The psychology of privacy in the digital age

Privacy is a psychological topic suffering from historical neglect — a neglect that is increasingly consequential in an era of social media connectedness, mass surveillance, and the permanence of our electronic footprint. Despite fundamental changes in the privacy landscape, social and personality psychology journals remain largely unre-presented in debates on the future of privacy. By contrast, in disciplines like computer science and media and communication studies, engaging directly with sociotechnical developments, interest in privacy has grown considerably. In our review of this interdisciplinary literature, we suggest four domains of interest to psychologists. These are as follows: sensitivity to individual differences in privacy disposition, a claim that privacy is fundamentally based in social interactions, a claim that privacy is inherently contextual, and a suggestion that privacy is as much about psychological groups as it is about individuals. Moreover, we propose a framework to enable progression to more integrative models of the psychology of privacy in the digital age and in particular suggest that a group and social relations – based approach to privacy is needed.

fundamental changes in the privacy landscape, social and personality psychology journals remain largely unrepresented in debates on the future of privacy. By contrast, in disciplines like computer science and media and communication studies, engaging directly with sociotechnical developments, interest in privacy has grown considerably.
In our review of this interdisciplinary literature, we suggest four domains of interest to psychologists. These are as follows: sensitivity to individual differences in privacy disposition, a claim that privacy is fundamentally based in social interactions, a claim that privacy is inherently contextual, and a suggestion that privacy is as much about psychological groups as it is about individuals. Moreover, we propose a framework to enable progression to more integrative models of the psychology of privacy in the digital age and in particular suggest that a group and social relations-based approach to privacy is needed.

| DEFINING PRIVACY
Privacy is recognised by the United Nations as a universal human right, yet it has been described as an elastic (Allen, 1988;Margulis, 2003b) and evasive (Solove, 2002) concept. Traditional definitions of privacy (e.g., Warren & Brandeis, 1890) assume an individualistic "right to be let alone". However, for a psychological and interactional process-based approach to privacy, a useful definition can be found in Margulis (1977), where privacy is described as "selective control over transactions between self (or one's group) and others, the ultimate aim of which is to enhance autonomy and/or to minimise vulnerability" (p. 10). People need control over their transactions with others (to varying degrees) to experience the well-being that is associated with intimacy and emotional release (Westin, 1967). Moreover, privacy is needed for the protection of freedom of speech, freedom of association (Bloustein, 1976), and freedom from inequality and domination (Anthony, Campos-Castillo, & Horne, 2017;Hoye & Monaghan, 2018). Others have argued that privacy is not based on control, but more specifically that privacy is only achieved when one has limited access to themselves (Dienlin, 2019).
Several ways of classifying the dimensions of privacy exist in the literature. The most heavily researched is personal information privacy (Burgoon et al., 1989;DeCew, 1997). Other domains include interactional privacy , regarding quantity and quality of interactions with others (Burgoon et al., 1989;Laufer & Wolfe, 1977); territorial or physical privacy, regarding space, crowding, and being touched by others (Goffman, 1972;Klopfer & Rubenstein, 1977;Pastalan, 1970); psychological privacy, regarding our thoughts and feelings and the revelation of them (Burgoon et al., 1989); and expressive privacy, concerning expression of self or identity (DeCew, 1997; see similar ideas in Laufer & Wolfe, 1977). The degree to which these overlap has been discussed elsewhere (e.g. . The framework outlined in this paper is intended to be adaptable for all dimensions of privacy, but most of the literature to date relates to information privacy. Self-disclosure is a closely related topic and unlike privacy has a longer tradition of being studied in psychology, particularly in clinical research. Disclosure research typically studies what people reveal about themselves, in what contexts, or how disclosure is done (see Berg & Derluga, 1987;Cozby, 1973;Dindia, Fitzpatrick, & Kenny, 1997;Omarzu, 2000;Won-Doornink, 1985). For various reasons, including psychologists' lack of familiarity with privacy concepts (see Masur, 2018, for an extended discussion of this issue), self-disclosure research has been divorced from the study of privacy despite their obvious interrelatedness and situatedness in interactions and self-presentations (Antaki, Barnes, & Leudar, 2005;Goffman, 1959;Masur, 2018).
The separation of topics speaks to the broader problem of narrow or insufficient privacy theory (Dienlin & Trepte, 2015;Margulis, 1977;Preibusch, 2013;. A key example is the so called "privacy paradox" whereby people ostensibly claim to care about their privacy but openly share information about themselves (Norberg & Horne, 2007;Spiekermann, Grossklags, & Berendt, 2001). However, the privacy paradox can be resolved in some contexts-for example, when distinguishing between different dimensions of privacy and incorporating the psychological theory of planned behaviour (Ajzen, 1991;Dienlin & Trepte, 2015) or when linking privacy to identity consequences rather than the mere presence of surveillance (Stuart & Levine, 2017).

