Internet Privacy
Internet Privacy
Internet Privacy
James Y. L. Thong
Department of ISOM, Hong Kong University of Science and Technology, Clear Water Bay, Kowloon, HONG KONG {jthong@ust.hk}
Internet privacy concerns (IPC) is an area of study that is receiving increased attention due to the huge amount of personal information being gathered, stored, transmitted, and published on the Internet. While there is an emerging literature on IPC, there is limited agreement about its conceptualization in terms of its key dimensions and its factor structure. Based on the multidimensional developmental theory and a review of the prior literature, we identify alternative conceptualizations of IPC. We examine the various conceptualizations of IPC with four online surveys involving nearly 4,000 Internet users. As a baseline, study 1 compares the integrated conceptualization of IPC to two existing conceptualizations in the literature. While the results provide support for the integrated conceptualization, the second-order factor model does not outperform the correlated first-order factor model. Study 2 replicates the study on a different sample and confirms the results of study 1. We also investigate whether the prior results are affected by the different perspectives adopted in the wording of items in the original instruments. In study 3, we find that focusing on ones concern for website behavior (rather than ones expectation of website behavior) and adopting a consistent perspective in the wording of the items help to improve the validity of the factor structure. We then examine the hypothesized third-order conceptualizations of IPC through a number of alternative higher-order models. The empirical results confirm that, in general, the third-order conceptualizations of IPC outperform their lower-order alternatives. In addition, the conceptualization of IPC that has the best fit with the data contains a third-order general IPC factor, two second-order factors of interaction management and information management, and six first-order factors (i.e., collection, secondary usage, errors, improper access, control, and awareness). Study 4 cross-validates the results with another data set and examines IPC within the context of a nomological network. The results confirm that the third-order conceptualization of IPC has nomological validity, and it is a significant determinant of both trusting beliefs and risk beliefs. Our research helps to resolve inconsistencies in the key underlying dimensions of IPC, the factor structure of IPC, and the wording of the original items in prior instruments of IPC. Finally, we discuss the implications of this research. Keywords: Internet privacy concerns, information privacy concerns, online privacy, multidimensional development theory, higher-order factors, confirmatory factor analysis, LISREL, nomological validity
Mike Morris was the accepting senior editor for this paper. Hock Chuan Chan served as the associate editor.
Appendices B and C for this paper are located in the Online Supplements section of the MIS Quarterlys website (http://www.misq.org).
275
Introduction
Information privacy, defined as the ability of the individual to control when, how, and to what extent his or her personal information is communicated to others (Westin 1967), is one of the most important ethical, legal, social, and political issue of the information age (Culnan and Bies 2003; Milberg et al. 2000). The increase in digitalized personal information and advances in Internet technologies pose new challenges to consumers information privacy (Angst and Agarwal 2009; Malhotra et al. 2004; Ward et al. 2005). On one hand, personalized web services and business intelligence software require the collection and mining of unprecedented amounts of personally identifying information (Li and Sarkar 2006). On the other hand, as consumers become content providers on web blogs and social networking websites, their personal information becomes more vulnerable. Lawsuits against popular websites (e.g., Google Buzz, Facebook Beacon, and AOL ValueClick) for violation of online privacy, and the implementation of online privacy protection acts (e.g., Federal Trade Commission 2007), are evidence of the increased importance and interest in online privacy. Researchers are also advocating a reexamination of privacy concerns to reflect the contemporary nature of this dynamic construct (Chen et al. 2008; Malhotra et al. 2004). Under these conditions, understanding individuals privacy concerns is fundamental to the success of emerging Internet technologies. In this paper, we focus on Internet privacy concerns (IPC), which is a special case of the more general information privacy concerns. The Internet is becoming one of the most popular media through which consumers personal information is transmitted and collected by numerous companies. In particular, we are interested in studying IPC as a perception in a dyadic relationship between an individual and an online entity, which can either be a particular website or a category of websites, such as commercial websites. Similar definitions have been adopted in recent publications on IPC (e.g., Malhotra et al. 2004; Son and Kim 2008), in which IPC is defined as the degree to which an Internet user is concerned about website practices related to the collection and use of his or her personal information. According to this definition, IPC reflects an individuals perception of his or her concern for how personal information is handled by websites, which is different from his or her expectation of how websites should handle his or her personal information. For example, an individual may expect a website to provide adequate protection of his or her personal information, but it does not necessarily mean that this individual is genuinely concerned about providing his or her personal information to the website. Given the importance of information privacy concerns, and IPC in particular in the Internet age, there have been many
attempts to conceptualize them. However, there is a lack of consistency in these conceptualizations. In past research, information privacy concerns and IPC have been conceptualized as a single first-order factor (e.g., Buchanan et al. 2007; Eastlick et al. 2006; Liu et al. 2005), multiple first-order factors (e.g., Chen and Rea 2004; Culnan 1993; Earp et al. 2005; Smith et al. 1996), and a second-order construct (e.g., Alge et al. 2006; Castaneda et al. 2007; Malhotra et al. 2004; Stewart and Segars 2002). Even in studies where they are recognized as a second-order construct, there is little consensus on the underlying first-order factors or dimensions. In addition, there is little agreement on the definitions and operationalization of the first-order factors. For instance, dimensions that are measured similarly are named and defined differently across studies (e.g., concerns about unauthorized access to personal information is conceptualized as unauthorized access in Smith et al. 1996; information storage in Earp et al. 2005; and unauthorized usage in Chen and Rea 2004). The definitions of some dimensions include multiple subdimensions (e.g., control over collection and usage of information dimension in Sheehan and Hoy 2000), while others are defined to be one thing but have items measuring other dimensions (e.g., concerns of unauthorized use dimension in Chen and Rea has items measuring both unauthorized access and secondary usage). Some studies propose an overall general dimension, but an examination of the items reveals multiple subdimensions (e.g., Buchanan et al. 2007; Eastlick et al. 2006). Further, there are significant differences in the measurement of information privacy concerns and IPC. In most studies, individuals were asked to report their levels of agreement with privacy related items (e.g., Earp et al. 2005; Liu et al. 2005; Malhotra et al. 2004). However, the items are phrased from different perspectives, not only across different instruments, but also within the same instrument. For example, in Smith et al.s (1996) instrument, the items measuring the collection dimension reflect perception of ones concern for others behavior, while the items measuring the remaining dimensions reflect ones expectation of others behavior. These measurement differences may impact the consolidation of findings from prior studies. As this impact has not been examined previously, it will be useful to determine if there is a need to adopt a more consistent wording or perspective in measuring the dimensions of IPC. Given the different conceptualizations and measurements of IPC, it is critical to resolve the inconsistency in the prior literature and consolidate understanding of IPC so as to provide a foundation for future development of this dynamic and complex construct. This paper has two research objectives: (1) to develop an integrated conceptualization of IPC, and
276
(2) to validate the integrated conceptualization of IPC. We will use the multidimensional developmental theory (Laufer and Wolfe 1977) to identify alternative theoretical conceptualizations of IPC. We will review the prior literature to identify the key lower-order dimensions, determine the potential factor structures of the integrated conceptualization of IPC, and develop a consistent wording of items across dimensions. The validity of the integrated conceptualization of IPC will be examined through four large-scale empirical studies. The main contributions of this research are twopronged. First, we will contribute toward clarifying the conceptualization of IPC in terms of its factor structure, its underlying dimensions, and its operationalization. Second, we will provide empirical evidence for our proposed integrated conceptualization of IPC. In summary, this research will contribute to a better understanding of the conceptualization of IPC, and provide a reliable and valid instrument for research into IPC.
