Introduction
Information privacy is seeing a considerable increase in interest from academic researchers [1]. This trend is partially due to the emergence and rapid progress of mobile technologies. Smartphones and tablets typically include global positioning systems (GPS), which can be easily accessed from the software development kits (SDK) used to generate “apps” for each mobile platform. Combined with the availability of application programming interfaces (API) for the most popular social networking systems (e.g., Facebook, Twitter, LinkedIn, and Pinterest), mobile apps combine personal information, social network data, and real-time location data. Consequently, mobile apps have become a virtual “shopping mall” of information privacy risks by combining the most valuable consumer information in one device.
Because of the incredible usefulness and attractiveness of many mobile apps, consumers are flocking to them with seemingly little regard for the risks. Research has implied that as long as: 1) an app has some sort of stated privacy policy with third-party assurance [2], [3], 2) the app appears to be the favorite among prior app adopters [2], or 3) app consumers believe they are skilled enough [4] or “in control” enough [5] to avoid the privacy risks, they will adopt the app and disclose any requested information.
Perhaps the dominant paradigm for explaining information disclosure is privacy calculus [6] which posits a tradeoff of perceived risks and benefits as primary determinants of disclosure. Privacy calculus is useful for explaining rational actors for a particular transaction. However, it doesn't account for the trends in risks and benefits over time or the bounded rationality consumers can exhibit with risk-based decisions [7].
Similarly, there are two limitations commonly found in prior research that may limit their implications. First, with little exception [e.g., 7], most research in the mobile app context has restricted the data collection and theoretical models to include information disclosure intentions without gathering actual information disclosure. This is problematic considering the oft observed privacy paradox in which actual consumer information disclosure far exceeds stated intentions [8], [9]. Second, there are even fewer longitudinal studies of information disclosure over mobile devices. This is also problematic considering that research has shown that consumers exhibit hyperbolic discounting in which future risks and benefits are viewed differently from the immediate term [7], [10]. In addition, privacy-related experience and knowledge are known to affect risk judgments [3], [11]. As a result, information disclosure decisions would logically change over time. Both of the above limitations are understandable considering the nature and difficulty of collecting longitudinal information disclosure data. Further increasing this difficulty, today's mobile apps include a variety of information including personal data, social network data, and location data.
Consequently, the purpose of this study is to design and execute a longitudinal field experiment in which consumers will need to make real disclosure decisions over time based on real privacy risks. To accomplish this, we designed a mobile application (available on iOS and Android smartphones and tablets) called “Findamine.” Findamine is a social geo-caching game that requires players to find a series of clues each week leading to interesting locations around their city. Players are incented to refer and track other players using an online social network built into the accompanying app website. Players are also incented to complete an optional player profile and to share their profile data, app data (including their location), and social network data with as many players as possible. Players are awarded game points that qualify the players for gift cards and prizes for every type of data disclosed. However, players are also given a detailed set of privacy controls allowing them to make conscious choices about exactly which types of information they will share and who they will share it with (e.g., nobody, friends, or all players). To manipulate behavior over time, the level of points awarded for data disclosed was either increased or decreased over time to observe the tradeoff between disclosure risks and benefits over time.
As a result of this design, we can test whether alternative theories, like prospect theory [12], can better explain mobile information disclosure. Prospect theory accounts for the irrational consumer behaviors regarding past experience in new risk decisions. The results support prospect theory. After explaining the experimental design in detail, we expound on these and other interesting findings at the end of the paper.
Literature Review
In general, information privacy refers to an individual's control over the myriad forms of information about themselves [13], [14] including its collection, unauthorized use, improper access, and errors [11]. Information privacy has a long and interesting research stream which is well-documented in recent literature reviews [1], [13]. Its definition depends on its conceptualization. Smith et al. [1] summarize these conceptualizations of information privacy as: (1) a state [15]—something you currently have (or don't have); (2) a control [16]—something to be limited during transactions; (3) a right [17]—something the law entitles you to; and most recently (4) a commodity [18]—something that can be traded.
As discussed, the progress of mobile device technologies and popularity of social networking applications have combined to increase privacy risks. Because of the emerging nature of this problem, the research in this area is only beginning to mature and much is found in recent conference proceedings. However, there are key findings worth noting.
First, a recent review of the fledgling research on mobile location privacy behaviors [19] indicates that consumers prefer privacy on mobile devices. Although this finding may seem obvious, it is important because consumers have shown a relative unwillingness to pay for privacy in other contexts [20]. Moreover, because mobile consumers prefer privacy, they are rational, making this context suitable to theories that assume consumer rationality.
