How Good is Good Enough? Quantifying the Impact of Benefits, Accuracy, and Privacy on Willingness to Adopt COVID-19 Decision Aids

3.1 State of COVID-19 Pandemic During Our Surveys

In order to properly contextualize our surveys for the reader, we briefly recall the socio-political context in which our surveys were conducted. Both surveys were conducted with respondents located in the United States during May 2020, just four months after the first recorded American COVID-19 case on 21 January, 2020. COVID-19 apps, like the ones that we study in this work, were first discussed broadly in April 2020 as a supplement to traditional contact tracing. By early May, the first contact-tracing apps had been deployed, like the North Dakota app, which had serious privacy flaws [56, 58]. During this early phase of the pandemic, there was significant uncertainty about the practices and tools that would help mitigate the spread of COVID-19. For instance, the World Health Organization did not suggest that everyone should wear face masks until June 2020. When we conducted our surveys, most American states were in a state of emergency, and stay-at-home orders were starting to be lifted after several weeks. By the end of May, official statistics had recorded 100,000 American COVID-19 deaths [14]. Thus, our surveys were conducted during a moment of significant distress and fear, during which COVID-19 apps seemed like they might become a significant tool in suppressing the spread of COVID-19.

3.2 First Survey (RQ1 and RQ2)

In our first survey we looked at how accuracy and/or privacy considerations might influence willingness to adopt (RQ1) and how the relative weight of these considerations might vary with respondent demographics (RQ2). We used a vignette survey [6] to examine these questions. In a vignette survey, respondents are given a short description of a hypothetical situation and then asked a series of questions about how they would respond. This initial situation can also be supplemented with condition-specific descriptions that augment the vignette that is show to all respondents, which allows researchers to isolate specific, explicit differences between respondents in different branches. Vignette surveys have been shown to maximize external validity when examining hypothetical scenarios.

Questionnaire. We used a 2-by-2 between-subjects design to study accuracy and privacy concerns around contact tracing apps that collect two different types of data. We framed our questionnaire by asking respondents to imagine that there exists a contact-tracing app that uses Bluetooth proximity information (Proximity Scenario) or GPS location information (Location Scenario) to identify contact, assigning half of the respondents to the two groups at random. Each participant was then randomly assigned to either the control branch or the experimental branch, and given a series of branch-specific contexts. In the control branch, the respondents were, at random, assigned to one of the following three contexts: (1) the app has perfect accuracy, (2) the app has perfect privacy, or (3) the app has both perfect accuracy and perfect privacy. In the experimental branch, respondents were randomly assigned to one of three contexts: (1) the app has false negatives (“this app occasionally fails to notify you...”), (2) the app has false positives (“this app occasionally notifies you...when you actually have not been exposed”), and (3) the app might leak private information. For this final context, we asked about information leakage to four entities, drawn from prior work [39]: “non-profit institutions verified by the government”, “technology companies”, “the US government”, and “your employer.” In both branches, respondents were asked “Would you install this app?” to which they could respond “Yes”, “No”, or, in the experimental branch only:“It depends on the [risk, chance of information being revealed, etc.]”. See Table 1 for a more detailed description of this questionnaire.

Validation. The questionnaire was validated through expert reviews with multiple researchers. Additionally, we included three attention-check questions—one general attention check and two scenario-specific attention checks—to ensure respondents understood the decision scenario.

Sample. We contracted with the survey research firm Cint to administer the survey to 789 Americans in May 2020; we quota sampled on age, gender, income and race to ensure the sample was representative of US population demographics.

Analysis. We answer RQ1 using \( X^2 \) proportion tests corrected for multiple testing errors using Bonferroni-Holm correction where appropriate, to compare responses to our different sets of questions. We answer RQ2 by constructing two mixed-effects binomial logistic regression models. Our dependent variable (DV) is willingness to install the app, with “Yes” and “It depends on the risk” as a positive outcome and “No” as a negative outcome. We model responses to the accuracy and privacy questions separately, controlling for data type and entity in the privacy model, and both data and accuracy type in the accuracy model. We include as additional variables the respondents’ age, gender, race, internet skill (as measured using the Web Use Skill Index [38]), level of educational attainment, party affiliation, and if the respondent knows someone who died due to complications from COVID-19. We include a mixed-effects term to account for our repeated measures design.

