Privacy and security concerns as major barriers for e-commerce: a survey study

The public lack of confidence in online information technology (IT) is not merely about security of value, but also about trust in the information society. Privacy and security concerns are the number one reason Web users are not purchasing over the Web. Proposes to investigate the privacy and security concerns of IT users in order to establish a consensus among them. Uses data from 158 participants to come to a conclusion that the following major concerns (in the descending of importance) exist: privacy, security and threats, impersonation and forged identity, children protection, e-mail safety, and censorship. The results also show that privacy and security concerns are the main impedimen t to shopping on the Internet. The implication is that the successfu l organizations will be those who expend their resources and efforts to ensure that IT users’ concerns are adequately addressed. profits remain elusive, companies are producing new software and technologies at an unprecedented rate to help people preserve their anonymity, keep credit-card numbers safe and warn them about Web sites that may sell their secrets to others. Governments and commercial organizations are investing a lot of money in establishing secured methods of transferring data over the Internet. With secured sites, consumers can entrust credit card details and rely on the information being sent in encrypted form (Crowe, 1999). Security concern is one of the main reasons Web users give for not purchasing over the Web. Consumer reluctance to Internet commerce is partly due to the fact that the barrier to shopping on the Internet is relatively high. Cambridge-based Forrester Research estimates the amount of e-commerce sales to reach $327 billion world wide by 2002. The importance of secured online transactions has been stressed by such experts as Sydney Rubin, director of Online Privacy Alliance (OPA) who stated that every online business transaction should have a privacy policy to go with it (Reda, 1996). Companies have to establish a certain amount of trust with customers, in order to make the Internet a viable commerce medium. Tracy Mullin, president of National Retail Federation stressed that consumer privacy is one of the most far-reaching issues that must be tackled. According to her, consumer privacy pierces the heart of customer database management and target marketing efforts that retailers have spent the last decade building and expanding, and it threatens to cause expensive and disruptive change (Reda, 1996). Consumers are becoming aware of the fact that many companies are now in the business of collecting consumer information and using it for marketing purposes or monitoring consumers in a way that could be perceived as intrusive. A lot of state and federal government officials in the USA are being forced to rethink how they present public information in the age of the Internet. Information that was always technically available but rarely accessed by the public is beginning to show up online, where it can be viewed with the click of a mouse. That is `̀ raising a whole new set of privacy and security concerns and questions about how sometimes complex information should be presented to a wider audience’’ (Moad, 1997). The Internet and e-mail users are increasingly wary and concerned. Consumer concerns The following are some issues concerning privacy and security of consumers using information technology. Consumer privacy Consumer privacy issues are not new. Consumers have worried for years about how personal data are used by the government and, more recently, by businesses. Their anxiety and action have led to the passing of various privacy protection laws. The consumer privacy issue is taking on greater magnitude, as the number of people accessing the Internet’s information resources grows exponentially and the public becomes more technologically savvy (Reda, 1996; Rubin, 1995). A number of news stories in the past have added to the public concern over electronic privacy, including: The reporter who was able to purchase a list containing the names, addresses, ages and telephone numbers of young children, while using the assumed name of a notorious convicted murderer. The Internet user in Oregon who paid $222 for a copy of the state Department of Motor Vehicles’ list of names and license plates and put it on the Internet, along with software for searching it. The US News & World Report subscriber who sued the publisher for renting his name, address and subscription preference, accusing him of misappropriation of personal data (Reda, 1996). According to a 1999 report from the USA Federal Trade Commission (1999a), information is gathered on the Internet both directly and indirectly. When a user enters a chat room discussion, leaves a message on a bulletin board, registers with a commercial site, enters a contest, or orders a product, he/ she directly and knowingly sends information into cyberspace, The report further states that data can be gathered indirectly, without the user’s knowledge. For example, a user’s travels around a Web site can be tracked by a file called a `̀ cookie’’ left on your computer’s hard drive on the user’s first visit to that site. Because Web sites gather information directly and indirectly, they can accumulate a complete data picture of an individual and his/her family (Federal Trade Commission, 1999). Internet users want to feel that their privacy is being protected. Privacy experts strongly advocate government intervention, while business people are calling for self-regulation. Providing consumers with [ 166] Godwin J. Udo Privacy and security concerns as major barriers for e-commerce: a survey study Information Management & Computer Security 9/4 [2001] 165±174 information about how their personal data are used and exploring the possibilities of offering consumers privacy preference are among the issues they think should be addressed (Rubin, 1995). The US federal government has been advocating a policy of self-regulation rather than government regulation. CNET believes that a voluntary disclosure program is preferable to one mandated by law (Barr, 1999). Maintaining privacy and anonymity while surfing the Internet The computer’s ability to gather and sort vast amounts of data ± and the Internet’s ability to distribute it globally ± has magnified the concern of privacy and anonymity on the Web (Boswald et al., 1999; Federal Trade Commission, 1999a, 1999b, 1999c). Once an individual has ventured into cyberspace, it is hard to remain anonymous. One can expect to receive unwanted advertising e-mail. Cyberspace also has `̀ snoopers’’ and con men. Maintaining privacy is partly the responsibility of the user. When visiting a site, users should look for a privacy statement. Sites that are sensitive to privacy concerns should have privacy policies clearly displayed, and should also offer the user a choice to share their personal information or restrict its use. These sites also have some declarations on how the information would be used. The following have been provided as the top 12 ways to protect the user’s privacy online (EFF, 1999): 1 Do not reveal personal information inadvertently. 2 Turn on cookie notices in your Web browser. 3 Keep a `̀ clean’’ e-mail address. 4 Don’t reveal personal details to strangers or just-met `̀ friends’’. 5 Realize you may be monitored at work, avoid sending highly personal e-mail to mailing lists, and keep sensitive files on your home computer. 