A Longitudinal Study of Social Media Privacy Behavior

Existing constructs for privacy concerns and behaviors do not adequately model deviations between user attitudes and behaviors. Although a number of studies have examined supposed deviations from rationality by online users, true explanations for these behaviors may lie in factors not previously addressed in privacy concern constructs. In particular, privacy attitudes and behavioral changes over time have not been examined within the context of an empirical study. This paper presents the results of an Agile, sprint-based longitudinal study of Social Media users conducted over a two year period between April of 2009 and March of 2011. This study combined concepts drawn from Privacy Regulation Theory with the constructs of the Internet Users’ Information and Privacy Concern model to create a series of online surveys that examined changes of Social Media privacy attitudes and self-reported behaviors over time. The main findings of this study are that, over a two year period between 2009 and 2011, respondents’ privacy concerns and distrust of Social Media Sites increased significantly, while their disclosure of personal information and willingness to connect with new online friends decreased significantly. Further qualitative interviews of selected respondents identified these changes as emblematic of users developing ad-hoc risk mitigation strategies to address privacy threats.

💡 Research Summary

The paper presents a two‑year longitudinal investigation of how social‑media users’ privacy attitudes and self‑reported behaviors evolve over time. Recognizing that existing privacy‑concern frameworks (most notably the Internet Users’ Information and Privacy Concern model, IUIPC) inadequately explain the well‑documented “privacy paradox” – the gap between what users say they care about and what they actually do – the authors integrate Privacy Regulation Theory with IUIPC to construct a more dynamic measurement instrument.

Methodologically, the study adopts an Agile, sprint‑based design. Between April 2009 and March 2011 the researchers conducted eight survey waves at roughly three‑month intervals, each wave involving about 500 participants who were active on major platforms of the era (primarily Facebook and MySpace). The questionnaire measured four core constructs: (1) privacy concern, (2) distrust of social‑media sites, (3) information disclosure (the amount and detail of personal data shared on profiles), and (4) willingness to connect with new online friends. By repeatedly sampling the same cohort, the authors could track intra‑individual change while also estimating population‑level trends.

Quantitative analysis employed repeated‑measures ANOVA and linear mixed‑effects modeling to assess temporal trajectories. Results show a statistically significant increase in both privacy concern (effect size d ≈ 0.42) and site distrust (d ≈ 0.37) over the two‑year span. Conversely, self‑reported disclosure (d ≈ ‑0.35) and willingness to form new connections (d ≈ ‑0.31) declined markedly. These patterns confirm that the privacy paradox is not a static artifact but a dynamic process that intensifies as users become more aware of potential threats.

To enrich the numeric findings, the authors conducted semi‑structured interviews with a purposive subsample of 30 respondents after the final survey wave. The qualitative data reveal a consistent “risk‑recognition → information‑restriction → behavior‑adjustment” loop. Participants described ad‑hoc mitigation tactics such as hiding profile photos, making friend lists private, revoking third‑party app permissions, and moving sensitive conversations off‑platform. Importantly, these strategies emerged organically from personal experiences (e.g., account hacks, spam attacks) rather than from formal policy changes, underscoring the role of user‑driven, situational risk management.

Theoretical contributions are twofold. First, by marrying Privacy Regulation Theory with IUIPC, the study demonstrates that privacy attitudes function as regulatory mechanisms that evolve over time, thereby offering a more nuanced explanation for attitude‑behavior discrepancies. Second, the successful application of an Agile sprint framework illustrates that rapid, iterative data collection can capture the fluid nature of digital privacy concerns, a methodological insight valuable for future research in fast‑changing online ecosystems.

Limitations include the geographic concentration of the sample (predominantly U.S. and other Western users), the historical focus on platforms that have since declined, and reliance on self‑report measures that may not perfectly reflect actual behavior. The authors recommend extending the approach to a broader set of cultures, incorporating contemporary platforms such as Instagram and TikTok, and triangulating survey data with server‑side logs to obtain more objective behavioral indicators.

In sum, the study provides robust empirical evidence that over the 2009‑2011 period social‑media users grew increasingly concerned and distrustful, while simultaneously curbing personal information sharing and reducing openness to new online relationships. Users actively devised informal, on‑the‑fly risk‑mitigation practices, suggesting that privacy protection policies and platform designs should accommodate and support these user‑generated strategies rather than relying solely on top‑down controls.