The Privacy Attitudes Questionnaire (PAQ) Turned 20: What’s Next for a Generalized Measure of Privacy Attitudes?

Abstract

Attitudes and concerns related to privacy are not homogeneous, but instead differ based on the individual and context at hand. Understanding how these attitudes and concerns vary could inform product, service, and policy design. Questionnaires, such as the Privacy Attitudes Questionnaire (PAQ), can be used to evaluate and derive implications from people’s privacy orientations in numerous domains, including healthcare, social media, and e-commerce. Our objective is to refine the PAQ to reflect areas of privacy concern in today’s landscape. The panel will serve as a forum for conversation about areas of privacy concern, guided by our panelists’ expertise and questions about demographic and user considerations for the revised PAQ, a framework-inspired understanding of privacy, and privacy in healthcare. Insights and perspectives arising from the discussion panel will be considered for subsequent revisions of the PAQ.

Keywords

privacy attitudes concerns questionnaire context healthcare

Introduction

Attitudes towards privacy vary across individuals and contexts alike, with one survey reported by Madden & Rainie (2015) demonstrating differences across both perspectives. The ability to engage in online activities anonymously, for example, was supported by some survey respondents and opposed by others. Furthermore, respondents reported having more trust in credit card companies keeping their personal information confidential as compared to the government and home phone service companies. Alan Westin also recognized that privacy attitudes vary across individuals and grouped people based on their levels of concern: “Privacy Fundamentalists”, “Privacy Pragmatists”, and “Privacy Unconcerned” (Kumaraguru & Cranor, 2005). Understanding individuals’ privacy attitudes and where these vary, based on context, could have important implications for the design of products and services that handle personal information. Development of privacy policies would also benefit from understanding people’s expectations of how their rights to privacy should be safeguarded, and which entities should have access to what types of personal information.

Going back around half a century, several questionnaires have been developed that assess people’s privacy attitudes and concerns. Among these are a questionnaire developed by Pedersen (1979), Westin’s questionnaires as described by Kumaraguru & Cranor (2005), and a questionnaire assessing privacy attitudes published by Buchanan et al. (2007). Some of these questionnaires were developed before certain technologies with privacy implications, such as smartphones, social media platforms, and large-scale data science initiatives, entered widespread use. Additionally, the questionnaire developed by Buchanan et al. (2007) is dedicated towards privacy concerns associated with information technologies and does not encompass additional contexts and constructs, such as physical privacy as described by Stuart et al. (2019), that could be assessed in future questionnaires.

An additional questionnaire that was developed over two decades ago is the Privacy Attitudes Questionnaire (PAQ) (Chignell et al., 2003), which is provided in the Appendix and has seen an increase in use over recent years. However, the questionnaire has not been updated since its publication, and some articles citing the PAQ, such as Li et al. (2004) and van de Garde-Perik et al. (2008), suggest areas for improvement. To enhance its utility, our objective is to update the PAQ to reflect modern privacy concerns and relevant constructs. We are currently carrying out a review of the literature discussing privacy concerns and hope to supplement the review with feedback from this panel at the HFES 67th International Annual Meeting, incorporating resulting comments and insights into the development and validation of a forthcoming updated version of the PAQ.

Original PAQ: USE and Insights

The PAQ was originally developed over twenty years ago to fill a gap in measuring attitudes towards privacy. The questions for the first draft of the PAQ arose from a workshop with around 50 participants that was held at an IBM CASCON conference in Toronto, Canada. The CASCON participants at the time were largely members of industry and academia with an interest in technology and thus the resulting PAQ was influenced by a fairly large group of people, but one that does not represent a full cross-section of society. Due to its origins, the PAQ may also reflect Canadian and perhaps North American sensibilities about privacy. After revisions, the resulting PAQ was published (Chignell et al., 2003) with four subscales: E: Exposure; M: Willingness to be Monitored; P: Interest in Protection; and PI: Willingness to Share Personal Information. The need for a general measure of privacy attitudes is demonstrated by the fact that the PAQ continues to be used in research, in spite of the fact that it was created before the rise of social media, smartphones, and many other technologies.