6 Do not reply to spammers, for anything. 7 Be conscious of Web security. 8 Be conscious of home computer security. 9 Examine privacy policies and seals. 10 Remember that you decide what information about yourself to reveal, when, why, and to whom. 11 Use encryption! 12 Keep sensitive files on your home computer. Security concerns and threats Although much of the publicity about Internet security has focused on the potential risks to consumers who use credit cards to make purchases electronically, payment fraud is also a major threat to Internet-based merchants (Murphy, 1998). Fraudulent or non-creditworthy orders account for as much as one-sixth of all attempted purchases on the Internet. Security threats not only consist of break-ins and technology disturbance, but also stalking, impersonation, and identity theft are serious issues that everyone should be concerned about (Janal, 1998). Computer hacking is another serious problem. Hacking can be either a benign or a malicious activity. E-mail concerns Electronic mail will continue to gain popularity in years to come. Corporations and individuals are now using e-mail as a major means of communication. Like other technological developments, e-mail has both advantages and disadvantages, along with controversy (Botham, 1996). E-mail privacy has been an issue of considerable debate. Despite new developments in encryption and despite new legislation, e-mail privacy has proved to be of major concern to the users. Over the past few years there has been a rising concern over the apparent increase in unsolicited e-mail (junk e-mail), otherwise known as spam. This process of mass distribution of unsolicited e-mail advertisements has become much more common and generally accepted and tolerated, if not loved, because of many powerful corporations. Some people have estimated the amount of spam flowing through the Internet to be up to 30 percent of all e-mails, which is an indication that spam is one of the major concerns today that IT users have to deal with. As expected, the governments of the nations are making efforts to relieve the IT users’ concerns. In the USA, there is statutory privacy protection by the Electronic Communications Privacy Act, but this act is limited because an employer is not liable under the statute for reading an employee’s e-mail if one of the parties to the communication consented to the monitoring. Many companies adopt e-mail policies which employees sign, agreeing that they consent to such monitoring on an ongoing basis. Again, employers are allowed to monitor e-mail if there is a legitimate business reason for the monitoring. In essence, a company that provides an e-mail service can monitor communications in order to protect itself, such as in cases where the company believes it is being defrauded. Organizations are increasingly adopting policies which address e-mail privacy concerns. Of course, there are competing interests at stake. Some [ 167 ] Godwin J. Udo Privacy and security concerns as major barriers for e-commerce: a survey study Information Management & Computer Security 9/4 [2001] 165±174 companies prohibit all non-business uses of e-mail, and expressly reserve the right to monitor any and all communications. Others, concerned about maintaining good will and trust among employees, take less stringent approaches, allowing personal use to the extent it does not interfere with company business, and reserving the right to monitor only under certain conditions. In any event, employers are increasingly seeking to protect themselves from invasion of privacy suits by adopting e-mail policies, notifying employees of the policy. Child protection on the internet Another serious concern among online IT users is the fact many companies routinely ask children to provide personal information about their parents and without parent consent. It is a concern because most times the parents are not aware of this practice and so cannot control what personal information their innocent children are releasing to the world. As expected, the governments are taking actions to curtail the practice (http:// www.ftc.gov/bcp/contine/puts/online/ sitesee/). For example, Robert H. Williams reported in Boston Globe of April 20, 2000 that the Children’s Online Privacy Protection Act has become law in the USA for all commercial Web site operators that market to children under 13. The law requires Web sites where personal information is collected from children to display a prominent notice making clear their information collection practices, including an explicit description of how they use this information. Industry leaders and family advocates have debated how the Act can be enforced. Some think that e-mail notification of parental consent would be the quickest and cheapest method, while family advocates argued that children can easily intercept and falsify the consent. The Federal Trade Commission has allowed parental e-mail consent if accompanied by a digital signature or private pin number. According to Lehman (2000), most Web site operators agree that protecting kids’ privacy online is a worthy endeavor, although it is a costly one. In order to determine which of these concerns are experienced by online IT users, this survey study was conducted. The literature cited above formed the basis for the items used in the instrument. The online IT users were also asked to rank the concerns discussed above with the aim of identifying the severity and importance of the concerns. The method of study, results and discussion of results are given in the proceeding sectors of this paper. Method of study The purpose of this study was to investigate the concerns of online IT users in order to confirm or disconfirm the widely reported concerns in the press and trade journals. The different concerns as reported in this paper were identified by reviewing the literature on the issue. A 29-item questionnaire was developed and mailed to 250 online IT users in a major city in the Southeastern USA. A copy of the questionnaire is shown in the Appendix. The items were derived from the privacy and security issues, news and other literature. The survey instrument was tested on some experienced online shoppers who were also familiar with research issues on privacy and security concerns. Based on the comments received from the pretest, corrections were made to the instrument before administering it to the participants. The purpose of each of the items on the survey instrument was to give the online IT users the opportunity to express their opinions and views concerning their perception and concerns when using online IT. The items were simple statements of concerns for which the participants were asked to indicate their opinions on a scale of `̀ strongly agree to strongly disagree.’’ This group of participants was not hard to find since most people today seem to use e-mail and/or shop on the Internet. The participants were advised not to complete the survey if they have not used e-mail or shopped on the Internet. The data used in the study come from the 158 useable responses (out of 250 questionnaires), which is 63.2 percent of the total instrument sent out. Based on the demographics of those who participated in the study, there is no reason to believe that those who did not return the survey instrument are different from those who did. Simple descriptive statistics were obtained from the data and are discussed below.