Predicting users' privacy boundary management ...

Chinese Journal of Communication

ISSN: 1754-4750 (Print) 1754-4769 (Online) Journal homepage: http://www.tandfonline.com/loi/rcjc20

Predicting users’ privacy boundary management strategies on Facebook Qian Liu, Mike Z. Yao, Ming Yang & Caixie Tu To cite this article: Qian Liu, Mike Z. Yao, Ming Yang & Caixie Tu (2017) Predicting users’ privacy boundary management strategies on Facebook, Chinese Journal of Communication, 10:3, 295-311, DOI: 10.1080/17544750.2017.1279675 To link to this article: http://dx.doi.org/10.1080/17544750.2017.1279675

Published online: 31 Jan 2017.

Submit your article to this journal

Article views: 136

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at http://www.tandfonline.com/action/journalInformation?journalCode=rcjc20 Download by: [University of Illinois at Urbana-Champaign]

Date: 06 October 2017, At: 19:16

Chinese Journal of Communication, 2017 Vol. 10, No. 3, 295–311, https://doi.org/10.1080/17544750.2017.1279675

Predicting users’ privacy boundary management strategies on Facebook Qian Liua*, Mike Z. Yaob, Ming Yanga and Caixie Tua Department of Media and Communication, City University of Hong Kong, Hong Kong; bCollege of Media, University of Illinois, Urbana-Champaign, US

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

a

This study examines the process by which Facebook users regulate their ­interpersonal privacy and information sharing. By tracing the influence of gender, Facebook usage, and privacy-protecting behaviors that are determined by knowledge and attitude, this research identifies a dynamic management process through which Facebook users maintain personal and interpersonal boundaries. Two distinct strategies are used – a privacy-setting control and a self-disclosure control. Based on data collected in a ­survey of 432 college students conducted in Hong Kong, our results suggest that different uses of Facebook activities (i.e., social interaction, social browsing, and entertainment) can be used to predict different boundary management strategies. Gender and privacy-related psychological factors (i.e., privacy literacy and concern about privacy) also showed significant effects. We concluded that the privacy setting options available on social networking sites such as Facebook were useful in providing users with a base point and a psychological sense of security, but they had little influence on the actual patterns of self-disclosure. To regulate their privacy boundaries, users were more likely to rely on frequently changing their privacy settings and on controlling their levels of self-disclosure. Keywords:  Online privacy; privacy boundary; Facebook; self-disclosure; Facebook usage

Introduction Social networking platforms such as Facebook, Instagram, and WeChat are increasingly pervasive and sophisticated, and users are increasingly concerned about personal privacy (Acquisti & Gross, 2006; Rotenberg, Scott, & Horwitz, 2015). Social sharing and selfdisclosure are key characteristics of these communication tools, and users constantly face the dilemma of choosing to share or not to share their personal information. On one hand, sharing personal information may strengthen social relationships, which is a strong motivator for using social media (Boyd & Ellison, 2007). On the other hand, disclosing the wrong information to the wrong audience may lead to embarrassment, relational turbulence, reputational damage, or even threats to personal safety (Boyd, 2008). Most social media platforms give users the ability to set their preferences for data sharing and target audiences. However, although social media users have become increasingly savvy in using such features (Boyd & Hargittai, 2010; Lewis, Kaufman, & Christakis, 2008; Madejski, ­Johnson, & Bellovin, 2011), preset privacy preferences offer only partial protection because they do not provide users with enough flexibility and options in sharing information with others in various social or relational contexts. As such, users may need to adopt a set of fluid and dynamic privacy management strategies. Drawing on the communication privacy *Corresponding author. Email: [email protected] © 2017 The Centre for Chinese Media and Comparative Communication Research, The Chinese University of Hong Kong

