Consumers’ Protection of Online Privacy and Identity
Article in Journal of Consumer Affairs · December 2004
DOI: 10.1111/j.1745-6606.2004.tb00865.x
WINTER 2004
VOLUME 38, NUMBER 2
217
GEORGE R. MILNE, ANDREW J. ROHM, AND SHALINI BAHL
Consumers’ Protection of Online Privacy and Identity
This article examines online behaviors that increase or reduce risk of
online identity theft. The authors report results from three consumer
surveys that indicate the propensity to protect oneself from online identity theft varies by population. The authors then examine attitudinal,
behavioral, and demographic antecedents that predict the tendency to
protect one’s privacy and identity online. Implications and suggestions
for managers, public policy makers, and consumers related to protecting online privacy and identity theft are provided.
Identity theft, defined as the appropriation of someone else’s personal or
financial identity to commit fraud or theft, is one of the fastest growing
crimes in the United States (Federal Trade Commission 2001) and is increasingly affecting consumers’ online transactions. In the discussion of
identity theft, the Internet represents an important research context. Because of its ability to accumulate and disseminate vast amounts of information electronically, the Internet may make theft of personal or financial
identity easier.
Indeed, online transactions pose several new threats that consumers
need to be vigilant of, such as the placement of cookies, hacking into hard
drives, intercepting transactions, and observing online behavior via spyware (Cohen 2001). Online identity theft through the use of computers
does not necessarily have real space analogs as exemplified by techniques
of IP spoofing and page jacking (Katyal 2001). Recent instances of online
identity theft appearing in the popular press include a teenager who used
e-mail and a bogus Web page to gain access to individuals’ credit card data
and steal thousands of dollars from consumers (New York Times 2003), and
cyber-thieves who were able to access tens of thousands of personal credit
reports online (Salkever 2002).
George R. Milne is an associate professor of marketing at the University of Massachusetts–Amherst (milne@mktg.umass.edu), and Shalini Bahl is a doctoral candidate at the University of Massachusetts–Amherst (sbahl@som.umass.edu). Andrew J. Rohm is an assistant professor of marketing at Northeastern University (a.rohm@neu.edu).
The Journal of Consumer Affairs, Vol. 38, No. 2, 2004
ISSN 0022-0078
Copyright 2004 by The American Council on Consumer Interests
FIGURE 1
Online Protection Behaviors and Their Antecedents
[Figure: a central element labeled “Online Protection Behaviors” with the antecedents Offline Data Protection Practices, Online Shopping Behaviors, Privacy Attitudes, and Demographics, surrounded by the behaviors: opt out of third party information sharing; reading online privacy policies; remove information from Web sites; check for spyware data capture; install firewall; virus protection; refuse to do business with online firms; check for cookies; monitor e-mail transmission; check for fraudulent Web sites.]
The purpose of this article, as depicted in Figure 1, is to explore the
extent to which consumers are controlling their information online and
whether privacy attitudes, offline data behaviors, online experience and
consumer background predict the level of online protection practiced.
There is an explicit link being made by privacy advocates that suggests
controlling one’s information is a step toward protecting oneself from
identity theft (Cohen 2001; Federal Trade Commission 2001). To evaluate
the level of customer protection, we analyze survey results of consumer
online behaviors, many of which are depicted in Figure 1, and investigate
their relationship to antecedent conditions suggested in the literature.
In particular, we address the following research questions: What is the
relationship between offline data protection practices and online protection
behavior? What is the relationship between online shopping behaviors and
online protection behavior? What is the relationship between privacy attitudes and online protection behavior? What is the relationship between demographics and online protection behavior?
The remainder of this article is organized in four sections. We begin in
the first section by reviewing the risks consumers face online and the steps
they can take to minimize their risk of privacy invasion and identity theft.
In the second section, we describe three surveys of consumers’ online behaviors related to online privacy and identity theft. We discuss the results
in the third section and implications for managers, public policy makers,
and consumers in the fourth and final section.
ONLINE PRIVACY AND IDENTITY THEFT
While identity theft has caught the government’s, businesses’, and the
public’s attention (Hemphill 2001; Milne 2003), the empirical scholarly
literature in this area is limited to the closely related issue of online privacy.
