Do People Know About Privacy and Data Protection Strategies? Towards the “Online Privacy Literacy Scale” (OPLIS)


Scientific literature (full sample)

Journal articles focusing on “privacy literacy”

Project deliverables (full sample)

Acatech (2012, 2013), Eurobarometer (2010, 2011), PRISMS (2013), SurPRISE (2013)

Legislative texts (full sample, effective October 2013)

Germany (BDSG, GG, TKG, TMG, UrhG, KunstUrhG, decisions of the BVerG)

European Union (EU directives 1995/46/EC, 1997/66/EC, 2000/31/EC, 2002/58/EC, 2006/24/EC, EU regulation 2001/45/EC on processing of personal data, Charter of fundamental rights of the EU)

Privacy policies of major online service providers (Retrieved on the 30 th of October 2013)

E-commerce platforms (Amazon, Ebay)

Online banking provider (Sparkasse)

Search engines (Google, Yahoo)

Email provider (GMX, WEB, Googlemail)

Social media (Facebook, WordPress, XING)

News articles a (November 1 st 2012 to October 31 st 2013)

FAZ – Frankfurter Allgemeine Zeitung

Süddeutsche Zeitung

Computer magazine articles b (November 1 st 2012 to October 31 st 2013)

ComputerBild

c’t magazine


a FAZ and Süddeutsche Zeitung are nationwide newspapers that have more than one million readers per issue. We chose to analyze these daily newspapers as they have the highest coverage in Germany. Institut für Demoskopie Allensbach, “Awa 2013 – Allensbacher Marktanalyse und Werbeträgeranalyse,” (2013), ​www.​ifd-allensbach.​de/​fileadmin/​AWA/​AWA2013/​Codebuchausschni​tte/​AWA_​2013_​BandMedien_​Basistabelle.​pdf

bIn order to gain more information about current strategies and to integrate specialized knowledge from computer and data-protection experts, two computer magazines were included in the sample. Whereas ComputerBild has the highest coverage in Germany among computer magazines, the ct magazine represents a more specialized magazine that is read by computer scientists and experts






    In all, 395 documents comprised the sample for the content analysis. Forty-five percent of these documents were articles from computer magazines (ComputerBild and ct magazine), and 38 % were news articles. Six coders went through all of the documents identifying text passages that contained information relevant for any of the a priori defined dimensions of privacy literacy or privacy literacy in general. In the latter case, they defined a new category in which they coded the identified text passage. The general selection criterion was formulated as a question: “Do internet users need to know this information (described in the document) in order to be capable of regulating their online privacy?”




    14.3.2 Results


    In total, 2,597 extracts resulted from the content analysis. They were coded according to the predefined and continuously adapted and modified categorical system, whereby most extracts were assigned to the dimension knowledge about the practices of organizations, institutions, and online service providers (819 extracts) and knowledge about the laws and legal aspects of data protection (643 extracts). In a subsequent step, doubles and irrelevant extracts were identified. The dimensions knowledge about potential privacy threats and risks and knowledge about ways to deal with privacy threats were dismissed because the remaining dimensions already contained most of the information that could have been coded into these categories. Five dimensions of privacy literacy were confirmed by the content analysis: (1) Knowledge about the practices of organizations, institutions, and online service providers; (2) knowledge about the technical aspects of online privacy and data protection; (3) knowledge about the laws and legal aspects of online data protection in Germany; (4) knowledge about European directives on privacy and data protection; and (5) knowledge about user strategies for individual online privacy control.

    In an iterative process, the remaining extracts were transformed into multiple-choice test questions or true-false items (each with the residual answer “I dont know”). The resulting item pool was comprised of approximately 25 items in each dimension and 113 in total. In the following, each dimension will be described in detail.


    14.3.2.1 Dimension 1: Knowledge About the Practices of Organizations, Institutions, and Online Service Providers


    Extracts falling into this dimension included common online practices such as data surveillance, data collection, data processing, data analysis, data transmission, and data deletion by authorities and internet companies such as social media (e.g., Facebook, Twitter, Google+), search engine providers (e.g., Google, Yahoo, Bing), online banking providers and providers of e-commerce platforms (e.g., Amazon, Ebay), but also governments and intelligence agencies. In the EU project deliverable SurPRISE,93 for example, the following extract was coded:

    In Germany, the surveillance of email communication has increased significantly since 2009. In 2010, German intelligence services inspected 37,292,862 emails and data connections, a number quintupled from 2009, when 6.8 million Internet and other network communications were inspected. Over 15,300 key words related to the topics of terrorism, proliferation, immigrant smuggling and trafficking were used to filter emails, but only led to actually useful clues in 213 investigation cases.

