Providing us with some info will help us match them to you.
Physical health: About average
Dietary restrictions: allergic to nuts
Birth control usage: None
> For employers
> For investors
> Contact
> About us
Please enter your informationI WRK will find jobs based on the information you enter on this form.None of the items on the form are required, but if you provide moreinformation the jobs will be a better match.
GENERAL AND CONTACT INFO
General and contact information
FIRST NAME
JohnLAST NAME
Smith clear
AGE
23 clear
GENDER
Male clear
E-MAIL ADDRESS
[email protected] clear
ADDRESS
123 Main St.CITY
New YorkSTATE
NYZIP
12345 clear
WORK EXPERIENCE
Please tell us about your education and work experience, so that wecan find a suitable job for you.
HIGHEST DEGREE EARNED
Doctoral clear
CURRENT EMPLOYMENT STATUS
Employed for wages clear
CURRENT/PREVIOUS JOB
ResearcherSECTOR
Education, library, or training clear
EXPERIENCE (IN YEARS)5 clear
Enter your details, please
Your personal Codacare health insurance policy will be based on theinformation you provide. Please note that none of the items arerequired, but the insurance will be better tailored to your needs if youprovide more information.
General information
Please provide your general information.
Name (first): (last):fill
Address:
fillCity: State: Zip:
Gender:fill
Age:fill
E-‐mail:fill
Health
Please answer the following questions about your health. This is important to find thecorrect care package.
Birth control usage:fill
Weight (lbs):fill
INFORMATION AND COMPUTER SCIENCES
!
!
!
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Auto
! ! !
BlogHeroes I♡WRK Codacare
Remove
! ! !
BlogHeroes I♡WRK Codacare
Add
Control example: Knijnenburg et al.Auto-completion tools make it so easy to submit a fully completed form that users may skip weighing the benefits and risk of disclosing a certain piece of information in a specific situation
Please tell us more about yourselfBlogHeroes will assign a "guild" to you based on the information you provide below. Note that noneof the fields are required, but our classification will be better if you provide more information.
General info about mePlease provide some background info to get our matching process started.
Name (first): John (last): Smith
E-mail address: [email protected]
Gender: Male
Age (years): 23
Address: 123 Main St.City: New York State: NY Zip: 12345
What I do for a livingSome guilds write about their jobs. Tell us more about yours, and we can provide a better match.
Employment status: Employed for wages
Experience (years): 5
Current/previous job: Researcher Sector: Education / training / library
Income level: between $50K and $100K/year
Education: Doctoral
My healthSome guilds write about their health. Providing us with some info will help us match them to you.
Physical health: About average
Dietary restrictions: allergic to nuts
Birth control usage: None
bit.ly/icis2013
! ! !
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Contact info Interests Job skills Health record
INFORMATION AND COMPUTER SCIENCES
!
!
!
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Auto
! ! !
BlogHeroes I♡WRK Codacare
Remove
! ! !
BlogHeroes I♡WRK Codacare
Add
Control example: Knijnenburg et al.
Adding a simple “clear” button reduces overall disclosure and makes it more purpose-specific again
Why?Users have more control!
> For employers
> For investors
> Contact
> About us
Please enter your informationI WRK will find jobs based on the information you enter on this form.None of the items on the form are required, but if you provide moreinformation the jobs will be a better match.
GENERAL AND CONTACT INFO
General and contact information
FIRST NAME
JohnLAST NAME
Smith clear
AGE
23 clear
GENDER
Male clear
E-MAIL ADDRESS
[email protected] clear
ADDRESS
123 Main St.CITY
New YorkSTATE
NYZIP
12345 clear
WORK EXPERIENCE
Please tell us about your education and work experience, so that wecan find a suitable job for you.
HIGHEST DEGREE EARNED
Doctoral clear
CURRENT EMPLOYMENT STATUS
Employed for wages clear
CURRENT/PREVIOUS JOB
ResearcherSECTOR
Education, library, or training clear
EXPERIENCE (IN YEARS)5 clear
bit.ly/icis2013
INFORMATION AND COMPUTER SCIENCES
!
!
!
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Auto
! ! !
BlogHeroes I♡WRK Codacare
Remove
! ! !
BlogHeroes I♡WRK Codacare
Add
Control example: Knijnenburg et al.Using a “fill” button instead does not further reduce disclosure, and actually leads to a higher user satisfaction
Why?Even more control!