Research has measured consumers’ concern for online privacy (Sheehan
and Hoy 2000), their ability to opt out of online relationships (Milne and
Rohm 2000), and the extent to which businesses have implemented fair information practices through the posting of their online privacy notices
(Culnan 2000; Miyazaki and Fernandez 2001; Milne and Culnan 2002).
An underlying premise of this online privacy research is that consumers
need to be given choices for allowing access to their personal information
and have the chance to control this information so that it does not fall into
others’ hands.
While identity theft has traditionally occurred through offline methods,
online data collection of stolen identities can be easier and more efficient
for thieves (Katyal 2001), with new approaches and scams being created
and implemented under the cloak of electronic anonymity. It is not just the
thieves that are contributing to the rise of online identity theft, however.
Organizations and government agencies sometimes unwittingly post consumers’ personal information online. Hoy and Phelps (2003) report that
church Web sites often post private information; Cohen (2001) mentions
that state government agencies have posted public court records on the
Web, which advocates consider a privacy risk (Hoofnagle 2001). Consumer records stored with businesses are also at risk. For example, in 2002
JetBlue Airlines secretly gave the travel records of its customers to the
Transportation Security Administration, which then gave these records to
an independent contractor who posted the records on the Internet (Shenon
2003). Hence, with the legitimate and non-legitimate availability of online
records, it is not surprising that criminals skilled at searching the Web are
able to gather information, which in turn can be distributed and proliferated online.
Consumers who do business with companies online are vulnerable in
three general ways: (1) the data on their computer may be compromised,
(2) the data transfer to an online business may be compromised, and (3) the
data stored by the business may be compromised. When consumers are
connected to the Internet, information on their personal computers is increasingly
vulnerable to intrusions and theft. If a firewall is not installed, it
is possible for thieves to hack into consumers’ hard drives. The installation
of spyware distributed as viruses attached to e-mail makes it possible for
third parties to view the content of a consumer’s hard drive and track movement through the Internet.
Consumers’ information is also at risk when they visit Web sites and/or
complete transactions online. When consumers provide credit card and
personal information to Web sites, this information can be intercepted if
the transfer is not encrypted using SSL (secure socket layer) protocols. Privacy can also be compromised with cookies that allow others to track
clickstream history.
Another threat to consumer privacy occurs after a company obtains consumer data. In some cases, companies have not kept their promises not to
share the data with third parties. However, more serious threats for identity theft include employees stealing data that is electronically stored, or
thieves directly hacking into company databases and stealing personal or financial data, such as consumer credit card or Social Security information.
Privacy advocates have suggested ways in which consumers can directly protect their online privacy. For example, the Center for Democracy
and Technology (2003) lists the top ten ways to protect one’s online privacy:
1. Look for privacy policies on the Web.
2. Get a separate e-mail account for personal e-mail.
3. Teach your kids that giving out personal information online means
giving it to strangers.
4. Clear your memory cache after browsing.
5. Make sure that online forms are secure.
6. Reject unnecessary cookies.
7. Use anonymous remailers.
8. Encrypt your e-mail.
9. Use anonymizers while browsing.
10. Opt-out of third party information sharing.
In another list published in Time magazine (Cohen 2001) and echoed by
the Federal Trade Commission (2001), consumers are also encouraged to
install a home firewall and virus protection, be careful of what information
they give out, not download anything unless they trust the sender and the
file, and use encryption for sensitive data.
Given the growth of online identity theft and the potential harm that it
represents to consumers, it is important to understand consumers’ online
behaviors that may place them at risk. In the next section we discuss three
surveys that begin to investigate consumers’ propensities to protect their
information online.
METHODOLOGY
In this article, we analyze data from three surveys. One survey (survey 1) consists of an online survey of a national cross section of 2,468
adults, randomly drawn from the multimillion Harris online panel, composed of individuals residing in the United States who use the Internet. The
sample was drawn to reflect known proportions of age, gender, and region
in the U.S. population. Further details about the sample and data collection
are listed elsewhere (Culnan and Milne 2001). These data were utilized to
measure the influence of attitudinal and behavioral antecedents on online
privacy protection. To supplement these data and to investigate the relationship between online and offline identity theft protection behavior, we
conducted two additional surveys, one representing 300 college students
(survey 2) and the other representing 40 nonstudent responses (survey 3).
