Article

Privacy Indexes: A Survey of Westin's Studies

Abstract and Figures

Since the late 1970's Dr. Alan Westin has conducted over 30 privacy surveys. For each of his surveys, Westin has created one or more Privacy Indexes to summarize his results and to show trends in privacy concerns. Many privacy researchers are interested in using these privacy indexes as benchmarks to which they can compare their own survey results. However, the details of how the indexes were calculated have not been reported except in the original survey reports. These reports were originally distributed in paper form, and many are no longer readily available. We obtained paper copies of five of these survey reports and found a sixth report online. We also found summaries of eight additional reports online. Here we report on the methodology used each year to calculate the privacy indexes and draw some conclusions about which indexes can be used to infer privacy trends.
Content may be subject to copyright.
________________________________________________________________________
- 1 -
Privacy Indexes:
A Survey of Westin’s Studies
Ponnurangam Kumaraguru, Lorrie Faith Cranor
CMU-ISRI-5-138
December 2005
Institute for Software Research International
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Abstract
Since the late 1970’s Dr. Alan Westin has conducted over 30 privacy surveys. For each of his
surveys, Westin has created one or more Privacy Indexes to summarize his results and to show
trends in privacy concerns. Many privacy researchers are interested in using these privacy indexes
as benchmarks to which they can compare their own survey results. However, the details of how
the indexes were calculated have not been reported except in the original survey reports. These
reports were originally distributed in paper form, and many are no longer readily available. We
obtained paper copies of five of these survey reports and found a sixth report online. We also
found summaries of eight additional reports online. Here we report on the methodology used each
year to calculate the privacy indexes and draw some conclusions about which indexes can be used
to infer privacy trends.
This research was supported in part by the Institute for Software Research International, Carnegie
Mellon University and by the Carnegie Mellon CyLab.
________________________________________________________________________
- 2 -
Keywords: privacy survey, privacy index, privacy attitudes, medical privacy, consumer
privacy, e-commerce, privacy fundamentalist, privacy pragmatist, privacy unconcerned.
________________________________________________________________________
- 3 -
1. Introduction
Dr. Alan Westin conducted over 30 privacy-related surveys between 1978 and 2004 [21]. These
surveys cover general privacy, consumer privacy, medical privacy, and other privacy-related
areas. For most of these surveys Westin created a “Privacy Index” to summarize his results and to
show trends in privacy concerns. Unfortunately, the details of how Westin calculated these
privacy indexes have not been reported except in the original survey reports. These reports were
originally distributed in paper form, and the early ones are no longer readily available. Some of
the more recent survey reports are currently available for purchase from Privacy & American
Business.1 We were able to obtain paper copies of five of these survey reports [10], [12], [13],
[15], [17] and were able to find a sixth report online [4]. We were also able to obtain the
executive summary of eight additional reports online [5], [6], [7], [11], [14], [16], [18], [19].
Table 1 provides the information regarding reports discussed in this paper.
Table 1: Details of the studies discussed in this paper
Year Name of study Report / Summary
found
Source type
1990 Equifax Executive Summary Summary Online
1991
Harris-Equifax Consumer Privacy
Survey
Report Hard copy
1992 Equifax Executive Summary Summary Online
1993 Health Information Privacy Survey Report Hard copy
1994 Equifax-Harris Consumer Privacy
Survey
Report Hard copy
1995 1995 Equifax / Harris Consumer
Privacy Survey
Summary Online
1996 Equifax-Harris Consumer Privacy
Survey
Report Hard copy
1997 The results of Commerce,
Communication, and Privacy Online
for Privacy & American Business
Summary Online
1998 E-Commerce & Privacy: What Net
Users Want
Report Hard copy
1998 The Privacy Concerns and Consumer
Choice
Summary Online
1999 DoubleClick, Inc. and Privacy & Summary Online
1 Privacy & American Business, Report Order form, http://www.pandab.org/RptOrderForm.pdf , visited on
10 Aug 04.
________________________________________________________________________
- 4 -
American Business
1999 Freebies and Privacy:What Net Users
Think
Summary Online
2001 Privacy On & Off the Internet: What
Consumers Want
Report Hard copy
2003 Most People Are “Privacy
Pragmatists” Who, While Concerned
about Privacy, Will Sometimes Trade
it Off for Other Benefits
Summary Online
Westin’s surveys measure attitudes and concerns about privacy and provide data on how
these attitudes and concerns change over time. Westin has surveyed the general level of privacy
concern of the public and has also studied the attitudes about specific privacy-related topics, for
example, confidence in organizations that handle personal information, acceptance of a national
identification system, and use of medical records for research. He has also investigated changes in
privacy attitudes after September 11, 2001 [4]. Some of Westin’s surveys were commissioned by
companies or organizations that were interested in privacy issues relevant to their particular line
of business. In each survey report, Westin provides insights designed to help organizations
respond to privacy concerns with appropriate policies, products, and services. All of these surveys
were conducted via telephone and surveyed randomly-selected statistical samples of the United
States adult population. Because they are random-sample surveys and are statistically
representative, they serve as useful benchmarks for comparisons with surveys conducted in other
countries or surveys conducted with convenience samples.
Westin created several privacy indexes to summarize his survey results and show privacy
trends over time. While creating the indexes, Westin classified the public into three categories.
Westin has interchangeably used the following categories to refer to the groups of people that he
created: (1) High and Fundamentalist, (2) Medium and Pragmatist, (3) Low and Unconcerned.2
Of the 14 survey reports (complete or summaries) that we examined, six specified the values for
all the three categories while one report provided the value for the High category only. The rest of
the reports did not discuss about the privacy indexes.
We also found other studies where the researchers have directly or indirectly compared
the indexes described by Westin to the results obtained by them in their own studies [1], [2].
Many privacy researchers around the globe are interested in using these privacy indexes as
benchmarks to which they can compare their own survey results and also use these indexes to
classify people in other countries. In this paper, we report the methodology used by Westin to
calculate the privacy indexes and draw some conclusions about which indexes can be used to
infer privacy trends.
The remainder of this paper is organized as follows: In the following section, we present
Westin’s methodology for creating privacy indexes. We include the text of the questions from
which the privacy indexes were obtained.3 In the discussion section, we present some conclusions
about these privacy indexes and present some criticism that has been raised about these surveys.
2 To be consistent with the reports written by Westin, we have also used the terms as presented in Westin’s
reports.
3 When reproducing survey questions in this report, we have omitted those parts of the question that are not
relevant to the privacy indexes under discussion. We have included the actual question and question
numbers from the original surveys, displaying them in bold, italic font.
________________________________________________________________________
- 5 -
2. Creation of Privacy Indexes
In this section, we present the methodology used by Westin for creating the indexes for each of
the reports that we obtained. We present the methodology in chronological order of the study. We
provide the actual questions from the reports, options provided to the samples, results for these
specific questions and definitions given by Westin for the categories of people.
2.1. Harris – Equifax Consumer Privacy Survey – 1990 and 1991
The earliest privacy index we studied was Westin’s “General Privacy Concern Index,” developed
as part of the 1990 study. In order to gain a better understanding of privacy concerns, Westin used
a series of four questions to divide respondents into three groups, representing levels of privacy
concern. As reported in Westin’s 1991 survey report [10], respondents were asked:4
1. Whether they are very concerned about threats to their personal privacy today.
2. Whether they agree strongly that business organizations seek excessively personal
information from consumers.
3. Whether they agree strongly that the Federal government since Watergate is still invading
the citizen’s privacy.
4. Whether they agree that consumers have lost all control over circulation of their
information.
The answers to these questions were used to assign each respondent to a privacy concern group as
follows:
High 3 or 4 privacy-concerned answers
Moderate 2 privacy-concerned answers
Low 1 or no privacy-concerned answers
Westin then examined respondents’ responses to all the other privacy-related questions in the
1990 study and found that the general privacy concern index was a good predictor for relating
general concern level and privacy concern level.
Using the classification mentioned above, Westin divided the respondents into the following
categories :
The privacy Fundamentalists: Fundamentalists are generally distrustful of organizations
that ask for their personal information, worried about the accuracy of computerized
information and additional uses made of it, and are in favor of new laws and regulatory
actions to spell out privacy rights and provide enforceable remedies. They generally
choose privacy controls over consumer-service benefits when these compete with each
other. About 25% of the public are privacy Fundamentalists.
The Pragmatic: They weigh the benefits to them of various consumer opportunities and
services, protections of public safety or enforcement of personal morality against the
degree of intrusiveness of personal information sought and the increase in government
power involved. They look to see what practical procedures for accuracy, challenge and
correction of errors the business organization or government agency follows when
consumer or citizen evaluations are involved. They believe that business organizations or
government should “earn” the public’s trust rather than assume automatically that they
have it. And, where consumer matters are involved, they want the opportunity to decide
whether to opt out of even non-evaluative uses of their personal information as in
compilations of mailing lists. About 57% of public fall into this category.
The Unconcerned: The Unconcerned are generally trustful of organizations collecting
their personal information, comfortable with existing organizational procedures and uses
are ready to forego privacy claims to secure consumer-service benefits or public-order
values and not in favor of the enactment of new privacy laws or regulations. About 18% of
public fall into this category.