Second, even though the ethics and intentions of mobile app providers cannot be verified (as evidenced in [21]), consumers have proven to be more than willing to adopt and pay for mobile apps. To justify increased privacy risk, consumers rely on some combination of external signals, internal self-assessments, or “sunk cost” beliefs. For example, privacy promises, seals, or third party statements about the reliability of an app provider can significantly reduce perceived risk [2], [3], [2]. Concurrently, consumers may believe that they are firmly in control of the risky situation regardless of the asymmetries of information between themselves and the app provider [5] or that their self-efficacy with mobile devices will allow them to prevent unauthorized access to their data [4]. More recently, research has also shown that, much like gamblers sunk in a “loss” position, mobile app consumers are willing to take greater risks if they believe their personal information is already “lost” [7]. Therefore, they readily adopt apps to gain the benefits, believing they cannot be placed in greater risk.
Lastly, a qualitative analysis of consumer focus groups and business managers [19] has revealed that both the costs and benefits of information disclosure over mobile devices are more multifaceted than prior research has considered. The decision to adopt a mobile application involves not only location data risks, but also personal information risks, and often social network information risks and others. Similarly, the benefits are also diverse including improvements in personal productivity, well-being, and entertainment. Although no single study can or should examine all forms of benefits at once, some types (e.g. entertainment) have not been examined in research at all. Additionally, most research studies (with limited exception [7]) focus on only one form of privacy risk.
Theoretical Model and Hypotheses
Several theories have been used to explain privacy concerns and perceived privacy risks. However, privacy calculus has been the dominant paradigm for explaining the formation of disclosure intentions [2], [3], [7], [19].
Privacy calculus in the e-commerce context explains information disclosure as a tradeoff between the perceived benefits and context-specific risks [6]. Also, the formation of perceived risks and disclosure intentions are determined by an individual's general privacy concerns with the environment.
3.1. Privacy Calculus Hypotheses
Because the nomological relationships in privacy calculus theory have been posited [6] and tested numerous times [2], [3], [7], [19], we do not formally hypothesize them here—although we test them in our study as a theoretical baseline. Importantly, we extend privacy calculus by accounting for changes in disclosure benefits and risks over time.
Privacy calculus is based on the assumption that consumers are rational [7]—meaning they can estimate the benefits and risks of information disclosure with some degree of accuracy and then make decisions based on a linear relationship, or tradeoff, between them. This assumption also implies that privacy calculus adopts the conceptualization of privacy as a commodity. That is, consumers can place a monetary value behind both the costs and benefits, thus making it possible to evaluate a perceived net gain/loss. Consequently, risks and benefits are independent of each other. They are calculated separately, yet both are used in the disclosure equation. Thus, if privacy calculus holds true as prior research has evidenced [2], [3], [7], [19], then increases in benefits over time should have no effect on perceived risk, yet also cause greater information disclosure:
H1: As information disclosure benefits increase, app consumers will perceive less mobile app risk.
H2: As information disclosure benefits increase, app consumers will disclose more information.
3.2. Prospect Theory Hypotheses
Although privacy calculus theory has proven to be a strong predictor of disclosure intentions, it has two limitations that we address. First, privacy calculus is intended to explain a cross-section of privacy beliefs and behaviors. A consumer's current risk and benefit assessment is what determines their current information disclosure. However, the risks and benefits of a given information technology (IT) are often changing, implying that a privacy calculus model might not be a good indicator of future behavior. For example, a news report of a serious security breach would certainly change users' risk perceptions. Similarly, if a mobile app provider were to offer new incentives or functionality, then past information disclosure levels would be a poor indicator of future consumer behavior.
Privacy calculus assumes that consumers are rational and base disclosure decisions on a linear relationship between the risks and benefits of disclosure. Nevertheless, a recent study demonstrated in the mobile app context that this assumption is only partially valid [7]. Consumers tend to overweight the probability of risks, while underweighting the impact or cost of risks [7]. As a result, we propose prospect theory [12] as a useful lens to modify the privacy calculus model. A key proposition of prospect theory is that individuals strongly consider reference points when making risk decisions. For example, if a gambler is “up” from their original financial position, they will take fewer risks, whereas they will take greater risks if they are “down” in order to catch up to their original position. However, the actual risk (probability * impact) does not change.
