Posted: March 5, 2019 by

Our survey and accompanying report find that, no matter their age, users have deep concerns about the privacy of their data online and take significant steps to secure it. Learn how public distrust in corporations' ability to protect and use data in ethically responsible ways has shaped their behavior online.

Before Cambridge Analytica made Facebook an unwilling accomplice to a scandal by appropriating and misusing more than 50 million users’ data, the public was already living in relative unease over the privacy of their information online.

The Cambridge Analytica incident, along with other, seemingly day-to-day headlines about data breaches pouring private information into criminal hands, has eroded public trust in corporations’ ability to protect data, as well as their willingness to use the data in ethically responsible ways. In fact, the potential for data interception, gathering, collation, storage, and sharing is increasing exponentially in all private, public, and commercial sectors.

Concerns of data loss or abuse have played a significant role in the US presidential election results, the legal and ethical drama surrounding Wikileaks, Brexit, and the implementation of the European Union’s General Data Privacy Regulations. But how does the potential for the misuse of private data affect the average user in Vancouver, British Colombia; Fresno, California; or Lisbon, Portugal?

To that end, The Malwarebytes Labs team conducted a survey from January 14 to February 15, 2019 to inquire about the data privacy concerns of nearly 4,000 Internet users in 66 countries, including respondents from: Australia, Belgium, Brazil, Canada, France, Germany, Hong Kong, India, Iran, Ireland, Japan, Kenya, Latvia, Malaysia, Mexico, New Zealand, the Philippines, Saudi Arabia, South Africa, Taiwan, Turkey, the United Kingdom, the United States, and Venezuela.

The survey, which was conducted via SurveyMonkey, focused on the following key areas:

Feelings on the importance of online privacy

Rating trust of social media and search engines with data online

Cybersecurity best practices followed and ignored (a list of options was provided)

Level of confidence in sharing personal data online

Types of data respondents are most comfortable sharing online (if at all)

Level of consciousness of data privacy at home vs. the workplace

____________________________________________________________________________________________________________________________

For a high-level look at our analysis of the survey results, including an exploration of why there is a disconnect between users’ emotions and their behaviors, as well as which privacy tools Malwarebytes recommends for those who wish to do more to protect their privacy, download our report:

The Blinding Effect of Security Hubris on Data Privacy

____________________________________________________________________________________________________________________________

For this blog, we explored commonalities and differences among Baby Boomers (ages 56+), Gen Xers (ages 36 – 55), Millennials (ages 18 – 35), and Gen Zeds, or the Centennials (ages 17 and under) concerning feelings about privacy, level of confidence sharing information online, trust of social media and search engines with data, and which privacy best practices they follow.

Lastly, we delved into the regional data compiled from respondents in Europe, the Middle East, and Africa (EMEA) and compared it against North America (NA) to examine whether US users share common ground on privacy with other regions of the world.

Privacy is complicated

If 10 years ago, someone had asked you to carry an instrument that could: listen into your conversations, broadcast your exact location to marketers, and allow you be tracked as you moved between the grocery aisles (and how long you lingered in front of the Cap’n Crunch cereal), most would have declined, suggesting it was a crazy joke. Of course, that was before the advent of smartphones that can do all that and more, today.

Many regard the public disclosure of surreptitious information-gathering programs conducted by the National Security Agency (NSA) here in the US as a watershed moment in the debate over government surveillance and privacy. Despite the outcry, experts noted that the disclosures hardly made a dent in US laws about how the government may monitor citizens (and non-citizens) legally.

Tech companies in Silicon Valley were equally affected (or unaffected, depending on how you look at it) by Edward Snowden’s actions. Yet, over time, they have felt the effects of people’s change in behaviors and actions toward their services. In the face of increasing pressure from criminal actions and public perception in key demographics, companies like Google, Apple, and Facebook have taken steps to beef up the encryption of and better secure user data. But is this enough to make people trust them again?

Challenge: Put your money where your mouth is

In reality, particularly in commerce, we may have reservations about allowing companies to collect from us, especially because we have little influence on how they use it, but that doesn’t stop us from doing so. The care for the protection of our own data, and that of others, may well be nonexistent—signed away in an End-User Licensing Agreement (EULA) buried 18 pages deep.

Case in point: Students of the Massachusetts Institute of Technology (MIT) conducted a study in 2017 and revealed that, among other findings, there is a paradox between how people feel about privacy and their willingness to easily give away data, especially when enticed with rewards (in this case, free pizza).

Indeed, we have a complicated relationship with our data and online privacy. One minute, we’re declaring on Twitter how the system has failed us and the next, we’re taking a big bite of a warm slice of BBQ chicken pizza after giving away your best friend’s email address.

