The Social Media Privacy Model: Privacy and Communication in the Light of Social Media Affordances

130

Social media and its boundary conditions for privacy

Privacy is a concept that has been considered and defined in very different disciplines, from descriptive, empirical, and normative perspectives (Sevignani, 2016; Trepte & Reinecke, 2011). In earlier days, privacy was considered a human right and identified as the “right to be let alone” (Warren & Brandeis, 1890, p. 75). Later and more
specifically, privacy was defined as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin, 1967, p. 7) or “the selective control of access to the self” (Altman, 1975, p. 24). Informational control has only seldom been defined, but the most common definitions touch either a static or behavioral aspect of control: Informational control foremost means that owners of a certain piece of information have a choice over whether, when, and to what extent they will disclose or withhold personal information (Crowley, 2017; Tavani, 2007). Here control is static, a question of more or less, yes or no.

It can be understood as an option or an available mechanism. Then, control can be exerted actively (e.g., restricting access to information, audience segregation, self-censorship, encryption), ambiguously (e.g., softening the truth, obfuscating information, or engaging in other forms of partial disclosure), or passively (e.g., unintentionally omitting information) (Crowley, 2017; Ochs & Büttner, 2018). In this rather behavioral understanding, informational control is executed and experienced by the individual person. In both perspectives, control is centered around the individual and individual decision-making.The majority of privacy theories are devoted to two—somewhat contradictory— paradigms: I will call the first paradigm “privacy as control,” because here, privacy and control are strongly connected, and, the second paradigm “privacy and control,” because here, privacy and control are treated as separate constructs with conditional relationships. I will then suggest a third perspective that redefines the meaning and impact of control and the conditions among which control becomes relevant. This
perspective will be summarized in the social media privacy model.

In the seminal work by Altman (1975) and the privacy regulation model of selfdisclosure (Derlega, Metts, Petronio, & Margulis, 1993), control was set forth as the crucial mechanism of privacy. More recent conceptualizations have also referred to control as a precondition of privacy (Petronio, 2002). Even in their very first conceptualizations of privacy, Warren and Brandeis (1890) referred to privacy as the right to control what others publish about oneself. In an overview of privacy theories, Smith, Dinev, and Xu (2011) investigated 448 publications on privacy. They found that—besides an understanding of privacy as a value—the cognate-based understanding of privacy as control has dominated the social sciences. The vast majority of privacy scholars have referred to control as a dynamic behavior in the process of privacy regulation to grant access or to deny access. Altman (1975) suggested a process model with three steps: First, an individual assesses the desired level of privacy; then the individual eventually regulates privacy by controlling interpersonal boundaries; and then, the individual again assesses the achieved level of privacy. In his flow-model the crucial role that was assigned to control becomes apparent. On the basis of this notion, Petronio (2002) articulated how  control is the engine of privacy management.

In her understanding, an individual jointly manages and coordinates rules with others while interacting with them. Here again, control is not only the behavior through which privacy can be gained, but control is also the means by which to measure the status quo of privacy, and in turn, it will foster the extent to which privacy regulation is further engaged in through an exertion of control. Privacy scholars have also referred to the question of what is being controlled. Here, in particular, the control of access to boundaries and the control of the flow of an interaction were addressed as the topics or processes that needed to be controlled (Johnson, 1974; Wolfe & Laufer, 1974). Further, control over stimuli that impinge upon a person were articulated as things that need to be controlled (Wolfe & Laufer, 1974). Margulis (1977) explained that control refers to all matters being exchanged between individuals: “Privacy, as a whole or in part, represents the control of transactions between person(s) and other(s). In some theories, control has been used almost interchangeably with privacy. For example, Derlega et al. (1993) stated that “(…) privacy represents control over the amount and kind of information exchange that persons have with one another”

The relationship of privacy and control

Then, Burgoon (1982) differentiated between four dimensions of privacy, all of which refer to how much control an individual has: Possessing physical privacy refers to whether and how much control an individual perceives to have over physical boundaries. Social privacy refers to how much control an individual perceives to have over the access of others to the person’s environments. Psychological privacy refers to how much control an individual perceives to have over emotional and cognitive input and output. Finally, informational privacy refers to how much control an individual perceives to have over the use of personal data. In this conceptualization, the ability to exert control is the key to an individual’s privacy perception and, in turn, regulation.