Enter your details, please
Your personal Codacare health insurance policy will be based on theinformation you provide. Please note that none of the items arerequired, but the insurance will be better tailored to your needs if youprovide more information.
General information
Please provide your general information.
Name (first): (last):fill
Address:
fillCity: State: Zip:
Gender:fill
Age:fill
E-‐mail:fill
Health
Please answer the following questions about your health. This is important to find thecorrect care package.
Birth control usage:fill
Weight (lbs):fill
bit.ly/icis2013
INFORMATION AND COMPUTER SCIENCES
Example: Facebook
“bewildering tangle of options” (New York Times, 2010)
“labyrinthian” controls” (U.S. Consumer Magazine, 2012)
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg et al.Introducing an “extreme” sharing option
Nothing - City - BlockAdd the option Exact
Expected:Some will choose Exact instead of Block
Unexpected:Sharing increases across the board!
B
N
privacy -->
bene
fits
-->
C
E
bit.ly/chi2013privacy
INFORMATION AND COMPUTER SCIENCES
The Control Paradox
Decisions are too numerous Most Facebook users don’t know implications of their own privacy settings!
Decisions are di!cultUncertain and delayed outcomes
Result: people just pick the middle option!
INFORMATION AND COMPUTER SCIENCES
Bounded rationality
Why do transparency and control not work?
People’s decisions are inconsistent and seemingly irrational- Framing e!ects
- Default e!ects
- Order e!ects
INFORMATION AND COMPUTER SCIENCES
Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and
information. Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and
information. Figure 4: Subjects were assigned one of the following conditions
in the registration page. 3.1. Data Analysis and Results The mean levels of participations in each experimental condition are
reported in Table 1 below.
Table 1: Mean participation levels as a function of frames and defaults
Choice-Frame Rejection-frame
Default-checked 0.526
(N=14)
0.000
(N=19)
Default-unchecked
0.250
(N=16)
0.368
(N=19)
An analysis of variance (ANOVA) revealed a significant main
effect of choice framing on the level of consumer participation
(F=3.662, p=0.060). There was also a significant interaction effect
between checked/unchecked-default and the question frame of
choice or rejection (F=9.148, p=0.004). These are consistent with
Hypotheses 1a and 1b.
Pair-wise comparisons were conducted among the four conditions
(1) choice-frame, checked-default (2) choice-frame, unchecked-
default (3) rejection-frame, checked-default and (4) rejection-frame,
unchecked-default. Within the choice-frame context, the disparity
between the two checked-default/unchecked-default conditions was
0.276 and marginally significant (t=-1.702, p<0.10). On average,
the checked-default treatment in the choice-frame context elicited
about 27.6% more participation relative to the unchecked-default
treatment. Within the rejection-frame context, the difference
between the two default stipulations was slightly larger at 0.368 and
statistically significant (t=3.240, p<0.01. The unchecked-default
treatment educed about 36.8% higher level of consumer
participation as compared with the checked-default treatment within
the rejection-frame context. These results are consistent with
Hypotheses 1a and 1b.
We further evaluate the conditions adhering to opt-in: (2) choice-
frame, unchecked-default and (3) rejection-frame, checked-default.
The difference was 0.250 and statistically significant (t=2.236,
p<0.05). Also, an evaluation of conditions (1) choice-frame,
checked-default and (4) rejection-frame, unchecked-default (both
adhering to opt-out) yielded a difference of 0.158 which was not
statistically significant (t=-0.965, p=0.341). Hence, Hypothesis 2a
was supported, but Hypothesis 2b was not.
Finally, we compared the aggregate of the two mechanisms under
opt-in and that of the two mechanisms under opt-out. The difference
between opt-in and opt-out was statistically significant (t=3.041,
p<0.01). On average, opt-out garnered about 31.4% more
participation relative to opt-in. Therefore, Hypothesis 3 was
supported.
4. THE MODERATING EFFECT OF PRIVACY CONCERN
In the age of escalating information exchange, privacy concern is an
inherent candidate to investigate the malleability of the framing and
default status effects on consumer participation, especially in the
online context where such elicitations are rampant.
The tendency for people to follow default suggestions may relate to
the subjective importance of, or the exposure to, the associated task.