296   Qian Liu et al.

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

management theory (Petronio, 2002), the present study conducts an empirical examination of the ways in which social media users manage the flow of personal information by implementing technological features and interpersonal self-disclosure strategies. It also aims to identify the key factors that affect the dynamic process of boundary management. Privacy concerns on social media There are three sources of threats to the privacy of social media users. First, although recent advancements in computing technologies enable social media applications to be increasingly interactive, mobile, and user-friendly, these technologies also raise serious concerns about the right to privacy as a legal or normative prerogative. In this context, users are concerned about violations of privacy rights, such as government surveillance, invasive marketing practices, consumer rights, and the control of personal information. A second and immediate threat to personal privacy on social media concerns information and data security. Social media postings about personal feelings, private information, and intimate photos can be accessed by hackers, unauthorized third parties, and the public, making the user vulnerable to cyberbullying, cyberstalking, identity theft, and other dangers. Third, because social media thrive on the core functions of information sharing and self-disclosure, users may also worry about their interpersonal privacy. For example, private information, such as a secret, intimate photo, or gossip, may be widely distributed and misinterpreted out of context by an unintended audience, thus causing relational turbulence. Soon after the Internet became widely available to the public, research showed that users were deeply concerned about threats to their right to privacy (Cranor, Reagle, & Ackerman, 2000; Sheehan, 2002). Numerous surveys reported that Internet users were worried about unauthorized personal data collection and the subsequent sharing of such data by commercial websites and Internet service providers. Users expressed unease about unsanctioned government surveillance, social profiling, and identify theft (Bloom, Milne, & Adler, 1994; Caudill & Murphy, 2000; Culnan, 1995; Goodwin, 1991; Miyazaki & Fernandez, 2000; Rotenberg et al., 2015). Long before the rise of social media, most research on privacy protection was conducted from a normative perspective, and it tended to focus on regulatory and policy solutions (Metzger & Docter, 2003), as well as on the attitudinal and demographic predictors of concerns about privacy rights (Yao, Rice, & Wallis, 2007). In the era of social media, such privacy concerns might be even more relevant and meaningful because of the rapid advancements in computing and data processing technologies. Concerns about privacy rights violations have led some users to commit the so-called “virtual identity suicide” in which they quit using social media altogether (Stieger, Burger, Bohn, & Voracek, 2013). Notwithstanding its critical importance, discussions about individual privacy as a legal right involve complex issues that tend to be entangled with sensitive cultural, legal, and philosophical debates. Nevertheless, the protection of the prerogative of privacy remains beyond the control of individual users (Yao, 2011). However, considerations of this prerogative are outside the scope of the present study. Unlike threats to privacy rights by government surveillance and social profiling, some risks to data security and interpersonal privacy are related to the user’s behavior. On social networking sites, the biggest threat to personal privacy is often the users themselves or the targets previously selected by the user to receive disclosures from them (e.g. Facebook friends). Users of social media frequently and voluntarily share seemingly benign information about themselves and their friends and family (e.g. whereabouts, photos, and life events) with people they trust, yet such information could well threaten their personal privacy if it were widely disseminated in a different context. For example, a selfie taken

