Cross-Contextual Examination of Older Adults’ Privacy Concerns, Behaviors, and Vulnerabilities
Yixin Zou
Kaiwen Sun
Ruba Abu-Salma
Robin Brewer
SimpleOriginal

Summary

Research on older adults finds cybercrime is a major concern while healthcare privacy gets less attention. Strategies focus on data collection, and vulnerability from tech skill and income shows the need for tailored privacy education.

2024

Cross-Contextual Examination of Older Adults’ Privacy Concerns, Behaviors, and Vulnerabilities

Keywords privacy; older adults; privacy concern; privacy behavior; privacy vulnerability

Abstract

A growing body of research has examined the privacy concerns and behaviors of older adults, often within specific contexts. It remains unclear to what extent older adults' privacy concerns and behaviors vary across contexts and whether old age is the primary factor influencing privacy vulnerabilities. To address this gap, we conducted semi-structured interviews with 43 older adults (aged 65 to 89) in the United States. Our interviews were grounded in five scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime. Our cross-contextual analysis showed that cybercrime was a recurring and pressing concern across scenarios; privacy concerns and protective behaviors were rarely mentioned in the healthcare scenario. Across all scenarios, participants' threat models and strategies revolved around data collection rather than other stages in which privacy harms may occur; they employed various active strategies to safeguard their privacy while trusting service providers to protect their information. Our findings underscore the need to revisit the discussion around privacy vulnerability and aging. Vulnerability levels among our participants varied widely and were often influenced by factors beyond age, such as tech savviness and income. We discuss opportunities for privacy interventions, technologies, and education that promote positive aging and recognize diversity among older adults.

1 INTRODUCTION

Older adults are increasingly adopting digital technologies and engaging in online activities, which introduce privacy and security threats. Prior research has positioned older adults as a vulnerable group, susceptible to privacy violations that disproportionately affect their safety and well-being. For example, older adults with declining health conditions may need health monitoring technologies for independent living while accepting continuous surveillance. Older adults with limited digital skills may resist tech use, limiting learning opportunities for privacy management and self-protection. Caregivers and family members, despite good intentions, may engage in paternalistic “care surveillance” that impacts older adults’ agency.

People’s privacy behavior is known to be context-dependent, with “context” referring to “various spheres of life [...] or conventional routines” according to the theory of contextual integrity. Despite growing privacy research on older adults, most prior studies have explored the topic broadly without making comparisons across different contexts. Some studies have delved into a specific context such as social media or healthcare. To address this gap, we employed a cross-contextual approach to assess the extent to which older adults’ privacy concerns and behaviors are influenced by context. Specifically, we conducted a qualitative study with 43 older adults (aged 65 to 89) in the United States to explore their privacy concerns, behaviors, and vulnerabilities across five interview scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime.

Our findings show that across all five scenarios, participants expressed concerns about falling victim to cybercrime (such as scams and fraudulent charges) consistently and often unprompted; they perceived themselves as more vulnerable to cybercrime than younger counterparts, a distinction that was rarely noted in other scenarios. In contrast, participants were rarely concerned about their health information within the healthcare scenario, prioritizing quality of care and health insurance over privacy. While prior work has characterized older adults’ threat models along Solove’s four dimensions of privacy harm (data collection, processing, dissemination, and invasion), our participants’ concerns and protective behaviors across all scenarios primarily centered on data collection. Unlike prior work that highlighted older adults’ reliance on passive mitigation strategies, our participants employed various active strategies (e.g., configuring privacy/authentication settings and selectively disclosing sensitive information) while trusting service providers to protect and uphold their privacy

A key implication of our findings is that we need to expand the current discourse around privacy vulnerability. Our findings challenge the notion of older adults as a whole being a vulnerable group. Our participants believed that older and younger adults were equally at risk for most scenarios (except for cybercrime), and our analysis showed the actual vulnerability varied greatly among individuals—those with lower tech usage, digital literacy, and income experienced more concrete privacy harms. Some techsavvy participants acted as guardians of their communities for privacy protection, contradicting prior deficit-based narratives in characterizing older adults. Our research provides empirical support for Anaraky and Knijnenburg’s position paper that attributing privacy vulnerability solely to old age is an oversimplification. We conclude with recommendations for designing privacy-protective interventions, technologies, and education that attend to the more positive aspects of the aging experience.

2 RELATED WORK

2.1 Privacy Vulnerability and Aging

Vulnerability is a key concept in HCI and human-centered privacy research, highlighting how technical systems can perpetuate sociopolitical and historical injustices. However, the term has faced criticism for being disempowering and promoting stigmatization, especially in accessibility research. In privacy research, older adults have been labeled as a vulnerable group. The labeling is sometimes reinforced by deficit-based narratives in prior studies: older adults are “more susceptible to fraud”, “express lower concerns about information privacy”, or are “particularly vulnerable to certain risks and experience difficulties in mitigating them” compared to younger adults or the general population. However, some scholars advocate for moving beyond age-related limitations and instead focusing on the wisdom and unique perspectives of older adults; other scholars suggest the importance of disentangling age from other factors that may influence one’s vulnerability.

One of these factors is health, as aging can lead to changes to one’s sensory, physical and cognitive functioning. Older adults with (mild) cognitive impairments may struggle to recognize scams or fully consider the implications of sharing personal information. Chronic disabling conditions may necessitate the use of health monitoring technologies to remain physically independent, and the adoption of such technologies introduces concerns about privacy and ethics. Declining health conditions can amplify one’s dependence on others such as family members, neighbors, and professional caregivers to oversee their privacy and tech use, leading to “care surveillance”. In fact, fraud by a family member is a common form of elder financial abuse. Even when caregivers initiate monitoring with good intentions, heavy-handed stewardship can limit older adults’ agency and hinder their learning of digital threats and respective self-protection skills.

Digital literacy is another critical factor that should be separated from age. While younger and older adults may differ in their technology use, older adults are adopting new technologies and engaging in various online activities, making it important to examine their privacy behaviors across contexts. However, non-adoption of technology among older adults may occur due to cost considerations, inappropriate design, limited self-efficacy, low interest, and fears driven by ageist stereotypes. Low levels of tech usage and digital literacy can subsequently limit one’s privacy self-protection. Our findings contribute to a growing body of research emphasizing the heterogeneity in older adults’ tech use and how tech-savvy older adults often act as influencers and guardians of their peers.

2.2 Older Adults’ Concerns and Behaviors

We organize our literature review in line with the five scenarios explored in our interviews; below we note how our findings add to the existing literature for each scenario. We also examine prior research on age-based differences in privacy concerns and behaviors, as it relates to our findings around privacy vulnerability.

Account and device sharing. Sharing digital accounts and devices is a well-documented practice, observed among romantic partners and in workplace settings. Several studies highlight that older adults—especially those less tech-savvy, with physical or cognitive impairments, or living in collectivist cultures—often give household members or professional caregivers access to their personal accounts and devices, and this practice could introduce tensions around privacy and autonomy.

Older adults may also share account/device access as a way of preparing for their digital legacy to be passed on to family members and friends after their passing. This practice of preparing digital data for death, however, has mostly been explored among younger populations. We studied account and device sharing by older adults considering they will need to face the prospect of death but may experience anxiety and uncertainty in planning. We also included questions about public and second-hand devices to compare with Frik et al.’s study, in which older adult participants exhibited limited risk awareness and concerns in these cases.

Healthcare. Prior research has shown that older adults often find health monitoring technologies intrusive and constraining, but tend to accept these technologies as an inevitable trade-off for safety, care, and aging in place. Older adults generally express comfort with their health data being shared with doctors, caregivers, and family members but not with unknown parties, and they prefer data collection and sharing to occur only when necessary, such as in emergency situations.

We conducted our interviews during the COVID-19 pandemic. Beyond the direct health risks posed by COVID-19, the fear, stress, and loneliness from social isolation during the pandemic further affected older adults’ health and well-being. Our study provides updated insights into older adults’ privacy concerns and behaviors related to healthcare, shaped by the COVID-19 pandemic. We also examined older adults’ privacy considerations when using patient portals, a topic that has been studied but rarely with a specific focus on privacy.

Online advertising. Online advertising often targets individuals based on their online activities, personal information, and inferred interests. Due to the complex and opaque nature of ad tracking practices, most consumers have limited knowledge regarding the extent to which advertisers can access their personal data. Consumers may also hold misconceptions such as conflating online tracking with malware. While some people find targeted ads useful and relevant, others find them intrusive and discomforting. Recent work has also investigated user perceptions of problematic, untrustworthy, or distasteful ads.

Notably, most studies in this area have centered on general adult or younger populations. Limited prior work involving older adults has indicated that they exhibit higher engagement with certain types of advertising such as social video ads while being skeptical about social media-based advertising, and older adults are especially likely to be shown problematic advertising (such as scams or clickbait) on Facebook. We addressed this gap by exploring privacy issues of online advertising with older adults in depth, particularly with regard to their mental models and attitudes toward age-based advertising.

Social networking. Social media use among U.S. older adults continues to grow, but older adults still have lower usage than younger groups. Privacy concerns can deter older adults from using social media, particularly when these concerns outweigh potential social benefits. Some studies have found differences between older and younger adults: older adults are more concerned about who can access their information, while younger generations, especially teens, are more concerned about context collapse or self-representation.

Zoom and other videoconferencing tools also gained popularity during the COVID-19 pandemic for maintaining social contact. Prior work on younger users’ privacy attitudes toward remote communications has found that users lack autonomy in choosing conferencing tools and microphone/webcam use. We examined older adults’ privacy considerations towards videoconferencing tools and compared them to pre-pandemic findings on other social networking sites like Facebook, given the pandemic’s impact on people’s social behaviors.

Cybercrime. Bossler and Berenblum define cybercrime as “computer assisted crime” across four categories: cyber-trespass (e.g., unauthorized system access), cyber-theft (e.g., identity theft and online fraud), cyber-obscenity (e.g., child pornography), and cyberviolence (e.g., cyberstalking); they also note a lack of standardized legal definitions in this field. Mainstream media often depict older adults as vulnerable to cybercrime, especially cyber-theft. However, findings from academic literature are mixed. Simons et al. find that older adults are disproportionately victimized by certain types of fraud, such as tech-support scams and impersonation. Ross et al. argue that there is no compelling evidence of higher consumer fraud rates among older adults. Several studies suggest that susceptibility to scams or phishing attacks can be influenced by other factors such as income and gender.

Studies with older adults highlight that media portrayals heighten their anxiety about spam emails and scam calls. Being defrauded impacts older adults’ health and well-being irrespective of financial loss, as victims experience derision and censure. In Frik et al.’s study, older adult participants held diverse views on their own vulnerabilities: some believed they were easy targets due to low technical literacy and lack of support, whereas others doubted that their information was valuable enough to be exploited. Unlike the prior subsections, cybercrime is primarily associated with risks and harms, whereas other contexts like healthcare also offer tangible benefits. We decided to include cybercrime as an interview scenario given its relevance to older adults and the ageist stereotypes around cybercrime, and we were particularly interested in uncovering more nuanced factors that contribute to older adults’ self-perceived as well as actual vulnerability to cybercrime.

Age-based differences. Several studies have examined the privacy concerns and behaviors of older adults in North America: older adults’ concerns centered on security issues (e.g., scams and identity theft) and institutional threats (e.g., data sold to third parties) rather than interpersonal privacy; passive strategies (like limiting/avoiding technology use) were commonly employed, while active mitigation strategies were rarer and triggered only in response to privacy violations. Older adults’ privacy concerns and behaviors are also culturally dependent: studies in countries with collectivist cultures such as India and China have highlighted older adults’ privacy management as a collective practice, with household members overseeing older adults to ensure their safety.

While some prior research has characterized older adults as being generally vulnerable to privacy risks and violations, empirical findings on differences between older and younger adults are mixed. Some studies indicate that older adults are less likely to react to privacy risks and adopt fewer protective behaviors on social media. Other research suggests that older adults are not necessarily worse at protecting themselves; rather, they have distinct concerns and priorities. For example, older adults often perceive higher risks in online banking and e-commerce and are more likely to base privacy decisions on a privacy calculus. Some studies have found no significant age differences in online privacy sensitivity and attention to privacy policies. These inconsistent findings may be due to different studies examining different contexts and using constructs with different granularity (e.g., general attitudes vs. specific concerns).

3 METHODS

To qualitatively explore the privacy experiences of older adults within and across various contexts, we conducted semi-structured interviews with 43 individuals (≥65 years) in the United States. The interviews took place between August and October 2021 and were conducted using a combination of video calls and in-person meetings based on participants’ preferences. Our study materials (including the screening survey, interview protocol, and codebook) are available online for reference.1

3.1 Interview Protocol

Our interview protocol consisted of two main parts:

Part 1: We began by asking participants to describe their technology ownership and use. We then indirectly elicited participants’ privacy-related concerns by asking whether they had issues with any technologies they used. If privacy concerns were not brought up, we probed further about what information they wanted to protect and who they perceived as potential threats. We designed the sequence in this way (reserving potentially priming privacy-related questions toward the end and only asking them if the participant had not raised these topics) to mitigate potential researcher bias and social desirability bias, following the practices in other work that also touched on sensitive and charged topics.

Part 2: We delved into participants’ privacy perceptions and strategies in five scenarios. Scenarios are commonly used in HCI research to explore values and attitudes toward technology. Our scenario selection was informed by our literature review in Section 2.2. All five scenarios are highly relevant to the daily lives of older adults, although findings specific to older adults and/or privacy varied. Specifically, prior work on account/device sharing and online advertising has predominantly focused on younger populations. Healthcare and social networking have more research specific to older adults, but most of it was conducted before the COVID-19 pandemic, which has impacted how people socialize and manage health issues. Cybercrime is often laden with ageist stereotypes (assuming older adults are always more vulnerable), and we wanted to compare these stereotypes with the actual experiences and perceptions of older adults.

The interview procedure for all scenarios followed a similar structure: first broad questions about mental models and personal experiences, then questions about more specific concerns and protective strategies (if applicable). To assess participants’ perceptions of age-related vulnerability, we asked “How do you feel about your possibility of experiencing X (a negative incident) compared to those older/younger?” with X tailored to each scenario. To ensure we did not impose preconceptions, we mirrored participants’ language in follow-up questions and confirmed our understanding of their responses with them. We randomized the scenario order for each participant to mitigate order effects and potential fatigue toward scenarios discussed later. We concluded the interview by soliciting suggestions from participants on how to support older adults in privacy self-protection.