4 We were unable to obtain the complete report of the 1990 study. The privacy index that we have provided
here for the year 1990 is from the 1991 report [10].
________________________________________________________________________
- 6 -
In the 1991 study, Westin created the “Consumer Privacy Concern Index.” He used questions
about business use of personal information as the basis for creation of the index. He used the
response of the following question to create the index [10]:
4 a. Do you agree or disagree with the following statement (READ EACH ITEM)? Do you agree /
disagree very strongly or somewhat strongly?
1. Consumers have lost all control over how personal information about them is circulated
and used by companies.
Agree very strongly 1 ( 37 ) 5
Agree somewhat strongly 2 ( 34 )
Disagree somewhat strongly 3 ( 20 )
Disagree very strongly 4 ( 3 )
Neither / Not sure 5 ( 4 )
2. My privacy rights as a consumer in credit reporting are adequately protected today by law
and business practices
Agree very strongly 1 ( 10 )
Agree somewhat strongly 2 ( 27 )
Disagree somewhat strongly 3 ( 29 )
Disagree very strongly 4 ( 20 )
Neither / Not sure 5 ( 4 )
For creating the index, Westin considered the privacy-oriented position to be “agree” 6 for the
first question (4 a 1) and for the second question (4 a 2), he regarded the privacy-oriented
position to be “disagree.” The 1991 report describes how these responses were used to create the
Consumer Privacy Concern Index [10]:
If a person did not take the privacy-oriented position on either of the two statements, we
scored them as a Low in Consumer Privacy Concern. If they took one of the two pro-
privacy views, we considered them to have Moderate concern. And if they took the
strongest privacy-oriented position on both of the statements, we considered them to have
High concern. We tested the power of the index by looking whether those who scored
highest on this index were the most privacy-oriented in answering most of the other
attitude and policy questions on the 1991 survey, whether those scoring lowest on the
index were the least concerned with privacy on those questions, and moderates were in
the middle.
Westin in the 1991 report provided the comparison of the index values for 1990 and 1991 studies
[10]:
Consumer privacy concerns for 1991 and 1990 is as follows
1990 1991
High concern 46 % 41%
Moderate concern 36 % 39%
Low concern 17 % 20%
2.2. Harris-Equifax Health Information Privacy Survey – 1993
Westin created the “Medical Privacy Concern Index” and “Computer Fear Index” as part of his
1993 survey. Westin used “Medical Sensitivity Index” (described below) and an additional two
5 The numbers in parenthesis are the exact values from the reports.
6 Westin has used “agree” to be sum of “agree very strongly” and “agree somewhat;” this was not clearly
mentioned in the reports. Similar aspects were seen in few other reports also [15], [17].
________________________________________________________________________
- 7 -
questions to create the Medical Privacy Concern Index. The additional two questions to create the
index were [12]:
A 2. (Have/do) you or (has/does) a member of your immediate family (READ ITEM), or not?
1. Ever used the services of a psychologist, psychiatrist, or other mental-health professional.
Yes (22 ) 7
No (77 )
Not Sure (1 )
D1. Do you believe that (READ EACH ITEM) has ever disclosed your personal medical information
in a way that you felt was improper, or not?
Health insurance companies ( 15 – 82 – 3 ) 8
A clinic or hospital that treated you or a family member ( 11 – 87 – 2 )
Public health agencies (10 – 86 – 4 )
Your employer or a family member’s employer ( 9 – 89 – 1 )
A doctor who has treated you or a family member ( 7 – 92 – 1 )
A pharmacy or druggist who filled a prescription
for you or a family member ( 3 – 95 - 1 )
The Medical Sensitivity Index was based on two questions measuring computer fear and two
questions measuring concern over the circulation of medical information among various
organizations. The two questions measuring concern for circulation of medical information were:
C2. Please tell me for each of the following statements whether you agree strongly, agree
somewhat, disagree somewhat, or disagree strongly?
1. It concerns me that my medical information is being seen today by many organizations
beyond those that I go to for health care services.
Agree Strongly ( 32 )
Agree somewhat ( 29 )
Disagree somewhat ( 22 )
Disagree strongly ( 14 )
Not sure ( 4 )
L 4. Under national health-care reform, each person might be assigned an identification number for
health insurance purposes. How concerned would you be to have such a health information
number assigned to you – very concerned, somewhat concerned, not very concerned or not
concerned at all?
Very concerned ( 28 )
Somewhat concerned ( 29 )
Not very concerned ( 22 )
Not concerned at all ( 20 )
Not sure ( 1 )
The two questions measuring computer fear were:
K1. How concerned are you that many health care providers you use today employ computers in
some of their operations, such as patient billing and accounting, laboratory work, and keeping
some medical records – are you concerned, some what concerned, not too concerned, not
concerned at all?
Very concerned ( 8 )
Somewhat concerned ( 21 )
Not too concerned ( 31 )
7 During this year Westin also conducted the study among leaders of organizations, but these values are not
discussed in this report. In this report, we provide the values for the “Total Public” as mentioned in
Westin’s report.
8 The values are presented in the order of “Yes,” “No” and “Not sure.”
________________________________________________________________________
- 8 -
Not concerned at all ( 40 )
Not sure ( ** ) 9
L1. Under national health care reform, computers are expected to be used extensively to manage
and monitor operations. Some of these uses will involve individual medical records. In general,
would such use of computers worry you – a great deal, a little or not at all?
A great deal ( 23 )
A little ( 47 )
Not at all ( 29 )
Not sure ( 1 )
Responses to questions C2, K1, L1, and L4 were first combined to form a Medical Sensitivity
Index. If a respondent answered 3 or 4 questions with the strongest privacy position, he or she
was placed in the High category; if a respondent answered 1 or 2 questions with the strongest
privacy position, he or she was placed in the Medium category. Respondents with no strong
privacy answers were placed in the Low category of Medical Sensitivity Index. Dividing the
public into these three groups produced the following distribution:
High - 13%
Medium - 45%
Low - 42%
Westin specified that Medical Sensitivity Index proved to be strongly correlated with privacy
orientations of a large majority of the respondents. Respondents scoring highest in the Medical
Sensitivity Index took the most privacy-oriented position on the majority of the questions;
respondents with Medium Medical Sensitivity Index occupy middle positions; and respondents
with Low Medical Sensitivity Index were the least privacy oriented. Using the results from the
above questions A2 and D1, along with the Medical Sensitivity Index, Westin created the Medical
Privacy Concern Index. Westin found 48% of the public fell into the category of High Medical
Privacy Concern Index. Westin in his report (referring to the results for the above questions)
mentioned [12]:
Each of these measures as we have already discussed produced strong correlation
between these respondents and strong privacy-oriented positions on a majority of the 39-
question data set. After eliminating duplications among the three sets of respondents, we
found 48% of public – representing 89 million Americans - fall into the High Medical
Concern.
As mentioned earlier, in the 1993 study, Westin also created the Computer Fear Index. He asked
the following questions for creating the index:
X3. Do you agree strongly, agree somewhat, disagree somewhat or disagree strongly?
1. If privacy is to be preserved, the use of computers must be sharply restricted in the future.
Agree strongly ( 40 )
Agree somewhat ( 31 )
Disagree somewhat ( 17 )
Disagree strongly ( 10 )
Not sure ( 2 )
9 The value for this option was less than 0.5%, so no specific values were provided in Westin’s report.
Values provided with ( ** ) hereafter in this report specifies percentages less than 0.5%. We also suspect
that all the values presented in the Westin’s reports were rounded off to the nearest integer values.
________________________________________________________________________
- 9 -
K1. How concerned are you that many health care providers you use today employ computers in
some of their operations, such as patient billing and accounting, laboratory work, and keeping
some medical records – are you very concerned, somewhat concerned, not too concerned, not
concerned at all?
Very concerned (8%)
Somewhat concerned (21%)
Not too concerned at all (31%)
Not concerned at all (40%)
Not sure ( ** )
18% of public are very concerned that their health care provides are using computer
today.
L1. Under national health care reform, computers are expected to be used extensively to manage
and monitor operations. Some of these uses will involve individual medical records. In general,
would such use of computers worry your – a great deal, a little or not at all?
A great deal ( 23 )
A little ( 47 )
Not at all ( 29)
Not sure ( 1 )
Westin used the above questions (X3.1, K1, L1) to create the Computer Fear Index. Westin
proposed [12]:
People with 2 or 3 of above answers were rated as high in computer fear; 1 answer as
medium and no answer as Low. The public divided into three groupings as follows:10
High Computer Fear - 22%
Medium Computer Fear - 32%
Low Computer Fear - 47%
2.3. Equifax-Harris Consumer Privacy Report – 1994
In the 1994 study [13], Westin created the “Distrust Index”. Westin used the following questions
to derive the index.
H1. For each of the following statements, please tell me whether you tend to agree or disagree? Do
you agree strongly, agree somewhat, disagree somewhat or disagree strongly?
