Preferences for privacy and security : an experimental investigation

In the United States, the events of 11 September 2001 led to increased efforts to reduce the risk of another terrorist attack. One way to reduce such a risk is to increase surveillance and other security measures. Increasing surveillance, however, reduces privacy. In determining optimal policy, policymakers must weigh the value of a reduced risk of a catastrophic event against the value of privacy. While the debate is not new, interest in the tradeoffs between security measures and individual privacy has grown. We conducted experiments in which participants chose between these two commodities. We use participants’ choices, as well as demographic and other information, to analyze the relative importance of privacy and security across a heterogeneous group of university students. We assume that there exists a tradeoff between privacy and security: giving up some degree of privacy improves security. 3 While the decision as to the appropriate balance is collective, our focus is on the privacy loss to the individual. We do not account for the governing authority’s costs and benefits due to increased security. We asked undergraduate and graduate students to choose among various levels of surveillance in return for reduced risk of loss. Our participants are heterogeneous both in demographics and response, ranging from 19 to 41 years of age, with an average age of almost 22. About 40 percent identified themselves as Caucasian, 32 percent as Hispanic, 6 percent as Native American, 10 percent as Asian, and 2 percent as African American. Like most convenience samples, this pool is younger than the general population and differs from both the typical sample of largely Caucasian, 18-22 year-old college students and the U.S. population generally. Most choose to give up some privacy in exchange for reduced risk but are unwilling to submit to the most invasive measures in return for a very low risk of loss. A nonnegligible percentage of the participants’ decisions reflect preferences that are either high privacy (HP) or high security (HS). Participants whose decisions take relatively extreme values are distinguishable from the participants with more moderate preferences both in the ways they respond to feedback and in some of their demographic characteristics. We begin with a theoretical model explaining the choice of optimal levels of surveillance and privacy and then describe the experimental design. Then, we present regression models and results, and a summary concludes the article.


Preferences for privacy and security: an experimental investigation
C. Jill Stowe, Kate Krause, and Janie M. Chermak I n the United States, the events of 11 September 2001 led to increased efforts to reduce the risk of another terrorist attack.One way to reduce such a risk is to increase surveillance and other security measures.Increasing surveillance, however, reduces privacy.In determining optimal policy, policymakers must weigh the value of a reduced risk of a catastrophic event against the value of privacy.While the debate is not new, interest in the tradeoffs between security measures and individual privacy has grown. 1 We conducted experiments in which participants chose between these two commodities.We use participants' choices, as well as demographic and other information, to analyze the relative importance of privacy and security across a heterogeneous group of university students.
We assume that there exists a tradeoff between privacy and security: giving up some degree of privacy improves security. 2,3 hile the decision as to the appropriate balance is collective, our focus is on the privacy loss to the individual.We do not account for the governing authority's costs and benefits due to increased security. 4e asked undergraduate and graduate students to choose among various levels of surveillance in return for reduced risk of loss.Our participants are heterogeneous both in demographics and response, ranging from 19 to 41 years of age, with an average age of almost 22.About 40 percent identified themselves as Caucasian, 32 percent as Hispanic, 6 percent as Native American, 10 percent as Asian, and 2 percent as African American.Like most convenience samples, this pool is younger than the general population and differs from both the typical sample of largely Caucasian, 18-22 year-old college students and the U.S. population generally. 5Most choose to give up some privacy in exchange for reduced risk but are unwilling to submit to the most invasive measures in return for a very low risk of loss.A nonnegligible percentage of the participants' decisions reflect preferences that are either high privacy (HP) or high security (HS).Participants whose decisions take relatively extreme values are distinguishable from the participants with more moderate preferences both in the ways they respond to feedback and in some of their demographic characteristics.
We begin with a theoretical model explaining the choice of optimal levels of surveillance and privacy and then describe the experimental design.Then, we present regression models and results, and a summary concludes the article.