When it was originally developed, the PAQ was never expected to be the last word in measuring privacy attitudes and the researchers at the time expected that it would be updated within a few years. The need for a new version of the PAQ is further spurred by the vast number of technological changes occurring in the past two decades that have an impact on how people express their privacy attitudes. In preparing for a new version of the PAQ, we have been reviewing how the original version has been used over the past two decades, and we have also reviewed other research literature relating to privacy attitudes. Between the PAQ’s publication in 2003 and July of 2023, the paper introducing the original questionnaire received 37 citations. Among these citations, 23 publications reported using or attempting to use the PAQ. Table 1 outlines the areas to which the original PAQ has been applied, demonstrating its utility across multiple domains. However, it is important to note that although more than one application area applies to many of these publications, each is only accounted for once within Table 1 for simplicity.

Table 1.

Application areas covered by publications that used or attempted to use the original PAQ between its publication and July of 2023.

Application Area	Number of Publications
Audio/visual capture and smart/mobile technologies	4
Biometrics	1
Education	2
Health	7
Location-based services and scheduling technologies	6
Personalization	2
Privacy intrusions	1

Among these publications, some point to aspects of the PAQ that could be improved. For example, Li et al. (2004) and van de Garde-Perik et al. (2008) suggest that questionnaires tailored to particular contexts better suit context-specific research. Furthermore, the reliabilities of the PAQ’s subscales as reported by LaJoie et al. (2022) suggest that future improvements could strengthen them.

Discussion Panelists

Our discussion panel will be moderated by Dr. Wayne Giang from the University of Florida and will consist of three panelists from academic settings and industry. These panelists will lead the discussion from the perspectives of demographic and user considerations for the PAQ, conceptualizing privacy, and privacy implications associated with emerging healthcare technologies.

Alyssa Iglar

MASc Student, Department of Mechanical and Industrial Engineering, University of Toronto. The PAQ assesses privacy attitudes generally across several contexts. However, we need to consider how to handle situations where a context may only apply to certain demographics. For example, a survey conducted in 2021 revealed that 28% of adults in the United States were not social media users (Auxier & Anderson, 2021). Moreover, a greater percentage of older adults did not use social media compared to other adult age groups. However, while not universally utilized, social media has inspired concerns about personal information collection and data breaches (Rainie, 2018). These concerns should be reflected in the next version of the PAQ. To ensure that the questionnaire’s items are applicable to the general population, consideration needs to be paid to the number and phrasing of items covering specific domains including social media. Consideration should also be given to specific groups’ needs when developing a general questionnaire. For example, healthcare organizations might be interested in evaluating the impact of employees’ privacy attitudes on management (or mismanagement) of confidential information within the organization. As a general questionnaire, the PAQ covers several domains of privacy that would not be of interest to these users.

Given our intention for the PAQ to remain a general questionnaire that considers multiple privacy-informing contexts, we need to consider a balance between not having too many questionnaire items while also covering as many main contexts and demographic groups as possible.

Dr. Reza Samavi

Associate Professor, Department of Electrical, Computer, and Biomedical Engineering, Toronto Metropolitan University. Since the PAQ was published 20 years ago, public concerns about privacy threats have increased considerably. Dominant privacy concerns at the turn of the 21^st century included the impact of surveillance cameras and large databases collected by e-commerce. However, since then the rapid rise of technologies, the World Wide Web, and social media has created a situation where companies like Twitter, Instagram, and Facebook profile billions of individuals based on their activities, following individuals temporally and spatially based on their digital footprints. The resulting analysis and behavioural prediction of individuals is creating a ubiquitous surveillance environment where the privacy concerns at the turn of this century seem almost quaint.