| THE HISTORICAL STUDY OF PRIVACY IN PSYCHOLOGY
In a pair of papers decades apart, Margulis (1977Margulis ( , 2003b writes plaintively about the lack of interest in privacy in psychology (as did Westin, 1967). In the first review, Margulis (1977) points out that despite some early works, privacy research never developed out of its infancy. He describes the research in these early years as privacy orientations rather than theories. More than 20 years later, he writes in a disappointed tone that "there continues to be relative indifference to privacy, as a theoretical or research interest, among psychologists in general" (Margulis, 2003b, p. 243; see also review by Newell, 1995). There are current psychologists who study privacy (e.g., Buchanan, Paine, Joinson, & Reips, 2007;Livingstone, 2006;Marder, Joinson, & Shankar, 2012); however, they tend to publish outside of social and personality psychology, such as in information science and human-computer interaction journals. Although their work has made significant impact in applying psychology to other disciplines, it has had less of an impact on the social/personality psychology mainstream. Conversely, an interest in privacy has burgeoned in a range of computer and social science disciplines-it is to these we now turn.

| COMPUTER, MEDIA, AND COMMUNICATION SCIENCES ON PRIVACY
We aim to review the literature on privacy in computer, media, communication, and other social science disciplines in a way that will be relevant to psychologists, arguing that the interdisciplinary research on privacy can be read through four main psychological lenses: individual personality differences in privacy orientation, privacy as dialectical and interactional, privacy as context-dependent, and privacy as a group-based phenomenon. In conducting this review, our aim is not to provide an exhaustive review of the entire literature, but rather to illustrate how privacy is relevant to theorising these core domains of social and personality psychology (for more on applications or measurement of privacy see reviews such as Acquisti, Brandimarte, & Loewenstein, 2015;Masur, 2018;Preibusch, 2013;Smith et al., 2011).

| Individual differences in privacy dispositions.
The first claim is that there may be individual differences in privacy disposition or concern for privacy (CFP), which acts as a generalised predictor of privacy behaviour across domains and technologies (Smith, Milberg, & Burke, 1996). The CFP perspective traditionally centres on concern about how information is collected, improper access, and concerns about disparate data being combined . Another commonly used measure builds on Westin (1967)'s privacy concepts and is used to classify people into "privacy fundamentalists", "privacy pragmatists", and the "privacy unconcerned", by asking people about their views on their generalised ability to obtain privacy (e.g., do they feel that consumers have lost all control over their personal information; see review by Kumaraguru & Cranor, 2005). The majority of people are found to be pragmatists who adapt their behaviour when they see fit, with approximately a third of the general population in the fundamentalist and 10% in the unconcerned categories (see Joinson, Paine, Buchanan, & Reips, 2006;Kumaraguru & Cranor, 2005;Sheehan, 2002, but for a critique see Jensen, Potts & Jensen, 2005).
The privacy calculus approach uses these attitudinal measures, and people's evaluations of the costs and benefits of sharing or withholding, to study privacy behaviour (Dinev & Hart, 2006;Smith et al., 2011).

| Privacy is dialectical and interactional.
A second claim in the privacy literature is that privacy is dialectical-involving a shifting boundary regulation process of opening and closing at the same time, in which a person can have too much or not enough privacy (Altman et al., 1981). Inherent in this, and similar approaches, is the study of privacy and self-disclosure (e.g., partial disclosure behaviour) in social interactions, between individuals and small groups (Altman, 1974;Altman et al., 1981;Antaki et al., 2005;Palen & Dourish, 2003;Petronio, 2002;B. Schwartz, 1968). Interactional privacy can also refer to the regulation and separation of gatherings of people in spaces, including physical or digital interactions (Goffman, 1963;Joinson, Houghton, Vasalou, & Marder, 2011;Schwartz & Halegoua, 2015).
Communication privacy management (CPM) theory was developed by communications scholars (Petronio, 2002, building on Altman et al., 1981Altman, 1974) and epitomises the interactional and dialectical view of privacy by focussing on how people collectively manage private objects (information)-such as managing how far the boundary spreads (i.e., who co-owns the private object), how permeable the boundary is (how confidential), what linkages exist between private objects, and the strategies that people use to restore privacy when the coregulation expectations have been breached.