3.3 Second Survey (RQ3)

We use the data from this survey to predict people’s intent to install COVID-19 apps based on the amount of public health (infection rate reduction) and individual health (notification of at-risk status – e.g., accuracy) benefit, or privacy risk, of a hypothetical COVID-19 tracking app (RQ3).

Questionnaire. All questions were asked in the context of an architecture-agnostic Bluetooth proximity-based contact-tracing app, as the type of information compromised (location vs. contacted individuals), as well as the entity that could compromise the information (Employer, Government, etc.) had relatively little effect on willingness to install in our first survey (see Section 4.1).

Participants in this survey were randomly assigned to one of four branches: public benefit, false negative, false positive, or explicit privacy. As the degree of privacy risk for contact-tracing apps is not yet quantified, we drew estimates of privacy risk from respondents own perceptions. To this end, respondents in the first three branches were first asked to estimate the risk that information collected by this contact tracing app would be leaked (implicit privacy assessment), using a modified version of the Paling Perspective scale [60] (see Table 2), which has been validated for use in eliciting digital security [42] as well as health risk perceptions. Then, each respondent was given a context about the benefit (or privacy risk) of the contact tracing app. Each context provides a baseline of the benefit, or privacy risk, for individuals who do not install the app (see Table 2 for per-branch baselines). All survey respondents were then asked “Would you install this app?,” with answer options “Yes” and “No”.

In the public benefit branch, respondents were given the context that individuals with the app installed were infected X% less often (see Table 2 for values of X) than those who did not have the app installed. For both the false positive and false negative branches, respondents were told that individuals without the app would be notified of a COVID-19 exposure 1 in 100 times. Respondents in the false negative branch were told that the app has a false negative rate of X%; respondents in the false positive branch were told that the app had a false negative rate of \( 0\% \), but a false positive rate of X%. Finally, respondents in the explicit privacy branch were told explicitly of the privacy risk of the app: X in 1,000 people who use this app will have their information compromised. They were then asked the same question as the false negative branch. See Table 2 for an overview.

Although we have used percentages above for brevity, no information in this survey was expressed in terms of percentages, following best practices from prior work on how to measure the acceptability of different levels of machine-learning system accuracy [47] and prior work in health risk communication and numeracy showing that people reason more accurately with frequency formats than with percentages [29, 30, 48, 72]. Similarly, we avoided technical terms like “false negative” and “false positive,” instead describing the practical ramifications of the situations. See Table 2 for questionnaire wording.

Validation. The questionnaire and respondent answers were validated in the same way as Survey 1.

Sample. We surveyed 3,826 Amazon Mechanical Turk workers located in the United States. These workers were split into different survey branches (see above) so all results sections note the number of responses analyzed. There are always concerns about the generalizability of crowdsourced results [41, 59, 70]. Recent work has shown that Amazon Mechanical Turk results generalize well [59, 62], including in the security and privacy domain [70]. To further address generalizability concerns in our application area in particular, we also conducted Survey 1 on Amazon Mechanical Turk. We found only one significant difference,² with small effect size between the two samples. As the goal of our work is not to provide precise point estimates of phenomena in the entire U.S. population [7], given the the quantitative nature of the RQ3 survey, the sample size required, and the lack of difference in the most relevant questions (about accuracy and privacy vs. leaks to particular entities), and prior work on the validity of crowd-sourced results, we chose to proceed with using Amazon Mechanical Turk.

Analysis. We develop predictive models using the data obtained in this survey via binomial logistic regression analysis.³ For benefits and accuracy, we construct models with willingness to install as the dependent variable, the amount of benefit or error (e.g., chance of FN) as the independent variable, and the respondents’ perceived implicit privacy risk for the app as a control variable. To evaluate the impact of privacy on decision making we construct a binomial logistic regression model with willingness to install as the dependent variable and explicit privacy risk as the independent variable. To further evaluate the impact of privacy on decision making and to validate our measurement of the implicit privacy perceptions, we use \( X^2 \) proportion tests to compare the proportion of respondents willing to install given an FN rate in the implicit and explicit privacy conditions.

Model Validation. We did not have a strong prior knowledge as to how exactly the outcomes varied with the quantitative values for the benefit, error, or risk for the app. Thus, we considered models of varying complexity (polynomial degree) to account for the observed responses. 80% of the data were used to fit and select a best model based on the average RMSE estimates across 5-fold cross validation at each of 10 potential polynomial degrees; final performance is quoted on the remaining 20% test set. We use first-degree models, which offered the lowest RMSE.

