Counteracting the negative effect of form auto-completion on the privacy calculus

670 views
524 views

Published on

Talk given in the "Privacy Calculus" session of the ICIS2013 conference

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
670
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Counteracting the negative effect of form auto-completion on the privacy calculus

  1. 1. Counteracting the negative effect of form auto-completion on the privacy calculus Bart Knijnenburg, Alfred Kobsa, Hongxia Jin
  2. 2. Form auto-completion: the bright side Modern browsers offer an auto-completion feature that reduces the effort of filling out web forms Bart 2
  3. 3. Form auto-completion: the bright side Modern browsers offer an auto-completion feature that reduces the effort of filling out web forms ! Imagine such tools could 
 fill out any form, on any website 3
  4. 4. Form auto-completion: the bright side Modern browsers offer an auto-completion feature that reduces the effort of filling out web forms ! Imagine such tools could 
 fill out any form, on any website ! This would be particularly useful for mobile browsers 4
  5. 5. Form auto-completion: the dark side Preibusch et al. (2012) warn that such auto-completion tools may cause users to complete more form fields than they intended
  6. 6. Form auto-completion: the dark side Preibusch et al. (2012) warn that such auto-completion tools may cause users to complete more form fields than they intended ! Auto-completion tools make it so easy to submit a fully completed form that users may skip weighing the benefits and risk of disclosing a certain piece of information in a specific situation (privacy calculus!)
  7. 7. Form auto-completion: the dark side Preibusch et al. (2012) warn that such auto-completion tools may cause users to complete more form fields than they intended ! Auto-completion tools make it so easy to submit a fully completed form that users may skip weighing the benefits and risk of disclosing a certain piece of information in a specific situation (privacy calculus!) ! Can we overcome these problems with a better 
 auto-completion tool?
  8. 8. Research outline Please tell us more about yourself BlogHeroes  will  assign  a  "guild"  to  you  based  on  the  information  you  provide  below.  Note  that  none of  the  fields  are  required,  but  our  classification  will  be  better  if  you  provide  more  information. General  info  about  me We introduce two new tools that we hypothesize will reinstate the privacy calculus Please  provide  some  background  info  to  get  our  matching  process  started. Name  (first): > For employers E-­mail  address: > For inves tors Gender: > Contac t Age  (years): ! Address: > About us City: (last): John Smith Please  enter  your  information john@smith.com I WRK will find jobs based on the information you enter on this form. Male None of the items on the form are required, but if you provide more 23 information the jobs will be a better match. 123 Main St. State: New York G ENERA L NY Zip: 12345 A ND C ONTA C T I NFO Specifically, we compare three What  I  do  for  a  living auto-completion tools: General and contact information Some  guilds  write  about  their  jobs.  Tell  us  more  about  yours,  and  we  can  provide  a  better  match. FIRST NAME Employment  status: – Auto FormFiller (automatically fills fields, users can remove manually)   – Remove FormFiller (same but users can click to remove eachMy  health field)   – Add FormFiller (no automatic filling, users can click a button to fill each field) Experience  (years): Employed for wages John LAST NAME clear Smith Enter your details, please 5 AGE Your personal Codacare health insurance policy will be based on the 23 Current/previous  job: information you provide. Please note that Education the items are Researcher Sector: none of / training / library required, but the insurance will be better tailored to your needs if you Income  level: between $50K and $100K/year GENDER provide more information. Education: clear Male Doctoral General information E-MAIL ADDRESS Please provide your general information. john@smith.com Name (first): clear (last): Some  guilds  write  about  their  health.  Providing  us  with  some  info  will  help  us  match  them  to  you. ADDRESS CITY STATE ZIP Physical  health: Dietary  restrictions: Birth  control  usage: clear 123 Main St. About average Address: allergic to nuts City: ORK EXPERI ENC E None W Gender: Please New York State: NY 12345 Zip: tell us about your education and work experience, so that we can find a suitable job for you. Age: HIGHEST DEGREE EARNED Doctoral E-‐mail: fill clear fill fill fill 8 clear
