1 INTRODUCTION

Older adults are increasingly adopting digital technologies and engaging in online activities, which introduce privacy and security threats. Prior research has positioned older adults as a vulnerable group, susceptible to privacy violations that disproportionately affect their safety and well-being. For example, older adults with declining health conditions may need health monitoring technologies for independent living while accepting continuous surveillance. Older adults with limited digital skills may resist tech use, limiting learning opportunities for privacy management and self-protection. Caregivers and family members, despite good intentions, may engage in paternalistic “care surveillance” that impacts older adults’ agency.

People’s privacy behavior is known to be context-dependent, with “context” referring to “various spheres of life [...] or conventional routines” according to the theory of contextual integrity. Despite growing privacy research on older adults, most prior studies have explored the topic broadly without making comparisons across different contexts. Some studies have delved into a specific context such as social media or healthcare. To address this gap, we employed a cross-contextual approach to assess the extent to which older adults’ privacy concerns and behaviors are influenced by context. Specifically, we conducted a qualitative study with 43 older adults (aged 65 to 89) in the United States to explore their privacy concerns, behaviors, and vulnerabilities across five interview scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime.

Our findings show that across all five scenarios, participants expressed concerns about falling victim to cybercrime (such as scams and fraudulent charges) consistently and often unprompted; they perceived themselves as more vulnerable to cybercrime than younger counterparts, a distinction that was rarely noted in other scenarios. In contrast, participants were rarely concerned about their health information within the healthcare scenario, prioritizing quality of care and health insurance over privacy. While prior work has characterized older adults’ threat models along Solove’s four dimensions of privacy harm (data collection, processing, dissemination, and invasion), our participants’ concerns and protective behaviors across all scenarios primarily centered on data collection. Unlike prior work that highlighted older adults’ reliance on passive mitigation strategies, our participants employed various active strategies (e.g., configuring privacy/authentication settings and selectively disclosing sensitive information) while trusting service providers to protect and uphold their privacy

A key implication of our findings is that we need to expand the current discourse around privacy vulnerability. Our findings challenge the notion of older adults as a whole being a vulnerable group. Our participants believed that older and younger adults were equally at risk for most scenarios (except for cybercrime), and our analysis showed the actual vulnerability varied greatly among individuals—those with lower tech usage, digital literacy, and income experienced more concrete privacy harms. Some techsavvy participants acted as guardians of their communities for privacy protection, contradicting prior deficit-based narratives in characterizing older adults. Our research provides empirical support for Anaraky and Knijnenburg’s position paper that attributing privacy vulnerability solely to old age is an oversimplification. We conclude with recommendations for designing privacy-protective interventions, technologies, and education that attend to the more positive aspects of the aging experience.

2 RELATED WORK

2.1 Privacy Vulnerability and Aging

Vulnerability is a key concept in HCI and human-centered privacy research, highlighting how technical systems can perpetuate sociopolitical and historical injustices. However, the term has faced criticism for being disempowering and promoting stigmatization, especially in accessibility research. In privacy research, older adults have been labeled as a vulnerable group. The labeling is sometimes reinforced by deficit-based narratives in prior studies: older adults are “more susceptible to fraud”, “express lower concerns about information privacy”, or are “particularly vulnerable to certain risks and experience difficulties in mitigating them” compared to younger adults or the general population. However, some scholars advocate for moving beyond age-related limitations and instead focusing on the wisdom and unique perspectives of older adults; other scholars suggest the importance of disentangling age from other factors that may influence one’s vulnerability.

One of these factors is health, as aging can lead to changes to one’s sensory, physical and cognitive functioning. Older adults with (mild) cognitive impairments may struggle to recognize scams or fully consider the implications of sharing personal information. Chronic disabling conditions may necessitate the use of health monitoring technologies to remain physically independent, and the adoption of such technologies introduces concerns about privacy and ethics. Declining health conditions can amplify one’s dependence on others such as family members, neighbors, and professional caregivers to oversee their privacy and tech use, leading to “care surveillance”. In fact, fraud by a family member is a common form of elder financial abuse. Even when caregivers initiate monitoring with good intentions, heavy-handed stewardship can limit older adults’ agency and hinder their learning of digital threats and respective self-protection skills.

Digital literacy is another critical factor that should be separated from age. While younger and older adults may differ in their technology use, older adults are adopting new technologies and engaging in various online activities, making it important to examine their privacy behaviors across contexts. However, non-adoption of technology among older adults may occur due to cost considerations, inappropriate design, limited self-efficacy, low interest, and fears driven by ageist stereotypes. Low levels of tech usage and digital literacy can subsequently limit one’s privacy self-protection. Our findings contribute to a growing body of research emphasizing the heterogeneity in older adults’ tech use and how tech-savvy older adults often act as influencers and guardians of their peers.

2.2 Older Adults’ Concerns and Behaviors

We organize our literature review in line with the five scenarios explored in our interviews; below we note how our findings add to the existing literature for each scenario. We also examine prior research on age-based differences in privacy concerns and behaviors, as it relates to our findings around privacy vulnerability.

Account and device sharing. Sharing digital accounts and devices is a well-documented practice, observed among romantic partners and in workplace settings. Several studies highlight that older adults—especially those less tech-savvy, with physical or cognitive impairments, or living in collectivist cultures—often give household members or professional caregivers access to their personal accounts and devices, and this practice could introduce tensions around privacy and autonomy.

Older adults may also share account/device access as a way of preparing for their digital legacy to be passed on to family members and friends after their passing. This practice of preparing digital data for death, however, has mostly been explored among younger populations. We studied account and device sharing by older adults considering they will need to face the prospect of death but may experience anxiety and uncertainty in planning. We also included questions about public and second-hand devices to compare with Frik et al.’s study, in which older adult participants exhibited limited risk awareness and concerns in these cases.

Healthcare. Prior research has shown that older adults often find health monitoring technologies intrusive and constraining, but tend to accept these technologies as an inevitable trade-off for safety, care, and aging in place. Older adults generally express comfort with their health data being shared with doctors, caregivers, and family members but not with unknown parties, and they prefer data collection and sharing to occur only when necessary, such as in emergency situations.

We conducted our interviews during the COVID-19 pandemic. Beyond the direct health risks posed by COVID-19, the fear, stress, and loneliness from social isolation during the pandemic further affected older adults’ health and well-being. Our study provides updated insights into older adults’ privacy concerns and behaviors related to healthcare, shaped by the COVID-19 pandemic. We also examined older adults’ privacy considerations when using patient portals, a topic that has been studied but rarely with a specific focus on privacy.

Online advertising. Online advertising often targets individuals based on their online activities, personal information, and inferred interests. Due to the complex and opaque nature of ad tracking practices, most consumers have limited knowledge regarding the extent to which advertisers can access their personal data. Consumers may also hold misconceptions such as conflating online tracking with malware. While some people find targeted ads useful and relevant, others find them intrusive and discomforting. Recent work has also investigated user perceptions of problematic, untrustworthy, or distasteful ads.

Notably, most studies in this area have centered on general adult or younger populations. Limited prior work involving older adults has indicated that they exhibit higher engagement with certain types of advertising such as social video ads while being skeptical about social media-based advertising, and older adults are especially likely to be shown problematic advertising (such as scams or clickbait) on Facebook. We addressed this gap by exploring privacy issues of online advertising with older adults in depth, particularly with regard to their mental models and attitudes toward age-based advertising.

Social networking. Social media use among U.S. older adults continues to grow, but older adults still have lower usage than younger groups. Privacy concerns can deter older adults from using social media, particularly when these concerns outweigh potential social benefits. Some studies have found differences between older and younger adults: older adults are more concerned about who can access their information, while younger generations, especially teens, are more concerned about context collapse or self-representation.

