Online Privacy Survey

    As mentioned in Chapter 1, Introduction, two of the reasons why people do not purchase on the Web are insufficient privacy and security [GRTC98]. Since that is a rather general statement, we conducted a small survey in order to find out what really bothers people. The main goal was to get more specific information about people's experiences with online transactions, personal information on the Web, and privacy.

Survey Methodology

    The target group of this survey was people who are familiar with the Web and use it frequently. The respondents of this survey were asked to give their gender, age and profession and had to answer 20 questions. These questions were divided into four sections:

  1. People's general experience with the World Wide Web.
  2. People's experience with online transactions.
  3. People's knowledge about privacy policies.
  4. Things that people would like to have or do in regards to online transactions and privacy on the Web.

    The following sections show the survey questions and results.

Demographics

    Fifteen respondents participated in this survey. The respondents were between 23 and 40 years old. Four of the respondents were females. The respondents' professions were:

    Accountant, Chemical Engineer, Computer Scientist (3), Design Engineer, Graphic Designer (2), Lawyer, Programmer (2), Researcher, Sales Marketing Assistant, Video Game Designer, MBA Student

    Because of the small number of respondents this survey is not representative of the general public nor was it the author's intention to produce such a survey. Nevertheless, the results presented in the following sections show that people with different professions, who frequently use the Web, share the same concerns and opinions regarding online privacy.

User's General Experience with the WWW

    This section of the survey was intended to find out how much time the respondents spend using the Web and for what purpose.

Questions and Analysis

Question 1:

How long have you been using the World Wide Web?

Question 2:

How many hours per week do you spend using the World Wide Web?

Question 3:

Do you use it for personal or business purposes?

(a) Personal

(b) Business

(c) Both

    The respondents had up to 5 years of experience using the Web. The average number of years was approximately 3.5. The least experienced respondent started using the Web six months ago.

    The respondents stated that the number of hours per week they spent on the Web ranged between 1.5 and 15 hours. The average number of hours was approximately 8 hours per week.

    All of the respondents stated that they used the Web for personal as well as business purposes, although the ratio of times between these two purposes varied from one respondent to another.

User's Experience with Online Transactions

    This section of the survey was intended to find out about the respondents' experiences with online transactions.

Questions and Analysis

Question 4:

Have you ever subscribed to, bought or ordered anything online? (This also includes registering with a Web site.)

Analysis/Summary:

All of the respondents except one answered this question with Yes.

Question 5:

If not, what were the reasons why you did not do it yet?

Analysis/Summary:

The respondent who answered question 1 with No. One respondent never needed to do anything on the Web, as mentioned in question 4.

Question 6:

If so (in regards to question 4), (a) what sorts of subscriptions, orders or purchases have you made, (b) could you have done the same things without the Web, (c) if so, why did you use the Web?

Analysis/Summary:

(a) Respondents bought all kinds of things such as books, software and hardware, etc. Other transactions that were performed by a majority of respondents were registering with Web sites, such as airlines or online travel agents and subscribing to news services.

(b) All respondents stated that they could have done most of the transactions offline, except for net-based transactions, such as subscribing to an online service or a mailing list.

(c) The number one reason for most of the respondents was convenience. Other reasons mentioned were efficiency (online transactions are less time-consuming), search capabilities, and accessibility of the service.

Question 7:

What could have been better about these services? (This question is in regards to the way the transaction was performed and not in regards to the Web sites' content or connection performance.)

Analysis/Summary:

Approximately 50% of the respondents were satisfied with the process of the transaction. The other half stated that they were not sure why some Web sites wanted all kinds of information that wasn't really necessary for the completion of the transaction. Some respondents found it annoying that they had to reenter whole sets of information even though they had been at the same site before. One respondent wasn't satisfied with the level of security.

Question 8:

When performing online transactions (such as buying, ordering, subscribing to something or just visiting a Web site for the first time, etc.), Web sites often request some information from the user. Did you ever release any personal information such as your name, email address, phone number, etc. during one of these transactions?

Analysis/Summary:

All of the respondents answered this question with Yes, although the amount of information released differed from one respondent to another according to the kind of transaction.

Question 9:

Did you know why the Web site asked for the information and what it wanted to do with it?

Analysis/Summary:

Six of the respondents knew or at least believed they knew why the Web site asked for the information and what it wanted to do with it. The rest of the respondents (five) either did not know or knew sometimes. Some of the respondents sometimes wondered about the amount of information collected by a Web site.

Question 10:

If so, what made you believe that the Web site really does what you thought it would do?

Analysis/Summary:

Eleven respondents answered this question. Two of the respondents who answered question 9 with Yes, said that they read and trusted the Web site's privacy statement. The rest of the respondents either were not sure or just trusted the Web site.

Question 11:

If not (in regards to question 9), did you finish the transaction anyways?

Analysis/Summary:

Four of the respondents had chosen not to finish a transaction if they were not sure about the Web site's intentions. The rest of the respondents finished transactions despite the fact that they were not sure about the Web site's intentions. Some of them only proceeded when they could finish without giving away information they did not want to release. Others provided false information to finish the transaction.

Question 12:

(a) Have you ever thought about a Web site misusing your information and what do you think could happen? (b) Assume you ordered and paid for a book online. How can you be sure that the online book store does not sell your information (address, buying habits, ...) to somebody else?

