Promoting I-Safety: Effects of Privacy Warnings and Privacy Seals on Risk Assessment and Online Privacy Behavior

Article excerpt

Using social cognitive theory, this study experimentally examines the effects of explicit privacy warnings, a clear, conspicuous, and concise presentation of the benefits and risks associated with database information practices stated in a Web site's privacy policy. Warnings increased perceptions of the risks associated with information practices and decreased disclosures, but not in the presence of a privacy seal. The effects were also moderated by consumer privacy self-efficacy and involvement with privacy. The results support the development of privacy warnings as a part of consumer privacy self-regulatory efforts and the use of a social cognitive paradigm for understanding consumer privacy behaviors.

THE I-SAFETY PROBLEM

How can we motivate Internet consumers to engage in behavior that will protect their privacy online? This question assumes increasing importance as privacy threats reach alarming proportions. In a recent multicity audit of consumers' computers conducted by the National Cyber Security Alliance, four-fifths were infested with spyware (National Cyber Security Alliance 2004). One-eighth of all identity thefts are attributed to online sources including spyware, online transactions, viruses, and phishing (Better Business Bureau 2005). Two-thirds of all e-mail worldwide is now spam (MessageLabs 2005), up from 7% in 2001 (Brightmail 2004). Consumers, as well as Web site proprietors, software developers, and policy makers, must play a role in protecting privacy (Milne and Culnan 2004). However, consumers are called upon (Consumer Reports 2004; PC Magazine 2004) to enact a bewildering array of measures to protect their privacy online: update virus protection, mind security settings, download patches, install firewalls, screen e-mail, shut down spyware, control cookies, deploy encryption, fend off browser hijackers, and block pop-ups. How can the average consumer be enlisted in the abstract and complex cause of privacy protection and ultimately, network security?

Presently, Internet privacy standards have been set forth by the Federal Trade Commission (FTC), relying on the voluntary participation of Web proprietors for the provision of their information practices in a clear and conspicuous privacy policy and the participation in privacy seal programs such as TRUSTe. Yet, consumers do not appear to completely understand what seals assure (Rifon, LaRose, and Choi 2005) and most do not read policies (Turow 2003). We suggest that privacy policies and seals do not provide adequate information for consumers to understand the implications of the sharing of their personal information, nor do they motivate consumers to take protective actions and engage in safe online behaviors. A different model for notice is needed, one that can prompt consumers to consider the potential consequences, positive and negative, that are associated with personal information disclosures.

From the consumer's perspective, privacy and security measures entail managing the release of personal information while deflecting unwanted intrusions, parallel to two underlying dimensions of consumer privacy (cf. Goodwin 1991; Lee and LaRose 1994). Online privacy may then be defined in behavioral terms as actions that prevent unwanted disclosures and intrusions while using the Internet. As such, consumers translate preferences into actions that protect themselves, their information, and their computers. We conceptualize the problem as one of personal safety protection, arming consumers with the requisite information and skills so that they can make informed choices and enact appropriate behaviors that will shield them from online privacy threats. Following the common practice of adding an e-, an i-, or a cyber- to denote the online version of a familiar concept, we call ours i-Safety. The result is an intentional double entendre, the i signifying information but also highlighting the role that the individual must play to protect one's information and the network at large. …