Zoom and other videoconferencing tools also gained popularity during the COVID-19 pandemic for maintaining social contact. Prior work on younger users’ privacy attitudes toward remote communications has found that users lack autonomy in choosing conferencing tools and microphone/webcam use. We examined older adults’ privacy considerations towards videoconferencing tools and compared them to pre-pandemic findings on other social networking sites like Facebook, given the pandemic’s impact on people’s social behaviors.

Cybercrime. Bossler and Berenblum define cybercrime as “computer assisted crime” across four categories: cyber-trespass (e.g., unauthorized system access), cyber-theft (e.g., identity theft and online fraud), cyber-obscenity (e.g., child pornography), and cyberviolence (e.g., cyberstalking); they also note a lack of standardized legal definitions in this field. Mainstream media often depict older adults as vulnerable to cybercrime, especially cyber-theft. However, findings from academic literature are mixed. Simons et al. find that older adults are disproportionately victimized by certain types of fraud, such as tech-support scams and impersonation. Ross et al. argue that there is no compelling evidence of higher consumer fraud rates among older adults. Several studies suggest that susceptibility to scams or phishing attacks can be influenced by other factors such as income and gender.

Studies with older adults highlight that media portrayals heighten their anxiety about spam emails and scam calls. Being defrauded impacts older adults’ health and well-being irrespective of financial loss, as victims experience derision and censure. In Frik et al.’s study, older adult participants held diverse views on their own vulnerabilities: some believed they were easy targets due to low technical literacy and lack of support, whereas others doubted that their information was valuable enough to be exploited. Unlike the prior subsections, cybercrime is primarily associated with risks and harms, whereas other contexts like healthcare also offer tangible benefits. We decided to include cybercrime as an interview scenario given its relevance to older adults and the ageist stereotypes around cybercrime, and we were particularly interested in uncovering more nuanced factors that contribute to older adults’ self-perceived as well as actual vulnerability to cybercrime.

Age-based differences. Several studies have examined the privacy concerns and behaviors of older adults in North America: older adults’ concerns centered on security issues (e.g., scams and identity theft) and institutional threats (e.g., data sold to third parties) rather than interpersonal privacy; passive strategies (like limiting/avoiding technology use) were commonly employed, while active mitigation strategies were rarer and triggered only in response to privacy violations. Older adults’ privacy concerns and behaviors are also culturally dependent: studies in countries with collectivist cultures such as India and China have highlighted older adults’ privacy management as a collective practice, with household members overseeing older adults to ensure their safety.

While some prior research has characterized older adults as being generally vulnerable to privacy risks and violations, empirical findings on differences between older and younger adults are mixed. Some studies indicate that older adults are less likely to react to privacy risks and adopt fewer protective behaviors on social media. Other research suggests that older adults are not necessarily worse at protecting themselves; rather, they have distinct concerns and priorities. For example, older adults often perceive higher risks in online banking and e-commerce and are more likely to base privacy decisions on a privacy calculus. Some studies have found no significant age differences in online privacy sensitivity and attention to privacy policies. These inconsistent findings may be due to different studies examining different contexts and using constructs with different granularity (e.g., general attitudes vs. specific concerns).

3 METHODS

To qualitatively explore the privacy experiences of older adults within and across various contexts, we conducted semi-structured interviews with 43 individuals (≥65 years) in the United States. The interviews took place between August and October 2021 and were conducted using a combination of video calls and in-person meetings based on participants’ preferences. Our study materials (including the screening survey, interview protocol, and codebook) are available online for reference.1

3.1 Interview Protocol

Our interview protocol consisted of two main parts:

Part 1: We began by asking participants to describe their technology ownership and use. We then indirectly elicited participants’ privacy-related concerns by asking whether they had issues with any technologies they used. If privacy concerns were not brought up, we probed further about what information they wanted to protect and who they perceived as potential threats. We designed the sequence in this way (reserving potentially priming privacy-related questions toward the end and only asking them if the participant had not raised these topics) to mitigate potential researcher bias and social desirability bias, following the practices in other work that also touched on sensitive and charged topics.

Part 2: We delved into participants’ privacy perceptions and strategies in five scenarios. Scenarios are commonly used in HCI research to explore values and attitudes toward technology. Our scenario selection was informed by our literature review in Section 2.2. All five scenarios are highly relevant to the daily lives of older adults, although findings specific to older adults and/or privacy varied. Specifically, prior work on account/device sharing and online advertising has predominantly focused on younger populations. Healthcare and social networking have more research specific to older adults, but most of it was conducted before the COVID-19 pandemic, which has impacted how people socialize and manage health issues. Cybercrime is often laden with ageist stereotypes (assuming older adults are always more vulnerable), and we wanted to compare these stereotypes with the actual experiences and perceptions of older adults.

The interview procedure for all scenarios followed a similar structure: first broad questions about mental models and personal experiences, then questions about more specific concerns and protective strategies (if applicable). To assess participants’ perceptions of age-related vulnerability, we asked “How do you feel about your possibility of experiencing X (a negative incident) compared to those older/younger?” with X tailored to each scenario. To ensure we did not impose preconceptions, we mirrored participants’ language in follow-up questions and confirmed our understanding of their responses with them. We randomized the scenario order for each participant to mitigate order effects and potential fatigue toward scenarios discussed later. We concluded the interview by soliciting suggestions from participants on how to support older adults in privacy self-protection.

3.2 Participant Recruitment and Demographics

Our target demographic consisted of individuals aged 65 or older residing in the United States, following the CDC’s definition of older adults. We used various channels to broaden our recruitment: three local senior centers, a participant pool for clinical & health research at University of Michigan, another participant pool hosted by the Healthier Black Elders Center at Wayne State University, and snowball sampling. The majority of our participants came from the university-hosted pools and senior centers; only three participants joined the study through snowball sampling.

We asked interested individuals to complete a screening survey, which was accessible in several formats (online, phone, and paper). We used the screening survey to verify the age criterion and to recruit a diverse sample across age, race, gender, and socioeconomic status. We did, however, exclude individuals with serious cognitive impairments since engaging with this population requires specific protocols that we were not able to implement. We also excluded non-English speakers due to limitations in our research team’s language capabilities.

We pre-tested our interview protocol with three pilot participants. Based on the pilot data, we made minor adjustments to the interview protocol and settled on an interview duration of 60-90 minutes to ensure comprehensive coverage of all scenarios without causing participant fatigue. For the main data collection, the first author conducted interviews with 43 participants. Most interviews were one-on-one; two sessions were done with couples who preferred to take the interview together. We kept interviewing participants until data saturation was reached. Interviews were conducted via phone, Zoom, or at one of the partnering senior centers depending on the participant’s choice. The interviews lasted 82 minutes on average. A few participants took breaks during the interview, but none withdrew from the study or expressed concerns regarding the interview length. Each participant received a $30 check as compensation. With all participants’ consent, interviews were recorded and later transcribed by a professional transcription service.

Table 1 in Appendix A provides details of participant demographics. Our 43 participants were 65-89 years old (mean: 72; median: 71) and approximately balanced in gender (19 men, 23 women, one no response). Participants exhibited diversity across income, race, and self-reported health conditions, but were more educated than the general U.S. population. The majority of participants lived in their own or rented homes and did not have caregivers. Seven participants used assistive devices such as wheelchairs, canes/walking sticks, and hearing aids.