Technology has almost gotten out of control ( 23 – 28 – 25 – 21 – 1 ) 11
Government can generally be trusted to look after our interests ( 5 – 15 – 28 – 52 - ** )
The way one votes has no effect on what the government does ( 24 – 22 – 26 – 27 – 1 )
In general business helps us more than harm us ( 34 – 42 – 14 – 8 – 1 )
Westin specified [13]:
To create the Distrust Index, we examined each respondent’s answers to the four
questions.12 If a respondent gave 3-4 distrustful answers (e.g., agrees that voting has no
effect; disagrees that government can generally be trusted; disagrees that business helps
more than harms; and agrees that technology is almost out of control), we classify that
respondent as High in distrust; two distrustful answers are scored as Medium distrust; one
as Low distrust; and no distrustful answers are called No distrust.
The values for the classification were:
10 Here Westin mentions the privacy orientation as the answers to the questions asked to the respondents.
11 Values specified are in the order of “Agree strongly,” “Agree somewhat,” “Disagree somewhat,”
“Disagree strongly” and “Not sure.”
12 Here Westin refers to the four parts of the question mentioned above in H1.
________________________________________________________________________
- 10 -
High Distrust - 31%
Medium Distrust - 38%
Low Distrust - 26%
No Distrust - 5%
Westin showed a direct correlation between the respondent’s distrust level and respondent’s
position for a majority of the privacy issues. Westin showed this correlation in the 1990, 1993 and
1994 studies. In one of his remarks regarding this correlation, Westin argued the following [13]:
The degree of pro-privacy orientation on each issue goes up in a step-by-step rise as the
level of distrust increases. For example, 51% of public is very concerned about threats to
personal privacy, but 61% of those High in distrust are very concerned; 53% of those with
Medium distrust; 42% of those Low in distrust; and only 24% of respondents who are Not
Distrustful say they are very concerned about threats to their personal privacy today.
2.4. Equifax-Harris Consumer Privacy Report – 1996
In the 1996 study [15], Westin created the “Privacy Concern Index”. The following questions
were used for creating the index:
A1. How would you rate each of the following consumer issues in terms of their importance to you?
Is this very important to you, somewhat important, not very, or not at all important?
5. Protecting the privacy of consumer information
Very Important ( 65 )
Somewhat important ( 23 )
Not very important ( *** ) 13
Not at all important ( *** )
Don’t know ( @@ ) 14
Refused ( @@ )
A 2a. Have you personally ever been the victim of what you felt was an improper invasion of
privacy, or not?
Yes, has been victim ( 24 )
No, have not been victim ( @@ )
Don’t know ( @@ )
Refused ( @@ )
A 3. The present system in the U.S. for protecting the confidentiality of consumer information used
by business combines THREE main controls; voluntary privacy practices adopted by companies,
individual lawsuits and court decisions, and federal and state laws in specific industries.
Some experts feel that congress should create a permanent federal government Privacy
Commission, as some European countries have done. This Commission would examine new
technology development and could issue and enforce privacy regulations governing ALL business
in the U.S.
Other experts believe the present system is flexible enough to apply those consumer privacy rights
that the American public wants to have protected, and that creating a federal Commission gives too
much authority to the federal government.
Which of these choices do you think is best for the U.S.?
Creating a federal government Privacy Commission ( 28 )
Using the present system to protect consumer privacy rights ( 67 )
Neither ( *** )
15
13 ( *** ) together they were specified to be 10%
14 ( @@ ) hereafter in this report specifies when the values were not addressed in Westin’s reports.
________________________________________________________________________
- 11 -
Don’t know ( ***)
Refused ( @@ )
A 5. Here are some predictions about how well the privacy of information about consumers will be protected
in the year 2000. Which of the following comes closest to the way you feel – consumer privacy protection will
get better, will get worse, or will remain about the same as it is today?
Consumer privacy will get better ( 17 )
Consumer privacy will get worse ( 44 )
Consumer privacy will remain about the same ( 39 )
Dont know ( @@ )
Refused ( @@ )
E 3. Here are some statements about the internet. (READ EACH ITEM) Do you agree strongly, agree
somewhat, disagree somewhat, or disagree strongly?
1. The providers of on-line services should be able to track the places users go on the
Internet in order to send these users targeted marketing offers
Agree strongly ( 7 )
Agree somewhat ( 25 )
Disagree somewhat ( 32 )
Disagree strongly ( 32 )
Don’t know ( @@ )
Refused ( @@ )
G 2. Health care system researchers sometimes use patient records to study the value and costs of specific
medications and treatments in order to improve programs for handling diseases. These researchers do not
release any information that would identify specific patients. If your identity were kept strictly confidential,
AND obtaining your permission in advance was NOT feasible, how acceptable would it be for your medical
information to be used as part of that type of general research project – very, somewhat, not very, or not at
all acceptable?
Very acceptable ( 18 )
Somewhat acceptable ( 39 )
Not very acceptable ( 12 )
Not at all acceptable ( 31 )
Don’t know ( @@ )
Refused ( @@ )
Westin used the following six options for each of the questions mentioned above for creating the
index respectively (e.g. the response “very important” to the question A1.5 is modified as a
statement “Privacy of consumer information is very important”) [15]:
Privacy of consumer information is very important
Personally a victim of privacy invasion
Favor a general federal regulatory privacy commission
Believe consumer privacy will get worse by year 2000
Disagree that online services can track users for marketing to them
Not acceptable to use medical records of health-system research without advance
consent.
Westin divided the total public into High privacy concern (taking the samples whose response
matched with 4, 5, or 6 of the above options), Medium privacy concern (taking the samples
whose response matched with 2 or 3 of the above options), and Low privacy concern (taking the
samples whose response matched with 1 or none of the above options) groups. Using this division
Westin categorized the respondents into the following groups:
15 ( *** ) together they were specified as 5%
________________________________________________________________________
- 12 -
Privacy Fundamentalists: The respondents in this group were from the High privacy concern
group as classified before. 25% 16 of the respondents belonged to privacy Fundamentalists.
To this segment, consumer privacy is very important, they feel that they have been victims
of privacy invasions, they are pessimistic about the future of privacy protection and about
a third of them favor creating a general federal regulatory agency on consumer privacy.
Privacy Pragmatists: The respondents in this group were from the Medium privacy concern group
as classified before. 59 % of the respondents were privacy Pragmatists.
They are concerned about consumer privacy; they look at promised consumer-service
benefits before they willingly give personal information to businesses. They seek
safeguards and fair information practices when their personal information is sought to be
used by business; and most of them favor using the present system of sectoral regulation
by government and voluntary policies by business rather than creating a general federal
privacy agency with regulatory powers.
Privacy Unconcerned: The respondents in this group were from the Low privacy concern group
as classified before. 16 % of the respondents were classified as privacy Unconcerned.
They are not concerned about consumer privacy, do not feel victimized are ready to give
their information for consumer benefits, and a large majority of them are not supportive of
a general federal regulatory agency for consumer privacy.
2.5. E-commerce & Privacy: What Net Users want, 1998
In the 1998 study [17], Westin did not create any privacy index; instead Westin asked a question
regarding personal privacy. This question was also asked in some of the other studies [10], [12],
[13]:
Q1017. How concerned are you about threats to your personal privacy in America today - very
concerned, somewhat concerned, not very concerned, or not concerned at all?17
Very concerned
Somewhat concerned
Not very concerned
Not concerned at all
Don’t know
Refused
Westin found that 87% of computer users say they are concerned, with 56% “very concerned”
and 31% “somewhat concerned”.
2.6. Privacy On and Off the Internet: What Consumers Want, 2001
Westin in his 2001 report [4] provides the definition of the “Privacy Segmentation Index” created
for the studies conducted between 1995 and 1999 [9], [14], [15], [20] Westin used the following
question to derive the index in these studies:
Q206. For each of the following statements, how strongly do you agree or disagree?
16 In the report [15], the values for the individual groups were specified as: privacy fundamentalists – 24%,
privacy pragmatists – 60% and privacy unconcerned – 16%. But the values provided in one of the foot
notes of the report were: Privacy Unconcerned – 16%, Privacy Pragmatists – 59% and Privacy
Fundamentalists – 25%. We have used the later value as the results in this paper, as the values of the groups
sum up to 100%.
17 We report this question here, as we use this information in later analysis. In this report we refer to this
question as the “common question.”
________________________________________________________________________
- 13 -
1. Consumers have lost all control over how personal information is collected and used by
companies.
2. Most businesses handle the personal information they collect about consumers in a
proper and confidential way.
3. Existing laws and organizational practices provide a reasonable level of protection for
consumer privacy today.
For each of the above statements the following options were provided:
Strongly Disagree
Somewhat Disagree
Somewhat Agree
Strongly Agree
We were able to obtain the values for 1990 and 2000 only [9], [20]; the values were:18
Table 2: Percentage of responses for the questions during 1990 and 200019
1999 [9]
2000 [20]
Strongly /
Somewhat
Agree
Strongly /
Somewhat
Disagree
Strongly/
Somewhat
Agree
Strongly/
Somewhat
Disagree
Consumers have lost all control
over how personal information is
collected and used by
companies.
80 20 77 20
Most businesses handle the
personal information they collect
about consumers in a proper and
confidential way.
