IN DEGREE PROJECT COMPUTER SCIENCE AND ENGINEERING,SECOND CYCLE, 30 CREDITS

, STOCKHOLM SWEDEN 2018

An exploratory paper of the privacy paradox in the age of big data and emerging technologies

MICHELLE SERRA

KTH ROYAL INSTITUTE OF TECHNOLOGYSCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Abstract Technological innovations and advancements are helping people gain an increasingly comfortable life, as well as expand their social capital through online networks by offering individual's new opportunities to share personal information. By collecting vast amounts of data a whole new range of services can be offered, information can be collected and compared, and a new level of individualization can be reached. However, with these new technical capacities comes the omnipresence of various devices gathering data, potential threats to privacy, and individuals' increasing concern over data privacy. This paper aims to shed light on the 'privacy paradox' phenomenon, the dichotomy between privacy attitude, concern, and behavior, by examining previous literature as well as using an online survey (N=463). The findings indicate that there is a difference between attitude, concern, and actual behavior. While individuals' value their data privacy and are concerned about information collected on them, few take action to protect it and actions rarely align with expressed concerns. However, the 'privacy paradox' is a complex phenomenon and it requires further research, especially with the implications of a data driven society and when introducing emerging technologies such as Artificial Intelligence and Internet of Things. Sammanfattning Tekniska innovationer och framsteg har bidragit till att människor kan erbjudas en alltmer bekväm livsstil. Genom insamling av stora mängder data kan individer erbjudas ett helt nytt utbud av tjänster, information kan samlas in och jämföras, och en helt ny nivå av individualisering kan uppnås. Dock innebär dessa innovationer en allt större närvaro av datainsamlande enheter, potentiella hot mot privatliv, samt individers ökade oro kring dataintegritet. Denna uppsats undersöker ”the privacy paradox”, skillnaden mellan attityd och beteende kring datasäkerhet, och dess konsekvenser i ett datastyrt samhälle i och med att ny teknik introduceras. Undersökningen har skett genom en litteraturstudie samt en enkätundersökning (N=463) och resultaten visar på ett det finns en skillnad mellan attityd och beteende. Individer värderar datasäkerhet och är oroliga kring vilken mängd information som samlas in, dock är det få som agerar för att inte dela information och attityd går sällan i linje med faktiskt beteende. ”The privacy paradox” är ett komplext fenomen och mer forskning krävs, speciellt i och med introduktion av ny teknik så som Artificiell intelligens och Internet of Things. Keywords Information Privacy; Privacy Paradox; User psychology; Artificial Intelligence; Big Data

An exploratory paper of the privacy paradox in the age ofbig data and emerging technologies

Michelle Serra

KTH Royal Institute of TechnologyBrinellvagen 8

Stockholm, Swedenmserra@kth.se

ABSTRACTTechnological innovations and advancements are helpingpeople gain an increasingly comfortable life, as well as ex-pand their social capital through online networks by offeringindividual’s new opportunities to share personal information.By collecting vast amounts of data a whole new range of ser-vices can be offered, information can be collected and com-pared, and a new level of individualization can be reached.However, with these new technical capacities comes the om-nipresence of various devices gathering data, potential threatsto privacy, and individuals’ increasing concern over data pri-vacy. This paper aims to shed light on the ’privacy paradox’phenomenon, the dichotomy between privacy attitude, con-cern, and behavior, by examining previous literature as wellas using an online survey (N=463). The findings indicatethat there is a difference between attitude, concern, and ac-tual behavior. While individuals’ value their data privacy andare concerned about information collected on them, few takeaction to protect it and actions rarely align with expressedconcerns. However, the ’privacy paradox’ is a complex phe-nomenon and it requires further research, especially with theimplications of a data driven society and when introducingemerging technologies such as Artificial Intelligence and In-ternet of Things.

Author KeywordsInformation Privacy; Privacy Paradox; User psychology;Artificial Intelligence; Big Data.

INTRODUCTIONVarious research [35] [9] [17] indicate that there is a con-tradiction between individuals’ concern and attitude towardsprivacy, and how they actually behave. Individuals’ state to behighly concerned about their privacy and the personal infor-mation gathered on them, yet at the same time very few takeaction to protect their privacy and regularly disclose personalinformation for relatively small rewards. This paper aim toexplore the dichotomy of the attitude and concern regardingdata privacy and individuals’ actual behavior, also referred toas the ”privacy paradox”. While various research [20] [21][6] has been conducted in order to explain the paradoxicalphenomenon, no comprehensive explanation has been found.This paper explores previous research regarding privacy andthreats posed by new technology, and aims to test the follow-ing hypotheses:

• Individuals’ value data privacy.

• There is a contradiction between attitude, concern, and ac-tual behavior.

The relationship between technology and humanity has a longhistory. Humans have been initiating technological changeand inversely, technology has been shaping our behavior, beit on the individual level or that of society. New develop-ments in ICT offer undeniable benefits, both on an individ-ual and a market level. Advantages such as faster and morecost-efficient information sharing is beneficial for a variety ofindustries, including the health industry, by for example en-abling the delivery of more individualized and focused ser-vices [5], as well as in e-commerce, where ICT have im-proved customer responsiveness, product availability, and in-dividualization [22]. However, with these new technical ca-pacities comes the omnipresence of data capturing devices,along with the concern of privacy and the collection of per-sonal data [20]. According to a study conducted by the PewResearch Center, 91% of American adults thought that con-sumers have lost control over how personal information iscollected and used by companies [31], and 80% of thosewho use social networking sites expressed concern over thirdparties, such as advertisers or businesses accessing the datashared on various networks [31]. In 2015, the DMA pub-lished a report of what consumers in the UK think about dataprivacy, showing that 90% claim to want more control overthe data they choose to exchange with various companies[17]. According to a study done by Ipsos, researching over24,000 Internet users in 24 countries, privacy is an importantissue worldwide [9]. However, the expressed attitudes andconcerns do not seem to reflect actual behavior. Accordingto Symantec’s State of Privacy Report from 2015, only 1 in 4disclosed reading the terms and conditions when making anonline purchase, and 30% would trade their e-mail address fora chance to win a prize or be entered into a raffle [35]. Whenexamining the so called ”privacy paradox” Gerber et al. [20]found that ”on the one hand, users express concerns about thehandling of their personal data and report a desire to protecttheir data, whereas at the same time, they not only voluntar-ily give away these personal data by posting details of theirprivate life in social networks or using fitness trackers and on-line shopping websites which include profiling functions, butalso rarely make an effort to protect their data actively, for

example through the deletion of cookies on a regular basis orthe encryption of their e-mail communication”.