For technology use, most participants were regular users of computers (41) and smartphones (34). More than half (26) also regularly used tablets. Multi-device usage was common: 24 used all three types of devices, and 15 used two. By comparison, smartphones were present in 84% of all U.S. households in 2018, followed by 78% for desktops/laptops and 63% for tablets, indicating that our participants’ tech adoption mirrored that of the general population. Smart device adoption was relatively low in our sample: 11 used smart TVs, and seven used smart speakers or voice assistants.

3.3 Data Analysis

After transcribing and double-checking all interview transcripts, the first author went through all transcripts to create an initial codebook using a combination of deductive and inductive approaches: the codebook’s overall structure was informed by the interview protocol and prior literature; specific codes were mostly paraphrases of what participants said.

To ensure the reliability and consistency of the coding process, the first and second authors independently coded one transcript each, then convened to compare codes, address discrepancies, and modify the codebook; this iterative process was repeated for six transcripts until the two researchers agreed on code saturation. The two authors then used the ‘training’ feature in Dedoose, a qualitative data analysis tool, to calculate inter-rater reliability before independent coding. The first author coded an additional 14 transcripts to ensure a reasonable coverage of each code. The second author then coded the same set of excerpts coded by the first author. The two researchers achieved Cohen’s 𝜅 = 0.74 across all codes, indicating good inter-rater reliability. The two researchers then split the remaining 21 transcripts and coded them independently, and the first author applied the final codebook to the initial six transcripts for consistency. Other co-authors were involved in discussions about the codebook and preliminary findings through regular meetings.

Our final codebook consisted of 296 codes across six categories: one about general privacy concerns and behaviors and five for the respective scenarios. The codes in each category were grouped into consistent sub-categories to facilitate cross-scenario comparisons: general attitudes, specific concerns, challenges in addressing concerns, protective behaviors, and age-based differences.

As our study was qualitative, we focused on describing specific themes rather than making quantitative claims about themes. Following practices in other qualitative work, we adopted the following terminology to provide a qualitative estimation of the frequency of themes: a few (0-20%), some (20-40%), about half (40-60%), many (60-80%), and almost all (80-100%).

3.4 Ethics

Our study was reviewed and determined exempt from oversight by the University of Michigan’s Institutional Review Board. Following a community-based participatory approach, we engaged our participants and community partners throughout the research process for a mutually beneficial experience. For example, we asked staff at the senior centers to provide feedback on our draft interview protocol to ensure the questions were appropriate. We followed trauma-informed practices in conducting the interviews, such as being an active and empathetic listener when participants shared their stories, and clearly communicating options of skipping a question or stopping the participation. As a way to give back to the community, we used our research insights to develop a workshop series on online self-defense and ran the workshops with our partnering senior centers. Thirteen of our interview participants attended the workshops; all spoke positively about the experience and the workshop topics’ relevance to their concerns.

3.5 Limitations

While our qualitative approach allowed deep insights into participants’ lived experiences, it has limitations. Some limitations pertain to the qualitative method and sampling practices. For example, we cannot claim that our sample is representative of all American older adults; our primary aim was not to achieve representativeness but rather to capture diverse perspectives. Our participants were diverse regarding income and race, but they were geographically concentrated and more educated than the broader U.S. population. The sample characteristics may have resulted from our localized recruitment—we opted for this approach to build trust with our participants, reach individuals who might not be accessible through online recruitment, and expand the reach of our workshops. Because our study was conducted in the U.S., some of our findings might be specific to the country or region. One should be careful in generalizing these findings beyond the U.S., and our study opens opportunities for future replication studies in other countries with different cultural values and consumer protection frameworks.

Another limitation of our study relates to the interview scenarios, as cybercrime is more focused on risks and harm compared to other scenarios. Nonetheless, we decided to include cybercrime due to its high relevance to older adults’ existing concerns and ageist stereotypes around this topic. While it is possible that discussions about cybercrime might have primed participants to bring up this topic in other scenarios, this was partially mitigated by randomizing the scenario order for each participant. We also observed that participants who received the cybercrime scenario late in their interviews often still spontaneously discussed it in earlier scenarios.

4 FINDINGS

We first discuss participants’ threat models and privacy concerns in general (Section 4.1), followed by participants’ concerns and behaviors for specific scenarios (Sections 4.2–4.5). We end by comparing findings across the five scenarios (Section 4.7).

4.1 General Threat Models

4.1.1 Heightened concerns about financial information. As the concept of “privacy” can be broad and abstract, we asked participants instead about the specific types of information they would like to protect. Financial information, such as bank account and credit card numbers, was mentioned by about half of the participants. Some also highlighted social security numbers, a unique personal identifier used in the United States. P34 discussed negative incidents that can result in financial loss as their top concerns:

I may not have any money. I may have an outstanding debt . . .My major concern is my identity being taken, and as a result of my identity being taken, my financial security has been compromised or has been taken away from me.

However, privacy harms encompass more than just financial losses when accounting for harms to reputation, psychological well-being, autonomy, discrimination, and more. These harms were less recognized by participants, as P3 said, “Financial information is probably the most relevant thing. The rest of my life is pretty much an open book . . . Somebody sees that I go on a porn site. That’s me.” P18 raised the point that leaked passwords could lead to the compromise of financial accounts: “One of the big things that I worry about is somebody getting a hold of my passwords and user ID that would get them into info on my banking and other financial institutions.” P15 mentioned health information but indicated that it was secondary to financial information in terms of privacy concerns: “I don’t worry about the portal so much . . .I’ve already got my Medicare, and so far I can’t be refused for having [my] problems . . .It’s mostly financial.”

4.1.2 Cybercriminals as the major threat actor. In line with concerns about financial information, about half of our participants identified cybercriminals as the primary threat to their personal information. The specific terms they used included “hackers,” “scammers,” “spammers,” “people trying to steal things,” and “people operating from the dark web.” Some participants shared personal encounters with scams and fraudulent charges. P1 recounted stories they had come across in the news:

There are lonely seniors. You’ll hear some news about a guy . . . gets hacked . . .A somewhat younger pretty lady will connect with him, and be able to access his finances . . . So, my concern is mainly [about] if they hack and get my personal information because hackers are those intelligent criminals.

A few participants identified tech companies as another threat actor, particularly Google/Alphabet and Meta. P13 discussed the extensive data collection and aggregation practices employed by these companies: “Google captures . . . anytime you do any online shopping. That information is captured and shared between organizations. In aggregate, they can build up a pretty detailed profile view of what your interests are.” P12 expressed varying levels of trust in different companies, indicating that not all tech companies are perceived as equal threats:

Microsoft, I’m not as worried about information being shared by them . . . not so much privacy. I would say anything involving the Alphabet as an organization . . .I have too many firsthand experiences that I’ve been uncomfortable with. Information is shared from one site to another without express consent. And I can’t seem to find any features that I could turn on that prevent it . . .It’s something personally I can’t trust

Interestingly, no participant mentioned the government as a threat actor. In fact, a few indicated that they were not concerned about government surveillance due to their belief that they had nothing to hide—a prevalent yet flawed argument about privacy —such as P1: “I’m not a member of any political party or secret organization . . .I have no fear of the police, FBI, or any governmental agent.” This lack of concern about government stands in contrast to heightened concerns about government surveillance among other high-risk populations such as undocumented immigrants, migrant domestic workers, and Muslim-American women, likely because our participants’ identities and backgrounds did not intersect much with these populations. Similarly, no participant identified their family members or caregivers as threat actors, despite them being a major threat vector for elder fraud.

