While most people will say they are extremely concerned with their online privacy, previous experiments have shown that, in practice, users readily divulge privacy information online.
In a study published in the Proceedings of Computer-Human Interaction (CHI 2020), a team of Penn State researchers identified a dozen subtle — but powerful — reasons that may shed light on why people talk a good game about privacy, but fail to follow up in real life.
“Most people will tell you they’re pretty worried about their online privacy and that they take precautions, such as changing their passwords,” said S. Shyam Sundar, James P. Jimirro Professor of Media Effects in the Donald P. Bellisario College of Communications and co-director of the Media Effects Research Laboratory.
“But, in reality, if you really look at what people do online and on social media, they tend to reveal all too much. What we think is going on is that people make disclosures in the heat of the moment by falling for contextual cues that appear on an interface.”
Sundar, who is also an affiliate of Penn State’s Institute for Computational and Data Sciences (ICDS), said that certain cues analyzed by the researchers significantly increased the chance that people would turn over private information such as social security numbers or phone numbers. The cues exploit common pre-existing beliefs about authority, bandwagon, reciprocity, sense-of-community, community-building, self-preservation, control, instant gratification, transparency, machine, publicness and mobility.
“What we did in this study is identify 12 different kinds of appeals that influence people to reveal information online,” said Sundar. “These appeals are based on rules of thumb that we all hold in our head, called heuristics.”
For example, the rule of thumb that ‘if most others reveal their information, then it is safe for me to disclose as well’ is labeled ‘bandwagon heuristic’ by the study.
“There are certainly more than 12 heuristics, but these are the dominant ones that play an important role in privacy disclosure,” added Sundar, who worked with Mary Beth Rosson, Professor-in-Charge of Human Computer Interaction and director of graduate programs in the College of Information Sciences and Technology.
The researchers explain that heuristics are mental shortcuts that could be triggered by cues on a website or mobile app.
“These cues may not always be obvious,” according to Rosson. “The bandwagon cue, for example, can be as simple as a statement that is added to a website or app to prompt information disclosure,” she added.
“For example, when you go on LinkedIn and you see a statement that says your profile is incomplete and that 70 percent of your connections have completed their profiles, that’s a cue that triggers your need to follow others — which is what we call a bandwagon effect,” said Sundar. “We found that those with a stronger pre-existing belief in ‘bandwagon heuristic’ were more likely to reveal personal information in such a scenario.”
For the authority cue, Rosson said that a graphic that signals the site is being overseen by a trusted authority may make people comfortable with turning private information over to the company.
“The presence of a logo of a trusted agency such as FDIC or even a simple icon showing a lock can make users of online banking feel safe and secure, and it makes them feel that somewhere somebody is looking after their security,” said Rosson.
The researchers said that ingrained trust in authority, or what they call ‘authority heuristic,’ is the reason for disclosure of personal information in such scenarios.
“When interviewed, our study participants attributed their privacy disclosure to the cues more often than other reasons,” said Sundar.
An awareness of major cues that prey on common rules of thumb may make people more savvy web users and could help them avoid placing their private information into the wrong hands.
“The number one reason for doing this study is to increase media literacy among online users,” said Sundar.
He added that the findings could also be used to create alerts that warn users when they encounter these cues.
“People want to do the right thing and they want to protect their privacy, but in the heat of the moment online, they are swayed by these contextual cues,” said Rosson. “One way to avoid this is to introduce ‘just-in-time’ alerts. Just as users are about to reveal information, an alert could pop up on the site and ask them if they are sure they want to do that. That might give them a bit of a pause to think about that transaction,” she added.
For the study, the researchers recruited 786 people to participate in an online survey. The participants were then asked to review 12 scenarios that they might encounter online and asked to assess their willingness to disclose personal information based on each scenario.
To ensure that the sample was representative nationally, the participants were chosen so that their demographics were consistent with statistics provided by the U.S. Census Bureau.