The Privacy Attitudes Questionnaire (PAQ) Turned 20: What’s Next for a Generalized Measure of Privacy Attitudes?

Attitudes and concerns related to privacy are not homogeneous, but instead differ based on the individual and context at hand. Understanding how these attitudes and concerns vary could inform product, service, and policy design. Questionnaires, such as the Privacy Attitudes Questionnaire (PAQ), can be used to evaluate and derive implications from people’s privacy orientations in numerous domains, including healthcare, social media, and e-commerce. Our objective is to refine the PAQ to reflect areas of privacy concern in today’s landscape. The panel will serve as a forum for conversation about areas of privacy concern, guided by our panelists’ expertise and questions about demographic and user considerations for the revised PAQ, a framework-inspired understanding of privacy, and privacy in healthcare. Insights and perspectives arising from the discussion panel will be considered for subsequent revisions of the PAQ.


Introduction
Attitudes towards privacy vary across individuals and contexts alike, with one survey reported by Madden & Rainie (2015) demonstrating differences across both perspectives.The ability to engage in online activities anonymously, for example, was supported by some survey respondents and opposed by others.Furthermore, respondents reported having more trust in credit card companies keeping their personal information confidential as compared to the government and home phone service companies.Alan Westin also recognized that privacy attitudes vary across individuals and grouped people based on their levels of concern: "Privacy Fundamentalists", "Privacy Pragmatists", and "Privacy Unconcerned" (Kumaraguru & Cranor, 2005).Understanding individuals' privacy attitudes and where these vary, based on context, could have important implications for the design of products and services that handle personal information.Development of privacy policies would also benefit from understanding people's expectations of how their rights to privacy should be safeguarded, and which entities should have access to what types of personal information.
Going back around half a century, several questionnaires have been developed that assess people's privacy attitudes and concerns.Among these are a questionnaire developed by Pedersen (1979), Westin's questionnaires as described by Kumaraguru & Cranor (2005), and a questionnaire assessing privacy attitudes published by Buchanan et al. (2007).Some of these questionnaires were developed before certain technologies with privacy implications, such as smartphones, social media platforms, and large-scale data science initiatives, entered widespread use.Additionally, the questionnaire developed by Buchanan et al. (2007) is dedicated towards privacy concerns associated with information technologies and does not encompass additional contexts and Proceedings of the Human Factors and Ergonomics Society Annual Meeting 67(1) constructs, such as physical privacy as described by Stuart et al. (2019), that could be assessed in future questionnaires.
An additional questionnaire that was developed over two decades ago is the Privacy Attitudes Questionnaire (PAQ) (Chignell et al., 2003), which is provided in the Appendix and has seen an increase in use over recent years.However, the questionnaire has not been updated since its publication, and some articles citing the PAQ, such as Li et al. (2004) and van de Garde-Perik et al. (2008), suggest areas for improvement.To enhance its utility, our objective is to update the PAQ to reflect modern privacy concerns and relevant constructs.We are currently carrying out a review of the literature discussing privacy concerns and hope to supplement the review with feedback from this panel at the HFES 67th International Annual Meeting, incorporating resulting comments and insights into the development and validation of a forthcoming updated version of the PAQ.