64 34 54 43
Existing laws and organizational
practices provide a reasonable
level of protection for consumer
privacy today
59 38 51 47
In these studies (1995 – 1999), Westin used the following definitions for classifying the public
into three categories:
Privacy Fundamentalists are respondents who agreed (strongly or somewhat) with the first
statement (Q206 - 1) and disagreed (strongly or somewhat) with the second (Q206 - 2)
and third statements (Q206 – 3).
Privacy Unconcerned are those respondents who disagreed with the first statement (Q206
- 1) and agreed with the second (Q206 - 2) and third statements (Q206 – 3).
All other respondents were categorized into Privacy Pragmatists. For studies conducted between
1995 and 1999, Westin has provided the values in the 2001 report as follows (we provide the
values for the above groups):
18 Westin in his 2001 report specifies that he has derived the privacy segmentation index for the studies
conducted between 1995 and 1999; but we did not find any mention of the privacy segmentation index in
the 1996 report [15].
19 The total of the values obtained for all the categories except for the first category in 1999 did not total to
100; since we did not have the reports for 1999 and 2000, we were not able to check these values.
________________________________________________________________________
- 14 -
The values for fundamentalist, unconcerned and pragmatists were found to be:
Privacy Fundamentalists: This group sees privacy as an especially high value, rejects the
claims of many organizations to need or be entitled to get personal information for their
business or governmental programs, thinks more individuals should simply refuse to give
out information they are asked for, and favors enactment of strong federal and state laws
to secure privacy rights and control organizational discretion.
This group consists of about 25% of the American public.
Privacy Unconcerned: This group doesn’t know what the “privacy fuss” is all about,
supports the benefits of most organizational programs over warnings about privacy abuse,
has little problem with supplying their personal information to government authorities or
businesses, and sees no need for creating another government bureaucracy (a “Federal
Big Brother) to protect someone’s privacy.
This group consists of about 20% of the American public.
Privacy Pragmatists: This group weighs the value to them and society of various business
or government programs calling for personal information, examines the relevance and
social propriety of the information sought, wants to know the potential risks to privacy or
security of their information, looks to see whether fair information practices are being
widely enough observed, and then decides whether they will agree or disagree with
specific information activities – with their trust in the particular industry or company
involved being a critical decisional factor. The pragmatists favor voluntary standards and
consumer choice over legislation and government enforcement. But they will back
legislation when they think not enough is being done - or meaningfully done - by voluntary
means.
This group consists of about 55% of the American public.
Westin in his 2001 report also presents the value and procedure for obtaining the “Core Privacy
Orientation Index.” Westin created this index for the studies conducted in mid - 2000 and 2001.
For deriving the index, Westin used the same questions, options and the categories as in the above
study (1995 – 1999). Using the same definitions provided above, Westin derived the following
results for the mid – 2000 study:
Privacy Fundamentalists 25 %
Privacy Unconcerned 12 %
Privacy Pragmatists 63 %
Westin provided the following comments for the change in behavior of people in this
study (mid – 2000) compared to earlier studies:
What this documents is something that makes good sense in terms of what we
see happening all around us - that unconcern about privacy among the public
has dropped, and 88% of the public now registers Medium to High consumer
privacy concerns. But it also suggests that Privacy Fundamentalism is NOT
increasing. Instead, an even larger segment of the public than in the mid to late
1990’s, almost two-thirds, is adopting the Privacy Pragmatist - show me and let
me decide - position.
To obtain the core privacy orientation index for 2001 study, Westin used the same question as in
the above studies (1995 – 1999):
Q206. For each of the following statements, how strongly do you agree or disagree?
1. Consumers have lost all control over how personal information is collected and used by
companies. ( 32 – 47 – 16 – 5 ) 20
2. Most businesses handle the personal information they collect about consumers in a
proper and confidential way. ( 3 – 41 – 19 – 18 )
20 Specified in the order of “strongly disagree,” “somewhat disagree,” “somewhat agree,” “strongly agree.”
________________________________________________________________________
- 15 -
3. Existing laws and organizational practices provide a reasonable level of protection for
consumer privacy today. ( 4 – 34 – 45 – 18 )
The following options were provided to the respondents to select from:
Strongly Disagree
Somewhat Disagree
Somewhat Agree
Strongly Agree
In this 2001 study, Westin used the following definitions for classifying the public into three
categories:
Privacy Fundamentalists are respondents who agreed (strongly or somewhat) with the first
statement (Q.206 - 1) and disagreed (strongly or somewhat) with the second (Q.206 - 2)
and third statements (Q.206 – 3).
Privacy Unconcerned are those respondents who disagreed with the first statement
(Q.206 - 1) and agreed with the second (Q.206 - 2) and third statements (Q.206 – 3).
Privacy Pragmatists are all other respondents.
The values for fundamentalist, unconcerned and pragmatists were found to be:
Privacy Fundamentalists: At the maximum extreme of privacy concern, Privacy
Fundamentalists are the most protective of their privacy. These consumers feel
companies should not be able to acquire personal information for their organizational
needs and think that individuals should be proactive in refusing to provide information.
Privacy Fundamentalists also support stronger laws to safeguard an individual’s privacy.
This group consists of 34% of the American public.
Privacy Unconcerned: These consumers are the least protective of their privacy - they feel
that the benefits they may receive from companies after providing information far outweigh
the potential abuses of this information. Further, they do not favor expanded regulation to
protect privacy.
This group consists of 8% of the American public.
Privacy Pragmatists: Privacy Pragmatists weigh the potential pros and cons of sharing
information; evaluate the protections that are in place and their trust in the company or
organization. After this, they decide whether it makes sense for them to share their
personal information.
Majority of the American public (58%) belong to this group.
2.7. Harris Privacy Survey - 2003
In the 2003 study [6], to obtain the privacy index, Westin asked the following question:
For each of the following statements, how strongly do you agree or disagree?21
1. Consumers have lost all control over how personal information is collected and used by
companies. ( 69% agreeing )
2. Most businesses handle the personal information they collect about consumers in a
proper and confidential way. ( 54% disagreeing )
3. Existing laws and organizational practices provide a reasonable level of protection for
consumer privacy today. (53% disagreeing )
Following options were provided to the respondents to choose from:
Strongly Disagree
Somewhat Disagree
Somewhat Agree
21 As we took this information from the summary this does not have a question number; also we were not
able to obtain the complete breakup percentage for each options. So we provide the values that we obtained
from the summary.
________________________________________________________________________
- 16 -
Strongly Agree
Replies to these three questions have the following results:
1. 69% of adults agree,22 “Consumers have lost all control over how personal information is
collected and used by companies." This is a decline of eleven points from 80% who felt
this way in 1999.
2. 54% of the public disagree that "most businesses handle the personal information they
collect about consumers in a proper and confidential way." This is an increase of nineteen
points from only 35% who felt this way in 1999.
3. 53% of all adults disagree that "existing laws and organizational practices provide a
reasonable level of protection for consumer privacy today." This is an increase of fifteen
points from 38% in 1999.
Using above values Westin classified the public into three categories:
Privacy Fundamentalists: Some people feel very strongly about privacy matters. They
tend to feel that they have lost a lot of their privacy and are strongly resistant to any further
erosion of it.
This group consists of 26% of the American public.
Privacy Unconcerned: At the other extreme there are people who have no real concerns
about privacy and who have far less anxiety about how other people and organizations
are using information about them.
This group consists of 10% of the American public.
Privacy Pragmatists: who have strong feelings about privacy and are very concerned to
protect themselves from the abuse or misuse of their personal information by companies
or government agencies.
This group consists of 64% of the American public.
3. Discussion
This study was conducted to provide an understanding of the methodology, questions and results
used by Westin to create the privacy indexes. Westin in his surveys, created several privacy
indexes to summarize his results and to show trends in privacy concerns among the public. As
mentioned earlier Westin used these indexes to classify people into three groups. He has
interchangeably used the following to describe these three groups: (1) High and Fundamentalist,
(2) Medium and Pragmatist, (3) Low and Unconcerned. We showed that Westin has used
different questions to derive the same index (e.g. 1990 study [10] and 1996 study [11]). Also
Westin did not create or provide the same indexes for all the studies which could have aided
direct comparison.
22 Westin has considered “strongly agree” and “somewhat agree” together for “agree” and “strongly
disagree” and “somewhat disagree” together for “disagree”.
