A few years ago, when Leslie K. John was a doctoral student at Carnegie Mellon University, a classmate introduced her to a then-nascent website called Facebook. John took a look, scrolling through page after page of photographs, personal confessions, and ongoing accounts of people's every move. She found the whole thing perplexing.

"I didn't understand why people were putting all this information out there," says John, now an assistant professor in the Marketing Unit at Harvard Business School. "There seemed to be a constant need for people to give status updates on what they were doing. It was very bizarre to me."

John's curiosity led to a raft of collaborative research about information disclosure in the age of social media. Her goal: to determine when we're most likely to divulge intimate facts and when we're apt to keep our lives to ourselves.

In short, the initial findings indicate that individuals are both illogical and careless with their privacy on the web. "We show that people are prone to sharing more information in the very contexts in which it's more dangerous to share," John says.

Creepy Questions

Specifically, John and two colleagues from Carnegie Mellon set out to study a common contradictory attitude toward Internet privacy. On the one hand, studies show that Americans are wary of companies having access to their personal information. For example, in a February 2012 survey by the Pew Research Center, 73 percent of 2,253 adult respondents answered they would not be OK with a search engine (such as Google) keeping track of their searches and using the results to personalize future searches. And 68 percent said they were uncomfortable with targeted advertising for the same reason: they didn't want anyone tracking their behavior. On the other hand, millions of people routinely share the most intimate details of their lives via various social media sites.

With a series of field and lab experiments, John, Alessandro Acquisti, and George Loewenstein shed some light on the discrepancy.

In each experiment, the researchers asked participants to answer a list of questions to indicate whether they had engaged in various sensitive activities—looking at pornographic material, cheating on a romantic partner, trying cocaine, and so on. "We basically sat down together and brainstormed creepy questions to ask," John says.

The experiments tested the idea that downplaying privacy concerns would increase the likelihood of disclosure. For example, the researchers set up laptop computers across the Carnegie Mellon campus and asked passersby to fill out a "Web survey about student behaviors," which comprised 15 yes/no questions. Unbeknownst to them, the participants were randomly assigned to one of three user-interface conditions.

In some cases, they took an online survey titled "How BAD Are U???" Deliberately designed to look unprofessional, it featured red font and a pixelated cartoon devil. Other participants received a deliberately professional-looking survey titled "Carnegie Mellon University Executive Council Survey on Ethical Behaviors," which sported the school's official crest. A third set, the control group, received the relatively neutral "Survey of Student Behaviors."

The questions were exactly the same in every case. Yet participants in the "unprofessional" condition were almost twice (1.98 times) as likely to admit to having engaged in the various behaviors relative to those in the "professional" condition, with the control group answers generally falling in the middle.

From a logical Internet privacy viewpoint, the results don't make sense. After all, an amateur website of unknown origins is likely far less concerned with data protection than a professional website of a firm or university. But according to John, the research supports the hypothesis that people often don't even think about privacy unless reminded to do so. Ironically, professionalism seemed to remind participants that airing their affairs might have negative consequences.

"When you're on a very official-looking site, it sort of cues you in to think about the concept of privacy," she says. "We argue that oftentimes, privacy isn't something that's at the forefront of people's minds until you cue it."

To further test this argument, the researchers repeated their experiment, but added a very deliberate privacy cue at the onset: Before completing the personal survey, some participants took a test called "Phind the phishing emails," in which they viewed screen shots of email messages and identified them as "just spam" or "phishing"—the common cybercrime of masquerading as a trustworthy source to acquire data such as credit card information. Others (the control group) took a test called "find the endangered fish."

Indeed, thinking about phishing caused participants to be equally judicious in their responses, regardless of whether they were taking the "How BAD Are U???" or the "Executive Council on Ethical Behavior" survey. (Looking at pictures of endangered Acadian redfish and Atlantic halibut had no effect.)

Indirect Questions

The researchers also showed that people are likely to share information online if a personal question comes at them in a roundabout way. In another experiment, they teamed up with New York Times science columnist John Tierney, who posted a survey called "Test Your Ethics" on his official blog. Some 890 readers completed the survey, unaware that they were part of a research project. Upon clicking a link, all participants were presented with a list of 16 arguably unethical behaviors. For each one, they rated the behavior on a scale of "not at all unethical" to "extremely unethical" and answered questions about whether they themselves had ever engaged in that behavior.

However, the nature of the inquiry varied from participant to participant. In some cases the question was point blank: "Have you done this behavior?" But in others, the question was indirect: Participants had the choice of answering "If you have ever done this behavior, how unethical do you think it was?" or "If you have never done this behavior, how unethical do you think it would be, if you were to choose to do it?" Unfailingly, the researchers found that participants were far more likely to admit to a behavior when the question was posed indirectly.

Simply changing the order of the survey questions also had a direct effect on information disclosure. If shocked at the start, respondents would let their guard down. The researchers found that participants were more likely to divulge personal information if the questions were presented in decreasing order of intrusiveness—starting with "Have you had sex with the current husband, wife, or partner of a friend?" and ending with the relatively tame "In the last year, have you eaten meat, poultry, or fish?"

Participants also were more likely to admit to unethical behavior if they were told that other participants had reported misdeeds, too. That herd mentality helps explain the propensity to air dirty laundry on Facebook, John explains. In fact, with so many Facebook members oversharing, it's gotten to the point that people get suspicious when their peers don't overshare.

In a recent experiment, John and HBS Associate Professor Michael I. Norton asked several college students to fill out a brief questionnaire, choosing to answer a personal question about either a desirable behavior (such as charity work) or an undesirable behavior (such as cheating). The students could respond to only one of the questions, with the understanding that another group of participants would be rating the answers on a scale of trustworthiness.

Many respondents chose to answer the question about positive behavior, assuming that this would show them in the most trustworthy light. But in fact, the group rating the answers tended to give higher trustworthiness scores to the students who chose to reveal unsavory behavior instead. "People tend to assume the worst about those who choose not to divulge," John says.

The Broad Implications

So why aren't most of us more logical and judicious in our approach to Internet privacy? "Broadly, the lesson of this research is that people don't really know how to value their own information," John says. "Because of this uncertainty about what the value of privacy is, people don't know when to value their information or how to care about it. And as a consequence, when people are uncertain, their judgments are often influenced by seemingly arbitrary contextual factors."

The research should prove useful to marketing firms, which often use online quizzes and games to garner detailed demographic information. But the findings also highlight a catch-22 situation for conscientious companies. While these firms want to ensure customer privacy for legal and ethical reasons, the mere act of ensuring privacy seems to suppress information disclosure.

What's the solution? "Perhaps the happy medium for marketers is to protect people's privacy, but don't explicitly tell them you're doing that," John says. "That may be a slippery slope. It may lead to the temptation just not to bother protecting people's privacy. But I would hope that the virtuous marketer would resist that temptation."

To read more: For detailed accounts of research by Leslie John, Alessandro Acquisti, and George Loewenstein, see "The Impact of Relative Standards on the Propensity to Disclose," in the April 2012 issue of the Journal of Marketing Research, and "Strangers on a Plane: Context-Dependent Willingness to Divulge Sensitive Information," in the February 2011 issue of the Journal of Consumer Research.