  9. 9. Research outline People base th eir information disclosure dec the perceived ision on risk and relev ance of the inf ormation e) thus disclosur (and st nd relevance rceived risk a y of the reque Pe cit rpose-specifi e pu depend on th The effect of ris k and relevance is moderated b type: disclosure y tool is more “calcula ted” when the a remove tools ar dd and e used
  10. 10. Research model Tool type Website Risk Disclosure Item type Relevance
  11. 11. Research model Tool type Website Risk Disclosure Item type Relevance perceived risk and relevance
  12. 12. Research model Tool type cificity purpose-spe Website Risk Disclosure Item type Relevance
  13. 13. Research model Tool type Website Risk Disclosure Item type Relevance moderation by tool type
  14. 14. ure? ation disclos auses inform What c 14
  15. 15. What causes information disclosure? Typical answer: privacy calculus (Laufer and Wolfe 1977) 15
  16. 16. What causes information disclosure? Typical answer: privacy calculus (Laufer and Wolfe 1977) ! Privacy calculus is like utility maximization (Li 2012): people trade off the different aspects and then choose the option that maximizes their utility (Bettman et al. 1998; Simon 1959) 16
  17. 17. What causes information disclosure? Typical answer: privacy calculus (Laufer and Wolfe 1977) ! Privacy calculus is like utility maximization (Li 2012): people trade off the different aspects and then choose the option that maximizes their utility (Bettman et al. 1998; Simon 1959) ! So what are these aspects that people trade off? 17
  18. 18. What causes information disclosure? Risk ! Operationalization: Providing my [item] to [site] is: (-3 = very risky; +3 = very safe) Risk Disclosure ! ! Relevance Relevance ! Operationalization: The fact that [site] asked for my [item] was: (-3 = very inappropriate; +3 very appropriate) 18
  19. 19. ure? ation disclos auses inform What c perceived risk and relevance 19
  20. 20. ure? ation disclos auses inform What c perceived risk and relevance e? and relevanc es risk ut what caus B
  21. 21. But what causes risk and relevance? On web forms, users selectively disclose different types of information in different extent to different types of websites (Hsu 2006)
  22. 22. But what causes risk and relevance? On web forms, users selectively disclose different types of information in different extent to different types of websites (Hsu 2006) ! Social media users also share selectively with others, depending on the purpose of the information (Olson et al. 2005)
  23. 23. But what causes risk and relevance? On web forms, users selectively disclose different types of information in different extent to different types of websites (Hsu 2006) ! Social media users also share selectively with others, depending on the purpose of the information (Olson et al. 2005) ! Does purpose-specificity play a role in commercial privacy as well?
  24. 24. But what causes risk and relevance? In our experiment, participants: – entered a wide range of info into an auto-completion tool – tested the tool on one of three websites Create  a  Profile Please  create  your  profile  by  entering  your  information  below. Note  that  FormFiller  will  store  the  information  locally  on  your  device,  and  only  for  the  duration  of this  study.  We  will  never  submit  any  forms  automatically  or  disclose  this  information  to  others without  your  active  involvement. Please tell us more about yourself BlogHeroes  will  assign  a  "guild"  to  you  based  on  the  information  you  provide  below.  Note  that  none of  the  fields  are  required,  but  our  classification  will  be  better  if  you  provide  more  information. General  info  about  me Please  provide  some  background  info  to  get  our  matching  process  started. Name  (first): John E-­mail  address: About  you: john@smith.com Gender: (last): Age  (years): First  name: State: NY 123 Main St. City: Gender: 23 Address: Last  name: Smith Male New York Zip: 12345 What  I  do  for  a  living Some  guilds  write  about  their  jobs.  