
S-1

Fifth Symposium on Information Systems Assurance

University of Waterloo Centre for Information Systems Assurance

5th Symposium of Information Systems Assurance

October 11 -13, 2007

The Effect of Involvement and Privacy Policy Disclosure on Individuals’ Privacy Behaviour

Discussant’s Comments

Robert G. Parker MBA, FCA, CA*CISA, CMC

S-2

Overall Impression

Good paper, I enjoyed reading it

There is not enough known about the impact of privacy concerns on eCommerce

Provides useful insight into individuals’ privacy behaviour

The paper appears to assume that eCommerce users understand what privacy really means

Experience has shown that privacy is frequently confused with confidentiality and security

S-3

Privacy Defined

Privacy is about fair information practices

The AICPA-CICA definition of privacy states that:

Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information.

A set of policies, principles and procedures designed to ensure the fair, lawful and ethical collection, use and disclosure of personal information, which give respect to the rights of the individual.

Robert G. Parker Unpublished Manuscript - 2004

AICPA - CICA - 2002

S-4

Abstract

The authors state that: “Privacy emerges as a critical issue in an e-commerce environment because of a fundamental tension among corporate, consumer, and government interests”

In Canada, eBusiness appears to be business as usual without provision for real choice.

The real concerns currently are security and identity theft

Need for a crisp definition of high privacy involvement, as the reader is left to consider whether that means:

Fair information practices

Amount of information requested

Type of information requested

Sensitivity of information requested

Security over that information

Impact if information is misused

S-5

Abstract

The discussion on privacy seals leaves the reader wondering whether the failure of privacy seals to affect the willingness to provide personal information was because:

Individuals do not understand the seal

They do not trust the seal

Nothing is going to change an individual’s preconceived ideas about privacy on the web

S-6

Introduction

The authors state that “customers’ concerns about privacy have put pressure on them to develop customer-focused privacy practices.”

What appears to have happened is that:

• Companies developed privacy policies that addressed the optics

• Back office systems were not changed

• Training of staff was not rigorously carried out

• Other legislative and regulatory imperatives absorbed management’s focus

Canadian Model of Knowledge & Consent vs. Notice & Choice

• Users are not provided with the opportunity or ability to make changes

S-7

Literature Reviews

The authors cite research conducted by the Georgia Institute of Technology, in which Koyuncu and Lien (2003) found that privacy concerns contribute negatively to consumers’ online purchasing decisions.

The paper focuses on the impact of the privacy policies; the examples provided may be impacted more by news articles, TV and other privacy “noise” than the degree to which a particular privacy policy may impact the individual’s decisions or behaviour.

For the other research discussed, one must consider its continued relevance in view of the rapid changes in privacy, particularly California SB 1386 in 2004 and the ramping up of the Federal Trade Commission’s rulings in 2005 and 2006.

S-8

Theory & Hypotheses

The Authors Appear to Adopt the Premise That:

• Customers’ behaviour is affected by customers’ privacy concerns, companies’ privacy policy disclosures, and company characteristics such as the trustworthiness of a company, and

• Education level, income level, and online experience have a positive effect on consumers’ online purchasing decisions, but privacy concern contributes negatively to consumers’ online purchasing decisions.

The second theory may be intuitively obvious. However, one would likely want to also consider:

• Generation gap issues (perhaps partially explained through online experience)

• Weighting amongst education, income and online experience

S-9

Theory & Hypotheses

I mentioned earlier that I would discuss “involvement” and “impact”.

The authors consider that it is “reasonable to expect that the individuals’ behaviour might be different depending on their involvement with privacy”.

When adopting the Elaboration Likelihood Model (ELM) to explain how variables influence an individual’s attitude, the authors should also consider the extent to which individuals actually read and understand the pages of information dealing with privacy (the authors did measure time spent on the web page).

The authors reference Rothschild (1984), who defines involvement as “an unobservable state of motivation, arousal or interest.”

How many of you read the entire license agreement prior to installing a new piece of software?

One of the Canadian financial institutions posted a 42 page privacy policy.

S-10

Theory & Hypotheses

On page 8 the authors indicate that: “Since involvement might have an impact on individuals’ attitudes toward privacy and their behaviour, it is anticipated that there is a relationship between the level of privacy involvement and individuals’ behaviour in terms of reading the privacy policy statement when they are requested to provide personal information on a web site”.

This assumption must be based on the premise that the individuals reading the privacy notice fully understand what privacy means.

Most readers do not even understand the difference between privacy and confidentiality and are most likely more concerned about identity theft and/or security.

After searching the web for hours and finally finding the product you need, few would let it slip through their hands because they didn’t like the company’s privacy statement.

S-11

Theory & Hypotheses

The authors go on to state that “it is expected that when customers are under high privacy involved situations in which they are motivated to think about privacy, they will carefully examine all available privacy relevant information such as privacy policies and come to a judgment on the company’s privacy practices based on the quality of the information they find”.