Original PAQ: USE and Insights
The PAQ was originally developed over twenty years ago to fill a gap in measuring attitudes towards privacy.The questions for the first draft of the PAQ arose from a workshop with around 50 participants that was held at an IBM CASCON conference in Toronto, Canada.The CASCON participants at the time were largely members of industry and academia with an interest in technology and thus the resulting PAQ was influenced by a fairly large group of people, but one that does not represent a full cross-section of society.Due to its origins, the PAQ may also reflect Canadian and perhaps North American sensibilities about privacy.After revisions, the resulting PAQ was published (Chignell et al., 2003) with four subscales: E: Exposure; M: Willingness to be Monitored; P: Interest in Protection; and PI: Willingness to Share Personal Information.The need for a general measure of privacy attitudes is demonstrated by the fact that the PAQ continues to be used in research, in spite of the fact that it was created before the rise of social media, smartphones, and many other technologies.
When it was originally developed, the PAQ was never expected to be the last word in measuring privacy attitudes and the researchers at the time expected that it would be updated within a few years.The need for a new version of the PAQ is further spurred by the vast number of technological changes occurring in the past two decades that have an impact on how people express their privacy attitudes.In preparing for a new version of the PAQ, we have been reviewing how the original version has been used over the past two decades, and we have also reviewed other research literature relating to privacy attitudes.Between the PAQ's publication in 2003 and July of 2023, the paper introducing the original questionnaire received 37 citations.Among these citations, 23 publications reported using or attempting to use the PAQ.Table 1 outlines the areas to which the original PAQ has been applied, demonstrating its utility across multiple domains.
However, it is important to note that although more than one application area applies to many of these publications, each is only accounted for once within Table 1 for simplicity.
Among these publications, some point to aspects of the PAQ that could be improved.For example, Li et al. (2004) and van de Garde-Perik et al. (2008) suggest that questionnaires tailored to particular contexts better suit context-specific research.Furthermore, the reliabilities of the PAQ's subscales as reported by LaJoie et al. (2022) suggest that future improvements could strengthen them.

Discussion Panelists
Our discussion panel will be moderated by Dr. Wayne Giang from the University of Florida and will consist of three panelists from academic settings and industry.These panelists will lead the discussion from the perspectives of demographic and user considerations for the PAQ, conceptualizing privacy, and privacy implications associated with emerging healthcare technologies.

Alyssa Iglar
MASc Student, Department of Mechanical and Industrial Engineering, University of Toronto.The PAQ assesses privacy attitudes generally across several contexts.However, we need to consider how to handle situations where a context may only apply to certain demographics.For example, a survey conducted in 2021 revealed that 28% of adults in the United States were not social media users (Auxier & Anderson, 2021).Moreover, a greater percentage of older adults did not use social media compared to other adult age groups.However, while not universally utilized, social media has inspired concerns about personal information collection and data breaches (Rainie, 2018).These concerns should be reflected in the next version of the PAQ.To ensure that the questionnaire's items are applicable to the general population, consideration needs to be paid to the number and phrasing of items covering specific domains including social media.Consideration should also be given to specific groups' needs when developing a general questionnaire.For example, healthcare organizations might be interested in evaluating the impact of employees' privacy attitudes on management (or mismanagement) of confidential information within the organization.As a general questionnaire, the PAQ covers several domains of privacy that would not be of interest to these users.Given our intention for the PAQ to remain a general questionnaire that considers multiple privacy-informing contexts, we need to consider a balance between not having too many questionnaire items while also covering as many main contexts and demographic groups as possible.

Dr. Reza Samavi
Associate Professor, Department of Electrical, Computer, and Biomedical Engineering, Toronto Metropolitan University.Since the PAQ was published 20 years ago, public concerns about privacy threats have increased considerably.Dominant privacy concerns at the turn of the 21 st century included the impact of surveillance cameras and large databases collected by e-commerce.However, since then the rapid rise of technologies, the World Wide Web, and social media has created a situation where companies like Twitter, Instagram, and Facebook profile billions of individuals based on their activities, following individuals temporally and spatially based on their digital footprints.The resulting analysis and behavioural prediction of individuals is creating a ubiquitous surveillance environment where the privacy concerns at the turn of this century seem almost quaint.
Interestingly, individuals' privacy attitudes towards these new systems and technologies have not been rigid.Some socio-technical systems (e.g., the Cambridge Analytica case; Hinds et al., 2020) created a huge privacy concern.In contrast, using complex digital device connectivity to trace COVID-19 cases or using networks of medical devices for health monitoring have received much less concern.Policymakers' and governments' reactions to these new technologies and their impacts on privacy have also been very diverse.How can these differences in individual attitudes be explained, and why are some technologies, legislations, and policies favoured by some groups of individuals and not by others?
In this panel discussion, my presentation will focus on the difficulties and even impossibilities of providing a uniform definition of privacy.Then, looking at privacy from the lens of contextual integrity (CI; Nissenbaum, 2009), I will posit that individuals' privacy attitudes (and their differences) can be better understood when privacy is expressed in terms of the appropriateness of information flow in the context of new technology.The appropriateness is also not uniform.In addition to the rules and regulations that govern every society, it largely depends on the written and unwritten norms a society is formed around.On a more granular level, it also depends on the characteristics of the context the technology is being used.I will argue that the theory of contextual integrity provides a well-formed prescriptive and proscriptive framework for the interconnectivity of human privacy attitudes, new technologies (or, in CI's terms, socio-technical systems) and societal norms, as shown in Figure 1.The new PAQ needs to be evolved to capture how individuals differ in terms of what they see as appropriate (and inappropriate) information flow.