Important Considerations for Interpreting Models of Human Behavior. Models of human behavior notoriously achieve relatively low accuracy compared to many models developed in computer science and related fields, with \( R^2 \) for “good” models of human behavior approximating 30–40% explanation of variance and prediction accuracy between 60 and 70% [31, 33, 49, 69, 90]. This lower accuracy is due to a number of factors including high levels of variance in human behavior, estimation of performance on single-period-in-time measurements—which under-count predictive power for repeated decisions such as app installation—and compounded behavioral and self-report biases (see Limitations for more detail on how we mitigate these biases) [1, 43].

3.4 Limitations

As with all surveys, the answers represented in these results are people’s self-reported intentions regarding how to behave. As shown in prior literature on security, these intentions are likely to align directionally with actual behavior, but are likely to over-estimate actual behavior [32, 71]. As described in the questionnaire validation sections above, we took multiple steps to minimize self-report biases. The goal of this work is to show how willingness to adopt may be influenced by privacy/accuracy considerations, and thus model results should not be interpreted as exact adoption estimates.

4.1 Both Accuracy & Privacy Influence Whether People Want to Install a COVID App

Flaws in both accuracy and privacy significantly⁴ relate to respondents reported willingness to adopt COVID-19 apps, as shown in Figure 1. When considering apps purported to be perfect, we find that respondents do not significantly differentiate between perfect privacy vs. perfect accuracy vs. perfect accuracy & privacy (\( X^2 \) prop. omnibus test, p = 0.178).

Fig. 1.

View Figure

We find that significantly (\( X^2 \) prop. test, \( p\!\lt \!0.001 \)) more people say their decision would depend on the amount of accuracy error than the amount of privacy risk (the yellow bars in Figure 1). We examine in more depth how the amount of accuracy error influences reported willingness to adopt below.

Respondents differentiate between types of accuracy error. When provided no information about the false positive rate, 8% fewer respondents reported being willing to install an app with false negatives compared to one with false positives or one with privacy leaks to any of the entities examined (\( X^2 \) prop. tests BH corrected, both with \( p\lt 0.01 \)).

Finally, focusing on privacy leaks, we find that respondents’ reported willingness to install did not significantly differ (\( X^2 \) prop. tests BH corrected, all with \( p\gt 0.05 \)) based on what data the app might leak to a particular entity, except for hypothetical leaks to the respondents’ employer. Only 23% of respondents were willing to install an app that might leak their locations to their employer while 31% were willing to install an app that might leak information about who they have been near (their proximity data) to their employer.

4.2 Some Americans Weigh Accuracy or Privacy Considerations More Highly than Others

In order to examine whether some Americans weigh accuracy or privacy considerations more highly than others, we construct two mixed-effects logistic regression models as described in Section 3.2. We evaluate model fit by building our model with an 80:20 train test split,⁵ however we note that these models are intended to provide descriptive insight into how respondents’ weigh accuracy and privacy considerations and should be interpreted as such. In the remainder of this section we report descriptively on a model built on the full data set.

First, considering respondents’ willingness to install apps with accuracy errors (Table 3 (left)), we validate that even when controlling for demographic variance, respondents were more comfortable with false positives (spurious exposure notifications) than false negatives (missed notifications after an exposure). Additionally, emphasizing the relevance of ego-centricity [27] in people’s considerations of data-driven decision aids, we find that those who know someone who died from COVID-19 were more likely to report being willing to install an app with accuracy errors than those who do not know someone who died.

Second, considering privacy risk (Table 3 (right)), we find that respondents were more comfortable installing an app with potential privacy leaks to a nonprofit organization verified by the government than an app with potential leaks to any other entity (their employer, a technology company, or the U.S. government). In this controlled model we find that the type of data leaked (proximity vs. location data) did not significantly affect reported willingness to install (see the previous section for a more detailed examination of this point).

Women and respondents who are younger are less likely to report that they would install an app with privacy errors. The gender finding aligns with past work showing that women may be more privacy sensitive than men [44, 67]. Further, Democrats are more likely than Republicans to report intent to install an app with privacy risks, potentially reflecting the increasingly politicized nature of privacy [91] and the COVID-19 pandemic itself at the time of the survey.