Survey Development
The surveys administered to students (survey 2) and non-students (survey 3) were identical and included measures of both online and offline
information protection practices as well as a scale to measure social desirability. We developed a 6-page survey instrument to assess consumer concern towards, and vulnerability to, online identity theft. Two lists of online
privacy protection items were generated.
One list consists of the 10 items generated by the Center for Democracy
and Technology (2003) discussed in the previous section. The question
header asked respondents to indicate whether each of the following statements was true or false. The statements were: “I always look for and read
privacy policies on the Web”; “In addition to my work e-mail, I have a
separate e-mail account for my personal e-mail”; “I talk with my children
about getting my permission before giving out information online”; “I
clear my computer’s memory after browsing”; “I make sure that online
forms are secure before filling out information”; “I set up my browser to
reject unnecessary cookies”; “I use anonymous remailers”; “I encrypt my
e-mail”; “I use anonymizers while browsing”; “When given the chance, I
opt-out of third party information sharing.”
The second list consists of 6 behaviors used in the Privacy Leadership
Initiative (2001) and Culnan and Milne (2001) studies. The question header
asked respondents whether they had done any of the following: “Refused
to give information to a Web site because you felt it too personal or unnecessary”; “Asked a Web site to remove your name and address from any
lists used for marketing purposes”; “Asked a Web site not to share your
name or personal information with other companies”; “Decided not to use
a Web site or purchase something from a Web site because you were not
sure how your personal information would be used”; “Set your computer
to reject cookies”; “Supplied false or fictitious information to a Web site
when asked to register.” The offline behaviors were based on the FTC’s
recommendations, which have been investigated in previous empirical research on identity theft (Milne 2003). Social desirability was measured using eight items from the Balanced Inventory of Desirable Responding
(Paulhus 1984).
Data Collection
For the student sample (survey 2), 300 responses were obtained during October 2002 from written surveys administered by 10 undergraduate marketing students enrolled in a marketing research course at a
large university located in the northeastern U.S. Using a judgmental nonprobability sampling approach, self-administered questionnaires were distributed with a cover letter and collected. In administering the survey, established social networks were utilized, which aided in the data gathering
process. As a measure of quality control, one of the authors also worked
directly with the students administering the surveys and oversaw a cross-section of the data collection.
For the nonstudent sample (survey 3), 40 responses from a mail survey
were obtained during November 2002. A random list of 500 households
in the Northeast U.S. was generated using the commercially available
database, SelectPhone. A pre-notification letter on university letterhead
was sent out approximately 10 days prior to the survey mailing. As part of
the survey mailing, we sent a survey booklet with a cover letter on university letterhead, information about a random lottery drawing for two cash
prizes of $50 each, and a stamped return envelope. This procedure roughly
follows guidelines suggested by Dillman (2000). After a 6-week collection period, we received 40 usable surveys and 98 surveys the post office
was unable to deliver. This resulted in approximately a 10% response rate
(40/402).
TABLE 1
Respondent Characteristics

                                              Harris Online   Student      Nonstudent
                                              Panel           Sample       sample ᵃ
                                              (survey 1)      (survey 2)   (survey 3)
N                                             1581            289          26
Bought from Web in the last 90 days           64%             67%          62%
Provided e-mail to Web site in last 90 days   88%             72%          69%
Registered on Web site in last 90 days        77%             61%          46%
Gender (male)                                 53%             44%          46%
Have credit card                              100%            81%          100%
Hours spent on the Web per week               16
Age (mean)                                    49              22           48
Years of schooling (mean)                     14.7
Household income (mean)                       61K

ᵃ Sample restricted to respondents who access the Internet and/or use e-mail either at work or at home.
The characteristics of the three samples used in our analysis are shown
in Table 1. The data reported is based on respondents who answered all
questions used in the study. Besides differences in mean age between the
students (22 years) and the nonstudents (48 years) and online panel (49
years), and the fact that 20% of the students did not have a credit card, the
background differences are not that pronounced. There was, however, a
consistent trend for the online panel (survey 1) to exchange more information online than the other populations (survey 2 and 3).