Connolly et al. suggest that prior outcomes could influence the
actions performed by a person [3]. Specifically, they posit that
negative prior outcomes may induce a tendency of people to act and
convert an action into a “normal” state (cf. abnormal, as originally
posited by the norm theory). When the prior outcome is negative,
people may regret more if they do not take actions to prevent further
losses should the same negative outcome reappears.2 In contrast, if
they did act to prevent the potential losses, even if their actions were
not effective, the regret or affective feeling may be less significant.
In the online context, negative prior outcomes are often publicized
by press reports that highlight the misuse of customer data and the
escalation of spam. People who are generally more concerned about
privacy may tend to associate negative outcomes with participation
in online activities. It is more likely for privacy-concerned
consumers to study the offered options carefully, and they do not
necessarily regard the default option as the “norm”.
Similarly, Wilson et al. posit that the salience of anchoring may
depend on the prior knowledge of the decision maker [30]. If a
person is more certain about the implications of performing an
action, the anchoring effect that is induced by a default option may
be weaker [2]. Intuitively, if a person were apprehensive about the
outcomes of an action (e.g., to opt in or opt out of online activities),
then it is more likely for her to spend the time/cost to study the
options carefully. It is also less likely for her to be biased by default
suggestions. Hence, we hypothesize the following moderating
effect:
H4: The higher the privacy concern, the smaller the difference
between the level of participation in online activities induced by the
checked-default mechanism and the unchecked-default mechanism
(for both choice- and rejection- frames).
The intensity of privacy concern may additionally mitigate the
impact of attribute framing effects. Previous studies have revealed
that topics entailing issues of strongly held attitudes or personal
involvement are less vulnerable to the effects of attribute framing.
Marteau discovered no framing effects across a wide variety of
problems pertaining to decisions on abortion [21]. Also, Levin,
Schnittjer and Thee found no disparity between one’s indications of
the possibility of being a cheater himself/herself but detected a
difference in the conditions when the subjects were requested to rate
the general incidence of cheating [19]. In a similar vein, attribute
framing effects are consistently absent when subjects were
estimating their own performance by employing the diverse frames
of “percentage correct” vis-à-vis “percentage wrong”, but
significantly salient when approximating performance of others
[e.g. 27].
Since the issue in the research question pertains to the forays of
possible unwanted intrusions into one’s private space, it is
2 They might then ask themselves: “why didn’t I do something to
prevent this?”
256
Framing and defaults: Lai and Hui
0%
25%37%53%
D
ABC
INFORMATION AND COMPUTER SCIENCES
Default order: Acquisti et al.
Foot in the door(innocuous requests first)
Door in the face(risqué requests first)
INFORMATION AND COMPUTER SCIENCES
0
200
400
600
800
1000
1200
1400
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Question number (Increasing condition)
Cum
ulat
ive
adm
issi
on r
ates
in p
erce
ntag
es
DecreasingIncreasingBaseline
Default order: Acquisti et al.
INFORMATION AND COMPUTER SCIENCES
Bounded rationality
Why do transparency and control not work?
Transparency: Information overload
Control: Choice overload
INFORMATION AND COMPUTER SCIENCES
Bounded rationality
Why do transparency and control not work?
Transparency: Information overload
Control: Choice overload
INFORMATION AND COMPUTER SCIENCES
Summary of part 1
We need to move beyond control and transparency
Rational privacy decision-making is boundedTransparency and control increase choice di"culty
Privacy nudging and persuasionA solution inspired by decision sciences... with some flaws
INFORMATION AND COMPUTER SCIENCES
Starting point...