The vast amount of information collected due to the increaseduse of everything from smartphone applications to fitnesstrackers has necessitated the automation of data analysis,which is becoming increasingly accurate [23]. In order toturn the collected data into valuable information and focuson individualized services in a way that can shape the con-sumer market, ”companies have been focusing on developingpowerful inference engines based on Artificial Intelligence(AI) algorithms” [23]. Fundamentally, AI refers to a pro-gram whose objective is to understand and reproduce humancognition; creating cognitive processes comparable to thosefound in human beings. With the recent success of machinelearning, AI has entered a new era. Complex algorithms, in-creased computing power, and exponential growth of humanand machine generated data, has been the foundation for thedevelopment of various applications in areas such as trans-portation, healthcare, and translation [40]. Voice recognitionand home assistance is the current race between the giants,at the 2017 CES (The Consumer Electronics Show, an an-nual trade show and gathering place for companies and in-dividuals’ thriving on technical innovations), Alexa ruled thegrowing ”smart speaker” competition, the personal assistantappeared on devices beyond those of Amazon’s own Echorange, and Google countered with the Google Assistant [10].While these devices might be convenient and easy to use, theyalso come with a high security risk, and along with the rapidtechnological advancements, tech companies have encoun-tered a familiar dilemma: It is difficult to deliver conveniencewithout sacrificing security and privacy [38].

THE HISTORY OF PRIVACYPrivacy is one of the most enduring social issues associatedwith information technologies [29]. However, concerns aboutpersonal privacy existed long before the introduction of com-puters and cybertechnology, e.g., the camera and telephonepresented various challenges for privacy [37]. When callerID was first introduced, even though the service quickly grewpopular, it was widely attacked as an invasion of the caller’sright to anonymity, and rival companies as well as advocatesfor privacy rights, quickly raised concerns [19]. What makesprivacy concerns different regarding cybertechnology (refer-ring to a wide range of communication and computing de-vices, e.g., tablets, smartphones, and laptops) is the impactthese technologies have had on a variety of factors, espe-cially regarding the amount of personal information that canbe collected, the duration of time the information can be re-tained, the speed at which information can be transferred, andthe kind of information that can be gathered and exchanged.New technological advancements make it possible to gatherand store much more information than has ever been possiblebefore. Previously the amount of information that could becollected and stored was determined by practical considera-tions, but today a vast amount of digitized information canbe stored in computer databases without much trouble [37].Technological advancements raise privacy concerns not justbecause of how much personal information can be collected,

but due to the myriad of ways it can be manipulated. Un-related pieces of personal information residing in separatedatabases can be merged together in order to construct elec-tronic personal reports or profiles, personal information resid-ing in one database can be matched against records residing inother databases that contain information on us, and our per-sonal information can be mined from various databases (aswell as from our activity on the Web) to reveal behavioralpatterns, all of which would have been difficult in the pre-computed era [37].

According to privacy analysts in the U.S., the meaning of pri-vacy has evolved since the eighteenth century. It was initiallyunderstood in terms of freedom from (physical) intrusion, andthen later became associated with freedom from intrusion intoan individual’s personal affairs. Recently it has come to beclosely associated with concerns affecting access and controlof personal information - also referred to as “informationalprivacy” [37]. In the 1970s, when information technologywas increasingly establishing itself in all aspects of society,the idea of privacy reached a new dimension and was to coverthe ”protection of unnecessary storage and processing of peo-ple’s personal data” [4], also referred to as data minimization.Requirements of data minimization became part of Europeanlegal regulations in the 1990s and 2000s, but since then, infor-mation technology has evolved immensely and had a stronginfluence on people’s perception and demands regarding pri-vacy [4].

Since the mid 1990s, lawmakers and scholars have worked onthe idea of embedding data protection safeguards in ICT. In1995 the first European directive on data protection (Art 17of D-95/46/EC) was introduced in order to compel data con-trollers to implement appropriate technical and organizationalmeasures. The concept of “privacy by design”, was furtherdeveloped in the late 1990s and in April 2000, the workingpaper on “Privacy Design Principles for an Integrated Jus-tice System” was presented by the Ontario’s Privacy Com-missioner and the U.S. Department of Justice [7]. ”Privacyby Design” principles, when applied, ”seek to proactivelyembed privacy into the design specifications of informationtechnologies, organizational practices, and networked systemarchitectures, in order to achieve the strongest protection pos-sible” [8]. The research of “Privacy by Design” is relevantwith the current developments in areas that are disclosing newpossibilities regarding how we can deal with flows of infor-mation in a digital environment.

THE PRIVACY PARADOXThe relationship between privacy and ICT combines con-tradictory features and reveals a “paradox”, and is continu-ously characterized by the tension between transparency andsecrecy. While globalized data processing by governmentsand companies increase fear of threats to individuals free-doms and autonomy, people repeatedly and voluntarily dis-close personal information and share everything from currentlocation, dates of birth, images, or marital status, on socialnetworking sites, or even medical data on health forums.

