Unpacking the intention-behavior gap in privacy decision making for the internet of things (IoT) using aspect listing

Previous studies have observed an intention-behavior gap that has been labeled the “privacy paradox”: people disclose personal information (behavior) despite expressing negative sharing intentions (in surveys). However, this phenomenon has not been studied in the Internet of Things (IoT) in which users’ personal information sharing is crucial for the functionality of the technology. We explore this phenomenon by comparing participants’ intentions (via a survey) with their actual behavior (via a privacy-setting interface) and controlling the data sharing device and storage. Furthermore, we explore the decision processes underlying these privacy decisions by measuring and manipulating these processes using an aspect listing task. We find a reversed intention-behavior gap in IoT: participants disclosed less (rather than more) information in the behavior condition than in the intention condition, an effect that was associated with fewer benefits than risk aspects listed in the behavior condition. The number and type of aspects listed fully mediated the effect of decision type (intention versus behavior) on the decision, which suggests that a risk-benefit calculation guided the privacy decision-making. Moreover, this reversed intention-behavior gap vanishes if we specifically ask participants to think about positive and negative aspects of the decision, as this allows them to consider both risks and benefits, irrespective of decision type.