________________________________________________________________________
- 17 -
Table 3 : Values and names for various privacy indexes. We were not able to obtain the index name for the
2004 study. 23
Year of Study Index Category name with % of population in
the study
Privacy Fundamentalists – 25%
Privacy Unconcerned – 18%
1990 [10] General Privacy Concern Index
Privacy Pragmatists – 57%
High Concern – 41%
Medium Concern – 39%
1990 [10] Consumer Privacy Concern Index
Low Concern – 20%
High Concern – 46%
Medium Concern – 36%
1991 [10] Consumer Privacy Concern Index
Low Concern – 17%
High – 13%
Medium – 45%
1993 [12] Medical Sensitivity Index
Low – 42%
1993 [12] Medical Privacy Concern Index High – 48%
High – 22 %
Medium – 32 %
1993 [12] Consumer Fear Index
Low – 47 %
High Distrust - 31%
Medium Distrust - 38%
Low Distrust - 26%
1994 [13] Distrust Index
No Distrust - 5%
Privacy Fundamentalists – 25%
Privacy Unconcerned – 16%
1996 [15] Privacy Concern Index
Privacy Pragmatists – 59%
Privacy Fundamentalists – about 25%
Privacy Unconcerned – about 20%
1995 – 1999 [4] Privacy Segmentation Index
Privacy Pragmatists – about 55%
Privacy Fundamentalists – 25%
Privacy Unconcerned – 12%
Mid – 2000 [4] Core Privacy Orientation Index
Privacy Pragmatists – 63%
Privacy Fundamentalists – 34%
Privacy Unconcerned – 8%
Late – 2001 [4]
Core Privacy Orientation Index
Privacy Pragmatists – 58%
2003 [6] Core Privacy Orientation Index Privacy Fundamentalists – 26%
23 Information provided in the summary of 2001 survey gives the details for 1995 – 1999. Since we had the
complete report for 1996, we have provided the exact values from the 1996 survey report. Also we have
provided the values only from the summary and reports which we were able to find.
________________________________________________________________________
- 18 -
Privacy Unconcerned – 10%
Privacy Pragmatists – 64%
2004 [3] High - 35%
Table 4 : Values for each option from the common question; the column “Total” provides the sum of the
column “Very concerned” and the column “somewhat concerned.”24
Year
Very
concerned
Somewhat
concerned
Not very
concerned
Not
concerned
at all
Not
sure Total
1978 [13] 31% 33% 17% 19% 1% 64%
1983 [13] 48% 29% 15% 7% 0% 77%
1990 [13] 46% 33% 14% 6% 1% 79%
1991 [13] 48% 31% 12% 7% 1% 79%
1992 [13] 47% 31% 13% 8% 2% 78%
1993 [13] 49% 30% 11% 6% 3% 79%
1994 [13] 51% 33% 10% 5% 1% 84%
1995 [14] 47% 35% DNA DNA DNA 82%
1996 [15] DNTAQ DNTAQ DNTAQ DNTAQ DNTAQ DNTAQ
1998 [17] 55% 33% DNA DNA DNA 88%
1998 [18] 56% 31% DNA DNA DNA 87%
2001 [4] DNTAQ DNTAQ DNTAQ DNTAQ DNTAQ DNTAQ
2003 [6] DNA DNA DNA DNA DNA DNA
2004 [3] DNA DNA DNA DNA DNA DNA
DNA – Data Not Available, DNTAQ – Did Not Ask The Question
Table 3 provides the values for each privacy indexe created by Westin; Table 4 provides
the percentage of personal privacy concern level for the common question mentioned in Section
2.5. From Table 3, we can see that during 1994 – 2000 the percentage of Fundamentalists in the
public have remained almost the same, around 25% but the number of Unconcerned had
decreased from 42 % in 1993 to 12 % in 2000 and reduced further to 10 % in 2003. However
Pragmatist group was varying between 30% and 64%, 64% in 2003 being the highest to date of
all the surveys. From Table 4 we can see that the percentage of personal privacy concern (“very
concerned” or “somewhat concerned”) was around 80 % in almost all the studies, except for 88%
during 1998. Using the results from his studies, Westin showed a strong correlation between the
index values and the responses for the “common question” (e.g. higher the concern for personal
privacy, higher the possibility of being in the category of “High or Fundamentalist.”)
In his reports Westin specifies that in recent years the position of – “Show me and let me
decide” – [4] which is the Pragmatist (around 60%) view is prevailing among the public. This is
consistent with the data in Table 3. The percentage of “Unconcerned” has been steadily
decreasing for the last few years. In his reports Westin mentions that this might be due to more
people getting to know more about technology and also becoming aware of various means to
protect their privacy.
Westin stated, “Surveys show that consumer privacy concerns have not been lessened by 9/11”
[8]. This can be seen in Table 3 for mid-2000 and late-2001. An increase of 9% (due to a decrease
of 4% in Unconcerned and 5% in Pragmatist) in Fundamentalist shows that Americans are more
worried about privacy post 9/11.
24 We have presented all the values from the reports and the summaries that we have discussed in this
report.
________________________________________________________________________
- 19 -
3.1. Closer look at the questions used for creating the indexes:
From Table 5 we can see that the criteria used for deriving the indexes have been different for
different studies and also the indexes’ names have been different.
Table 5 summarizes the different aspects that Westin used for deriving the privacy indexes (For the
purpose of comparison we have provided only necessary details and all details provided are taken exactly
from Westin reports).
Year of study Criteria used for deriving the privacy index
1990
(General Privacy
Concern Index)
Whether they are very concerned about threats to their personal privacy
today.
Whether they agree strongly that business organizations seek
excessively personal information from consumers.
Whether they agree strongly that the Federal government since
Watergate is still invading the citizen’s privacy.
Whether they agree that consumers have lost all control over circulation
of their information.
1991
(Consumer Privacy
Concern Index)
Agreement for the statements :
Consumers have lost all control over how personal information about
them is circulated and used by companies
My privacy rights as a consumer in credit reporting are adequately
protected today by law and business practices
1993
(Medical Privacy
Concern Index)
Ever used the services of a psychologist, psychiatrist, or other mental-
health professional.
Do you believe your personal information has been disclosed? And
there were other 4 questions which were all related to medical
information.
1993
(Computer Fear Index)
If privacy is to be preserved, the use of computers must be sharply
restricted in the future.
Concern level in usage of computers in medical services (patient
billing, accounting)
1994
(Distrust Index)
Technology has almost gotten out of control
Government can generally be trusted to look after our interests
The way one votes has no effect on what the government does
In general business helps us more than harm us
1995 – 2003
(Privacy Segmentation
&
Core Privacy
Orientation Index)
Consumers have lost all control over how personal information is
collected and used by companies.
Most businesses handle the personal information they collect about
consumers in a proper and confidential way.
Existing laws and organizational practices provide a reasonable level of
protection for consumer privacy today.
________________________________________________________________________
- 20 -
From this analysis we can say that the results produced by these different surveys conducted by
Westin cannot be directly compared because of the following reasons:
The indexes derived in the different studies did not use the same criteria
(questions) for deriving them.
The options (answers) used for obtaining the indexes were different for different
studies.
These indexes could be directly compared to any similar study if and only if:
The same questions are analyzed as asked by Westin
The options for the questions provided are the same as those provided by Westin.
The criteria used for deriving the indexes should be the same as the criteria used
by Westin in deriving the particular index.
We see that the criteria for deriving the indexes have been consistent since 1995 and also the
names given to the privacy indexes have been consistent. This helps us in understanding the
privacy trend from 1995.
Apart from questions related to privacy index and general privacy concern, Westin’s
privacy studies also include many other questions that may be of use to privacy researchers.
However, it is important to keep in mind that these questions were usually asked in the context of
studies commissioned by corporations that intended to use the results as part of their efforts to
influence the public policy process. Thus, privacy activists have been critical of the design of
some of these questions and the ways the results have been reported [3].
Other groups and organizations have shown concern towards Westin’s categorization. Electronic
Privacy Information Center (EPIC), in their criticism, say that Westin has chosen “Pejorative”
terms to describe those who care a great deal about privacy – “Fundamentalists.” EPIC mentions
that the behavior of the samples who are classified as “Fundamentalists” by Westin are not
unreasonable and so they must not be referred and seen as people who are paranoid about privacy
issues. Also, Professor Oscar Gandy in “The Role of Theory in the Policy Process” comments on
the Equifax report of 1990. He mentions that the extent to which people had read or heard about
“the potential use or misuse of computerized information about consumers” influences their level
of privacy concerns. The more the people heard or read, the more they were concerned about
threats to their privacy and the more concerned they were about the sale of personal information
by industry [3].
We expect this report to help researchers in gaining an understanding of the questions,
results and criteria for analysis of the privacy indexes created by Westin. We hope this study will
help privacy researchers by giving a perspective of various privacy indexes created by Westin. In
this report we only provide the results obtained by Westin; we did not perform any survey or
study to evaluate the values presented in this report. As shown earlier, most of the indexes created
by Westin cannot be directly compared.
In this study, we analyzed only the reports that we were able to obtain [Table 1]. Westin
has conducted more than 30 survey studies and we analyzed only 14 of them. But we suspect the
reports that we have analyzed are a good sample of the studies. Also the studies mentioned in this
report were the studies mostly referenced in other reports and publications. A report based on all
the 30 studies would help to generalize the findings further. One of the future research questions
is to study time or the situation (political, legal and social) in which the study was conducted and
to correlate it with the responses by the samples. We suspect these could have had an impact on
the responses obtained by Westin.
________________________________________________________________________
- 21 -
Acknowledgements
The authors would like to thank Dr. Alessandro Acquisti, Heinz School, Carnegie Mellon
University, for his suggestions on the initial draft of this report. The authors also wish to thank
Edward Barr and Sarah Jameson of Carnegie Mellon University for their feedback on the
presentation and language of the paper. This research was partially supported by Institute for
Software Research International, Carnegie Mellon University. This research was also partially
funded by Carnegie Mellon CyLab.