RESULTS
Our first analysis investigates whether respondents to surveys 2 and 3
practiced the 10 online protection behaviors and 13 offline protection behaviors. The responses to these online protection behaviors are summarized in Table 2, where the behaviors are sorted in descending order of survey 3. For survey 3, 90% report making sure online forms are secure before
filling out information while only 4% report using anonymizers while
browsing. For both the student (survey 2) and nonstudent (survey 3) respondents, each of the items was correlated with a composite score of social desirability. If an item was significantly correlated with social desirability at the p < .05 level, this is denoted by an asterisk.
TABLE 2
Online Identity Theft Protection Behavior

                                                                Student      Nonstudent
Online Protection Behavior                                      (survey 2)   (survey 3)
I make sure that online forms are secure before filling
out information                                                 56%          90%
When given the chance, I opt-out of third party information
sharing                                                         55%          70%
I talk to my children about getting my permission before
giving out information online                                                69%
In addition to my work e-mail, I have a separate e-mail
account for my personal e-mail                                  61%          55%
I set up my browser to reject unnecessary cookies               34%          46%
I always look for and read privacy policies on the Web          22%          43%
I clear my computer’s memory after browsing                     31%          28%
I encrypt my e-mail                                             20%          11%
I use anonymous re-mailers                                      19%*         4%
I use anonymizers while browsing                                18%          4%

Correlation of Online Protection Behaviors with Offline
Protection Behaviors ¹                                          .032         .431

*Correlation with Social Desirability scale statistically significant at the p < .05 level.
¹ Based on samples’ responses to 13 protection behaviors suggested by Federal Trade Commission and reported in Milne (2003).

The results in Table 2 suggest that nonstudents (survey 3) are more
likely to protect themselves than students (survey 2). For both groups, over
50% of the respondents were likely to make sure online forms were secure
before filling out (s3 = 90%, s2 = 56%), opt-out of third party information sharing (s3 = 70%, s2 = 55%), and have a separate account for their
personal e-mail account (s3 = 55%, s2 = 61%). Sixty-nine percent of
the nonstudents talked to their children about giving out personal information. Interestingly, only 46% of nonstudents and 34% of the student group
configured their browsers to reject unnecessary cookies, suggesting that
people are either not aware of how to do so or are not interested in protecting themselves, or feel the benefit of Web site personalization is worth
the risk of privacy invasion.
Consistent with other surveys (Culnan and Milne 2001; Privacy Leadership Initiative 2001) less than a majority of the respondents looked at and
read privacy notices (s3 = 46%, s2 = 22%). Not surprisingly, the student
population reported being more technically savvy than the mail survey
population. Students were more likely than the mail survey group to encrypt e-mail (s2 = 20%, s3 = 11%), use anonymous re-mailers (s2 =
19%, s3 = 4%), and use anonymizers while browsing (s2 = 18%, s3 =
4%). In interpreting these results, one should note that students’ use of re-mailers
was positively correlated with social desirability at the p = .05
level. This suggests students might have overstated their technical abilities
on this dimension.

TABLE 3
Behaviors to Protect Online Privacy and Identity

                                          Dec. 2000    April 2001   Nov. 2001    Oct. 2002    Nov. 2002
                                          Privacy      Privacy      Harris       Student      Nonstudent
                                          Leadership   Leadership   Online       Survey 2     Survey 3
                                                                    Survey 1
Refused to give information to a
Web site because you felt it was
too personal or unnecessary               83%          75% ᵃ        85%          81%          97%
Asked a Web site to remove your
name and address from any lists
used for marketing purposes               70%          66% ᵃ        83%          65%          77%
Asked a Web site not to share your
name or other personal information
with other companies                      69%          66% ᵃ        79%          67%          80%
Decided not to use a Web site or
purchase something from a Web site
because you were not sure how your
personal information would be used        63%          61% ᵃ        64%          66%          77%
Set your computer or browser to
reject cookies
Supplied false or fictitious information
to a Web site when asked to register
[Values for the last two rows, in the order they appear: 24%, 32%, 41%, 50%, 48%, 69%, 30%; their column positions are not recoverable.]