The paradoxical behavior is not a new phenomenon in theprivacy research area, and while studies have been conducted

in order to explain it, so far no comprehensive explanationhas been found, and user privacy remains a complex phe-nomenon [21]. While research shows that privacy is a pri-mary concern for most citizens in the digital age, various re-search evidence also indicate that people are willing to tradetheir personal information for a relatively small reward. Car-rascal et al. [6] conducted an economic study on the valueof personal information, and found that Internet users valuetheir online browsing history for about 7 Euros, comparing itto the cost of a Big Mac meal. Acquisti [1] built an economicmodel that partly describes privacy attitudes and incorporatesthe immediate gratification bias, referring to the tendency tovalue present benefits more than future risks. Thus meaningthat the present benefits of information disclosure outweighthe future privacy risks [1]. The present benefits from engag-ing with social media platforms or using various technologycan be highly alluring, as it is built on the principle that themore users choose to share about themselves, the more theyenjoy the benefits that the systems have to offer. Tufekci [39]researched students’ self-disclosure behavior on social me-dia networks to examine the relationship between informationdisclosure and privacy concerns. Results from a questionnairesurvey indicated little to no relationship between informationdisclosure and privacy concerns, yet did find that students’manage their privacy concerns by adjusting the visibility ofinformation - not by adjusting how much they disclose [39].Research by Taddicken [36] found that the relation betweenprivacy concern and self-disclosure is effected by differentvariables, but that privacy concern have very little impact onthe personal information disclosed. However, the number ofsocial web applications used and the perceived social rele-vance had strong effect.

Looking at the medical field, self-tracking technology suchas fitness bands and smartwatches are becoming more andmore mainstream, with a prediction of 110 million fitnessdevices being sold in 2018 in the US alone. Manufacturersare utilizing a variety of digital persuasive techniques and so-cial influence strategies in order to increase engagement, suchas social influence principles, gamification, or rewards forachievements. There is also a growing population of wearableusers who are specifically interested in the concept of self-discovery via personal analytics - the Quantified Self (QS)movement [33], which for example includes tracking diet,sleep, physical activity, psychological and mental states, andeven social interaction “to improve various aspects of life andhealth through recording and reviewing daily activities andbiometrics”[2]. The use of ICT have improved developmentsin preventive medicine and the potential to empower patientsto self-monitor and manage a variety of diseases and healthissues. However, the rising number of E-health applicationsand continuous digitalization within healthcare make privacyand confidentiality concerns increasingly sensitive [5]. Previ-ous high-profile breaches of individuals’ health information,such as the accidental attachment of an electronic file whichcontained names and addresses of 6500 HIV/AIDS patients[27], or theft of a state health department laptop containinginformation on approximately 1600 families [15], heightenanxiety regarding privacy. Yet with a large increase in chronicdiseases, an aging population, and the development of more

expensive diagnostic tools and therapies, E-health constitutesa crucial part of a new paradigm focusing on preventive ratherthan reactive medicine [26].

A shifting attitude towards sharingIn 2015 the DMA [17] published a report of what consumersin the UK really think about data privacy and discovered aconsiderable change in attitudes since 2012. Since 2012, thestudy showed there had been a significant increase overall inthose willing to share data. However, though there had been adecline in individuals who were emotionally or ideologicallyopposed to sharing personal data with companies, there wasa clear change from not wanting to share data out of prin-ciple, to not wanting to share data due the benefits for shar-ing data were not satisfactory or clearly stated. Since the re-port conducted in 2012, a large variety of factors have shapedthe privacy landscape and effected individuals’ view of datasharing. There has been an increase in sharing of media con-tent on various social media networks, and the introductionof the “sharing economy” have created ways for private re-sources to become more available for public use, e.g., Uberand Airbnb. ‘Sharing’ is placed in the center of not only in-dividuals’ social lives, but also increasingly their financial,professional, and commercial lives as well [17]. However,attitudes towards privacy and integrity are not static or uni-form, according to the 2015 report by DMA, trust remainsthe critical factor in willingness to share data. 40% of con-sumers chose ‘trust in an organization’ as the most importantfactor when deciding to share personal data or not. 80% of theconsumers participating in the survey claimed that providingterms and conditions that are easy to read and understand areessential for the exchange of data, as well as considered per-sonal data as their property and that they should be able totrade it as they see fit [17]. Findings by the DMA go in linewith other studies, including research done by Ericsson Con-sumerLab [18], who found that many individuals’ were opento the idea of sharing personal information with companies,but in exchange companies must be transparent with how theyuse that information, there has to be a possibility to opt out,and sharing the information should benefit the company andthe consumer equally .

Contradictory, even though a majority of individuals’ expressconcern over data privacy and claim to expect companies andorganizations to be transparent in their handling of personalinformation, both empirical and anecdotal evidence indicateotherwise. Research show that even individuals’ who are pri-vacy concerned and genuinely want to protect their privacy,might not actually do so, and are even willing to trade pri-vacy or exchange personal information for convenience orrelatively small rewards [1]. The dichotomy between infor-mation privacy attitude and actual behavior could have sig-nificant implications for various arenas as society becomesmore and more connected. So called ”optimism bias” (think-ing bad things will happen to other people, not themselves)might lead people to choose the convenience that comes withconnectivity rather then disconnect. According to MIT se-nior research scientist David Clark “Unless we have a disas-ter that triggers a major shift in usage, the convenience and

benefits of connectivity will continue to attract users [...] Evi-dence suggests that people value convenience today over pos-sible future negative outcomes” [32]. The increased devel-opments in IoT and AI, connecting machines to machinesand linking people to valuable resources, services and op-portunities, holds tremendous possibilities and is expected toexpand immensely in both size and influence over the nextdecade. The immediate and concrete advantages and conve-nience of connectivity is expected to outweigh the uncertainfuture threats. So far the expanding collection of connectedthings goes mostly unnoticed by the public, such as actua-tors, sensors, and other items completing various tasks, mostof them supported by Artificial Intelligence-enhanced com-munication [32], the rapid advancements of emerging tech-nologies is expected to contribute heavily in creating an evenmore connected and convenient life in the future.