I find this somewhat simplistic; from a purchaser’s perspective the question in my mind is likely “Is what they have what I want, at the price I am willing to pay?”

Then I consider that “I have searched for months and finally I have found it.” Oops, I don’t think their privacy policy provides sufficient information.

What do you do? Oh well, CLICK.

S-12

Research Methodology

I like the approach

I liked the fact that they highlighted some of the deficiencies

The choice of personal information on screen 9/23, which purports to acquire data on sensitive personal information, is unfortunate in that financial and health information were omitted.

Financial information such as a bank account or credit card number used in executing an eBusiness transaction, and health information such as that required to be disclosed when applying for travel insurance online, may well have changed the results, which currently rank SIN and Student Number as the two highest sensitivity items.

S-13

Research Methodology

On the “additional information” screen (all screens should be identified with a unique number or other identifier for reference and troubleshooting) respondents are asked to provide their Social Insurance Number for a chance to win $100.

The results obtained using this form of request may not be as conclusive, as the request to provide the SIN was not part of executing the transaction.

S-14

Research Methodology

On page 15 the authors state “type of information requested has effect on customers’ privacy concerns (e.g., Ackerman et al., 1999; Earp and Baumer, 2003) and purchase intention (e.g., Malhotra et al., 2004; Phelps et al., 2000)”.

While the relationship between personal information requested and privacy concerns appears valid, the impact on purchase intention may be less clear unless the prior studies included an analysis of purchase intentions that existed but which were consummated through different channels.

What would be interesting is to see whether respondents abandoned the purchase altogether or adopted a different channel.

Perhaps the current research should have included purchases through different channels in its analysis.

S-15

Research Methodology

On page 20 the authors provide information on the responses received and indicate that “92 percent reported that they had online transaction experiences such as ordering consumer goods, subscribing services or registering on web sites for online services. On average, they conducted online transactions 10 times in the past twelve months. A total of 179 participants (85.2%) had seen the privacy policy statement attached to some web sites.”

Because the perceived risks of eBusiness differ depending upon the type of products purchased and the business the individual is dealing with, it would have been beneficial to know what the respondents had purchased in the past (travel, entertainment tickets, books, CDs, DVDs, computer software or clothes).

It would also have been interesting to know the country from which they purchased the goods and whether the vendor was a household name, an unknown vendor or an auction site.

S-16

Research Methodology

On page 21 the authors state that “respondents tended to have low trust in e-commerce companies”.

This response would benefit from a comparison.

For example, it would be interesting to know the level of trust in similar businesses in different environments, such as banks in a bricks and mortar environment as compared to an eBusiness environment.

Are banks trusted less on the Internet than in a bricks and mortar environment?

S-17

Discussion and Implications

The study appears to focus on the willingness to provide personal information, and while an indicator, from a business perspective perhaps what is more important is whether the individual used their feelings about the company’s privacy policies and practices to influence their ultimate decision, in other words, did they still execute the purchase.

Whether or not a privacy statement is read, or whether or not specific information is provided is not as compelling as whether or not they executed a purchase transaction.

Sometimes individuals feel uncomfortable in providing personal information. However, in order to obtain what they want, whether a loan from the bank, tickets to the concert or a book they cannot find elsewhere, they are willing to accept the “risk” that their personal information may be misused in order to get what they want.

S-18

Discussion and Implications

The authors indicate a weakness on pages 34-35 in that “Individuals’ behaviour with respect to reading privacy policy statement was measured by examining whether they opened the privacy policy statement Web page as well as the number of seconds they spent in the Web page. However, the study did not measure whether respondents in fact read the privacy policy statement as well as their understanding of the privacy statement”.

While the authors acknowledge two items (whether respondents in fact read the privacy policy statement, and their understanding of it), they also have to consider respondents’ level of understanding, whether they had sufficient privacy knowledge to fully assess the company’s privacy statement, their appreciation of the meaning of the privacy statement, their appreciation of the privacy risks associated with it, and whether they used that appreciation to guide their decision whether or not to engage in eBusiness.

S-19

Discussion and Implications

Did the paper contribute to the understanding of the relationship between individuals’ privacy behaviour and their degree of involvement in use of the company’s privacy statement?

Perhaps what we really need to understand is:

• What personal information is collected

• How that personal information is used

• How disclosure of that personal information is made, and

• To whom

One then needs to determine the likely result that each of these will have on whether or not an individual engages in eBusiness.

S-20

Discussion and Implications

Further, we need to fully understand what activities, opportunities, choices, etc., about the collection, use and disclosure of personal information are likely to enhance the likelihood that the individual will engage in eBusiness.

With this information one could provide guidance on privacy policies, practices, procedures and privacy notice and choice.

Then we might see progress in user understanding of privacy and corporate responsibility in the collection, use and disclosure of personal information.

S-21

Thank You

For The Opportunity

To Discuss This Paper