“I wonder how, I wonder why”: Supporting users in protecting their digital privacy by increasing risk awareness and knowledge as well as addressing protection obstacles

Abstract

This thesis aims to shed light on the so-called “privacy paradox”, which refers to the dichotomy between people’s attitude and behavior in the privacy context: Although people often express concerns about their privacy, they rarely take measures to protect their private data and frequently provide private information voluntarily, e.g., by using data-collecting technologies and services. Privacy researchers have investigated this phenomenon for several years, but no exhaustive explanation has been found so far. This thesis addresses this issue by (1) adding to the understanding of users’ privacy attitude and behavior, and (2) investigating how users can be supported in their efforts to behave more privacy-friendly. To this aim, this thesis makes three main contributions: First, I integrate prior research on the privacy paradox by identifying and combining theoretical explanation attempts and empirical findings based on a literature review. This holistic approach leads to new insights on the privacy paradox, and thus allow to gauge the validity of the various explanations that have been proposed for the privacy paradox. The literature review provides strong evidence for the privacy calculus model and the influence of social factors on privacy behavior. The results can further serve as a framework for researchers, who can build on the results to guide the direction of their research, e.g., by allowing them to investigate factors that have been found repeatedly to strongly influence the different facets of user privacy, exclude factors that have been found to be negligible, or choose an appropriate study design based on the sizes of the considered effects. Second, I explore possibilities to assist users in their privacy protection attempts. Based on the literature review described above, I identify three factors that are important for users’ decision to protect their privacy or share their private data, respectively: (1) awareness of privacy issues, (2) knowledge of and ability to use protection solutions, and (3) obstacles for privacy protection, such as benefits associated with data disclosure. I investigate these factors more thoroughly in a combination of qualitative and quantitative studies. Regarding (1), I find that most participants lack awareness of possible privacy risks. I conduct a literature review to identify appropriate risks that can be used for risk communication, e.g., in public risk awareness raising campaigns, exemplarily for the case of smart environments. The results can serve as a basis for activists and researchers who are conducting interventions aiming to raise privacy risk awareness. Regarding (2), I identify a lack of understanding in terms of privacy protection and the application of protection solutions. While I find that it seems to be a reasonable approach to design a dedicated solution for providing privacy knowledge instead of including information material in existing solutions, e.g., the app store, also additional motivational elements should be included in this solution to maximize users’ motivation and eventually extend their privacy protection measures to various domains. I outline the development of such motivational elements based on a well-founded theoretical model and empirical findings. These results can inform the design of future privacy protection solutions. To address (3), the study results imply that protection solutions and privacy-friendly alternatives should be easy to use and understand, and should also be used by other people. Further, people use digital technologies and services to accomplish a multiplicity of goals, and strive to feel related, competent, autonomous, and stimulated. The extensive list of these goals presented in this thesis, including an assessment of importance for a broad range of technologies and services, can support product designers or designers of privacy interventions in deciding on product features. As usage motivation is found to be related to the deployment of privacy protection strategies, the results can also guide privacy researchers, e.g., when studying the privacy calculus model by serving as input for the privacy costs. Third, I outline the development of a privacy protection solution. For this purpose, I describe the development and evaluation of a prototypical app that combines information on privacy topics, an analysis of the installed apps to increase privacy awareness, and gamification elements. I discuss how the findings described above can be considered in the design of this privacy protection solution. This solution can serve as a base for the development of further interventions, as it is designed as a proof of concept and allows to easily integrate additional information content. Motivating users to gain information on the topic of digital privacy over a period of two weeks, the app can be utilized, e.g., in school classes as part of the curriculum to sensitize children and adolescents to privacy issues. I hope that this thesis adds to the understanding of the ongoing discussion about the privacy paradox and informs future research by identifying which factors are important and which are negligible, respectively, for people’s privacy attitude, intention, or behavior. I further aim to provide actual support for users who aim to better protect their privacy, by investigating factors that can contribute to protection solutions and thus inspiring the design of such solutions, as well as by proposing an own protection solution.