There is a mixed relationship between protecting one’s information
offline and online. The correlations of online and offline prevention summated scales showed a statistically significant positive relationship for
nonstudents (r = .431, p < .05) but not for students (r = .032, p > .05).
For students, their behavior in the real and cyber-world does not appear to
be consistent.
Our second analysis investigates attitudinal and behavior antecedents
that predict the tendency to protect one’s privacy and identity online. In
particular, we investigated factors that contribute to the practice of six behaviors that have been used in previous online privacy surveys (Privacy
Leadership Initiative 2001; Culnan and Milne 2001). The percentage of respondents who engage in the six behaviors is shown in Table 3 for two
years (2000 and 2001) of the Privacy Leadership Initiative surveys and the
three surveys analyzed in this paper. A majority of online consumers are
shown to control their information (i.e., refuse to give information). However, as shown in Table 2, less than a majority use technology (e.g., set
their computer to reject cookies) in an effort to protect their information.
A summated scale of online protection behavior was formed from the
items in Table 3. A regression model for each survey was formed to explain protection behavior in terms of attitudes, behaviors, and demographics. The attitude, privacy concern, was investigated as an antecedent for the
online, mail, and student samples. A 5-item measure adapted from Smith,
Milberg, and Burke’s (1996) “Information Privacy Scale” was used to
measure privacy concern (alpha = .81 for the online sample). To measure
online behavior, we used three questions (reported in Table 1) that measured whether in the last 90 days the respondent had bought something online, provided an e-mail address to a Web site, or registered for a Web site.
In addition, for survey 1, we included a 4-item active resistance scale
adapted from Moorman’s (1990) preventative orientation scale (alpha =
.77 for the online sample). Demographic variables included gender,
whether the respondent had a credit card, hours spent on the Web, age,
years of schooling, and household income. An OLS regression model was
run for each sample. The models and results are reported in Table 4.
The regressions for the online panel (survey 1) and students (survey 2)
were statistically significant, while the regression for the nonstudents (survey 3) with the sample restricted to online users was not. The adjusted R²
for the three models ranged from 8.5% to 18.6%. The privacy concern construct explained the most variation in all three models.
For survey 1, general attitudes and behaviors toward privacy were
strong predictors of online privacy protection behavior. A positive significant relationship was found for privacy concern (b = .297, p < .01) and
active resistance (b = .133, p < .01). In addition, online exposure also
contributed to protection behavior. Having bought online (b = .063;
p < .01), provided e-mail (b = .049; p < .05), and registered for a Web
site (b = .068; p < .01) all led to higher rates of protection, as did number
of hours on the Web (b = .065; p < .01). Interestingly, males were more
likely to protect their information online than females (b = .146; p < .01).
Consistent with previous knowledge, protection behavior increased with
years of schooling (b = .111; p < .01). However, for this population, age
was inversely related to protection behavior (b = −.113; p < .01), suggesting that younger online adults were more vigilant than older adults.
For survey 2, privacy concern was statistically significant (b = .285;
p < .01). However, no significant statistical relationships were found for
the behavior and demographic variables.
TABLE 4
Regression Models Explaining Behaviors that Protect Online Privacy and Identity ¹

Variables (table rows): Privacy concern; Active resistance; Bought from Web in the past 90 days; Provided e-mail address to Web site in past 90 days; Registered with a Web site in past 90 days; Gender (male); Have credit card; Hours spent on the Web; Age; Years of schooling; Household income; N; F; Adjusted R²

Survey 1, Online Panel: coefficients .297***, .133***, .063***, .049**, .068***, .146***, .065***, −.113***, .111***, .040; N = 1299; F = 35.81***; Adjusted R² = .186
Survey 2, Students: coefficients .285***, −.015, .020, .108, −.013, .015; N = 288; F = 4.390***; Adjusted R² = .085
Survey 3, Nonstudents: coefficients .261, .222, ᵃ, .223, .308, ᵇ, .026; N = 25 ᶜ; F = 1.625; Adjusted R² = .111
[Coefficients are listed per survey in the order they appear; the alignment of individual coefficients to table rows is not recoverable.]