Theoretical model
We model individuals as voting on allowable surveillance levels.Higher surveillance levels reduce the risk of a catastrophic event, like a terrorist attack; however, to reduce that risk, individuals bear a loss of utility due to invasion of personal privacy. 6In our model, individuals have preferences over net wealth.Net wealth is determined by the original wealth endowment, utility gained from the provided level of security, disutility from the corresponding privacy invasions, and the probabilistic occurrence of a catastrophic event.Individuals vote for optimal levels of surveillance and hence the corresponding optimal levels of privacy loss.The prevailing surveillance level is determined by a specified voting rule, such as majority vote.We assume that individuals do not know the choices of other members of society.Consequently, each person selects the surveillance level that maximizes his or her expected utility over net wealth, conditional on what they expect others to do.Thus, there are two types of uncertainty: first, there is uncertainty regarding the votes of other members of society; second, there is uncertainty regarding the occurrence of a catastrophic event.
Each individual's optimal surveillance level choice equates the marginal cost of that privacy invasion level to the marginal benefit of increased security, plus a term incorporating income elasticity of utility as well as the inherent riskiness of providing security.Security, even if provided at high levels, cannot fully protect against a catastrophic event; as a result, individuals choose higher levels of surveillance and submit to more privacy invasions when there is a probabilistic resolution of a disastrous event. 7ndividual differences in preferences over money and security and in sensitivity to privacy invasions yield different optimal choices.High privacy decisions are consistent with high marginal costs of additional privacy invasions, whereas high security decisions are consistent with greater marginal utility from higher levels of security relative to the cost of privacy invasions.Differences in the individual cost and benefit functions explain why high privacy participants optimally vote for fewer privacy invasions and high security participants allow more privacy invasions.
If preferences change over time, optimal decisions will likewise change.For example, a person may not have well-formed preferences over risks not personally experienced.If the risky event were to occur, that person may adjust his or her preferences between security and privacy.In our experiment, we observe some participants choosing different privacy loss levels after observing a negative outcome, We conducted experiments in which participants chose between privacy and security.A nonnegligible percentage of the participants' decisions reflect preferences that are either high privacy (HP) or high security (HS).Participants whose decisions take relatively extreme values are distinguishable from the participants with more moderate preferences both in the ways they respond to feedback and in some of their demographic characteristics.

Experimental design
Our participants were asked to imagine themselves in a hypothetical scenario.We presented participants with choices between sacrificing some degree of privacy in return for increased security.Because we could not subject participants to realistic privacy invasions, nor could we subject our participants to acts of crime or terror, we used financial loss and gain to give saliency to their choices.Thus, a violation of privacy cost the participant a specified amount of experimental earnings, while realization of the threat resulted in a complete loss of all earnings.In this sense, the investigation resembled an insurance market.Participants could sacrifice a specified amount of earnings in exchange for a reduced probability of complete loss.
Other features of the experiment distinguish it from an insurance market.Ex ante payment did not secure compensation in the event of loss; it only reduced the chance of loss.In addition, decisions about the appropriate tradeoff between security and privacy are necessarily collective.A policy that subjects citizens to various security-enhancing methods must apply to all.Therefore in this investigation, groups of participants voted on the degree to which they were willing to accept privacy invasions in return for more security.
Because we characterized privacy invasions as a cost, a necessary first step was to determine dollar values of various privacy invasions so that those values, in an ordinal sense, were aligned with participants' perceptions of those invasions.Thus, our design has two parts.In the first stage, we asked 46 undergraduate students recruited from three lower-division undergraduate economics courses to rate several privacy invasions by the degree to which that invasion was perceived as intrusive.That first stage of our design informed the second stage.In the second stage, a different group of students, randomly and anonymously assigned to groups of five, voted on the level of surveillance their group would tolerate in exchange for different levels of security.

Stage one
We investigated students' reactions to a number of possible steps that a governing authority might take by asking students to complete a Likert-scale survey.Students were presented with a list of thirteen different surveillance practices and a brief explanation of each practice.They then rated those practices on a scale from one to five, where five indicated a practice perceived as most intrusive. 8e used Stage One results to rank each security measure by the extent to which most students would be offended and to identify those practices for which the perception of invasiveness was most uniform.In the second stage, we included those invasions for which student responses were most consistent and allowed the greatest degree of spread between the least invasive measure and the most.Stage Two participants completed the same instrument after completing the experiment.Their responses are similar to the responses of the Stage One participants as shown in the last column of Table S1 (online supplemental material).
From least intrusive to most, the six practices that we selected were security camera monitoring, drug test, body search, email or internet monitoring, property search, and wiretapping.Both the initial Stage One participants and the Stage Two participants were drawn from a university student body, a population whose experiences with these measures may be quite different from the experiences of the adult population generally.