interpersonal interaction are central to IPC as defined in our paper, because they put privacy concern into a context and are congruent with individuals privacy concern as experienced in online activities. In applying MDT to the study of IPC, we made a few observations. First, IPC focuses on an individuals privacy concern as a result of interaction with websites, and such interaction typically involves the collection and usage of his or her personal information. Hence, we define the interaction management component of IPC more specifically as the ability of an individual to manage the collection and subsequent use of his or her personal information by websites. Second, as early as in the 1970s, researchers began to recognize the potential threat to the privacy of personal data by computer technologies (Rule 1974). In MDT, Laufer and Wolfe specifically noted that the presence of computerized personal data and how such data is managed is an important aspect of the information management component. Research has shown that online consumers are very concerned about the efforts of companies in protecting their personal data after it has been collected (Buchanan et al. 2007; Culnan and Williams 2009; Pavlou et al. 2007), and it is critical that companies take steps and formulate policies to protect the integrity and well-being of the data (Stewart and Segars 2002). Hence, when we examine the information management component of IPC, it is important to incorporate the individuals perception of how personal data is managed by websites. Third, MDT is ambiguous about the role of control and choice in understanding privacy concerns. On one hand, MDT argues that control and choice are two distinct elements related to privacy concerns, in addition to the self-development, environmental impact, and interpersonal aspects. Laufer and Wolfe (p. 37) refer to them as the ability to perceive options (i.e., awareness) and to exercise choice among options (i.e., control) when it comes to the management of personal information. This view of awareness and control is shared by other researchers. For example, social contract theory (Donaldson and Dunfee 1994), which has often been used to study privacy concerns, suggests that the fairness of collection of personal information on a website can only be justified if an online consumer is granted control and informed of the intended use of the information. Similarly, Culnan and Williams (2009) argue that consumers are vulnerable in their dealings with businesses due to a lack of information about and an inability to control the subsequent use of their personal information. Some researchers even define the conditions of privacy violation based on whether individuals are informed of or have control over how their personal information will be used (Culnan 1995; Foxman and
Theoretical Background
Multidimensional Developmental Theory
The multidimensional developmental theory (MDT) is a framework to understand individuals perceptions of privacy and privacy invasion (Laufer and Wolfe 1977). MDT argues that privacy concern is a multidimensional concept that can be described as a result of self-development, environmental impact, and, most importantly, interpersonal interaction. Selfdevelopment and environmental impact describe how individuals develop privacy concern over time, both as a result of a self-development process that focuses on autonomy and as a result of the impacts of cultural, social, and physical settings. According to Laufer and Wolfe (1977, p. 33), the interpersonal interaction aspect constitutes the core of privacy perception, as it assumes the existence of others and focuses on the relationship between an individual and others. This aspect of MDT is consistent with the dyadic relationship assumed in our definition of IPC, and therefore is most relevant to our research on IPC. In the context of IPC, interpersonal interaction can be viewed as an inter-webpersonal interaction which is a dyadic relationship between an individual and an online entity, such as a website. In addition, MDT proposes that the interpersonal interaction aspect of privacy has two main components: interaction management and information management. The interaction management component describes how an individual manages his or her interaction with others, while the information management component describes how an individual manages his or her personal information. These two components of
277
Kilcoyne 1993). The Fair Information Practices (FIP) act also identified the provision of sufficient notice and choice as two key aspects of privacy protection (Culnan and Bies 2003). On the other hand, MDT also relates control closely with the interpersonal interaction component of privacy, and describes it as an individuals loss of control over interactional boundaries (between oneself and other people) and loss of control over personal information. This conceptualization assumes that control is a part of interpersonal management. There is empirical support in prior research for such a conceptualization. For example, Sheehan and Hoy (2000) found that control over collection and usage of information emerges as the strongest factor in explaining the variance of IPC. Similarly, Fletcher and Peters (1997) measured privacy concerns as the degree of control required by consumers over personal information acquisition and use. Hann et al. (2007) argued that privacy can be viewed as control of information about the self, and such control requires that an individual manages the outflow of information as well as the subsequent disclosure of that information to third parties. Hence, an alternative view is that control is a natural part of interpersonal management efforts by the individual. Based on the above discussion, we propose four alternative theoretical frameworks for the IPC construct (see Figure 1). In accordance with MDT, IPC is conceptualized as a multidimensional construct in all of the frameworks. Specifically, theoretical framework 1a recognizes the unique roles of control and awareness in addition to other aspects of privacy concerns, and proposes three main dimensions of IPC, including inter-webpersonal dimension, control dimension, and awareness dimension. Theoretical framework 1b reflects the alternative conceptualization of control, where it is considered to be part of the inter-webpersonal dimension, and thus not included as a main dimension of IPC. In theoretical frameworks 2a and 2b, we decompose the inter-web personal dimension into interaction management and information management, while preserving the other dimensions proposed in theoretical frameworks 1a and 1b. Next, we proceed with a literature review to see how these main dimensions are captured and reflected in prior research.
develop an integrated conceptualization of IPC. We included both studies on information privacy concerns and studies on IPC in particular, as information privacy concerns research conducted before the Internet age can also inform privacy research in the online environment. Table 1 summarizes the research from various disciplines.2 Key Dimensions of IPC We first identify the key dimensions of IPC in the extant literature and relate them to the theoretical frameworks developed earlier based on MDT. However, not all studies provide clear definitions of their dimensions, and in some studies, the items tap different dimensions (e.g., Harris et al. 2003; Liu et al. 2005; Sheehan and Hoy 2000). Even when clear descriptions of the dimensions are provided, the definitions and the nature of these dimensions often vary across studies (e.g., Alge et al. 2006; Chen and Rea 2004). Hence, it was necessary to also examine the instruments to confirm the dimensions. We identified the key dimensions of IPC and related them to the proposed theoretical frameworks in two stages. In the first stage, four academics independently identified relevant dimensions and reviewed the instruments to confirm which dimensions they represent. After independent reviews, a group discussion was held to resolve any differences. Our investigation identified six key dimensions that are most commonly utilized in prior conceptualizations of IPC. They are collection, secondary usage, errors, improper access, control, and awareness. We adapted the definitions of these dimensions to the current research context. Specifically, collection is the degree to which a person is concerned about the amount of individual-specific data possessed by websites (Malhotra et al. 2004). Secondary usage is the degree to which a person is concerned that personal information is collected by websites for one purpose but is used for another, secondary purpose without authorization from the individual (Smith et al. 1996). Errors is the degree to which a person is concerned that protections against deliberate and accidental errors in personal data collected by websites are inadequate (Smith et al. 1996). Improper access is the degree to which a person is concerned that personal information held by websites is readily available to people not properly authorized to view or work with the data (Smith et al. 1996). Control is the degree to which a person is concerned that he/she does not have adequate control over his/her personal information held by websites (Malhotra et al. 2004). Finally, awareness is the
Literature Review
We reviewed the prior literature from various disciplines to determine (1) the key dimensions of IPC identified in prior research and how they fit into the theoretical frameworks we proposed earlier; (2) the existing factor structures of IPC in prior research; and (3) how IPC is measured in the various instruments. Our goal is to consolidate findings from existing research into the theoretical frameworks based on MDT, and
We included the original papers that proposed and used unique measurement of information privacy concerns or IPC. Papers that applied previously developed instruments (such as the instruments developed by Smith et al. 1996 and Malhotra et al. 2004) were excluded.
278
Theoretical Framework 1a
IPC
Theoretical Framework 1b
IPC
Inter-WebPersonal
Control
Awareness
Inter-WebPersonal
Awareness
Theoretical Framework 2a
IPC
Theoretical Framework 2b
IPC
Interaction Management
Information Management
Control
Awareness
Interaction Management
Information Management
Awareness
degree to which a person is concerned about his/her awareness of information privacy practices by websites (Malhotra et al. 2004). In addition to the six key dimensions, there are other aspects of IPC proposed in several studies. One concern is the fear that ones browsing or clicking behavior is being monitored or tracked (Dinev and Hart 2004; Earp et al. 2005). As monitoring represents a form of data collection from Internet users, it can be captured by the collection dimension. It can also belong to the awareness dimension depending on whether users are informed of the practice or not. Other concerns include identity issues (i.e., uncertainty of the identity of others over the Internet), which are not directly related to concerns about the privacy of ones own personal information; legal issues (i.e., inadequate laws in place to protect online privacy), which do not necessarily provide an indication of how ones personal information is actually handled by websites; application issues (e.g., websites using personal information to provide highly customized services), which are services enabled by personal information collected; security issues, which are distinct from privacy issues (Pavlou et al. 2007); and issues that may affect IPC but are not part of it (e.g., computer viruses, familiarity with the website, whether compensations are provided, etc.). As these concerns are not directly related to IPC, we do not incorporate them into our conceptualization of IPC. In the second stage, the same four academics independently relate the six key dimensions to the theoretical frameworks
proposed by MDT. A group discussion was held to resolve any differences. As Table 1 shows, the collection and secondary usage dimensions are core components of privacy concerns that are most commonly identified in prior research. In addition, they both reflect the interaction management dimension of IPC as they describe how an individual manages the collection and subsequent use of his/her personal information by websites. Further, an individuals concerns over the integrity and well-being of his/her personal information are reflected in the errors and improper access dimensions of IPC. Both of these dimensions describe common threats to personal information after it is collected by websites, if not managed properly. Next, control is a complex factor that is considered by some researchers as a distinct dimension of IPC (e.g., Culnan 1993; Malhotra et al. 2004), while other researchers considered it to be part of the interaction management dimension (e.g., Castaneda et al. 2007; Sheehan and Hoy 2000). Two interesting observations can be made here. First, the ambiguity with the control dimension coincides with the alternative conceptualizations of control in the theoretical frameworks based on MDT. Both conceptualizations of control have received some support from the literature. Thus, it is critical to examine both conceptualizations in our study of IPC. Second, virtually no prior study has considered control as part of the information management dimension, probably because our definition of the information management dimension focuses more on websites, and individuals may not perceive themselves as having control over how websites manage their data. Awareness is often identified as a unique factor of IPC, probably because regardless of the interaction
279
280
management or information management practices a website adopts, it can choose to let individuals be aware of it or not. Factor Structure of IPC Our literature review also found little agreement in terms of the factor structure of IPC. Nevertheless, two findings are evident from prior research. First, IPC is a multifacet construct as reflected in the majority of studies in Table 1. Even in studies that conceptualized IPC as a single factor, a close examination of the items shows that they cover multiple dimensions. All of these conceptualizations of the factor structure of IPC are consistent with MDT, which recognizes privacy concerns as a multidimensional construct. Second, there may be a higher-order general construct of IPC that accounts for the lower-order dimensions of IPC. For instance, IPC has been conceptualized and empirically validated as a second-order construct (e.g., Alge et al. 2006; Castaneda et al. 2007; Malhotra et al. 2004); similarly for information privacy concerns (e.g., Stewart and Segars 2002). There are many benefits to higher-order constructs. They can provide a higher level of abstraction than their underlying dimensions, making it easier to examine the relationship between the construct and its related antecedent and dependent constructs in a nomological network (Marsh and Hocevar 1985). Higher-order constructs are also more parsimonious due to the gain in the degrees of freedom (Edwards 2001; Rindskopf and Rose 1988). In addition, a higher-order construct allows an examination of the relative strengths of the lower-order constructs. Factor loadings can represent how reliably each of the lower-order constructs reflects the higherorder construct and how important each of them is (Cheung 2008). Finally, a higher-order factor structure provides the flexibility to encompass additional factors at lower levels when needed (Harlow and Newcomb 1990). On examining the main components of IPC identified through MDT and the key lower-order dimensions of IPC identified in the literature, IPC may even be a third-order construct. The reason IPC has been identified as a second-order factor in the prior literature may be because the lower-order dimensions included in prior studies belong to only one main component of IPC. For example, Smith et al.s (1996) instrument has four dimensions, which all fall into the inter-webpersonal component. Similarly, Alge et al.s (2006) instrument has three dimensions, which all belong to the interaction management dimension. Our review of studies on higher-order factors, most of which are in the psychology and management literature (e.g., Erez
and Judge 2001; Goffin and Jackson 1988; Harlow and Newcomb 1990; Keeping and Levy 2000; Reddy and LaBarbera 1985; Scullen et al. 2003), found that the identification of higher-order factors should be driven by a theoretical definition of the construct followed by a review of prior empirical and theoretical research to identify a plausible set of lower-order dimensions. A third-order factor structure may be necessary when more than one of the lower-order dimensions loads on a single facet of the theoretically defined construct.3 The presence of multiple dimensions of IPC and the assortment of second-order factor structures for IPC suggest the possibility of a higher-order construct. In the next section, we examine alternative models of IPC to see if a third-order factor structure is desirable. Alternative Models of IPC Based on the theoretical frameworks identified through MDT and our uncovering of the key dimensions in the existing privacy literature, we propose a number of alternative models of IPC (see Figure 2). As a baseline, we will examine how well an integrated conceptualization of IPC encompassing the six key dimensions compares to two popular conceptualizations in the prior literature. Model 1 represents Stewart and Segarss (2002) second-order factor model with Smith et al.s (1996) four first-order factors. Model 2 represents Malhotra et al.s (2004) second-order factor model with three first-order factors. Model 3 hypothesizes a model with six correlated first-order factors (with each key dimension as a first-order factor). Such a model is typically included as a baseline model when testing for higher-order models (Rubio et al. 2001). Finally, Model 4 imposes a second-order factor of IPC on the six first-order factors. Next, we propose eight alternative higher-order models based on the theoretical frameworks identified by MDT. Specifically, we propose a pair of models for each theoretical framework, with one model incorporating a third-order general factor of IPC and the other model being its lower-order alternative. A third-order factor imposes a structure on the pattern of correlations among its lower-order factors (Rindskopf and Rose 1988). In confirmatory factor analysis (CFA), when a higher-order factor is not included, the lower-order factors are typically allowed to freely correlate with each other. There
For example, the meaning and satisfaction in life construct has three theoretical components, including relationship satisfaction, purposeful living, and work and health satisfaction (Harlow and Newcomb, 1990). In turn, each component has multiple lower-order factors. For example, the relationship satisfaction component has three subdimensions: peer relationships, intimate relationships, and family relationships.