References
[1]. ACQUISTI, A., AND GROSSKLAGS, J. Privacy and Rationality: Preliminary
Evidence from Survey Data. In Proceedings. In Third Workshop on Economics and
Information Security, 2004. (May 2004).
[2]. CRANOR, L. F., REAGLE, J., AND ACKERMAN, M. S. Beyond Concern:
Understanding Net Users' Attitudes About Online Privacy. Tech. rep., Retrieved
June 18, 2004,
http://www.research.att.com/resources/trs/TRs/99/99.4/99.4.3/report.htm.,
September 25-27, 1999.
[3]. ENTERPRISE PRIVACY INFORMATION CENTRE. Public Opinion on Privacy.
2005. Retrieved June 18, 2005, http://www.epic.org/privacy/survey/default.html.
[4]. HARRIS INTERACTIVE. Privacy On & Off the internet: What Consumers Want.
Tech. rep., Retrieved Aug 27, 2004,
http://www.aicpa.org/download/webtrust/priv_rpt_21mar02.pdf., November 2001.
Conducted for Privacy & American Business, 1,529 interviewees.
[5]. PRIVACY & AMERICAN BUSINESS. Executive Summary. 1999. Retrieved Aug
20, 2004, http://www.pandab.org/doubleclicksummary.html
[6]. TAYLOR, H. Most People Are "Privacy Pragmatists" Who, While Concerned about
Privacy, Will Sometimes Trade It Off for Other Benefits. 2003. Conducted among
1,010 respondents. Retrieved Aug 18 2004,
http://www.harrisinteractive.com/harris_poll/index.asp?PID=365.
[7]. WESTIN, A. Freebies and Privacy:What Net Users Think. 1999. Retrieved Aug 20,
2004, http://www.pandab.org/sr990714.html.
[8]. WESTIN, A. Consumer, Privacy and Survey Research. 2003. Retrieved Aug 17,
2004,
http://www.harrisinteractive.com/advantages/pubs/DNC_AlanWestinConsumersPri
vacyandSurveyResearch.pdf
[9]. WESTIN, A., AND HARRIS INTERACTIVE. IBM-Harris Multi-National
Consumer Privacy Survey. Tech. rep., 1999. Approximately 5,000 adults of the
U.S., Britain and Germany.
[10]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Harris-Equifax Consumer
Privacy Survey. Tech. rep., 1991. Conducted for Equifax Inc. 1,255 adults of the
U.S. public.
[11]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Equifax Executive
Summary. 1992. Conducted among 1,254 adults of the U.S. public. Retrieved Aug
20, 2004, http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1992.html.
[12]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Health Information Privacy
Survey. Tech. rep., 1993. Conducted for Equifax Inc. 1,000 adults of the U.S.
public.
________________________________________________________________________
- 22 -
[13]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Equifax-Harris Consumer
Privacy Survey. Tech. rep., 1994. Conducted for Equifax Inc. 1,005 adults of the
U.S. public.
[14]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. 1995 Equifax/Harris
Consumer Privacy Survey- Executive Summary. Conducted for Equifax Inc. 1,006
adults of the national public. Retrieved Aug 20, 2004,
http://www.mindspring.com/~mdeeb/equifax/cc/parchive/svry95/docs/summary.htm
l.
[15]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Equifax-Harris Consumer
Privacy Survey. Tech. rep., 1996. Conducted for Equifax Inc. 1,005 adults of the
U.S. public.
[16]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Executive Summary. 1997.
The results of Commerce, Communication, and Privacy Online for Privacy &
American Business. 1,009 computer using adults. Retrieved Aug 20, 2004,
http://www.privacyexchange.org/iss/surveys/computersurvey97.html.
[17]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. E-Commerce & Privacy:
What Net Users Want. Tech. rep., 1998. Conducted for Privacy & American
Business and PricewaterhouseCoopers. 1,011 adults of the national public.
[18]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Executive Summary. 1998.
Findings from the survey - The Privacy Concerns and Consumer Choice. Retrieved
Aug 18, 2004, http://www.privacyexchange.org/iss/surveys/1298execsum.html.
[19]. WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Equifax Executive
Summary. 1990. Findings from the Survey - Consumers in the Information Age for
Equifax Inc. 2,254 adults of the national public. Retrieved Aug 20, 2004,
http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1990.html.
[20]. WESTIN, A., AND OPINION RESEARCH CORPORATION. Public Records and
the Responsible Use of Information. Tech. rep., 2000. Conducted for the Center for
Social and Legal Research and sponsored by ChoicePoint, Inc.
[21]. WESTIN, A., AND THE STAFF OF THE CENTER FOR SOCIAL & LEGAL
RESEARCH. Bibliography of Surveys of the U.S. Public, 1970-2003. 2003.
Retrieved June 19, 2004,
http://www.privacyexchange.org/iss/surveys/surveybibliography603.pdf.
... In the first variant (Agent 1), the utility function is personalised for each user based on their previous decisions (accepted or rejected offers). For the second variant (Agent 2), the agent classifies a user as being one of a three different privacy types, which is initially determined based on their Westin's Privacy Segmentation Index [40,64] and later adjusted based on their sharing behaviour. ...
... At the beginning, participants were asked to download the mobile app from the Play Store. They entered their demographics (age, gender, nationality, university course) into the app, and completed Westin's Privacy Segmentation Index survey [64]. Westin's Privacy Segmentation Index is a widely used tool for measuring privacy attitudes [124] and categorising individuals into three privacy types: Fundamentalists, Pragmatists, and Unconcerned. ...
... dev.: 3.78). The participant poll consisted of 18.18% Fundamentalists, 75% Pragmatists and 6.82% Unconcerned (as defined by Westin's Privacy Segmentation Index) which is broadly consistent with the overall American population [64] -however attitudes to privacy may differ between the overall American population and the participants in out study. ...
Article
Full-text available
Many service providers require permissions to access privacy-sensitive data that are not necessary for their core functionality. To support users’ privacy management, we propose a novel agent-based negotiation framework to negotiate privacy permissions between users and service providers using a new multi-issue alternating-offer protocol based on exchanges of partial and complete offers. Additionally, we introduce a novel approach to learning users’ preferences in negotiation and present two variants of this approach: one variant personalised to each individual user, and one personalised depending on the user’s privacy type. To evaluate them, we perform a user study with participants, using an experimental tool installed on the participants’ mobile devices. We compare the take-it-or-leave-it approach, in which users are required to accept all permissions requested by a service, to negotiation, which respects their preferences. Our results show that users share personal data 2.5 times more often when they are able to negotiate while maintaining the same level of decision regret. Moreover, negotiation can be less mentally demanding than the take-it-or-leave-it approach and it allows users to align their privacy choices with their preferences. Finally, our findings provide insight into users’ data sharing strategies to guide the future of automated and negotiable privacy management mechanisms.
... With regard to that, related work offers some ways of clustering users with potentially similar preferences into small numbers of privacy preference profiles and inferring preferences of those groups of users (Agarwal and Hall, 2013;Baarslag et al., 2017;Lin et al., 2012;Nakamura et al., 2016;Ravichandran et al., 2009). For example, Baarslag et al. (2017) proposed assigning users into three profile categories (fundamentalists, pragmatists and unconcerned ) according to their general level of privacy concern measured using a three-question survey instrument called Privacy Segmentation Index (Kumaraguru and Cranor, 2005). However, Jensen et al. (2005) observed that while those classified as fundamentalists have consistent privacy concerns, they do not appear to form a cohesive group with respect to decision-making. ...
... fundamentalists, pragmatists and unconcerned (Kumaraguru and Cranor, 2005). The three-question survey instrument he developed (Privacy Segmentation Index), has been hugely influential in the debate over privacy attitudes (Woodruff et al., 2014) and deployed in other research studies (e.g. ...
... The lab study procedure involved four parts: the initial survey, the main experiment, a post-study questionnaire and a debrief. (Kumaraguru and Cranor, 2005). Westin's Privacy Segmentation Index is a widely used tool for measuring privacy attitudes (Woodruff et al., 2014) and categorising individuals into three privacy types: Fundamentalists, Pragmatists, and Unconcerned. ...