3.2 Participant Recruitment and Demographics

Our target demographic consisted of individuals aged 65 or older residing in the United States, following the CDC’s definition of older adults. We used various channels to broaden our recruitment: three local senior centers, a participant pool for clinical & health research at University of Michigan, another participant pool hosted by the Healthier Black Elders Center at Wayne State University, and snowball sampling. The majority of our participants came from the university-hosted pools and senior centers; only three participants joined the study through snowball sampling.

We asked interested individuals to complete a screening survey, which was accessible in several formats (online, phone, and paper). We used the screening survey to verify the age criterion and to recruit a diverse sample across age, race, gender, and socioeconomic status. We did, however, exclude individuals with serious cognitive impairments since engaging with this population requires specific protocols that we were not able to implement. We also excluded non-English speakers due to limitations in our research team’s language capabilities.

We pre-tested our interview protocol with three pilot participants. Based on the pilot data, we made minor adjustments to the interview protocol and settled on an interview duration of 60-90 minutes to ensure comprehensive coverage of all scenarios without causing participant fatigue. For the main data collection, the first author conducted interviews with 43 participants. Most interviews were one-on-one; two sessions were done with couples who preferred to take the interview together. We kept interviewing participants until data saturation was reached. Interviews were conducted via phone, Zoom, or at one of the partnering senior centers depending on the participant’s choice. The interviews lasted 82 minutes on average. A few participants took breaks during the interview, but none withdrew from the study or expressed concerns regarding the interview length. Each participant received a $30 check as compensation. With all participants’ consent, interviews were recorded and later transcribed by a professional transcription service.

Table 1 in Appendix A provides details of participant demographics. Our 43 participants were 65-89 years old (mean: 72; median: 71) and approximately balanced in gender (19 men, 23 women, one no response). Participants exhibited diversity across income, race, and self-reported health conditions, but were more educated than the general U.S. population. The majority of participants lived in their own or rented homes and did not have caregivers. Seven participants used assistive devices such as wheelchairs, canes/walking sticks, and hearing aids.

For technology use, most participants were regular users of computers (41) and smartphones (34). More than half (26) also regularly used tablets. Multi-device usage was common: 24 used all three types of devices, and 15 used two. By comparison, smartphones were present in 84% of all U.S. households in 2018, followed by 78% for desktops/laptops and 63% for tablets, indicating that our participants’ tech adoption mirrored that of the general population. Smart device adoption was relatively low in our sample: 11 used smart TVs, and seven used smart speakers or voice assistants.

3.3 Data Analysis

After transcribing and double-checking all interview transcripts, the first author went through all transcripts to create an initial codebook using a combination of deductive and inductive approaches: the codebook’s overall structure was informed by the interview protocol and prior literature; specific codes were mostly paraphrases of what participants said.

To ensure the reliability and consistency of the coding process, the first and second authors independently coded one transcript each, then convened to compare codes, address discrepancies, and modify the codebook; this iterative process was repeated for six transcripts until the two researchers agreed on code saturation. The two authors then used the ‘training’ feature in Dedoose, a qualitative data analysis tool, to calculate inter-rater reliability before independent coding. The first author coded an additional 14 transcripts to ensure a reasonable coverage of each code. The second author then coded the same set of excerpts coded by the first author. The two researchers achieved Cohen’s 𝜅 = 0.74 across all codes, indicating good inter-rater reliability. The two researchers then split the remaining 21 transcripts and coded them independently, and the first author applied the final codebook to the initial six transcripts for consistency. Other co-authors were involved in discussions about the codebook and preliminary findings through regular meetings.

Our final codebook consisted of 296 codes across six categories: one about general privacy concerns and behaviors and five for the respective scenarios. The codes in each category were grouped into consistent sub-categories to facilitate cross-scenario comparisons: general attitudes, specific concerns, challenges in addressing concerns, protective behaviors, and age-based differences.

As our study was qualitative, we focused on describing specific themes rather than making quantitative claims about themes. Following practices in other qualitative work, we adopted the following terminology to provide a qualitative estimation of the frequency of themes: a few (0-20%), some (20-40%), about half (40-60%), many (60-80%), and almost all (80-100%).

3.4 Ethics

Our study was reviewed and determined exempt from oversight by the University of Michigan’s Institutional Review Board. Following a community-based participatory approach, we engaged our participants and community partners throughout the research process for a mutually beneficial experience. For example, we asked staff at the senior centers to provide feedback on our draft interview protocol to ensure the questions were appropriate. We followed trauma-informed practices in conducting the interviews, such as being an active and empathetic listener when participants shared their stories, and clearly communicating options of skipping a question or stopping the participation. As a way to give back to the community, we used our research insights to develop a workshop series on online self-defense and ran the workshops with our partnering senior centers. Thirteen of our interview participants attended the workshops; all spoke positively about the experience and the workshop topics’ relevance to their concerns.

3.5 Limitations

While our qualitative approach allowed deep insights into participants’ lived experiences, it has limitations. Some limitations pertain to the qualitative method and sampling practices. For example, we cannot claim that our sample is representative of all American older adults; our primary aim was not to achieve representativeness but rather to capture diverse perspectives. Our participants were diverse regarding income and race, but they were geographically concentrated and more educated than the broader U.S. population. The sample characteristics may have resulted from our localized recruitment—we opted for this approach to build trust with our participants, reach individuals who might not be accessible through online recruitment, and expand the reach of our workshops. Because our study was conducted in the U.S., some of our findings might be specific to the country or region. One should be careful in generalizing these findings beyond the U.S., and our study opens opportunities for future replication studies in other countries with different cultural values and consumer protection frameworks.

Another limitation of our study relates to the interview scenarios, as cybercrime is more focused on risks and harm compared to other scenarios. Nonetheless, we decided to include cybercrime due to its high relevance to older adults’ existing concerns and ageist stereotypes around this topic. While it is possible that discussions about cybercrime might have primed participants to bring up this topic in other scenarios, this was partially mitigated by randomizing the scenario order for each participant. We also observed that participants who received the cybercrime scenario late in their interviews often still spontaneously discussed it in earlier scenarios.

4 FINDINGS

We first discuss participants’ threat models and privacy concerns in general (Section 4.1), followed by participants’ concerns and behaviors for specific scenarios (Sections 4.2–4.5). We end by comparing findings across the five scenarios (Section 4.7).

4.1 General Threat Models

4.1.1 Heightened concerns about financial information. As the concept of “privacy” can be broad and abstract, we asked participants instead about the specific types of information they would like to protect. Financial information, such as bank account and credit card numbers, was mentioned by about half of the participants. Some also highlighted social security numbers, a unique personal identifier used in the United States. P34 discussed negative incidents that can result in financial loss as their top concerns:

I may not have any money. I may have an outstanding debt . . .My major concern is my identity being taken, and as a result of my identity being taken, my financial security has been compromised or has been taken away from me.

However, privacy harms encompass more than just financial losses when accounting for harms to reputation, psychological well-being, autonomy, discrimination, and more. These harms were less recognized by participants, as P3 said, “Financial information is probably the most relevant thing. The rest of my life is pretty much an open book . . . Somebody sees that I go on a porn site. That’s me.” P18 raised the point that leaked passwords could lead to the compromise of financial accounts: “One of the big things that I worry about is somebody getting a hold of my passwords and user ID that would get them into info on my banking and other financial institutions.” P15 mentioned health information but indicated that it was secondary to financial information in terms of privacy concerns: “I don’t worry about the portal so much . . .I’ve already got my Medicare, and so far I can’t be refused for having [my] problems . . .It’s mostly financial.”

4.1.2 Cybercriminals as the major threat actor. In line with concerns about financial information, about half of our participants identified cybercriminals as the primary threat to their personal information. The specific terms they used included “hackers,” “scammers,” “spammers,” “people trying to steal things,” and “people operating from the dark web.” Some participants shared personal encounters with scams and fraudulent charges. P1 recounted stories they had come across in the news:

There are lonely seniors. You’ll hear some news about a guy . . . gets hacked . . .A somewhat younger pretty lady will connect with him, and be able to access his finances . . . So, my concern is mainly [about] if they hack and get my personal information because hackers are those intelligent criminals.

A few participants identified tech companies as another threat actor, particularly Google/Alphabet and Meta. P13 discussed the extensive data collection and aggregation practices employed by these companies: “Google captures . . . anytime you do any online shopping. That information is captured and shared between organizations. In aggregate, they can build up a pretty detailed profile view of what your interests are.” P12 expressed varying levels of trust in different companies, indicating that not all tech companies are perceived as equal threats:

Microsoft, I’m not as worried about information being shared by them . . . not so much privacy. I would say anything involving the Alphabet as an organization . . .I have too many firsthand experiences that I’ve been uncomfortable with. Information is shared from one site to another without express consent. And I can’t seem to find any features that I could turn on that prevent it . . .It’s something personally I can’t trust

Interestingly, no participant mentioned the government as a threat actor. In fact, a few indicated that they were not concerned about government surveillance due to their belief that they had nothing to hide—a prevalent yet flawed argument about privacy —such as P1: “I’m not a member of any political party or secret organization . . .I have no fear of the police, FBI, or any governmental agent.” This lack of concern about government stands in contrast to heightened concerns about government surveillance among other high-risk populations such as undocumented immigrants, migrant domestic workers, and Muslim-American women, likely because our participants’ identities and backgrounds did not intersect much with these populations. Similarly, no participant identified their family members or caregivers as threat actors, despite them being a major threat vector for elder fraud.

4.1.3 Learning from community and commercial resources. Prior work involving U.K. older adults has identified social, community, and commercial resources, as well as broadcast and digital media, as major cybersecurity information resources. Our participants mentioned all five as sources for learning about privacy self-defense, with community resources, commercial resources, and the media being more popular. Starting with community resources as a source of support, P22 highlighted senior center classes: “The senior center had contacts with the lawyer, and he’d come in and just discuss [the credit freeze] . . .People would ask whatever question they had.” P41 identified the American Association of Retired Persons (AARP): “They have print materials . . . Zoom classes . . .If you’re a member, every month they’ll send you a newsletter.”

Another source of support was commercial resources, including customer support services such as AppleCare and professional tech support. For instance, P28 subscribed to Geek Squad and highlighted the benefits of their periodic checkups: “Once or twice a year, [we] have what they call a checkup where they just delete duplicate files . . .make sure you’ve updated all your programs, and you’ve installed everything you need.” While experts no longer recommend thirdparty antivirus software, some participants continued to use such software. P9 noted trust and brand loyalty as relevant factors: “I’ve used Norton for so long . . .I have trusted them with whenever it comes up for renewal. I don’t even question how they’ve been pricing.” The protections offered by third-party antivirus software may be excessive, but they did raise our participants’ awareness of basic risks and encouraged positive behaviors, as in P27’s case:

I have Malwarebytes, and I’m quite happy with that. I think they’ve done a fairly good job. . . . They have a newsletter every week, and it’s quite informative . . . They often tell you that there’s all this phishing going on, and to be very careful about opening some of these emails that look suspicious. And so I take them at that word, and I do just discard a lot of [emails] because they’re obviously not legitimate.

Prior work using deficit-based narratives has portrayed older adults as passive consumers of information who find it challenging or unnecessary to learn about cybersecurity or privacy. Our findings present a more nuanced perspective, as some participants acted as educators and influencers within their communities. P32 acknowledged the respective challenges in doing this:

She will want me to order something through my account. . . . She got mad at me the other day because I said I’m not doing it . . .I have done it a few times for her. But I want her to [learn]. She doesn’t want to be tech-savvy. I’m not tech-savvy, but I know . . . the only way to learn stuff is you might make a mistake.

P19 and P38 helped run computer classes at their senior centers. P38 identified recurring challenges among their peers, including password management and using “BCC” when sending mass emails. P19 was concerned about the potential exclusion of less tech-savvy peers from educational programs:

I’m super literate with computers . . . There are a few people like me, but not many. And as they get older, they have a harder time using the technology that’s available, but they need that technology even more . . . You’re missing a whole segment of the bell curve. Those are people who simply don’t come [to the classes]. They have home phones and they don’t use cell phone technology, and they don’t get emails.

4.2 Account and Device Sharing

4.2.1 Sharing digital assets in preparation for death or accidents. Half of our participants mentioned sharing passwords, mostly with family members and occasionally with close friends. Prior research has identified convenience and trust building as key drivers for password sharing among younger adults, and our participants gave similar reasons. For example, P13 shared streaming service credentials with their son; P33 shared “everything” with their partner after decades of marriage.

However, most participants’ primary motivation for sharing was preparation for unforeseen circumstances such as death or emergencies. For example, P18 shared, “My mom and my sister have my social security number and my passwords . . .I trust [them] implicitly, and I feel better too because you’ll never know.” For similar reasons, some participants also shared access to their financial accounts with family members and occasionally with a financial advisor or attorney. P8 made efforts to facilitate transparent communication between multiple parties:

I take care of all my own finances. My lawyer knows where all my accounts are. And . . .my adopted son is my advocate, and he’s also my executor. So he knows . . . But he also knows where my lawyer is. And my lawyer knows where he is if something should happen.

When we asked about post-death preparation for digital assets, some participants had already made plans. Others like P7, however, only recognized the importance of this consideration in response to our probing:

If I were in a car accident and died, nobody would be able to get into my accounts, which will be bad. It would be weeks of sending mail and death certificates and wedding documents to prove that my wife is my heir and beneficiary. So I should do that. I’ll put that on my list of things sometime

4.2.2 Struggles with password management. During discussions on account sharing, participants often highlighted password management as a recurring challenge. In contrast to studies involving younger populations, our participants relied more on physical methods for password management: about half mentioned physically writing passwords down, and a few attempted to rely solely on their memory. No participant felt their current password management strategies were optimal; for instance, those who wrote passwords down would still have concerns over the “single point of failure” if their password notebook were to be stolen. While remembering all passwords is generally demanding, P30 emphasized age-related memory decline as a specific concern:

For important things like my banking, I want to keep going with the same one. I can’t . . . They want a different one than you’ve used in the last 10 years. I can’t remember 10 years’ worth. What I do worry about, actually, is as I get older it’s going to become harder and harder to do all that to keep track of it all.

Only a few participants, typically those with a technical background, mentioned using password managers in their browsers and operating systems. The adoption rate of password managers was much lower in comparison to studies involving younger adults. Echoing prior work, P20 shared that non-adoption was due to distrust in cloud services storing their passwords:

I do not use any of the password apps where they say you can put in all your passwords, and it’ll be secure, I just don’t trust it. In my opinion, all of these systems were created by a person, and there’s always a way . . . somebody else can figure out how to get into it.