Chinese Journal of Communication   297

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

at the airport may allow a cyber stalker to learn a user’s whereabouts; a photo taken at a child’s birthday party may reveal personal information about the children in attendance. Because most of the information shared on social media does not meet the legal definition of being “private” (Rotenberg et al., 2015), it would be difficult to examine the privacy protection on social media from a strictly legal and normative perspective. Furthermore, because sharing social information is viewed as an intrinsic condition of using social media, and selecting the target audience implies a bond of love and trust, any privacy protection strategies that are rigid and premeditated or developed on the normative grounds of privacy rights might be proven insufficient and ineffective. Protecting personal privacy on social media Most social networking sites such as Facebook offer a relatively comprehensive privacy-setting control system that allows users to define a set of rules regarding the type and target of the information shared. For example, a user can instruct Facebook to share a photo only with their immediate social ties, but he or she can also allow the public to view their status updates. Several empirical studies have been conducted to examine the factors that influence privacy settings on Facebook. These factors included the attitudes toward privacy protection (e.g. Christofides, Muise, & Desmarais, 2009), awareness of privacy protection (e.g. Dey, Jelveh, & Ross, 2012; ), privacy concerns (e.g. Acquisti & Gross, 2006; Govani & Pashley, 2005; Stutzman & Kramer-Duffield, 2010; Tufekci, 2008; Youn, 2009), perceived likelihood of privacy violation (e.g. Krasnova, Kolesnikova, & Guenther, 2010), perceived risk and trust (e.g. Dwyer, Hiltz, & Passerini, 2007; Fogel & Nehmad, 2009), and many others. However, some researchers revealed a disparity between the reported privacy concerns and the actual protections in place. Ellison, Steinfield, and Lampe (2007) discovered that only 13% of the Facebook profiles at Michigan State University were restricted to “friends only,” even though most users had claimed that they understood privacy risks and even had expressed serious concerns about them. Although in recent years people have begun to pay much more attention to privacy control, according to a survey released by the Pew Research Center (Lee, 2015), more than half of young US citizens (18–29 years) did not take any steps to limit the availability of their online personal information; needless to say, older users (30+ years) were less likely to do so. Privacy settings may offer basic privacy protection, but they are not sufficiently effective. For example, to use privacy control settings effectively, users will need basic skills in computer literacy and have a basic knowledge of the privacy threats that they might experience on the Internet. Moreover, users typically customize their privacy settings when they first set up a profile on social media. Few users, however, will frequently update, revise, and check privacy settings after they are set. A study reported by the Pew Research Center (Madden et al., 2013) found that only 30% of teens had checked their Facebook privacy settings in the past seven days, and only 21% had checked their Facebook privacy settings in the previous year or since they created their profile. Another 17% said they had never checked their privacy settings or did not remember the last time they changed them. A majority of users did not realize that every time Facebook updated its privacy policies or updated its privacy-setting control interface, the previous setting was reset to the default, which opened up to the public almost all the personal information in a user’s profile. Unlike the offline environment, in which the physical boundaries separating a person’s private space and the public sphere are visible and real, in a virtual space, users often have difficulties defining and marking their privacy boundaries. Furthermore, the targets of communication are usually known in offline social interactions and in point-to-point

298   Qian Liu et al.

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

computer-mediated communication (e.g. email, instant messaging, etc.), whereas social media users typically do not have a single concrete target audience when they update their status or post photos. They are also unlikely to double-check their privacy settings each time they post personal information. Hence, the privacy-setting control options offered by the social networking website are only useful insofar as they provide users with a basis for privacy protection and a psychological sense of security. Privacy settings may help set the relatively stable control of informational barriers, but effective privacy protection on social media would require the users to adopt additional strategies that are sensitive to contextual and situational conditions. Theoretical approaches to online privacy management Privacy protection has also been studied from theoretical perspectives. Some researchers perceived online privacy protection as a planned behavior that could be predicted by a person’s attitude, knowledge, and past behavior (Yao, 2011; Yao & Linz, 2008). This perspective assumes that Internet users are consciously aware of the existence of privacy risks in a communication environment (e.g. unsafe data transaction on a website, the presence of intrusive cookies, etc.); thus, they are able to identify sources of threats. However, unlike the risks to privacy from cyber criminals or commercial websites, the threats to informational and interpersonal privacy in social contexts are difficult to identify because the source and type of privacy threats are uncertain. Thus, the utility of a planned behavior approach to privacy management in such contexts is limited. Indeed, several recent studies that examined privacy attitudes as a precursor to social media privacy behaviors found effects that were weaker than or inconsistent with the findings of previous research on privacy protection on websites in general (e.g. Reynolds, Venkatanathan, Gonçalves, & Kostakos, 2011; Taddicken, 2014; Zafeiropoulou, Millard, Webber, & O’Hara, 2013). A second frequently used theoretical approach to online privacy protection is the risk–benefit perspective. Most privacy research in this area has focused on online consumer behavior. In addition to trust, attitude, and knowledge, the user’s perceived risk and benefit of disclosing certain personal information were also added to the model in order to explain the consumer’s decision-making process (Dinev & Hart, 2006; Dinev et al., 2006). In this perspective, users would often risk their privacy to fulfill certain needs or obtain benefits. However, in the process, they would neglect their concerns about privacy. While a risk–benefit calculation could help explain the “privacy paradox” (Barnes, 2006), according to which Internet users tend to disclose large amounts of personal information despite having high levels of privacy concerns, this rational approach to the privacy calculus may be better suited to information disclosure in financial decisions than in social and relational contexts. In a third theoretical perspective, which has gained momentum among researchers of social media privacy, informational and interpersonal privacy management is considered a dynamic process of boundary negotiation (Petronio, 2002; Stutzman & Hartzog, 2012). Best represented by the communication privacy management (CPM) theory (Petronio, 2002), the communication management perspective focuses on how people regulate interpersonal boundaries to achieve various communication goals by using strategies to manage their privacy. According to CPM, privacy management consists of balancing the amount, target, channel, and the context of information sharing. Unlike the prerogative view of privacy, which states that a person’s right to privacy is defined by absolute and stable boundaries separating the “private” from the “public” (Solove & Rotenberg, 2003), interpersonal privacy, as defined in the CPM, is a highly dynamic and situational process