Thesis
As the number of online services powered by personal data is growing, the technology behind those services raises unprecedented concerns with regard to users’ privacy. Although there are significant privacy engineering efforts made to provide users with an acceptable level of privacy, often users lack mechanisms to understand, decide and control how their personal data is collected, processed and used. On one hand, this affects users’ trust towards the service provider; on the other, under some regulatory frameworks the service provider is legally required to obtain user’s consent to collection, use and processing of personal data. Therefore, in this thesis, we focus on privacy engineering mechanisms for consent. As opposed to the simple act of clicking ‘I agree’, we view consent as a process, which involves the formation of user’s privacy preferences, the agreement between the user and the service provider and the implementation of that agreement in the service provider’s system. Firstly, we focus on understanding the user’s consent decision-making. Specifically, we explore the role of privacy knowledge in data sharing. To that end, we conduct an experiment, where we inform participants how they stop allowing the collection of their online activity data. We compare the behaviour of two groups with an increased knowledge of data collection: one provided only with actionable information on privacy protection, and one additionally informed about the details of how and by whom the collection is conducted. In our experiment, we observe no significant difference between the two groups. Our results suggest that procedural privacy knowledge on how users can control their privacy has impact on their consent decisions. However, we also found that the provision of factual privacy knowledge in addition to procedural knowledge does not effect users’ prevention intent or behaviour. These outcomes suggest that the information about privacy protection itself may act a stimulus for users to refuse consenting to data collection. Secondly, we investigate the idea of agent-based privacy negotiations between a user and a service provider. To that end, we propose a novel framework for the implementation of semi-automated, multi-issue negotiation. Our findings suggest that such a framework is more suitable for negotiation in the privacy domain that the ‘take-it-or-leave-it’ approach or setting privacy preferences manually, because it allows for a collaborative search for mutually beneficial agreements: users consent to data use more often, consent is more consistent with users’ data-sharing sensitivity and it requires less users’ effort. Moreover, in order for an agent to accurately represent the user, the agent needs to learn the user’s privacy preferences. To address this problem, we compare two approaches to privacy preference elicitation through a user study: one where the preferences are personalised for each user based on their previous consent and one where the user classified into one of the three privacy profiles and later re-classified if their consent decisions reflect a change. We find that the latter approach can represent the user more accurately in the initial negotiation rounds than those of the former. Finally, we look at the implementation of consent on the service provider’s side after the agreement regarding data use has been made. In more detail, we consider a scenario where a user can deny consent to process certain data for certain purposes. To that end, the existing approaches do not allow service providers to satisfy the user’s consent in the optimal way. Therefore, we propose a novel graph-theoretic model for the service provider to store consent, which indicates the kinds of data processing that can be performed under the privacy agreement. Then, we formalise the consent problem as a constraint satisfaction problem on graphs. We provide several algorithms to solve the problem and compare them in terms of their trade off between execution time and quality of the solution. Our algorithms can provide a nearly optimal solution in the face of tens of constraints and graphs of thousands of nodes in a few seconds. The research presented in this thesis contributes to understanding users’ consent decision making and addresses an emerging need for technologies that can help service providers manage users’ consent. We propose ideas for potentially fruitful lines of exploration within this area.
... Privacy research has put enormous effort in classifying people into groups. Most attempts classify people based on their privacy concerns [4,9,15,17,42,43,73,80,83,94]. Fewer attempts are based on perceived sensitivity, willingness to disclose, and behavior [38,41,45,68,98]. ...
... Fewer attempts are based on perceived sensitivity, willingness to disclose, and behavior [38,41,45,68,98]. Segmentations are found useful to (1) assess willingness to disclose in marketing settings [42], (2) study the impact of service features on different users [37], (3) serve developers and service providers in developing products [15], and (4) help resolve the privacy paradox [43]. Some studies have included employees [68], but so far there are no studies that focus on the employment context [7]. ...
... Here, classes are assumed to be unobserved categorical (latent) variables. We determined the optimal number of classes by first estimating a one-class model and then iteratively adding classes up to a maximum of five, as we expected group sizes similar to those in previous studies in other contexts [4,38,42,80]. We evaluated model fit using various fit indices, with a focus on BIC due to its superiority in LCA class selection [64]. ...
Article
Full-text available
The processing of employees’ personal data is dramatically increasing, yet there is a lack of tools that allow employees to manage their privacy. In order to develop these tools, one needs to understand what sensitive personal data are and what factors influence employees’ willingness to disclose. Current privacy research, however, lacks such insights, as it has focused on other contexts in recent decades. To fill this research gap, we conducted a cross-sectional survey with 553 employees from Germany. Our survey provides multiple insights into the relationships between perceived data sensitivity and willingness to disclose in the employment context. Among other things, we show that the perceived sensitivity of certain types of data differs substantially from existing studies in other contexts. Moreover, currently used legal and contextual distinctions between different types of data do not accurately reflect the subtleties of employees’ perceptions. Instead, using 62 different data elements, we identified four groups of personal data that better reflect the multi-dimensionality of perceptions. However, previously found common disclosure antecedents in the context of online privacy do not seem to affect them. We further identified three groups of employees that differ in their perceived data sensitivity and willingness to disclose, but neither in their privacy beliefs nor in their demographics. Our findings thus provide employers, policy makers, and researchers with a better understanding of employees’ privacy perceptions and serve as a basis for future targeted research on specific types of personal data and employees.
... STPA-security focuses on the methods of controlling system vulnerabilities by securing those control actions that leads to vulnerabilities. In this work, we perform component, sub-system, and systemlevel verification and validation of the network modules and their Operating System (OS) in an automotive through STPA-Privacy (STPA-Priv) (Kumaraguru and Cranor 2005;Spiekermann et al. 2015). We have chosen a model-based approach as we know the state machines (Benton et al. 2013) and the sub-component interactions with the system. ...
... In this work, we emphasize the need for privacyrelated constraints and security precautions in system design. The privacy referred to in this paper is personal information that unknowingly gets shared with the attacker, who might exploit the gathered information (Kumaraguru and Cranor 2005). This research is based on the premise that the user trusts the automotive infotainment system and gives permission to share and synchronize personal information with the system by agreeing to the disclosure agreement. ...
Article
Full-text available
Modern automobiles are equipped with connectivity features to enhance the user’s comfort. Bluetooth is one such communication technology that is used to pair a personal device with an automotive infotainment unit. Upon pairing, the user could access the personal information on the phone through the automotive head unit with minimum distraction while driving. However, such connectivity introduces a possibility for privacy attacks. Hence, performing an in-depth analysis of the system with privacy constraints is extremely important to prevent unauthorized access to personal information. In this work, we perform a systematic analysis of the Bluetooth network of an automotive infotainment unit to exploit security and privacy-related vulnerabilities. We model the identified threat with respect to privacy constraints of the system, emphasize the severity of attacks through a standardized rating metric and then provide potential countermeasures to prevent the attack. We perform System Theoretic Process Analysis for Privacy as a part of the systematic analysis and use the Common Vulnerability Scoring System to derive attack severity. The identified vulnerabilities are due to design flaws and assumptions on Bluetooth protocol implementation on automotive infotainment systems. We then elicit the vulnerability by performing a privacy attack on the Automotive system in an actual vehicle. We use Android Open-Source Project to report our findings and propose defense strategies.
... Understanding the commonalities and differences among users based on profiles has been among the main issues in data privacy research [1,2,3]. Categorizing profiles contributes to better identification of users' behaviors and supports administrators in comprehending privacy choices. ...
... methodology he applied classifies people into three categories: privacy fundamentalists, pragmatists, and unconcerned. Because of the commercial nature of Westin's surveys, the methodology and the details of how privacy indexes were calculated are not fully disclosed, so we rely on subsequent works[2] that deeply analyzed and reported them.Westin Segmentation, and particularly the pragmatism adherence of the consumers were criticized by the work of Hoofnagle and Urban[42,43]. Their experimental work investigated customer expectations for privacy safeguards, showing that many people believe they have greater protection than they really do due to a lack of knowledge about corporate practices, privacy policies, and data usage limits. ...
Preprint
Full-text available
Privacy and ethics of citizens are at the core of the concerns raised by our increasingly digital society. Profiling users is standard practice for software applications triggering the need for users, also enforced by laws, to properly manage privacy settings. Users need to manage software privacy settings properly to protect personally identifiable information and express personal ethical preferences. AI technologies that empower users to interact with the digital world by reflecting their personal ethical preferences can be key enablers of a trustworthy digital society. We focus on the privacy dimension and contribute a step in the above direction through an empirical study on an existing dataset collected from the fitness domain. We find out which set of questions is appropriate to differentiate users according to their preferences. The results reveal that a compact set of semantic-driven questions (about domain-independent privacy preferences) helps distinguish users better than a complex domain-dependent one. This confirms the study's hypothesis that moral attitudes are the relevant piece of information to collect. Based on the outcome, we implement a recommender system to provide users with suitable recommendations related to privacy choices. We then show that the proposed recommender system provides relevant settings to users, obtaining high accuracy.
... The Privacy Segmentation Index introduced by Westin (2003) has been widely used to measure privacy attitudes and make longitudinal comparisons (Krane, Light & Gravitsch, 2002;Kumaraguru & Cranor, 2005). Westin's Index categorizes individuals into three privacy groups: 1. Unconcerned -those who give privacy little thought 2. Pragmatists -those who worry about threats to privacy but believe that reasonable safeguards are in place or can be created 3. Fundamentalists -those with high privacy concerns and high distrust in government, business, and technology One might expect that people's attitudes would have a significant impact on their behaviour. ...
Book
Full-text available
Proceedings of the ETHICOMP 2022 Conference was held in Turku, Finland, July 26-28, 2022.
