Visit my lab website, pearl.umd.edu to read more about specific projects I am working on in the areas of privacy, surveillance, and ethics. For information about where I have received funding and financial compensation, visit my Disclosures page.

Below, I share a high-level overview of my research trajectory, written in late 2018, that describes my research contributions to networked privacy and pervasive data ethics.

***

Introduction

Information and communication technologies (ICTs) are reshaping the content individuals share, the audiences with whom they communicate, and the entities that collect and analyze personal information. The social and technical affordances of these ICTs simplify the process of growing a large network of connections and interacting through various public and private communication channels. At the same time, however, they blur distinctions between public and private information, making it difficult for even the most skilled users to understand how content moves through systems. The increasing ubiquity of social and mobile raises a number of questions about the privacy and security of data, the knowledge and skills of those using these tools, and the ethical practices of those who interact with data.

In line with a 2014 White House report calling for more social science research on privacy, my research broadly evaluates two interrelated constructs: (1) networked privacy and (2) pervasive data ethics. By networked privacy, I refer to the contextual and networked nature of online communication and data sharing; my research seeks to understand how people develop and adapt mental models around privacy and disclosure practices when sharing data with companies and social connections, such as through social media [see references 1-7], when using fitness tracking devices, or using in-home intelligent personal assistants like Amazon’s Alexa devices. My ethics research focuses on tensions in how big data researchers and institutional review boards understand rights and obligations regarding use of pervasive  data online. These streams of research are complemented by my ongoing theoretical and empirical work on unpacking communicative affordances of new technologies (see this, this, and this).

Since I received my PhD in 2012, I have developed a reputation as a leading scholar in networked privacy research, with contributions to communication, HCI, and information science disciplines. My research provides valuable insights into how people make sense of new technologies, how they navigate disclosure and data-sharing processes, and how they (mis)understand data flow processes. I have also sought to impact research and mentoring through my service contributions to the major conferences I am active in, including  CSCW, CHI, and iConference.

In the following sections, I provide a more detailed description of my research, show how I connect my research with mentoring and teaching activities, and discuss future directions for my work.

Making Sense of Data Sharing in Online Spaces

In addition to providing users with a number of relational and informational benefits, ICTs also create a significant tension between individuals’ desire to maintain privacy and to be engaged participants in online communities. Problems arise due to increasing user diversity on these sites, a lack of privacy management knowledge and/or skills, and the often-changing privacy standards of the sites themselves. The intensity and risk associated with these issues varies across a number of demographic factors, and marginalized groups such as younger and older users, those living in poverty, and immigrants face even more challenges to safely navigating communication technologies.

I have spent eight years evaluating people’s mental models for understanding networked privacy and for developing and implementing strategies to manage their privacy online. In my early work, I focused primarily on Facebook, which I chose for a number of reasons, including that the site focuses on friendship-based ties and social interactions, as well as encourages users to connect with a wide and diverse network of social ties. I was one of the earliest researchers to empirically study the phenomenon of context collapse on social media, whereby the technical structure of sites flattens social networks and makes it more difficult to engage in the types of nuanced self-presentation individuals do unconsciously offline. For example, in two articles analyzing interview data, my co-authors and I identified a range of privacy management strategies social media users employ to curate their online self-presentation and mitigate their privacy concerns. In more recent work, these strategies have been evaluated in non-Western contexts, where authoritarian governments and norms of surveillance significantly increase negative consequences for privacy missteps. These studies, published predominately in Communication journals, have focused  on theoretical contributions, including defining context collapse as well as refining Petronio’s Communication Privacy Management theory and Nissenbaum’s work on contextual integrity.

An important—but often overlooked—factor in networked privacy research is cross-cultural comparisons of privacy norms. With collaborators in the Netherlands, I am evaluating mobile privacy and surveillance concerns across the U.S. and EU. We have examined multiple mobile applications that collect significant quantities of potentially sensitive data from users, but where data privacy is not typically highlighted (e.g., as in the case of fitness and messaging apps). To date, we have used a mixed-methods approach and collected quantitative (survey) and qualitative (interviews/focus groups) data evaluating consumers’ perceptions and use of messaging apps (Netherlands), fitness trackers (U.S.), and intelligent personal assistants (IPAs) like Alexa and Google Home (U.S. and Netherlands). Findings suggest that consumers do not prioritize privacy; that they place low value on individual pieces of data like the number of steps; and they focus more on short-term benefits (e.g., hands-free voice service) over long-term data privacy violations (e.g., Amazon or Google having years’ worth of voice data from one’s home) [8-10, 20]. Even when consumers express concerns about data privacy, they qualify those concerns with comments about feeling overwhelmed or having a sense that there’s “nothing they can do” to stop companies from gaining access to their data, which is in line with other work discussing a sense of privacy apathy or fatalism.