Interestingly, individuals’ privacy attitudes towards these new systems and technologies have not been rigid. Some socio-technical systems (e.g., the Cambridge Analytica case; Hinds et al., 2020) created a huge privacy concern. In contrast, using complex digital device connectivity to trace COVID-19 cases or using networks of medical devices for health monitoring have received much less concern. Policymakers' and governments' reactions to these new technologies and their impacts on privacy have also been very diverse. How can these differences in individual attitudes be explained, and why are some technologies, legislations, and policies favoured by some groups of individuals and not by others?

In this panel discussion, my presentation will focus on the difficulties and even impossibilities of providing a uniform definition of privacy. Then, looking at privacy from the lens of contextual integrity (CI; Nissenbaum, 2009), I will posit that individuals’ privacy attitudes (and their differences) can be better understood when privacy is expressed in terms of the appropriateness of information flow in the context of new technology. The appropriateness is also not uniform. In addition to the rules and regulations that govern every society, it largely depends on the written and unwritten norms a society is formed around. On a more granular level, it also depends on the characteristics of the context the technology is being used. I will argue that the theory of contextual integrity provides a well-formed prescriptive and proscriptive framework for the interconnectivity of human privacy attitudes, new technologies (or, in CI’s terms, socio-technical systems) and societal norms, as shown in Figure 1. The new PAQ needs to be evolved to capture how individuals differ in terms of what they see as appropriate (and inappropriate) information flow.

Figure 1.

An understanding of privacy framed by CI.

Kopiha Nathan

Privacy and Compliance Officer, Healthcare Insurance Reciprocal of Canada. Healthcare is experiencing a rapid growth in the adoption of advanced technology solutions such as virtual care, inter-connected operational technology medical devices, wearable technology and Artificial Intelligence-informed healthcare systems. These advancements in technology heavily rely on the collection and use of sensitive data including personal health information (PHI). PHI involves some of the most sensitive information about a person (Cavoukian, 2004). Inherent data privacy challenges in healthcare are further complicated by the increased presence of cybersecurity threats. Canadian and most North American healthcare organizations are subject to cyber attacks resulting in compromised critical information systems and data/privacy breaches.

It is critical from a risk management perspective, that healthcare organizations, health technology vendors, medical device manufacturers, and commercial manufacturers of wearable technology that track PHI, take a committed approach to understand privacy implications during the design phase of manufacturing or implementing advanced healthcare technology solutions. A systematic privacy attitude measurement, such as an enhanced version of the PAQ, can provide a systematic approach to gathering meaningful data, supporting the incorporation of Privacy by Design (Cavoukian, 2011) principles within technological advancements.

Conclusion

As a construct that evades a single and comprehensive definition, privacy can be understood and conceptualized in numerous ways. Considerations and implications associated with privacy also differ based on context, whether it be patient care in hospitals, personal information sharing through social media, or financial information requested by e-commerce sites.

Questionnaires, such as the PAQ, offer a means to better understand the degree and nature of public concern about privacy and to identify how individuals or groups of people differ in terms of these considerations (Chignell et al., 2003; Kumaraguru & Cranor, 2005). A question that could be considered for future revisions of the PAQ is whether the tool would better serve those using it (1) as a means to understand psychological factors underlying individual differences in privacy attitudes or (2) as a guide for the design of products, services, or policies.

We expect to gain new insights from this panel and will follow up with generation of potential items for the revised version of the PAQ. We will then carry out survey research to examine the reliability and usefulness of the new items based on how they predict privacy-related behaviors and what new underlying factors they generate.

These considerations, as well as our panelists’ expertise and questions, will guide the discussion panel at the Annual Meeting. Our objective is to engage in conversations with attendees about areas of privacy concern and additional considerations that would enhance the utility and rigor of the PAQ as an instrument for assessing privacy attitudes and degrees of concern.