4.1.3 Learning from community and commercial resources. Prior work involving U.K. older adults has identified social, community, and commercial resources, as well as broadcast and digital media, as major cybersecurity information resources. Our participants mentioned all five as sources for learning about privacy self-defense, with community resources, commercial resources, and the media being more popular. Starting with community resources as a source of support, P22 highlighted senior center classes: “The senior center had contacts with the lawyer, and he’d come in and just discuss [the credit freeze] . . .People would ask whatever question they had.” P41 identified the American Association of Retired Persons (AARP): “They have print materials . . . Zoom classes . . .If you’re a member, every month they’ll send you a newsletter.”

Another source of support was commercial resources, including customer support services such as AppleCare and professional tech support. For instance, P28 subscribed to Geek Squad and highlighted the benefits of their periodic checkups: “Once or twice a year, [we] have what they call a checkup where they just delete duplicate files . . .make sure you’ve updated all your programs, and you’ve installed everything you need.” While experts no longer recommend thirdparty antivirus software, some participants continued to use such software. P9 noted trust and brand loyalty as relevant factors: “I’ve used Norton for so long . . .I have trusted them with whenever it comes up for renewal. I don’t even question how they’ve been pricing.” The protections offered by third-party antivirus software may be excessive, but they did raise our participants’ awareness of basic risks and encouraged positive behaviors, as in P27’s case:

I have Malwarebytes, and I’m quite happy with that. I think they’ve done a fairly good job. . . . They have a newsletter every week, and it’s quite informative . . . They often tell you that there’s all this phishing going on, and to be very careful about opening some of these emails that look suspicious. And so I take them at that word, and I do just discard a lot of [emails] because they’re obviously not legitimate.

Prior work using deficit-based narratives has portrayed older adults as passive consumers of information who find it challenging or unnecessary to learn about cybersecurity or privacy. Our findings present a more nuanced perspective, as some participants acted as educators and influencers within their communities. P32 acknowledged the respective challenges in doing this:

She will want me to order something through my account. . . . She got mad at me the other day because I said I’m not doing it . . .I have done it a few times for her. But I want her to [learn]. She doesn’t want to be tech-savvy. I’m not tech-savvy, but I know . . . the only way to learn stuff is you might make a mistake.

P19 and P38 helped run computer classes at their senior centers. P38 identified recurring challenges among their peers, including password management and using “BCC” when sending mass emails. P19 was concerned about the potential exclusion of less tech-savvy peers from educational programs:

I’m super literate with computers . . . There are a few people like me, but not many. And as they get older, they have a harder time using the technology that’s available, but they need that technology even more . . . You’re missing a whole segment of the bell curve. Those are people who simply don’t come [to the classes]. They have home phones and they don’t use cell phone technology, and they don’t get emails.

4.2 Account and Device Sharing

4.2.1 Sharing digital assets in preparation for death or accidents. Half of our participants mentioned sharing passwords, mostly with family members and occasionally with close friends. Prior research has identified convenience and trust building as key drivers for password sharing among younger adults, and our participants gave similar reasons. For example, P13 shared streaming service credentials with their son; P33 shared “everything” with their partner after decades of marriage.

However, most participants’ primary motivation for sharing was preparation for unforeseen circumstances such as death or emergencies. For example, P18 shared, “My mom and my sister have my social security number and my passwords . . .I trust [them] implicitly, and I feel better too because you’ll never know.” For similar reasons, some participants also shared access to their financial accounts with family members and occasionally with a financial advisor or attorney. P8 made efforts to facilitate transparent communication between multiple parties:

I take care of all my own finances. My lawyer knows where all my accounts are. And . . .my adopted son is my advocate, and he’s also my executor. So he knows . . . But he also knows where my lawyer is. And my lawyer knows where he is if something should happen.

When we asked about post-death preparation for digital assets, some participants had already made plans. Others like P7, however, only recognized the importance of this consideration in response to our probing:

If I were in a car accident and died, nobody would be able to get into my accounts, which will be bad. It would be weeks of sending mail and death certificates and wedding documents to prove that my wife is my heir and beneficiary. So I should do that. I’ll put that on my list of things sometime

4.2.2 Struggles with password management. During discussions on account sharing, participants often highlighted password management as a recurring challenge. In contrast to studies involving younger populations, our participants relied more on physical methods for password management: about half mentioned physically writing passwords down, and a few attempted to rely solely on their memory. No participant felt their current password management strategies were optimal; for instance, those who wrote passwords down would still have concerns over the “single point of failure” if their password notebook were to be stolen. While remembering all passwords is generally demanding, P30 emphasized age-related memory decline as a specific concern:

For important things like my banking, I want to keep going with the same one. I can’t . . . They want a different one than you’ve used in the last 10 years. I can’t remember 10 years’ worth. What I do worry about, actually, is as I get older it’s going to become harder and harder to do all that to keep track of it all.

Only a few participants, typically those with a technical background, mentioned using password managers in their browsers and operating systems. The adoption rate of password managers was much lower in comparison to studies involving younger adults. Echoing prior work, P20 shared that non-adoption was due to distrust in cloud services storing their passwords:

I do not use any of the password apps where they say you can put in all your passwords, and it’ll be secure, I just don’t trust it. In my opinion, all of these systems were created by a person, and there’s always a way . . . somebody else can figure out how to get into it.

4.2.3 Risk Awareness of Public and Second-Hand Devices. A particular case of device sharing is public devices and Wi-Fi networks, which carry the risks of data leakage and Wi-Fi spoofing. This use case holds particular relevance for older adults given their lower ownership of personal computers or smartphones while having communal places like senior centers that enable device sharing. Many participants reported using public computers and Wi-Fi networks in libraries, hotels, and shops.

In contrast to the findings in Frik et al.’s study, in which few participants expressed concerns about public devices and Wi-Fi networks, our participants (even with similar demographics) exhibited a heightened awareness of these risks. Although they could not always pinpoint specific negative events, they could recognize situations with increased risk. For example, P23 commented, “I think it’s easier to compromise my information [when using public devices]. I think people can get into them more easily.” About half of our participants mentioned that they consciously avoided sensitive activities such as banking when using public devices or Wi-Fi networks. P19 compared banking with other types of online activities regarding their sensitivity:

If somebody wants to hack into my gaming group and screw with my pictures . . . that’s not going to kill me. So I don’t really particularly care about that as much, but I stay away from banks and things that are high security. When we’re traveling, oftentimes I’m looking up what attractions are there? What time does the museum open? . . . things that are not security-driven.

A few participants also cleared their browsing history on exit when using a public computer. P32 shared how they developed this habit after someone compromised their social media account when it remained signed in:

Some years ago I did not sign out on Facebook [at libraries]. And so whoever came [next], they put a whole bunch of crazy stuff up there. And so my son called me up, ‘Ma, was it really [you]?’ ‘Where were you at?’ I said, ‘I was at the library.’ . . . So he deleted [my post] . . .Now I make sure I sign out if I’m on a public device.

The exchange of second-hand devices can also lead to data leaks. Some participants like P6 worried about unwiped data: “When you get second-hand phones, they’re contaminated . . .It’s not good to buy used phones unless they’ve been cleaned or wiped.” Additionally, participants felt a lack of confidence in securely decommissioning their old devices, particularly when selling or donating to strangers, and desired more guidance. As P16 said, “I have two laptops . . .just ready to go to the recycling, but I have to get the stuff off of them . . .I probably will pay to have somebody do it because I don’t know what I’m doing.”

4.3 Healthcare

Our findings within the healthcare context mostly centered on patient portals and smartwatches, as they were adopted by almost all and some participants, respectively. A few participants also mentioned using health-tracking apps, step counters, and blood pressure monitors.