4.2.3 Risk Awareness of Public and Second-Hand Devices. A particular case of device sharing is public devices and Wi-Fi networks, which carry the risks of data leakage and Wi-Fi spoofing. This use case holds particular relevance for older adults given their lower ownership of personal computers or smartphones while having communal places like senior centers that enable device sharing. Many participants reported using public computers and Wi-Fi networks in libraries, hotels, and shops.

In contrast to the findings in Frik et al.’s study, in which few participants expressed concerns about public devices and Wi-Fi networks, our participants (even with similar demographics) exhibited a heightened awareness of these risks. Although they could not always pinpoint specific negative events, they could recognize situations with increased risk. For example, P23 commented, “I think it’s easier to compromise my information [when using public devices]. I think people can get into them more easily.” About half of our participants mentioned that they consciously avoided sensitive activities such as banking when using public devices or Wi-Fi networks. P19 compared banking with other types of online activities regarding their sensitivity:

If somebody wants to hack into my gaming group and screw with my pictures . . . that’s not going to kill me. So I don’t really particularly care about that as much, but I stay away from banks and things that are high security. When we’re traveling, oftentimes I’m looking up what attractions are there? What time does the museum open? . . . things that are not security-driven.

A few participants also cleared their browsing history on exit when using a public computer. P32 shared how they developed this habit after someone compromised their social media account when it remained signed in:

Some years ago I did not sign out on Facebook [at libraries]. And so whoever came [next], they put a whole bunch of crazy stuff up there. And so my son called me up, ‘Ma, was it really [you]?’ ‘Where were you at?’ I said, ‘I was at the library.’ . . . So he deleted [my post] . . .Now I make sure I sign out if I’m on a public device.

The exchange of second-hand devices can also lead to data leaks. Some participants like P6 worried about unwiped data: “When you get second-hand phones, they’re contaminated . . .It’s not good to buy used phones unless they’ve been cleaned or wiped.” Additionally, participants felt a lack of confidence in securely decommissioning their old devices, particularly when selling or donating to strangers, and desired more guidance. As P16 said, “I have two laptops . . .just ready to go to the recycling, but I have to get the stuff off of them . . .I probably will pay to have somebody do it because I don’t know what I’m doing.”

4.3 Healthcare

Our findings within the healthcare context mostly centered on patient portals and smartwatches, as they were adopted by almost all and some participants, respectively. A few participants also mentioned using health-tracking apps, step counters, and blood pressure monitors.

4.3.1 Trust in healthcare providers and smartwatch manufacturers. While a few participants expressed privacy concerns about their health information (see Section 4.1), about half of our participants shared that they trusted service providers (e.g., hospitals and smartwatch manufacturers) to securely handle their health information. This trust contrasts with the healthcare industry being one of the most common victims of data breaches and instances of data exchange between healthcare providers and social media companies for commercial purposes. Participants’ trust in confidential information exchange with healthcare providers could be a result of social norms and existing laws, notably the Health Insurance Portability and Accountability Act (HIPAA), as P25 said: “Any doctor that I’m dealing with can go to my portal and look up what other doctors have done or said . . .It’s already in there. I don’t feel that that’s being shared inappropriately.”

Interestingly, P25 extended the same level of trust to smartwatch manufacturers, despite these entities being subject to different regulatory frameworks, and wearable devices having limited protection under HIPAA: “My Fitbit . . .it’s like a watch . . . as far as I know, there are no data to take. It’s just something I’m looking at . . . for my information only.” P12 explained that their trust in smartwatch manufacturers came from their own positive experiences and social influence:

You know that the Apple Health app . . .I have not personally heard of any episode where that recorded information was used [in]appropriately . . .I encountered a person in a focus group . . .where they were trying out the Apple Watch and recording various aspects of it. That person felt comfortable . . . and that was significant for me. I am not looking and would not be comfortable with any other entity

4.3.2 Concerns about breaches and health-based discrimination. Although participants generally expressed trust in health devices and portals, some voiced concerns about the potential compromise of their health information in data breaches when prompted, as P41 said: “You kind of hear all the time where these health organizations are hacked . . . That’s a big concern, and that’s real.” P9 also noted concerns about health information being used for identity theft:“Somebody can get a hold of a copy of your driver’s license and your health care card and piece together enough to use it for some other purpose.” In addition, some participants expressed concerns about the potential use of their health information for advertising and insurance purposes. These concerns often overlapped with concerns regarding discrimination based on health or age, as P5 articulated:

It seems to me that the misuse of health information is not within the healthcare world . . .it’s in the application, the decision-making of lenders and hirers . . . that would look at a health condition and determine that it’s an additional risk . . . That’s the abuse of the healthcare information that I’m concerned about.

Nonetheless, only a few participants mentioned specific protective behaviors in response to their concerns. Examples include monitoring financial statements (following a healthcare breach notification) and removing prescription labels from medication bottles (to avoid medical identity theft). Overall, participants discussed much fewer privacy-protective behaviors (in terms of both diversity and frequency) in the healthcare scenario than in other scenarios.

4.4 Online advertising

4.4.1 Negative attitudes toward targeted advertising. Almost all participants had experiences with targeted ads, and many participants held negative sentiments. About half expressed frustration with the overwhelming volume of annoying targeted advertisements. P10 voiced concern about the surveillance capitalism model that fuels targeted advertising: “Every time I look at an ad, somebody knows that. And they put that data in a file somewhere that’s linked to me somehow . . . They’re going to sell that information to the manufacturer or the marketer . . . That’s bothersome.” Other participants like P17 suspected that advertisers invaded their privacy by eavesdropping on their conversations, a common misconception [11] perpetuated by inadequate ad explanations: “My son bought a patio wood-burning oven pizza maker [called] Ooni . . .We were over to his house . . . talking a lot about the Ooni . . .I get home, and I look at Facebook, and I’m being sold Ooni pizza ovens.”

Consistent with prior work on the general public’s mixed feelings regarding targeted advertising, a few participants did find targeted advertising useful and relevant. As P38 said, “I think targeting ads helps people . . .I like knowing about something that I may not have known about that fits my situation.” Furthermore, some participants held relatively neutral views as they simply did not pay attention to ads or believed that their personal opinions were not easily influenced by ads. Our findings also align with prior work on consumers’ challenges in understanding the full landscape of online advertising: when asked about the types of information possibly used for delivering targeted ads, about half of our participants exclusively mentioned site activities (e.g., browsing and search histories). Our participants mainly gave examples of targeted ads in the context of cross-website tracking, showing limited awareness of other individual and demographic factors used in ad targeting; only a few discussed factors like age, race, ZIP code, and IP address.

Experiences with deceptive and discriminatory advertising. About half of our participants recounted experiences with “bad ads” particularly deceptive ads, i.e., the claims and appearances could be misleading and different from consumers’ actual experiences. P17, for example, recounted an emotionally manipulative ad:

It was this little plastic gadget . . . that supposedly some teenage boy with autism had invented . . .And I have a special place for people with disabilities . . .I see this on Facebook . . . Totally sell me with the story. My charge card is out . . .And it comes, and it’s a piece of crap . . .And I realized, "Oh, you dummy. You fell prey. You were such an easy target because of the autistic kid.

Regarding advertising specifically targeting older adults, our participants identified ads on Medicare, assistive technology, and funerary services as examples. While a few participants found agebased targeting positive (as it made ads more relevant) or neutral (equating it with other targeting categories like gender), some participants like P21 found the practice discriminatory and harmful for reinforcing ageist stereotypes: “It’s annoying because it just reminds you that you’re older.” In addition, P30 was concerned about older adults’ vulnerability to ad scams, showing that concerns over cybercrime carried over in this scenario:

The older we get, the less astute we are in paying attention to what this really means. That puts a lot of people at risk. We’ve heard about how many people can lose their money, not necessarily scammed but buying something we really have no use for. I guess they’re free to advertise to anybody. I just don’t like it.

4.4.2 Protective strategies exist, but rendered ineffective. Some participants adopted an avoidance strategy when dealing with annoying or problematic ads, which typically involved ignoring them or removing them from their online feeds. This approach was particularly common among participants who held positive or neutral views about ads, as P11 explained, “All you have to do is click on the X . . . hide the ad . . .ignore it. And if there are too many ads and it annoys you, then you don’t go to those sites.”

However, avoidance-focused strategies do not fundamentally stop the excessive volume of ads. Some participants mentioned clicking on ‘unsubscribe’ in marketing emails but encountered challenges, as they either could not find the link or had to wait for a long time before they stopped receiving unwanted emails. Adding to prior work on users’ folk models of online advertising and privacy settings, a few participants like P3 expressed distrust in the ‘unsubscribe’ feature, suspecting that clicking on it would trigger malware or even more spams:

I am concerned that you can generate more dissemination of information . . . that I wouldn’t want people to have . . . [I] can’t always trust that the unsubscribe location is really going to the service that I want to unsubscribe from . . .If it’s a hacker . . . they’re gonna take the information . . . and hack you some more.

These ineffective strategies may explain why many participants felt they had limited control over what advertisers knew about them. As P4 described, their level of control was “probably none, except just avoiding.” A few participants like P3 believed they had some control, but these participants were relatively experienced in using ad settings: “There’s always a setting somewhere that can be adjusted . . .It is left up to me to explore and see.” P22 was the only participant who felt they had a good amount of control, although their perception was narrowly based on the information they disclosed rather than inferences made by advertisers: “I don’t put a lot out there. I think that certainly gives me an edge on not getting advertising I don’t need or don’t want.”

4.5 Social Networking

While many participants used Facebook and Zoom, about half primarily connected with others via phone calls and text messages. A few participants mentioned other channels including emails, Instagram, Messenger, Twitter, and WhatsApp.

4.5.1 Benefit-risk analysis for adoption and use. Similar to findings in prior work, our participants deliberated the benefits versus risks/costs associated with specific social media platforms. While the benefits of staying connected and acquiring information apply to all age groups, they became more pronounced among our participants during the COVID-19 pandemic, which exacerbated feelings of social isolation and loneliness. As such, P12 described their “calculated risk” for social media use: “The very fact that I have to use YouTube to do certain functions puts me at risk, and it’s a calculated risk . . . But we’re so isolated as it is . . .It is unhealthy not to know what’s going on in the world.”

Interestingly, in contrast to prior research, our participants’ major concerns with regard to using social media—before we specifically probed into privacy—revolved around disturbing or controversial content and dis/misinformation. In terms of privacyrelated concerns, P36 mentioned possibilities of context collapse: “If you use social media extensively, you are bound to have problems like misinterpretation . . . someone taking your post out of context.” P13 disliked the monetization of user data, a recurring concern that also appeared in the online advertising scenario: “Facebook is notorious for sharing information and also establishing a profile . . .I don’t want to make Mark Zuckerberg any richer.”

A few participants further voiced concerns about scams on social media: scams are already a recurring theme in the cybercrime scenario, but social media can amplify the reach of scams. P8, for example, shared their experience with romance scams: “I have some weird guy that sent me [pictures] . . .He sent the same picture to my daughter-in-law . . .It’s really a jungle out there.” Navigating scams and harassment was even more challenging for low-tech, low-income participants, as in the case of P6:

One day I got 1,000 friend requests [on Messenger] . . . but I accepted them all onto my page. Then I realized . . .I’m getting all these telephone calls [from] people trying to swagger me . . . They would call me up at two . . .in the morning and say, ‘Hi, handsome. How are you?’

4.5.2 Limited risk perceptions of Zoom. Zoom, a videoconferencing service, experienced a substantial surge in its user base during the COVID-19 pandemic. Half of our participants mentioned adopting Zoom during the pandemic to maintain social, informational, and educational needs. A few shared concerns about Zoombombing, and P9 even experienced it firsthand: “There [was] this particular conversation that the council is having. And dirty pictures popped up. And then they had to shut down the Zoom thing.”

Nonetheless, participants who had heard of Zoombombing but had not experienced it personally expressed limited concerns, as they believed they would not be targeted. P36 shared, “I don’t think we will attract the attention of the criminals. . . .It’s only the doctor and myself. So what is there to bomb? You want [to] bomb into a Zoom with 20 CEOs and the president of the United States.” Similarly, P7 speculated that Zoom would not engage in excessive data collection due to its business model: “Why would they record a meeting amongst a family of four? They’re not going to be able to monetize that.” However, Zoom has faced controversy for making false claims about end-to-end encryption while engaging in data exchanges with Facebook for monetization purposes. These problematic data practices rarely influenced our participants’ usage and trust in the platform. A few participants like P14 further mentioned relying on Zoom and its partner institutions for data protection: “You heard so much about Zoom over the last two years that you figure, well, it’s got to be a reasonable company. Hopefully, they have security measures in place.”

4.5.3 Skills and confidence in self-protection. In response to their concerns, participants actively employed protective strategies rather than relying on passive measures. P11 mentioned the option to limit their profile visibility: “You can restrict your profile pretty well. So I do. You can’t see my friends.” P28 described being careful about sharing sensitive information: “I normally don’t post it while we’re away. I wouldn’t want to advertise to the world that we’re going to be out of town for a week.” P2 would block or unfriend someone in the case of scams or interpersonal conflicts: “If I find people that are offensive . . .I will stop following them.” Some participants also adjusted their Zoom settings, such as muting themselves as needed and using a virtual background, similar to findings from prior work with younger populations. Most of these proactive strategies reflected our participants’ efficacy in navigating regular privacy settings on social media.

As in the online advertising scenario, participants’ perceived level of control over their information on social media was closely tied to their confidence in configuring privacy settings. Many participants felt they had some control. Some participants like P39 even noted they had total control, though the perception was—similar to that in the online advertising scenario—primarily based on their knowledge of what they proactively shared rather than the inferences and data exchanges behind the scenes: “I’m in control of what I put out there . . .If you put out everything, you expect to have some fallout . . .I don’t put out personal stuff.”

4.6 Cybercrime

4.6.1 Concerns and negative experiences with scams and fraudulent charges. While prior work has identified cybercrime as a growing problem for older adults, our findings reveal older adults’ concerns about specific types of cybercrime, both prompted and unprompted. When asked about their initial impressions of the term ‘cybercrime,’ some participants mentioned hacking attempts targeting government agencies and companies while others focused on cybercrime targeting individuals. For example, P21 was concerned about account compromises leading to financial loss: “I do have some concerns about somebody stealing . . . not just your bank account, but your investments.” P42 highlighted concerns about scams: “I think about a lot of the scam emails that I’ve been getting.”

About half of our participants reported receiving scam calls or phishing emails, with the majority successfully avoiding falling victim to them. Out of the 43 participants, only three had experienced unrecoverable financial losses. One potential factor contributing to participants’ increased susceptibility to exploitation is concurrent financial hardship, as P32 recalled their experiences:

I was getting these text messages . . . to be like a mystery shopper . . .I received a check for about $1,500 . . . So I went to the bank . . . showed them the check. . . .And I was broke. And then she [bank manager] told me that it was a scam . . . That is how they get you because you’d be thinking about the money [when you’re broke].

