Author(s): Pradeep Kumar Murukannaiah, Jessica Staddon, Heather Lipford, Bart Knijnenburg

Date: 26 Feb 2017

Document Type: Reports

Associated Event: NDSS Symposium 2017

Abstract:

A clear and efficient process for responding to privacy incidents is widely viewed as necessary for a strong privacy program. In addition, analysis of privacy incidents is advocated to understand risk trends. Both incident response and analysis require an actionable definition of privacy incident, which is challenging to derive given that privacy attitudes vary by culture and context, resulting in variation in incident manifestation. We present a first study of end user understanding of the term "privacy incident" with 482 Amazon Mechanical Turk users. Our study uses a variety of news exemplars, many of which concern the privacy-related concepts of data collection, storage, and usage. We find that although participants appear to closely tie sensitive data collection and usage to privacy, they often conflate privacy and security and are more inclined than privacy law to view perceived or anticipated privacy issues as grounds for an incident. Our study suggests that there is some degree of schism between end user conceptions of privacy and the views of industry and government.