Privacy and Security Perceptions of European Citizens: A Test of the Trade-Off Model

This paper considers the relationship between privacy and security and, in particular, the traditional "trade-off" paradigm that argues that citizens might be willing to sacrifice some privacy for more security. Academics have long argued against the trade-off paradigm, but these arguments have often fallen on deaf ears. Based on data gathered in a pan-European survey we show that both privacy and security are important to European citizens and that there is no significant correlation between people's valuation of privacy and security.


Introduction
The relationship between privacy and security has often been understood as a zero-sum game, whereby any increase in security would inevitably mean a reduction in the privacy enjoyed by citizens. A typical incarnation of this thinking is the all-too-common argument: "If you have got nothing to hide you have got nothing to fear". This trade-off model has, however, been criticised because it approaches privacy and security in abstract terms and because it reduces public opinion to one specific attitude, which considers surveillance technologies as useful in terms of security but potentially harmful in terms of privacy [17,15]. Some people consider privacy and security as intrinsically intertwined conditions where the increase of one means the decrease of the other. There are also other views: There are those who are very sceptical about surveillance technologies and question whether their implementation can be considered beneficial in any way. Then there are people who do not consider surveillance technologies problematic at all and do not see their privacy threatened in any way by their proliferation. Finally there are those who doubt that surveillance technologies are effective enough in the prevention and detection of crime and terrorism to justify the infringement of privacy they cause [12].
Insight into the public understanding of security measures is important for decision makers in industry and politics who are often surprised about the negative public reactions showing that citizens are not willing to sacrifice their privacy for a bit more potential security. On the back of this the PRISMS project aims to answer two central questions:
- Do people actually evaluate the introduction of new security technologies in terms of a trade-off between privacy and security? Our hypothesis is that people do not "naturally" think this way.
- If there is no simple trade-off between privacy and security perceptions, what then are the important factors that affect public assessment of the security and privacy implications of security technologies?
The PRISMS project has approached these questions by conducting a large-scale survey of European citizens. This is, however, not simply a matter of gathering data from a public opinion survey, as such questions have intricate conceptual, methodological and empirical dimensions. Citizens are influenced by a multitude of factors. For example, privacy and security may be experienced differently in different political and socio-cultural contexts. Therefore PRISMS has not only conducted a survey of public opinion, but has also explored the relationship between privacy and security from different disciplinary perspectives [14]. In this paper, however, we focus on results derived from the survey. The results presented have a European orientation but do not address Member State specifics, dissimilarities or similarities.

Measuring privacy and security perceptions
Researchers investigating the relationship between privacy and security have to deal with the so-called privacy paradox: It is well known that while European citizens are concerned about how the government and private sector collect data about citizens and consumers, these same citizens seem happy to freely give up personal and private information when they use the Internet. This "paradox" is not really paradoxical but represents a typical value-action gap which has been observed in other fields as well. Measuring privacy and security perceptions thus has to deal with problems similar to ecopsychology at the beginning of the environmental movement in the 1970s: What is the relationship between general values and concrete (environmental) concerns and how do they translate into individual behaviour?
In PRISMS we follow the concept of "planned behaviour" that suggests that if people evaluate the suggested behaviour as positive (attitude), and if they think their significant others want them to perform the behaviour (subjective norm), this results in a higher intention and they are more likely to behave in a certain way. A high correlation of attitudes and subjective norms to behavioural intention, and subsequently to behaviour, has been confirmed in many studies [2]. As a consequence the PRISMS survey comprises questions exploring respondents' perceptions of privacy and security issues as well as values questions including political views, attitudes to rights and perceptions of technology.

Seven types of privacy
Privacy is a concept that is not only hard to measure but also difficult to define, or, as Daniel Solove once deplored: "Privacy is a concept in disarray. Nobody can articulate what it means" [17, p. 3]. It is, however, a key lens through which many new technologies, and most especially new surveillance or security technologies, are critiqued. Changes in technology have continually required a more precise re-working of the definition in order to capture the ethical and legal issues that current and emerging surveillance and security technologies engender. In this endeavour, scholars have primarily utilised two perspectives to define privacy. On the one hand Solove [17] and Kasper [10] have defined privacy negatively by focussing on privacy intrusions and attempted to systemize the potential infringements that privacy is meant to protect against.
For the PRISMS work, on the other hand, we have used a taxonomy developed by Finn et al. [4] who suggest seven different types of privacy which ought to be protected and that receive different attention and valuation in practice. Such a detailed taxonomy facilitates the overcoming of the problem that privacy is too abstract as a concept. It helps to deal with the fact that people can (and do) understand the term in very different ways. It is a known problem that though people know rather little about the facts and rights related to privacy [9] they often voice (even strong) opinions about it. Finally the taxonomy can help to sort out the difference between "privacy" and "data protection" which are related but not identical [7]. The seven types of privacy comprise [4, p. 7-9]:
1. Privacy of the person encompasses the right to keep body functions and body characteristics (such as genetic codes and biometrics) private. This aspect of privacy also includes non-physical intrusions into the body such as occur with airport body scanners.
2. Privacy of behaviour and action includes sensitive issues such as sexual preferences and habits, political activities and religious practices. However, the notion of privacy of personal behaviour concerns activities that happen in public space and private space.
3. Privacy of communication aims to avoid the interception of communications, including mail interception, the use of bugs, directional microphones, telephone or wireless communication interception or recording and access to e-mail messages.
4. Privacy of data and image includes protecting an individual's data from being automatically available or accessible to other individuals and organisations and that people can "exercise a substantial degree of control over that data and its use" [3].
5. Privacy of thoughts and feelings is the right not to share one's thoughts or feelings or to have those thoughts or feelings revealed. Privacy of thought and feelings can be distinguished from privacy of the person, in the same way that the mind can be distinguished from the body.
6. Privacy of location and space means that individuals have the right to move about in public or semi-public space without being identified, tracked or monitored. This conception of privacy also includes a right to solitude and a right to privacy in spaces such as the home, the car or the office.
7. Privacy of association (including group privacy) is concerned with people's right to associate with whomever they wish, without being monitored.

Seven types of security
The concept of security is at least as difficult to approach as privacy. Firstly, for a pan-European study it is a problem that the term "security" can have multiple meanings, depending, for example, on language or use context. First, the German term "Sicherheit" can be understood as "security" (against an external threat), safety (against a threat originating from a system or situation) or, rather more generally, as "certainty". Such linguistic ambiguity exists in other European languages as well. Second, "security" can be defined as "protecting people and the values of freedom and democracy, so that everyone can enjoy their daily lives without fear" [8, p. 13] and is thus negatively defined as the absence of insecurity. Perfect objective security thus implies the absence of any threat. Even if this was achieved today it remains open to societal negotiations of new threats in the future. Finally, security can also refer to a subjective notion. What one considers insecure, the other may perceive as secure. Consequently we must distinguish objective from subjective security [20, p. 14].
Apart from these conceptual considerations it is also difficult to delineate the content of "security". The discourse in the media and among (European Union) policy makers is often narrowed down to issues of terrorism, crime and, increasingly, border security. For the general public, however, security is usually much more, including socio-economic conditions, health or cultural security. Therefore we have used a broad definition, in order not to exclude interesting perspectives. We have identified seven general types of security contexts and the accompanying measures to safeguard and protect these contexts [13]:
1. Physical security deals with physical measures designed to safeguard the physical characteristics and properties of systems, spaces, objects and human beings.
2. Political security deals with the protection of acquired rights, established institutions/structures and recognised policy choices.
3. Socio-economic security deals with economic measures designed to safeguard the economic system, its development and its impact on individuals.
4. Cultural security deals with measures designed to safeguard the permanence of traditional schemas of language, culture, associations, identity and religious practices while allowing for changes that are judged to be acceptable.
5. Environmental security deals with measures designed to provide safety from environmental dangers caused by natural or human processes due to ignorance, accident, mismanagement or intentional design, and originating within or across national borders.
6. Radical uncertainty security deals with measures designed to provide safety from exceptional and rare violence/threats, which are not deliberately inflicted by an external or internal agent, but can still threaten drastically to degrade the quality of life.
7. Information security deals with measures designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The questionnaire and the survey
In the survey, the seven types of privacy and security were translated into items that are part of overarching questions about privacy and security (the exact questions can be found in the annex). In the survey, the construct of "security" has been split up into "general security" and "personal security", both being worked out in terms of items reflecting the seven types of security. This was done as people can respond differently to issues that affect them personally, such as "someone hacking into your computer" as opposed to more abstract items, such as "viruses damaging the national Internet infrastructure". The result is that, in the survey, three batteries of questions measure citizens' attitudes towards privacy, general security and personal security. The questions reflect the considerations that were derived from the hypothesis, namely:
- In the survey, the two terms "security" and "privacy" are not explicitly used due to the lack of a clear and commonly shared definition. Instead, the questions were designed to address the different, more concrete types of privacy and security.
- For privacy we have asked how important the different types of privacy are for the interviewee (see QD1 in the appendix).
- Since we have defined security as the absence of threats, citizens were asked about their security worries.
- Finally people were never asked if they think in terms of a trade-off directly as this would have biased respondents' views (and hence their answers).
Fieldwork took place between February and June 2014. The survey company Ipsos MORI conducted around 1 000 telephone interviews in each European Union member state except Croatia (27 195 in total) comprised of a representative sample (based on age, gender, work status and region) within each country (the sample composition is presented in the appendix).

Descriptive results
All in all, European citizens share a commitment to privacy and security. In an introductory question we asked citizens about the importance of protecting their privacy and taking action against important security risks. In both cases 87 % of the respondents said that this is important or very important for them. This is a first indication for a shared commitment to privacy and security, and evidence against a trade-off. The answers to the three batteries of questions representing the concepts privacy, general security and personal security show what this commitment means in detail. First, the answers to the items measuring these concepts are shown, to get an idea of how the respondents score these.
With respect to security in general (in their respective countries) citizens made clear that social issues, such as unemployment, healthcare and young people are top concerns with more than 60 % of the respondents saying that they worry about them at least once a month (cf. figure 2). A much smaller share of European citizens (under 40 %) are worried about security issues with a potential privacy impact, such as virus attacks against the ICT infrastructure or becoming a victim of terrorist attacks.
With respect to personal security the level of concern is much lower than that for general security (cf. figure 3). There is an indication that feelings of safety and health are more important to people personally than generally. At the same time, issues such as becoming a victim of crime in the neighbourhood, or someone hacking into one's computer are relatively more important than similar general security issues.
Regarding privacy, the survey results show that for many citizens personal control over their data is crucial, as is freedom of everyday association (cf. figure 3). In this context, personal is understood widely, ranging from the freedom to decide and to know who is collecting personal data, to the ability to move and communicate without being monitored. Compared to general and personal security worries the importance of privacy is rated relatively high. This result

Fig. 4. Importance of privacy. Question D1: "How important, if at all, is it for you to be able to..." Base: All valid responses (n=27 195), answers including "essential", "very important", "fairly important"

Overall, it can be stated that while general security is an important issue for citizens there is a higher concern about general socio-economic phenomena such as employment, healthcare and discrimination. Criminality and terrorism are only a secondary concern for most citizens. This also applies to individual security, though the concern is on average lower here ("The world is in crisis, but I am doing relatively fine"). On the other hand, however, it is noteworthy that there is high concern about individual monitoring, whether e.g. telephonically, electronically, or physically. This highlights the tension that exists between security as a collective and privacy as a (mainly) individual value [18].

Testing the privacy-security trade-off hypothesis

Methodology
As mentioned before, the survey did not include a question directly addressing whether people think about privacy and security in terms of a trade-off. This does not only prevent biased answers, but also makes it less straightforward to analyse whether a trade-off exists or not. To test the validity of the trade-off model we investigated whether perceptions of general and personal security and privacy are related or independent. If the trade-off exists, we expected that people who worry a lot about security, think privacy is less important and vice versa. Our hypothesis was that the trade-off does not exist, and therefore there would be no correlation between privacy and security attitudes. For this test, the three batteries of questions regarding general security, personal security and privacy that embrace different types of privacy and security are used. First, factor analysis was used to investigate whether the three constructs that are supposed to be there really emerge in the data. When they are found to be present, they can be used for further regression analyses.

Factor analysis results
Previously it was stated that privacy and security have many different aspects. This was taken into account by asking respondents about seven different types of both privacy and security in the questionnaire. The concept of security was split up into both general security and personal security. In total the analysis included 24 items. Instead of analysing them individually, we reduced the number of variables in the analysis without losing valuable information by using factor analysis.
Table 1 shows the factor loadings which indicate which items can be combined into one construct. All items with factor loadings above a threshold in one column (cells shaded in grey) constitute the three constructs that are expected, namely "privacy", "general security" and "personal security".
For the data on the European level the table shows that all items in battery QD1, the privacy question, are strong predictors for each other (someone answering positive on one of the privacy questions will respond positively as well on the other privacy questions). This indicates that they measure the same underlying construct of "privacy". It seems largely independent of the other two constructs; these items do not explain many of the security items. Based on the factor loadings, the majority of items in QC3, the general security question, can be considered as part of the construct which we labelled for rather obvious reasons "general security". Only "extreme weather conditions" and "viruses damaging the internet infrastructure" do not correlate well with the other items. They do, however, correlate with the "personal security" items, which makes sense since these are easier to relate to an individual's "real life" than, for example, "youth unemployment", which is a rather abstract concern when you are not part of this group. The last construct is "personal security" which is composed mainly of the items in question QC4, the "personal security" question. In addition, the QC3 questions on "extreme weather conditions", "damages to the Internet infrastructure" and "terrorist attacks" are relevant for this construct.
In summary, the factor analysis indicates that on the European level citizens' attitudes towards different aspects of privacy, general security and personal security correlate for each of these concepts. The answers on one item are good predictors for others in the same construct.

Correlations between privacy and security attitudes
To examine the correlation between the privacy and security constructs the scales were plotted pairwise against each other. This gives a visual impression as to whether people who score high on "privacy importance" score low on "security worries" - as would be expected in the trade-off model - or not. Figure 5 displays the values for the two security scales in a scatter graph. A regression line is computed to assess the relationship between the newly constructed variables. As was expected, the explained variance of the scores on general security and on personal security shown by the R² Linear is quite high at 0.316. This is not surprising since these are comparable concepts. Next, the general and personal security and privacy scales are plotted to see whether there is a relation between these constructs that can indicate evidence for or against the trade-off hypothesis. See figure 6 with general security (a) and personal security (b). In both cases, the explained variance of one variable in relation to the other is very low, at 0.012 for general security and 0.023 for personal security. There is a slight positive relationship indicating that when you think privacy is important, you also worry more about security. This is evidence against the trade-off hypothesis - albeit not convincing evidence. More convincing is that there is no negative relationship visible showing that respondents who worry more about security think their privacy is less important and vice versa. This is evidence against the existence of the trade-off model in the data.
To further assess this relationship between the privacy and security scales, correlation coefficients are calculated, using Pearson correlations ranging from

table 2). There is a relatively strong and significant correlation of 0.562 between both security scales - as the scatter plot already indicated. The privacy scale has significant, but low, correlation with the security scale, indicating that there is only a small connection between the answers given to these scales. Also, the correlation is not negative, which would indicate that people who score high on the one, score low on the other. A negative correlation would have been evidence for the trade-off hypothesis. The results retrieved here show there is no clear relation between the privacy scale and the security scales, providing evidence against the trade-off hypothesis.
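
The test described in this section can be reproduced on simulated scale scores; the following is an added example, not the authors' analysis code. The respondents are constructed, and the seven items per scale, the latent loadings, the 0.1 effect-size floor and the use of the full sample size n = 27 195 for the significance check are assumptions of the example.

```python
import math
import random

def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long samples."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)

def ols_r_squared(xs, ys):
    """Explained variance of the fitted line y = a + b*x, from residuals."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    a = my - b * mx
    ss_res = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return 1 - ss_res / ss_tot

def scale_score(latent, rng, items=7, points=5):
    """Mean of `items` Likert answers (1..points) driven by one latent attitude."""
    mid = (points + 1) / 2
    answers = [min(points, max(1, round(mid + latent + rng.gauss(0, 1))))
               for _ in range(items)]
    return sum(answers) / items

def simulate(n, seed, tradeoff=0.0):
    """Constructed respondents. tradeoff=0: privacy is independent of security worry;
    tradeoff>0: privacy importance falls as worry rises (the trade-off model)."""
    rng = random.Random(seed)
    data = {"privacy": [], "general": [], "personal": []}
    for _ in range(n):
        worry = rng.gauss(0, 1)  # shared worry behind both security scales
        general = 0.75 * worry + 0.66 * rng.gauss(0, 1)
        personal = 0.75 * worry + 0.66 * rng.gauss(0, 1)
        privacy = -tradeoff * worry + math.sqrt(1 - tradeoff ** 2) * rng.gauss(0, 1)
        for name, latent in (("privacy", privacy), ("general", general),
                             ("personal", personal)):
            data[name].append(scale_score(latent, rng))
    return data

def assess(r, n, min_effect=0.1):
    """The trade-off is supported only by a significant, non-trivial NEGATIVE r.
    min_effect=0.1 (Cohen's 'small' effect) is an assumption of this example."""
    t = r * math.sqrt((n - 2) / (1 - r * r))
    significant = abs(t) > 1.96  # normal approximation, adequate for large n
    return {"r": r, "r_squared": r * r, "significant": significant,
            "supports_tradeoff": significant and r <= -min_effect}

# R^2 values reported in this section (all slopes positive); n is the full sample.
PAGE_N = 27195
PAGE_R2 = {"general~personal": 0.316, "privacy~general": 0.012,
           "privacy~personal": 0.023}

def page_verdicts():
    """Apply the same decision rule to r = +sqrt(R^2) for each reported pair."""
    return {pair: assess(math.sqrt(r2), PAGE_N) for pair, r2 in PAGE_R2.items()}

if __name__ == "__main__":
    for label, strength in (("independent", 0.0), ("trade-off", 0.6)):
        d = simulate(3000, seed=1, tradeoff=strength)
        r = pearson(d["privacy"], d["general"])
        print(label, round(r, 3), assess(r, 3000))
    print(page_verdicts())
```

For a single predictor the regression R² equals the squared Pearson coefficient, which is why the reported 0.316 and 0.562 describe the same relationship; with a sample this large even r ≈ 0.11 is statistically significant while explaining about 1 % of the variance.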

Discussion of results and outlook
Our analysis of the answers to the three batteries of questions that aim to measure European citizens' attitudes towards privacy and security had three main results:
1. By applying factor analysis to a large number of items reflecting different types of privacy and security, it was possible to distinguish three "constructs" that reflect attitudes towards privacy, general security and personal security in a rich way. Something that needs more investigation is the fact that the results of the factor analysis are less clear on the national level. While in most cases the items in the privacy question contribute exclusively to the privacy construct, the assignment of QC3 and QC4 questions to the two security constructs is more variable.
2. Perception of general security and personal security are highly correlated. This result was to be expected as the individual feeling of security is (among other, often contextual factors) influenced by the general security feeling. We expect to gain greater insight into the mechanism of this translation process with the results from the analysis of the eight vignettes used in the survey.
3. There is no significant statistical correlation between people's valuation of privacy and their worries about security on the level of attitudes. This is first evidence against the trade-off hypothesis. The result only applies to people's attitudes, since these were measured in the variables used for the analyses in this paper. When it comes to actual behaviour people have to make choices that include trade-offs. It should be investigated further whether and how people make these trade-offs in their behaviour (for comparable work with focus on economic decision-making see e.g. [1]).
Finally we need to bear in mind that for citizens privacy and security are not always subject matter number one - most people have other day-to-day concerns. While our research shows that both privacy and security are important to people, the process of weighing the two values in specific situations is a contingent one that needs to take other factors into account as well.
Since we have shown that a simple trade-off between citizens' privacy and security perceptions does not exist, the next step is to define a structural model that describes the relationship of the main constructs. This will be a translation of the theory of planned behaviour into a survey based empirical model. This model will, in particular, take into account that attitudes towards a specific surveillance practice and the perceived as well as actual behavioural control may differ significantly. Such an enriched model may then support decision-makers in industry, public authorities and politics to implement security measures that raise fewer concerns in the population and are thus more acceptable along the lines stated in many policy documents.

Table 1. Factor loadings of principal axis factoring personal security, general security and privacy

Table 2. Correlation between privacy, general security, and personal security scales