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

Chinese Journal of Communication   299 by which people maintain social distance from other individuals through the disclosure or non-disclosure of information. Although the planned behavior and the cost–benefit approaches to privacy management are useful in dealing with immediate and external threats to a person’s privacy rights in an online environment (e.g. websites, government entities), the boundary negotiation approach to online privacy management is appropriate for analyzing interpersonal privacy issues that are specific to social media. In balancing the need to self-disclose with the need to maintain interpersonal boundaries, the CPM includes five major tenets (Petronio, 2002). (1) People need to or have to disclose certain private information to achieve their communication goals. (2) There are two types of privacy boundaries – personal and collective. Personal boundaries refer to private information that could be controlled and managed by the user, whereas collective boundaries refer to private information that is co-owned and shared, requiring the joint control and management by the co-owners. (3) People believe that they have the right to own and control their private information, as well as co-own private information with others. People adjust both personal and collective boundaries by regulating ownership and controlling their private information. (4) Three rule-management processes are used to regulate the management system. First, people build up privacy rule foundations that are affected by certain criteria, including the following: different cultural values and expectations; individual differences such as gender and age, different personalities, and psychological states; contextual factors such as different communication goals and contexts of communication. Although such rule foundations are stable, they might change. Second, users who co-own private information with others need to coordinate their collective boundaries. Third, there might be a risk of boundary turbulence, which requires the owners and co-owners to take collective action to restore boundary coordination. (5) The boundaries of privacy change depending on the context of the communication. Hypotheses Based on the five major tenets of the CPM theory (Petronio, 2002), we contend that on social media, privacy protection is mainly achieved through a process of interpersonal boundary management in which users are primarily concerned with privacy risks arising from self-disclosure in interpersonal contexts. The boundary management process involves two separate strategies: privacy-setting control and self-disclosure control. The privacy-setting control refers to using or changing the privacy-setting options provided by social media, whereas the self-disclosure control refers to dynamically controlling the type, amount, and audience of personal information disclosure. First, users take advantage of the privacy-setting options offered by the social networking sites to sketch a rough boundary around their personal information space. This process is conscious and deliberate. Consistent with previous research that described the self-­ protection of online privacy as a planned behavior (Yao, 2011; Yao & Linz, 2008), the customization of privacy settings on social networking websites requires users to be aware of privacy threats, perceive such threats as relevant, and know how to protect themselves against them. Users may decide to change their privacy settings from time to time to reflect their changing needs in using social media. For instance, users could have relatively loose privacy settings when they start using Facebook because they hope to connect with as many people as possible. However, they could tighten the setting options after their online social network reached a certain size. Others could adopt restrictive privacy settings from the very beginning after learning about the various privacy risks in using Facebook, which could be loosened as they gained confidence over time in using this site. Based on the find-