| Privacy is contextually dependent.
The theory of privacy as contextual integrity (Nissenbaum, 2004(Nissenbaum, , 2011 is based on the assumption that people desire to contain information within the context in which it was 'intended' and that each context is governed by norms of information flow. The privacy breach scenario-context collapse-is what happens when these norms are not upheld to the expected level, in ways that have unwanted consequences (boyd, 2001;Davis & Jurgenson, 2014).

| Privacy can be a group-based property.
The final claim has received the least research attention , whereby privacy is regarded as selective control over access to one's group (Altman, 1974;Bloustein, 1976;Margulis, 2003b). Groups are a different unit of analysis than contexts because the processes of selective access (over information, interactions, and the expression of self) can concern a group entity and/or individuals as group member representatives. Moreover, groups can persist across contexts-for example, people want selective control over how much they reveal about and allow interaction with their family group while in their workplaces. Some groups represent systematic and stable stratifications in societies, and thus, a group-based privacy analysis has important implications for understanding social inequalitiesfor example, the targeting of minority groups with surveillance (Anthony et al., 2017;Hargittai & Litt, 2013;Park, Campbell, & Kwak, 2012).
There are two main approaches to group privacy in development: The first draws on CMP theory (as mentioned above), and the second borrows from the social identity approach (Tajfel & Turner, 1979;Turner, Hogg, Oakes, Reicher, & Wetherell, 1987). This latter perspective on privacy has thus far focussed on how people determine if individuals are in-group members with the same privacy norms and how they cope with conflicts between social identities or groups with different privacy norms (e.g., Calikli et al., 2016;Lampinen, Tamminen, & Oulasvirta, 2009;Price et al., 2017).

| UNITING THE PSYCHOLOGICAL DOMAINS
The continued separation of psychological domains has arguably been problematic for the discipline of psychology at large (e.g.,leading to duplicated efforts and gaps in knowledge); therefore, we now give a few examples where researchers have made concerted efforts to draw different domains and levels of privacy together. The first is by James, Nottingham, Collignon, Warkentin, and Ziegelmayer (2016) (based on Laufer & Wolfe, 1977). They integrate individual differences and interactional privacy, arguing that people have an interpersonal privacy identity that reflects the control an individual feels they should have over their personal information and that disclosure in social interactions involves the expression of a privacy self-concept. However, the model has yet to develop a clear account of how the individual and interactional might respond to or differ across social contexts or different sets of intergroup relations.
In another integrative study, Child and Agyeman-Budu (2010), drawing on CPM theory, combine individual difference and group levels by examining individuals management of group privacy (including self-monitoring skills and concern for appropriateness) 1 . Also inspired by CPM, De Wolf, Willaert, and Pierson (2014) bring together both individual and group level privacy management strategies in a study finding that privacy turbulence (i.e., a privacy concerning event) caused by oneself increases people's use of individual privacy management strategies, but privacy turbulence caused by others does not correspond with an increase in group privacy management strategies. However, while CPM pays some respect to contextual variation (Child & Petronio, 2011), the psychological mechanisms that create contextual variation in privacy needs and behaviours have not yet been explored.
An approach that integrates across three domains of privacy (individual, interactional, and contextual) is the machine learning approach of Barth et al. (2006). Drawing on the assumptions of a contextual integrity approach to privacy, individual agents' information flow frequencies are used to learn the norms of sharing between agents. By tracking individual agents across multiple interactions, this reveals (or infers) privacy contexts. As an inference of context, however, it cannot explain why individuals are adopting these sharing patterns. That is, it does not reveal the meanings of contexts. In contrast, situational privacy and self-disclosure theory (Masur, 2018) (which notably also incorporates self-disclosure theory) casts a distinction between the sociological construct of contexts (as predetermined settings) and psychological situations (comprised of people's perceptions of the setting).
Further, the multi-layered privacy interaction framework (Aeschlimann et al., 2015), based on Bronfenbrenner's (1977)  Finally, the scale developed by Buchanan et al. (2007) integrates multiple domains of privacy, including information accessibility, expressive privacy (i.e., about the self), and physical privacy (e.g., someone invading your space), thus extending beyond the dominant focus on information privacy that has pervaded privacy research.