People’s decisions are inconsistent and seemingly irrational, therefore:- People do not always choose what is best for them
- There is significant leeway to influence people's decisions
- Being objectively neutral is impossible
INFORMATION AND COMPUTER SCIENCES
Privacy Calculus
A new model
Decision heuristics
Benefits
Behavioral reactions (including disclosures)
Risk/Costs
Nudge Nudge
Persuasion PersuasionJustification
Default value
Default order
Justification
INFORMATION AND COMPUTER SCIENCES
A new modelDefault
valueJustification
A succinct reason to disclose (or not disclose) a piece of information - Make it easier to
rationalize the decision
- Minimize the potential regret of choosing the wrong option
Relieve users from the burden of making decisions- Path of least resistance
- Implicit normative cue (what I should do)
- Endowment e!ect (what I have is worth more than what I don’t have)
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg & Kobsa
5 justification typesNoneUseful for youNumber of othersUseful for othersExplanation
bit.ly/tiis2013
INFORMATION AND COMPUTER SCIENCES
0%#
10%#
20%#
30%#
40%#
50%#
60%#
70%#
80%#
90%#
100%#Context#first# Demographics#first# Context#first# Demograpics#first#
Disclosure*behavior**
Demographics*disclosure * *Context*disclosure*
Default order: Knijnenburg & Kobsa
bit.ly/tiis2013
INFORMATION AND COMPUTER SCIENCES
*"
1"
**"*"
***"*"
*"
0%"
10%"
20%"
30%"
40%"
50%"
60%"
70%"
80%"
90%"
100%"Context"first" Demographics"first" Context"first" Demograpics"first"
Disclosure*behavior**
Demographics*disclosure * *Context*disclosure*
none" useful"for"you" #"of"others" useful"for"others" explanaDon"
Justifications: Knijnenburg & Kobsa
bit.ly/tiis2013
INFORMATION AND COMPUTER SCIENCES
**" **"***"
1"
$1,00"
$0,75"
$0,50"
$0,25"
0,00"
0,25"
0,50"
0,75"
1,00"
Sa#sfac#on)with))the)system)
Justifications: Knijnenburg & Kobsa
Anticipated satisfaction with the system (intention to use):
6 items, e.g. “I would recommend the system to others”
Lower for any justification!
*"
1"
**"*"
***"*"
*"
0%"
10%"
20%"
30%"
40%"
50%"
60%"
70%"
80%"
90%"
100%"Context"first" Demographics"first" Context"first" Demograpics"first"
Disclosure*behavior**
Demographics*disclosure * *Context*disclosure*
none" useful"for"you" #"of"others" useful"for"others" explanaDon"
bit.ly/tiis2013
INFORMATION AND COMPUTER SCIENCES
Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and
information. Please send me Vortrex Newsletters and information.
Please do not send me Vortrex Newsletters and
information. Figure 4: Subjects were assigned one of the following conditions
in the registration page. 3.1. Data Analysis and Results The mean levels of participations in each experimental condition are
reported in Table 1 below.
Table 1: Mean participation levels as a function of frames and defaults
Choice-Frame Rejection-frame
Default-checked 0.526
(N=14)
0.000
(N=19)
Default-unchecked
0.250
(N=16)
0.368
(N=19)
An analysis of variance (ANOVA) revealed a significant main
effect of choice framing on the level of consumer participation
(F=3.662, p=0.060). There was also a significant interaction effect
between checked/unchecked-default and the question frame of
choice or rejection (F=9.148, p=0.004). These are consistent with
Hypotheses 1a and 1b.
Pair-wise comparisons were conducted among the four conditions
(1) choice-frame, checked-default (2) choice-frame, unchecked-
default (3) rejection-frame, checked-default and (4) rejection-frame,
unchecked-default. Within the choice-frame context, the disparity
between the two checked-default/unchecked-default conditions was
0.276 and marginally significant (t=-1.702, p<0.10). On average,
the checked-default treatment in the choice-frame context elicited
about 27.6% more participation relative to the unchecked-default
treatment. Within the rejection-frame context, the difference
between the two default stipulations was slightly larger at 0.368 and
statistically significant (t=3.240, p<0.01. The unchecked-default
treatment educed about 36.8% higher level of consumer
participation as compared with the checked-default treatment within
the rejection-frame context. These results are consistent with
Hypotheses 1a and 1b.
We further evaluate the conditions adhering to opt-in: (2) choice-
frame, unchecked-default and (3) rejection-frame, checked-default.
The difference was 0.250 and statistically significant (t=2.236,
p<0.05). Also, an evaluation of conditions (1) choice-frame,
checked-default and (4) rejection-frame, unchecked-default (both
adhering to opt-out) yielded a difference of 0.158 which was not
statistically significant (t=-0.965, p=0.341). Hence, Hypothesis 2a
was supported, but Hypothesis 2b was not.
Finally, we compared the aggregate of the two mechanisms under
opt-in and that of the two mechanisms under opt-out. The difference
between opt-in and opt-out was statistically significant (t=3.041,
p<0.01). On average, opt-out garnered about 31.4% more
participation relative to opt-in. Therefore, Hypothesis 3 was
supported.
4. THE MODERATING EFFECT OF PRIVACY CONCERN
In the age of escalating information exchange, privacy concern is an
inherent candidate to investigate the malleability of the framing and
default status effects on consumer participation, especially in the
online context where such elicitations are rampant.