... He distinguishes between fundamentalists who are generally worried about privacy and lack trust in institutions to handle their data carefully; pragmatists who weigh benefits and risks in particular situations; and unconcerned who are generally trusting and willing to share their data for personal benefit. Throughout the surveys, the largest portion of people is found to be pragmatists (King, 2014;Kumaraguru & Cranor, 2005). Sheehan (2002) constructs a similar typology from survey data about Internet users but identifies four categories: alarmed, wary, circumspect and unconcerned. ...
Article
Full-text available
In this article, the authors present exploratory research about privacy behaviour in a smart city. They ask if and why people share personal data in a smart city environment. They designed a gamified survey that offers realistic scenarios in which people are asked to identify smart technologies and to share or withhold their personal data. The findings show that most respondents are willing to share their data for surveillance purposes and security benefits. They found that privacy behaviour was directly and most strongly explained by privacy concerns: people with more concerns shared less personal data than others. Smart city literacy had a much smaller effect on privacy behaviour, as did age, education, and income. They found no effect of gender or place of residence on any of the dependent variables. They discuss the meanings of these outcomes for local governments as a matter of digital placemaking (i.e., designing the smart city in a way that makes technology visible and provides transparency with respect to privacy and data governance).
... While studies try to distinguish between non-users [51,131], beginners [48,49], and cryptocurrency users [79,102,115], Abramova et al. are the rst to dene a typology of cryptocurrency users using an empirical approach [2]. They build on the concept of privacy personas [31,80], a model distinguishing users based on their motivation and knowledge about security and privacy into ve personas [31]. Froehlich et al. rst connected privacy personas with user behavior in the cryptocurrency domain, suggesting that both knowledge and motivation about secure behavior would inuence their risk perception. ...
Preprint
We present a systematic literature review of cryptocurrency and blockchain research in Human-Computer Interaction (HCI) published between 2014 and 2021. We aim to provide an overview of the field, consolidate existing knowledge, and chart paths for future research. Our analysis of 99 articles identifies six major themes: (1) the role of trust, (2) understanding motivation, risk, and perception of cryptocurrencies, (3) cryptocurrency wallets, (4) engaging users with blockchain, (5) using blockchain for application-specific use cases, and (6) support tools for blockchain. We discuss the focus of the existing research body and juxtapose it to the changing landscape of emerging blockchain technologies to highlight future research avenues for HCI and interaction design. With this review, we identify key aspects where interaction design is critical for the adoption of blockchain systems. Doing so, we provide a starting point for new scholars and designers and help them position future contributions.
... Early research into privacy attitudes suggested that people may divide into a small set of distinct privacy 'types' [160,161], including 'privacy fundamentalists' who avoid disclosing their information at all costs, 'pragmatists' who make calculated tradeoffs between privacy and benefit, and 'unconcerned' who are willing to give away their personal information for little or no benefit. One might expect these broad categories to predict people's (intended or actual) behaviours in specific situations; however, later research has found no significant correlations between the two [162]. ...
Preprint
Full-text available
Tracking' is the collection of data about an individual's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. This paper aims to introduce tracking on the web, smartphones, and the Internet of Things, to an audience with little or no previous knowledge. It covers these topics primarily from the perspective of computer science and human-computer interaction, but also includes relevant law and policy aspects. Rather than a systematic literature review, it aims to provide an over-arching narrative spanning this large research space. Section 1 introduces the concept of tracking. Section 2 provides a short history of the major developments of tracking on the web. Section 3 presents research covering the detection, measurement and analysis of web tracking technologies. Section 4 delves into the countermeasures against web tracking and mechanisms that have been proposed to allow users to control and limit tracking, as well as studies into end-user perspectives on tracking. Section 5 focuses on tracking on `smart' devices including smartphones and the internet of things. Section 6 covers emerging issues affecting the future of tracking across these different platforms.
... Metacodes encompassed attribute codes, identifying where the image provided was composite (with multiple sub-components or added text). Frameworks referred to identifiable mapping to established privacy frameworks, including Solove's Taxonomy of Privacy [75] and Westin's states of privacy [40]. Analysis from drawings related privacy to digital and social media, with the frequency increasing steadily from 11 to 14 and beyond. . ...
Article
Full-text available
In this paper, we report on the literature related to understanding young learners' mental models related to deceptive "dark patterns" used by malicious agents online: so-called sludge. We also discuss elicitation of mental models, particularly when carrying out activities to reveal the mental models of young learners. In addition, we review the ethical considerations when carrying out research in this domain. Finally, we propose the design of an activity to implement the lessons we have learned to assess the sludge-related mental models of young learners.
Article
When it comes to feelings about privacy, we are not all the same. In our work on this topic with privacy expert, Dr. Alan Westin, president and publisher, Privacy & American Business, we find three very different groups. Some people feel very strongly about privacy matters. They tend to feel that they have lost a lot of their privacy and are strongly resistant to any further erosion of it. We call them privacy fundamentalists, and they are currently about a quarter (26%) of all adults. At the other extreme there are people who have no real concerns about privacy and who have far less anxiety about how other people and organizations are using information about them. We call them privacy unconcerned and they are about ten percent of all adults. The third, and by far the largest group, now almost two-thirds of all adults (64%) are what we call privacy pragmatists, who have strong feelings about privacy and are very concerned to protect themselves from the abuse or misuse of their personal information by companies or government agencies. However, they are – to a far greater degree than the privacy fundamentalists – often willing to allow people to have access to, and to use, their personal information where they understand the reasons for its use, where they see tangible benefits for so doing and when they believe care is taken to prevent the misuse of this information. Since 1999 the numbers in each segment have varied somewhat. Compared to nine years ago, privacy pragmatists have increased from 54% to 64%, while the privacy unconcerned have declined from 22% to 10% of all adults. This analysis is based on replies to three questions included in a recent Harris Poll conducted by telephone by Harris Interactive ® with a nationwide cross section of 1,010 adults. The survey was fielded between February 12 and 16, 2003.
Article
People are concerned about privacy, particularly on the Internet. While many studies have provided evidence of this concern, few have explored the nature of the concern in detail, especially for the online environment. With this study, we have tried to better understand the nature of online privacy concerns; we look beyond the fact that people are concerned and attempt to understand how they are concerned. We hope our results will help inform both policy decisions as well as the development of technology tools that can assist Internet users in protecting their privacy. We present results here from the analysis of 381 questionnaires completed between November 6 and November 13, 1998 by American Internet users. The sample was drawn from the FamilyPC magazine/Digital Research, Inc. Family Panel. While this is not a statistically representative sample of US Internet users, our respondents are heavy Internet users, and quite possibly lead innovators. As such, we believe that this sample is important for understanding the future Internet user population.
Harris Consumer Privacy Survey-Executive Summary. Conducted for Equifax Inc. 1,006 adults of the national public
  • A And
  • Harris Louis
  • Associates
WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. 1995 Equifax/Harris Consumer Privacy Survey-Executive Summary. Conducted for Equifax Inc. 1,006 adults of the national public. Retrieved Aug 20, 2004, http://www.mindspring.com/~mdeeb/equifax/cc/parchive/svry95/docs/summary.htm l.
Executive Summary The results of Commerce, Communication, and Privacy Online for Privacy & American Business. 1,009 computer using adults
  • A And
  • Harris Louis
  • Associates
WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Executive Summary. 1997. The results of Commerce, Communication, and Privacy Online for Privacy & American Business. 1,009 computer using adults. Retrieved Aug 20, 2004, http://www.privacyexchange.org/iss/surveys/computersurvey97.html.
IBM-Harris Multi-National Consumer Privacy Survey
  • A Consumer
  • Survey Privacy
  • Research
  • A Westin
  • Harris And
  • Interactive
WESTIN, A. Consumer, Privacy and Survey Research. 2003. Retrieved Aug 17, 2004, http://www.harrisinteractive.com/advantages/pubs/DNC_AlanWestinConsumersPri vacyandSurveyResearch.pdf [9]. WESTIN, A., AND HARRIS INTERACTIVE. IBM-Harris Multi-National Consumer Privacy Survey. Tech. rep., 1999. Approximately 5,000 adults of the U.S., Britain and Germany.
Public Records and the Responsible Use of Information
  • A And
  • Opinion
  • Corporation
WESTIN, A., AND OPINION RESEARCH CORPORATION. Public Records and the Responsible Use of Information. Tech. rep., 2000. Conducted for the Center for Social and Legal Research and sponsored by ChoicePoint, Inc.
Equifax Executive Summary Findings from the Survey -Consumers in the Information Age for Equifax Inc. 2,254 adults of the national public
  • A And
  • Harris Louis
  • Associates
WESTIN, A., AND HARRIS LOUIS & ASSOCIATES. Equifax Executive Summary. 1990. Findings from the Survey -Consumers in the Information Age for Equifax Inc. 2,254 adults of the national public. Retrieved Aug 20, 2004, http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1990.html.
Privacy On & Off the internet: What Consumers Want
  • Harris Interactive
HARRIS INTERACTIVE. Privacy On & Off the internet: What Consumers Want. Tech. rep., Retrieved Aug 27, 2004, http://www.aicpa.org/download/webtrust/priv_rpt_21mar02.pdf., November 2001. Conducted for Privacy & American Business, 1,529 interviewees.