4.3.1 Trust in healthcare providers and smartwatch manufacturers. While a few participants expressed privacy concerns about their health information (see Section 4.1), about half of our participants shared that they trusted service providers (e.g., hospitals and smartwatch manufacturers) to securely handle their health information. This trust contrasts with the healthcare industry being one of the most common victims of data breaches and instances of data exchange between healthcare providers and social media companies for commercial purposes. Participants’ trust in confidential information exchange with healthcare providers could be a result of social norms and existing laws, notably the Health Insurance Portability and Accountability Act (HIPAA), as P25 said: “Any doctor that I’m dealing with can go to my portal and look up what other doctors have done or said . . .It’s already in there. I don’t feel that that’s being shared inappropriately.”

Interestingly, P25 extended the same level of trust to smartwatch manufacturers, despite these entities being subject to different regulatory frameworks, and wearable devices having limited protection under HIPAA: “My Fitbit . . .it’s like a watch . . . as far as I know, there are no data to take. It’s just something I’m looking at . . . for my information only.” P12 explained that their trust in smartwatch manufacturers came from their own positive experiences and social influence:

You know that the Apple Health app . . .I have not personally heard of any episode where that recorded information was used [in]appropriately . . .I encountered a person in a focus group . . .where they were trying out the Apple Watch and recording various aspects of it. That person felt comfortable . . . and that was significant for me. I am not looking and would not be comfortable with any other entity

4.3.2 Concerns about breaches and health-based discrimination. Although participants generally expressed trust in health devices and portals, some voiced concerns about the potential compromise of their health information in data breaches when prompted, as P41 said: “You kind of hear all the time where these health organizations are hacked . . . That’s a big concern, and that’s real.” P9 also noted concerns about health information being used for identity theft:“Somebody can get a hold of a copy of your driver’s license and your health care card and piece together enough to use it for some other purpose.” In addition, some participants expressed concerns about the potential use of their health information for advertising and insurance purposes. These concerns often overlapped with concerns regarding discrimination based on health or age, as P5 articulated:

It seems to me that the misuse of health information is not within the healthcare world . . .it’s in the application, the decision-making of lenders and hirers . . . that would look at a health condition and determine that it’s an additional risk . . . That’s the abuse of the healthcare information that I’m concerned about.

Nonetheless, only a few participants mentioned specific protective behaviors in response to their concerns. Examples include monitoring financial statements (following a healthcare breach notification) and removing prescription labels from medication bottles (to avoid medical identity theft). Overall, participants discussed much fewer privacy-protective behaviors (in terms of both diversity and frequency) in the healthcare scenario than in other scenarios.

4.4 Online advertising

4.4.1 Negative attitudes toward targeted advertising. Almost all participants had experiences with targeted ads, and many participants held negative sentiments. About half expressed frustration with the overwhelming volume of annoying targeted advertisements. P10 voiced concern about the surveillance capitalism model that fuels targeted advertising: “Every time I look at an ad, somebody knows that. And they put that data in a file somewhere that’s linked to me somehow . . . They’re going to sell that information to the manufacturer or the marketer . . . That’s bothersome.” Other participants like P17 suspected that advertisers invaded their privacy by eavesdropping on their conversations, a common misconception [11] perpetuated by inadequate ad explanations: “My son bought a patio wood-burning oven pizza maker [called] Ooni . . .We were over to his house . . . talking a lot about the Ooni . . .I get home, and I look at Facebook, and I’m being sold Ooni pizza ovens.”

Consistent with prior work on the general public’s mixed feelings regarding targeted advertising, a few participants did find targeted advertising useful and relevant. As P38 said, “I think targeting ads helps people . . .I like knowing about something that I may not have known about that fits my situation.” Furthermore, some participants held relatively neutral views as they simply did not pay attention to ads or believed that their personal opinions were not easily influenced by ads. Our findings also align with prior work on consumers’ challenges in understanding the full landscape of online advertising: when asked about the types of information possibly used for delivering targeted ads, about half of our participants exclusively mentioned site activities (e.g., browsing and search histories). Our participants mainly gave examples of targeted ads in the context of cross-website tracking, showing limited awareness of other individual and demographic factors used in ad targeting; only a few discussed factors like age, race, ZIP code, and IP address.

Experiences with deceptive and discriminatory advertising. About half of our participants recounted experiences with “bad ads” particularly deceptive ads, i.e., the claims and appearances could be misleading and different from consumers’ actual experiences. P17, for example, recounted an emotionally manipulative ad:

It was this little plastic gadget . . . that supposedly some teenage boy with autism had invented . . .And I have a special place for people with disabilities . . .I see this on Facebook . . . Totally sell me with the story. My charge card is out . . .And it comes, and it’s a piece of crap . . .And I realized, "Oh, you dummy. You fell prey. You were such an easy target because of the autistic kid.

Regarding advertising specifically targeting older adults, our participants identified ads on Medicare, assistive technology, and funerary services as examples. While a few participants found agebased targeting positive (as it made ads more relevant) or neutral (equating it with other targeting categories like gender), some participants like P21 found the practice discriminatory and harmful for reinforcing ageist stereotypes: “It’s annoying because it just reminds you that you’re older.” In addition, P30 was concerned about older adults’ vulnerability to ad scams, showing that concerns over cybercrime carried over in this scenario:

The older we get, the less astute we are in paying attention to what this really means. That puts a lot of people at risk. We’ve heard about how many people can lose their money, not necessarily scammed but buying something we really have no use for. I guess they’re free to advertise to anybody. I just don’t like it.

4.4.2 Protective strategies exist, but rendered ineffective. Some participants adopted an avoidance strategy when dealing with annoying or problematic ads, which typically involved ignoring them or removing them from their online feeds. This approach was particularly common among participants who held positive or neutral views about ads, as P11 explained, “All you have to do is click on the X . . . hide the ad . . .ignore it. And if there are too many ads and it annoys you, then you don’t go to those sites.”

However, avoidance-focused strategies do not fundamentally stop the excessive volume of ads. Some participants mentioned clicking on ‘unsubscribe’ in marketing emails but encountered challenges, as they either could not find the link or had to wait for a long time before they stopped receiving unwanted emails. Adding to prior work on users’ folk models of online advertising and privacy settings, a few participants like P3 expressed distrust in the ‘unsubscribe’ feature, suspecting that clicking on it would trigger malware or even more spams:

I am concerned that you can generate more dissemination of information . . . that I wouldn’t want people to have . . . [I] can’t always trust that the unsubscribe location is really going to the service that I want to unsubscribe from . . .If it’s a hacker . . . they’re gonna take the information . . . and hack you some more.

These ineffective strategies may explain why many participants felt they had limited control over what advertisers knew about them. As P4 described, their level of control was “probably none, except just avoiding.” A few participants like P3 believed they had some control, but these participants were relatively experienced in using ad settings: “There’s always a setting somewhere that can be adjusted . . .It is left up to me to explore and see.” P22 was the only participant who felt they had a good amount of control, although their perception was narrowly based on the information they disclosed rather than inferences made by advertisers: “I don’t put a lot out there. I think that certainly gives me an edge on not getting advertising I don’t need or don’t want.”

4.5 Social Networking

While many participants used Facebook and Zoom, about half primarily connected with others via phone calls and text messages. A few participants mentioned other channels including emails, Instagram, Messenger, Twitter, and WhatsApp.

4.5.1 Benefit-risk analysis for adoption and use. Similar to findings in prior work, our participants deliberated the benefits versus risks/costs associated with specific social media platforms. While the benefits of staying connected and acquiring information apply to all age groups, they became more pronounced among our participants during the COVID-19 pandemic, which exacerbated feelings of social isolation and loneliness. As such, P12 described their “calculated risk” for social media use: “The very fact that I have to use YouTube to do certain functions puts me at risk, and it’s a calculated risk . . . But we’re so isolated as it is . . .It is unhealthy not to know what’s going on in the world.”