THE INTRODUCTION OF EMERGING TECHNOLOGIESEmerging technologies refer to technologies that are consid-ered capable of having a profound effect on our lives. Suchas a pilot plant in the petrochemical industry in Texas whichis attempting to create completely clean power from natu-ral gas, developments in 3-D printing could change the waymany products could be mass-produced, and the smart-cityproject Quayside in Toronto has an aim to base decisionsabout everything from policy to technology on informationfrom a substantial network of sensors that are collecting dataon everything from individuals’ activities, to noise levels, tothe quality of air [25]. Artificial Intelligence is an emergingtechnology that is rapidly advancing and new developmentsare benefiting a variety of areas.

Fundamentally, Artificial Intelligence (AI) refers to a pro-gram whose objective is to understand and reproduce humancognition; creating cognitive processes comparable to thosefound in human beings [40]. With the recent success of ma-chine learning, AI has entered a new era. Complex algo-rithms, increased computing power, and exponential growthof human and machine generated data, has been the founda-tion for the development of various applications in areas suchas transportation, healthcare, and translation [40]. The cur-rent race between the giants is voice recognition and homeassistance. With technologies such as Alexa, Google Assis-tant, Siri, and Cortana, the smart home of the future becomesan attainable reality, and Artificial Intelligence is appearingeverywhere [10]. These devices might be convenient and easyto use but they also come with a high security risk, and withthe rapid technological advancements, tech companies haveencountered a familiar dilemma: It is difficult to deliver con-venience without sacrificing security and privacy. The Ama-zon Echo Spot is designed as an alarm clock, it can controlsmart home gadgets, answer questions, set timers and alarms,and play music, — but it has a small camera, a microphonethat is always listening and an Internet connection that is al-ways on [10]. Many of these devices have vulnerabilities,such as unencrypted data, insecure software stacks, or defaultpasswords, and can at any time become an entry point for datamonitoring or network intrusions. The rapid increase of newconnected objects multiplies the inroads to critical networksand data, and even organizations with substantial resources

and expertise in data and technology can, and do, find them-selves vulnerable to data breaches [38]. For example, onlydays after it was launched, a Google Home Mini was caughtconstantly listening in its owner’s bathroom, uploading ev-erything it heard to Google’s server [10]. In 2017, a casinoin North America was attacked when a hacker used a high-tech fish tank with Internet connectivity, in order to collect 10gigabytes of data [24]. The BlueBorn attack disclosed crit-ical Bluetooth vulnerabilities that impacted millions of AI-based voice-activated personal assistants, including the Ama-zon Echo and Google Home. These devices were constantlylistening to Bluetooth communication and there was no wayto turn it off. With BlueBorne, hackers could take completecontrol over a vulnerable device, and then use it for a widerange of malicious purposes; including spreading malwareor stealing sensitive information [3]. Internet security ex-pert Bruce Schneier predicted that unless technology-basedbusinesses and governments address security problems, theremight be a shift in attitude and instead of embracing connec-tivity, people might retreat offline, saying “My guess is we arereaching the high-water mark of computerization and connec-tivity” and continued ”We are living in a computerized worldwhere attacks are easier to create than defenses against them.This is coming faster than we think. We need to address itnow. People up to now have been able to code the world asthey see fit. That has to change. We have to make moral,ethical and political decisions about how these things shouldwork and then put that into our code.”[32]

In the future, AI will play an even more important role, butwhen deploying and advancing AI technologies in any field,ethical considerations must be taken into account. AI is notthe first emerging technology that created ethical quandaries,yet in difference to previous technologies, AI research and de-velopments present unique challenges as it asks us to consider”whether, when and how machines should make decisionsabout human lives - and whose values should guide those de-cisions” [12]. There are extraordinary potential for the de-velopment of AI and what it could lead to, for example, itis already producing advanced improvements on energy con-sumption and leukemia detection. However, AI systems arealso making problematic judgments that are producing signif-icant social, economic, and cultural impacts on people’s ev-eryday lives [13]. while it has been widely discussed, so far,no global ethical framework has been agreed on in regards toAI. In October 2016 the Networking and Information Tech-nology Research and Development (NITRD) Subcommitteeof the National Science and Technology Council publishedan American strategic plan entitled ”The National ArtificialIntelligence Research and Development (NAIRD) StrategicPlan”, which articulated the ethical impacts of AI must beconsidered an integral part of its research and developmentstrategy plan [28]. The NAIRD approach is to intentionally“build ethical AI”—referring to the idea of building AI tech-nology to understand abstract social principals, such as jus-tice. Building ethical AI relies on the quality and accuracy ofthe engineering elements of AI, in particular, the quality ofthe algorithm design [23]. However, building ethics into AIcomes with a variety of challenges, such as how to expressethical values in measurable metrics that a computer can pro-

cess, something that would require humans to agree on themost ethical behavior in any given situation [34]. Comingfrom a different perspective, the European Union released thereport in January 2017 titled “Recommendations to EU Com-mission on Civil Law Rules on Robotics”. The EU Parliamentresolution draft touches upon ethics in AI from a universal,legal perspective, that relies on the ethics of the human de-signers and developers rather than attempting to build ethicsinto AI [23]. In April 2018, 25 European countries signed adeclaration of cooperation on Artificial Intelligence, agreeingto work together on the most important issues, from secur-ing competitiveness to dealing with economic, ethical, social,and legal questions [16].

METHODThe research conducted was a desk-based literary study aswell as an empirical study based on a survey conducted with463 participants. Based on theoretical arguments and findingsfrom prior research, the author tested the following hypothe-ses:

• Individuals’ value data privacy.

• There is a contradiction between attitude, concern, and ac-tual behavior.

In order to test these predictions and gain an understandingof the privacy paradox, a survey with 463 participants wasconducted and analyzed. The survey aimed to examine in-dividuals view of data privacy and if concerns and attitudecorrelate with actual behavior.