Prospect theory can help inform the first limitation we described. If the benefits of information disclosure are increasing over time, consumers are in a “gain” position from their original reference point. Thus, they will be more risk averse. Conversely, if the benefits of information disclosure are decreasing over time, consumers will be in a “loss” position and willing to accept greater risks to return to the net gain/loss position they once had. This proposition is supported by recent research [7] that found consumers' perception of their level of prior risk exposure (i.e., the extent to which their personal information was already held by marketing companies) significantly increased their intention to disclose information again. Similarly, the level of prior benefits held significantly affected consumers' future disclosure decisions. Therefore:
H3: As information disclosure benefits increase, app consumers will perceive more mobile app risk.
H4: As information disclosure benefits increase, app consumers will disclose less information.
In summary, we examine whether changes in information disclosure benefits over time are better explained by privacy calculus or prospect theory.
Methodology
As noted, we created a mobile app with an accompanying website to test the hypotheses. Five hundred and sixty-eight undergraduates at a large private university in the western United States participated during the spring semester of 2013.
The mobile phone application (called “findamine” or “find.a.mine” in the Apple App Store™ and Google Play™) was a geo-caching game. Each week (for 12 weeks), participants received three new clues on their phone or tablet (iOS and Android supported) through the mobile app. They earned points by deciphering the clue, travelling to the location, and taking a picture of the location through the mobile app. If they were correct, they earned points. Participants also earned points by sharing demographic information and uploading a photo on the personal profile they created on the website and by referring friends to join.
We provided weekly and end-of-game incentives to encourage play. Each week, we awarded 3–15 gift cards ($10 Visa or $11 campus gift card) to the participants who were first to find all of that week's locations. At the end of the game, the two participants with the most total points won a Samsung Galaxy Tab II™. We also held a random drawing, based on points earned, to award a third Samsung Galaxy Tab II™.
As seen in the example in Figure 2b&c, if players could not decipher the clue, they could use the “hot/cold” meter which indicated how geographically close they were to the target clue. Upon finding the clue, players pressed the “Found It!” button which prompted them to take a photograph through the app. After the photograph was submitted, participants could log in to the mobile website and view their points on the leaderboard. Figure 3 shows the website leaderboard.
4.1. Ensuring Experimental Validity
To generate valid and realistic information disclosure behaviors, participants needed to perceive actual personal risk and fear of disclosing information. This was accomplished in multiple ways. First, we obtained IRB approval to not require participants' informed consent because informed consent automatically elevates participants' awareness of risk and the artificial nature of data collection. Rather, participants were recruited under the false pretense that a local mobile app business wanted to pilot test a new geo-caching app at their university. As a result, there was no priming effect on participants and they were less susceptible to social desirability bias. Moreover, they were told that the friends and family members they referred to the app did not have to be university students or employees.
Second, the context of the app was chosen to replicate several relevant forms of information privacy and encourage consistent disclosure. For example, by choosing an app design with weekly incentives, participants were motivated to play by more than just extra credit. Because it was a geo-caching app, there was a clear need to collect location data, which presents personal safety risks [19]. The social network aspect of the app created additional enjoyment as well as vertical and horizontal personal information privacy risks [23]. The website included a player directory and social network (consisting of “frenemies” and “minions”). Players could search through and explore the app directory, which allowed them to view any player profile and app data that had been made public (like traditional social network apps) and add them to their social network. Thus, participants' personal information could legitimately be made publicly available—unless they set their privacy settings to restrict their data to “friends only” or “nobody.”
Third, the findamine app architecture needed to match those that are most potentially dangerous to consumers. In particular, the game was made possible by a native mobile app, a cross-platform website, and web services that connected the mobile app to the external database. When the app was introduced to participants, they were given a brief explanation of how the mobile app and website worked together with the same data. Consequently, participants were aware that the mobile app was capable of sending personal information to remote servers.
4.2. Experimental Manipulation
To understand how information disclosure behaviors change over time, we decided to manipulate the benefits of disclosure. As noted, participants were incented to disclose their profile data and personal photo by giving them points, which earned prizes, for each piece of information. At the beginning of the experiment, all participants were offered 35 points for each piece of information they disclosed. However, over the next three months until the final day, half of the participants were randomly assigned to have a gradual point reduction while the other half's points were increased over time. By the end of the experiment, one group was offered 65 points for each piece of information and the other group was offered 5 points. Participants knew their points were constantly changing because they frequently checked the leaderboard. They were also warned that point values would change during the course of the experiment. Figure 4 depicts a screen shot from a participant in the “decreasing” condition on the last day of the game. Participants were allowed to either submit or delete the profile data stored by this form at any time during the game. In this figure, no data has been entered. However, the participant could earn five points for each piece of information if they chose to submit it.