Tell  us  more  about  yours,  and  we  can  provide  a  better  match. Age: > For employers Employment  status: Experience  (years): > For inves tors Current/previous  job: Address: City: E-­‐‑mail: Phone: > Contac t Income  level: State: Zip: Education: > About us My  health Employed for wages 5 Please  enter  your  information I WRK will find jobs based on the information you enter on this form. Sector: Education / training library None of the items on the form are required,/ but if you provide more Researcher between $50K andthe jobs will information $100K/year be a better match. Doctoral G ENERA L A ND C ONTA C T I NFO General and contact information Some  guilds  write  about  their  health.  Providing  us  with  some  info  will  help  us  match  them  to  you. Physical  health: Dietary  restrictions: FIRST NAME About average LAST NAME John Smith Enter your details, please Birth  control  usage: clear allergic to nuts AGE None 23 Your personal Codacare health insurance policy will be based on the GENDER information you provide. Please note that none of the items are Male required, but the insurance will be better tailored to your needs if you E-MAIL ADDRESS provide more information. john@smith.com clear clear clear
  25. 25. But what causes risk and relevance? In our experiment, participants: – entered a wide range of info into an auto-completion tool   – tested the tool on one of three websites Enter your details, please Your personal Codacare health insurance policy will be based on the
  26. 26. But what causes risk and relevance? In our experiment, participants: – entered a wide range of info into an auto-completion tool   – tested the tool on one of three websites   Websites correspond to a particular type of info: – blogging community ⋍ personal interest items   – job search website ⋍ job skills items   – health insurer ⋍ health record items Enter your details, please Your personal Codacare health insurance policy will be based on the
  27. 27. But what causes risk and relevance? Website Item type Risk Relevance Purpose-specificity will look like an interaction effect between Website and Item type ! ! When the type of information requested matches the purpose of the website: – perceived risk will be lower   – perceived relevance will be higher – people will be more likely to disclose the item
  28. 28. But what causes risk and relevance? Website Item type Risk Relevance Purpose-specificity will look like an interaction effect between Website and Item type ! ! Disclosure When the type of information requested matches the purpose of the website: – perceived risk will be lower   – perceived relevance will be higher – people will be more likely to disclose the item
  29. 29. But what causes risk and relevance? Model tested with 543 Mechanical Turk participants Website Risk see next slide Item type odds: 0.818*** Disclosure Relevance odds: 1.079*** 2 χ (12) = 11.929, p = .451; CFI = 1.00, TLI = 1.00; RMSEA < .001, 90% CI: [.000, .011] 29
  30. 30. But what causes risk and relevance? Counteracting the negative privacy effect of form auto-completi Counteracting the negative privacy effect of form auto-completi Counteracting negative privacy effect of form auto-complet Contact info Contact info Contact info 33 3 Interests Interests Interests Perceived risk Perceived risk Perceived risk 100% 100% 100% 95% 95% 95% 90% 90% 90% Perceived relevance 85% 85% 85% 80% 80% 80% 22 2 Job skills Health record record Health record Job skills 3 3 Perceived relevance Perceived relevance 2 2 11 1 1 1 0 00 # # # # # 0 0 -1 -1-1 # # -1 -1 -2 -2 -2 -3 -3 -3 " " " BlogHeroes BlogHeroes BlogHeroes " " " I♡WRK I♡WRK I♡WRK " " Codacare Codacare Codacare -2 -2 -3 -3 -3 BlogHeroes BlogHeroes BlogHeroes I♡WRK I♡WRK I♡WRK Codacare Codacare Codacare Figure 3. Perceived Risk and Perceived Relevance per Website and Item type. The Figure 3. Perceived Risk and Perceived Relevance Figure 3. Perceived Risk and Perceived Relevance per Website and Item type. The and Item type. When pointtype of item matches the purpose of±the website, The the to the matching item types. Error bars are ± 1 Standard Error. arrows point to the matching item types. Error bars are 1 Standard Error. arrows arrows point to the matching item types. Error bars are ± 1 Standard Error. people perceive lower risk and higher relevance 2 egarding perceived Risk, we find that the interaction between Website and Item type is significant (χ2 2 egarding perceived Risk, we find that the interaction between Website and Item type is significant (χ ( garding perceived Risk, we find that the interaction between Website and Item type is significant (χ ( 246.41, p < .0001). Moreover, for each website, the non-matching item types are perceived 246.41, .0001). Moreover, for each website, the non-matching item types are perceived 246.41, pp << .0001). Moreover, for each website, the non-matching item types are perceived gnificantly more risky than the matching item type. Also, for each item type, the non-matching websit gnificantly more risky than the matching item type. Also, for each item type, the non-matching websi nificantly more risky than the matching item type. Also, for each item type, the non-matching websit