The author does not aim to reach a conclusive solution nor afixed conclusion, this thesis aims to investigate if the privacyparadox exists and if so, what implications it might have withimplementation of new technology such as IoT and ArtificialIntelligence.

Data collectionThe author designed and administered an online survey toan opportunity sample of individuals and collected responsesduring May 2018. Responses were collected through personalinvitation in person or via email, private messages on Face-book, and social media channels such as Facebook groups.A majority of the groups chosen had members in a varietyof ages, as well as a majority of members with Swedish na-tionality. In order to gain a diverse collection of participants,several Facebook groups were chosen with a large variationof members. The author received 463 questionnaires in to-tal and discarded 38 that were incomplete, resulting in a 92%completion rate and 425 completed questionnaires.

A weakness of the study was that a majority of the respon-dents were invited to participate via social media channels,lessening the chances of getting a representative number ofparticipants not having accounts on any social media net-works. Another weakness was that a majority, 83%, ofthe participants were below 35 years of age, ideally the au-thor would have preferred a higher percentage of participantsabove 35, in order to gain a wider view of the hypothesestested.

Figure 1. Demographic table.

RESULT

Use of social media and communication platforms100% of the participants stated having an account on one ormore social media networks, and 99% stated that they wereregularly using their accounts. For the survey, the social me-dia networks given as examples were Pinterest, LinkedIn,Facebook, Twitter, Snapchat, Instagram, and Snapchat, aswell as an ”Other” option where participants could specifyother networks where they had registered accounts. Regard-ing communication platforms, the platforms given as optionswere Messenger, WhatsApp, Slack, Viber, KiK, Telegram,and Skype, as well as an option for Other. 99% of the par-ticipants stated having accounts with one or more commu-nication platforms, and only 2% claimed not to use any oftheir accounts regularly. The social media network most par-ticipants stated having an account with was Facebook, with99% of the participants registered for an account and 94%claiming to use it regularly. Closely connected to Facebookis their communication platform Messenger, where 92% ofthe participants had an account and 87% used regularly. Sec-ond to Facebook was Instagram, where 87% stated havingan account and 78% used regularly. The category ‘Other’,for questions regarding both social media networks (5%) andcommunication platforms (5%), was open-ended; respon-dents listed a variety of both communication platforms andsocial media networks, most frequently Tumblr regarding so-cial media (N=10) and Discord (N=9) for communication.

Regarding communication platforms, 51% stated regularlyusing WhatsApp, yet 71% stated having an account. The thirdmost common communication platforms was Skype, where84% stated having an account, yet only 25% expressed to useregularly. Registered accounts on the other platforms weresignificantly lower, Slack (21%), KiK (11%), Viber (15%),

and Telegram (8%). Regarding regular use of the various plat-forms, Slack was the forth most used (13%), followed by thedistant fifth Viber (3%), Telegram (3%) and KiK (1%).

Figure 2. Overview of use and registered accounts

Attitude towards data privacyIn order to examine whether or not there was a difference be-tween the attitude towards data privacy, and actual behavior,the author included several questions regarding how peoplevalue their information privacy and how aware the partici-pants consider they are about the collection and handling ofdata collected on them. 94% strongly agreed or agreed thatit was important to them that companies are clear about whatdata they collect and how it is used. Out of the participantsin the survey, only 25% stated that they trusted how compa-nies used the data collected on them, yet only 52% consideredthemselves aware of what data companies collected, and 44%of when their personal information could be shared with 3rdparties. However, a majority (78%) of the participants con-sidered themselves more aware of how their data is used andcollected now than they did in the past.

Figure 3. Participants awareness and attitude towards data privacy

(N=425)

The questions relevant to awareness and attitude regardingdata privacy stated as follows:

Q1: I am aware of when my personal information can beshared with 3rd partiesQ2: It is important to me that companies are clear about whatdata they collect and how it is usedQ3: I am aware of what information is collected on me by theapplications/social networking sites I useQ4: I consider data privacy important

Almost all of the participants in the survey stated they use so-cial media networks and communication platforms regularly,and vast majority (93%) considered data privacy important(for this survey, data privacy was defined as follows: Anyinformation related to an individual that can be used to di-rectly or indirectly identify the person. For example, a name,a photo, an email address, bank details, posts on social net-working websites, or medical information). Yet out of the425 participants, only 28% researched the creators of an ap-plication before downloading it. The author also focused onprivacy concern and understanding, as a starting point, theauthor asked if the participants read and understood the termsof agreement before downloading and using applications, andwhether the participants would decide to not use applicationswhen they did not agree with the terms. Most respondents(65%) reported to never or rarely read the terms of agree-ments, and 55% stated that they understand them. An evensmaller amount, 34%, reported not to download an applica-tion when they did not agree with the terms of agreement.

Behavior regarding information sharing

Figure 4. Behavior ragarding location settings on applications (N=425)

Q1: I allow applications to access my location (I.e.GoogleMaps, geotag on Instagram or Snapchat)Q2: I change the location settings of applications to my pref-erence

Questions about actual use of applications, communicationplatforms, and social media channels, showed that a major-ity (76%) of the participants considered themselves always oroften being cautious about what they posted online, such asphotographs, status updates, or links they shared. Equal cau-tiousness (71%) translated into which personal informationthe participants shared about themselves online, e.g., homeaddress, relationship status, or place of work. However, con-tradictory to the consideration regarding information sharing,most participants (83%) allowed applications to access theirlocation, by for example using Google Maps or geotagging

on applications such as Instagram or Snapchat. Yet only 17%agreed or strongly agreed that they were comfortable with acompany being able to access their location at any given time,further only a minority of the participants (31%) stated thatthey always or often change the location settings of applica-tions to their preference, while a slightly larger percentage(33%) answered that they rarely or never change it at all.