Interestingly, in contrast to prior research, our participants’ major concerns with regard to using social media—before we specifically probed into privacy—revolved around disturbing or controversial content and dis/misinformation. In terms of privacyrelated concerns, P36 mentioned possibilities of context collapse: “If you use social media extensively, you are bound to have problems like misinterpretation . . . someone taking your post out of context.” P13 disliked the monetization of user data, a recurring concern that also appeared in the online advertising scenario: “Facebook is notorious for sharing information and also establishing a profile . . .I don’t want to make Mark Zuckerberg any richer.”

A few participants further voiced concerns about scams on social media: scams are already a recurring theme in the cybercrime scenario, but social media can amplify the reach of scams. P8, for example, shared their experience with romance scams: “I have some weird guy that sent me [pictures] . . .He sent the same picture to my daughter-in-law . . .It’s really a jungle out there.” Navigating scams and harassment was even more challenging for low-tech, low-income participants, as in the case of P6:

One day I got 1,000 friend requests [on Messenger] . . . but I accepted them all onto my page. Then I realized . . .I’m getting all these telephone calls [from] people trying to swagger me . . . They would call me up at two . . .in the morning and say, ‘Hi, handsome. How are you?’

4.5.2 Limited risk perceptions of Zoom. Zoom, a videoconferencing service, experienced a substantial surge in its user base during the COVID-19 pandemic. Half of our participants mentioned adopting Zoom during the pandemic to maintain social, informational, and educational needs. A few shared concerns about Zoombombing, and P9 even experienced it firsthand: “There [was] this particular conversation that the council is having. And dirty pictures popped up. And then they had to shut down the Zoom thing.”

Nonetheless, participants who had heard of Zoombombing but had not experienced it personally expressed limited concerns, as they believed they would not be targeted. P36 shared, “I don’t think we will attract the attention of the criminals. . . .It’s only the doctor and myself. So what is there to bomb? You want [to] bomb into a Zoom with 20 CEOs and the president of the United States.” Similarly, P7 speculated that Zoom would not engage in excessive data collection due to its business model: “Why would they record a meeting amongst a family of four? They’re not going to be able to monetize that.” However, Zoom has faced controversy for making false claims about end-to-end encryption while engaging in data exchanges with Facebook for monetization purposes. These problematic data practices rarely influenced our participants’ usage and trust in the platform. A few participants like P14 further mentioned relying on Zoom and its partner institutions for data protection: “You heard so much about Zoom over the last two years that you figure, well, it’s got to be a reasonable company. Hopefully, they have security measures in place.”

4.5.3 Skills and confidence in self-protection. In response to their concerns, participants actively employed protective strategies rather than relying on passive measures. P11 mentioned the option to limit their profile visibility: “You can restrict your profile pretty well. So I do. You can’t see my friends.” P28 described being careful about sharing sensitive information: “I normally don’t post it while we’re away. I wouldn’t want to advertise to the world that we’re going to be out of town for a week.” P2 would block or unfriend someone in the case of scams or interpersonal conflicts: “If I find people that are offensive . . .I will stop following them.” Some participants also adjusted their Zoom settings, such as muting themselves as needed and using a virtual background, similar to findings from prior work with younger populations. Most of these proactive strategies reflected our participants’ efficacy in navigating regular privacy settings on social media.

As in the online advertising scenario, participants’ perceived level of control over their information on social media was closely tied to their confidence in configuring privacy settings. Many participants felt they had some control. Some participants like P39 even noted they had total control, though the perception was—similar to that in the online advertising scenario—primarily based on their knowledge of what they proactively shared rather than the inferences and data exchanges behind the scenes: “I’m in control of what I put out there . . .If you put out everything, you expect to have some fallout . . .I don’t put out personal stuff.”

4.6 Cybercrime

4.6.1 Concerns and negative experiences with scams and fraudulent charges. While prior work has identified cybercrime as a growing problem for older adults, our findings reveal older adults’ concerns about specific types of cybercrime, both prompted and unprompted. When asked about their initial impressions of the term ‘cybercrime,’ some participants mentioned hacking attempts targeting government agencies and companies while others focused on cybercrime targeting individuals. For example, P21 was concerned about account compromises leading to financial loss: “I do have some concerns about somebody stealing . . . not just your bank account, but your investments.” P42 highlighted concerns about scams: “I think about a lot of the scam emails that I’ve been getting.”

About half of our participants reported receiving scam calls or phishing emails, with the majority successfully avoiding falling victim to them. Out of the 43 participants, only three had experienced unrecoverable financial losses. One potential factor contributing to participants’ increased susceptibility to exploitation is concurrent financial hardship, as P32 recalled their experiences:

I was getting these text messages . . . to be like a mystery shopper . . .I received a check for about $1,500 . . . So I went to the bank . . . showed them the check. . . .And I was broke. And then she [bank manager] told me that it was a scam . . . That is how they get you because you’d be thinking about the money [when you’re broke].

Participants’ vulnerability to scam attempts also relates to their level of digital literacy. P26, who considered themselves “computer illiterate,” suspected their identity was stolen without recognizing that it was a social security scam: “I got a call from the government that said somebody in Texas is using my social security number to extrapolate the funds out of bank . . .Maybe I have been a victim.” Nevertheless, having a technical background did not guarantee immunity to scams either, as in the case of P43, who ran a computer supply company but once lost $150 to a ransomware scam:

We had our computer locked up by a software company . . . They sold us a software package for $150 that would guarantee that we would not have our system locked up. And when I called the Geek Squad . . . they said all we had to do was just click on the control, alt, delete, and that would have restored us.

4.6.2 Perceived higher vulnerability among older adults. Since prior literature and news media have portrayed older adults as susceptible targets of cybercrime, we asked participants about their perceptions of age-related vulnerability to cybercrime. About half of the participants believed that older adults were more vulnerable and identified factors that could contribute to higher vulnerability, noting that older adults “are naive with respect to technology” (low tech-savviness), “believe everything that they see” (too trusting), and “are more susceptible to [scammers] working on our emotions, like the grandparent scam . . . Seniors are lonely and just want somebody to talk to” (subject to emotional manipulation). Interestingly, participants often used “they” when referring to older adults and rarely considered their own vulnerability. For instance, P33 were confident in their own resistance to cybercrime but expressed concern for others: “I don’t see why anybody would want to go after me . . .I’m not really worried about myself . . . There are a lot of [older] people that don’t know or get scammed. That worries me."

While older adults being more vulnerable to cybercrime is the dominant view, some participants believed that vulnerability to cybercrime is independent of age. P19, for instance, attributed cybercrime vulnerability to individual information-sharing habits: “If you’re careful and you don’t expose yourself, I think you’re going to be safer than if you just put your information out there willy-nilly.” Interestingly, a few participants considered younger adults more vulnerable due to more careless online behavior. As P14 said, “The younger people spend so much time on their devices . . . They’re savvy . . . but sometimes, you just think these people are not paying attention to what kind of danger they’re putting themselves in.”

4.6.3 Adopting protective strategies. Participants shared a variety of strategies to protect themselves against cybercrime; the most prominent ones were frequent monitoring of financial accounts, avoiding phone calls (from unfamiliar numbers or in general), and looking for common indicators of phishing attempts (e.g., checking the sender’s email address). These strategies aligned with established expert advice for online safety and did not require advanced tech expertise. A strategy unique to older adults was relying on their crystallized intelligence, i.e., knowledge and skills acquired throughout life as opposed to younger adults’ fluid intelligence. In participants’ own words, they relied on “common sense” they had developed over decades, as described by P35:

When someone comes to me asking questions about something I said that I did not put out to the public . . . that’s a big red flag and an automatic delete . . . Because I’m older and already have . . . a whole bag of tricks from these many years of living

Participants’ ability to recognize scams could also come from their professional background. P28, for instance, had worked for the Internal Revenue Service and was able to quickly react to tax scams:

“I once got a call from someone who said they were from IRS and they said . . .if we didn’t make a payment, there would be a warrant out for our arrest. I said, ‘Well, I work for IRS and I know you’re not from IRS. So I think you better stop what you’re doing.’ . . .And I hung up and report it.”