    Specifically, the privacy policies of companies such as Facebook have revealed a number of common data collection and data mining practices. Knowing the contents of privacy policies hence becomes an important aspect of this dimension. An extract from Facebooks privacy policy, for example, indicates precisely what such companies do with their users’ data:

    We receive data if you visit a website that has a social plugin. We store these data for a period of 90 days. Afterwards, we delete your name and other identity-related information or combine them with data from other people in such a way that these data cannot be linked to your person.94

    Other extracts revealed the infrastructure and data flow in companies such as Google. In the following example, it can be seen that knowledge about institutional practices also means a greater understanding of the data flow and the architecture of the internet:

    Google processes personal data on our servers, which are located in various countries around the world. Thus, we might process your data on a server that is not located in your country.95

    These short extracts from different documents were then transformed into knowledge items. Although more than 100 items were generated from the extracts in this dimension, the final item pool contained 22 items (Table 14.2).


    Table 14.2
    Example Items for Dimension 1


















    Example items of the dimensionknowledge about the practices of organizations , institutions , and online service providers

    Companies are able to provide users with online advertising that is based on their surfing behavior.

    True

    Social network sites (e.g., Facebook) collect and analyze user data.

    True

    Companies are able to detect whether someone has opened an email even if the receiver does not reply.

    True


    14.3.2.2 Dimension 2: Knowledge About Technical Aspects with Regard to Online Privacy and Data Protection


    The content analysis revealed that there were a number of technical solutions for online privacy and online data protection. Thus, the examples primarily revealed technical solutions for data protection with regard to hardware (e.g., router, intranets) and software (e.g., firewalls, data encryption, antispyware, specific browser settings and features such as cache and browsing history). Furthermore, the dimension also included examples explaining the technical infrastructure or functionality of the web (e.g., HTML, IP addresses, and Cloud Computing). A smaller number of extracts addressed knowledge about the technical processes of data stealing (e.g., phishing through Trojans or other malware) and techniques for data tracking.

    It was noticeable that many documents focused on data encryption when discussing privacy-enhancing technologies (PETs). In ct magazine, which specializes in computer technologies in particular, the following text passage was extracted:

    In the end, only the server defines which type of encryption will be used. Although the browser can express preferences, large servers in particular tend to ignore this and use the encryption type that is most appropriate for them from the list specified within the browser.96

    Another example extract that focused on malware and how it affects users’ privacy was found in the EU deliverable SurPRISE:

    The Trojan is usually brought onto the device covertly. This can occur in different ways: for example, the visit to a prepared website link (drive-by download) or the opening of an e-mail attachment may trigger the installation. Other possibilities are the usage of so-called infection proxies or direct physical access to the device.97

    All in all, 54 items were created from these extracts, 28 items of which were retained for the final item pool (Table 14.3).


    Table 14.3
    Example Items for Dimension 2



























    Example items of the dimensionknowledge about the technical aspects of online privacy and data protection

    What is a Trojan? A computer program that…

    (a) …is disguised as a useful application but covertly and secretly executes other functions in the background
     
    (b) …protects the computer from viruses and other malware
     
    (c) …was invented only for fun and does not have a specific function
     
    (d) …caused damage as a computer virus in the 90s but does not exist anymore

    All browsers automatically support the current Transport Layer Security (TLS 1.2)

    False

    Companies are able to detect whether someone has opened an e-mail even if the receiver does not reply

    True


    14.3.2.3 Dimension 3: Knowledge About the Laws and Legal Aspects of Online Data Protection in Germany


    The last two dimensions comprise examples of German laws and directives from the European Union concerning online data protection. We coded fundamental rights in the German constitution, especially the right to informational self-determination and applicable German laws concerning data protection conditions. As data protection is not just the responsibility of the individual, it became apparent that a user has to know his or her rights concerning online data transmission. The following passage was extracted from the acatech project deliverable:

    The principle of data minimization (not contained in EU law, but in § 3a BDSg) demands that data collection should be kept to a minimum with regard to conducted business and data processing systems should be built in a data minimizing manner.98

    The extracts were consequently transformed into 51 multiple-choice and True/False/Don’t know questions. Twenty-three items concerning German laws on data protection were retained in the final item pool (Table 14.4).