Attitude towards emerging technologiesThe conveniences of emerging technologies and virtual assis-tants might not be too far away, and of the 425 participantsin this study, the majority (60%) strongly agreed or agreedthey did or would feel comfortable using new technologiesfor smart homes (i.e Amazon Alexa, Google Assistant, andSiri), while only 22% disagreed or strongly disagreed. How-ever, as 18% of the participants stated they did not know itis hard to know if they would or would not feel comfortablewith the technology if knowing more about it.

Contradictory to the comfortableness of using technologiesfor smart homes, very few of the participants stated they usea voice assistant (i.e Siri, Google Assistant) on their smart-phones. The majority (78%) stated that they never or rarelyuse it (with the majority of 54% stating that they never usedit), and only 8% answered that they always or often use it.

Figure 5. Participants attitude towards smart home assistants (N=425)

Q1: I am comfortable with a company knowing my locationat any given timeQ2: I am comfortable with a company constantly recordingaudioQ3: I am comfortable with a company constantly record-ing videoQ4: I feel/would feel comfortable using new technologies forsmart homes (I.e. Amazon Alexa, Google Assistant, Siri)

When examining the different attitudes regarding new tech-nology, there were clear contradictions between concern andattitude. While the majority claimed to be comfortable withusing technology such as home assistants for smart homes,very few were comfortable with the consequences of thatconvenience. While the knowledge of participants locationseemed to feel as less of an intrusion and not as sensitive,considering a majority of participants allowed applicationsto access their location and a minority changed the location

settings, very few were comfortable with the possibility of acompany recording sound or video.

LIMITATIONSThis research has focused mainly on behavior and concernsregarding social media networks, the use of smartphone ap-plications, and the attitude towards new technology such asIoT. Yet the privacy paradox exists in many different con-texts and might look different when exploring e-commerce,e-government, or e-banking. It is important to remember thatprivacy behavior is a contextual phenomenon, and differentcontext provoke different behaviors. Also worth remember-ing is that personal information is not a consistent object.There are a number of different types of personal information,and they might not all be valued the same by individuals’.

The study was conducted via an online survey, which is con-sidered appropriate for exploring beliefs and attitudes, yet itcan be difficult to measure actual behavior. All questions areinterpreted by the respondent, and options such as ”somewhatagree” or ”strongly agree” could represent different things todifferent respondents. Especially problematic for this studywas the measurement of cautiousness regarding what individ-uals’ chose to disclose about themselves online. A vast major-ity of the respondents stated to be cautious of what they postonline and which personal information they chose to share,yet ”cautious” might have a different meaning to different re-spondents.

DISCUSSIONThe digital revolution has changed the way we can carry outordinary tasks. By a simple click, swipe, or voice commandwe can make a restaurant reservation, find directions, or con-nect with friends and family. Yet the convenience technologyhas offered might have come at the price of privacy. Mostthings we do leave a digital fingerprint, often without inten-tion, and further that information is often collected, tracked,and used for various reasons. Personal interest, shoppinghabits, or activity preferences are valuable information forcompanies who want to target their marketing and individ-ualize services and offers. According to both this and otherstudies regarding the value and attitude towards data privacy,a vast majority state they are concerned about data privacyand the information collected on them. Individuals’ also statethat there should be fair exchange for personal informationand companies need to be clear about what is collected andhow it is used. However, contradictory to this is individu-als’ actual behavior. In several studies, including this one,a minority of participants state to read terms of agreement,research creators of data gathering applications before usingthem, or change location settings. Janna Anderson, directorof Imagining the Internet Center at Elon University stated that”most experts believe that businesses and governments havelittle incentive to bolster privacy. This is, in part, because peo-ple have proven that they will give away personal informationfor something as small as a free cup of coffee” [11]. The pri-vacy paradox, the dichotomy between behavior and concern,could have significant implications on a variety of areas, es-pecially as technology is getting more and more integrated inour lives and with the developments of IoT and AI, even more

personal information can be gathered about people. Knowingthat concern and attitude towards privacy does not correlatewith behavior, companies could be encouraged to increasetheir data collection and use of personal information in orderto gain profit from tailored services and offers. While on theother hand, policy makers could justify implementing privacyregulations based on expressed concerns.

This research also concluded that individuals’ feel moreaware of data privacy today than in the past, results that con-clude with previously mentioned research. More and morepeople seem to understand that the ’free’ services offered bycompanies such as Facebook or Google, are actually collect-ing personal information as payment. Yet there will always bepeople who consider the benefits of information sharing out-weighs the risks. Hal Varian, Google’s chief economist stated”The benefits of cloud-based, personal, digital assistants willbe so overwhelming that putting restrictions on these serviceswill be out of the question [...] Everyone will expect to betracked and monitored, since the advantages, in terms of con-venience, safety, and services, will be so great” [11].

Pew Research center conducted a study called The Future ofPrivacy [30] which in some parts examine ’experts’ assess-ments of the technology environment by 2025. Privacy wasa big part of the study, and some stated that in the future pri-vacy could very possibly be non-existent and a new transpar-ent norm would be accepted. ”Living a public life is the newdefault. It is not possible to live modern life without revealingpersonal information to governments and corporations. Fewindividuals will have the energy, interest, or resources to pro-tect themselves [...] privacy will become a ‘luxury.’”. How-ever, not everyone were willing to accept the potential lack ofprivacy in the future. Some of the experts who participated inthe study expressed common theme in believing there wouldbe trusted and reliable privacy arrangements by 2025, stat-ing ”citizens and consumers will have more control thanks tonew tools that give them the power to negotiate with corpora-tions and work around governments. Individuals will be ableto choose to share personal information in a tiered approachthat offers varied levels of protection and access by others”[30].