This begs the question: Is getting something in exchange for data a square deal? More specifically, should we have to give something away to use free services? Has a scam just taken place? But more to the point: Do people really, really care about privacy? If they do, why, and to what extent?

In search of answers

Before we conducted our survey, we had theories of our own, and these were colored by many previous articles on the topic. We assumed, for example, that Millennials and Gen Zeds, having grown up with the Internet already in place, would be much less concerned about their privacy than Baby Boomers, who spent a few decades on the planet before ever having created an online account. Rather than further a bias, we started from scratch—we wanted to see for ourselves how people of different generations truly felt about privacy.

Privacy by generations: an overview

This section outlines the survey’s overall findings across generations and regions. A breakdown of each generation’s privacy profile follows, including some correlations from studies that tackled similar topics in the past.

An overwhelming majority of respondents (96 percent) feel that online privacy is crucial. And their actions speak for themselves: 97 percent say they take steps to protect their online data, whether they are on a computer or mobile device.

Among seven options provided, below are the top four cybersecurity and privacy practices they follow: “I refrain from sharing sensitive personal data on social media.” (94 percent) “I use security software.” (93 percent) “I run software updates regularly.” (90 percent) “I verify the websites I visit are secured before making purchases.” (86 percent)

Among seven options provided, below are the top four cybersecurity faux pas they admitted to: “I skim through or do not read End User License Agreements or other consent forms.” (66 percent) “I use the same password across multiple platforms.” (29 percent) “I don’t know which permissions my apps have access to on my mobile device.” (26 percent) “I don’t verify the security of websites before making a purchase. (e.g. I don’t look for “https” or the green padlock on sites.)” (10 percent)



This shows that while respondents feel the need to take care of their privacy or data online, we can deduce that they can only consistently protect it at least most of the time and not all the time.

There is a near equal percentage of people who trust (39 percent) and distrust (34 percent) search engines across all generations.

Across the board, there is a universal distrust of social media (95 percent). We can then safely assume that respondents are more likely to trust search engines to protect their data than social media.

When asked to agree or disagree with the statement, “I feel confident about sharing my personal data online,” 87 percent of respondents disagree or strongly disagree.

On the other hand, confident data sharers—or those who give away information to use a service they need—would most likely share their contact info (26 percent), such as name, address, phone number, and email address; card details when shopping online (26 percent); and banking details (16 percent).

A small portion (2 percent) of highly confident sharers are also willing to share (or already have shared) their Social Security Number (SSN) and health-related data.

In practice, however, 59 percent of respondents said they don’t share any of the sensitive data we listed online.

When asked to rate the statement, “I am more conscious of data privacy when at work than I am at home,” a large share (84 percent) said “false.”

Breaking it down

There are many events that happened within this decade that have shaped the way Internet users across generations perceive privacy and how they act on that perception. The astounding number of breaches that have taken place since 2017 and the billions of data stolen, leaked, and bartered on the digital underground market—not to mention the seemingly endless number of opportunities for governments, institutions, and individuals to spy and harvest data on people—can either drive Internet users with a modicum of interest in preserving privacy to (1) live off the grid or (2) completely change their perception of data privacy. The former is unlikely to happen for the majority of users. The latter, however, is already taking place. In fact, not only have perceptions changed but so has behavior, in some cases, almost instantly.

We profiled each age group in light of past and present privacy-related events and how these have changed their perceptions, feeling, and online practices. Here are some of the important findings that emerged from our survey.

Centennials are no noobs when it comes to privacy.*

It’s important to note that while many users who are 18 years old and under (83 percent) admit that privacy is important to them, even more (87 percent) are taking steps to ensure that their data is secure online. Ninety percent of them do this by making sure that the websites they visit are secure before making online purchases. They also refrain from sharing sensitive PII on social media (86 percent) and use security software (86 percent).

Jerome Boursier, security researcher and co-founder of AdwCleaner, is also a privacy advocate. He disagrees with Gen Zeds’ claims that they don’t disclose their personally identifiable information (PII) on social media. “I think most people in the survey would define PII differently. People—especially the younger ones—tend to have a blurry definition of it and don’t consider certain information as personally identifiable the same way older generations do.”

Other notable practices Gen Z admit to partaking in are borrowed from the Cybersecurity 101 handbook, such as using complicated passwords and tools like a VPN on their mobile devices, while others go above-and-beyond normal practices, such as checking the maliciousness of a file they downloaded using Virus Total and modifying files to prevent telemetry logging or reporting—something Microsoft has been doing since the release of Windows 7.

They are also the generation that is the most unlikely to update their software.

Contrary to public belief, Millennials do care about their privacy.