The tendency for people to follow default suggestions may relate to
the subjective importance of, or the exposure to, the associated task.
Connolly et al. suggest that prior outcomes could influence the
actions performed by a person [3]. Specifically, they posit that
negative prior outcomes may induce a tendency of people to act and
convert an action into a “normal” state (cf. abnormal, as originally
posited by the norm theory). When the prior outcome is negative,
people may regret more if they do not take actions to prevent further
losses should the same negative outcome reappears.2 In contrast, if
they did act to prevent the potential losses, even if their actions were
not effective, the regret or affective feeling may be less significant.
In the online context, negative prior outcomes are often publicized
by press reports that highlight the misuse of customer data and the
escalation of spam. People who are generally more concerned about
privacy may tend to associate negative outcomes with participation
in online activities. It is more likely for privacy-concerned
consumers to study the offered options carefully, and they do not
necessarily regard the default option as the “norm”.
Similarly, Wilson et al. posit that the salience of anchoring may
depend on the prior knowledge of the decision maker [30]. If a
person is more certain about the implications of performing an
action, the anchoring effect that is induced by a default option may
be weaker [2]. Intuitively, if a person were apprehensive about the
outcomes of an action (e.g., to opt in or opt out of online activities),
then it is more likely for her to spend the time/cost to study the
options carefully. It is also less likely for her to be biased by default
suggestions. Hence, we hypothesize the following moderating
effect:
H4: The higher the privacy concern, the smaller the difference
between the level of participation in online activities induced by the
checked-default mechanism and the unchecked-default mechanism
(for both choice- and rejection- frames).
The intensity of privacy concern may additionally mitigate the
impact of attribute framing effects. Previous studies have revealed
that topics entailing issues of strongly held attitudes or personal
involvement are less vulnerable to the effects of attribute framing.
Marteau discovered no framing effects across a wide variety of
problems pertaining to decisions on abortion [21]. Also, Levin,
Schnittjer and Thee found no disparity between one’s indications of
the possibility of being a cheater himself/herself but detected a
difference in the conditions when the subjects were requested to rate
the general incidence of cheating [19]. In a similar vein, attribute
framing effects are consistently absent when subjects were
estimating their own performance by employing the diverse frames
of “percentage correct” vis-à-vis “percentage wrong”, but
significantly salient when approximating performance of others
[e.g. 27].
Since the issue in the research question pertains to the forays of
possible unwanted intrusions into one’s private space, it is
2 They might then ask themselves: “why didn’t I do something to
prevent this?”
256
Framing and Defaults: Lai and Hui
0%
25%37%53%
D
ABC
INFORMATION AND COMPUTER SCIENCES
Problems with Privacy Nudging
What should be the purpose of the nudge?
“More data collection = better, e.g. for personalization”Techniques to increase disclosure cause reactance in the more privacy-minded users
“Privacy is an absolute right“More di"cult for less privacy-minded users to enjoy the benefits that disclosure would provide
INFORMATION AND COMPUTER SCIENCES
Problems with Privacy NudgingSmith, Goldstein & Johnson:
“What is best for consumers depends upon characteristics of the consumer: An outcome that maximizes consumer welfare may be suboptimal for some consumers in a context where there is heterogeneity in preferences.”
INFORMATION AND COMPUTER SCIENCES
Summary of part 2
Nudges workDefaults and justifications can influence users’ decisions
But we cannot nudge everyone the same way!
Users di!er in their disclosure preferencesNudges should respect these di!erences
Privacy Adaptation ProcedureAdaptive nudges based on a contextualized
understanding of users’ privacy concerns
INFORMATION AND COMPUTER SCIENCES
What kind of system helps users find what they want in the presence of heterogeneous
preferences?
A recommender system!
(more specifically, a Privacy Adaptation Procedure)
INFORMATION AND COMPUTER SCIENCES
Towards Privacy Adaptation
“Figure out what people want, then help them do that.”
Explicate the privacy calculus/heuristicsWhat best captures people’s privacy preferences? What are the underlying reasons to disclose or not?
Contextualize the privacy calculus/heuristicsWho discloses and who doesn’t? What do they disclose and what do they withhold? Under what circumstances do they disclose?
INFORMATION AND COMPUTER SCIENCES
Contextualize
Privacy decision
different users
diffe
rent
con
text
Contextualizing privacy
The optimal justification and default may depend on:- type of info (what)
- user characteristics (who)
- recipient (to whom)
- etc...