Stage two
The second stage of our investigation addresses our primary interest.We recruited 85 undergraduate and graduate students, none of whom participated in the first stage.After they completed the experiment, Stage Two participants provided demographic information, completed the Stage One instrument, and responded to the following question: "On a scale of one (1) to five (5), which number best describes your attitude?"One (1) is equivalent to: "Reduced privacy doesn't bother me: I am not doing anything wrong so I don't have anything to hide."Five (5) is equivalent to: "Reduced privacy bothers me.It imposes on my rights and allows governmental agencies too much access to my personal information."Responses were fairly symmetric: 40 percent of our sample chose the middle ranking, a 3, in response to this question, 13 percent chose 1, the lowest ranking, and 12 percent chose 5, the highest.Sixteen percent leaned toward not being bothered, choosing 2, and 19 percent leaned toward being bothered, choosing 4. 9 Second stage participants were asked to imagine themselves in a hypothetical  © www.epsjournal.org.uk-Vol.5, No. 1 (2010)   situation that would lead to a complete loss of all earnings with an 80 percent probability if no security-enhancing steps were taken.That probability would be reduced with increasingly invasive security measures.Participants were asked to vote on the proposed security measures that their group would endure.Security measures were constrained to be cumulative in the order presented, so that a participant who voted to accept one security measure was accepting all lower-cost measures as well.Participants were given an endowment of 30 tokens at the beginning of each round.Each token was worth 40 cents, so that the participants' starting endowment was USD12.Table 1 summarizes the cumulative cost of taking each step and the reduction in the probability of loss associated with each level of security. 10While it can be clearly seen from Table 1 that accepting security measures through the level of a body search maximizes expected return, this information was not explicitly provided to participants.
Once all members of a group made their decisions, the experimenters determined the highest level of security accepted by at least three members of the group.A draw from a bingo cage, done in full view of all participants, determined whether or not the loss occurred.Rounds were repeated with no rollover of earnings.Group membership changed with each round and the number of rounds was not pre-announced.In five separate administrations of the experiment, three groups completed three rounds and two groups completed four rounds.

Earnings
Only one round of the hypothetical scenario was chosen for payment.In addition to earnings from the decisions and outcomes, participants were given a USD5 participation fee.Earnings ranged from USD5 to USD15 and averaged USD12.60.