| GAPS AND ABSENCES IN THE PRIVACY RESEARCH BASE
Despite these attempts at integration, there are a number of gaps and absences in existing approaches to privacy that would need to be addressed to resolve ostensible paradoxes and inconsistencies in the study of privacy. In the following subsections, we expand on two concerns: (a) working towards distinguishing the different types of contexts of privacy and (b) the need to engage with the dynamics of privacy as it shifts across different domains and levels of interaction.

| Contexts in the digitally integrated world.
This gap in the privacy literature comes from the way context is conceptualised and on how groups and contexts are distinguished. There is general agreement that context is key to privacy (e.g., Barkhuus, 2012;Marwick & boyd, 2011;Nissenbaum, 2004) but not about how context should be conceptualised. For instance, Nissenbaum (2015) defines context as a physical place, a technology system/platform, a business model, a sector or industry, or a social domain; Masur (2018) emphasises psychological situations rather than contexts; Davis and Jurgenson (2014) define context as encompassing the shared meaning associated with a space, the people in it, and the associated identity meanings; under the social identity approach, context refers to a situation composed of a set of intra-or intergroup cues that make salient one of an individual's (psychologically relevant) identities, meaning that a change in the cues constitutes a change in context, while other aspects of the place can remain the same (see Turner, Hogg, Oakes, Reicher, & Wetherell, 1987). As a result of the complexity of defining context, research that talks about context often ends up studying social networks (e.g., Barth et al., 2006), but other elements of context are likely to be important for understanding privacy.
Based on our reading of the literature on context in privacy research, we propose considering a tripartite layered approach to contexts that accounts for the cyberphysical environmental, social context, and technical infrastructure elements of context. Cyberphysical contexts refer to the built environment (i.e., the design of places or spaces, including digital). The design of an environment affords the flow of movement and shapes communicative and behavioural actions (see Evans, Pearce, Vitak, & Treem, 2017;Norman, 2013). Privacy under this dimension is at risk when information crosses between environments (Evans et al., 2017). Social contexts are the more typical understanding of context as referred to by social scientists-the groups and individuals who occupy a space and have an investment in it. Davis and Jurgenson (2014) give the example of a wedding where guests from different aspects of one's social network are managed by strategically seating them at different tables (see also Binder, Howes, & Sutcliffe, 2009). Privacy is informed by an understanding of the social or cultural norms of relational conduct, that is, privacy is at risk when I or my confidants reveal my secrets to people in a different social network. Finally, the technical infrastructure context is the noninteractive infrastructure and architecture of environments-such as information flows that are created through unconfigurable technology design, or the materials that spaces are designed with, that cannot be altered. For example, an implanted device that measures my heart rate and has a preconfigured information flow transmitting data to my physician (via Wi-Fi). To understand privacy risks in this dimension of context, researchers would need to map technological configurations so as to identify privacy threats people may be unaware that they face. Distinguishing these ways of conceptualising context should create greater specificity in what privacy behaviours are afforded by context. Later, we suggest a framework for incorporating contexts and the dynamics of privacy.