Participants’ vulnerability to scam attempts also relates to their level of digital literacy. P26, who considered themselves “computer illiterate,” suspected their identity was stolen without recognizing that it was a social security scam: “I got a call from the government that said somebody in Texas is using my social security number to extrapolate the funds out of bank . . .Maybe I have been a victim.” Nevertheless, having a technical background did not guarantee immunity to scams either, as in the case of P43, who ran a computer supply company but once lost $150 to a ransomware scam:

We had our computer locked up by a software company . . . They sold us a software package for $150 that would guarantee that we would not have our system locked up. And when I called the Geek Squad . . . they said all we had to do was just click on the control, alt, delete, and that would have restored us.

4.6.2 Perceived higher vulnerability among older adults. Since prior literature and news media have portrayed older adults as susceptible targets of cybercrime, we asked participants about their perceptions of age-related vulnerability to cybercrime. About half of the participants believed that older adults were more vulnerable and identified factors that could contribute to higher vulnerability, noting that older adults “are naive with respect to technology” (low tech-savviness), “believe everything that they see” (too trusting), and “are more susceptible to [scammers] working on our emotions, like the grandparent scam . . . Seniors are lonely and just want somebody to talk to” (subject to emotional manipulation). Interestingly, participants often used “they” when referring to older adults and rarely considered their own vulnerability. For instance, P33 were confident in their own resistance to cybercrime but expressed concern for others: “I don’t see why anybody would want to go after me . . .I’m not really worried about myself . . . There are a lot of [older] people that don’t know or get scammed. That worries me."

While older adults being more vulnerable to cybercrime is the dominant view, some participants believed that vulnerability to cybercrime is independent of age. P19, for instance, attributed cybercrime vulnerability to individual information-sharing habits: “If you’re careful and you don’t expose yourself, I think you’re going to be safer than if you just put your information out there willy-nilly.” Interestingly, a few participants considered younger adults more vulnerable due to more careless online behavior. As P14 said, “The younger people spend so much time on their devices . . . They’re savvy . . . but sometimes, you just think these people are not paying attention to what kind of danger they’re putting themselves in.”

4.6.3 Adopting protective strategies. Participants shared a variety of strategies to protect themselves against cybercrime; the most prominent ones were frequent monitoring of financial accounts, avoiding phone calls (from unfamiliar numbers or in general), and looking for common indicators of phishing attempts (e.g., checking the sender’s email address). These strategies aligned with established expert advice for online safety and did not require advanced tech expertise. A strategy unique to older adults was relying on their crystallized intelligence, i.e., knowledge and skills acquired throughout life as opposed to younger adults’ fluid intelligence. In participants’ own words, they relied on “common sense” they had developed over decades, as described by P35:

When someone comes to me asking questions about something I said that I did not put out to the public . . . that’s a big red flag and an automatic delete . . . Because I’m older and already have . . . a whole bag of tricks from these many years of living

Participants’ ability to recognize scams could also come from their professional background. P28, for instance, had worked for the Internal Revenue Service and was able to quickly react to tax scams:

“I once got a call from someone who said they were from IRS and they said . . .if we didn’t make a payment, there would be a warrant out for our arrest. I said, ‘Well, I work for IRS and I know you’re not from IRS. So I think you better stop what you’re doing.’ . . .And I hung up and report it.”

Participants also described acquiring protective strategies through firsthand encounters with scams, echoing prior work on security advice and behavior. For example, P31 shared:

The guy said that he was working for Amazon . . .He was able to put [a charge] back into my account . . . But in the meantime, I noticed that . . .when he took control, he started going into different information . . .And then something dawned on me. I said, ‘Well, wait a minute. Why are you going through all these steps?’ . . .A red flag would be when they start asking you for your financial information. I learned that now, because after this investigation, I was told by my financial institution never [to] give out your financial information

However, participants’ strategies were not foolproof and sometimes led to unnecessary inconveniences or resignations. P26, for example, changed their phone number to avoid excessive spam calls, unaware of alternative strategies like blocking specific numbers or registering on the national Do Not Call list that do not entail the disruption of phone number changes. P20 shared their reliance on service providers such as credit card companies and identity theft monitoring vendors for handling scams rather than self-protection: “I would trust that the credit card company would tell me . . .Other than they tell me, throw that card away . . .we’ll send you a new one, I don’t think there’s anything I personally can do.”

4.7 Cross-Contextual Insights

Having presented findings for each scenario, we now discuss common themes, similarities, and differences across scenarios.

4.7.1 Heightened and cross-scenario concerns about cybercrime. Our findings highlight cybercrime as a prominent and recurring concern for our participants across scenarios. In the initial general discussions on privacy (see Section 4.1), cybercriminals already emerged as the primary threat actors. Participants’ definitions and concerns regarding cybercrime revolved around scams, fraud, phishing attacks, fraudulent charges, and identity theft. These definitions largely align with Bossler and Berenblum’s categorization, focusing on two out of their four categories—cyber-trespass and cyber-theft. Importantly, we observed that cybercrime concerns and experiences were pervasive across scenarios, as participants discussed concerns about identity theft fueled by health information, being victimized by ad fraud, and encountering scams/harassment on social media, even before we probed about cybercrime.

In terms of vulnerability, we also found that cybercrime was the only scenario where a substantial portion of participants perceived higher vulnerability within their own age group compared to younger generations. Although participants rarely viewed themselves as more vulnerable than others—a possible manifestation of optimism bias—they often expressed concerns for other individuals in their age group or older. Conversely, in the other scenarios, almost all participants believed that vulnerability was equally distributed across age groups and identified various factors contributing to heightened vulnerability irrespective of age. For instance, P10 identified health conditions and patient portal use as factors contributing to health-related privacy risks: “I do have medical issues, I’m in and out of the patient portal more than a lot of people . . .I think the more you use a system, the higher the risk of being compromised.” P11 emphasized the importance of education level in dealing with problematic advertising: “Somebody with less education might be distracted by these ads, whatever their age is. . . Have you learned to research? Have you learned critical thinking? . . . Just don’t follow what people tell you.”

4.7.2 Limited concerns and options for protecting health information. Our participants expressed the least privacy concerns in the healthcare scenario. Unlike in other scenarios, where participants readily identified threat actors and specific concerns without prompting, participants generally did not talk about healthcare-related privacy issues until prompted. This might be attributed to the relatively inconspicuous nature of health information misuse, particularly when discrimination is involved. None of our participants had personally experienced medical fraud or any associated financial losses. Our participants’ perceptions may also have been shaped by news media—a common information resource—which provides limited coverage of security and privacy events in the healthcare industry.

In contrast to the diverse array of protective strategies observed in other scenarios, participants shared fewer strategies for safeguarding their health information. However, this limited action should not be equated with a lack of diligence. As aging-related health issues arise, older adults may have more frequent doctor’s visits, naturally cultivating trust in their healthcare providers. While people may switch to a different service provider after negative privacy experiences like a data breach, most patients reasonably make decisions based on cost, coverage, and quality of care when selecting healthcare providers. The “notice and choice” framework for protecting individual privacy has long been criticized for placing the burden of self-protection on consumers, and the shortcomings become even more problematic in the healthcare sector as consumers often have limited or virtually no choice.

4.7.3 Concerns and behaviors centered on information collection. Solove’s taxonomy of privacy classifies privacy harms into four stages: information collection, information processing, information dissemination, and invasion. Frik et al.’s study also characterized older adults’ threat models along these four stages. Nevertheless, our participants’ primary concerns and strategies mostly centered on the information collection stage. For instance, some participants discussed limiting content/profile visibility in the social networking scenario and avoiding interactions with ads in the online advertising scenario. In both cases, participants’ perceived control was tied to the amount of information they explicitly shared with other users and service providers. They felt more in control knowing they did not “put much out there.” Only a few tech-savvy participants (e.g., P10 and P12) shared concerns about how companies aggregated and drew inferences from collected data. Very few participants mentioned concerns about information dissemination, except in the case of health-based discrimination, in which disclosing sensitive health information could jeopardize their health benefits.

4.7.4 Trust in service providers. Participants’ trust in various service providers was a recurring theme across scenarios: trusting banks and credit card companies for detecting and resolving fraudulent charges, trusting healthcare providers and wearable device manufacturers for safeguarding health information, and trusting Zoom and partner institutions for ensuring the security of videoconferencing data. This trust is shaped by positive experiences with service providers, unawareness regarding certain threats, and limited options for self-protection. Prior work has shown older adults’ trust in healthcare professionals and preference for discussing health in-depth with a person rather than non-human sources. In contrast, our findings suggest that older adults’ trust extends beyond interpersonal contacts to encompass healthcarerelated sociotechnical platforms, such as patient portals and videoconferencing tools facilitating virtual doctor’s appointments.

Trust in service providers, particularly in the healthcare scenario due to the health needs of older adults, can be reasonable. However, there exists a risk that excessive trust leads to delegation or even abandonment of useful protective strategies. For instance, one might have limited control over how information in their health portal is used, but they can take retroactive measures when a breach happens. In contrast, with regard to cybercrime, many alternative measures can be taken to actively combat threats, such as using secure mobile payments to limit card fraud and placing credit freezes to mitigate credit fraud, rather than relying solely on protections provided by financial institutions.

5 DISCUSSION

5.1 Comparisons with Prior Work

Consistent with prior work, our participants raised securityrelated concerns, such as scams and identity theft, even when we explicitly asked about online privacy. This suggests that our participants perceive security and privacy as interchangeable concepts, aligning with other work that highlights the diversity in privacy definitions and potential discrepancies between expert and end-user conceptions. In contrast to prior studies that emphasized older adults’ reliance on passive mitigation strategies, our participants employed various active coping strategies, such as configuring privacy/authentication settings and exercising caution when disclosing sensitive information

Our findings also affirm and extend prior research conducted within individual scenarios. For instance, older adults’ privacy concerns and behaviors on social media have been well-researched. Our findings align with prior work on common protective strategies, but our study also uncovered novel insights triggered by the COVID-19 pandemic as participants shared their adoption of Zoom and other videoconferencing tools. Our participants were adept at navigating corresponding privacy settings and expressed higher trust in service providers compared to more traditional social media platforms such as Facebook.

Contrary to prior research, our participants exhibited more risk awareness when using public and second-hand devices than those in Frik et al.’s study. Additionally, in contrast to previous studies that highlighted older adults’ negative perceptions of health monitoring technologies, our participants expressed limited privacy concerns about their health information. However, it is important to contextualize this finding within our sample, as most of our participants lived independently and were not using technologies traditionally considered invasive such as in-home activity sensors and always-on web cameras.

While our study did not quantitatively compare privacy vulnerability between older and younger adults by recruiting both populations—making our findings less comparable to prior work that has done so—our findings add more nuances to the deficit-based narratives of older adults as our participants’ vulnerability varied and could not be simply attributed to age. This divergence could come from our sample, as we recruited participants locally and some participants recruited via senior centers might have learned about privacy self-protections there. However, it is also likely that our cross-contextual interview approach and specific probing into participants’ self-perceived vulnerability contributed to the new and different findings, as we unpack in Sections 5.2 and 5.3.

5.2 Contextual Effects of Privacy Concerns

Prior work, like Acquisti et al., emphasizes the role of context in understanding privacy concerns: “Individuals can, depending on the situation, exhibit anything ranging from extreme concern to apathy about privacy”. Nissenbaum’s theory of contextual integrity similarly posits that societal norms shaping people’s perceptions of what is private versus public vary across contexts. Our findings support the importance of context to some extent, as evidenced by concerns that are unique to certain scenarios, such as health-based discrimination in healthcare and password compromises in account/device sharing. Nevertheless, we also observe that privacy concerns are not entirely context-dependent as certain concerns transcend contexts. Specifically, cybercrime was a pressing concern among our participants, as they shared related concerns not only in the cybercrime scenario but also in healthcare, online advertising, and social networking scenarios. Another cross-contextual concern is related to surveillance capitalism which was mentioned in both the online advertising and social networking scenarios, as participants expressed discomfort with the widespread collection and monetization of personal data by advertisers and social media platforms.

These findings underscore the need for further research to both qualitatively and quantitatively differentiate privacy concerns at the population, context, or individual level. For example, our findings already illuminate some population-level differences qualitatively: none of our participants identified the government as a threat actor, in contrast to other high-risk populations who hold heightened concerns about government surveillance]. Other research has also contributed to this direction quantitatively, such as Herbert et al.’s work that compares the digital security experiences of four at-risk groups (including older adults) and Xu et al.’s context-contingent theory that explicates the mechanisms through which contexts influence privacy concerns and behaviors. Notably, we observe that even within the same context, participants’ concerns and vulnerabilities varied substantially and were shaped by many individual factors beyond age, as we discuss below.

5.3 Rethinking Privacy Vulnerability and Aging

In light of the growing research on specific populations who experience disproportionate privacy harms, it is important to consider the nuanced differences between marginalization and vulnerability. According to Liang et al., marginalization indicates a failing of society as marginalized individuals are being underserved, underrepresented, or forgotten, whereas vulnerability may carry the connotation that the person is weak, in need of help, and burdensome.

We argue that this distinction between marginalization and vulnerability is crucial in research with older adults. Our findings show the specific ways in which older adults experience marginalization. For example, P27 shared how they struggled with technologies not designed for their needs: “The worst thing for me is manipulating that tiny [phone] keyboard . . .I have to use a stylus, with a little rubber on the end of it . . . because I just can’t cope with that little keyboard.” P12 witnessed marginalization among their peers and expressed concerns: “There are some [people] that do not join into our Zoom calls because they are afraid of the technology or they can’t afford the technology. And they are completely left out.” Negative media portrayals can exacerbate feelings of marginalization and take an emotional toll on older adults themselves. This is also supported by our findings related to cybercrime: even though very few participants experienced direct repercussions, such as unrecoverable financial losses, many shared recurring concerns and stress, often accompanied by demanding behaviors (e.g., checking financial accounts frequently and avoiding phone calls) that come with emotional labor.

Nevertheless, our research challenges the prevailing vulnerability framing of older adults with multiple layers of supporting findings. First, a few participants who were well-versed in both privacy and technology played a crucial role in supporting and influencing their peers—this suggests that broadly labeling older adults as a vulnerable group is an oversimplification. Second, almost all participants believed that older and younger adults faced equal risks of privacy violations in most scenarios; even in the case of cybercrime, which triggered the most concerns among our participants, opinions were mixed. Third, participants’ quotes and our analysis reveal that factors such as education, income, tech use, and online information disclosure influence one’s privacy vulnerability more prominently than age. While these factors may correlate with age, they more often operate independently of age. For cybercrime, participants with a stronger resistance drew the knowledge from their work background, crystallized intelligence, and prior negative experiences; participants with more challenges navigating cybercrime tended to be those with concurrent financial hardship or low tech-savviness, although being tech-savvy does not guarantee immunity to scams either.