Model and results
The frequency of participants' choices among the seven security/privacy tradeoff levels is presented in Table 2. Body Search (which includes the lower-ranked surveillance methods of Security Camera and Drug Test) is the mode across all rounds.Assigning a numerical value from zero (none) to six (wiretapping) for the seven choices, respectively, the mean response is 2.8 across all rounds (between Drug Test and Body Search), with a standard deviation of 1.3.
We assume that each participant chooses the level of surveillance which he or she is willing to tolerate in order to approximately maximize utility according to where ß j is a vector of coefficients and x j is a vector of characteristics that capture participants' perceptions of the benefits and costs of increased surveillance.The observed choice = j if U (alternative j) > U (alternative k) oe j … k.The probability a participant makes choice j then is Incorporating survey and experimental data into equation (2) allows us to consider the following questions: 1. Are observable characteristics correlated with participants' privacy/security preferences?2. What distinguishes participants who prefer high security from those who prefer high privacy?3. How do participants' choices respond to a loss event, either to the participant or to others in the experiment?4. Do participants who had made high security decisions in the first round respond to loss events in the same way as those whose early decisions had reflected high privacy preferences?
The size of the data set prevents modeling the probability of each of the seven Group divisions (see text for explanation): < 0 and 1 => HP (high privacy) < 0 through 4 => Base < 0 through 6 => HS (high security) The Economics of Peace and Security Journal, ISSN 1749-852X Stowe, Krause, and Chermak, Privacy and security p. 37  © www.epsjournal.org.uk-Vol.5, No. 1 (2010)   individual security choice levels, so we aggregate responses into three groups: High Privacy (HP), Base, and High Security (HS).A Base choice is the mean plus or minus one standard deviation, rounded to the nearest whole number.Based on this criterion, we categorize decisions to accept None or surveillance by Security Camera only as reflecting HP preferences.Approximately 17 percent of all decisions made in the experiment meet this criterion.The Base group includes choices to accept surveillance practices up to and including Drug Test, the Body Search or Email/internet Monitoring, which accounts for more than 75 percent of the responses.The remaining responses reflect HS preferences and include the most costly levels of security in terms of privacy loss.These three designations are the dependent variables in our analysis.
Explanatory variables fall into three categories: (1) experience and attitudinal; (2) demographic, and (3) experimental (which reflect choices and outcomes of previous rounds).Experience and attitudinal variables capture pre-experiment attitudes and experiences.PERCENT YES is the percentage of security events that a participant had experienced.AVERAGE RANK is the participant's average ranking of invasiveness of the thirteen survey items.ATTITUDE is the participant's ranking of the extent to which reduced privacy bothered them (where a 5 indicated that reduced privacy "bothers me").Thus higher scores on AVERAGE RANK and on ATTITUDE indicate a relative preference for privacy.Finally, we considered experience with each of the 13 privacy issue variables, but include only those two variables which were statistically significantly (at 15 percent) associated with either HS or HP decisions in our initial model. 11emographic variables include AGE, education (binary variables for JR/SR and GRAD), ethnicity (NON-ANGLO), gender (FEMALE), and international student status (INTERNATIONAL).These capture cultural and other systematic differences (if any) that might influence participants' tastes for privacy and security.
Experimental variables allow us to test a participant's response to prior round outcomes.A participant's choice in round one provides a baseline, pre-feedback prior about security and privacy (R1 CHOICE).We investigate whether a good or bad outcome in one round influences a participant's choice in the next round by including the following variables: the participant's outcome in the previous round (OUTCOME LAST), the percentage of groups that experienced a loss in the previous round (PERCENT INCIDENT LAG), the sum over all previous rounds of losses that happened to the participant (SUM INCIDENT), and the participant's group security level from the previous round (GROUP LAST). 12

Round one models
To distinguish the influence of pre-experiment experience, attitudes, and demographics from experience in the experiment, we estimate two separate sets of multinomial logit models.Models 1 and 2 employ only round one data (n=85).This provides a baseline to which we can compare the impact of experiment outcomes.In Model 1, we include only experience and attitudinal variables.Model 2 adds the demographic variables.The results are presented in Tables 3A and 3B (statistically significant variables are indicated with a superscript), with the actual versus predicted values provided in the last row of the tables. 13 © www.epsjournal.org.uk-Vol.5, No. 1 (2010)   Participants who indicated on their surveys that reduced privacy bothers them generally (ATTITUDE), as well as specifically in the context of the thirteen surveillance practices (AVERAGE RANK), and who had relatively more experiences with those practices (PERCENT YES), were more likely to make an HP choice than the Base choice.Participants who had experienced a sobriety test were less likely to make an HP choice.Participants whose decisions reflected an HP preference assigned higher invasiveness scores to the thirteen surveillance practices and those whose decisions reflected an HS preference assigned lower invasiveness scores to the items.
Adding demographic variables in Model 2 only moderately changed the results for the attitude and experience variables.Frequency of experience w i t h t h e n a m e d surveillance practices continues to explain HP decisions, but, somewhat puzzling, is also positively associated with HS decisions.However, specific experience with financial record disclosure and sobriety tests was negatively associated with a HS decision.It appears that for some, having experienced a privacy violation made them more tolerant of violations in the future (HS) while for others the experience made them less tolerant (HP), indicating different people will respond to the same stimulus in different ways.
Of the demographic variables, older participants were more likely to choose HP and non-Anglo participants were less likely to choose HP.Women were less likely to choose HS while international students were more likely to choose HS, but this result must be interpreted with caution given the relatively small number of international students in this data set.
Table 4 presents the marginal effects, estimated at the sample means of the RHS variables.The marginal effects provide the changes in the probability that an individual will choose HP (or HS) over Base, for a one-unit change in the variable.
In Round 1, participants tended to make choices that were generally consistent with their pre-experiment attitude toward privacy.Experience with security measures cuts both ways, perhaps because of differences in how those measures were executed.