| The dynamics of change in levels of privacy evaluations.
The second gap in the privacy literature is the need for a psychological understanding of the dynamics of changes in privacy evaluations and behaviours. These evaluations and behaviours concern different domains of privacy (informational, physical, interactional, etc.; see Buchanan et al., 2007), at different levels of abstraction (e.g., sometimes privacy concerns manifest at the interindividual level and sometimes at the group level), and at different time periods (e.g., is my privacy at risk now or later?) (see Davis & Jurgenson, 2014).
There is only a small amount of research investigating these transitions or dynamics. For instance, it is suggested that an individual's privacy risk calculations may be momentarily replaced by collective privacy norms, if group threat is made salient (Aeschlimann et al., 2015;Cichy & Salge, 2015), and that people's self-disclosure decisions are made difficult when social spheres/contexts overlap (Joinson et al., 2011). The multilayered privacy interaction framework (Aeschlimann et al., 2015) explains how decisions made at different levels of society could affect individuals. It is possible that while some levels of privacy may influence each other (e.g., individual vs. group), others may not be correlated (e.g., physical vs. information privacy). The interrelatedness (or lack of) of domains and dimensions of privacy require further investigation.
We suggest that one way to deal with both of these gaps-in the conceptualisation of contexts and on the dynamics of privacy-is to draw on theory on the role of social identity in decision-making and behaviour (Turner, 1991), as it offers a model of how the moment-by-moment dynamic interactions between context and cognition can be understood. It can be used to explore how the different aspects of privacy might impact on the self-and how these might change as contexts change. This notion of a more dynamic self at the heart of privacy was foregrounded by Altman et al. (1981) who proposed that momentary states determine how accessible the self currently is to others (see also James et al., 2016;Margulis, 1977). The social identity approach also explains cognitive shifts between interpersonal, intragroup, and intergroup levels of interaction.

| A FRAMEWORK APPROACH TO MODELLING PRIVACY
Given the complexity of privacy, we do not suggest that there is one all-encompassing theory that can account for all aspects of privacy. Instead, we suggest that researchers utilise a framework approach (see Figure 1) where they select the substantive dimensions that are relevant for their domain of application and apply (existing) social and personality psychological theory as applicable to those psychological domains. Being deliberate in these choices will assist in determining which levels and domains of privacy are being captured in the study of privacy and which ones are not.
We set out the below framework with all of the possible levels of analysis. Research on privacy can be decomposed across them, or the framework itself can be used to extract privacy relevant dimensions from other psychological topics of interest (e.g., if interested in intergroup conflict, researchers could draw more on group privacy research). In form, and following the format of this paper, the model laid out below also essentially represents a The characteristics of the individual begins with what an individual might bring to a privacy interaction-including personality dispositions, personal decision-making processes, and even neurological or physiological workings of privacy. The study of privacy in context can in turn be analysed across the cyberphysical environmental context, the social context, and the technical infrastructural context. Then, each privacy-related interaction can be analysed across three levels: privacy in interpersonal interactions, privacy in intragroup interactions, and privacy in intergroup interactions. Next, it is important to classify which dimensions of privacy are relevant to a privacy interaction-for example, whether it regards selective control over territories, information, physical privacy, the expression of identity, and so forth. Finally, the source and nature of privacy threats can occur at any level and from multiple locations. Privacy threats are traditionally thought of as arising from one of two sources: surveillance and exploitation by powerful entities or from listening in by our peers (Westin, 1967). Yet, there are also new forms of veillance that are less well understood, including sousveillance ('from below') (e.g., Mann, Nolan, & Wellman, 2002 The next step we envisage is to attempt integration of prominent approaches to privacy and their key insights. For instance, CPM theory (Petronio, 2002(Petronio, , 2010(Petronio, , 2015 and privacy as contextual integrity theory (Nissenbaum, 2004) are two theories that capture important insights into privacy, on regulating the co-ownership of private information, and people's expectations that information should stay within elected boundaries. However, they have never claimed to be complete theories of privacy (see Barth et al., 2006) and, furthermore, do not reference each other.
Next, the multi-layered privacy interaction framework could help to situate individuals in the systems and organisations that they interact with and that influence their decision-making (Aeschlimann et al., 2015) and to furnish individuals with insights from social identity theory that could develop a dynamic interactional model of privacy. We also indicated placeholders for individual characteristics underpinning privacy evaluations and behaviour in the frame- work. An understanding of the extent to which these needs are stable versus malleable should feed into any dynamic account of privacy. These theories and approaches are not inherently incompatible, and integrations may lead to breakthroughs in understanding privacy behaviour; however, future research needs to evaluate the extent to which total theoretical integration is possible or desirable, which is why we suggested using a selective framework approach as a way of specifying which privacy dimensions and psychological domains are applicable to a problem area. We do not envisage the framework as a static description of the privacy space. How privacy shifts dynamically between these levels-and whether and how these levels might be in operation at one and the same time-are key theoretical and practical research questions.