These findings highlight the need for more comprehensive frameworks that synthesize and quantify the various factors contributing to one’s privacy vulnerability. Particularly for older adults, our findings provide empirical support to Knowles et al.’s plea to “seek design inspiration in narratives of positive aging”. This philosophy presents numerous avenues for designing privacy interventions, technologies, and education for everyone growing old, as older adults are a highly heterogeneous population with unique traits that enable interesting research and design opportunities.

5.4 Technical and Educational Implications

Our findings open up several directions for future work on privacyenhancing technologies. For example, our participants were motivated to share accounts and devices in anticipation of death and emergencies. However, some participants only became aware of this need after probing, and others were uncertain about the practical aspects of execution. We see opportunities to develop tools that support the data preparation for death specifically for older adults. Drawing from our findings and prior work on safety settings for older adults with memory concerns, such tools should enable multiple users to engage in socio-technical negotiations about agency and power (especially involving financial interests) and alleviate the anxiety that older adults may experience when contemplating their own mortality.

Besides building new tools, our research contributes insights into improving existing tools tailored to older adults’ preferences while addressing misconceptions. In the account and device sharing scenario, our participants often struggled to safely decommission old devices. Participants were more familiar with physical means of destroying a device completely, while knowing but not trusting features like a factory reset. To make a factory reset more useful and explainable, digital devices could implement more granular settings in line with the user’s goal (e.g., recycling, trading in, selling, donating it to friends or strangers) as well as more personalized advice (e.g., recommending reputable sites in the area based on the user’s location). In another scenario, online advertising, some participants found age-based targeted ads discriminatory or offensive. To address such concerns, platforms should allow users to curate a list of topics they wish to avoid in ad targeting—a suggestion also made by prior work. While some platforms already provide adjustments for specific topics like alcohol, parenting, and politics, we see the need for co-designing ad filtering features with older adults who can provide unique insights into topics that may perpetuate ageist views.

Lastly, our findings highlight the need to support older adults in learning about privacy self-defense through educational efforts. Our participants suggested specific topics for education such as password management, privacy settings, the utility of protection services (e.g., antivirus and identity theft monitoring), and device decommissioning. In developing our online self-defense workshop materials, we incorporated these topics while mirroring our participants’ mental models and language choices (e.g., disregarding the nuanced differences between security and privacy topics, and using ‘hackers’ to refer to malicious actors broadly). Going forward, there are opportunities to integrate this training into broader efforts of helping older adults build digital literacy skills such as workshops on ‘how to use smartphones’ or ‘how to find jobs online.’ Our findings suggest that community and commercial resources are reasonable starting points for deploying such training, and it might be useful to join forces with existing initiatives such as Apple’s iPhone classes for older adults. Our findings also suggest that older adults may turn to peers who are influencers and guardians—roles that a few of our participants already played— rather than acquiring new knowledge on their own. As such, a core part of training should be supporting older adults in developing self-learning and information-seeking skills, so that educational efforts are sustainable and can generate influence at scale.

Open Article as PDF

Abstract

A growing body of research has examined the privacy concerns and behaviors of older adults, often within specific contexts. It remains unclear to what extent older adults' privacy concerns and behaviors vary across contexts and whether old age is the primary factor influencing privacy vulnerabilities. To address this gap, we conducted semi-structured interviews with 43 older adults (aged 65 to 89) in the United States. Our interviews were grounded in five scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime. Our cross-contextual analysis showed that cybercrime was a recurring and pressing concern across scenarios; privacy concerns and protective behaviors were rarely mentioned in the healthcare scenario. Across all scenarios, participants' threat models and strategies revolved around data collection rather than other stages in which privacy harms may occur; they employed various active strategies to safeguard their privacy while trusting service providers to protect their information. Our findings underscore the need to revisit the discussion around privacy vulnerability and aging. Vulnerability levels among our participants varied widely and were often influenced by factors beyond age, such as tech savviness and income. We discuss opportunities for privacy interventions, technologies, and education that promote positive aging and recognize diversity among older adults.

Introduction

Older adults are increasingly using digital technologies, which can lead to privacy and security risks. Research has often presented older adults as a group that is easily affected by privacy issues, which can impact their safety and well-being. For example, older adults needing health monitoring might accept constant tracking. Those with limited digital skills might avoid technology, missing chances to learn how to manage their privacy. Even well-meaning family members can engage in "care surveillance," affecting an older adult's independence.

Privacy behaviors often depend on the situation, or "context," referring to different parts of daily life or regular routines. While there is growing research on older adults' privacy, most studies look at it generally rather than comparing it across different situations. Some research focuses on specific areas like social media or healthcare. To fill this gap, a study was conducted with 43 older adults (aged 65 to 89) in the United States. The study explored their privacy concerns, behaviors, and risks in five areas: sharing accounts and devices, healthcare, online advertising, social networking, and cybercrime.

The study found that participants consistently worried about becoming victims of cybercrime, such as scams and fraud. They felt more at risk from cybercrime than younger people, a difference not often seen in other areas. However, participants were rarely concerned about their health information in the healthcare setting, prioritizing good care and health insurance over privacy. Previous research described older adults' threats using four categories of privacy harm: data collection, processing, sharing, and invasion. This study's participants primarily focused on data collection in all situations. Unlike earlier findings that suggested older adults mostly used passive ways to protect themselves, these participants actively used various strategies, like adjusting privacy settings and carefully sharing sensitive information. They also trusted service providers to protect their privacy.

A key takeaway is the need to broaden how privacy vulnerability is understood. The findings challenge the idea that all older adults are vulnerable. Participants believed older and younger adults faced equal risks in most situations, except for cybercrime. The analysis showed that actual vulnerability differed greatly among individuals. Those who used less technology, had lower digital skills, or lower incomes experienced more actual privacy problems. Some tech-savvy participants even helped protect their communities, which goes against past negative descriptions of older adults. This research supports the idea that linking privacy vulnerability only to old age is too simple. The study concludes with suggestions for designing privacy protections, technologies, and education that highlight the positive aspects of aging.

Related Work

Privacy Vulnerability and Aging

Vulnerability is a core concept in research on human-computer interaction and privacy, highlighting how technology can worsen existing social, political, and historical unfairness. However, this term has been criticized for being disempowering and creating negative labels, especially in accessibility research. In privacy research, older adults have been called a vulnerable group. This label is sometimes supported by past studies that focus on their weaknesses, suggesting older adults are "more likely to be defrauded," "less concerned about information privacy," or "especially vulnerable to certain risks and struggle to manage them" compared to younger adults or the general public. Yet, some experts argue for moving beyond age-related limitations to focus on the wisdom and unique views of older adults. Others suggest separating age from other factors that might affect vulnerability.

Health is one such factor, as aging can lead to changes in sight, hearing, physical abilities, and thinking skills. Older adults with even mild thinking problems might struggle to spot scams or fully understand the impact of sharing personal information. Long-term disabling conditions may require the use of health monitoring technologies to live independently, which brings up privacy and ethical concerns. Declining health can also increase reliance on others, like family or professional caregivers, to manage privacy and technology use, leading to "care surveillance." In fact, fraud committed by a family member is a common type of financial abuse against older adults. Even when caregivers monitor with good intentions, too much control can limit an older adult's independence and hinder their learning about digital threats and self-protection skills.

Digital literacy is another important factor that should be considered separately from age. While younger and older adults may use technology differently, older adults are adopting new technologies and engaging in various online activities. This makes it important to examine their privacy behaviors in different situations. However, older adults might not adopt technology due to costs, poor design, lack of confidence, low interest, or fears caused by ageist stereotypes. Low levels of technology use and digital literacy can then limit one's ability to protect their privacy. This study's findings contribute to a growing body of research that emphasizes the wide range of technology use among older adults and how tech-savvy older adults often act as leaders and protectors for their peers.

Older Adults' Concerns and Behaviors

This review of existing literature is organized around the five situations explored in the interviews. The following sections highlight how the study's findings add to the current knowledge for each situation. The review also looks at previous research on how privacy concerns and behaviors differ by age, as this relates to the study's findings on privacy vulnerability.

Account and Device Sharing

Sharing digital accounts and devices is a common practice among romantic partners and in workplaces. Several studies show that older adults—especially those who are less tech-savvy, have physical or thinking problems, or live in cultures that value community—often give family members or professional caregivers access to their personal accounts and devices. This practice can create conflicts over privacy and independence.

Older adults might also share account or device access as a way to prepare their digital information to be passed on to family and friends after they die. However, preparing digital data for death has mostly been studied in younger populations. This study examined account and device sharing by older adults, considering they will face death but may feel anxious and uncertain about planning for it. Questions about public and second-hand devices were also included to compare with a previous study where older adult participants showed limited awareness of risks and concerns in these situations.

Healthcare

Past research indicates that older adults often find health monitoring technologies invasive and restrictive. However, they tend to accept these technologies as a necessary trade-off for safety, care, and the ability to live at home. Older adults generally feel comfortable with their health data being shared with doctors, caregivers, and family members, but not with unknown parties. They prefer data collection and sharing only when essential, such as in emergencies.

The interviews for this study were conducted during the COVID-19 pandemic. Beyond the direct health risks of COVID-19, the fear, stress, and loneliness from social isolation during the pandemic further affected older adults' health and well-being. This study provides updated insights into older adults' privacy concerns and behaviors related to healthcare, influenced by the COVID-19 pandemic. It also examined older adults' privacy considerations when using patient portals, a topic previously studied but rarely with a specific focus on privacy.

Online Advertising

Online advertising often targets individuals based on their internet activities, personal information, and inferred interests. Due to the complex and hidden nature of ad tracking, most consumers have limited knowledge about how much advertisers can access their personal data. Consumers may also have wrong ideas, such as confusing online tracking with malicious software. While some people find targeted ads helpful, others find them intrusive. Recent research has also looked into users' views on problematic, untrustworthy, or offensive ads.

Most studies in this area have focused on the general adult or younger populations. Limited past research involving older adults suggests they engage more with certain types of advertising, like social video ads, but are doubtful about social media-based advertising. Older adults are also especially likely to see problematic advertising, such as scams or misleading content, on platforms like Facebook. This study addressed this gap by deeply exploring older adults' privacy issues related to online advertising, particularly their understanding and attitudes toward age-based advertising.

Social Networking

While many older adults in the U.S. use social media, their usage is still lower than that of younger groups. Privacy concerns can discourage older adults from using social media, especially when these concerns outweigh potential social benefits. Some studies have found differences between older and younger adults: older adults are more worried about who can access their information, while younger generations, especially teenagers, are more concerned about how different parts of their lives merge online or how they present themselves.

Zoom and other video conferencing tools also became very popular during the COVID-19 pandemic for staying in touch. Previous work on younger users' privacy attitudes toward remote communication found that users often lack control over choosing conferencing tools and microphone/webcam use. This study examined older adults' privacy considerations for video conferencing tools and compared them to findings from before the pandemic regarding other social networking sites like Facebook, given the pandemic's impact on social behaviors.

Cybercrime

Researchers define cybercrime as "computer-assisted crime" across four categories: cyber-trespass (e.g., unauthorized system access), cyber-theft (e.g., identity theft and online fraud), cyber-obscenity (e.g., child pornography), and cyberviolence (e.g., cyberstalking). They also note a lack of standardized legal definitions in this field. Mainstream media often portrays older adults as vulnerable to cybercrime, especially cyber-theft. However, academic research findings are mixed. Some studies find that older adults are disproportionately affected by certain types of fraud, such as tech-support scams and impersonation. Other research argues there is no strong evidence of higher consumer fraud rates among older adults. Several studies suggest that susceptibility to scams or phishing attacks can be influenced by other factors such as income and gender.

Studies with older adults highlight that media portrayals increase their anxiety about spam emails and scam calls. Being defrauded impacts older adults' health and well-being regardless of financial loss, as victims experience ridicule and criticism. In one study, older adult participants held diverse views on their own vulnerabilities: some believed they were easy targets due to low technical literacy and lack of support, while others doubted that their information was valuable enough to be exploited. Unlike other sections, cybercrime is primarily linked to risks and harms, whereas other contexts like healthcare also offer clear benefits. The decision was made to include cybercrime as an interview topic due to its relevance to older adults and the age-based stereotypes surrounding it. The study aimed to uncover more detailed factors that contribute to older adults' self-perceived and actual vulnerability to cybercrime.

Age-Based Differences

Several studies have examined the privacy concerns and behaviors of older adults in North America. These studies found that older adults' concerns focused on security issues (e.g., scams and identity theft) and threats from institutions (e.g., data sold to third parties) rather than privacy between individuals. Passive strategies, such as limiting or avoiding technology, were commonly used, while active protective measures were rarer and only used after privacy violations occurred. Older adults' privacy concerns and behaviors also depend on culture: studies in countries with collectivist cultures, like India and China, have highlighted older adults' privacy management as a group activity, with family members overseeing older adults to ensure their safety.

While some prior research has generally described older adults as vulnerable to privacy risks, empirical findings on differences between older and younger adults are mixed. Some studies indicate that older adults are less likely to react to privacy risks and adopt fewer protective behaviors on social media. Other research suggests that older adults are not necessarily worse at protecting themselves; instead, they have different concerns and priorities. For example, older adults often perceive higher risks in online banking and e-commerce and are more likely to make privacy decisions based on a careful assessment of costs and benefits. Some studies have found no significant age differences in online privacy sensitivity and attention to privacy policies. These inconsistent findings may be due to different studies examining different situations and using concepts with varying levels of detail (e.g., general attitudes versus specific concerns).

Methods

To deeply explore the privacy experiences of older adults in different situations, 43 individuals aged 65 or older in the United States participated in semi-structured interviews. These interviews took place between August and October 2021, conducted through video calls or in-person meetings, based on what participants preferred. The materials used for the study, including the screening survey, interview guide, and coding manual, are available online for review.

Interview Protocol

The interview guide had two main parts:

Part 1

The interview began by asking participants about their technology ownership and use. Then, participants were indirectly asked about their privacy concerns by inquiring if they had issues with any technologies they used. If privacy concerns were not brought up, further questions were asked about what information they wished to protect and who they saw as potential threats. This sequence was designed to reduce potential researcher bias and the tendency for participants to give socially desirable answers, by placing potentially privacy-related questions toward the end and only asking them if the topic had not been raised naturally. This approach followed practices in other research dealing with sensitive topics.