281
1st-Order Factors Collection Secondary Usage Errors Improper Access Control Awareness
Theoretical Framework 1a 1st-Order Factors Collection Secondary Usage Errors Improper Access Control Awareness Model 5 Model 6
Theoretical Framework 2a 1st-Order Factors Collection Secondary Usage Errors Improper Access Control Awareness Model 9 Model 10
*S stands for a general second-order IPC; S1 stands for a second-order factor of inter-webpersonal management; S2 stands for a second-order factor of interaction management; S3 stands for a second-order factor of information management; and T stands for a general third-order factor.
282
are a few criteria to help determine whether a higher-order factor is needed for a complex construct. First, a higher-order factor is more likely to exist if the correlations among the lower-order factors are relatively high (Marsh and Hocevar 1985). Second, a comparison of the goodness of fit statistics between the higher-order model and the lower-order alternative model will inform us whether the specification of the third-order general factor is reasonable (Rindskopf and Rose 1988). Third, in a nomological network, using lower-order factors (when there are relatively high correlations between them), instead of using their higher-order general factor, as direct determinants of the dependent variable can result in high error variance and inaccurate path coefficient estimates of the structural model, due to multicollinearity among firstorder factors (Reddy and LaBarbera 1985). Based on the above criteria, we can compare the validity of the proposed models. Models 5 and 6 are instantiations of theoretical framework 1a. Model 5 includes a second-order factor of inter-webpersonal dimension, and two first-order factors of control and awareness. This model theorizes that there are unique roles for control and awareness in addition to the inter-webpersonal dimension. Model 6 imposes a third-order general factor of IPC on Model 5 and theorizes that the lower-order dimensions are best represented by a general factor. Models 7 and 8 are instantiations of theoretical framework 1b. Model 7 includes one second-order factor of inter-web personal dimension, and one first-order factor of awareness. It represents the alternative view of control as being part of the inter-webpersonal dimension. Model 8 imposes a thirdorder general factor of IPC on Model 7 to reflect that the lower-order dimensions are best represented by a general factor. Models 9 and 10 are instantiations of theoretical framework 2a. Model 9 includes the two second-order factors of interaction management and information management, and the two first-order factors of control and awareness. This model differentiates between the interaction management and information management components of the inter-webpersonal dimension, and recognizes the unique roles of control and awareness. Model 10 imposes a third-order general factor of IPC on Model 9 and theorizes that the lower-order dimensions are best represented by a general factor. Models 11 and 12 are instantiated from theoretical framework 2b. Model 11 consists of the two second-order factors of interaction management and information management, and one first-order factor of awareness. This model differentiates between the interaction management and information man-
agement components of the inter-webpersonal dimension, and represents the alternative view that control is a part of the inter-webpersonal dimension.4 Model 12 imposes a thirdorder general factor of IPC on Model 11 to reflect that the lower-order dimensions are best represented by a general factor. Wording of Items: Perception Versus Expectation As part of our literature review, we also examined the wording of items in all of the instruments that were used to measure information privacy concerns and IPC. Some researchers have emphasized the importance of consistent wording in measuring multifaceted constructs (e.g., Marakas et al. 1998). A close scrutiny of the items measuring information privacy concerns and IPC reveals that there is inconsistency in wording both across instruments and sometimes within the same instruments. The majority of items can be categorized as either perception or expectation measures. Further, perception measures can be classified into two perspectives, the perception of ones concern for others behavior and the perception of others behavior, while the expectation measures typically describe ones expectation of others behavior. In the extant privacy literature, others refers to companies or websites that collect personal information. Items measuring the perception of ones concern for others behavior typically start with I am concerned, I mind, I feel, or It bothers me (see Appendix B). These measures reflect an individuals concern about company or website practices related to the collection, use, and management of his or her personal information, which fits closely with the definition of IPC as a perception of a dyadic relationship between an individual and a website. Items measuring the perception of others behavior typically start with My organization, Companies, The ABC website, etc. These items reflect an individuals perception of the privacy-protection or privacy-invasion practices of a company or website. While they describe the information handling practices that companies or websites adopt, they do not provide indications of how individuals may perceive or react to these practices. The fact that a website explains how it will use personal information can provide more assurance to one person than another. Also, a particular individual may or may not agree with the disclosed information handling
We also tested two alternative models in which control is modeled as a subdimension of information management, with and without the third-order general factor of IPC. The fit indices for these models are lower than Models 11 and 12, supporting the view of control as a subdimension of interaction management rather than of information management.
283
practices adopted by a website. Hence, this type of items may be more appropriate for the research context where the main purpose is to understand the status of existing information handling practices of companies or websites. Finally, items measuring expectation of others behavior typically start with Companies should, Companies should not, I want a website to, etc. These items reflect the expectations that individuals hold toward companies or websites in terms of the practices that should be adopted to handle their personal information. A problem with this type of measures is that they may provide misleading responses, as it costs individuals virtually nothing to expect and demand greater protection of their privacy (Harper and Singleton 2001). For example, while most people will respond positively to a statement such as Websites should protect personal information they collect from unauthorized secondary usage, it does not necessarily imply that they are concerned that websites are not doing the right things to protect them, nor does it necessarily inhibit them from providing their personal information online. This may explain why online consumers do not always act in line with their stated privacy preferences (Berendt et al. 2005; Srivastava 2009). Hence, phrasing items in terms of expectation may result in the measurement of a completely different construct from IPC. The differences in wording of items can have an impact on empirical validations of information privacy concerns and IPC. For instance, in Smith et al.s (1996) instrument, the items measuring the collection dimension are phrased as perception of ones concern for others behavior, while items measuring the errors, secondary usage, and improper access dimensions are phrased as expectation of others behavior. Tables 2 and 3 report the means of the four dimensions and their intercorrelations respectively in published empirical studies (i.e., Bellman et al. 2004; Malhotra et al. 2004; Milberg et al. 2000; Rose 2006; Van Slyke et al. 2006). As Table 2 shows, the collection dimension has a lower mean than the other three dimensions in 45 out of the 51 pairs of possible comparisons (88%). This is surprising as collection is a necessary antecedent to the other three dimensions, and has been recognized as one of the most important dimensions of information privacy (Hann et al. 2007; Westin 1967). Table 3 also shows that the collection dimension has a lower average correlation than the other three dimensions (i.e., 0.47 for collection; 0.53 for errors; 0.54 for secondary usage; and 0.58 for improper access) in prior studies that used Smith et al.s (1996) instrument. In view of the differences in wording of the items and the pattern of empirical data in past studies, there is a possibility that the existing items measuring the collection dimension may be tapping into a different construct
from the items measuring the other three dimensions. Recent studies using the instrument either showed that the collection dimension does not converge well with the other three dimensions of IPC (e.g., Angst and Agarwal 2009), or have omitted the collection dimension in their measurement of IPC (e.g., Hui et al. 2007; Junglas et al. 2008). In summary, the inconsistency in wording of items may affect the measurement of IPC.
Methodology
We conducted a series of studies to validate the alternative models of IPC that are derived from the various theoretical frameworks based on MDT. Figure 3 presents a roadmap of the four studies. Study 1 collected data on individuals IPC with commercial websites using items from existing instruments for the purpose of comparing the integrated conceptualization of IPC, which included six key dimensions, against two popular existing conceptualizations of IPC in prior research. Study 2 cross-validated the findings of study 1 on a new sample of individuals IPC with government websites, and examined the impact of inconsistent wording of items in the original instruments. Study 3 collected additional data on individuals IPC with commercial websites using revised wording of the items and reevaluated the factor structure of the integrated conceptualization of IPC through a number of higher-order models. Finally, study 4 cross-validated the findings of study 3 on a new sample of individuals IPC with government websites and assessed the nomological validity of the integrated conceptualization of IPC.