| EXPANDING BEYOND PRIVACY
The outline of different privacy theories and approaches was the focus of this paper; however, there are several broader social issues that could incorporate privacy, and we briefly signpost towards these now. These subjects include the following: (a) security, the need for certainty, stability, and safety may compete or complement the need for privacy (Bansal, 2016;Dourish & Anderson, 2006;Solove, 2011), yet as far as we are aware, they have not been studied in unison and are rhetorically treated as a trade-off; (b) surveillance studies are an interdisciplinary effort that psychologists could contribute towards (Tucker, Ellis, & Harper, 2016). There is a research on personality traits and employer monitoring (Sayre & Dahling, 2016) and on the shared identities between surveillers and the surveilled (O'Donnell, Jetten, & Ryan, 2010a, 2010bStuart & Levine, 2017;Subaši c, Reynolds, Turner, Veenstra, & Haslam, 2011); however, intergroup relations and resistance research in social psychology could further help situate the surveillance by studying which powerful groups are enacting their influence over less powerful groups, via surveillance, the vulnerabilities that some social groups face (Anthony et al., 2017;Park, 2013) and how this is allowed or resisted (see work on the elaborated social identity model in particular, Drury & Reicher, 2000;Reicher, 1996) psychological theory that could help drive this area forward include protection motivation theory (Ardion, 2016;Rogers, 1975;Rogers & Prentice-Dunn, 1997), psychological reactance theory (Brehm, 1966), and motivational and identity approaches to decision-making (e.g., social identity theory; Tajfel & Turner, 1979). We suggest that these, and other topics, could feed into the privacy framework (see Figure 1) at any stage, but a fuller consideration of how exceeds the scope of this review.

| CONCLUSION
Privacy concerns selective control and withdrawal from transactions with others and others' transactions with us; sometimes, transactions are technologically mediated, but nonetheless, privacy is inherent to individual well-being and to understanding the dynamics of social relations (Altman, 1974;Anthony et al., 2017;Westin, 2003). The intention of this paper was to persuade social and personality psychologists to take a keener interest in this topic.
The review of the literature and framework we have suggested is intended as a guide towards filling in the gaps in existing privacy theory. We also suggested the theoretical approaches that we believe are the most suited to uncovering the psychological mechanisms and processes involved in privacy management in the digital age, in particular those theories that situate privacy in social and group relations, as increasingly digital technology captures more about the people and places that are associated with us (boyd, 2012;Koohikamali, Peak, & Prybutok, 2017;Petronio, 2002). It is essential to develop privacy theory in order to enable the engineering of privacy protection mechanisms into computer systems; to evaluate the privacy implications of new technological innovations; to develop computer systems that can use observable contextual phenomena, physical (e.g., location), physiological (e.g., heart rate), etc.
to infer users' privacy needs; and to inform social policies and protections. Thus, the challenge we pose to psychologists is to use this framework to engage in the debate about the future of privacy. Through multidisciplinary work, we can have better theories and tools to undertake this research (Yarkoni, 2012). The study of privacy should not be an isolated, specialist field. Psychologists have the ability to develop a comprehensive theory of the psychology of privacy and have a professional and a moral responsibility to contribute to the debate over the changes in the privacy landscape. Without engaging, we may end up 'watching the very concept of privacy being rewritten under our noses' (to paraphrase Webb, 2015). Zuckerberg, M. (2010). Facebook CEO Mark Zuckerberg TechCrunch interview at the Crunchies/Interviewer: M. Arrington. San Francisco: TechCrunch, Crunchie awards.

AUTHOR BIOGRAPHIES
Dr Avelie Stuart completed her Social Psychology PhD in 2014 at Murdoch University, Western Australia, and is now a postdoctoral research fellow in Psychology at the University of Exeter, working on interdisciplinary projects relating to the development of privacy-sensitive and usable digital technologies, and is interested in using technology to study social identities, social networks, privacy, surveillance, and healthcare management. She is also more generally interested in studying social groups and collective behaviour.
Arosha K. Bandara is Professor of Software Engineering at The Open University, whose research and teaching focusses on software engineering for adaptive systems. Arosha has a particular interest in techniques for building adaptive security and privacy mechanisms for ubiquitous, Internet of Things (IoT) systems, and has developed approaches for engineering adaptive mechanisms for network access control, cloud software services, as well as quantitative metrics for privacy risks in social networks. He is also interested in mechanisms for supporting engi-