300   Qian Liu et al. ings of previous research (Dey et al., 2012; Dwyer et al., 2007; Livingstone, 2008; Tufekci, 2008; Yao & Zhang, 2008; Yao et al., 2007), we state the following hypothesis:

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

H1:The openness of privacy settings on Facebook is negatively related to the user’s (a) dispositional needs for privacy, (b) concerns about online privacy threats, and (c) privacy literacy (knowledge about privacy setting control).

In line with the CPM, in addition to using privacy settings to control the flow of personal information, social media users also control the types, amount, and targets of self-disclosure. Unlike the privacy-setting control, the self-disclosure control is highly situational and spontaneous. Contrary to the effortful decision-making process involved in customizing privacy settings, the users’ decisions to share, not to share, and how to share certain private information with other social media users in a given social context are driven by social goals, such as impression management and relationship development. Previous research showed that most basic communication in social media is motivated by the users’ desire to keep in touch with friends (Ellison, Steinfield, & Lampe, 2006, 2011; Ellison et al., 2007; Joinson, 2008; Saleh, Jani, Al Marzouqi, Al Khajeh, & Rajan, 2011; Sheldon, 2008). Based on this motivation, scholars have investigated levels of motivation in relation to specific social media activities. Researchers have found that, similar to social networks offline (Wellman & Gulia, 1999), the most common activities on Facebook, such as posting photos and comments and commenting on other users’ updates, were aimed at obtaining emotional support and information resources (Burke, Marlow, & Lento, 2010; Ellison et al., 2006, 2007, 2011). Among social media users who are primarily motivated by their needs to engage in social interactions with others, sharing personal and private information with others seems to be an inherent and natural behavior. They also expect others to view and comment on their profiles. Furthermore, they are be more likely to adjust and change their privacy settings because a greater number of social interactions could lead to an increasing amount of privacy-related turbulence, such as unwanted comments and uninvited viewers. Previous studies examined self-presentation on social media and suggested that in the online environment, individuals disclosed more information about themselves because it could alter their personal identities (Christofides et al., 2009; Gibbs, Ellison, & Heino, 2006). Therefore, the following hypothesis is stated: H2:Facebook users who engage in more social interactions on Facebook (a) have more open privacy settings, (b) change privacy settings more frequently, and (c) have higher levels of self-disclosure.

In addition to enabling social interactions, social media may also provide a space for users to seek useful social information about others and observe other users’ social lives. Different from direct social interactions, social browsing is usually passive. Wise, Alhabash, and Park’s (2010) study showed that users who spent much time observing their friends’ information, including checking or viewing their profiles, posts, and photos, derived great pleasure from this activity. Whether active (e.g. visiting a particular target’s profile pages or photo albums) or passive (e.g. browsing the status-update main page without a particular target), browsing other users’ social media profiles could help reduce uncertainty in the interpersonal communication process (Ramirez, Walther, Burgoon, & Sunnafrank, 2002). Users who primarily engage in passive social activities such as social monitoring, have little need to share much social information because they observe other users’ lives as

Chinese Journal of Communication   301 invisible voyeurs. However, they may be more sensitive to privacy issues because they are familiar with making inferences about the social lives of others based on the latter’s available personal information. They would set up a restrictive privacy boundary and not risk encountering any potential threats to their own privacy. Therefore, their privacy settings would be highly restrictive and less flexible. Therefore, the following hypothesis is stated:

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

H3:Facebook users who engage in more social browsing on Facebook (a) have more restrictive privacy settings, (b) change privacy settings less frequently, and (c) have lower levels of self-disclosure.