Study 1
The objectives of study 1 are to allow comparison with prior research using items from existing instruments, and to compare the integrated conceptualization of IPC (involving six key dimensions identified from the literature) against two popular existing conceptualizations of IPC. An online survey was conducted over a period of four weeks. We posted a banner advertisement of the survey on the homepage of a Hong Kong website. Incentives in the form of lucky draw prizes were offered to participants in the online survey. A total of 968 participants provided complete data for analysis. Table 4 presents the demographics for the sample. We used items from established instruments to measure the six key lower-order dimensions of IPC. Items for collection, errors, secondary usage, and improper access were taken from
284
Errors
Secondary Usage
Improper Access
1.00 1.00 1.00 1.00 1.00 0.421 0.512 0.503 0.454 0.435 0.551 0.822 0.683 0.614 0.405
1.00 1.00 1.00 1.00 1.00 0.601 0.752 0.813 0.644 0.455
Van Slyke et al. (2006); 2Rose (2006); 3Malhotra et al. (2004); 4Smith et al. (1996); 5Stewart and Segars (2002).
285
Study 1
1. Compare the baseline integrated conceptualization of IPC against two popular conceptualizations in the literature. 2. Replicate prior studies using items from existing instruments
Study 2
1. Examine impact of inconsistent wording of items in original instruments. 2. Cross-validate the findings of study 1 using a new sample.
Study 3
1. Resolve inconsistent wording of items and adopt a common perspective in measuring IPC. 2. Evaluate the alternative integrated conceptualizations of IPC with a new sample.
Study 4
1. Cross-validate the findings of study 3 using a new sample. 2. Assess the nomological validity of the best fitting theoretical model of IPC identified in study 3.
Smith et al. (1996), and items for control and awareness were taken from Malhotra et al. (2004).5 These two instruments were selected as they have undergone extensive empirical testing. To reduce the length of the questionnaire, we selected the three items with the highest loadings on each dimension (from Smith et al.). The items were adapted to the Internet context by replacing companies with commercial websites. Seven-point Likert scales with anchors ranging from strongly disagree to strongly agree were used for all items. The questionnaire was pilot tested on 40 staff in a
public university and was found to be reliable and valid (see Appendix C). Table 5 presents the descriptive statistics of the six key firstorder factors. The mean of the collection dimension was significantly lower than those of the other five dimensions, possibly due to the different wording/perspective adopted by the original items. We then examined four models of IPC. Model 1 was Stewart and Segarss (2002) second-order factor model with Smith et al.s four first-order factors. Model 2 was Malhotra et al.s second-order factor model with three first-order factors. Model 3 hypothesized a model with six correlated first-order factors (representing the six key dimensions identified from the literature). Finally, Model 4 imposed a second-order factor on the six first-order factors. We used LISREL to conduct confirmatory factor analysis (CFA). Models 1 and 2 showed good fit with the data (see Table 6). All fit indices were within the recommended ranges (Hair et al. 1998). As the two models were not nested within each other, we examined the AIC and CAIC fit indices. Model 2 had smaller AIC and CAIC, indicating a better fit. This is consistent with Malhotra et al., but should be interpreted with care as AIC and CAIC favor simpler models by taking parsimony (in terms of number of parameters) into account as well as fit (Jreskog and Srbom 1993). Thus,
We selected instruments that are most commonly used in prior research and their construct validity has been established through confirmatory factor analysis. Both Smith et al.s and Malhotra et al.s instruments met these criteria. Smith et al.s instrument is probably the most recognized instrument of privacy concern that has been used widely and tested extensively across various disciplines; recent studies include Angst and Agarwal (2009), Hui et al. (2007), Junglas et al. (2008), and Van Slyke et al. (2006). Malhotra et al.s instrument has also been adopted in recent studies on IPC (e.g., Okazaki et al. 2009; Yang and Wang 2009). The other instruments listed in Table 1 are mostly developed and used by their authors only. Thus, we chose Smith et al.s instrument to measure collection, secondary usage, errors, and improper access, and Malhotra et al.s instrument to measure control and awareness. Using existing instruments also enables us to compare our findings with those of prior research, and see how a change in perspective can affect the factor structure of even well-established instruments. This effort is imperative in terms of facilitating knowledge accumulation and knowledge development.
286
*The difference between the mean of the collection dimension and the other dimensions.
Fit Indices df /df Goodness-of-fit (GFI) Adjusted goodness-of-fit (AGFI) Normalized fit index (NFI) Non-normalized fit index (NNFI) Comparative fit index (CFI) Root mean square residual (RMSR) Root mean square error of approximation (RMSEA) Model AIC Model CAIC
Recommended Value N/A N/A #5 $ 0.90 $ 0.80 $ 0.90 $ 0.90 $ 0.90 # 0.10 # 0.08 N/A N/A
Model 2 (Malhotra et al. 2004) 84.94 24 3.54 0.98 0.96 0.99 0.99 0.99 0.043 0.052 128.05 251.43
Model 2 might have better fit than Model 1 because of its simplicity over Model 1. Models 3 and 4 demonstrated good fit with all fit indices within the recommended ranges. As Models 1 and 2 were not nested within Models 3 or 4, we used AIC and CAIC indices to compare their efficiency. Model 3 showed higher AIC and CAIC than Models 1 and 2, probably due to the increased complexity of the integrated conceptualization of IPC. Based on theoretical support for an integrated conceptualization of IPC, and their comparable fit indices with the less complex models, we concluded that the integrated conceptualization received decent support.
We examined the existence of a second-order construct by comparing Model 3 and Model 4. The goodness-of-fit of a higher-order model can never be better than that of the corresponding first-order model, as the higher-order model tries to explain all the covariance among the first-order factors with fewer parameters (Marsh and Hocevar 1985). Thus, we used the target coefficient (T), the ratio of the chi-square value from the first-order model to that of the second-order model, to assess the performance of the higher-order model. T has an upper limit of 1.0 when the covariance among the first-order factors is completely accounted for by the secondorder model, and a value of 0.90 or greater suggests that the higher-order factor provides a good explanation for correla-
287
tions between the lower-order factors (Marsh and Hocevar 1985). T was 0.74 when comparing Model 4 against Model 3, implying that the second-order model was not supported by the data. The factor loadings of two dimensions (collection and improper access) on the second-order factor were also lower than 0.70 (Fornell 1982) in Model 4. Hence, Model 4 did not provide satisfactory performance over Model 3. This result suggests that IPC may be a higher-order construct, as a single second-order factor cannot sufficiently explain the relationships among the first-order factors. There are two possible explanations: (1) the inconsistency in the wording of existing instruments may have affected the empirical validation of the factor structure of IPC, and (2) the six firstorder factors belong to more than one higher-order factor, consistent with the predictions of the various theoretical frameworks based on MDT, and thus do not converge into a single second-order factor. We examined these possibilities in studies 2 and 3.
1.02, p = 0.000) than in the other five dimensions (average || = 0.11, p = 0.15). The data supports our argument that while individuals perceptions of concerns for information collection are significantly lower for government websites than for commercial websites, they have similar expectations for both types of websites in protecting their privacy. The CFA results for the four models were similar to study 1. While the fit indices were all acceptable, Model 4 again failed to provide sufficient performance improvement against Model 3, with a target coefficient (T) of only 0.72. Also, the factor loading of the collection dimension on the second-order factor was lower than the recommended value. Hence, study 2 helps us to verify the first possible explanation at the end of study 1 that inconsistency in the wording of existing instruments can affect the empirical validation of the factor structure of IPC. We resolved the wording inconsistency and reexamined the factor structure of IPC in study 3.
Study 2
The objective of study 2 is to cross-validate the findings of study 1 with a new sample and examine the impact of inconsistent wording of items. We used the same items, except for replacing commercial websites with government websites. The rationale is that if items measuring secondary usage, errors, and improper access in Smith et al.s instrument are indeed measuring expectations, then individuals expectations of government websites should be somewhat similar to their expectations of commercial websites (i.e., ceiling effect), given that it costs individuals virtually nothing to expect more privacy protection. On the other hand, if items measuring the collection dimension are indeed reflecting individuals perceptions of their privacy concerns, and given that a recent study shows that Hong Kong residents hold greater privacy concerns for data collected by the commercial sector than by government agencies (Office of the Privacy Commissioner for Personal Data, Hong Kong, 2009), we should find lower concerns for personal information collection by government websites than by commercial websites. Using a similar method as study 1, we collected data from 961 new respondents. The demographics of the respondents in study 2 were similar to study 1 (see Table 4). Similar to the results for commercial websites, the means of the expectation dimensions are consistently higher than the mean of the collection dimension, with the differences ranging from 1.26 to 1.83 (see Table 5). Comparing the means of the dimensions in study 1 and study 2, we found a much larger difference in the collection dimension (|| =
Study 3
The objectives of study 3 are to resolve inconsistency in the wording of the original items, and to reevaluate the factor structure of the integrated conceptualization of IPC against alternative higher-order models developed from the various theoretical frameworks using MDT. In order to focus on individuals perceptions of their concerns for website behavior rather than their expectations of website behavior, we rephrased the items to start with either I am concerned that websites or It usually bothers me when websites (see Appendix A). Similar types of phrasing had been used in more recent privacy instruments (e.g., Buchanan et al. 2007; Dinev and Hart 2006; Pavlou et al. 2007). Using a similar method as study 1, we collected data from 992 new respondents about their IPC with commercial websites using the rephrased instrument. Compared to the earlier studies, the means of the six dimensions were now in a closer range, with the differences between the mean of the collection dimension and the other five dimensions ranging between -0.28 and 0.30 (see Table 5). The changes to the wording of the items appeared to have resolved the inconsistency issue. We then proceeded with CFA to examine the factor structures of the alternative conceptualizations of IPC. We first examined Model 3 (six correlated first-order factors) with the new data (see Table 7). Model 3 continued to show good fit with all fit indices falling into recommended ranges. Tables 8 and 9 present tests of reliability, convergent validity, and discriminant validity of the six first-order factors. Cron-
288
Theoretical Framework 1a
Model 5 (1 secondorder factor and 2 firstorder factors) 668.52 129 5.18 0.93 0.91 0.99 0.99 0.27 0.062 Model 6 (Model 5 with a thirdorder factor) 551.62 128 4.31 0.94 0.92 0.99 0.99 0.048 0.057
Theoretical Framework 1b
Theoretical Framework 2a
Theoretical Framework 2b
Fit Indices
df /df Goodness-of-fit (GFI) Adjusted goodness-of-fit (AGFI) Normalized fit index (NFI) Comparative fit index (CFI) Root mean square residual (RMSR) Root mean square error of approximation (RMSEA)
Model 7 Model 9 Model 11 (1 second(2 second(2 secondorder Model 8 order Model 10 order Model 12 factor and (Model 7 factors (Model 9 factors and (Model 11 1 firstwith a and 2 firstwith a 1 firstwith a order third-order order third-order order third-order factor) factor) factors) factor) factor) factor) 692.77 130 5.33 0.93 0.91 0.99 0.99 0.26 0.064 576.28 128 4.5 0.94 0.92 0.99 0.99 0.050 0.060 538.78 127 4.24 0.94 0.93 0.99 0.99 0.33 0.055 490.80 127 3.86 0.95 0.93 0.99 0.99 0.043 0.054 547.92 129 4.25 0.94 0.93 0.99 0.99 0.33 0.055 420.18 127 3.31 0.95 0.94 0.99 0.99 0.035 0.049
Note: Factor loadings are from confirmatory factor analysis; C.A. = Cronbachs Alpha; C.R. = Composite Reliability.