4.3. Measures
Because of our research design, we were able to capture a variety of objective measures for overall game play and information disclosure. Six of them are included in this study representing three types of information which can be disclosed over mobile apps:
Personal information
Percent of overall profile information disclosed (0.0 to 1.0)
Accuracy of profile information entered (1=nothing was accurate, 6=everything was accurate)
Privacy setting (0=nobody, 1=minions only, 2=frenemies and minions, 3=all players)
Location data
Number of game clues found
Social network information
Number of referrals (required submitting friends' email addresses)
Controls
Number of updates to profile data
Number of website logins
In addition to the game measures, we collected latent construct measures of perceived disclosure risk (modeled as a second order formative construct consisting of both location data risk and personal information risk) and perceived disclosure benefits (modeled as a second order formative construct consisting of both locatability and personalization). These measures were based on prior relevant research [3], [7]. We also measured general privacy concern using a new and better-targeted instrument for mobile privacy [24]. Lastly, we included trusting beliefs, which are an important determinant of perceived risk in privacy calculus theory [6] and of trusting behaviors such as information disclosure [25].
To capture these latent measures during the most relevant moments during game play, and to minimize the potential for common methods bias (CMB), we designed the findamine app to allow a few survey questions (typically 3-5) to be collected from the app as soon as a player selects a clue and before the map was displayed. Figure 2d shows an example screen shot of one survey. This screen is displayed before the screen shot in Figure 2b. Once the player answers the questions, they can proceed with the clue. During the game, not all clues had questions assigned to them. The items measured for this study were collected during the last few clues of the game after participants had had a couple of months of experience with the game—giving adequate time for players to form experience-based perceptions. In this way, we were able to capture perceptions during the moments those perceptions were relevant in the minds of players—as opposed to before or after the game when those beliefs would be only hypothetical.
Results
5.1. Measurement Validity
Pre-analysis was performed to analyze whether the measures were formative and/or reflective, test the convergent and discriminant validity of the reflective measures, test for multicollinearity, ensure reliabilities, and check for CMB. For brevity, the details are not reported here. However, the results indicated acceptable factorial validity and minimal multicollinearity or CMB based on the standards for IS research [26]–[29].
5.2. Hypothesis Testing
To analyze the results, we analyzed a path model with the PLS SEM technique using SmartPLS 2.0.M3 [30]. This was appropriate because we needed to test multiple paths in the same model, two of the constructs were second-order formatives, and PLS does not depend on normal distributions or interval scales [31], [32]—making it ideal for our measures of actual behavior.
Table 1 summarizes descriptive statistics of the players and their game play. About two-thirds (68%) of participants were male. Although participants could refer any friend to play the game they wanted to in order to earn points, it originated in an
Table 2 summarizes the variable means, standard deviations, and construct correlations. Table 3 summarizes the path coefficients for the PLS model. The t-statistics were generated from running a number of bootstrap procedures equal to the number of samples
Discussion
Table 4 summarizes the hypothesis testing results. Perhaps most importantly, when the disclosure benefits increased over time, consumers perceived greater risks
Overall, the effect of changing profile data disclosure benefits supports H4 over H2. However, at first glance, it appears that the opposite is true for personal data. Technically, as benefits increased over time, participants disclosed more information (
Concerning the other forms of disclosure, participants completed fewer clues
In summary, the prospect theory hypotheses (H3 and H4) were best-supported. However, there are other interesting differences between our findings and prior research worth highlighting. For example, it is clear that trust plays a significant role in determining perceived risk and information disclosure although it has been omitted from some of the prior research [2], [3], [7]. In fact, perceived risks and benefits—the traditional independent variables in privacy calculus theory—become insignificant after accounting for trust when predicting profile disclosure and clues found. Although, perceived risk is clearly more important in predicting the number of referrals
Lastly, it is also worth noting that privacy concern was a significant predictor of profile disclosure (
6.1. Implications for Research
Our research evidence supports prospect theory as a better explanation of the effect of changes in disclosure benefits on perceived risks than does the privacy calculus model. Consumers appear to be considering their original reference point of benefits when making risk decisions regardless of the fact that real risk has not changed. They become risk averse when they are in a “gain” position and risk seeking when in a “loss” position. That is, consumers appear to behave with “bounded” rationality because their level of risk aversion changes based on the direction of their change from a given reference point.