Finally, in addition to their social functions, social networking sites also serve as entertainment (e.g. playing games). Some users use social media to kill time or as a diversion (Park, Kee, & Valenzuela, 2009; Wise & Kim, 2008). Compared with social media activities that reduce loneliness and uncertainty, on Facebook, entertainment fulfills different psychological needs, such as relieving boredom (Steinfield, Ellison, & Lampe, 2008). Users who use Facebook for leisure may not need to disclose a great amount of personal information, and they may not wish to be bothered by others. Therefore, the following hypothesis is stated: H4:Facebook users who engage in more entertainment usage on Facebook (a) have more restrictive privacy settings, (b) change privacy settings less frequently, and (c) have lower levels of self-disclosure.

As discussed earlier, at first, social media users are likely to set their privacy control settings as the basis of privacy protection. They then apply a set of dynamic and situational interpersonal boundary management rules to decide when, how, and with whom they share certain personal and private information. Therefore, we may expect the level of privacy settings to affect the level of self-disclosure. Brandimarte, Acquisti, and Loewenstein (2013) conducted three experiments on privacy control and information disclosure. Their findings showed that decreasing the participants’ anxiety about privacy control increased their willingness to share information on a new school social networking site, whereas increasing their anxiety about privacy control decreased their willingness to disclose information. The study concluded that the perceived privacy control provided by the technological features gave users a false sense of safety and confidence, which resulted in more information disclosure and less privacy. Following this logic, if Facebook users adopt very open privacy settings, they are less likely to share intimate personal information via a status update and a picture posting. However, if users have very restrictive privacy settings, they might feel safer in disclosing private and personal information. Therefore, the following hypothesis is stated: H5:The openness of a user’s privacy settings on Facebook is negatively related to the level of self-disclosure.

Methods Participants A convenience sample of 432 students who used Facebook (Male = 320, Female = 110, 2 unreported) at a medium-sized public university in Hong Kong was recruited to participate

302   Qian Liu et al.

Downloaded by [University of Illinois at Urbana-Champaign] at 19:16 06 October 2017

in an online survey. College students were identified as among the most active group of Facebook users (Cassidy, 2006); thus, we recruited participants who were adults having a current Facebook account. The participants’ ages ranged from 18 to 24 years (M = 19.09, SD = 1.35). Measures The openness/restrictiveness of privacy setting was measured by a combination of 13 items. After adjusting the privacy-setting options offered by Facebook, the participants were asked to indicate the level of accessibility to 13 types of personal information (e.g. contact details, age, religion, interests, current school or company, posts, etc.) on a fivepoint scale ranging from 1 = “only me” to 5 = “public.” The 13 items formed a reliable composite measure (M = 3.06, SD = 0.80, α = 0.90). A larger value implied a more open privacy setting; a smaller value indicated a more restrictive privacy setting. Frequency of changing privacy setting was measured by the response to the following question: “How frequently do you change your privacy settings on Facebook?” The fivepoint scale ranged from 1 = “never” to 5 = “always” (M = 2.76, SD = 0.93). Level of self-disclosure was measured by three items that were selected and revised from the self-disclosure scale proposed by Wheeless and Grotz (1976). The participants were asked to indicate their agreement with statements such as “I often talk about myself on Facebook,” “I often discuss my feelings on Facebook,” and “statements about my feelings are usually brief on Facebook (reverse-coded)” on a five-point scale from 1=“strongly disagree” to 5=“strongly agree” (M=2.51, SD=0.88, α=0.85). Facebook usage was measured by asking the participants to indicate the frequency of their various Facebook activities on a five-point scale ranging from 1  =  “never” to 5  =  “always.” We combined five items, “add new friends,” “update status,” “tag others and themselves in photos,” and “upload pictures,” to measure social interaction usage (M  =  2.77, SD  =  0.74, α = 0.84), two items “check friends’ status” and “view friends’ pictures” to measure social browsing usage (M = 3.80, SD = 0.80, r = 0.70, p