Analysis/Summary:

(a) All of the respondents have thought about misuse of information. They were mostly concerned about unsolicited phone calls, email or physical mail, caused by the Web site through selling the respondent's information. Three of the respondents were concerned about misuse of credit card information.

(b) None of the respondents was sure but two of them mentioned that Web sites should be held responsible from a legal point of view if they perform other actions than stated in their privacy statement.

Question 13:

Have you ever experienced any kind of misuse (such as unsolicited email) and if so, what kind of misuse?

Analysis/Summary:

Seven respondents have experienced misuse that happened as a result of online transactions they performed. The misuse was mostly unsolicited email or physical mail. The rest (six) never experienced any misuse or were unable to relate the misuse to a specific online transaction.

Question 14:

How do you estimate the risk of misuse of information given away in online transactions compared to ordinary transactions, such as filling out a form in a bank or paying with your credit card in a store?

Analysis/Summary:

Fifty percent of the respondents thought that the risk is slightly or much higher, mainly for the following reasons:

  • Information is already in machine readable form which makes it easier and quicker to misuse. (Hard to physically control access to data.)
  • Dealing with real people makes people feel better (emotional aspect).

The other respondents estimated the risk to be the same. None of the respondents estimated the risk to be smaller.

Privacy Policies

    In this section, the respondents were asked questions in regards to privacy policies of Web sites and their experience with them.

Questions and Analysis

Question 15:

What would you like to know about a Web site when it requests information from you?

Analysis/Summary:

The respondents wanted information about the following things:

  • Why the Web site requires this information and what it is and isn't going to do with it (purpose). (8)
  • A person or institution behind this Web site who is responsible for the Web site (physical location). (5)
  • How long do they keep the information and how well is it protected (security). (4)
  • A promise that the Web site would not do anything with the information that the respondent does not want (e.g., selling the information). (3)
  • The Web site's reputation. (3)
  • Who stores and who has access to the information. (3)

It seems that the currently existing technology is not sufficient. All of the respondents would like to know more about the Web site than they learn during a transaction.

Question 16:

Some Web sites contain a privacy policy statement. (a) Have you ever read such a statement? (b) Would you know how to find one if you wanted to read it?

Analysis/Summary:

(a) Two thirds of the respondents have read one or more privacy policy statements.

(b) Five of the respondents either did not know at all how to get to a Web site's privacy policy statement or only knew how to get to it if the Web site had an explicit link (or button) that was shown during the transaction. The other respondents knew in general how to get to a statement or how to search for it.

Question 17:

(a) If you looked at a Web site's privacy policy, did you read the whole statement, or did you quit after a while because it was too long? (b) In case you quit, did you finish the transaction anyways?

Analysis/Summary:

(a) All of the respondents who have read a privacy statement before admitted that they had quit reading a statement because it was too long or too complicated.

(b) All of the respondents (except one) who quit reading the privacy policy statement finished one or more transactions anyways.

Question 18:

Did you ever make a decision whether to finish a transaction based on the content of a Web site's privacy policy? Why?

Analysis/Summary:

Of all the respondents who have ever read a privacy policy statement, only two based their decision whether to finish or abort a transaction on the content of the privacy policy statement. The rest of the respondents trusted the Web site because of the presence of a privacy policy or other personal beliefs, knowledge or experience.

Conclusions

    The last section of the survey was intended to give the respondents the opportunity to express their ideas about how they would like the Web to be in regards to privacy and online transactions.

Questions and Analysis

Question 19:

Reading a Web site's privacy policy may require a lot of effort and knowledge of juristic terms. What do you think needs to be done, to make online transactions easier and safer for a user?

Analysis/Summary:

Listed below are some of the responses:

  • Short and simple privacy policies, easy to understand. (4)
  • Multilanguage policies and privacy policy standard. (3)
  • Certificates and trust center. (3)
  • Security (Encryption). (3)
  • Law enforcement, penalties if policies are violated. (2)
  • Mechanism to keep track of Web transactions.
  • Another mechanism to provide the last piece of information to complete a transaction, such that the Web site would never have all of the information (via a trusted third party).

To summarize, the respondents find privacy policies appropriate and trustworthy but too complicated. Respondents also mentioned that Web sites should use better security, such as encryption.

Question 20:

Assume you could use a system that can automatically obtain Web sites' privacy policies and check and evaluate them against your personal needs and preferences. How would you configure such a system, i.e., what would your preferences look like regarding the release of personal information?

Analysis/Summary:

Below is the list of things that the respondents would like this system to do:

  • Give out minimal set of information. (6)
  • Only accept if promise not to resell information, otherwise abort transaction or warn user. (5)
  • Complete transaction with a reputable/trusted business. (2)
  • Distinction of what information to give out based on the business asking for it. (2)
  • Inform user when Web sites' practices would have the potential to violate the user's privacy based on his preferences.
  • Require secure connection.
  • System should ask the user if asked for certain information (e.g., credit card).
  • Default abort of transactions, accept in special cases.
  • Notification when a privacy policy changed.
  • Configurable options, such as privacy levels for certain kinds of information.

April 9, 1999 · Jörg Meyer · jmeyer@almaden.ibm.com