289
Table 9. Discriminant Validity of First-Order Factors in Study 3 Construct Collection Secondary Usage Errors Improper Access Control Awareness 1 0.60 0.67 0.57 0.61 0.63 0.59 2 0.82 0.54 0.71 0.60 0.57 3 4 5 6
0.86 0.54
0.80
Note: Diagonals are the average variance extracted. Off-diagonals are the correlations.
bachs alphas and composite reliabilities for all of the factors were above 0.80, indicating good reliability for the first-order factors. All factor loadings were greater than 0.70, and squared multiple correlations between the individual items and their a priori factors were high (> 0.50 with the majority over 0.70), confirming high convergent validity. Further, the shared variances between factors were lower than the average variance extracted of the individual factors, confirming discriminant validity. Hence, Model 3 demonstrated adequate reliability, convergent validity, and discriminant validity. While Model 4 also showed good model fit with fit indices falling into recommended ranges, the T coefficient was only 0.66, implying that a single second-order factor could not adequately account for the correlations among the first-order factors. However, the moderately high correlations among the first-order factors (0.54 to 0.71) provided empirical support for the presence of higher-order factor models (Bollen 1989; Marsh and Jackson 1999). We proceeded with using Model 3 as the baseline model and compared it to alternative higher-order factor models in subsequent analysis. Table 7 presents the goodness-of-fit indices for the eight alternative models (Models 5 to 12) developed from the various theoretical frameworks identified by MDT. All of these models were nested within Model 3. As nested models could never have better fit than their baseline model, we looked for a nested model that was more parsimonious and with the closest fit indices to those of Model 3. The results showed that models that hypothesized a third-order factor (Models 6, 8, 10, and 12) consistently performed better than their corresponding lower-order factor models (Models 5, 7, 9, and 11). This supports our conceptualization of IPC as a higher-order construct with a general factor of IPC encompassing the lower-order factors. Further, Model 12 had significantly better fit than the alternative models, and its fit indices were the closest to those of the baseline Model 3. The T coefficient was 0.90, indicating reasonable performance of Model 12 over Model 3. Model 12 also showed much better
fit than Model 4, indicating a third-order factor explained the data much better than a single second-order factor. In addition, factor loadings from lower-order indicators to higher-order factors were all larger than 0.70. Given the parsimony of Model 12, its reasonable performance over the baseline model, and the high factor loadings, we concluded that Model 12 best represents the factor structure of IPC. The empirical results provide support for the interaction management and information management dimensions of IPC. These two dimensions represent two main areas from which online consumers privacy concerns may arise. On one hand, consumers are concerned about losing control of their personal information when interacting with websites, in terms of how their personal information is collected and used by websites. For example, many websites, such as Travelocity, use business intelligence software to track consumers search behavior and use the data to predict consumers needs and make personalized recommendations. While such a personalized service may provide convenience to consumers, it also raises their privacy concerns about the websites using their personal data without their approval. Online consumers are also concerned whether websites are doing their best to protect the confidentiality of their personal information. For example, there have been high profile incidents of credit card information leaks that could potentially affect millions of consumers (Koenig 2008). The results also help to clarify the role of control in IPC. Based on MDT, we have conceptualized two different roles of control. In accordance with theoretical framework 2a, the control dimension was hypothesized to be an independent dimension that is correlated with the interaction management dimension in Model 10, while in Model 12 the control dimension is hypothesized to be a subdimension of interaction management following theoretical framework 2b. As Model 12 has better fit indices than Model 10, our results provide support for the conceptualization of control as a part of the
290
interaction management dimension. In other words, individuals may not perceive that they have control over the information management practices adopted by websites. Finally, our results provide support for the conceptualization of awareness as a unique passive dimension of privacy concerns (Malhotra et al. 2004; Milne and Rohm 2000). Awareness is somewhat independent of the other dimensions, because no matter what interaction management or information management practices are adopted by a website, it can choose to let individuals be aware of it or not. For example, a website may or may not inform individuals when their personal information is collected, what type of information is collected, or whether their personal information will be used for a different purpose. Similarly, a website may or may not let individuals know when their personal information is jeopardized by unauthorized access to its database. The Federal Trade Commission surveyed 1,400 websites and found that out of the 92 percent that collected data about visitors, only 14 percent revealed how that data was used (Henderson 1999). Hence, individuals information privacy could be infringed without their awareness of the interaction management and information management practices of the websites. Awareness constitutes a unique dimension in addition to the interaction management and information management dimensions. A limitation of the data analysis is with regard to the identification issue in LISREL. A latent variable needs at least three indicators to be identified, meaning the number of correlations among the indicators is exactly equal to the number of parameters needed to define the third-order factor (Byrne 1998). The third-order factor in Model 12 was just identified, which made it indistinguishable from its corresponding lower-order model (Model 11) from a statistical sense. To test such models, additional constraints need to be imposed (Byrne 1998). Following Blackburn et al. (2005), we fixed the error terms of the two second-order factors in Model 12 to be equal in order to address the identification issue. The fit indices of the revised model were very similar to those of the original model, providing evidence that Model 12 was statistically better than Model 11. From another perspective, Model 10 had four indicators for its third-order factor, which made it over-identified. As Model 10 provided better fit with the data than its corresponding lower-order model (Model 9), it was added assurance of the existence of the third-order factor. Similar practices can be found in the psychology literature when treating complex higher-order factors with identification issues (Marsh and Hocevar 1985). Finally, the influence of common method variance (CMV) can be an important issue for this research, as the observed
superiority of the third-order factor models over alternative models may be attributed to the cross-sectional data collection. We conducted the marker variable test, which is recognized as an effective tool for accounting for CMV (Malhotra et al. 2006). A marker variable is believed to be theoretically unrelated to at least one substantive variable, but susceptible to the same causes of CMV. We selected knowledge of the Internet as a marker variable. Following Lindell and Whitney (2001), we used the second lowest positive correlation between the marker variable and the six first-order factors as a conservative estimate of shared correlation resulting from CMV. We found that the second lowest positive correlation was 0.02, which was low and nonsignificant. Based on this estimate, we calculated CMV-adjusted correlations using the equation developed by Lindell and Whitney to partial out method variance. The results showed that the differences between the original and the CMVadjusted correlations were very small (from 0.006 to 0.009), suggesting that CMV did not present a major threat to our analysis.