Part 2

The second part focused on participants' privacy perceptions and strategies in five specific situations. These scenarios are commonly used in research to understand values and attitudes toward technology. The selection of scenarios was based on existing literature. All five situations are very relevant to the daily lives of older adults, though findings specific to older adults or privacy varied. For example, previous work on account/device sharing and online advertising mostly focused on younger populations. Healthcare and social networking have more research on older adults, but most of it was conducted before the COVID-19 pandemic, which changed how people socialize and manage health. Cybercrime is often linked to ageist stereotypes, assuming older adults are always more vulnerable, and the study aimed to compare these stereotypes with the actual experiences and perceptions of older adults.

The interview process for all scenarios followed a similar structure: first, broad questions about participants' general understanding and personal experiences, then more specific questions about concerns and protective strategies, if applicable. To assess participants' views on age-related vulnerability, they were asked, "How do you feel about your possibility of experiencing X (a negative incident) compared to those older/younger?" with X tailored to each scenario. To avoid imposing assumptions, participants' language was mirrored in follow-up questions, and understanding of their responses was confirmed. The order of scenarios was randomized for each participant to reduce the impact of the order of questions and potential fatigue. The interview concluded by asking participants for suggestions on how to help older adults protect their privacy.

Participant Recruitment and Demographics

The target group for this study was individuals aged 65 or older living in the United States, following the definition of older adults by the CDC. Various methods were used to find participants: three local senior centers, a participant pool for clinical and health research at the University of Michigan, another participant pool hosted by the Healthier Black Elders Center at Wayne State University, and snowball sampling (where current participants refer others). Most participants came from the university-hosted pools and senior centers; only three joined through snowball sampling.

Interested individuals were asked to complete a screening survey, available online, by phone, or on paper. This survey was used to confirm age and to recruit a diverse group in terms of age, race, gender, and socioeconomic status. However, individuals with serious cognitive impairments were excluded because engaging with this population requires specific procedures that could not be implemented. Non-English speakers were also excluded due to language limitations within the research team.

The interview protocol was tested with three pilot participants. Based on this pilot data, minor adjustments were made to the protocol, and an interview length of 60-90 minutes was set to ensure all scenarios were covered without causing participant fatigue. For the main data collection, the first author interviewed 43 participants. Most interviews were one-on-one; two sessions were conducted with couples who preferred to be interviewed together. Interviews continued until no new information was being gathered (data saturation). Interviews were conducted by phone, Zoom, or at one of the partner senior centers, depending on the participant's choice. Interviews lasted an average of 82 minutes. A few participants took breaks, but none withdrew from the study or expressed concerns about the interview length. Each participant received a $30 check for their time. With all participants' consent, interviews were recorded and later transcribed by a professional service.

Table 1 in Appendix A provides details on participant demographics. The 43 participants were between 65 and 89 years old (average: 72; median: 71) and were fairly balanced in gender (19 men, 23 women, one no response). Participants showed variety in income, race, and self-reported health conditions, but generally had higher education levels than the general U.S. population. Most participants lived in their own or rented homes and did not have caregivers. Seven participants used assistive devices such as wheelchairs, canes/walking sticks, and hearing aids.

Regarding technology use, most participants regularly used computers (41) and smartphones (34). More than half (26) also regularly used tablets. Using multiple devices was common: 24 used all three types of devices, and 15 used two. In comparison, in 2018, smartphones were in 84% of U.S. households, followed by desktops/laptops at 78% and tablets at 63%. This indicates that the participants' technology adoption was similar to the general population. Smart device adoption was relatively low in the sample: 11 used smart TVs, and seven used smart speakers or voice assistants.

Data Analysis

After all interview transcripts were made and checked, the first author reviewed them to create an initial coding manual. This manual combined both deductive (based on the interview guide and existing research) and inductive (based on what participants actually said) approaches. Specific codes were mostly summaries of participants' statements.

To ensure the coding process was reliable and consistent, the first and second authors each independently coded one transcript. They then met to compare codes, resolve differences, and revise the coding manual. This back-and-forth process was repeated for six transcripts until both researchers agreed that the codes were comprehensive. The two authors then used the 'training' feature in Dedoose, a tool for analyzing qualitative data, to calculate how consistently they coded before starting independent coding. The first author coded an additional 14 transcripts to ensure good coverage of each code. The second author then coded the same sections that the first author had coded. The two researchers achieved a Cohen's kappa score of 0.74 across all codes, which indicates good agreement between them. The remaining 21 transcripts were then divided and coded independently by the two researchers. The first author then applied the final coding manual to the initial six transcripts to ensure overall consistency. Other co-authors participated in discussions about the coding manual and early findings during regular meetings.

The final coding manual contained 296 codes across six main categories: one for general privacy concerns and behaviors, and five for each specific scenario. The codes within each category were organized into consistent sub-categories, such as general attitudes, specific concerns, difficulties in addressing concerns, protective behaviors, and age-based differences. This structure helped compare findings across scenarios.

Since this was a qualitative study, the focus was on describing specific themes rather than making numerical claims about their frequency. Following practices in other qualitative research, the following terms were used to give an idea of how often themes appeared: a few (0-20%), some (20-40%), about half (40-60%), many (60-80%), and almost all (80-100%).

Ethics

The study was reviewed and found to be exempt from oversight by the University of Michigan's Institutional Review Board. Following a community-based approach, participants and community partners were involved throughout the research process, aiming for a mutually beneficial experience. For instance, staff at the senior centers provided feedback on the draft interview guide to ensure the questions were appropriate. Trauma-informed practices were used during interviews, such as actively and empathetically listening when participants shared their stories, and clearly communicating options to skip questions or stop participation. As a way to give back to the community, the research insights were used to develop a series of workshops on online self-defense, which were then conducted with partner senior centers. Thirteen of the interview participants attended these workshops; all spoke positively about the experience and the relevance of the workshop topics to their concerns.

Limitations

While the qualitative approach offered deep insights into participants' real-life experiences, it had limitations. Some limitations relate to the qualitative method and how participants were selected. For example, it cannot be claimed that the sample represents all older adults in America. The main goal was not to achieve representativeness, but to capture various perspectives. Participants showed diversity in income and race, but they were geographically focused and more educated than the general U.S. population. These sample characteristics might be due to the local recruitment strategy, which was chosen to build trust with participants, reach individuals not accessible through online recruitment, and expand the reach of the workshops. Because the study was conducted in the U.S., some findings might be specific to that country or region. Caution should be used when generalizing these findings beyond the U.S., and the study creates opportunities for future similar studies in other countries with different cultural values and consumer protection systems.

Another limitation of the study relates to the interview scenarios. Cybercrime is more focused on risks and harm compared to other scenarios. However, cybercrime was included due to its high relevance to older adults' existing concerns and the age-based stereotypes surrounding this topic. It is possible that discussions about cybercrime might have prompted participants to bring up this topic in other scenarios. This was partially reduced by randomizing the order of scenarios for each participant. It was also observed that participants who discussed the cybercrime scenario later in their interviews often still mentioned it spontaneously in earlier scenarios.

Findings

First, participants' general understanding of threats and privacy concerns are discussed. Then, their concerns and behaviors for specific situations are covered. Finally, findings across all five scenarios are compared.

General Threat Models

Heightened Concerns About Financial Information

Because the concept of "privacy" can be broad, participants were asked about the specific types of information they wished to protect. About half of the participants mentioned financial information, such as bank account and credit card numbers. Some also highlighted social security numbers, a unique personal identifier in the United States. One participant, P34, identified negative events that could lead to financial loss as their main worries:

"I may not have any money. I may have an outstanding debt . . .My major concern is my identity being taken, and as a result of my identity being taken, my financial security has been compromised or has been taken away from me."

However, privacy harms include more than just financial losses; they also involve damage to reputation, emotional well-being, independence, discrimination, and more. Participants recognized these other harms less often. As P3 stated, "Financial information is probably the most relevant thing. The rest of my life is pretty much an open book . . . Somebody sees that I go on a porn site. That’s me." P18 pointed out that leaked passwords could lead to financial account compromises: "One of the big things that I worry about is somebody getting a hold of my passwords and user ID that would get them into info on my banking and other financial institutions." P15 mentioned health information but indicated it was less of a privacy concern than financial information: "I don’t worry about the portal so much . . .I’ve already got my Medicare, and so far I can’t be refused for having [my] problems . . .It’s mostly financial."

Cybercriminals as the Major Threat Actor

In line with concerns about financial information, about half of the participants identified cybercriminals as the main threat to their personal information. They used terms like "hackers," "scammers," "spammers," "people trying to steal things," and "people operating from the dark web." Some participants shared personal experiences with scams and fraudulent charges. P1 recounted news stories:

"There are lonely seniors. You’ll hear some news about a guy . . . gets hacked . . .A somewhat younger pretty lady will connect with him, and be able to access his finances . . . So, my concern is mainly [about] if they hack and get my personal information because hackers are those intelligent criminals."

A few participants identified tech companies, particularly Google/Alphabet and Meta, as another type of threat. P13 discussed the extensive data collection and merging practices these companies use: "Google captures . . . anytime you do any online shopping. That information is captured and shared between organizations. In aggregate, they can build up a pretty detailed profile view of what your interests are." P12 expressed different levels of trust in various companies, suggesting that not all tech companies are seen as equal threats:

"Microsoft, I’m not as worried about information being shared by them . . . not so much privacy. I would say anything involving the Alphabet as an organization . . .I have too many firsthand experiences that I’ve been uncomfortable with. Information is shared from one site to another without express consent. And I can’t seem to find any features that I could turn on that prevent it . . .It’s something personally I can’t trust."

Interestingly, no participant mentioned the government as a threat. In fact, a few indicated they were not concerned about government surveillance because they believed they had nothing to hide—a common but flawed argument about privacy. For example, P1 said, "I’m not a member of any political party or secret organization . . .I have no fear of the police, FBI, or any governmental agent." This lack of concern about the government contrasts with heightened concerns among other high-risk groups, such as undocumented immigrants, migrant domestic workers, and Muslim-American women, likely because the participants' identities and backgrounds did not largely overlap with these populations. Similarly, no participant identified family members or caregivers as threats, despite them being a significant source of elder fraud.

Learning from Community and Commercial Resources

Previous research involving older adults in the U.K. identified social, community, and commercial resources, as well as broadcast and digital media, as key sources of cybersecurity information. The participants in this study mentioned all five as ways they learned about privacy self-protection, with community resources, commercial resources, and media being the most popular. Regarding community resources, P22 highlighted senior center classes: "The senior center had contacts with the lawyer, and he’d come in and just discuss [the credit freeze] . . .People would ask whatever question they had." P41 identified the American Association of Retired Persons (AARP): "They have print materials . . . Zoom classes . . .If you’re a member, every month they’ll send you a newsletter."

Another source of support was commercial resources, including customer support services like AppleCare and professional tech support. For example, P28 subscribed to Geek Squad and highlighted the benefits of their regular checkups: "Once or twice a year, [we] have what they call a checkup where they just delete duplicate files . . .make sure you’ve updated all your programs, and you’ve installed everything you need." While experts no longer recommend third-party antivirus software, some participants continued to use it. P9 noted trust and brand loyalty as important factors: "I’ve used Norton for so long . . .I have trusted them with whenever it comes up for renewal. I don’t even question how they’ve been pricing." The protections offered by third-party antivirus software might be more than necessary, but they did raise participants' awareness of basic risks and encouraged good behaviors, as in P27's case:

"I have Malwarebytes, and I’m quite happy with that. I think they’ve done a fairly good job. . . . They have a newsletter every week, and it’s quite informative . . . They often tell you that there’s all this phishing going on, and to be very careful about opening some of these emails that look suspicious. And so I take them at that word, and I do just discard a lot of [emails] because they’re obviously not legitimate."

Past research, using negative language, has depicted older adults as passive information consumers who find it difficult or unnecessary to learn about cybersecurity or privacy. These findings offer a more nuanced view, as some participants acted as educators and influencers within their communities. P32 acknowledged the challenges involved in this role:

"She will want me to order something through my account. . . . She got mad at me the other day because I said I’m not doing it . . .I have done it a few times for her. But I want her to [learn]. She doesn’t want to be tech-savvy. I’m not tech-savvy, but I know . . . the only way to learn stuff is you might make a mistake."

P19 and P38 helped run computer classes at their senior centers. P38 identified common challenges among their peers, including password management and using "BCC" when sending mass emails. P19 was concerned about excluding less tech-savvy peers from educational programs:

"I’m super literate with computers . . . There are a few people like me, but not many. And as they get older, they have a harder time using the technology that’s available, but they need that technology even more . . . You’re missing a whole segment of the bell curve. Those are people who simply don’t come [to the classes]. They have home phones and they don’t use cell phone technology, and they don’t get emails."

Account and Device Sharing

Sharing Digital Assets in Preparation for Death or Accidents

About half of the participants mentioned sharing passwords, mostly with family members and sometimes with close friends. Previous research identified convenience and building trust as key reasons for password sharing among younger adults, and the participants gave similar reasons. For example, P13 shared streaming service login details with their son, and P33 shared "everything" with their partner after decades of marriage.

However, most participants' main reason for sharing was to prepare for unexpected events like death or emergencies. For example, P18 shared, "My mom and my sister have my social security number and my passwords . . .I trust [them] implicitly, and I feel better too because you’ll never know." For similar reasons, some participants also shared access to their financial accounts with family members and occasionally with a financial advisor or attorney. P8 made efforts to ensure clear communication between multiple parties:

"I take care of all my own finances. My lawyer knows where all my accounts are. And . . .my adopted son is my advocate, and he’s also my executor. So he knows . . . But he also knows where my lawyer is. And my lawyer knows where he is if something should happen."

When asked about preparing digital assets for after death, some participants had already made plans. Others, like P7, only recognized the importance of this consideration when prompted:

"If I were in a car accident and died, nobody would be able to get into my accounts, which will be bad. It would be weeks of sending mail and death certificates and wedding documents to prove that my wife is my heir and beneficiary. So I should do that. I’ll put that on my list of things sometime."

Struggles with Password Management

During discussions about account sharing, participants often highlighted password management as a repeated challenge. Unlike studies involving younger populations, participants relied more on physical methods for managing passwords: about half mentioned writing passwords down, and a few tried to rely solely on their memory. No participant felt their current password management strategies were ideal. For example, those who wrote passwords down still worried about a "single point of failure" if their password notebook were stolen. While remembering all passwords is generally difficult, P30 emphasized age-related memory decline as a specific concern:

"For important things like my banking, I want to keep going with the same one. I can’t . . . They want a different one than you’ve used in the last 10 years. I can’t remember 10 years’ worth. What I do worry about, actually, is as I get older it’s going to become harder and harder to do all that to keep track of it all."