Beyond empirical contributions, we are considering wide-ranging policy implications of this research related to how companies should communicate about the data they collect from consumers and the role the government should play in educating consumers in how to protect their data. In June 2018, we hosted a two-day workshop at the University of Maryland for 15 privacy scholars and policymakers to discuss the research project; from this meeting, we have refined the study design for our cross-cultural study via factorial vignettes (data collection in early 2019), and we have begun outlining our next NSF submission to further explore the privacy and security challenges of the Internet of Things and help consumers better understand how their data flows from device to companies, third parties, and others.

Empowering Children and Families Through Privacy and Security Education

While my networked privacy research discussed above has largely focused on contributions to theory and policy, I also use participatory design (PD) as a methodological approach to develop design contributions. First, through two Google Grants with Drs. Marshini Chetty and Tamara Clegg, we have been working with families and teachers to better understand what elementary and middle-school aged children understand about digital privacy and security, what types of tools or resources would be successful in effectively teaching them about complex topics related to privacy and security, and how to embed privacy and security curriculum into existing learning outcomes in primary schools. While we have found that many parents of younger children put off discussions about privacy and security “until they’re older,” we argue that that helping children develop strong practices at a young age will prepare them to manage their privacy and security as adolescents and adults. Further, we recently published work highlighting suggestions for designing online privacy-focused educational resources based on multiple design sessions with children through the Human Computer Interaction Lab’s (HCIL) Kidsteam, and we are currently testing two types of interactive games (developed based on our Kidsteam sessions) with families [23].

Another space that is often neglected by empirical research is the privacy challenges and needs faced by economically disadvantaged populations, who face compounding threats due to reduced digital literacy, reduced home internet access and reliance on publicly available computers and, in many cases, reduced English proficiency. In a three-year IMLS funded project, Dr. Mega Subramaniam and I are working with librarians and families at four libraries across the state of Maryland serving low-income communities. We are developing educational resources for librarians, adults, and children in these communities to reduce data privacy risks and empower them to feel more confident and safer when navigating digital services. Findings to date from focus groups with librarians and interviews with more than 50 families have revealed that librarians face a lack of resources and little consensus in guidelines for how to work with patrons’ personal information. Our research with 54 families suggests they cannot turn to their social network for technical help and that completing a task, such as submitting a job application or form for aid, typically supersedes concerns privacy concerns related to sharing their data through public channels. We are currently developing a preliminary set of resources and will engage families through PD sessions to develop the complete set of resources in late 2018.

Ethical Practices Around Online Data Research

With the increasing focus on sharing personal information publicly via social media platforms, we have also seen a rise of big data analytics and other forms of online data collection and analysis practices in social science and computing research. Researchers face significant challenges when making decisions about how to treat data from users who may not be considered “human subjects” by review boards, who are often unaware of the boundaries between public and private information, and who rarely give informed consent to have their data collected, analyzed, and/or published online in aggregate. I would argue we have reached a turning point in online data research—users, researchers, review boards, and policymakers must work together to re-evaluate existing rules and to ensure that research participants’ privacy is protected to the fullest extent possible. In collaboration with Dr. Katie Shilton at UMD, as well as researchers at five other institutions, I am a Co-PI on PERVADE, a four-year, $3 million NSF grant on pervasive data ethics. This project was selected by UMD to represent the university’s research program at the Coalition for National Science Funding (CNSF) Exhibition on Capitol Hill in May 2018, highlighting the critical nature of this research stream.

In my research, I focus primarily on evaluating ethical challenges in the research process, both from the perspective of researchers collecting and analyzing large-scale user data, as well as institutional review boards that evaluate proposed human subjects research projects. In a 2016 CSCW paper with Dr. Shilton, we surveyed 263 self-identified social computing researchers on their research attitudes and practices, as well as how they defined their personal code of ethics. While identified several areas of consensus—including transparency with participants, ethical deliberation with colleagues, and caution in sharing results—we also found disagreements on important topics like the feasibility of obtaining consent and violating websites’ Terms of Service, as well as defining what constituted “public” data.