Study 4
The objectives of study 4 are to cross-validate the findings of study 3 using a new sample, and to assess the nomological validity of the integrated conceptualization of IPC. From study 3, our data analysis has identified Model 12 as having the best fit with the data. Using a similar method as study 1, we collected data from another 887 respondents. This time, we used the rephrased items from study 3 and changed commercial websites to government websites. The demographics of the respondents in study 4 were similar to study 3 (see Table 4). In congruence with study 3, the means of the six dimensions were in a closer range with each other, ranging from -0.15 to 0.60 (see Table 5). The CFA results were also similar to study 3, with Model 12 having the best fit with the data. Its T coefficient was 0.92, and its fit indices were the closest to the baseline Model 3. Factor loadings were above 0.70 for all first-order factors and all higher-order factors, confirming the third-order factor structure. Hence, the cross-validation confirmed the findings of study 3. Nomological validity is the degree to which predictions from a formal theoretical network containing the concept under scrutiny are confirmed (Bearden et al. 1993). A critical step in assessing the efficacy of a higher-order factor is to study its relationship with theoretically related constructs within a nomological network (Chin 1998). Following Malhotra et al. (2004), we examined the relationship between IPC and two
291
Note: *p < 0.05; **p < 0.01; ***p < 0.001; Chi-square = 1147.17; df = 289; GFI = 0.90; AGFI = 0.88; NFI = 0.99; NNFI = 0.99; CFI = 0.99; RMR = 0.083; RMSEA = 0.063
theoretically related constructs: trusting beliefs and risk beliefs of websites. IPC was theorized to have a negative relationship with trusting beliefs and a positive relationship with risk beliefs. Individuals with higher privacy concerns are less likely to trust websites in handling their personal information, and are more likely to find it risky providing personal information to websites. Trusting beliefs and risk beliefs were measured by four items each (see Appendix A). The structural models fit indices were within the recommended ranges, indicating good fit with the data (see Figure 4). The path coefficients from the third-order factor of IPC to trusting beliefs (-0.52) and risk beliefs (0.73) were both significant. The third-order factor explained 27 percent
of the variance in trusting beliefs and 54 percent of the variance in risk beliefs. Hence, we conclude that the thirdorder factor structure of IPC has good nomological validity. In order to assess the influence of CMV, we used the marker variable test (Lindell and Whitney 2001). We selected knowledge of the Internet as a marker variable, and used the second lowest positive correlation between the marker variable and the other variables as a conservative estimate of shared correlation resulting from CMV. The second lowest positive correlation was 0.08, which was low and nonsignificant. After partialing out the estimate of method variance, the CMV-adjusted structural relationships remained significant: IPC trusting beliefs (beta = -0.46) and IPC
292
risk beliefs (beta = 0.69). These results demonstrate the robustness of our findings.6
Discussion
There are a number of theoretical contributions from this research. First, based on MDT, we have identified four theoretical frameworks in conceptualizing IPC and developed corresponding alternative higher-order factor structures of IPC. The results of four large-scale empirical studies provide support for theoretical framework 2b, which incorporates three unique dimensions of IPC: interaction management, information management, and awareness. Prior research has not been consistent in terms of identifying the main dimensions of IPC. Oftentimes, interaction management and information management dimensions are grouped together as one common dimension of IPC. Our study shows that it is important to differentiate between concerns over the flow of personal information between online consumers and websites, and concerns over how personal information is managed by websites. Second, we have identified six key dimensions which form the foundation for an integrated conceptualization of IPC. These key dimensions were arrived at through an extensive review of the privacy literature. Prior research has proposed many dimensions of IPC, some of which overlap with each other although they are defined differently, and some of which contain multiple subdimensions. By distilling them into the six key dimensions, we consolidate prior findings and build a cumulative understanding of IPC. Third, this study helps to clarify the role of control in understanding IPC (i.e., online consumers consider control or loss of control as a key component in their interaction with websites). The alternative conceptualization that control is a unique dimension separate from inter-webpersonal management is not supported in this study, indicating that control is more meaningful in certain contexts. Specifically, online consumers deem control an important aspect of their interaction or information exchange with websites, but they do not consider themselves to have much control over how their personal information is managed by websites.
6
Fourth, we have identified and empirically validated a thirdorder factor structure of IPC. Through careful theoretical development and a systematic investigation of alternative higher-order factor models, we found that third-order factor models consistently outperform their corresponding lowerorder factor models. Specifically, the proposed third-order general factor of IPC in Model 12 has the best fit with the data. It contains two second-order factors of interaction management and information management, and six first-order factors of collection, secondary usage, errors, improper access, control, and awareness. Identifying a third-order general factor has many other benefits, including providing a structure to explain the correlations among the lower-order factors, making it easier to examine the variable in a nomological network, and providing the flexibility to include additional subdimensions in the future. Fifth, we have studied the effects of inconsistent wording of items in the original instruments measuring IPC and have highlighted the need for consistent measures of the dimensions of IPC. We found that adopting an expectation perspective can result in the measurement of a different construct from IPC. The problem can be mitigated by focusing on the individuals perceptions of their concerns for others behavior rather than their expectations of others behavior. By adopting a common perspective in terms of defining IPC as a perception in a dyadic relationship between the individual and an online entity and adopting consistent wording of items in measuring IPC, researchers will obtain a more consistent picture of individuals IPC. As part of this effort, we have developed a reliable and valid instrument that can be used to measure the key dimensions of IPC. Finally, we have utilized four large-scale empirical studies involving nearly 4,000 respondents to investigate the conceptualization of IPC in an Asian context. As Culnan (1993) and Malhotra et al. (2004) pointed out, information privacy concerns is a dynamic construct that needs to be examined within different contexts to fully understand the attitudes of individuals toward information management practices. Our study has extended the existing IPC research based mainly on western cultures to the under-studied Asian cultures.
Practical Implications
This study provides several practical implications to researchers, website owners, and policy makers. First, it provides a parsimonious and integrated representation of IPC. The third-order factor represents a general factor of IPC, which can be used when the goal is to identify the relationships between IPC and other theoretically related constructs. Our nomological validity test showed that using the third-
We also analyzed the nomological network of the next best conceptualization of IPC from study 3 (i.e., Model 10). Model 10 similarly conceptualized a third-order general factor of IPC, but with control as a separate dimension of IPC. The fit indices for the nomological network test of Model 10 were within the acceptable ranges, indicating good fit with the data. IPC has a significant negative effect on trusting beliefs (beta = -0.51) and a significant positive effect on risk beliefs (beta = 0.73). This analysis provides further support for the third-order conceptualization of IPC.
293
order general factor in the structural equation model provides good model fit. In fact, when the correlations among lowerorder factors are relatively high, examining the direct effects of the lower-order factors on the dependent variable (after removing the higher-order general factor) can lead to high error variance and inaccurate estimates of such effects (Reddy and LaBarbera 1985). Second, the integrated conceptualization of IPC allows website owners and policy makers to evaluate the relative importance of the lower-order factors of IPC in different privacy contexts. By examining the relative loadings of the lowerorder factors on the higher-order factor (Hair et al.1998), practitioners will be able to identify the key aspects of individuals IPC in a particular context, and can then focus their attention on the corresponding privacy management practices. Finally, this study provides important guidelines to policy makers in terms of the wording of privacy items for public surveys. We found that framing privacy items as expectations will result in the measurement of a different construct from IPC. Our findings support the talk is cheap problem where public surveys on privacy tend to show a higher demand for privacy protection from individuals than what they actually desire (Harper and Singleton 2001).
nology successfully eliminate the possibility of gaining improper access to databases that hold personal information, then improper access will cease to be a significant privacy concern of Internet users. Take another example: Although the information obtained through unauthorized monitoring and analysis can be used to provide better services to Internet users (e.g., through personalization), such practices are often conducted without their awareness, and the information may be used for a secondary purpose. While these practices are related to the key dimensions of IPC, they may have their own unique characteristics. Hence, future research can reevaluate the lower-order dimensions of IPC on a periodic basis, especially after significant social and technological changes which may impact Internet users privacy perceptions. Second, researchers have noted the importance of context in studying information privacy (Culnan 1993; Malhotra et al. 2004). As our studies were conducted in an Asian country, future research can test our conceptualization of IPC in other countries. Third, it will be useful to perform factorial invariance tests on the integrated instrument of IPC across different demographics (e.g., with respect to age, culture, and gender) to further validate our conceptualization of IPC. Finally, the integrated conceptualization of IPC can be used in a nomological network to investigate the antecedents and consequences of IPC in a particular research context. For example, it would be interesting to examine the impact of IPC on consumers online behavior through longitudinal studies.
Conclusions
Based on MDT and an extensive literature review, we have identified various conceptualizations of IPC. We then consolidate the existing knowledge about information privacy by developing an integrated conceptualization of IPC which consists of a third-order general factor, two second-order factors of interaction management and information management, and six first-order factors (i.e., collection, secondary usage, errors, improper access, control, and awareness). The reliability and validity of this integrated conceptualization of IPC were validated through a series of four studies involving large-scale online surveys. As a result, this research has contributed to building a better understanding of the conceptualization of IPC and provided a modified instrument for future research into IPC.
Acknowledgments
We thank the senior editor, associate editor, and reviewers for their constructive comments. This study was partially funded by research grants (RPC11BM17 and SBI07/08.BM13) from the Hong Kong
294
Research Grants Council and the Center for Electronic Commerce at HKUST.
References
Alge, B. J., Ballinger, G. A., Tangirala, S., and Oakley, J. L. 2006. Information Privacy in Organizations: Empowering Creative and Extra-Role Performance, Journal of Applied Psychology (91:1), pp. 221-232. Angst, C. M., and Agarwal, R. 2009. Adoption of Electronic Health Records in the Presence of Privacy Concerns: The Elaboration Likelihood Model and Individual Persuasion, MIS Quarterly (33:2), pp. 339-370. Bearden, W. O., Netemeyer, R. G., and Mobley, M. F. 1993. Handbook of Marketing Scales: Multi-Item Measures for Marketing and Consumer Behavior Research, Newbury Park, CA: Sage Publications. Bellman, S., Johnson, E. J., Kobrin, S. J., and Lohse, G. L. 2004. International Differences in Information Privacy Concerns: A Global Survey of Consumers, The Information Society (20:5), pp. 313-324. Berendt, B., Gnther, O., and Spiekermann, S. 2005. Privacy in E-Commerce: Stated Preferences vs. Actual Behavior, Communications of the ACM (48:4), pp. 101-106. Blackburn, R., Logan, C., Renwick, S. J. D., and Donnelly, J. P. 2005. Higher-Order Dimensions of Personality Disorder: Hierarchical Structure and Relationships with the Five-Factor Model, the Interpersonal Circle, and Psychopathy, Journal of Personality Disorders (19:6), pp. 597-623. Bollen, K. A. 1989. Structural Equation with Latent Variables, New York: Wiley. Buchanan, T., Paine, C., Joinson, A. N., and Reips, U-D. 2007. Development of Measures of Online Privacy Concern and Protection for Use on the Internet, Journal of the American Society for Information Science and Technology (58:2), pp. 157-165. Byrne, B. M. 1998. Structural Equation Modelling with LISREL, PRELIS, and SIMPLIS: Basic Concepts, Applications, and Programming, Mahwah, NJ: Lawrence Erlbaum Associates. Cases, A.-S., Fournier, C., Dubois, P.-L., and Tanner, J. F. 2010. Web Site Spill Over to Email Campaigns: The Role of Privacy, Trust, and Shoppers Attitudes, Journal of Business Research (63: 9/10), pp. 993-999. Castaneda, J. A., Montoso, F. J., and Luque, T. 2007. The Dimensionality of Customer Privacy Concern on the Internet, Online Information Review (31:4), pp. 420-439. Chen, H.-G., Chen, C. C., Lo, L., and Yang, S. C. 2008. Online Privacy Control Via Anonymity and Pseudonym: Cross-Cultural Implications, Behaviour & Information Technology (27:3), pp. 229-242. Chen, K., and Rea, A. I. 2004. Protecting Personal Information Online: A Survey of User Privacy Concerns and Control Techniques, Journal of Computer Information Systems (44:4), pp. 85-92.