*Significant at p < .10; **significant at p < .05; ***significant at p < .01
¹ Standardized beta weights reported in the table.
ᵃ Variable not included due to high correlation (.610) with “registered with a Web site.”
ᵇ Variable not included since 100% of eligible sample had a credit card.
ᶜ Sample restricted to respondents who access the Internet and/or use e-mail either at work or at home.

The survey 3 sample did not yield statistically significant results, in part
due to its low sample size.
LIMITATIONS
Prior to drawing implications from these studies it is important to put
the empirical results in context and recognize the limitations of viewing
the individual studies singly and together. First, the three studies were conducted in different time frames. Second, the studies represented different
sampling pools. Survey 1 was a national sample drawn from an online user
panel, survey 2 was a sample of undergraduates, and survey 3 a sample of
online users contacted via the mail. Third, the sample sizes of the three
studies are very different.
Despite the differences and limitations of the three surveys, the overall
pattern shows that consumers are not protecting themselves adequately.
This especially rings true for more technically sophisticated behaviors
such as setting computers to reject cookies and using e-mail encryption
and anonymizers for browsing. The data also show that the level of privacy
concern is a key antecedent predictor of online protection behavior across
samples. Based on these results, it is clear that consumers have much more
work to do to protect themselves. They are either not well enough informed
or do not have the tools or knowledge to protect themselves. Further, as we
discuss in the following section, the lack of protection that consumers are
using online points to the need for a stronger role by the government and
business community to combat identity theft.
IMPLICATIONS FOR MANAGERS, POLICY MAKERS,
AND CONSUMERS
Growing public concern about online privacy abuses and identity theft
has stimulated action on the part of several types of organizations with
vested interests in responding to this trend in Internet fraud. Given the
growth in online fraud, personal privacy invasion, and identity theft, several prevention efforts need to be considered by the business community,
legislators and policy makers, and consumers themselves. For instance,
online retailers such as Microsoft, Amazon, and eBay have recently
formed a group called the Coalition on Online Identity Theft, whose purpose is to fight online identity theft and fraud (Tedeschi 2003). The concept behind the coalition is that the member companies will work with
such government agencies as the FTC and Department of Justice to share
information on cybercrimes.
For the business community, the implications of the findings reported
here are that companies such as online content providers, retailers, and
credit card firms must take responsibility (such as what is being proposed
with the Coalition on Online Identity Theft) for the security of sensitive
customer information in the offline as well as online context. Related to online data protection and self-regulation, Hemphill (2001) notes that in
fighting online fraud, technological solutions including digital certificates
and signatures, biometrics, and other authentication approaches need to
be adopted by businesses. The challenge facing these businesses is that
customer databases may be at greater risk for security breaches resulting
from increased use of open architectures, more widespread use of encryption, and the use of standard firewalls. Moreover, some suggest that self-regulatory
efforts to protect personal information have been disappointing
(e.g., Katyal 2001). A recent Business Week study found that two-thirds of
the financial services firms included in the study collected sensitive personal
information on their Web sites, yet did not employ security features
to safeguard that information (Black 2003a).
At the same time, businesses must also work with the public sector to
expand educational programs geared towards consumers. These programs
could be used to encourage consumers to be more cognizant of the risks of
online identity theft as well as to take more aggressive actions to defend
themselves. The threat of online identity theft and other forms of Internet
fraud may result in a reluctance for consumers to do business with companies who are not perceived to take necessary actions to safeguard their
customers.
For public policy makers, the online world is fast changing and consumers are going to become more vulnerable as they hook into the Web,
particularly as wireless applications become more widespread. Because
of the externalities involved, new laws will need to be enacted to more
effectively monitor business practices. Recently, the Fair and Accurate
Credit Transactions Act of 2003 (FACTA) was passed, which requires uniform credit reporting nationwide. In addition, the state of California recently passed a database-protection law, which requires businesses to publicly disclose security breaches of sensitive customer information (Black
2003a). These are examples of newly stringent anti–identity theft legislation that will be needed to combat the growing threat of offline as well as
online identity theft (USA Today 2003; Black 2003b). However, Katyal
(2001) recommends that legislation be proposed to levy even heavier punishment on certain criminal activity in cyberspace. Companies with significant stakes in online marketing must recognize the need to coordinate
and share information with the public sector related to cases of identity
theft and potential fraudulent actions. Aggregating and coordinating information such as between commercial and government entities may help
prevent future criminal actions and behaviors.