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg et al.
Type of data ID Items
Facebook activity
1 Wall
Facebook activity2 Status updates
Facebook activity 3 Shared linksFacebook activity4 Notes
Facebook activity
5 Photos
Location6 Hometown
Location 7 Location (city)Location8 Location (state/province)
Contact info9 Residence (street address)
Contact info 11 Phone numberContact info12 Email address
Life/interests13 Religious views
Life/interests 14 Interests (favorite movies, etc.)Life/interests15 Facebook groups
bit.ly/privdim
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg et al.
Type of data ID Items
Facebook activity
1 Wall
Facebook activity2 Status updates
Facebook activity 3 Shared linksFacebook activity4 Notes
Facebook activity
5 Photos
Location6 Hometown
Location 7 Location (city)Location8 Location (state/province)
Contact info9 Residence (street address)
Contact info 11 Phone numberContact info12 Email address
Life/interests13 Religious views
Life/interests 14 Interests (favorite movies, etc.)Life/interests15 Facebook groups
“What?”=
Four dimensions
bit.ly/privdim
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg et al.
159 pps tend to share little information overall (LowD)26 pps tend to share activities and interests (Act+IntD)50 pps tend to share location and interests (Loc+IntD)65 pps tend to share everything but contact info (Hi-ConD)59 pps tend to share everything
“Who?”=
Fivedisclosure
profiles
bit.ly/privdim
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg et al.
Detect class
member-ship
bit.ly/privdim
INFORMATION AND COMPUTER SCIENCES
! ! !
75%
80%
85%
90%
95%
100%
BlogHeroes I♡WRK Codacare
Contact info Interests Job skills Health record
Example: Knijnenburg et al.
Please tell us more about yourselfBlogHeroes will assign a "guild" to you based on the information you provide below. Note that noneof the fields are required, but our classification will be better if you provide more information.
General info about mePlease provide some background info to get our matching process started.
Name (first): John (last): Smith
E-mail address: [email protected]
Gender: Male
Age (years): 23
Address: 123 Main St.City: New York State: NY Zip: 12345
What I do for a livingSome guilds write about their jobs. Tell us more about yours, and we can provide a better match.
Employment status: Employed for wages
Experience (years): 5
Current/previous job: Researcher Sector: Education / training / library
Income level: between $50K and $100K/year
Education: Doctoral
My healthSome guilds write about their health. Providing us with some info will help us match them to you.
Physical health: About average
Dietary restrictions: allergic to nuts
Birth control usage: None
> For employers
> For investors
> Contact
> About us
Please enter your informationI WRK will find jobs based on the information you enter on this form.None of the items on the form are required, but if you provide moreinformation the jobs will be a better match.
GENERAL AND CONTACT INFO
General and contact information
FIRST NAME
JohnLAST NAME
Smith clear
AGE
23 clear
GENDER
Male clear
E-MAIL ADDRESS
[email protected] clear
ADDRESS
123 Main St.CITY
New YorkSTATE
NYZIP
12345 clear
WORK EXPERIENCE
Please tell us about your education and work experience, so that wecan find a suitable job for you.
HIGHEST DEGREE EARNED
Doctoral clear
CURRENT EMPLOYMENT STATUS
Employed for wages clear
CURRENT/PREVIOUS JOB
ResearcherSECTOR
Education, library, or training clear
EXPERIENCE (IN YEARS)5 clear
Enter your details, please
Your personal Codacare health insurance policy will be based on theinformation you provide. Please note that none of the items arerequired, but the insurance will be better tailored to your needs if youprovide more information.
General information
Please provide your general information.
Name (first): (last):fill
Address:
fillCity: State: Zip:
Gender:fill
Age:fill
E-‐mail:fill
Health
Please answer the following questions about your health. This is important to find thecorrect care package.
Birth control usage:fill
Weight (lbs):fill
“To whom?” matters
too!
INFORMATION AND COMPUTER SCIENCES
Example: Knijnenburg & Kobsa
I do whatever others do
I care about the benefits
INFORMATION AND COMPUTER SCIENCES
Subjective Valuations We analyze the effect of the strategies on subjective valuations by submitting the questionnaire items to a Confirmatory Factor Analysis and regressing resulting satisfaction-factors on the strategies and user characteris-tics. The dependent variables in these analyses are: perceived disclosure help, perceived privacy threat, trust in company privacy practices, and overall satisfaction. The independent variables are the strategies (5 justification types × 2 orders), and the interactions of the strategies with gender and disclosure tendency. In effect, each dependent variable is regressed on justification type × order × gender × disclosure tendency.