This bears repeating: Millennials do care about their privacy.

An overwhelming majority (93 percent) of Millennials admitted to caring about their privacy. On the other hand, a small portion of this age group, while disclosing that they aren’t that bothered about their privacy, also admit that they still take steps to keep their online data safe.

One reason we can cite why Millennials may care about their privacy is that they want to manage their online reputations, and they are the most active at it, according to the Pew Research Center. In the report “Reputation Management and Social Media,” researchers found that Millennials take steps to limit the amount of PII online, are well-versed at personalizing their social media privacy settings, delete unwanted comments about them on their profiles, and un-tag themselves from photos they were tagged in by someone else. Given that a lot of employers are Google-ing their prospective employees (and Millennials know this), they take a proactive role in putting their best foot forward online.

Like Centennials, Millennials also use VPNs and Tor to protect their anonymity and privacy. In addition, they regularly conduct security checks on their devices and account activity logs, use two-factor authentication (2FA), and do their best to get on top of news, trends, and laws related to privacy and tech. A number of Millennials also admit to not having a social media presence.

While a large share (92 percent) of Millennials polled distrust social media with their data (and 64 percent of them feel the same way about search engines), they continue to use Google, Facebook, and other social media and search platforms. Several Millennials also admit that they can’t seem to stop themselves from clicking links.

Lastly, only a little over half of the respondents (59 percent) are as conscious of their data privacy at home as they are at work. This means that there is a sizable chunk of Millennials who are only conscious of their privacy at work but not so much at home.

Gen Xers feel and behave online almost the same way as Baby Boomers.

Gen Xers are the youngest of the older generations, but their habits better resemble their elder counterparts than their younger compatriots. Call it coincidence or bad luck—depending on your predisposition—or even “wisdom in action.” Either way, being likened to Baby Boomers is a compliment when it comes to privacy and security best practices.

Respondents in this age group have the highest number of people who are privacy-conscious (97 percent), and they are no doubt deliberate (98 percent) in their attempts to secure and take control of their data. Abstaining from posting personal information on social media ranks high in their list of “dos” at 93 percent. Apart from using security software and regularly updating all programs they use, they also do their best to opt out of everything they can, use strong passwords and 2FA, install blocker apps on browsers, and surf the web anonymously.

On the flip side, they’re second only to Millennials for The Generation Good at Avoiding Reading EULAs (71 percent). Gen Xers also bagged The Least Number of People in a Generation to Reuse Passwords (24 percent) award.

When it comes to a search engine’s ability to secure their data, over half of Gen Xers (65 percent) distrust them, while nearly a quarter (24 percent) chose to be neutral in their stance

Baby Boomers know more about protecting privacy online than other generations, and they act upon that knowledge.

Our findings of Baby Boomers have challenged the longstanding notion that they are the most clueless bunch when it comes to cybersecurity and privacy.

Of course, this isn’t to say that there are no naïve users in this generation—all generations have them—but our survey results profoundly contrast what most of us accepted as truth about what Boomers feel about privacy and how they behave when online. They’re actually smarter and more prudent than we care to give them credit for.

Baby Boomers came out as the most distrustful generation (97 percent) of social media when it comes to protecting their data. Because of this, those who have a social media presence hardly disclose (94 percent) any personal information when active.

In contrast, only a little over half (57 percent) of Boomers trust search engines, making them the most trustful among other groups. This means that it is highly likely for a Baby Boomer to trust search engines with their data over social media.

Boomers are also the least confident (89 percent) generation in terms of sharing personal data online. This correlates to a nationwide study commissioned by Hide My Ass! (HMA), a popular VPN service provider, about Baby Boomers and their different approach to online privacy. According to their research, Boomers are likely to respond “I only allow trusted people to see anything I post & employ a lot of privacy restrictions.”

Lastly, they’re also the most consistent in terms of guarding their data privacy both at home and at work (88 percent).

“I am immediately surprised that Baby Boomers are the most conscious about data privacy at work and at home. Anecdotally, I guess it makes sense, at least in work environments,” says David Ruiz, Content Writer for Malwarebytes Labs and a former surveillance activist for the Electronic Frontier Foundation (EFF). He further recalls: “I used to be a legal affairs reporter and 65-and-up lawyers routinely told me about their employers’ constant data security and privacy practices (daily, changing Wi-Fi passwords, secure portals for accessing documents, no support of multiple devices to access those secure portals).”

Privacy by region: an overview of EMEA and NA

A clear majority of survey respondents within the EMEA region are mostly from countries in Europe. One would think that Europeans are more versed in online privacy practices, given they are particularly known for taking privacy and data protection seriously compared to those in North America (NA). Although being well-versed can be seen in certain age groups in EMEA, our data shows that the privacy-savviness of those in NA are not that far off. In fact, certain age groups in NA match or even trump the numbers in EMEA.

