Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied privacy attitudes and behavior of consumers. However, little is known about how organizations react to measures that employ public "naming and shaming" as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites - mostly non-responders - improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches.
Privacy plays an increasingly important role for consumers, regulators, and companies, especially on the internet. A growing number of companies provide services in the areas of online advertising, web analytics, and user profiling. Users and regulators have responded by deploying tracking blockers and passing stronger privacy laws, e.g., the European General Data Protection Regulation (GDPR). So far, most research has focused on user perceptions of information privacy [1][2][3][4] and models for firms' data gathering [5][6][7] and sharing behavior [8]. However, there is a lack of research on how to incentivize companies to reduce their use of tracking services, which are disliked by many users [9]. The study presented in this paper investigates the role of transparency as an incentive mechanism. Our scope is not limited to privacy (represented by online tracking services); we also consider the connected area of security (e.g., transport encryption of web and mail traffic), as both affect user privacy against malicious actors like criminals and intelligence agencies.
Existing website scanners like the Qualys SSL Test (ssllabs.com) and Webbkoll [10] allow users to assess the security and privacy features of single sites. However, these scanners communicate the result only to the particular user who commissioned a scan. Therefore, there is little incentive for site operators to improve their rating. In contrast, we consider a scenario in which the scan results for multiple competing organizations are published openly on the internet in a ranking. This combination of publicity and comparability creates more transparency for consumers, which may increase the pressure on site operators to improve. Therefore, we pose the following research questions:

RQ1: How do website operators react when they are notified that their website has been rated in terms of privacy and security aspects and the results are publicly available online?

RQ2: Does telling them about being in a public ranking change their reaction?
We seek to answer these questions by contacting 152 German health insurance providers in a qualitative study, confronting them with, and asking them to comment on, the current state of information privacy on their websites as determined by the PrivacyScore platform [11]. PrivacyScore.org is a public web service that automatically analyzes websites for security and privacy issues. Since its inception in June 2017, it has performed over 1 million scans and is being used by activists, data protection officers, and the general public. To the best of our knowledge, our study is the first to investigate how the competitive nature of public privacy and security rankings affects website operators, using the ranking functionality offered by PrivacyScore.
The majority of IS privacy research focuses on individual privacy [6]. One of the central questions in this area is how privacy concerns affect the way individuals behave and their willingness to disclose personal information [1]. A frequently discussed aspect in this context refers to the decisions that individuals make regarding privacy and a tradeoff between risk and benefit [3], which is informed by many factors, including company culture, legal environment, and the industry of the information-gathering company [4].
In contrast, there is less research on the question of how privacy issues are perceived from the organizational perspective, i.e., by companies who work with personal data of their consumers. This field concerns itself with the interests, attitudes, and motivations that companies have towards privacy [1][5][6][7][8]. Greenaway and Chan argue that companies can behave in a reactive or proactive manner in regard to privacy and thus influence the perception of customers, and that their behavior can be explained using two models [5]. The Institutional Approach (IA) considers firms' behavior as a search for legitimacy in the face of external pressures, and distinguishes an acquiescent approach (compliance with law, imitation of peers) and a proactive approach (exceeding minimum requirements and using clear communication to achieve leadership without falling out of line). The Resource-based View (RbV) posits that firms seek a sustainable competitive advantage using either an information focus (through superior data analysis) or a customer focus (through superior customer trust).
To the best of our knowledge, the role of competition in promoting privacy has not received significant attention so far, although individual companies like Apple or DuckDuckGo have started marketing themselves as privacy champions. Like the RbV, Ohlhausen and Okuliar view privacy as a factor in competition [12]. Kerber reverses the argument and posits that a lack of competition may be partially responsible for the lack of privacy offerings from online companies [13].
Another reason may be that the privacy behavior of companies is often invisible from the outside. Thus, consumers find it hard to