Further supporting prospect theory, consumers actually disclosed less location data (via finding clues) and referred fewer friends and family members as the benefits of disclosure increased. As hypothesized above, this is because consumers become increasingly risk averse after finding themselves in a gain position relative to their original reference point. However, privacy calculus still was appropriate in one scenario. In particular, when consumers made their initial and early-term disclosure decisions, their profile information was positively related to the benefits of disclosure. Rather, it wasn't until later when participants returned to edit their profile page that they decided to reduce this effect.
With several measures of disclosure (except for clues and referrals), trust played a larger role than perceived risks. That is, when consumers considered disclosing their own information, they based it on the trustworthiness of the app provider. However, when it comes to disclosing the email addresses of their friends and families, they considered the likelihood and impact of privacy risks. Consequently, our consumers treated the privacy of others as a commodity while they treated their own privacy as a right or a desired state. If this holds in other contexts, then researchers will need to more clearly focus on these distinctions going forward.
Another interesting implication for research is the role that perceived benefits does not play in disclosure decisions. After accounting for the direction of the change in benefits, perceived benefits had no direct effect on any form of disclosure. This finding underscores the importance of considering risk decisions (at least in the mobile app space) as processes rather than states. Consumers consider the directionality and likely future expectations of benefits over the current perceived benefit of information disclosure.
Lastly, general privacy concern played a larger role in actual disclosure than shown in previous studies of disclosure intentions [2], [3], [7]. Perhaps in known laboratory settings, general privacy concerns are more easily forgotten and relaxed because the participants have no legitimate threat to their privacy. In our context, privacy threats were naturally more legitimate. Another explanation may be that the privacy concern measurement used in this study was based on a more recent instrument that was targeted for mobile privacy concerns including location data [24].
6.2. Implications for Practice
The implications for practice are unique from prior studies. Most importantly, mobile app vendors should be wary of changes in app features and benefits. If the changes are perceived as an attempt to elicit more consumer information, they may have the opposite effect. However, it appears consumers are much more willing to disclose information about others and violate their privacy; hence, the natural points of focus for app providers should be on the perceived commodity of the information of “others” rather than on the consumer.
It appears from our study that privacy concerns in the field are much more salient than in artificial laboratory experiments. Thus, in practice, app producers need to place more effort on understanding and addressing specific concerns consumers might have that should be alleviated.
Perhaps the biggest conundrum of our study for practice is that consumers appear to be considering their original reference point of benefits when making risk decisions regardless of the fact that real risk has not changed. They become risk averse when they are in a “gain” position and risk seeking when in a “loss” position. Thus, the key for app developers is to find ways to move or keep consumers in a “loss” position, perhaps by making the consumer feel
6.3. Limitations and Future Research
As with all research, there are several limitations of this study that also present useful areas for future research. First, not all consumers were perfectly explained by the prospect theory hypotheses. Some followed the commodity-based view of privacy and increased (decreased) their disclosure as the benefits increased (decreased). All we can tell from this study is that the majority of consumers in this context were best explained by prospect theory. Therefore, it would be useful to further develop theory by explaining why consumers would behave one way versus the other.
Next, we examined only one form of benefits manipulation. Changing the game points for profile data was an easily-quantifiable adjustment. Participants may have been skeptical about the reasons for point changes—leading them to behave differently than, for example, if new levels were added to the game for pure enjoyment unrelated to their leaderboard position.
Another limitation is the context of our field study. Although the perceived risks were real, our app was a game. The enjoyment of a game may trade off differently with perceived risks than, for example, the productivity benefits of an office app, or the health benefits of a fitness app. Future research should explore additional contexts and theorize about the differences between them.
Lastly, our population was not randomly selected and focused on college students in a close geographic area. This was a conscious tradeoff that allowed us to improve the realism of the field experiment. Any social network based context will require that many of the participants be geographically collocated. However, other apps could be examined without the social network context to obtain a more random sample.
Conclusion
In conclusion, we executed a realistic, longitudinal field experiment that allowed us to examine the effects of changes in the benefit/risk tradeoff. We discovered that consumers exhibit “bounded rationality” in their information disclosure decisions regarding mobile apps. As a result, the commodity-based view of information privacy is only partially appropriate for the mobile app context which incorporates personal information, location data, and social network data. Overall, prospect theory was more strongly supported