Cheung, G. W. 2008. Testing Equivalence in the Structure, Means, and Variances of Higher-Order Constructs with Structural Equation Modeling, Organizational Research Methods (11:3), pp. 593-613. Chin, W. W. 1998. The Partial Least Squares Approach to Structural Equation Modeling, in Modern Methods for Business Research, G. A. Marcoulides (ed.), Mahwah, NJ: Lawrence Erlbaum Associates, pp. 295-336. Culnan, M. J. 1993. How Did They Get My Name? An Exploratory Investigation of Consumer Attitudes Toward Secondary Information Use, MIS Quarterly (17:3), pp. 341-363. Culnan, M. J. 1995. Consumer Awareness of Name Removal Procedures: Implications for Direct Marketing, Journal of Direct Marketing (9:2), 1995, pp. 10-19. Culnan, M. J., and Bies, R. J. 2003. Consumer Privacy: Balancing Economic and Justice Considerations, Journal of Social Issues (59:2), pp. 323-342. Culnan, M. J., and Williams, C. C. 2009. How Ethics Can Enhance Organizational Privacy: Lessons from the ChoicePoint and TJX Data Breaches, MIS Quarterly (33:4), pp. 673-687. Dinev, T., and Hart, P. 2004. Internet Privacy Concerns and Their AntecedentsMeasurement Validity and a Regression Model, Behaviour & Information Technology (23:6), pp. 413-422. Dinev, T., and Hart, P. 2006. An Extended Privacy Calculus Model for E-Commerce Transactions, Information Systems Research (17:1), pp. 61-80. Donaldson, T., and Dunfee, T. W. 1994. Toward a Unified Conception of Business Ethics: Integrative Social Contracts Theory, Academy of Management Review (19:2), pp. 252-284. Earp, J. B., Antn, A. I., Aiman-Smith, L., and Stufflebeam, W. 2005. Examining Internet Privacy Policies Within the Context of User Privacy Values, IEEE Transactions on Engineering Management (52:2), pp. 227-237. Eastlick, M. A., Lotz, S. L., and Warrington, P. 2006. Understanding Online B-to-C Relationships: An Integrated Model of Privacy Concerns, Trust, and Commitment, Journal of Business Research (59:8), pp. 877-886. Edwards, J. R. 2001. Multidimensional Constructs in Organizational Behavior Research: An Integrative Analytical Framework, Organizational Research Methods (4:2), pp. 144-192. Erez, A., and Judge, T. A. 2001, Relationship of Core SelfEvaluations to Goal Setting, Motivation, and Performance, Journal of Applied Psychology (86:6), pp. 1270-1279. Federal Trade Commission. 2007. Implementing the Childrens Online Privacy Protection Act: A Report to Congress (http:// www.ftc.gov/reports/coppa/07COPPA_Report_to_Congress.pdf). Fletcher, K. P., and Peters, L. D. 1997. Trust and Direct Marketing Environments: A Consumer Perspective, Journal of Marketing Management (13:6), pp. 523-539. Fornell, C. 1982. A Second Generation of Multivariate Analysis, Volume 1: Methods, New York: Praeger Special Studies. Foxman, E. R., and Kilcoyne, P. 1993. Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues, Journal of Public Policy & Marketing (12:1), pp. 106-119. Goffin, R. D., and Jackson, D. N. 1988. The Structural Validity of the Index of Organizational Reactions, Multivariate Behavioral Research (23:3), pp. 327-347.
295
Hair, J. F., Anderson, R. E., Tatham, R. L., and Black, W. C. 1998. Multivariate Data Analysis (5th ed.), Englewood Cliffs, NJ: Prentice Hall. Hann, I-H., Hui, K. L., Lee, S-Y. T., and Png, I. P. L. 2007. Overcoming Online Information Privacy Concerns: An Information-Processing Theory Approach, Journal of Management Information Systems (24:2), pp. 13-42. Harlow, L. L., and Newcomb, M. D. 1990. Towards a General Hierarchical Model of Meaning and Satisfaction in Life, Multivariate Behavioral Research (25:3), pp. 387-405. Harper, J., and Singleton, S. 2001. With a Grain of Salt: What Consumer Privacy Surveys Dont Tell Us, Competitive Enterprise Institute, Washington, DC (http://www.cei.org/PDFs/ with_a_grain_of_salt.pdf). Harris, M. M., Hoye, G. V., and Lievens, F. 2003. Privacy and Attitudes Towards Internet-Based Selection Systems: A CrossCultural Comparison, International Journal of Selection and Assessment (11:2/3), pp. 230-236. Henderson, H. 1999. Privacy in the Information Age, New York: Facts on File, Inc. Hui, K.-L., Teo, H. H., and Lee, S.-Y. T. 2007. The Value of Privacy Assurance: An Exploratory Field Experiment, MIS Quarterly (31:1), pp. 19-33. Jreskog, K. G., and Srbom, D. 1993. LISREL 8: Structural Equation Modeling with the SIMPLIS Command Language, Chicago: Scientific Software International. Junglas, I. A., Johnson, N. A., and Spitzmller, C. 2008. Personality Traits and Concern for Privacy: An Empirical Study in the Context of Location-Based Services, European Journal of Information Systems (17:4), pp. 387-402. Keeping, L. M., and Levy, P. E. 2000. Performance Appraisal Reactions: Measurement, Modeling, and Method Bias, Journal of Applied Psychology (85:5), pp. 708-723. Koenig, D. 2008. Data Lost on 650,000 Credit Card Holders, USA Today, January 18 (http://www.usatoday.com/tech/news/ computersecurity/2008-01-18-penney-data-breach_N.htm). Korgaonkar, O. K., and Wolin, L. D. 1999. A Multivariate Analysis of Web Usage, Journal of Advertising Research (39:2), pp. 53-68. Laufer, R. S., and Wolfe, M. 1977. Privacy as a Concept and a Social Issue: A Multidimensional Development Theory, Journal of Social Issues (33:3), pp. 22-42. Li, X. B., and Sarkar, S. 2006. Privacy Protection in Data Mining: A Perturbation Approach for Categorical Data, Information Systems Research (17:3), pp. 254-270. Lindell, M. K., and Whitney, D. J. 2001. Accounting for Common Method Variance in Cross-Sectional Research Settings, Journal of Applied Psychology (86:1), pp. 114-121. Liu, C., Marchewka, J. T., Lu, J., and Yu, C.-S. 2005. Beyond ConcernA Privacy-Trust-Behavioral Intention Model of Electronic Commerce, Information & Management (42:2), pp. 289-304. Malhotra, N. K., Kim, S. S., and Agarwal, J. 2004. Internet Users Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model, Information Systems Research (15:4), pp. 336-355.
Malhotra, N. K., Kim, S. S., and Patil, A. 2006. Common Method Variance in IS Research: A Comparison of Alternative Approaches and a Reanalysis of Past Research, Management Sciences (52: 12), pp. 1865-1883. Marakas, G. M., Yi, M. Y., and Johnson, R. D. 1998. The Multilevel and Multifaceted Character of Computer Self-Efficacy: Toward Clarification of the Construct and an Integrative Framework for Research, Information Systems Research (9:2), pp. 126-163. Marsh, H. W., and Hocevar, D. 1985. Application of Confirmatory Factor Analysis to the Study of Self-Concept: First- and Higher-Order Factor Models and Their Invariance Across Groups, Psychological Bulletin (97:3), pp. 562-582. Marsh, H. W., and Jackson, S. A. 1999. Flow Experience in Sport: Construct Validation of Multidimensional, Hierarchical State, and Trait Responses, Structural Equation Modeling (6:4), pp. 343-371. Metzger, M. J. 2007. Communication Privacy Management in Electronic Commerce, Journal of Computer-Mediated Communication (12:2), pp. 1-27. Milberg, S. J., Burke, S. J., Smith, H. J., and Kallman, E. A. 1995. Values, Personal Information Privacy, and Regulatory Approaches, Communications of the ACM (38:12), pp. 65-74. Milberg, S. J., Smith, H. J., and Burke, S. J. 2000. Information Privacy: Corporate Management and National Regulation, Organization Science (11:1), pp. 35-57. Milne, G. R., and Rohm, A. J. 2000. Consumer Privacy and Name Removal Across Direct Marketing Channels: Exploring Opt-In and Opt-Out Alternatives, Journal of Public Policy & Marketing (19:2), pp. 238-249. Office of the Privacy Commissioner for Personal Data, Hong Kong. 2009. Privacy Commissioner for Personal Datas 2008-2009 Annual Report Tabled in the Legislative Council (http:// www.pcpd.org.hk/english/infocentre/press_20091217.html). Okazaki, S., Li, H., and Hirose, M. 2009. Consumer Privacy Concerns and Preference for Degree of Regulatory Control, Journal of Advertising (38:4), pp. 63-77. Pavlou, P. A., Liang, H., and Xue, Y. 2007. Understanding and Mitigating Uncertainty in Online Environments: An Agency Theory Perspective, MIS Quarterly (31:1), pp. 105-136. Reddy, S. K., and LaBarbera, P. A. 1985. Hierarchical Models of Attitude, Multivariate Behavioral Research (20:4), pp. 451-471. Rindskopf, D., and Rose, T. 1988. Some Theory and Applications of Confirmatory Second-Order Analysis, Multivariate Behavioral Research (23:1), pp. 51-67. Rose, E. A. 2006. An Examination of the Concern for Information Privacy in the New Zealand Regulatory Context, Information & Management (43:3), pp. 322-335. Rubio, D. M., Berg-Weger, M., and Tebb, S. 2001. Using Structural Equation Modeling to Test for Multidimensionality, Structural Equation Modeling (8:4), pp. 613-626. Rule, J. B. 1974. Private Lives and Public Surveillance, New York: Schocken Books. Scullen, S. E., Mount, M. K., and Judge, T. A. 2003. Evidence of the Construct Validity of Developmental Ratings of Managerial Performance, Journal of Applied Psychology (88:1), pp. 50-66.