    Table 14.4
    Example Items for Dimension 3


























    Example items for the dimensionknowledge about the laws and legal aspects of online data protection in Germany

    All providers of social network sites in Germany have to apply the same privacy policy. Deviations have to be indicated

    False

    German law prohibits the spreading of abusive or incorrect information about a person on one’s own profile or the profile of the concerned person on a social network site

    True

    By German law, when are online service providers allowed to use and analyze personal data for personalized advertising?

    (a) Always

    (b) If the user has consented to it

    (c) If the purpose of it is noncommercial

    (d) Never

    (e) Don’t know


    14.3.2.4 Dimension 4: Knowledge About European Directives on Privacy and Data Protection (Table 14.5)





    Table 14.5
    Example Items for Dimension 4






























    Example items of the dimensionknowledge about European directives on privacy and data protection

    Directives of the European Union concerning data protection…

    (a) … count as transnational data protection laws
     
    (b) … have to be implemented into national data protection laws by EU member states
     
    (c) … serve only as guidelines for national data protection laws
     
    (d) … do not exist yet
     
    (e) Don’t know

    By European law, it is legal to forward anonymous data for market research

    True

    Directives of the European Union prohibit the processing of data that reflect racial or ethnic background, political opinions, and religious or philosophical beliefs without explicit consent

    True

    As Germany is part of the European Union, a German internet user might also refer to EU regulations, general directives, and special directives on data retention and the processing of personal data, all of which have to be implemented into national law by EU member states. Extracts from this dimension included all decisions about data protection that have been specified in these directives. An example passage extracted from Regulation (EC) No 45/2001 would be:

    Personal data shall only be processed for purposes other than those for which they have been collected if the change of purpose is expressly permitted by the internal rules of the Community institution or body.

    A total of 56 items concerning European law were created from which 16 items were included in the final item pool.


    14.3.2.5 Dimension 5: Knowledge About User Strategies for Individual Online Privacy Control


    In this dimension, example extracts indicated strategies that help to ensure online privacy and data protection. In contrast to knowledge about technical aspects or institutional practices, knowledge about strategies is characterized as knowing how to protect data by passive or active actions. Passive actions incorporate control strategies such as the nondisclosure of personal information or opting out of services that require the disclosure of personal data. An example extract is:

    Hiding can be effective if a person communicates anonymously. Yet, hiding can also refer to not disclosing information about age, gender, or location.99

    Active actions include the use of encryption software, privacy-enhancing technologies, antispyware and privacy-related browser settings support data protection (e.g., clearing the web browser history and deleting the cache and cookies). In the magazine ComputerBild, the following strategy was proposed for guaranteeing more security online (Table 14.6):

    No one can attack a wireless network that has been switched off. If you go on vacation, unplug the wireless network or deactivate it. Also activate the “night option” of your router so that it switches off your wireless network at night.100



    Table 14.6
    Example Items for Dimension 5


















    Example items of the dimensionknowledge about strategies for individual online privacy control

    In order to protect one’s privacy, it is useful to regularly delete the browsing history, the cache, and saved cookies

    True

    It is safe to use one secure password that consists of upper and lowercase letters, numbers, and special characters for all online accounts and profiles

    False

    Not disclosing any information online is not a good strategy for protecting data and privacy

    False

    All in all, 37 items were generated of which 22 items were included in the final item pool.



    14.4 Discussion


    With the research presented in this chapter, we aimed at developing a reliable and valid scale for measuring online privacy literacy. Privacy literacy has often been identified as a possible solution for overcoming the disparities of users’ privacy attitudes and behaviors. Also, an ongoing assessment of citizens’ privacy literacy might help to provide an online-privacy-behavior evaluation that can be used for policy, legal, and educational purposes.

    In a methodological sense, a new and comprehensive scale for privacy literacy is needed because prior studies have not covered all aspects and dimensions that may be relevant to online privacy literacy.101 , 102 , 103 , 104 On the basis of our argumentation, we believe that privacy literacy is not unidimensional but consists of diverse aspects of factual and procedural knowledge. Furthermore, previous studies have been based on self-reported measures of privacy literacy.105 , 106 , 107 But as Morrison demonstrated, subjective assessments of knowledge do not necessarily correspond with objective knowledge.108 With the development of the OPLIS, we tried to address both points of criticism. As a multidimensional scale, the OPLIS covers five distinct dimensions of online privacy literacy. Furthermore, all five dimensions will be presented as a knowledge test. The scale includes both multiple-choice items and true-false items to permit an objective assessment of online privacy literacy.