  31. 31. But what causes risk and relevance? Counteracting the negative privacy effect of form auto-completion Contact info 3 Interests 3 Perceived risk 100% 95% 90% 85% 80% 2 2 1 1 0 Website -3 " BlogHeroes " I♡WRK Health record # Perceived relevance # # 0 Risk -1 -2 Job skills -1 " -2 -3 Codacare Counteracting the negative privacy effect of form auto-completion Contact info 100% BlogHeroes Interests I♡WRK ! Job skills Health record Codacare ! 95% ! Figure 3. Perceived Risk and Perceived Relevance per 90% Website and Item type. The arrows point to the matching item types. Error bars are ± 1 Standard Error. 85% Contact info 3 Perceived risk 100% 95% 90% 85% 80% 2 1 Item type 0 -3 " BlogHeroes Interests Job perceived Risk, we find that the interaction between Website and Item type is significant (χ2(6) Health record 80% Regarding skills = 246.41, p < Perceived relevanceeach website, the non-matching item types are perceived as .0001). Moreover, for 3 # 75% significantly more risky than the matching item type. Also, for each item type, the non-matching websites # BlogHeroes I♡WRK Codacare 2 # are perceived as significantly more risky than the matching website13. H3 is thus supported. 1 Likewise, the interaction between Website and Item type is also significant for Perceived Relevance (χ2(6) 0 = 913.47, p < .0001). For each website, the non-matching item types are perceived as significantly less relevant than the matching item type, and for each item type, the non-matching websites are perceived as -1 significantly less relevant than the matching website. H4 is thus supported as well. -1 -2 " I♡WRK " -2 H5+H6. Tool type ! Disclosure -3 Codacare BlogHeroes I♡WRK Codacare The last row in Table 2 presents the effect of Tool type on Disclosure. Controlling for Perceived Risk, Perceived Relevance, and Item type, the odds of Disclosure are 6.3% higher for users of the Add tool than Figure 3. Perceived Risk and Perceived Relevance per Website and Item this effect not significant (p = .631). Surprisingly then, H5 is for users of the Remove tool, although type. The arrows point to the matching itemrejected:Erroris no significantStandard in Disclosure between the Add and Remove tools. types. there bars are ± 1 difference Error. The planned contrast between the traditional Auto tool and the alternative tools is significant (χ2(1) = Regarding perceived Risk, we find that the interaction between Website and Item type is significant (χ2(6) 4.037, p = .045). Controlling for Perceived Risk, Perceived Relevance, and Item type, the odds of = 246.41, p < .0001). Moreover, for each website, the non-matching item types are perceived as Disclosure are 24.0% lower for users of the Remove tool compared to users of the Auto tool, a small (d = significantly more risky than the matching item type. Also, for each item type, the non-matching websites .165) but significant (p = .047) effect. The odds of Disclosure are 18.9% lower for users of the Add tool are perceived as significantly more risky than the matching website13. H3 is thus supported. compared to users of the Auto tool, a small (d = .107) effect that is not significant (p = .130). H6 is thus partially is also significant for is indeed Relevance (χ2(6) Likewise, the interaction between Website and Item typesupported: Disclosure Perceivedsignificantly higher for the Auto tool than for the Remove tool. = 913.47, p < .0001). For each website, the non-matching item types are perceived as significantly less
  32. 32. But what causes risk and relevance? When the type of information requested matches the purpose of the website, people are more likely to disclose it. Contact info Interests Job skills 100% ! 95% ! Health record ! 90% 85% 80% 75% BlogHeroes I♡WRK Codacare 32
  33. 33. ure? ation disclos auses inform What c perceived risk and relevance e? and relevanc es risk ut what caus B purpose-spec ificity
  34. 34. ure? ation disclos auses inform What c perceived risk and relevance e? and relevanc es risk ut what caus B purpose-spec ificity ence at is the influ Wh tion auto-comple of the tool?