Only a few participants, typically those with a technical background, mentioned using password managers built into their browsers and operating systems. The rate of password manager adoption was much lower compared to studies involving younger adults. Echoing previous research, P20 shared that non-adoption was due to distrust in cloud services storing their passwords:

"I do not use any of the password apps where they say you can put in all your passwords, and it’ll be secure, I just don’t trust it. In my opinion, all of these systems were created by a person, and there’s always a way . . . somebody else can figure out how to get into it."

Risk Awareness of Public and Second-Hand Devices

A specific instance of device sharing involves public devices and Wi-Fi networks, which carry risks of data leakage and Wi-Fi spoofing. This usage is particularly relevant for older adults due to their lower ownership of personal computers or smartphones, while also having communal spaces like senior centers that allow device sharing. Many participants reported using public computers and Wi-Fi networks in libraries, hotels, and shops.

In contrast to findings in a previous study, where few participants expressed concerns about public devices and Wi-Fi networks, the participants in this study (even with similar demographics) showed a heightened awareness of these risks. Although they could not always pinpoint specific negative events, they could recognize situations with increased risk. For example, P23 commented, "I think it’s easier to compromise my information [when using public devices]. I think people can get into them more easily." About half of the participants mentioned that they intentionally avoided sensitive activities, such as banking, when using public devices or Wi-Fi networks. P19 compared banking with other types of online activities in terms of sensitivity:

"If somebody wants to hack into my gaming group and screw with my pictures . . . that’s not going to kill me. So I don’t really particularly care about that as much, but I stay away from banks and things that are high security. When we’re traveling, oftentimes I’m looking up what attractions are there? What time does the museum open? . . . things that are not security-driven."

A few participants also cleared their browsing history upon exiting when using a public computer. P32 shared how they developed this habit after someone compromised their social media account when it remained signed in:

"Some years ago I did not sign out on Facebook [at libraries]. And so whoever came [next], they put a whole bunch of crazy stuff up there. And so my son called me up, ‘Ma, was it really [you]?’ ‘Where were you at?’ I said, ‘I was at the library.’ . . . So he deleted [my post] . . .Now I make sure I sign out if I’m on a public device."

The exchange of second-hand devices can also lead to data leaks. Some participants, like P6, worried about data that had not been erased: "When you get second-hand phones, they’re contaminated . . .It’s not good to buy used phones unless they’ve been cleaned or wiped." Additionally, participants lacked confidence in securely disposing of their old devices, especially when selling or donating to strangers, and desired more guidance. As P16 stated, "I have two laptops . . .just ready to go to the recycling, but I have to get the stuff off of them . . .I probably will pay to have somebody do it because I don’t know what I’m doing."

Healthcare

The findings within the healthcare context primarily focused on patient portals and smartwatches, as nearly all participants used patient portals and some used smartwatches. A few participants also mentioned using health-tracking apps, step counters, and blood pressure monitors.

Trust in Healthcare Providers and Smartwatch Manufacturers

While a few participants expressed privacy concerns about their health information, about half of the participants shared that they trusted service providers, such as hospitals and smartwatch manufacturers, to handle their health information securely. This trust is notable, considering the healthcare industry is often a victim of data breaches and data sharing between healthcare providers and social media companies for commercial purposes. Participants' trust in confidential information exchange with healthcare providers could stem from social norms and existing laws, particularly the Health Insurance Portability and Accountability Act (HIPAA). As P25 stated, "Any doctor that I’m dealing with can go to my portal and look up what other doctors have done or said . . .It’s already in there. I don’t feel that that’s being shared inappropriately."

Interestingly, P25 extended the same level of trust to smartwatch manufacturers, even though these entities are under different regulations, and wearable devices have limited protection under HIPAA. P25 said, "My Fitbit . . .it’s like a watch . . . as far as I know, there are no data to take. It’s just something I’m looking at . . . for my information only." P12 explained that their trust in smartwatch manufacturers came from positive personal experiences and social influence:

"You know that the Apple Health app . . .I have not personally heard of any episode where that recorded information was used [in]appropriately . . .I encountered a person in a focus group . . .where they were trying out the Apple Watch and recording various aspects of it. That person felt comfortable . . . and that was significant for me. I am not looking and would not be comfortable with any other entity."

Concerns About Breaches and Health-Based Discrimination

Although participants generally expressed trust in health devices and portals, some voiced concerns about the potential compromise of their health information in data breaches when prompted. As P41 said, "You kind of hear all the time where these health organizations are hacked . . . That’s a big concern, and that’s real." P9 also noted worries about health information being used for identity theft: "Somebody can get a hold of a copy of your driver’s license and your health care card and piece together enough to use it for some other purpose." In addition, some participants expressed concerns about their health information being used for advertising and insurance purposes. These concerns often overlapped with worries about discrimination based on health or age, as P5 explained:

"It seems to me that the misuse of health information is not within the healthcare world . . .it’s in the application, the decision-making of lenders and hirers . . . that would look at a health condition and determine that it’s an additional risk . . . That’s the abuse of the healthcare information that I’m concerned about."

Nevertheless, only a few participants mentioned specific protective behaviors in response to their concerns. Examples included monitoring financial statements (after receiving a healthcare breach notification) and removing prescription labels from medication bottles (to prevent medical identity theft). Overall, participants discussed far fewer privacy-protective behaviors, both in variety and frequency, in the healthcare scenario compared to other scenarios.

Online Advertising

Negative Attitudes Toward Targeted Advertising

Almost all participants had experienced targeted advertisements, and many held negative feelings about them. About half expressed frustration with the overwhelming number of annoying targeted ads. P10 voiced concern about the surveillance capitalism model that drives targeted advertising: "Every time I look at an ad, somebody knows that. And they put that data in a file somewhere that’s linked to me somehow . . . They’re going to sell that information to the manufacturer or the marketer . . . That’s bothersome." Other participants, like P17, suspected that advertisers invaded their privacy by listening to their conversations, a common misunderstanding perpetuated by inadequate ad explanations: "My son bought a patio wood-burning oven pizza maker [called] Ooni . . .We were over to his house . . . talking a lot about the Ooni . . .I get home, and I look at Facebook, and I’m being sold Ooni pizza ovens."

Consistent with previous research on the general public's mixed feelings about targeted advertising, a few participants did find targeted advertising useful and relevant. As P38 said, "I think targeting ads helps people . . .I like knowing about something that I may not have known about that fits my situation." Furthermore, some participants held relatively neutral views as they simply did not pay attention to ads or believed that their personal opinions were not easily swayed by ads. The findings also align with previous research on consumers' difficulties in understanding the full scope of online advertising. When asked about the types of information potentially used for targeted ads, about half of the participants exclusively mentioned site activities, such as browsing and search histories. Participants mainly gave examples of targeted ads in the context of cross-website tracking, showing limited awareness of other individual and demographic factors used in ad targeting. Only a few discussed factors like age, race, ZIP code, and IP address.

Experiences with Deceptive and Discriminatory Advertising

About half of the participants recounted experiences with "bad ads," particularly deceptive ads. These ads could have misleading claims and appearances, differing from consumers' actual experiences. P17, for example, described an emotionally manipulative ad:

"It was this little plastic gadget . . . that supposedly some teenage boy with autism had invented . . .And I have a special place for people with disabilities . . .I see this on Facebook . . . Totally sell me with the story. My charge card is out . . .And it comes, and it’s a piece of crap . . .And I realized, 'Oh, you dummy. You fell prey. You were such an easy target because of the autistic kid.'"

Regarding advertising specifically targeting older adults, participants identified ads on Medicare, assistive technology, and funerary services as examples. While a few participants found age-based targeting positive, as it made ads more relevant, or neutral, equating it with other targeting categories like gender, some participants like P21 found the practice discriminatory and harmful for reinforcing ageist stereotypes: "It’s annoying because it just reminds you that you’re older." In addition, P30 was concerned about older adults' vulnerability to ad scams, showing that concerns over cybercrime extended to this scenario:

"The older we get, the less astute we are in paying attention to what this really means. That puts a lot of people at risk. We’ve heard about how many people can lose their money, not necessarily scammed but buying something we really have no use for. I guess they’re free to advertise to anybody. I just don’t like it."

Protective Strategies Exist, But Rendered Ineffective

Some participants adopted an avoidance strategy when dealing with annoying or problematic ads, which typically involved ignoring them or removing them from their online feeds. This approach was particularly common among participants who held positive or neutral views about ads, as P11 explained, "All you have to do is click on the X . . . hide the ad . . .ignore it. And if there are too many ads and it annoys you, then you don’t go to those sites."

However, avoidance-focused strategies do not fundamentally stop the excessive volume of ads. Some participants mentioned clicking on ‘unsubscribe’ in marketing emails but faced challenges, as they either could not find the link or had to wait a long time before they stopped receiving unwanted emails. Adding to previous research on users' common understandings of online advertising and privacy settings, a few participants like P3 expressed distrust in the ‘unsubscribe’ feature, suspecting that clicking on it would trigger malicious software or even more spam:

"I am concerned that you can generate more dissemination of information . . . that I wouldn’t want people to have . . . [I] can’t always trust that the unsubscribe location is really going to the service that I want to unsubscribe from . . .If it’s a hacker . . . they’re gonna take the information . . . and hack you some more."

These ineffective strategies may explain why many participants felt they had limited control over what advertisers knew about them. As P4 described, their level of control was "probably none, except just avoiding." A few participants like P3 believed they had some control, but these participants were relatively experienced in using ad settings: "There’s always a setting somewhere that can be adjusted . . .It is left up to me to explore and see." P22 was the only participant who felt they had a good amount of control, although their perception was narrowly based on the information they disclosed rather than inferences made by advertisers: "I don’t put a lot out there. I think that certainly gives me an edge on not getting advertising I don’t need or don’t want."

Social Networking

While many participants used Facebook and Zoom, about half primarily connected with others through phone calls and text messages. A few participants mentioned other channels, including emails, Instagram, Messenger, Twitter, and WhatsApp.

Benefit-Risk Analysis for Adoption and Use

Similar to findings in previous research, participants carefully considered the benefits versus the risks or costs associated with specific social media platforms. While the benefits of staying connected and getting information apply to all age groups, they became more noticeable among participants during the COVID-19 pandemic, which worsened feelings of social isolation and loneliness. As such, P12 described their "calculated risk" for social media use: "The very fact that I have to use YouTube to do certain functions puts me at risk, and it’s a calculated risk . . . But we’re so isolated as it is . . .It is unhealthy not to know what’s going on in the world."

Interestingly, in contrast to previous research, participants' main concerns regarding social media use—before specifically asked about privacy—centered on disturbing or controversial content and false or misleading information. In terms of privacy-related concerns, P36 mentioned the possibility of context collapse: "If you use social media extensively, you are bound to have problems like misinterpretation . . . someone taking your post out of context." P13 disliked the practice of making money from user data, a repeated concern that also appeared in the online advertising scenario: "Facebook is notorious for sharing information and also establishing a profile . . .I don’t want to make Mark Zuckerberg any richer."

A few participants also voiced concerns about scams on social media: scams were already a recurring theme in the cybercrime scenario, but social media can increase their reach. P8, for example, shared their experience with romance scams: "I have some weird guy that sent me [pictures] . . .He sent the same picture to my daughter-in-law . . .It’s really a jungle out there." Dealing with scams and harassment was even more challenging for participants with low tech skills and low income, as in the case of P6:

"One day I got 1,000 friend requests [on Messenger] . . . but I accepted them all onto my page. Then I realized . . .I’m getting all these telephone calls [from] people trying to swagger me . . . They would call me up at two . . .in the morning and say, ‘Hi, handsome. How are you?’"

Limited Risk Perceptions of Zoom

Zoom, a video conferencing service, saw a significant increase in users during the COVID-19 pandemic. Half of the participants mentioned adopting Zoom during the pandemic to meet their social, informational, and educational needs. A few shared concerns about "Zoombombing," and P9 even experienced it firsthand: "There [was] this particular conversation that the council is having. And dirty pictures popped up. And then they had to shut down the Zoom thing."

Nonetheless, participants who had heard of Zoombombing but had not experienced it personally expressed limited concerns, believing they would not be targeted. P36 shared, "I don’t think we will attract the attention of the criminals. . . .It’s only the doctor and myself. So what is there to bomb? You want [to] bomb into a Zoom with 20 CEOs and the president of the United States." Similarly, P7 speculated that Zoom would not collect excessive data due to its business model: "Why would they record a meeting amongst a family of four? They’re not going to be able to monetize that." However, Zoom has faced controversy for falsely claiming end-to-end encryption while engaging in data exchanges with Facebook for financial gain. These problematic data practices rarely influenced participants' usage and trust in the platform. A few participants like P14 further mentioned relying on Zoom and its partner institutions for data protection: "You heard so much about Zoom over the last two years that you figure, well, it’s got to be a reasonable company. Hopefully, they have security measures in place."

Skills and Confidence in Self-Protection

In response to their concerns, participants actively used protective strategies instead of relying on passive measures. P11 mentioned the option to limit their profile visibility: "You can restrict your profile pretty well. So I do. You can’t see my friends." P28 described being careful about sharing sensitive information: "I normally don’t post it while we’re away. I wouldn’t want to advertise to the world that we’re going to be out of town for a week." P2 would block or unfriend someone in the case of scams or interpersonal conflicts: "If I find people that are offensive . . .I will stop following them." Some participants also adjusted their Zoom settings, such as muting themselves as needed and using a virtual background, similar to findings from previous research with younger populations. Most of these proactive strategies reflected participants' effectiveness in navigating regular privacy settings on social media.

As in the online advertising scenario, participants' perceived level of control over their information on social media was closely linked to their confidence in configuring privacy settings. Many participants felt they had some control. Some participants like P39 even stated they had total control, although this perception—similar to that in the online advertising scenario—was primarily based on their knowledge of what they proactively shared rather than the hidden inferences and data exchanges: "I’m in control of what I put out there . . .If you put out everything, you expect to have some fallout . . .I don’t put out personal stuff."

Cybercrime

Concerns and Negative Experiences with Scams and Fraudulent Charges

While previous research has identified cybercrime as a growing issue for older adults, the findings reveal older adults' specific concerns about certain types of cybercrime, both when directly asked and when mentioned voluntarily. When asked about their first thoughts on the term 'cybercrime,' some participants mentioned hacking attempts targeting government agencies and companies, while others focused on cybercrime targeting individuals. For example, P21 was concerned about account compromises leading to financial loss: "I do have some concerns about somebody stealing . . . not just your bank account, but your investments." P42 highlighted concerns about scams: "I think about a lot of the scam emails that I’ve been getting."