Footnotes

Appendix

The original PAQ (Chignell et al., 2003) consists of 36 items in total within four subscales: Exposure, Willingness to be Monitored, Interest in Protection, and Willingness to Share Personal Information. These items, as listed below, require respondents to express agreement or disagreement with each statement by providing a numeric rating along a five-point Likert scale (1: strongly disagree, 2: disagree, 3: neither agree nor disagree, 4: agree, 5: strongly agree). Items listed with ‘(-)’ beside them should have the scale reversed before calculating subscale scores. Scores along each subscale may be obtained by summing the ratings across all items within the subscale. Chignell et al. (2003) also suggest randomizing the order of the items before administering the PAQ.

Acknowledgements

We would like to acknowledge the work that Anabel Quan-Haase and Jacek Gwizdka did in helping to develop the original version of the PAQ, as well as the researchers who have used the PAQ in the intervening years and have inspired us to update it.

ORCID iD

Wayne C. W. Giang

References

Auxier

Anderson

(2021, April 7). Social media use in 2021. Pew Research Center. https://www.pewresearch.org/internet/2021/04/07/social-media-use-in-2021

Buchanan

Paine

Joinson

A. N.

Reips

U.-D.

(2007). Development of measures of online privacy concern and protection for use on the Internet. Journal of the American Society for Information Science and Technology, 58(2), 157–165. https://doi.org/10.1002/asi.20459

Cavoukian

(2004). A guide to the Personal Health Information Protection Act. Information and Privacy Commissioner/Ontario. https://www.ipc.on.ca/wp-content/uploads/Resources/hguide-e.pdf

Cavoukian

(2011). Privacy by Design: The 7 foundational principles [Fact sheet]. Information and Privacy Commissioner of Ontario. https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf

Chignell

M. H.

Quan-Haase

Gwizdka

(2003). The Privacy Attitudes Questionnaire (PAQ): Initial development and validation. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 47(11), 1326–1330. https://doi.org/10.1177/154193120304701102

Hinds

Williams

E. J.

Joinson

A. N.

(2020). “It wouldn't happen to me”: Privacy concerns and perspectives following the Cambridge Analytica scandal. International Journal of Human-Computer Studies, 143, Article 102498. https://doi.org/10.1016/j.ijhcs.2020.102498

Kumaraguru

Cranor

L. F.

(2005). Privacy indexes: A survey of Westin’s studies. Institute for Software Research International. https://www.cs.cmu.edu/~ponguru/CMU-ISRI-05-138.pdf

LaJoie

A. S.

Holm

R. H.

Anderson

L. B.

Ness

H. D.

Smith

(2022). Nationwide public perceptions regarding the acceptance of using wastewater for community health monitoring in the United States. PLoS ONE, 17(10), Article e0275075. https://doi.org/10.1371/journal.pone.0275075

Chignell

Pabani

(2004). Patient attitudes to privacy of electronic health records. University of Toronto. https://www.academia.edu/2623483/Patient_Attitudes_to_Privacy_of_Electronic_Health_Records

10.

Madden

Rainie

(2015, May 20). Americans’ attitudes about privacy, security and surveillance. Pew Research Center. https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/

11.

Nissenbaum

(2009). Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press.

12.

Pedersen

D. M.

(1979). Dimensions of privacy. Perceptual and Motor Skills, 48(3_suppl), 1291–1297. https://doi.org/10.2466/pms.1979.48.3c.1291

13.

Rainie

(2018, March 27). Americans’ complicated feelings about social media in an era of privacy concerns. Pew Research Center. https://www.pewresearch.org/fact-tank/2018/03/27/americans-complicated-feelings-about-social-media-in-an-era-of-privacy-concerns/

14.

Stuart

Bandara

A. K.

Levine

(2019). The psychology of privacy in the digital age. Social and Personality Psychology Compass, 13(11), Article e12507. https://doi.org/10.1111/spc3.12507

15.

van de Garde-Perik

Markopoulos

de Ruyter

Eggen

Ijsselsteijn

(2008). Investigating privacy attitudes and behavior in relation to personalization. Social Science Computer Review, 26(1), 20–43. https://doi.org/10.11770894439307307682