Many empirical studies have addressed the relationship between control and privacy, but only a minority of studies have supported the notion that privacy behavior is related to informational control (Brandimarte, Acquisti, & Loewenstein, 2013). In sum, studies that have been based on this first paradigm have underscored the idea that individuals exert control to achieve privacy. In turn, privacy should be achieved if a certain level of control is successfully executed and maintained as the status quo. However, these conceptualizations of privacy suggest a linear relationship between privacy and control. They assume that “. the more one has control over this information exchange, the greater the amount of privacy one has in a social relationship” (Derlega et al., 1993, p. 67). However, previous empirical research did \not find a linear relationship between privacy and control. Hence, there is a mismatch between the theoretical assumption that privacy and control are closely related on the one hand and the rare empirical data supporting this notion on the other.

Access/Limited Control (RALC) theory of privacy, these authors defined privacy in terms of the individual’s protection from intrusion and information gathering by third parties. They argued that control in the information age is impossible and further that “We can have control but no privacy, and privacy but no control” (Tavani
& Moor, 2001, p. 6). They suggested that privacy and control should be separated such that privacy is a concept and a value that is defined by being protected from information access by others, whereas control is one mechanism that can be used to manage and justify privacy. Control may be exerted through choice, consent, or
correction.In the flow of the exchange of digital information, people choose situations according to their communication goals, level of access, and emerging privacy needs (Trepte & Masur, 2017); then, privacy is maintained through the processes of consent, and finally, corrections allow people to restore their privacy when it gets lost or threatened.

The interplay of affordances, control, and privacy

For the upcoming social media privacy model, I will refer to this notion that control is one mechanism among others, and I will explain that for all processes (i.e., choice, consent, correction), individuals have to get in touch with others and communicate their motives and aims. With the theory of contextual integrity, Nissenbaum (2010) also addressed the contextual requirements as boundary conditions, regardless of whether control is a functional mechanism or not. She suggested that the two sets of theories be married: those referring to privacy as a constraint on access and those referring to privacy as a form of control. In the theory of contextual integrity, Nissenbaum (2010) described control as one “transmission principle” (p. 145) that defines how information is exchanged. Other transmission principles are reciprocity and confidentiality. Control as a transmission principle is appropriate only if it fits into the particular context, the subject that uThe interplay of affordances, control, and privacyThe interplay of affordances, control, and privacysers are talking about, the type of information that is to be exchanged, and the actors they communicate with. From this point of view, there can be privacy without control in situations in which control is inappropriate or not available (Laufer & Wolfe, 1977). Current privacy theories pushed the idea of control as a dynamic attribute of the situation one crucial step further.

According to Dienlin’s (2014) privacy process model, individuals assess the controllability of the context and behavior. Masur (2019) adds an analysis of what is being controlled by entangling interpersonal (e.g., the relationship between interaction partners) and external factors (e.g., the architecture of a room) in his theory of situational privacy and self-disclosure. Depending on the situation, these interpersonal and external factors can be controlled to different degrees, and in turn, they can elicit differential levels of self-disclosure. Self-disclosure
will be understood as “the intentional communication of information about the self to another person or group of people” (Masur 2019, p. 70) in the remainder of this article. The notion that privacy and control are not necessarily connected has been supported by previous research (Saeri, Ogilvie, La Macchia, Smith, & Louis, 2014).
For example, Zlatolas, Welzer, Hericko, and Hölbl (2015) ˇ demonstrated that privacy norms, policies, and awareness but not privacy control were related to the self

disclosures of N = 673 Slovenian Facebook users. In a U.S. sample of N = 249 Facebook users, Taneja, Vitrano, and Gengo (2014) found that perceived behavioral control and the intention to engage in privacy-related behavior were unrelated. Eastin et al. (2016) investigated how different variables predicted mobile commerce activity and found that control was the one that explained the smallest amount of variance. In particular, trust and attitude toward mobile commerce were more important predictors than control.

Author: Sabine Trepte