Participants also described acquiring protective strategies through firsthand encounters with scams, echoing prior work on security advice and behavior. For example, P31 shared:

The guy said that he was working for Amazon . . .He was able to put [a charge] back into my account . . . But in the meantime, I noticed that . . .when he took control, he started going into different information . . .And then something dawned on me. I said, ‘Well, wait a minute. Why are you going through all these steps?’ . . .A red flag would be when they start asking you for your financial information. I learned that now, because after this investigation, I was told by my financial institution never [to] give out your financial information

However, participants’ strategies were not foolproof and sometimes led to unnecessary inconveniences or resignations. P26, for example, changed their phone number to avoid excessive spam calls, unaware of alternative strategies like blocking specific numbers or registering on the national Do Not Call list that do not entail the disruption of phone number changes. P20 shared their reliance on service providers such as credit card companies and identity theft monitoring vendors for handling scams rather than self-protection: “I would trust that the credit card company would tell me . . .Other than they tell me, throw that card away . . .we’ll send you a new one, I don’t think there’s anything I personally can do.”

4.7 Cross-Contextual Insights

Having presented findings for each scenario, we now discuss common themes, similarities, and differences across scenarios.

4.7.1 Heightened and cross-scenario concerns about cybercrime. Our findings highlight cybercrime as a prominent and recurring concern for our participants across scenarios. In the initial general discussions on privacy (see Section 4.1), cybercriminals already emerged as the primary threat actors. Participants’ definitions and concerns regarding cybercrime revolved around scams, fraud, phishing attacks, fraudulent charges, and identity theft. These definitions largely align with Bossler and Berenblum’s categorization, focusing on two out of their four categories—cyber-trespass and cyber-theft. Importantly, we observed that cybercrime concerns and experiences were pervasive across scenarios, as participants discussed concerns about identity theft fueled by health information, being victimized by ad fraud, and encountering scams/harassment on social media, even before we probed about cybercrime.

In terms of vulnerability, we also found that cybercrime was the only scenario where a substantial portion of participants perceived higher vulnerability within their own age group compared to younger generations. Although participants rarely viewed themselves as more vulnerable than others—a possible manifestation of optimism bias—they often expressed concerns for other individuals in their age group or older. Conversely, in the other scenarios, almost all participants believed that vulnerability was equally distributed across age groups and identified various factors contributing to heightened vulnerability irrespective of age. For instance, P10 identified health conditions and patient portal use as factors contributing to health-related privacy risks: “I do have medical issues, I’m in and out of the patient portal more than a lot of people . . .I think the more you use a system, the higher the risk of being compromised.” P11 emphasized the importance of education level in dealing with problematic advertising: “Somebody with less education might be distracted by these ads, whatever their age is. . . Have you learned to research? Have you learned critical thinking? . . . Just don’t follow what people tell you.”

4.7.2 Limited concerns and options for protecting health information. Our participants expressed the least privacy concerns in the healthcare scenario. Unlike in other scenarios, where participants readily identified threat actors and specific concerns without prompting, participants generally did not talk about healthcare-related privacy issues until prompted. This might be attributed to the relatively inconspicuous nature of health information misuse, particularly when discrimination is involved. None of our participants had personally experienced medical fraud or any associated financial losses. Our participants’ perceptions may also have been shaped by news media—a common information resource—which provides limited coverage of security and privacy events in the healthcare industry.

In contrast to the diverse array of protective strategies observed in other scenarios, participants shared fewer strategies for safeguarding their health information. However, this limited action should not be equated with a lack of diligence. As aging-related health issues arise, older adults may have more frequent doctor’s visits, naturally cultivating trust in their healthcare providers. While people may switch to a different service provider after negative privacy experiences like a data breach, most patients reasonably make decisions based on cost, coverage, and quality of care when selecting healthcare providers. The “notice and choice” framework for protecting individual privacy has long been criticized for placing the burden of self-protection on consumers, and the shortcomings become even more problematic in the healthcare sector as consumers often have limited or virtually no choice.

4.7.3 Concerns and behaviors centered on information collection. Solove’s taxonomy of privacy classifies privacy harms into four stages: information collection, information processing, information dissemination, and invasion. Frik et al.’s study also characterized older adults’ threat models along these four stages. Nevertheless, our participants’ primary concerns and strategies mostly centered on the information collection stage. For instance, some participants discussed limiting content/profile visibility in the social networking scenario and avoiding interactions with ads in the online advertising scenario. In both cases, participants’ perceived control was tied to the amount of information they explicitly shared with other users and service providers. They felt more in control knowing they did not “put much out there.” Only a few tech-savvy participants (e.g., P10 and P12) shared concerns about how companies aggregated and drew inferences from collected data. Very few participants mentioned concerns about information dissemination, except in the case of health-based discrimination, in which disclosing sensitive health information could jeopardize their health benefits.

4.7.4 Trust in service providers. Participants’ trust in various service providers was a recurring theme across scenarios: trusting banks and credit card companies for detecting and resolving fraudulent charges, trusting healthcare providers and wearable device manufacturers for safeguarding health information, and trusting Zoom and partner institutions for ensuring the security of videoconferencing data. This trust is shaped by positive experiences with service providers, unawareness regarding certain threats, and limited options for self-protection. Prior work has shown older adults’ trust in healthcare professionals and preference for discussing health in-depth with a person rather than non-human sources. In contrast, our findings suggest that older adults’ trust extends beyond interpersonal contacts to encompass healthcarerelated sociotechnical platforms, such as patient portals and videoconferencing tools facilitating virtual doctor’s appointments.

Trust in service providers, particularly in the healthcare scenario due to the health needs of older adults, can be reasonable. However, there exists a risk that excessive trust leads to delegation or even abandonment of useful protective strategies. For instance, one might have limited control over how information in their health portal is used, but they can take retroactive measures when a breach happens. In contrast, with regard to cybercrime, many alternative measures can be taken to actively combat threats, such as using secure mobile payments to limit card fraud and placing credit freezes to mitigate credit fraud, rather than relying solely on protections provided by financial institutions.

5 DISCUSSION

5.1 Comparisons with Prior Work

Consistent with prior work, our participants raised securityrelated concerns, such as scams and identity theft, even when we explicitly asked about online privacy. This suggests that our participants perceive security and privacy as interchangeable concepts, aligning with other work that highlights the diversity in privacy definitions and potential discrepancies between expert and end-user conceptions. In contrast to prior studies that emphasized older adults’ reliance on passive mitigation strategies, our participants employed various active coping strategies, such as configuring privacy/authentication settings and exercising caution when disclosing sensitive information

Our findings also affirm and extend prior research conducted within individual scenarios. For instance, older adults’ privacy concerns and behaviors on social media have been well-researched. Our findings align with prior work on common protective strategies, but our study also uncovered novel insights triggered by the COVID-19 pandemic as participants shared their adoption of Zoom and other videoconferencing tools. Our participants were adept at navigating corresponding privacy settings and expressed higher trust in service providers compared to more traditional social media platforms such as Facebook.