The increased technological advancements and emergingtechnologies present both new opportunities and threats.More and more technologies are accepted, appreciated, andexpected, and with the increase in use there is an increasein expectation. The more we get use to the conveniencesbrought by technology, the more we will want. It is hard toimagine being without the technologies we have grown ac-custom to, but for a company to provide quick services theyneed to know what you are looking for, and for a transporta-tion application to deliver quick options they need to knowwhere you are going or how you prefer to travel. In the futureservices could be even more tailored and technology couldmake life even more convenient. A variety of sectors are ben-efiting from advancements in technology, such as healthcare,recruitment, or manufacturing. Technologies focusing on pre-ventive care rather then reactive are changing the healtcare in-dustry and technology such as AI are providing tremendous

opportunities in areas such as robotic surgeries or leukemiadetection. The recruitment industry could potentially becomemore automated with advancements in AI, with the opportu-nity to remove human bias from the process and providing apotentially more fair recruitment process. Yet it comes withrisks and demands AI to overcome the problems of bias pro-gramming or immature AI, in order for it to reach its potentialand benefit social sustainability, rather then repeat old pat-terns. The advancements of IoT also holds the potential tohave a positive impact on social sustainability, for exampleit could lead to large-scale, connected technological systemsthat could remove human intervention in order to increase re-liability, yet on the other hand it increases the potential for so-cietal vulnerability. The social impacts of this technology willbe highly complex and likely unpredictable. Machines capa-ble of talking to each other and people connected to both ser-vices, resources, and companies, comes with both risks andbenefits. Having a smart pillow that can track your sleep ora smart toothbrush that can track dental hygiene and connectyou with your dentist when needed, might provide both con-venience and value. Yet on the other hand it might feel likean intrusion of privacy to have your dental hygiene tracked bya company, posing the question: How much are we willing tosacrifice for the convenience of connectivity? Further ques-tioning what happens if individuals’ want to choose privacy,not wanting to be connected. Will there be a possibility to bedisconnected in an increasingly connected society?

Can we disconnect?Technological advancements might make it very difficult todisconnect in the future, and even if individuals’ try to dis-connect, or even have the illusion of being disconnected, thismight not be the case. It could for example be close to im-possible to opt out of public surveillance, and as companies,governments, and organizations increasingly choose connec-tivity, staying disconnected might not be a realistic option.As for use of social media, findings from research by Bernardet al. [14] exemplified how deeply Facebook is integrated indaily life. The study indicated that the social media networkhas become an indispensable tool of social capital and con-nectedness for a large number of people, and that the benefitsof using the platform outweigh privacy concerns. In the fu-ture we will most likely be even more connected, and not justregarding social media, especially with the increasing devel-opments of IoT. Currently, a few of the biggest public devel-opments in IoT are voice-activated assistants, home systemsand appliances, cars, road sensors, and personal fitness andhealth trackers, yet there are a vast amount of emerging IoTproducts that indicate just how big the urge is to connect eventhe most ordinary items. E.g., items such as toothbrushes, pil-lows, egg trays, wine bottle sleeves, dental floss, and umbrel-las, to name a few. With a vast number of connected items,being connected might be less of a choice and more by de-fault. Even if a person would like to be disconnected, it mightnot be realistic.

CONCLUSIONAltough there is a lot of research regarding information pri-vacy and the dichotomy between behavior and attitude, it

is difficult to draw a comprehensive conclusion as many re-searchers have approached the paradoxical behavior from dif-ferent angles. Studies do conclude that a vast majority of in-dividuals’ care about privacy and expect responsibility andtransparency from companies and organizations, but evenmore than that, people seem to care about convenience. Fur-ther research is needed in order to fully understand the impli-cations of the ”privacy paradox” in a society faced with theimplementation of emerging technologies such as Internet ofThings and Artificial Intelligence.

With a lot of emerging technologies relying on data in or-der to be efficient, personal information could arguably bea good that is purchased or exchanged. Knowing there is acontradiction between how people behave and their attitudeand concerns, there could be a need for regulations protect-ing individuals’ information privacy and forcing companiesto act responsibly, transparent, and ethically, regarding theirhandling of data. Especially considering the possibility thatwith the increased connectivity emerging technologies bring,in the future it might be close to impossible to disconnect andremain offline, thus the convenience versus risk assessmentmight not be down to individuals at all.

ACKNOWLEDGEMENTI would like to thank Anders Hedman as a supervisor fromthe University, as well as Anna Fellander who acted as anexternal supervisor, both of whom offered valuable insightand guidance along this process. I would also like to thankthe anonymous participants of the study for their time and in-put, as well as my mother whom offered advice and guidancethroughout the process.

REFERENCES1. Acquisti, A. Privacy in electronic commerce and the

economics of immediate gratification. In Proceedings ofthe 5th ACM conference on Electronic commerce, ACM(New York, NY, USA, May 17 - 20 2004).

2. Appelboom, G., LoPresti, M., Reginster, J.-Y., Connolly,E. S., and Dumont, E. P. 2014 The quantified patient: apatient participatory culture. Current Medical Researchand Opinion 30 (12), 2585–2587. DOI:10.1185/03007995.2014.954032

3. Armis. blueborne cyber threat impacts amazon echogoogle home. https://www.armis.com/blueborne-cyber-threat-impacts-amazon-echo-google-home/

4. Borcea-Pfitzmann, K., P. A., and Berg, M. 2011 Privacy3.0 := data minimization + user control + contextualintegrity. it - Information Technology 53, 1. DOI:10.1524/itit.2011.0622

5. Buschel, I., Mehdi, R., Cammilleri, A., Marzouki, Y.,and Elger, B. 2014, Protecting human health andsecurity in digital europe: How to deal with the “privacyparadox”? Science and Engineering Ethics 20, 3639–658.

6. Carrascal, J. P., Riederer, C., Erramilli, V., Cherubini,M., and de Oliveira, R. 2013, Your browsing behavior

for a big mac: economics of personal informationonline. Proceedings of the 22nd internationalconference on World Wide Web 189–200.