Kopiha Nathan
Privacy and Compliance Officer, Healthcare Insurance Reciprocal of Canada.Healthcare is experiencing a rapid growth in the adoption of advanced technology solutions such as virtual care, inter-connected operational technology medical devices, wearable technology and Artificial Intelligence-informed healthcare systems.These advancements in technology heavily rely on the collection and use of sensitive data including personal health information (PHI).PHI involves some of the most sensitive information about a person (Cavoukian, 2004).Inherent data privacy challenges in healthcare are further complicated by the increased presence of cybersecurity threats.Canadian and most North American healthcare organizations are subject to cyber attacks resulting in compromised critical information systems and data/privacy breaches.
It is critical from a risk management perspective, that healthcare organizations, health technology vendors, medical device manufacturers, and commercial manufacturers of wearable technology that track PHI, take a committed approach to understand privacy implications during the design phase of manufacturing or implementing advanced healthcare technology solutions.A systematic privacy attitude measurement, such as an enhanced version of the PAQ, can provide a systematic approach to gathering meaningful data, supporting the incorporation of Privacy by Design (Cavoukian, 2011) principles within technological advancements.

Conclusion
As a construct that evades a single and comprehensive definition, privacy can be understood and conceptualized in numerous ways.Considerations and implications associated with privacy also differ based on context, whether it be patient care in hospitals, personal information sharing through social media, or financial information requested by e-commerce sites.
Questionnaires, such as the PAQ, offer a means to better understand the degree and nature of public concern about privacy and to identify how individuals or groups of people differ in terms of these considerations (Chignell et al., 2003;Kumaraguru & Cranor, 2005).A question that could be considered for future revisions of the PAQ is whether the tool would better serve those using it (1) as a means to understand psychological factors underlying individual differences in privacy attitudes or (2) as a guide for the design of products, services, or policies.4. Video cameras should be used in public places to improve public safety and security.5.I would give my home phone number to business clients.6.I like to fill out surveys and contests.7. Red light (intersection) cameras should be used.8. Speeding cameras should be used.9. (-) Insurance companies should not have access to people's health records.

Interest in Protection
1.I would prefer to have an unlisted phone number.2. I like to clear my cache frequently for privacy reasons.3. I like to change my passwords frequently.4. I like to close my curtains at home at night. 5.I frequently question why I'm providing personal information.6.I would prefer people to knock before coming into my office or bedroom.7. I worry about the possibility that my conversations will be overheard.8.I would use a personal firewall.

Willingness to Share Personal Information
1.I am comfortable with giving a DNA sample.2. I am comfortable giving out my personal identification number.3. I am comfortable in allowing others to check my credit.4. I am comfortable wearing a name tag. 5. Employers should be able to monitor employee email.6.It is ok to use messaging services even if the messages could in principle be tracked.7. I allow strangers to enter my house while I'm not there.8.I am comfortable with having my retina scanned.9.I do not mind using my real name in online discussions.10. (-) My medical information should never be communicated to people or organizations without my permission.

Table 1 .
Application areas covered by publications that used or attempted to use the original PAQ between its publication and July of 2023.