Feedback models
We now turn to the models that incorporate immediate feedback from the  © www.epsjournal.org.uk-Vol.5, No. 1 (2010)   experiments.We lose all first round observations when we lag variables, leaving us with 210 observations.Model 3 replicates Model 1, but with data from later rounds of the experiment and binary round variables.Similarly, Model 4 replicates Model 2 with this data and binary round variables.While the magnitudes of the coefficients have changed, we observe many of the same patterns.Older participants continue to choose HP, and women continue to avoid choosing HS.In the new data, though, pre-experiment attitude no longer predicts HP choices, and experience with the thirteen security measures is negatively associated with HP choices.Model 5 incorporates the experimental variables (feedback) and suggests that pre-experiment attitudes and experience may be supplanted by the outcomes of earlier experimental rounds.Results are provided in Table A1, appended to this article. 14he number of statistically significant experience and attitude variables related to HS declines when immediate feedback is included: attitude and experience are partially supplanted by immediate experience.Relative to Model 2, fewer demographic variables explain HS choices, but having experienced a loss in a prior round and having higher security imposed in a prior round are associated with an increased likelihood of a HS choice.Thus, current events appear to influence privacy/security tradeoff preferences.The tendency to make HP choices appears less sensitive to inclusion of feedback variables.Only the cumulative count of losses in prior rounds is statistically significantly associated with the likelihood of choosing HP, and its influence is to increase HP choices.
First round choices strongly predict choices in subsequent rounds.The likelihood that a participant will display HP preferences increases as the overall faring of the experimental group in the last periods worsens (SUM INCIDENT), while the likelihood of displaying HS preferences is positively associated with a loss that is personally experienced by the participant, as well as with the level of security chosen by his or her group in the previous period (OUTCOME LAG and GROUP LAST).
The marginal effects for statistically significant variables from Models 3, 4, and 5 are presented in Table 5.The marginal effects for HP are larger than those in Models 1 and 2, while the magnitude of marginal effects for HS are relatively small in magnitude.Current events affect participants' choices, and there is a distinct difference in how those events lead to HP or HS choices.Pre-experiment experience and a pro-privacy attitude, when immediate experimental feedback is included in the model, reduce the probability of making an HP choice in the later rounds.Regardless of the specification, older participants tend toward HP preferences.The decision to make an HP choice is impacted by the community-centric variable-what happened to the entire experimental group last period-rather than by the individual-centric variables.In this case, a one-percent increase in loss in the last period increased the probability of a HP choice by 16 percent.This counter-intuitive result may reflect the tendency for participants to apply a heuristic assessment of risk: if a terrorist attack happens on a given day, another incident may seem highly unlikely on the following day.
HS participants appear much different from their HP counterparts.As in every other specification, being female reduces the probability of HS.This may at first seem at odds with other studies that find women are more risk averse than men, but in this context, there is more than one risk domain that must be considered.Other researchers have found that women's risk attitudes differ depending on the domain. 15There is the security (and hence financial) risk, but there is also a personal risk associated with being subjected to invasive actions.2. Both privacy and security are broad concepts, so it is important to clarify their definitions in the context of this article.The most accurate description of privacy for our purposes comes from Schoeman (1984), who described privacy as one's right to determine what information about oneself is communicated to others, one's degree of control over personal information, and who has sensory access to oneself, and a state or condition of limited access to oneself.These ideas are related to those found in Hirshleifer (1980), Stigler (1980), and Posner (1981).These authors consider privacy in both narrow and broad terms.Narrowly, privacy is the restriction or concealment of information (secrecy); broadly, privacy is freedom and autonomy from society, or the right to manage information about oneself.We adopt Baldwin's (1997) notion that security is a "low probability of damage to acquired values."3. See Chandler (2009).
In contrast to the case for HP choices, the immediate feedback variables that impact the probability of HS are the individual-centric variables.What happened to me?What did my group do?An adverse own-group event increases the probability of HS.