These findings also suggest that consumers need to do more to protect
themselves. While consumers are becoming more cognizant of the dangers
in providing information to online marketers without sufficient assurance,
they still put themselves at risk by not taking technical precautions or fully
understanding how a Web site might collect information. Increased chat
room activity among individuals might also make people more vulnerable
to privacy invasion and identity theft. There are a variety of technologies
and software programs that provide privacy and security. However, the results from this study indicate that less than half of the online users set up
their browsers to reject unnecessary cookies, read privacy policies on the
Web, clear their computer memories after browsing, encrypt their e-mail,
use anonymous re-mailers, and use anonymizers while browsing. As suggested in Figure 1, online data protection practices might also include opting out of third-party information sharing, checking for unfavorable or
fraudulent Web site practices, and installing firewalls and virus protection
software.
Perhaps even more troubling, a recent U.S. study revealed that over 90%
of broadband users sampled had computers infected with spyware (Baig
2004). The use of spyware, software that appears on your computer to
track your online behavior, is also proliferating. Some spyware programs
are able to track keystrokes and take periodic snapshots of your computer
screen, resulting in even more ways that online thieves can steal your credit
card number and identity.
Clearly, there is room for greater consumer education along these lines.
Online consumers who are concerned also tend to have more online experience and are more likely to take precautions. In many respects, the
pattern that emerges from these data fits within a motivations, ability, and
opportunity framework. Education will be instrumental in furthering consumers’ motivations and abilities to protect themselves from identity theft,
and training them how to use technical tools to protect themselves. The opportunity to protect themselves can be fostered by educating consumers as
to where they can get the software tools to protect themselves. Technological challenges will continue to emerge, requiring consumers to continue
to improve their protection efforts. Besides the technical issues investigated in this study, other new dangers are emerging daily. Viruses are now
being used to compromise servers, putting individuals and databases at
risk of data theft. Consumers need to constantly update their virus protection and upgrade their security systems.
In light of the findings from this research, much work in educating and
motivating consumers to follow recommended protective measures needs
to be done. This may require a concurrent effort combining government,
business, individuals, and consumer groups. In the absence of combined efforts
among businesses, policy makers and legislators, and individuals, however, consumer efforts to protect the privacy of their personal information
and identities may be ineffective. Such efforts are presently U.S.-focused,
yet these organizations must recognize that online identity theft is a global
rather than domestic problem (for a survey of international laws and developments, see http://www.privacyinternational.org/survey/phr2003).
The ease with which electronic data flows across borders makes consumers vulnerable to privacy invasions and identity theft, especially when
the data is transferred to countries that don’t have appropriate legislation
to safeguard consumers against online privacy invasions and thefts.
In conclusion, the Internet remains an integral mechanism for marketing exchange, and businesses’ and consumers’ reliance on technology will
grow in the future. At the same time, with expanding technological capabilities and an expanding volume of data stored and transmitted on the Internet, the risks to consumers will increase. Because of this, consumer protection of online data will be an ongoing concern and will require strong
preventative actions by businesses, policy makers, and consumers to curb
the abuses of online identity theft.
REFERENCES
Baig, Edward C. 2004. Keep Spies From Skulking Into Your PC. USA Today Online. January 22.
http://www.usatoday.com/money/industries/technology/2004-01-22-spy_x.htm.
Black, Jane. 2003a. “Basic Hygiene” for Sensitive Data. Business Week Online. November 14.
http://www.businessweek.com/technology/content/nov2003.
———. 2003b. Your New Weapon vs. ID Theft. Business Week Online. December 11.
http://www.businessweek.com/technology/content/dec2003.