  35. 35. Influence of tool type Please tell us more about yourself BlogHeroes  will  assign  a  "guild"  to  you  based  on  the  information  you  provide  below.  Note  that  none of  the  fields  are  required,  but  our  classification  will  be  better  if  you  provide  more  information. General  info  about  me We tested three tools: Please  provide  some  background  info  to  get  our  matching  process  started. Name  (first): > For employers E-­mail  address: > For inves tors Gender: John (last): Smith Please  enter  your  information john@smith.com – Auto FormFiller (automatically fills I WRK will find jobs based on the information you enter on this form. None of the items on the form are required, but if you provide more fields, users can remove manually)   information the jobs will be a better match. – Remove FormFiller (same but users G can click to remove each field)   What  I  do  for  a  living General and contact information – Add FormFiller (no automatic filling, Enter your details, please users can click a button to fill each Your personal Codacare health insurance policy will be based on the field) information you provide. Please note that none of the items are > Contac t Age  (years): Address: > About us City: Male 23 123 Main St. New York State: NY Zip: 12345 ENERA L A ND C ONTA C T I NFO Some  guilds  write  about  their  jobs.  Tell  us  more  about  yours,  and  we  can  provide  a  better  match. FIRST NAME Employment  status: Experience  (years): LAST NAME Employed for wages John 5 AGE Current/previous  job: Income  level: Education: 23 Researcher clear Smith Sector: Education / training / library clear required, but the insurance will be better tailored to your needs if you between $50K and $100K/year GENDER provide more information. clear Male Doctoral General information E-MAIL ADDRESS My  health Please provide your general information. john@smith.com Name (first): clear (last): Some  guilds  write  about  their  health.  Providing  us  with  some  info  will  help  us  match  them  to  you. ADDRESS CITY STATE ZIP Physical  health: Dietary  restrictions: Birth  control  usage: 123 Main St. About average Address: allergic to nuts City: ORK EXPERI ENC E None W Gender: Please New York State: NY 12345 Zip: tell us about your education and work experience, so that we can find a suitable job for you. fill clear fill fill Age: HIGHEST DEGREE EARNED Doctoral E-‐mail: CURRENT EMPLOYMENT STATUS Employed for wages fill clear fill clear
  36. 36. Influence of tool type Tool type Website Risk Disclosure Item type Relevance 2 χ (86) = 99.443, p = .152; CFI = .990, TLI = .988; RMSEA = .007, 90% CI: [.000, .013] 2 χ (86) = 95.140, p = .235; CFI = .993, TLI = .992; RMSEA = .006, 90% CI: [.000, .012]
  37. 37. Influence of tool type ! Tool type Auto 0.863*** Remove 0.754*** ! Add 0.811*** ! Disclosure ! Risk ! ! ! Relevance Auto 0.989 Remove 1.133*** Add 1.114*** Odds are closest to 1 for the Auto tool, so Risk and Relevance influence Disclosure the least for users of the Auto tool
  38. 38. Influence of tool type Results: – Disclosure was not purpose-specific for users of the Auto tool – Disclosure was purpose-specific for users of the Remove and Add tools. These tools help users consider the website’s purpose in their disclosure decisions – Additional note: Users of the Add tool were more satisfied, despite having to click more frequently on average! Contact info 100% ! Auto 100% ! ! 95% 90% Job skills Health record Remove ! ! 95% Interests ! ! Add ! ! ! ! ! 90% 85% 85% 80% 80% 75% BlogHeroes I♡WRK Codacare BlogHeroes I♡WRK Codacare BlogHeroes I♡WRK Codacare
  39. 39. ure? ation disclos auses inform What c perceived risk and relevance e? and relevanc es risk ut what caus B purpose-spec ificity ence at is the influ Wh moderates effe tion auto-comple of the ct of risk and re levance tool?
  40. 40. Take-home message People base th eir information disclosure dec the perceived ision on risk and relev ance of the inf ormation e) thus disclosur (and st nd relevance rceived risk a y of the reque Pe cit rpose-specifi e pu depend on th The effect of ris k and relevance is moderated b type: disclosure y tool is more “calcula ted” when the a remove tools ar dd and e used

×