296
Sheehan, K. B., and Hoy, M. G. 2000. Dimensions of Privacy Concern Among Online Consumers, Journal of Public Policy & Marketing (19:1), pp. 62-73. Sheng, H., Nah, F. F.-H., Siau, K. 2008. An Experimental Study on Ubiquitous Commerce Adoption: Impact of Personalization and Privacy Concern, Journal of the Association for Information Systems (9:6), pp. 344-376. Smith, J. J., Milberg, S. J., and Burke, S. J. 1996. Information Privacy: Measuring Individuals Concerns About Organizational Practices, MIS Quarterly (20:2), pp. 167-196. Son, J. Y., and Kim, S. S. 2008. Internet Users Information Privacy-Protective Responses: A Taxonomy and a Nomological Model, MIS Quarterly (32:3), pp. 503-529. Srivastava, M. 2009. Consumers Cognitive, Affective, and Behavioral Responses to an Invasion of Privacy: Essays on Understanding Consumers Privacy Concerns, unpublished doctoral dissertation, Texas A&M University, College Station, TX. Stewart, K. A., and Segars, A. H. 2002. An Empirical Examination of the Concern for Information Privacy Instrument, Information Systems Research (13:1), pp. 36-49. Van Slyke, C., Shim, J. T., Johnson, R., and Jiang, J. 2006. Concern for Information Privacy and Online Consumer Purchasing, Journal of the Association for Information Systems (7:6), pp. 415-444. Ward, S., Bridges, K., and Chitty, B. 2005. Do Incentives Matter? An Examination of On-Line Privacy Concerns and Willingness to Provide Personal and Financial Information, Journal of Marketing Communications (11:1), pp. 21-40. Westin, A. F. 1967. Privacy and Freedom, New York: Atheneum. Yang, S., and Wang, K. 2009. The Influence of Information Sensitivity Compensation on Privacy Concern and Behavioral Intention, The Database for Advances in Information Systems (40:1), pp. 38-51. Zviran, M. 2008. Users Perspectives on Privacy in Web-Based Applications, Journal of Computer Information Systems (48:4), pp. 97-105.
Appendix A
Final Items of IPC Used in Studies 3 and 4
IPC (Collection) COL1: It usually bothers me when commercial/government websites ask me for personal information. COL2: When commercial/government websites ask me for personal information, I sometimes think twice before providing it. COL3: I am concerned that commercial/government websites are collecting too much personal information about me. IPC (Secondary Usage) SEC1: I am concerned that when I give personal information to a commercial/government website for some reason, the website would use the information for other reasons. SEC2: I am concerned that commercial/government websites would sell my personal information in their computer databases to other companies. SEC3: I am concerned that commercial/government websites would share my personal information with other companies without my authorization.
297
IPC (Errors) ERR1: I am concerned that commercial/government websites do not take enough steps to make sure that my personal information in their files is accurate. ERR2: I am concerned that commercial/government websites do not have adequate procedures to correct errors in my personal information. ERR3: I am concerned that commercial/government websites do not devote enough time and effort to verifying the accuracy of my personal information in their databases. IPC (Improper Access) ACC1: I am concerned that commercial/government website databases that contain my personal information are not protected from unauthorized access. ACC2: I am concerned that commercial/government websites do not devote enough time and effort to preventing unauthorized access to my personal information. ACC3: I am concerned that commercial/government websites do not take enough steps to make sure that unauthorized people cannot access my personal information in their computers. IPC (Control) CON1: It usually bothers me when I do not have control of personal information that I provide to commercial/government websites. CON2: It usually bothers me when I do not have control or autonomy over decisions about how my personal information is collected, used, and shared by commercial/government websites. CON3: I am concerned when control is lost or unwillingly reduced as a result of a marketing transaction with commercial/government websites. IPC (Awareness) AWA1: I am concerned when a clear and conspicuous disclosure is not included in online privacy policies of commercial/government websites. AWA2: It usually bothers me when I am not aware or knowledgeable about how my personal information will be used by commercial/ government websites. AWA3: It usually bothers me when commercial/government websites seeking my information online do not disclose the way the data are collected, processed, and used. Trusting Beliefs TRUS1: Commercial/Government websites in general would be trustworthy in handling my personal information. TRUS2: Commercial/Government websites would keep my best interests in mind when dealing with my personal information. TRUS3: Commercial/Government websites would fulfill their promises related to my personal information. TRUS4: Commercial/Government websites are in general predictable and consistent regarding the usage of my personal information. Risk Beliefs RISK1: In general, it would be risky to give my personal information to commercial/government websites. RISK2: There would be high potential for loss associated with giving my personal information to commercial/government websites. RISK3: There would be too much uncertainty associated with giving my personal information to commercial/government websites. RISK4: Providing commercial/government websites with my personal information would involve many unexpected problems.
298
RESEARCH NOTE
James Y. L. Thong
Department of ISOM, Hong Kong University of Science and Technology, Clear Water Bay, Kowloon, HONG KONG {jthong@ust.hk}
Appendix B
Example Items from Existing IPC Instruments
Perceptions of ones concerns for others behavior I mind when a web site discloses my buying patterns to third parties. (Earp et al. 2005) I feel that my organizations information policies and practices are an invasion of privacy. (Alge et al. 2006) It usually bothers me when companies ask me for personal information. (Smith et al. 1996) I am concerned about threats to my personal privacy. (Culnan 1993) Perceptions of others behavior My organization always allows me to decide how my personal information can be released to others. (Alge et al. 2006) Companies sell employee-related information (e.g., answers to a test) that they collect from unsuspecting applicants over the Internet. (Harris et al. 2003) The Husky Virtual Bookstore explained how they would use the information collected about me. (Liu et al. 2005) Expectation of others behavior Companies should devote more time and effort to preventing unauthorized access to personal information. (Smith et al. 1996) Companies should not use personal information for any purpose other than the one authorized. (Culnan 1993) I want a web site to disclose how my PII will be used. (Earp et al. 2005) Web sites cannot share the information I voluntarily provide to them with other firms, without my permission. (Castaneda et al. 2007)
A1
Appendix C
Original Items of IPC Used in Studies 1 and 2
IPC (Collection) COL1: It usually bothers me when commercial/government websites ask me for personal information. COL2: When commercial/government websites ask me for personal information, I sometimes think twice before providing it. COL3: I am concerned that commercial/government websites are collecting too much personal information about me. IPC (Secondary Usage) SEC1: When people give personal information to a commercial/government website for some reason, the website would never use the information for any other purpose. SEC2: Commercial/Government websites would never sell the personal information in their computer databases to other companies. SEC3: Commercial/Government websites would never share personal information with other companies unless it has been authorized by the individuals who provided the information. IPC (Errors) ERR1: Commercial/Government websites should take more steps to make sure that the personal information in their files is accurate. ERR2: Commercial/Government websites should have better procedures to correct errors in personal information. ERR3; Commercial/Government websites should devote more time and effort to verifying the accuracy of the personal information in their databases. IPC (Improper Access) ACC1: Commercial/Government website databases that contain personal information should be protected from unauthorized access. ACC2: Commercial/Government websites should devote more time and effort to preventing unauthorized access to personal information. ACC3: Commercial/Government websites should take more steps to make sure that unauthorized people cannot access personal information in their computers. IPC (Control) CON1: Consumer control of personal information lies at the heart of consumer privacy. CON2: Consumer online privacy is really a matter of consumers right to exercise control and autonomy over decisions about how their information is collected, used, and shared by commercial/ government websites. CON3: I believe that online privacy is invaded when control is lost or unwillingly reduced as a result of a marketing transaction with commercial/government websites. IPC (Awareness) AWA1: A good consumer online privacy policy should have a clear and conspicuous disclosure. AWA2: It is very important to me that I am aware and knowledgeable about how my personal information will be used by commercial/ government websites. AWA3: Commercial/Government websites seeking personal information online should disclose the way the data are collected, processed, and used.
References
Alge, B. J., Ballinger, G. A., Tangirala, S., and Oakley, J. L. 2006. Information Privacy in Organizations: Empowering Creative and Extrarole Performance, Journal of Applied Psychology (91:1), pp. 221-232. Castaneda, J. A., Montoso, F. J., and Luque, T. 2007. The Dimensionality of Customer Privacy Concern on the Internet, Online Information Review (31:4), pp. 420-439. Culnan, M. J. 1993. How Did They Get My Name? An Exploratory Investigation of Consumer Attitudes Toward Secondary Information Use, MIS Quarterly (17:3), pp. 341-363. Earp, J. B., Antn, A. I., Aiman-Smith, L., and Stufflebeam, W. 2005. Examining Internet Privacy Policies Within the Context of User Privacy Values, IEEE Transactions on Engineering Management (52:2), pp. 227-237.
A2
Harris, M. M., Hoye, G. V., and Lievens, F. 2003. Privacy and Attitudes Towards Internet-Based Selection Systems: A Cross-Cultural Comparison, International Journal of Selection and Assessment (11:2/3), pp. 230-236. Liu, C., Marchewka, J. T., Lu, J., and Yu, C.-S. 2005. Beyond ConcernA Privacy-Trust-Behavioral Intention Model of Electronic Commerce, Information & Management (42:2), pp. 289-304. Smith, J. J., Milberg, S. J., and Burke, S. J. 1996. Information Privacy: Measuring Individuals Concerns About Organizational Practices, MIS Quarterly (20:2), pp. 167-196.
A3
Copyright of MIS Quarterly is the property of MIS Quarterly & The Society for Information Management and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.