Comparing and contrasting user perception and practice in EMEA and NA

There is no denying that those polled in EMEA and NA care about privacy and take steps to secure themselves, too. Most of them refrain from disclosing any information they deemed as sensitive in social media (an average of 89 percent of EMEA users versus 95 percent of NA users), verify websites where they plan to make purchases are secure (an average of 90 percent of EMEA users versus 91 percent of NA users), and use security software (an average of 89 percent of EMEA users versus 94 percent of NA users).

However, like what we’ve seen in the generational profiles, they also recognize the weaknesses that dampen their efforts. All respondents are prone to skimming through or completely avoiding reading the EULA (an average of 77 percent of EMEA users versus 71 percent of NA users). This is the most prominent problem across generations, followed by reusing passwords (an average of 26 percent of EMEA users versus 38 percent of NA users) and not knowing which permissions their apps have access to on their mobile devices (an average of 19 percent of EMEA users versus 17 percent of NA users).

As you can see, there are more users in NA that are embracing these top online privacy practices than those in EMEA.

All respondents from EMEA and NA are significantly distrustful of social media—92 and 88 percent, respectively—when it comes to protecting their data. For those who are willing to disclose their data online, they usually share their credit card details (26 percent), contact info (26 percent), and banking details (16 percent). Essentially, the most common pieces of information you normally give out when you do online banking and purchasing.

Millennials in both EMEA and NA (61 percent) feel the least conscious about their data privacy at work vs. at home. On the other hand, Baby Boomers (85 percent) in both regions feel the most conscious about their privacy in said settings.

It’s also interesting to note that Baby Boomers in both regions appear to share a similar profile.

Privacy in EMEA and NA: notable trends

When it comes to knowing which permissions apps have access to on mobile devices, Gen Zeds in EMEA (90 percent) are the most aware compared to Gen Zeds in NA (63 percent). In fact, Gen Zeds and Millennials (73 percent) are the only generations in EMEA that are conscious of app permissions. Not only that, they’re the less likely group to reuse passwords (at 20 and 24 percent, respectively) across generations in both regions. Although Gen Xers in EMEA have the highest rate of users (31 percent) who recycle passwords.

It also appears that the average percentage of older respondents—the Gen Xers (31 percent) and Baby Boomers (37 percent)—in both regions are more likely to read EULAs or take the time to do so than the average percentage of Gen Zeds and Millennials (both at 18 percent).

Gen Zeds in NA are the most distrustful generation of search engines (75 percent) and social media (100 percent) when it comes to protecting their data. They’re also the most uncomfortable (100 percent) when it comes to sharing personal data online.

Among the Baby Boomers, those in NA are the most conscious (85 percent) when it comes to data privacy at work. However, Baby Boomers in EMEA are not far off (84 percent).

With privacy comes universal reformation, for the betterment of all

The results of our survey have merely provided a snapshot of how generations and certain regions perceive privacy and what steps they take (and don’t take) to control what information is made available online. Many might be surprised by these findings while others may correlate them with other studies in the past. However you take it, one thing is clear: Online privacy has become as important an issue as cybersecurity, and people are beginning to take notice.

With this current privacy climate, it is not enough for Internet users to do the heavy lifting. Regulators play a part, and businesses should act quickly to guarantee that the data they collect from users is only what is reasonably needed to keep services going. In addition, they should secure the data they handle and store, and ensure that users are informed of changes to which data they collect and how they are used. We believe that this demand from businesses will continue at least for the next three years, and any plans or reforms that elevate the importance of online privacy of user data will serve as cornerstones to future transformations.

At this point in time, there is no real way to have complete privacy and anonymity when online. It’s a pipe dream in the current climate. Perhaps the best we can hope for is a society where businesses of all sizes recognize that the user data they collect has a real impact on their customers, and to respect and secure that data. Users should not be treated as a collection of entries with names, addresses, and contact numbers in a huge database. Customers are customers once again, who are always on the lookout for products and services to meet their needs.

The privacy advocate mantle would then be taken upon by Centennials and “Alphas” (or iGeneration), the first age group entirely born within the 21st century and considered the most technologically infused of us all. For those who wish to conduct future studies on privacy like this, it would be really, really interesting to see how Alphas and Centennials would react to a free box of pizza in exchange for their mother’s maiden name.

[*] The Malwarebytes Labs was only able to poll a total of 31 respondents in Gen Zed. This isn’t enough to create an accurate profile of this age group. However, this author believes that what we were able to gather is enough to give an informed assessment of this age group’s feelings and practices.