7. Cavoukian, A. 2009, Privacy by design. IPCPublications

8. Cavoukian, A., and Weiss, J. B. 2012, Privacy by designand user interfaces: Emerging design criteria – keep ituser-centric. IPC Publications

9. Centre for International Governance Innovation &IPSOS, 2017, Global survey on internet security andtrust.

10. Charlton, A. 2018, In 2018, the ai will be listening morethan ever: Is our privacy under threat?, Retrieved April5, 2018 https://www.gearbrain.com/alexa-google-assistant-ai-privacy-2524884961.htm

11. CNN. Survey: Will we give up privacy without a fight?,2014. Retrieved May 7, 2018https://edition.cnn.com/2014/12/18/tech/innovation/pew-future-of-privacy/index.html

12. Crawford, K., Campolo, A., Sanfilippo, M., Whittaker,M. 2017, AI now 2017 report,

13. Crawford, K. and Whittaker, M., 2016, Artificialintelligence is hard to see, Medium, Retrieved March 20,2018 https://medium.com/@katecrawford/artificial-intelligence-is-hard-to-see-a71e74f386db

14. Debatin, B., Lovejoy, J. P., Horn, A.-K., and Hughes,B. N. 2009, Facebook and online privacy: Attitudes,behaviors, and unintended consequences. Journal ofComputer-Mediated Communication 5 83–108. DOI:10.1111/j.1083-6101.2009.01494.x

15. Denver Channel, 2005, Patients not notified that theirhealth records were stolen, Retrieved May 5, 2018http://www. thedenverchannel.com/7newsinvestigates/4438964/detail.html

16. Digital Single Market, 2018, EU member states sign upto cooperate on artificial intelligence, Retrieved May 17,2018https://ec.europa.eu/digital-single-market/en/news/eu-member-states-sign-cooperate-artificial-intelligence

17. DMA Group, 2016, Data privacy: what the consumerreally thinks.

18. Ericsson ConsumerLab, 2015, Sharing information - therise of consumer influence.

19. Ferguson, K. G. 2001, Caller id – whose privacy is it,anyway? Journal of Business Ethics 29 227–237.

20. Gerber, N., Gerber, P., and Volkamer, M. 2018,Explaining the privacy paradox: A systematic review ofliterature investigating privacy attitude and behaviors.Computers and Security 77 226–261. DOI:10.1016/j.cose.2018.04.002

21. Kokolakis, S. 2017, Privacy attitudes and privacybehaviour: a review of current research on the privacyparadox phenomenon. Computer & Security 64 122–34.DOI: 10.1016/j.cose.2015.07.002

22. Lee, C., and Cranage, D. A. 2011, Personalisation -privacy paradox: The effects of personalisation andprivacy assurance on customer responses to travel websites. Tourism Management 32, 5, 987–994. DOI:10.1016/j.tourman.2010.08.011

23. Martin, C. D., and Makoundou, T. T. 2017, Ethics bydesign in AI. ACM Inroads 8, 4, 35–37. DOI:110.1145/3148541

24. Mathews, L. 2017, Criminals hacked a fish tank to stealdata from a casino, Forbes Retrieved April 28, 2018https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

25. MIT Technology Review, 2018, 10 breakthroughtechnologies 2018, Retrieved May 20, 2018,https://www.technologyreview.com/lists/technologies/2018/

26. Moerenhout, T., Devisch, I., and Cornelis, G. C. 2017E-health beyond technology: analyzing the paradigmshift that lies beneath. Medicine, Health Care andPhilosophy 21 31–41.

27. Myers, J., Frieden, T. R., Bherwani, K. M., andHenning, K. J. 2008, Ethics in public health research.American Journal of Public Health 98 793–801.

28. Networking and Information Technology Research andDevelopment Subcommittee, 2016, The nationalartificial intelligence research and development strategicplanhttps://www.nitrd.gov/PUBS/national ai rd strategic plan.pdf

29. Nissenbaum, H. 2004, Privacy as contextual integrity.Washington Law Reviewhttps://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

30. Pew Research Center, 2014, The future of privacy,Retrieved May 4, 2018http://www.pewinternet.org/2014/12/18/future-of-privacy/

31. Pew Research Center, 2014, Public perceptions ofprivacy and security in the post-snowden era, RetrievedApril 12, 2018http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/

32. Pew Research Center, 2017, The internet of thingsconnectivity binge: What are the implications?,Retrieved April 12, 2018http://www.pewinternet.org/2017/06/06/the-internet-of-things-connectivity-binge-what-are-the-implications/

33. Piwek, L., Ellis, D. A., Andrews, S., and Joinson, A.2016, The rise of consumer health wearables: Promisesand barriers. PLoS Med 13(2) 1–9. DOI:10.1371/journal.pmed.1001953”

34. Polonski, V. 2018, The hard problem of ai ethics - threeguidelines for building morality into machines,Retrieved April 23, 2018, https://www.oecd-forum.org/users/80891-dr-vyacheslav-polonski/posts/30743-the-hard-problem-of-ai-ethics-three-guidelines-for-building-morality-into-machines

35. Symantec. 2015, State of privacy report 2015,https://www.symantec.com/content/en/us/about/presskits/b-stateofprivacyreport2015.pdf

36. Taddicken, M. 2013, The ‘privacy paradox’ in the socialweb: the impact of privacy concerns, individualcharacteristics, and the perceived social relevance ondifferent forms of self-disclosure. J Comput-MedCommun 248– 73.

37. Tavani, H. 2016, Ethics and Technology: Controversies,Questions, and Strategies for Ethical Computing. JohnWiley & Sons,

38. The Internet Society, 2018, Cyber incident & breachtrends report. Retrieved April 23, 2018https://otalliance.org/system/files/files/initiative/documents/ota cyber incident trends report jan2018.pdf

39. Tufekci, Z. 2008, Can you see me now? audience anddisclosure regulation in online social network sites.Bulletin of Science, Technology and Society 20–36.

40. Villani, C. 2018 For a meaningful artificial intelligence.towards a French and European strategy. France

www.kth.se