American Privacy Perceptions in the COVID Pandemic

Due to the use of contact tracing to slow the rate of Coronavirus infection by identifying exposed individuals to focus on for testing, quarantine, and isolation, the on-going COVID-19 pandemic has brought surveillance and privacy concerns to the forefront. The rejection of contact tracing tools, partly due to privacy concerns, has been widely reported. We conducted an online survey (N = 261) to identify participants’ privacy concerns and their risk perceptions during the on-going COVID-19 pandemic. Privacy concerns were measured based on participant comfort with data sharing with several data recipients. Participants were split into two groups by reason for data sharing (either public health or marketing purposes). Both groups were asked about sharing in the context of three vignettes with five possible data recipients. Our results suggest that the only between-group difference was comfort with sharing video content with law enforcement and health providers. These results contradict the common assertion that people are more willing to share their private information for public health purposes during this public health crisis. We note that participants’ privacy preferences are largely correlated with their perceived autonomy and the perceived severity of consequences related to privacy risks. Even during an on-going COVID-19 pandemic, health risk perception had limited influence on participants’ privacy preference. Only the perceived newness of the risk weakly positively correlated with their comfort level. Finally, our results show that participants’ computer expertise positively correlated with their privacy preference, while their knowledge of security makes them less comfortable with sharing.


Introduction
A standard approach to mitigating the spread of contagious diseases is to trace the contacts of those who test positive. To prevent the spread of the Coronavirus, entities from public health authorities to large organizations like universities are using contact tracing (Centers for Disease Control and Prevention, 2020). To improve speed and breadth of tracing, digital contact tracing (via an app) is often a popular option (Ferretti, et al., 2020). For example, Australia (Australian Government Department of Health, 2020) and the EU (European Commission, 2020) started using voluntary contact tracing apps in April and May. However, there are several critiques of tracing apps focusing on the need to protect individuals' security, privacy, and information rights by design (ACM Europe Technology Policy Committee, 2020a, 2020b). In fact, after the Australian app was rolled out in April, by the second week in May Parliament had passed the Privacy Amendment (Public Health Contact Information) Act to support the COVIDSafe app and ensure users' privacy was protected. As the United States debates privacy risks and COVID risk simultaneously, we propose there is a need to better understand Americans' privacy perceptions about data use during this pandemic (Australian Government Department of Health, 2020). In this study, we explore RQ: what privacy concerns Americans express during an on-going pandemic through a representative survey of American participants.

Privacy Perception
Privacy is highly contextual. Previous studies suggest that people are willing to give up their information for tangible and intangible benefits (Grossklags and Acquisti, 2007; Castro and McLaughlin, 2019; Taylor, 2003), whereas other studies show significant willingness to pay for privacy (Gopavaram et al., 2020; Egelman et al., 2009). Prior research has identified variations in privacy perceptions as a function of participants' awareness and knowledge of privacy practices (Liu et al., 2005; Malhotra et al., 2004); perceived control over information collection and usage (Castañeda and Montoro, 2007; Brandimarte et al., 2013); perceived sensitivity of information (Castañeda and Montoro, 2007); perceived regulatory protection from privacy harm (Dolnicar and Jordaan, 2006); risk perception (Garg and Camp, 2012); and the reputation of service providers (Teltzrow et al., 2007). Willingness to and comfort with disclosure has been found to be highly correlated or even predicated on perceptions of the ability of the data subject to control information disclosure, identified as the Control Paradox (Brandimarte et al., 2013). Control has also been identified as a determinant of risk perception for a wide range of physical risks (Weinstein, 1984). In our work, we conceptualized privacy as individuals' ability to control information about themselves (Bhasin, 2006). Consequently, we queried participants' comfort level about data sharing during COVID-19 for different purposes in different scenarios.

Risk Perception
Sacrificing individual privacy for the sake of national security is an enduring concept in the US, previously used to address bioterrorism plots (Annas, 2002) such as anthrax (Federal Bureau of Investigation) and also 9/11 (Solove, 2011). A similar approach has been suggested for addressing the Coronavirus and COVID-19, assuming that the severity of the COVID-19 pandemic is reason enough to eschew individual privacy concerns and share personal data to mitigate the spread of disease (Ross, 2020). Further underlying this assumption is protection-motivation theory, which suggests fear is a motivating factor for people to seek protective behaviors (Johnston and Warkentin, 2010; Herath and Rao, 2009). Such fear appeals are influenced by people's perceived severity of the risks (Johnston and Warkentin, 2010). Thus due to COVID-19, people's perceived personal risk of infection and disease severity might motivate them to adopt contact tracing apps, despite privacy loss. The other two factors that influence fear appeal are self-efficacy (i.e., are participants able to take action to mitigate risk) and response efficacy (i.e., are such actions effective) (Johnston and Warkentin, 2010).
Risk perceptions are rarely the result of purposeful calculus. Studies found that people are likely to be unrealistically optimistic about risks that are under volitional control and those that are familiar (Nordgren et al., 2007), reifying and extending the Control Paradox. Conversely, risk perception increases when risks are new and uncontrollable, such as emerging infectious diseases (Sjöberg, 2000; Slovic P. E., 2000; Weinstein, 1988; Weinstein, 1984). Therefore, it is arguable that perceptions of COVID-19 risks are unrealistically high and result in unnecessary exposure to the more familiar privacy risk through protection-seeking behaviors (e.g., adopting contact tracing apps). We evaluated this possibility by exploring participants' comfort with data sharing and how this interacts with their health risk and privacy risk perceptions in our experiment.

Other Factors Potentially Applicable to COVID-19
In 2003, SARS was a new infectious disease like COVID-19. Studies on SARS found global differences in risk perceptions. For example, in some Asian countries perceived risk from SARS was lower than in the US (Blendon et al., 2004; Lau et al., 2003). Conversely, one current cross-national study showed that contact tracing could be acceptable to all the participants with only slight national differences. Specifically for COVID-19, the results from Altmann et al.'s survey of participants in France, Germany, Italy, the UK, and the US found the least acceptance in the US and Germany (Altmann, et al., 2020). To eliminate cultural influences in our study, we only focus on the American population's perceptions.
Furthermore, the Altmann et al. survey identified a group of concerns around trust in government, privacy, and security (Altmann, et al., 2020). In addition to these concerns, other research suggests that perceived regulatory protection from harm (Dolnicar and Jordaan, 2006) and service providers' reputation also influence privacy concerns (Teltzrow et al., 2007). To address these factors, we evaluate participants' trust in law enforcement, healthcare providers, and major technology providers by capturing participants' privacy concerns in sharing data with these entities. This is embedded in our first hypothesis as detailed in 2.4.

Research Question
The goal of our research is to explore the privacy concerns Americans express during an on-going pandemic.
To address this question, we explored the following hypotheses: H1) Participants' privacy preferences remain the same whether the information they give is used for public health in the midst of a public health crisis (e.g., . H2) Participants' privacy preferences are a function of risk perceptions

Methodology
In this survey, we chose a quantitative approach to capture participants' perceived comfort with data collection and data sharing, as well as their privacy risk and health risk perceptions. Our online survey approach offers flexibility, time efficiency, ease-of-launch, broader recruitment capability, ease-of-analysis (Evans and Mathur, 2005), and aligns with social distancing. Previous studies of privacy preferences have found online surveys to be more representative than a census panel (Redmiles et al., 2019) and that even small samples are indistinguishable from a random market sample (Momenzadeh et al., 2020).

Survey Design
In this survey, we used participants' comfort with data collection and sharing as an indicator of their privacy preferences, as done previously by Naeini (2017). Participants were randomly assigned to one of two groups: General or Health. Each participant was shown three scenarios, as shown in Table 1. In the General group, the data are used to "provide personalized services, recommendations, and conveniences," whereas in the Health Group, the data are to "contain the spread of an infectious disease." The scenarios are based on three devices (Smartphone, Security Camera, and Fitness tracker). Our goal was to measure: 1) the difference between whether data is used for public health purposes (H1); and 2) the relationship between their privacy preferences and risk perceptions (H2).
Note. The General group in this chart is the control group.
The study started with the study information sheet, and then the scenarios followed, presented in random order. Scenarios were randomized to eliminate potential ordering bias (Brace, 2008). Each scenario was followed by questions asking participants to rate their level of comfort with data collection and sharing.
Participants chose on a five-point scale: 1-Extremely uncomfortable, 2-Uncomfortable, 3-Neutral, 4-Comfortable, 5-Extremely comfortable. We then interrogated participants' risk perceptions. To capture participants' privacy risk perception and health risk perception, we relied on the standard nine-dimension Risk Perceptions Scale (Fischhoff et al., 1978). This scale is often used in offline risk perception evaluations (Slovic et al., 1980; Grunert, 2005) and has been used online as well. We made subtle changes in these classic nine-dimensional risk questions, changing generic "risk" to specify either "privacy risk" or "risk of infectious diseases" (See Appendix A). Below, we detail the nine dimensions and specify our changes. For voluntariness we specified, "Is your exposure to the risks of [privacy loss/infectious diseases] in your control (voluntary risk), or out of your control (involuntary risk)?" with answers from 1 = voluntary to 5 = involuntary. Similarly for immediacy we customized it to, "Is the impact of [exposing your private information/being exposed to an infectious disease] immediate, or does it happen at a later point in time (delayed risk)?". For both knowledge to exposed and knowledge to science we changed generic risk to "understand the consequences of [privacy loss/infectious diseases]?" Given the importance of the Control Paradox, controllability was refined to, "To what extent do you have control over the consequences of [privacy loss/infectious diseases]?" with options for answers from 1 as "complete control" to 5 meaning "no control." Newness was unchanged (i.e., "Are these risks new, novel ones, or old, familiar ones?"). Chronic-catastrophic was unaltered and remained, "Is this a risk that affects people one at a time (chronic risk), or a large number of people at once (catastrophic risk)?"; as was Common-Dread which remained, "Is this a risk that you have learned to live with and can think about reasonably calmly (common risk), or is it one that you dread on the level of a gut reaction (dreadful risk)?". Severity of Consequences was slightly customized from the standard query into, "how severe are the consequences of [privacy loss/infectious diseases]?".
After querying about general risk perception using the standard nine-dimensional scale, we evaluated participants' computer expertise. Here we used the Expertise Measurement Scale (Ravijan et al., 2017), reformatted into two multiple-choice questions. The scale consists of skills and knowledge-based questions about computer and security expertise.
To evaluate the participants' knowledge of health risk, we developed questions using the CDC's recommendations for preventing respiratory viral infections (CDC, 2019a, 2019b, 2019c). Then we repeated Fischhoff et al.'s nine-dimension scale (Fischhoff et al., 1978) to evaluate health risk perceptions. We closed with demographics questions. A flowchart of our survey design can be seen in Figure 1. Survey Questions can be seen in Appendix A.

Figure 1. Survey Design Flowchart
Note. We relied on the Qualtrics randomizer to "randomly assign participants" to ensure an even distribution by demographic category.
We also had two attention check questions to ensure valid responses, per best practices (Hauser and Schwarz, 2016). These questions are obvious queries unrelated to the study, e.g., "paying attention is important in our survey, please select 'strongly disagree' in this question."

Participant Recruitment
The survey was designed using Qualtrics. Before deploying the survey, we conducted a pilot study with ten university students to test the correctness and effectiveness of the questions. Upon our University Institutional Review Board (IRB)'s approval, we deployed the survey through Prolific on April 28th, 2020 and paid each participant $3. These payments were calculated based on a $15 an hour living wage and the assumption that the survey could be completed in 10-12 minutes. Prolific provided us a representative sample of adults in the US, which reflects the demographic distribution of American population based on the US Census Bureau. [1] The first page of the survey contained the study information sheet detailing participant rights, including confidentiality and withdrawal measures. The survey was live until May 2nd and we received complete responses from 291 participants. We rejected responses from 17 participants because they completed the survey in fewer than 5 minutes (Smith et al., 2016), and/or they had the exact same answers to all questions. In addition, we rejected responses from 13 participants because they failed the attention check questions. In the end, we had 261 valid responses (130 in General Group; 131 in Health Group) with equivalent demographics in both groups. The total response rate was 261/291 = 89.69% (≥ 80%), which is considered acceptable (Fincham, 2008). Detailed demographic information can be found in Table 2.
Note. N = 261. Participants were on average 37 years old (SD = 12.90).

Data Analysis
We performed data analysis using R for factor analysis and Python for all additional analysis after exporting the data from Qualtrics. Initial exploration included evaluation of distributions for age, comfort levels, and calculation of Risk Perception. Finally, we conducted the analysis described below to evaluate H1) and H2). This analysis and the subsequent findings are in the next section.

Findings
In this section, we present our data analysis results.

Differences between General and Health Groups
As mentioned in Section 3, we queried participants about their comfort with data collection and sharing in this survey. To test H1, we first summarized the participants' responses using boxplots and found a sizeable difference between the General and Health groups (see Figures 2-5). We then conducted a Wilcoxon rank-sum test on each scenario to explore the significance of the difference between the General Group and the Health Group. The Wilcoxon rank-sum test assumes the data from two separate groups on a dependent variable have the same distribution but does not require the samples to be normally distributed (McKnight and Najab, 2010). For each of the three scenarios, we compared the distribution of responses of the two groups. Thus, H1 would be rejected if any of the Wilcoxon rank-sum tests showed statistical significance. We first conducted a Wilcoxon rank-sum test on participants' comfort with data collection. Figure 2 shows apparent sizable between-group differences in Scenarios 2 and 3, but these are not statistically significant. In fact, the results show no statistical significance in between-group differences in any of the Scenarios (see Table 3). Thus, we cannot reject the null hypothesis that participants' comfort with data collection from two groups are the same.
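The between-group comparison described above can be sketched as follows. This is an added example, not the authors' analysis code: the response counts are constructed, the recipient labels, `ALPHA` and all function names are assumptions, and it goes slightly beyond the text by applying the tie correction to the variance, which matters because five-point responses are heavily tied.

```python
import math
from collections import Counter

ALPHA = 0.05  # significance threshold (assumption for this example)


def midranks(values):
    """1-based ranks; tied values all receive the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1  # mean of positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def rank_sum_test(x, y, tie_correction=True):
    """Wilcoxon rank-sum test, normal approximation.

    Returns (z, two-sided p). z > 0 means x tends to rank above y.
    """
    n1, n2 = len(x), len(y)
    if n1 == 0 or n2 == 0:
        raise ValueError("both groups need at least one response")
    n = n1 + n2
    pooled = list(x) + list(y)
    w = sum(midranks(pooled)[:n1])          # rank sum of the first group
    mean_w = n1 * (n + 1) / 2               # expectation under H0
    var_w = n1 * n2 * (n + 1) / 12          # variance under H0, no ties
    if tie_correction:
        tie_term = sum(t ** 3 - t for t in Counter(pooled).values())
        var_w -= n1 * n2 * tie_term / (12 * n * (n - 1))
    if var_w <= 0:                          # every response identical
        return 0.0, 1.0
    z = (w - mean_w) / math.sqrt(var_w)
    return z, math.erfc(abs(z) / math.sqrt(2))


def expand(counts):
    """Turn {likert_level: count} into a flat list of responses."""
    return [level for level, c in sorted(counts.items()) for _ in range(c)]


# Constructed comfort ratings (1-5), NOT the study's data.
# Each entry: (General group counts, Health group counts).
CONSTRUCTED_SCENARIO = {
    "Recipient A": ({1: 20, 2: 30, 3: 40, 4: 30, 5: 10},   # n = 130
                    {1: 40, 2: 40, 3: 30, 4: 15, 5: 6}),   # n = 131
    "Recipient B": ({1: 25, 2: 35, 3: 35, 4: 25, 5: 10},   # n = 130
                    {1: 26, 2: 34, 3: 36, 4: 25, 5: 10}),  # n = 131
}


def compare_groups(scenario):
    """Run one rank-sum test per recipient: name -> (z, p, significant)."""
    results = {}
    for recipient, (general, health) in scenario.items():
        z, p = rank_sum_test(expand(general), expand(health))
        results[recipient] = (z, p, p < ALPHA)
    return results


def h1_rejected(results):
    """H1 (no between-group difference) is rejected if any test is significant."""
    return any(significant for _, _, significant in results.values())


if __name__ == "__main__":
    outcome = compare_groups(CONSTRUCTED_SCENARIO)
    for name, (z, p, sig) in outcome.items():
        print(f"{name}: z = {z:.3f}, p = {p:.4f}, significant = {sig}")
    print("H1 rejected:", h1_rejected(outcome))
```

Running several tests against one threshold, as here, inflates the chance of a false positive; a multiple-comparison adjustment is a separate decision this sketch does not make.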

Participants' comfort with data sharing
In the survey, we queried participants' comfort with sharing their data with five distinct entities: Law enforcement, Healthcare providers, Health insurance companies, Third-party private companies, and Device Manufacturers. Participant responses showed a sizable between-group difference for the Healthcare provider and Health insurance company in Scenario 1; between Law enforcement, Healthcare provider, and Third-party private companies in Scenario 2; and between Healthcare provider, Health insurance company, Device Manufacturer, and Third-party private companies in Scenario 3 (See Figures 3-5).

Figure 3. Comfort with Sharing Smartphone Data (Scenario 1) by Data Recipient
Note. This figure demonstrates the differences in comfort with sharing smartphone data with five data recipients by group assignment.
We conducted Wilcoxon rank-sum tests to explore whether these between-group differences were statistically significant. We found significant between-group differences for Law enforcement and Healthcare provider in Scenario 2. Specifically, for Law Enforcement, the privacy preference in General Group (Median = 3.0) reflects greater comfort in sharing data than in the Health Group (Median = 2.0) given p = .004, statistic = 2.895. Conversely for Healthcare Provider, the privacy preference in Health Group (Median = 3.0) indicates greater comfort than the General Group (Median = 2.0) given p = .000, statistic = -4.031. These are the only two significant between-group differences. Thus while the compilation of data resulted in similar comfort levels (as shown in 4.1.1), there was significant difference based on data sharing in two cases and, counterintuitively, in opposite directions.

Participants' risk perceptions
We also tested if there was any statistically significant between-group difference among participants' privacy and health risk perceptions. We compared the differences between the two groups by implementing a Wilcoxon rank-sum test between the dimensions of privacy risk perceptions and the dimensions of health risk perceptions. We identified no significant differences.
The results illustrated in the boxplots (Figures 2-5) and evaluated with rank-sum tests (Table 3) show no significant differences in people's privacy preference regardless of whether the data are compiled for public health or general commerce. Further, we see no statistical differences in their risk perceptions. As noted in the section above, there are differences in terms of sharing the data once it is compiled.

Risk Perception Factors Impacting Comfort Level
We leveraged Exploratory Factor Analysis and Regression Analysis to derive the relation between risk perception dimensions and participants' privacy preferences about data collection and sharing to test H2. Previous work has shown this dimensional analysis can explain significant variance in privacy risk perceptions (Garg and Camp, 2012). We first performed EFA to extract factors from the nine dimensions of privacy risk perception and the nine dimensions of health risk perceptions, with principal component analysis (PCA) for factor extraction. Snook and Gorsuch (1989) show that with larger samples (i.e., N ≥ 200) PCA and other approaches have similar results. The number of participants (N = 261) was adequate to obtain quality in the factor solution (Kline, 2014). The result from the Bartlett's test confirmed that the correlation matrix came from a population of independent samples (privacy risk dimensions: χ²(36) = 197.78, p < .001; health risk dimensions: χ²(36) = 268.58, p < .001), further indicating that the factor analysis was appropriate. Our analysis indicated no significance in between-group comparisons of the means of participants' risk perceptions (Section 4.1). Similarly, we found no significant differences in the factor analysis.

Exploratory
Based on the result of parallel analysis and PCA eigenvalues, we retained four factors. We used oblique rotation to ensure orthogonality of these factors. Together these four factors could explain more than 60% of the variance.
The EFA results (see Tables 4a and 4b) show that for health and privacy there is an "Autonomy" factor consisting of Voluntariness and Control. The "Familiarity" factors consist of dimensions that are related to the understanding of the risk (Exposed and Science), while the "Newness" factor consists entirely of the Newness dimension. The "Impact" factor in privacy risk perception consists of Common and Severity dimensions. In health risk perception, the "Impact" factor also includes the Chronic dimension. The specific eigenvalue of each factor and the percentage of variances they accounted for are listed in Tables 4a and 4b for privacy and health, respectively. As shown in Tables 4a and 4b, the four factors in privacy risk perceptions accounted for 61.06% of the total variance. The four factors in health risk perceptions accounted for 64.41% of the total variance in risk perception of sharing different types of information in different Scenarios. The result was eight factors: Health_Autonomy, Privacy_Autonomy, Health_Familiarity, Privacy_Familiarity, Health_Newness, Privacy_Newness, Health_Impact, and Privacy_Impact.

Regression Analysis
We tested the correlation between the eight reduced factors from health/privacy risk perceptions before performing regression analysis. The result suggests that none of the reduced factors can be collapsed into one, given all r ≤ .5 for each pair of factors. We then performed linear regression analysis to test the relationship between reduced risk perception factors and participants' privacy preferences.

Participants' comfort with data collection vs. risk perceptions
We conducted three regression analyses, one for each scenario. In each analysis, participants' comfort with data collection was used as the dependent variable, whereas the eight reduced risk perception factors were used as independent variables.
The results (see Tables 5a-c) indicate that Privacy_Autonomy and Privacy_Impact in privacy risk perception are statistically significant in predicting participants' comfort with data collection in all 3 scenarios (p ≤ .05).
The positive coefficients of Privacy_Autonomy across all 3 scenarios indicate that participants' perceived Privacy_Autonomy is positively correlated with increased comfort with data collection. The coefficient is greatest in Scenario 2 (B = .2567) followed by Scenario 1 (B = .1402) and Scenario 3 (B = .1068). On the other hand, the negative coefficients of Privacy_Impact across all three scenarios indicate that participants' perception of an increased impact of privacy loss is correlated with a lower comfort level with data collection.
Note. Only factors that were statistically significant are listed in the table. R² = 0.181.
The Health_Newness factor also appeared to be statistically significant in Scenario 1. The positive coefficient indicates that Health_Newness is correlated with increased comfort with data collection by Smartphone (Scenario 1).

Participants' comfort with data sharing
We then performed regression to derive the relation between reduced risk perception factors and participants' comfort with sharing data with five entities: Law enforcement, Healthcare provider, Health Insurance company, Device manufacturer, and Third-party private companies. We conducted three multivariate regressions for three scenarios to evaluate the relationship between the reduced risk factors and each entity.
The results of all three analyses are shown in Tables 6a-c. This indicates that Privacy_Impact was not statistically significant in all scenarios across all five entities. The consistent negative coefficients indicate that, in general, participants tend to be more comfortable sharing their data when the impact of privacy risk is less serious. Privacy_Autonomy was statistically significant in nearly all Scenarios across all five entities, except for Law enforcement in Scenario 1 and 3 (Table 6a and 6c) and Healthcare provider in Scenario 2 (Table 6b). The consistent positive coefficients imply that participants tend to be more comfortable sharing their data when they perceive a higher level of autonomy.
Note. This regression was completed using data from Scenario 3. *p < .05, **p < .01
Health_Newness also appeared to be significant for nearly all scenarios across all entities, except for Law enforcement in Scenario 2 (see Table 6b); and for Healthcare provider in Scenario 1 and 3 (see Table 6a and 6c). Recall that the Health_Newness factor in Health Risk Perception dimensions consists only of the Newness dimension of risk perception. For Law enforcement, Health_Autonomy also appeared to be significant in Scenario 1. The positive coefficients indicate that participants tend to be more comfortable sharing their data when they perceive a high level of autonomy on health risks.
For Scenario 3 when the data recipient is Healthcare provider, Health_Familiarity, Health_Autonomy, Privacy_Impact, and Privacy_Autonomy are all significant. Recall that Health_Familiarity in health risk perception consists of the understanding of the risks associated with exposure (i.e., Exposed) and how well scientific experts understand the risk (i.e., Science). This indicates that participants tend to be more comfortable sharing their Fitness Tracker data when the health risks are perceived as better understood, by participants and by experts, and when participants perceive a high level of autonomy.

Do other factors influence participants' privacy preferences?
Besides the research questions we discussed above, we explored if participants' expertise had an impact on predicting their privacy preferences, given that their understanding of the privacy risks might vary by their level of expertise. As discussed in Section 3, in our survey we used the expertise measurement scale from Ravijan et al.'s (2017) work to evaluate participants' expertise. Ravijan et al. have previously verified the calculation of two reduced factors: Computer Score (CS) corresponding to participants' computer expertise and Security Score (SS) corresponding to participants' security expertise. These two factors are positively correlated, with no party having a high CS with a low SS. We leveraged these two factors to test whether there was a relationship between participants' expertise and privacy preferences.

Expertise vs. Privacy Preferences about data collection
We first tested the inter-correlation between the two factors for our populations. Our results suggest that these two factors are positively correlated but cannot be collapsed into one (r = .456). Then, we conducted linear regression analyses to derive the relationship with participants' privacy preferences. We found neither CS nor SS to be statistically significant for predicting participants' comfort with data collection with a Smartphone (Scenario 1) or a Security Camera (Scenario 2). Only CS is statistically significant in Scenario 3 (p = .039).
The positive coefficient indicates that CS is positively correlated with participants' comfort with data collection by Fitness Tracker. The consistently negative coefficients of SS might be due to participants with higher security expertise having a greater awareness of privacy risks and thus decreased comfort with data sharing. This possibility was supported by the correlation between SS and Privacy Familiarity, showing p = .0245 and B = .1643. We then conducted Multivariate Regression analyses for the 5 data recipients in each scenario. The results are shown in Tables 7a-c. We only found statistical significance for CS and SS for Health insurance company, Healthcare provider, and Third-party private companies. Specifically, both CS and SS are statistically significant for comfort with sharing with a Health insurance company in Scenario 1 and 3; and for Healthcare provider and Third-party private companies in Scenario 3 (see Tables 7a and 7c). Further, CS was also statistically significant for Health insurance company in Scenario 2 (see Table 7b). The consistent positive coefficients of CS indicate that participants' computer expertise is positively correlated with their comfort with data sharing. Besides, the consistent negative coefficients of SS indicate that participants' security expertise is consistently negatively correlated with their comfort with data sharing. Neither CS nor SS was statistically significant in Scenario 1 and 2 for Healthcare Provider and Third-party Private Companies. Also, neither of these two factors were found to be statistically significant for Law Enforcement and Device Manufacturer. Only CS was found to be statistically significant in Scenario 2 for Health Insurance Company, and this is the only significant factor in Scenario 2. CS is only significant in Scenario 2 for Health Insurance Company.

Discussion
Our results reveal a small and conditional significant difference between participants' comfort with data sharing, and thus the potential impact of privacy preferences on data sharing, depending on the usage of data for public health during the current pandemic compared with the pre-pandemic purposes.Specifically, Figures 2-5 indicate that participants in the General Group (where we did not specifically mention data use for public health) in Scenario 3 tend to be more comfortable having their data compiled than participants' in the Health Group.
Beyond that, we found a surprisingly small overall difference.Our findings also revealed some interesting patterns.Specifically, as noted in Section 4.1, we found that people's privacy perceptions and risk perception did not differ when the use was for health, despite the on-going health crisis.This finding contradicts previous research which indicated people are less concerned about their privacy when there is a public health crisis (Altmann, et al., 2020;University of Maryland, 2020).
Second, the analysis in Section 4.2.2.1 revealed that Privacy_Autonomy and Privacy_Impact are the two most significant factors in predicting participants' comfort with data collection in all three scenarios.Thus, participants' comfort with data compilation and disclosure increases with their perceived level of control.This aligns with previous studies (Brandimarte et al., 2013).Participants' comfort with data use decreases with their perceived severity of consequences.This aligns with the importance of severity of risks in previous work on both health and computing risks.
In general, participants' health risk perceptions seemed to have no impact in predicting their privacy preferences about data collection, except in Scenario 1, where Health_Newness appeared to be statistically significant. This might imply that participants are less willing to cooperate with data collection through Smartphones over time. We also reported that Health_Newness positively correlated with participants' comfort with data collection via Smartphones and comfort with data sharing with all five entities. The consistent positive coefficients of Health_Newness indicate that participants tend to be more comfortable sharing their data when they face a relatively new health risk. This might be explained by construal level theory, which suggests that newer risks are perceived with larger temporal distance and result in abstract perceptions (Trope and Liberman, 2010). Thus, novel risks are perceived to be less well-known with more uncertainty (Garg and Camp, 2012). Furthermore, this may raise the fear of uncontrollability and unpredictability of what could happen in the future and prompt people to seek protection (Johnston and Warkentin, 2010). In our case, such protection-seeking action is represented by the higher comfort with data sharing. Similarly, this reifies protection motivation theory (Herath and Rao, 2009) and previous work in risk perception.
Third, as reported in Section 4.2.2.2, we found that Privacy_Autonomy is statistically significant in nearly all scenarios for all entities, except for Law enforcement in Scenarios 1 and 3, and Healthcare provider in Scenario 2. The absence of Privacy_Autonomy in Law enforcement may reflect the fact that the provision of personal information to government entities is compulsory when it is for the purpose of law enforcement. This is supported by the nature of governmental mandates, which potentially leads to the loss of control even when participants are unwilling to share (see Figures 3-5, Median(Law enforcement) ≈ 2.0). In comparison, people have more flexibility in choosing their own Healthcare provider. Thus, the absence of Privacy_Autonomy for Healthcare provider may imply they have some level of trust (i.e., less concern about controllability) (see Figures 3-5, Median(Healthcare provider) ≥ 3.0) but still are concerned about their Smartphone and Fitness Tracker data, which might contain more details of their daily activities. Alternatively, those who identify that the American health insurance and care structures remove autonomy would argue that compulsion is the explanation for both cases.
In general, we saw nearly no significant results for participants' health risk perceptions having an impact in predicting participants' privacy preferences. This is reflected in the reduced factors from health risk perception being sparse in Tables 5a-c and Tables 6a-c. Participants' comfort was mainly correlated with their privacy risk perceptions. This might explain why participants' aggregate privacy preferences remained similar with or without the data being used for public health, although the perceptual components of that concern differed.
Finally, in examining computer expertise (in Section 5.2) we found that the two expertise factors (i.e., CC and CS) are not statistically significant in predicting participants' privacy preference for data sharing with Law Enforcement or Device Manufacturer. This, again, may reflect that such data sharing is often mandatory (recall the Autonomy results). Specifically, data sharing with governmental entities is often mandated by Law Enforcement. Further, using a device implies potentially unavoidable data sharing with the manufacturing company. In addition, CS was only found to be significant in Scenario 2 for Health Insurance Company. This might be due to greater public concern about Security Camera data and less comfort with sharing or compilation (see Figures 2-5). Beyond that, participants' expertise had no impact in predicting their privacy preference in Scenarios 1 and 2 for Third-party private companies. This result suggests that the trust issues with technology providers deserve further exploration, as much of the focus on data sharing addresses third parties.
We can offer explanations from previous research, but no certainty as to why CS has uniformly positive coefficients and the SS has uniformly negative coefficients. Participants' security expertise was correlated with decreased comfort with all data sharing. Note that Computing Expertise is a requirement for Security Expertise, so the SS can arguably be considered the risk-aware subset of CS. In general, this means participants with a higher level of computer expertise tend to be more comfortable sharing their data with Health Insurance Company, Healthcare Provider, and Third-party Private Companies. However, such comfort is limited and varies by device type.
Finally, in expertise, we found no significance for health expertise as defined by correctly answering questions about COVID-19. This was true in a simple correlation, multivariate analysis, and PCA.

Conclusion and Future Work
Our analysis of risk perceptions suggests that participants' privacy preference is primarily driven by their perceived control and the perceived severity of consequences. It is reasonable to test if participants' perceptions of control over non-health dimensions of data-sharing change after the pandemic. Our current plan is to reproduce the survey post-pandemic then develop a hierarchical analysis of both datasets. Second, participants' health risk perceptions seemed to have no influence on their privacy preferences, even in the Health Group where we explicitly mentioned a public health crisis. However, the public crisis may be so ubiquitous in its impact that all answers may, upon post-hoc repetition and analysis, be answers about public health. We found that perceived "Newness" of health risks is statistically significant in nearly all scenarios across all entities. This aligns with the protection motivation theory. Thus, an evaluation of risk perception when COVID-19 is no longer new or news may be illustrative. In addition, we also found that participants who have higher computer expertise perceive higher levels of autonomy and lower levels of impact, which correlated with a higher comfort level; conversely, security expertise corresponds to decreased comfort. This reflects the critical difference between correlation and causation, as computer security expertise results in increased knowledge of risk and also indicates an exogenous interest in or concern about computing risks. We plan to further explore the combination of recipients and devices for the same data type, based on the findings illustrated in Section 4.1.

Figure 2. Comfort with Data Collection by Scenario. Note. This figure demonstrates the differences in participant comfort with data sharing by scenario and group assignment (General or Health). Scenario 1 (S1) was for Smartphone data, Scenario 2 (S2) for Security Camera data, and Scenario 3 (S3) for Fitness Tracker data. Comfort with data sharing for each individual device type by data recipient and group assignment is shown in Figures 3 through 5.

Figure 4. Comfort with Sharing Security Camera Data (Scenario 2) by Data Recipient. Note. This figure demonstrates the differences in comfort with sharing security camera data with five data recipients by group assignment.

Figure 5. Comfort with Sharing Fitness Tracker Data (Scenario 3) by Data Recipient. Note. This figure demonstrates the differences in comfort with sharing fitness tracker data with five data recipients by group assignment.

Table 4a. Results from Factor Analysis of 9 Dimensions of Privacy Risk Dimensions
Note. N = 261. The extraction method was Exploratory Factor Analysis (EFA). The relevant survey question number is listed before the Privacy Risk Dimension.

Table 4b. Results from Factor Analysis of 8 Dimensions of Health Risk Dimensions
Note. N = 261. The extraction method was Exploratory Factor Analysis (EFA). The relevant survey question number is listed before the Health Risk Dimension.

Table 5a
Only factors that were statistically significant are listed in the table. R² = 0.183.

Table 5b. Regression Analysis of Comfort with Data Collection via Security Camera (Scenario 2) with Reduced Factors
Note. Only factors that were statistically significant are listed in the table. R² = 0.177.

Table 6a. Multivariate Regression Analysis of Comfort with Smartphone Data by Entity Using Reduced Factors
This regression was completed using data from Scenario 1. *p<.05, **p<.01

Table 7a. Multivariate Regression Analysis of Comfort with Smartphone Data Sharing Based on Expertise
Note. This regression was completed using data from Scenario 1. *p<.05, **p<.01