These findings provided a useful starting point for conversations that have continued in the CHI Research Ethics Committee and at workshops at CSCW and Facebook’s New York office. In a follow-up study, we surveyed institutional review board (IRB) staff at U.S.-based research universities to gain insights into the types of pervasive data studies they evaluated, as well as their attitudes toward their ability to effectively evaluate risk in big data research. Findings highlight a paradox: while IRB staff note significant challenges evaluating increasingly technical research proposals, they also have confidence in their ability to overcome these difficulties. Furthermore, echoing the findings from our survey of social computing researchers, these data point to a lack of consensus among IRB staff about what types of pervasive data research projects constitute “human subjects research”—and consequently, need to be reviewed by IRB staff. The PERVADE team conducted focus groups at the PRIM&R (Public Responsibility in Medicine and Research) conference in fall 2018 to further unpack these findings. I plan on conducting a third survey focusing on research participants, to better understand their attitudes and beliefs around sharing their data with researchers.

Bridging Privacy Education and Research

My research is inherently interdisciplinary and spans HCI, CMC, STS, education, social psychology, and computer science, and I’ve collaborated with researchers in each of these disciplines. To provide a centralized space to highlight the research I have done while at UMD, I founded the Privacy Education and Research Lab (PEARL) in 2015. PEARL enables me to coordinate my research collaborations and showcase the work of my graduate students and post-docs. To date, I have advised four PhD students, including one who graduated in summer 2017. I have also worked with nearly a dozen other graduate students through research projects and independent study courses, and I have published 16 journal articles or proceedings with UMD graduate students in the last four years.

As my lab’s name implies, bridging privacy research and education is very importance to me. In addition to developing the first privacy-focused seminar offered at the iSchool, I am currently part of a small team developing a new undergraduate specialization in Cybersecurity and Privacy, which launched in fall 2018 and will put the iSchool at the forefront of human-centered security education. I have worked with undergraduate research teams on privacy-focused research, including two teams in the pilot run of our undergraduate capstone program. More broadly, I have provided substantial leadership to the undergraduate curriculum at UMD as a member of the undergraduate committee and a primary developer of the core curriculum for our new BS in Information Science. In particular, I have ensured that the new curriculum, while heavily STEM-focused, incorporates interdisciplinary content that helps students better see where humans fit into computing decisions, designs, and outcomes. I have additionally developed two undergraduate courses offered as general education requirements at the university, broadening our College’s reach to students outside the major.

One of the biggest gaps my research has revealed is that consumers and users of new technologies face numerous hurdles to becoming engaged and proactive managers of their digital footprints. As I look to 2019 and beyond, I plan to focus on ways to translate my research findings so I can reach a wider audience and move the needle on privacy literacy. I will accomplish this through a range of methods that might include outreach, public scholarship, a popular press book, curriculum development (including in K-12 education), policy work, and new developing new ways to evaluate whether research interventions impact consumers’ privacy and data sharing behaviors.

References

1. Vitak, J., Wisniewski, P., *Ashktorab, Z., & Badillo-Urquiola, K. (2017). Benefits and drawbacks of using social media to grieve following the loss of pet. Proceedings of the 2016 International Conference on Social Media & Society (Article No. .23). New York: ACM. doi:10.1145/3097286.309730
2. Vitak, J., Blasiola, S., Patil, S., & Litt, E. (2015). Balancing audience and privacy tensions on social network sites. International Journal of Communication, 9, 1485-1504. doi: 1932–8036/20150005
3. *Kim, J., Ahn, J., & Vitak, J. (2015). Korean mothers’ KakaoStory use and its relationships to psychological well-being. First Monday, 20(3), n.p.
4. Vitak, J., & *Kim, J. (2014). “You can’t block people offline”: Examining how Facebook’s affordances shape users’ disclosure process. In Proceedings of the 17th ACM Conference on Computer Supported Cooperative Work and Social Computing (CSCW) (pp. 461-474). New York: ACM. doi:10.1145/2531602.2531672
5. Vitak, J. (2012). The impact of context collapse and privacy on social network site disclosures. Journal of Broadcasting and Electronic Media, 56, 451-470. doi: 10.1080/08838151.2012.732140
6. McLaughlin, C., & Vitak, J. (2012). Norm evolution and violation on Facebook. New Media & Society, 14, 299-315. doi: 10.1177/1461444811412712
7. Vitak, J., Lampe, C., Ellison, N., & Gray, R. (2012). “Why won’t you be my Facebook Friend?”: Strategies for dealing with context collapse in the workplace. In Proceedings of the 7th Annual iConference (pp. 555-557). New York: ACM. doi:10.1145/2132176.2132286