Finally, those who have higher internet skills are more willing to install an app that has either errors in accuracy or privacy leaks. This is in line with findings from prior work showing that those with higher skills are more willing to install COVID-19 apps in general [39], perhaps due to greater confidence in their ability to install and use these apps [19, 40].

4.3 Amount of Public Health and Individual Benefit Influence Willingness to Install

In the findings above, we validate that the individual considerations of accuracy and privacy both impact reported willingness to install. Further, we find that amount of accuracy error is especially important to people’s decision making about whether or not to use a data-driven decision aid: at least 30% of our respondents reported their installation decision depended on the amount of error.

Thus, in our second survey we examine whether we can predict how a quantified amount of public health (i.e., infection rate reduction) or individual benefit (i.e., FN and FP rates) impact intended adoption rates. Figure 2 provides an overview of these findings. To examine the relationship between amount of benefit and willingness to install beyond visual inspection, we construct logistic regression models as described in Section 3.3.

Fig. 2.

View Figure

With respect to public health benefit, on 20% test data, we can predict reported willingness to install the app with 63.6% accuracy (null model accuracy: 54.0%, threshold = 0.5).⁶ We find that, for every 1% reduction to infection rate offered by the app, respondents are 4% more likely to report that they would install (O.R. 95% CI: [0.95, 0.98], \( p\lt 0.001 \)).

With respect to accuracy, we can predict reported willingness to install a COVID-19 app based on the false negative rate with 70.0% accuracy (null model accuracy: 52.0%, threshold = 0.5) and based on false positive rate with 62.5% accuracy (null model accuracy: 41.0%, threshold = 0.5). For every 1% increase (O.R. 95% CI: [1.01, 1.02], \( p\lt 0.001 \)) in app sensitivity, respondents are 1% more likely to report that they would install. For every 1% decrease (O.R. 95% CI: [0.98,0.99], \( p\lt 0.001 \)) in false positive rate, respondents are 1% more likely to report that they would install.

4.4 Amount of Privacy Risk Also Influences Willingness to Install

Next, we model willingness to install based on explicit privacy risk. We can predict willingness to install based on privacy risk with 65.5% accuracy (null model accuracy: 34.5%, threshold = 0.5). For privacy risk (recall that magnitude of privacy risk is far smaller than benefit rates or accuracy errors), we observe that a 52% decrease in privacy risk results in a 1% increase in intent to install (O.R. 95% CI: [0.3, 0.74], \( p\lt 0.01 \)).

Further, we confirm the relevance of privacy risk, implicit or explicit, in respondent decision making – and validate the equivalency of explicitly stated privacy risk and our measurements of respondents’ implicit privacy perceptions – by comparing the proportion of respondents who were willing to install a COVID-19 app given an explicit statement of privacy risk (privacy risks were drawn from the portion of the implicit risk distribution reported by the majority of respondents) vs. their own implicit perception. We find no significant difference between the proportion of respondents who intend to install an app with a given false negative rate when relying on their own implicit privacy assumptions vs. an explicit statement of the risk of privacy leak.

Finally, further confirming the relevance of benefits, accuracy, and privacy, modeling respondents’ response to benefit/error rates (e.g., infection rates, FN rate, FP rate)—including implicit privacy risk as a control in the regression—significantly improves model fit in all three models (likelihood ratio tests [65], \( p\lt 0.05 \) for all models).

5.1 Implications Beyond COVID-19 Apps

While our results offer insight into data-driven decision aids in the context of a global pandemic, more broadly, they speak to the importance of both accuracy and privacy in modeling data-driven decision aid adoption. Although the goal is always to create perfect decision aids, inaccuracy is inherent. Moreover, because of the data-hungry nature of many machine-learning based decision aids, it is doubtful that invasive data collection will disappear in the near future. As such, our work suggests that decision aid designers should address these factors explicitly and consider them closely when deploying their systems. Critically, developers must remember that justifying low accuracy or high risk of privacy breaches with high utility and social good is unlikely to be a successful strategy for earning user trust. Especially for data-driven decision aids that need widespread adoption in order to be useful, ensuring that the system maintains appropriate accuracy thresholds and addresses privacy risk before deployment is critical to achieving and maintaining adoption rates.