Figure 4 displays the estimated effects of justification type and request order on the subjective valuations for each gender and disclosure tendency. Disregarding justification type, the request order has a significant effect on perceived disclosure help for males with a low disclosure tendency (β = -0.533, p = .023), where requesting context data first generally leads to a higher level of perceived disclosure help. The request order also has a significant effect on perceived privacy threat (β = 0.425, p = .024) and trust in the company (β = -0.340, p = .043) for females with a high disclosure tendency, where requesting context data first leads to less threat and more trust.
Figure 4 compares for each group the best strategy (marked with an arrow) against all other strategies. Strategies that perform significantly worse than the best strategy are labeled with a p-value.
HEURISTICS FOR SELECTING THE BEST STRATEGY The results show that the best strategy depends on users’ disclosure tendency and gender. It also depends on the goal of the system: some strategies increase disclosure of one type of data but not the other, and some increase disclosure but at the same time reduce users’ satisfaction. We therefore suggest that the strategy should be adapted to the optimization goal of the system and the characteristics of the user. Table 4 outlines heuristics for selecting the best strategy for each type of user, given a certain system goal. Below we reflect on these suggested heuristics.
Best Strategy to Achieve High Demographics Disclo-sure To get high demographics disclosure, one should ask for demographics first. Users with high disclosure tendency do not require a justification. Users with low disclosure tendency require a justification; the best justification is ‘number of others’ for females, and ‘explanation’ for males.
Best Strategy to Achieve High Context Data Disclosure To get high context data disclosure, one should ask for context data first. No justification is required, but males with high disclosure tendency disclose more with the ‘number of others’ or ‘useful for others’ justification.
Best Strategy to Achieve High Total Disclosure Since it is best to ask demographics first to increase demographics disclosure, and context first to increase context disclosure, increasing total disclosure asks for a compromise. The best way to attain this compromise is to first choose a preferred request order, and then to select a
User type Context first Demographics first
Males with low disclosure tendency
The ‘useful for you’ justification gives the highest demographics disclosure.
Providing no justification gives the highest context disclosure.
Females with low disclosure tendency
Providing no justification gives the highest demographics disclosure.
The ‘explanation’ justification keeps context disclosure on par.
Males with high disclosure tendency
The ‘useful for others’ justification keeps demographics disclosure almost on par.
The ‘useful for you’ justification keeps context disclosure on par.
Females with high disclosure tendency
Providing no justification gives a high demographics disclosure.
The ‘useful for you’ justification gives the highest context disclosure.
Table 2: Best strategies to achieve high overall disclosures.
User type Best strategy
Males with low disclosure tendency Demographics first with ‘useful for you’.
Males with high disclosure tendency The ‘useful for you’ justification in any order.
Females with low disclosure tendency Context first with ‘useful for you’.
Females with high disclosure tendency Context first with no justification, but ‘useful for you’ is second best.
Table 3: Best strategies to achieve high user satisfaction.
Example: Knijnenburg & Kobsa
bit.ly/iui2013
INFORMATION AND COMPUTER SCIENCES
The Adaptive Privacy Procedure
pshare = α + βitemtype + βusertype + βrecipienttype
• Determine the item-. user-, and recipient-type• Select the default and justification that fits best
for this contextINPUT
{user, item, recipient} {defaults, justification}OUTPUT
INFORMATION AND COMPUTER SCIENCES
The Adaptive Privacy Procedure
Practical use:- Automatic initial defaults in line with “disclosure profile”
- Personalized disclosure justifications
Relieves some of the burden of the privacy decision:The right privacy-related information The right amount of control
“Realistic empowerment”
INFORMATION AND COMPUTER SCIENCES
Summary of part 3
Smith, Goldstein & Johnson:“the idea of an adaptive default preserves considerable consumer autonomy [...] and strikes a balance between providing more choice and providing the right choices.”
INFORMATION AND COMPUTER SCIENCES
Final summary
1. Transparency and controlRational privacy decision-making is bounded, and transparency and control only increase choice di"culty
2. Privacy nudging and persuasionNeeds to move beyond the one-size-fits-all approach
3. Privacy Adaptation ProcedureThe optimal balance between nudges and control