Switching behavior after a loss
There were 50 instances in which a subject experienced a loss in a round prior to the last round of play. 16Of those who experienced a loss, 21 switched their choice from the previous round.Among these switchers, the average privacy invasion chosen in the round leading to the loss was 2.81, whereas the average privacy invasion selected after the loss was 3.38.Thus, these individuals increased their tolerance for privacy invasions after suffering a loss. 17witchers differed attitudinally and demographically.Switchers' response to the overall attitude question (where 5 indicated that privacy violations bothered the person) averaged 2.95, while non-switchers entered the experiment with more strongly-held preferences for privacy; their average ATTITUDE rank was 3.69. 18witchers are less sensitive to reduced privacy and so are more willing to submit to increasing privacy violations in exchange for risk reduction.Switchers also tended to be younger.The average age of the switchers is 21.2, while the average age of non-switchers is 23.0. 19This is consistent with the positive correlation between age and pro-privacy attitude.

Summary and conclusions
We sought insight into people's preferences for privacy and security when an explicit tradeoff exists between the two.While most participants chose a moderate level of privacy in exchange for a moderate level of security, some made choices that were consistent with a very strong preference for security, and others made choices that were consistent with a very strong preference for privacy.
In response to the first two questions we pose, we find that older participants tended to make high privacy choices and women were less likely than men to choose high security measures.Non-Anglo participants were less likely to make high privacy choices; international students tended to make higher security choices.These suggest that policies intended to enhance security, at the expense of privacy, must be sensitive to the relative values that citizens of diverse backgrounds place on privacy and security.
We answer our third and fourth questions by investigating choices over multiple rounds, observing how choices change when a participant experiences a loss or when a participant observes others' loss.Other participants' losses were associated with high privacy choices, while high security choices were more likely after participants experienced a loss themselves.However, a participant's first round decision remained predictive even when controlling for loss experience.
We find evidence for diversity of preferences for security and privacy, and we find that this diversity is correlated with observable characteristics and pre-experiment experience with surveillance.But those preferences are not immutable.Experimental experience led some participants to change their decisions, although not in uniform ways.This suggests that the relative value that citizens place on security and privacy will change as circumstances change and as events unfold.

Notes
C. Jill Stowe, the corresponding author, is an Assistant Professor of Agricultural Economics, with a joint appointment to the Department of Economics, at the University of Kentucky, Lexington, KY, U.S.A.She may be reached at jill.stowe@uky.edu.Kate Krause is an Associate Professor of Economics at the University of New Mexico in Albuquerque, NM, U.S.A.She may be reached at kkrause@unm.edu.Janie M. Chermak is a Professor of Economics at the University of New Mexico in Albuquerque, NM, U.S.A.She may be reached at jchermak@unm.edu.
The Economics of Peace and Security Journal, ISSN 1749-852X   Stowe, Krause, and Chermak, Privacy and security p. 41  © www.epsjournal.org.uk-Vol.5, No. 1 (2010)   5. Compared to U.S. Census Statistics, our sample is younger and under-represents Caucasians and African Americans, while it over-represents Hispanics and Native Americans.
6.The formal model, including definitions and proofs, is available online as supplementary material.See www.epsjournal.org.uk,vol.5, no. 1.   7. Figure S1 in the online supplementary materials illustrates this result.
8. The Stage One survey instrument is available in the online supplementary materials.Summary statistics of the results of this stage of the investigation are presented in Table S1.9. Demographic detail and the distribution of responses to this attitude question are given in Table S2.
10.This information was presented to the participants in an expanded narrative.All experiment forms and instructions are available in the online supplementary materials.
11.The privacy issue variables were added one at a time to Model 1.If the additional variable was significant for either or both HP and HS it was kept; otherwise, it was dropped.In the case where the addition of a new privacy issue variable resulted in making an already included privacy issue variable insignificant, the variable which had the higher explanatory power was kept and the other was dropped.
12. Table S3 provides descriptive statistics for these prior-round variables.
13.The log-likelihood ratios indicate both models are a better fit than a restricted model with only a constant.Further, including demographic information in Model 2 provides better explanatory power than Model 1, as indicated by the log-likelihood ratio, as well as by the pseudo R-squared.Finally, the Wald statistic for the demographic variables is 11.11, implying rejecting the null of joint insignificance at the usual levels.Notes: a = stat.sign.at the 5% level; b = at the 10% level; c = at the 15% level.
14. Again, Wald tests indicate the additional variables in Models 4 and 5 are jointly significant at the usual levels.

Table 1 : Costs and benefits of each choice
The Economics of Peace and Security Journal, ISSN 1749-852X Stowe, Krause, and Chermak, Privacy and security p. 36