Center for Democracy and Technology. 2003. Top Ten Ways to Protect Online Privacy.
http://www.cdt.org/privacy/guide/basic/topten.html.
Cohen, Adam. 2001. Internet Insecurity. Time, July 2.
Culnan, Mary J. 2000. Protecting Privacy Online: Is Self-Regulation Working? Journal of Public Policy and Marketing, 19 (1): 20–26.
Culnan, Mary J. and George R. Milne. 2001. The Culnan-Milne Survey on Consumers and Online
Privacy Notices, November. http://intra.som.umass.edu/georgemilne/pdffiles/culnan-milne.pdf.
Dillman, Don. 2000. Mail and Internet Surveys: The Tailored Design Method. 2nd edition. New York:
Wiley.
Federal Trade Commission (FTC). 2001. ID Theft: When Bad Things Happen to Your Good Name.
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf.
———. 2003. Identity Theft Survey Report. Prepared by Synovate (Aegis Group plc).
Hemphill, Thomas A. 2001. Identity Theft: A Cost of Business? Business and Society Review, 106 (1):
51–63.
Hoofnagle, Chris. 2001. Public Comment on Privacy and Public Access to Electronic Case Files.
http://www.courtaccess.org/federal/documents/ecfcomments.pdf.
Hoy, Mariea Grubbs and Joseph Phelps. 2003. Consumer Privacy and Security Protection on Church
Websites: Reasons for Concern. Journal of Public Policy and Marketing, 22 (1): 58–70.
Katyal, Neal Kumar. 2001. Criminal Law in Cyberspace. University of Pennsylvania Law Review,
149 (4): 1003–1115.
Milne, George R. 2003. How Well Do Consumers Protect Themselves From Identity Theft? Journal
of Consumer Affairs, 37 (2): 388–402.
Milne, George R. and Mary J. Culnan. 2002. Using the Content of Online Privacy Notices to Inform
Public Policy: A Longitudinal Analysis of the 1998–2001 U.S. Web Surveys. The Information Society, 18 (5): 345–360.
Milne, George R. and Andrew J. Rohm. 2000. Consumer Privacy and Name Removal Across Direct
Marketing Channels: Exploring Opt-In and Opt-Out Alternatives. Journal of Public Policy and
Marketing, 19 (2): 238–249.
Miyazaki, Anthony D. and Ana Fernandez. 2001. Consumer Perceptions of Privacy and Security Risks
for Online Shopping. Journal of Consumer Affairs, 35 (1): 27–44.
Moorman, Christine. 1990. The Effects of Stimulus and Consumer Characteristics on the Utilization
of Nutrition Information. Journal of Consumer Research, 17 (3): 362–374.
New York Times. 2003. Technology Briefing/Internet: F.T.C. Settles Suit Against Youth in Net Fraud.
July 22.
Paulhus, D.L. 1984. Two-Component Models of Socially Desirable Responding. Journal of Personality and Social Psychology, 46: 598–609.
Privacy and Human Rights. 2003. Available at http://www.privacyinternational.org/survey/phr2003.
Privacy Leadership Initiative. 2001. Privacy Notices Research Final Results. Available at:
http://www.understandingprivacy.org/content/library/datasum.pdf.
Salkever, A. 2002. Toward a More Secure 2003. Business Week Online. December 31.
http://www.businessweek.com/technology/content/oct2002/tc20021010_3368.htm.
Sheehan, Kim Bartel and Mariea Grubbs Hoy. 2000. Dimensions of Privacy Concern Among Online
Consumers. Journal of Public Policy and Marketing, 19 (1): 62–73.
Shenon, Philip. 2003. JetBlue Chief Was Not Told of Decision on Passenger Data. New York Times.
September 25.
Smith, H. Jeff, Sandra J. Milberg, and Sandra J. Burke. 1996. Information Privacy: Measuring Individual’s Concerns About Organizational Practices. MIS Quarterly, 20 (2): 167–196.
Tedeschi, Bob. 2003. Growing Concern About Fraud Is Pushing the Online World Into Action. New
York Times, September 8.
USA Today. 2003. House Passes Anti–Identity Theft, National Credit Reporting Legislation, September 11.