Contrary to prior research, our participants exhibited more risk awareness when using public and second-hand devices than those in Frik et al.’s study. Additionally, in contrast to previous studies that highlighted older adults’ negative perceptions of health monitoring technologies, our participants expressed limited privacy concerns about their health information. However, it is important to contextualize this finding within our sample, as most of our participants lived independently and were not using technologies traditionally considered invasive such as in-home activity sensors and always-on web cameras.

While our study did not quantitatively compare privacy vulnerability between older and younger adults by recruiting both populations—making our findings less comparable to prior work that has done so—our findings add more nuances to the deficit-based narratives of older adults as our participants’ vulnerability varied and could not be simply attributed to age. This divergence could come from our sample, as we recruited participants locally and some participants recruited via senior centers might have learned about privacy self-protections there. However, it is also likely that our cross-contextual interview approach and specific probing into participants’ self-perceived vulnerability contributed to the new and different findings, as we unpack in Sections 5.2 and 5.3.

5.2 Contextual Effects of Privacy Concerns

Prior work, like Acquisti et al., emphasizes the role of context in understanding privacy concerns: “Individuals can, depending on the situation, exhibit anything ranging from extreme concern to apathy about privacy”. Nissenbaum’s theory of contextual integrity similarly posits that societal norms shaping people’s perceptions of what is private versus public vary across contexts. Our findings support the importance of context to some extent, as evidenced by concerns that are unique to certain scenarios, such as health-based discrimination in healthcare and password compromises in account/device sharing. Nevertheless, we also observe that privacy concerns are not entirely context-dependent as certain concerns transcend contexts. Specifically, cybercrime was a pressing concern among our participants, as they shared related concerns not only in the cybercrime scenario but also in healthcare, online advertising, and social networking scenarios. Another cross-contextual concern is related to surveillance capitalism which was mentioned in both the online advertising and social networking scenarios, as participants expressed discomfort with the widespread collection and monetization of personal data by advertisers and social media platforms.

These findings underscore the need for further research to both qualitatively and quantitatively differentiate privacy concerns at the population, context, or individual level. For example, our findings already illuminate some population-level differences qualitatively: none of our participants identified the government as a threat actor, in contrast to other high-risk populations who hold heightened concerns about government surveillance]. Other research has also contributed to this direction quantitatively, such as Herbert et al.’s work that compares the digital security experiences of four at-risk groups (including older adults) and Xu et al.’s context-contingent theory that explicates the mechanisms through which contexts influence privacy concerns and behaviors. Notably, we observe that even within the same context, participants’ concerns and vulnerabilities varied substantially and were shaped by many individual factors beyond age, as we discuss below.

5.3 Rethinking Privacy Vulnerability and Aging

In light of the growing research on specific populations who experience disproportionate privacy harms, it is important to consider the nuanced differences between marginalization and vulnerability. According to Liang et al., marginalization indicates a failing of society as marginalized individuals are being underserved, underrepresented, or forgotten, whereas vulnerability may carry the connotation that the person is weak, in need of help, and burdensome.

We argue that this distinction between marginalization and vulnerability is crucial in research with older adults. Our findings show the specific ways in which older adults experience marginalization. For example, P27 shared how they struggled with technologies not designed for their needs: “The worst thing for me is manipulating that tiny [phone] keyboard . . .I have to use a stylus, with a little rubber on the end of it . . . because I just can’t cope with that little keyboard.” P12 witnessed marginalization among their peers and expressed concerns: “There are some [people] that do not join into our Zoom calls because they are afraid of the technology or they can’t afford the technology. And they are completely left out.” Negative media portrayals can exacerbate feelings of marginalization and take an emotional toll on older adults themselves. This is also supported by our findings related to cybercrime: even though very few participants experienced direct repercussions, such as unrecoverable financial losses, many shared recurring concerns and stress, often accompanied by demanding behaviors (e.g., checking financial accounts frequently and avoiding phone calls) that come with emotional labor.

Nevertheless, our research challenges the prevailing vulnerability framing of older adults with multiple layers of supporting findings. First, a few participants who were well-versed in both privacy and technology played a crucial role in supporting and influencing their peers—this suggests that broadly labeling older adults as a vulnerable group is an oversimplification. Second, almost all participants believed that older and younger adults faced equal risks of privacy violations in most scenarios; even in the case of cybercrime, which triggered the most concerns among our participants, opinions were mixed. Third, participants’ quotes and our analysis reveal that factors such as education, income, tech use, and online information disclosure influence one’s privacy vulnerability more prominently than age. While these factors may correlate with age, they more often operate independently of age. For cybercrime, participants with a stronger resistance drew the knowledge from their work background, crystallized intelligence, and prior negative experiences; participants with more challenges navigating cybercrime tended to be those with concurrent financial hardship or low tech-savviness, although being tech-savvy does not guarantee immunity to scams either.

These findings highlight the need for more comprehensive frameworks that synthesize and quantify the various factors contributing to one’s privacy vulnerability. Particularly for older adults, our findings provide empirical support to Knowles et al.’s plea to “seek design inspiration in narratives of positive aging”. This philosophy presents numerous avenues for designing privacy interventions, technologies, and education for everyone growing old, as older adults are a highly heterogeneous population with unique traits that enable interesting research and design opportunities.

5.4 Technical and Educational Implications

Our findings open up several directions for future work on privacyenhancing technologies. For example, our participants were motivated to share accounts and devices in anticipation of death and emergencies. However, some participants only became aware of this need after probing, and others were uncertain about the practical aspects of execution. We see opportunities to develop tools that support the data preparation for death specifically for older adults. Drawing from our findings and prior work on safety settings for older adults with memory concerns, such tools should enable multiple users to engage in socio-technical negotiations about agency and power (especially involving financial interests) and alleviate the anxiety that older adults may experience when contemplating their own mortality.

Besides building new tools, our research contributes insights into improving existing tools tailored to older adults’ preferences while addressing misconceptions. In the account and device sharing scenario, our participants often struggled to safely decommission old devices. Participants were more familiar with physical means of destroying a device completely, while knowing but not trusting features like a factory reset. To make a factory reset more useful and explainable, digital devices could implement more granular settings in line with the user’s goal (e.g., recycling, trading in, selling, donating it to friends or strangers) as well as more personalized advice (e.g., recommending reputable sites in the area based on the user’s location). In another scenario, online advertising, some participants found age-based targeted ads discriminatory or offensive. To address such concerns, platforms should allow users to curate a list of topics they wish to avoid in ad targeting—a suggestion also made by prior work. While some platforms already provide adjustments for specific topics like alcohol, parenting, and politics, we see the need for co-designing ad filtering features with older adults who can provide unique insights into topics that may perpetuate ageist views.

Lastly, our findings highlight the need to support older adults in learning about privacy self-defense through educational efforts. Our participants suggested specific topics for education such as password management, privacy settings, the utility of protection services (e.g., antivirus and identity theft monitoring), and device decommissioning. In developing our online self-defense workshop materials, we incorporated these topics while mirroring our participants’ mental models and language choices (e.g., disregarding the nuanced differences between security and privacy topics, and using ‘hackers’ to refer to malicious actors broadly). Going forward, there are opportunities to integrate this training into broader efforts of helping older adults build digital literacy skills such as workshops on ‘how to use smartphones’ or ‘how to find jobs online.’ Our findings suggest that community and commercial resources are reasonable starting points for deploying such training, and it might be useful to join forces with existing initiatives such as Apple’s iPhone classes for older adults. Our findings also suggest that older adults may turn to peers who are influencers and guardians—roles that a few of our participants already played— rather than acquiring new knowledge on their own. As such, a core part of training should be supporting older adults in developing self-learning and information-seeking skills, so that educational efforts are sustainable and can generate influence at scale.