About half of the participants reported receiving scam calls or phishing emails, with most successfully avoiding becoming victims. Out of the 43 participants, only three had experienced financial losses that could not be recovered. One possible factor contributing to participants' increased susceptibility to exploitation is current financial hardship, as P32 recalled their experiences:

"I was getting these text messages . . . to be like a mystery shopper . . .I received a check for about $1,500 . . . So I went to the bank . . . showed them the check. . . .And I was broke. And then she [bank manager] told me that it was a scam . . . That is how they get you because you’d be thinking about the money [when you’re broke]."

Participants' vulnerability to scam attempts also relates to their level of digital literacy. P26, who considered themselves "computer illiterate," suspected their identity was stolen without recognizing it was a social security scam: "I got a call from the government that said somebody in Texas is using my social security number to extrapolate the funds out of bank . . .Maybe I have been a victim." Nevertheless, having a technical background did not guarantee immunity to scams, as in the case of P43, who ran a computer supply company but once lost $150 to a ransomware scam:

"We had our computer locked up by a software company . . . They sold us a software package for $150 that would guarantee that we would not have our system locked up. And when I called the Geek Squad . . . they said all we had to do was just click on the control, alt, delete, and that would have restored us."

Perceived Higher Vulnerability Among Older Adults

Since previous literature and news media have portrayed older adults as easy targets for cybercrime, participants were asked about their perceptions of age-related vulnerability to cybercrime. About half of the participants believed that older adults were more vulnerable and identified factors that could contribute to this higher vulnerability. They noted that older adults "are naive with respect to technology" (low tech-savviness), "believe everything that they see" (too trusting), and "are more susceptible to [scammers] working on our emotions, like the grandparent scam . . . Seniors are lonely and just want somebody to talk to" (subject to emotional manipulation). Interestingly, participants often used "they" when referring to older adults and rarely considered their own vulnerability. For instance, P33 was confident in their own resistance to cybercrime but expressed concern for others: "I don’t see why anybody would want to go after me . . .I’m not really worried about myself . . . There are a lot of [older] people that don’t know or get scammed. That worries me."

While the idea that older adults are more vulnerable to cybercrime is the common view, some participants believed that vulnerability to cybercrime is independent of age. P19, for instance, attributed cybercrime vulnerability to individual habits of sharing information: "If you’re careful and you don’t expose yourself, I think you’re going to be safer than if you just put your information out there willy-nilly." Interestingly, a few participants considered younger adults more vulnerable due to more careless online behavior. As P14 said, "The younger people spend so much time on their devices . . . They’re savvy . . . but sometimes, you just think these people are not paying attention to what kind of danger they’re putting themselves in."

Adopting Protective Strategies

Participants shared a variety of strategies to protect themselves against cybercrime. The most common ones included frequently monitoring financial accounts, avoiding phone calls from unknown numbers or in general, and looking for common signs of phishing attempts, such as checking the sender's email address. These strategies aligned with established expert advice for online safety and did not require advanced technical skills. A strategy unique to older adults was relying on their accumulated knowledge and skills acquired throughout life, rather than the rapid problem-solving abilities of younger adults. In participants' own words, they relied on "common sense" developed over decades, as described by P35:

"When someone comes to me asking questions about something I said that I did not put out to the public . . . that’s a big red flag and an automatic delete . . . Because I’m older and already have . . . a whole bag of tricks from these many years of living."

Participants' ability to recognize scams could also come from their professional background. P28, for instance, had worked for the Internal Revenue Service and was able to quickly react to tax scams:

"I once got a call from someone who said they were from IRS and they said . . .if we didn’t make a payment, there would be a warrant out for our arrest. I said, ‘Well, I work for IRS and I know you’re not from IRS. So I think you better stop what you’re doing.’ . . .And I hung up and report it."

Participants also described learning protective strategies through direct experiences with scams, echoing previous research on security advice and behavior. For example, P31 shared:

"The guy said that he was working for Amazon . . .He was able to put [a charge] back into my account . . . But in the meantime, I noticed that . . .when he took control, he started going into different information . . .And then something dawned on me. I said, ‘Well, wait a minute. Why are you going through all these steps?’ . . .A red flag would be when they start asking you for your financial information. I learned that now, because after this investigation, I was told by my financial institution never [to] give out your financial information."

However, participants' strategies were not perfect and sometimes led to unnecessary difficulties or feelings of helplessness. P26, for example, changed their phone number to avoid excessive spam calls, unaware of other strategies like blocking specific numbers or registering on the national Do Not Call list, which do not require changing one's number. P20 shared their reliance on service providers, such as credit card companies and identity theft monitoring vendors, for handling scams rather than self-protection: "I would trust that the credit card company would tell me . . .Other than they tell me, throw that card away . . .we’ll send you a new one, I don’t think there’s anything I personally can do."

Cross-Contextual Insights

After presenting findings for each scenario, common themes, similarities, and differences across scenarios are discussed.

Heightened and Cross-Scenario Concerns About Cybercrime

The findings highlight cybercrime as a significant and recurring concern for participants across all situations. In the initial general discussions about privacy, cybercriminals already emerged as the main threat. Participants' definitions and concerns regarding cybercrime focused on scams, fraud, phishing attacks, fraudulent charges, and identity theft. These definitions largely align with the categories of cyber-trespass and cyber-theft. Importantly, cybercrime concerns and experiences were widespread across scenarios. Participants discussed worries about identity theft fueled by health information, being victimized by advertising fraud, and encountering scams or harassment on social media, even before cybercrime was specifically addressed.

Regarding vulnerability, cybercrime was the only scenario where a significant number of participants felt their age group was more vulnerable than younger generations. Although participants rarely saw themselves as more vulnerable than others (a possible sign of optimism bias), they often expressed concerns for other older individuals. Conversely, in the other scenarios, almost all participants believed that vulnerability was equally distributed across age groups and identified various factors contributing to increased vulnerability regardless of age. For instance, P10 identified health conditions and patient portal use as factors contributing to health-related privacy risks: "I do have medical issues, I’m in and out of the patient portal more than a lot of people . . .I think the more you use a system, the higher the risk of being compromised." P11 emphasized the importance of education level in dealing with problematic advertising: "Somebody with less education might be distracted by these ads, whatever their age is. . . .Have you learned to research? Have you learned critical thinking? . . . Just don’t follow what people tell you."

Limited Concerns and Options for Protecting Health Information

Participants expressed the fewest privacy concerns in the healthcare scenario. Unlike other situations where participants readily identified threats and specific concerns without prompting, participants generally did not discuss healthcare-related privacy issues until asked. This might be due to the relatively hidden nature of health information misuse, especially when discrimination is involved. None of the participants had personally experienced medical fraud or any associated financial losses. Participants' perceptions may also have been shaped by news media—a common source of information—which provides limited coverage of security and privacy events in the healthcare industry.

In contrast to the wide range of protective strategies seen in other scenarios, participants shared fewer strategies for safeguarding their health information. However, this limited action should not be confused with a lack of care. As age-related health issues arise, older adults may have more frequent doctor's visits, naturally building trust in their healthcare providers. While people might switch service providers after negative privacy experiences like a data breach, most patients reasonably make decisions based on cost, coverage, and quality of care when choosing healthcare providers. The "notice and choice" framework for protecting individual privacy has long been criticized for putting the burden of self-protection on consumers, and these shortcomings become even more problematic in the healthcare sector, where consumers often have limited or no choice.

Concerns and Behaviors Centered on Information Collection

A classification of privacy harms divides them into four stages: information collection, information processing, information dissemination, and invasion. A previous study also described older adults' threat models using these four stages. However, participants' primary concerns and strategies in this study mostly focused on the information collection stage. For instance, some participants discussed limiting content or profile visibility in the social networking scenario and avoiding interactions with ads in the online advertising scenario. In both cases, participants' perceived control was linked to how much information they explicitly shared with other users and service providers. They felt more in control knowing they did not "put much out there." Only a few tech-savvy participants (e.g., P10 and P12) shared concerns about how companies gathered and inferred information from collected data. Very few participants mentioned concerns about information dissemination, except when discussing health-based discrimination, where sharing sensitive health information could jeopardize their health benefits.

Trust in Service Providers

Participants' trust in various service providers was a repeated theme across scenarios. This included trusting banks and credit card companies to detect and resolve fraudulent charges, trusting healthcare providers and wearable device manufacturers to protect health information, and trusting Zoom and partner institutions to ensure the security of video conferencing data. This trust is shaped by positive experiences with service providers, a lack of awareness regarding certain threats, and limited options for self-protection. Previous research has shown older adults' trust in healthcare professionals and their preference for discussing health in depth with a person rather than non-human sources. In contrast, these findings suggest that older adults' trust extends beyond personal contacts to include healthcare-related technology platforms, such as patient portals and video conferencing tools that facilitate virtual doctor's appointments.

Trust in service providers, particularly in the healthcare scenario due to older adults' health needs, can be reasonable. However, there is a risk that excessive trust leads to delegating or even abandoning useful protective strategies. For instance, one might have limited control over how information in their health portal is used, but they can take steps after a breach occurs. In contrast, regarding cybercrime, many alternative measures can be taken to actively fight threats, such as using secure mobile payments to limit card fraud and placing credit freezes to reduce credit fraud, rather than relying solely on protections provided by financial institutions.

Discussion

Comparisons with Prior Work

Consistent with previous research, participants raised security-related concerns, such as scams and identity theft, even when explicitly asked about online privacy. This suggests that participants view security and privacy as interchangeable concepts, aligning with other research that highlights the diverse definitions of privacy and potential differences between expert and user understandings. In contrast to prior studies that emphasized older adults' reliance on passive protection strategies, participants in this study used various active coping strategies, such as configuring privacy and authentication settings and being cautious when sharing sensitive information.

The findings also confirm and expand on previous research conducted within individual situations. For instance, older adults' privacy concerns and behaviors on social media have been extensively studied. The findings align with previous work on common protective strategies, but this study also uncovered new insights prompted by the COVID-19 pandemic, as participants shared their adoption of Zoom and other video conferencing tools. Participants were skilled at navigating relevant privacy settings and expressed greater trust in service providers compared to more traditional social media platforms like Facebook.

Contrary to previous research, participants showed more awareness of risks when using public and second-hand devices than those in a past study. Additionally, unlike previous studies that highlighted older adults' negative perceptions of health monitoring technologies, participants in this study expressed limited privacy concerns about their health information. However, it is important to consider this finding within the context of the sample, as most participants lived independently and were not using technologies traditionally considered invasive, such as in-home activity sensors and always-on web cameras.

While this study did not quantitatively compare privacy vulnerability between older and younger adults by recruiting both groups—making its findings less comparable to prior work that has done so—the findings add more detail to the negative portrayals of older adults. Participants' vulnerability varied and could not be simply attributed to age. This difference could stem from the sample, as participants were recruited locally, and some from senior centers might have learned about privacy self-protection there. However, it is also likely that the cross-situational interview approach and specific questions about participants' self-perceived vulnerability contributed to the new and different findings.

Contextual Effects of Privacy Concerns

Previous work emphasizes the role of the situation in understanding privacy concerns: "Individuals can, depending on the situation, exhibit anything ranging from extreme concern to apathy about privacy." A theory of contextual integrity similarly states that societal norms, which shape people's perceptions of what is private versus public, vary across different situations. The findings support the importance of context to some extent, as shown by concerns unique to certain situations, such as health-based discrimination in healthcare and password compromises in account/device sharing. Nevertheless, it is also observed that privacy concerns are not entirely dependent on context, as certain concerns cross over between situations. Specifically, cybercrime was a pressing concern among participants, as they shared related worries not only in the cybercrime scenario but also in healthcare, online advertising, and social networking scenarios. Another cross-contextual concern relates to surveillance capitalism, mentioned in both the online advertising and social networking scenarios, as participants expressed discomfort with the widespread collection and monetization of personal data by advertisers and social media platforms.

These findings highlight the need for further research to qualitatively and quantitatively differentiate privacy concerns at the population, context, or individual level. For example, the findings already show some population-level differences qualitatively: none of the participants identified the government as a threat, unlike other high-risk populations who have heightened concerns about government surveillance. Other research has also contributed to this direction quantitatively, such as work that compares the digital security experiences of four at-risk groups (including older adults) and a theory that explains how contexts influence privacy concerns and behaviors. Notably, it is observed that even within the same context, participants' concerns and vulnerabilities varied significantly and were shaped by many individual factors beyond age.

Rethinking Privacy Vulnerability and Aging

Given the growing research on specific groups who experience disproportionate privacy harms, it is important to consider the subtle differences between marginalization and vulnerability. Marginalization indicates a societal failure where individuals are underserved, underrepresented, or forgotten, while vulnerability may imply that a person is weak, needs help, and is a burden.

This distinction between marginalization and vulnerability is crucial in research involving older adults. The findings show the specific ways older adults experience marginalization. For example, P27 shared struggles with technologies not designed for their needs: "The worst thing for me is manipulating that tiny [phone] keyboard . . .I have to use a stylus, with a little rubber on the end of it . . . because I just can’t cope with that little keyboard." P12 witnessed marginalization among peers and expressed concerns: "There are some [people] that do not join into our Zoom calls because they are afraid of the technology or they can’t afford the technology. And they are completely left out." Negative media portrayals can worsen feelings of marginalization and take an emotional toll on older adults themselves. This is also supported by findings related to cybercrime: even though very few participants experienced direct negative consequences, such as irreversible financial losses, many shared recurring concerns and stress, often accompanied by demanding behaviors (e.g., checking financial accounts frequently and avoiding phone calls) that involve emotional effort.

Nevertheless, this research challenges the common framing of older adults as vulnerable with multiple supporting findings. First, a few participants who were very knowledgeable about both privacy and technology played a crucial role in supporting and influencing their peers. This suggests that broadly labeling older adults as a vulnerable group is an oversimplification. Second, almost all participants believed that older and younger adults faced equal risks of privacy violations in most situations. Even in the case of cybercrime, which caused the most concerns among participants, opinions were mixed. Third, participants' statements and the analysis reveal that factors such as education, income, technology use, and online information disclosure influence one's privacy vulnerability more significantly than age. While these factors may correlate with age, they often operate independently of it. For cybercrime, participants who showed stronger resistance gained knowledge from their work background, accumulated wisdom, and past negative experiences. Participants who faced more challenges navigating cybercrime tended to be those with concurrent financial hardship or low tech-savviness, although being tech-savvy does not guarantee immunity to scams.

These findings highlight the need for more comprehensive frameworks that combine and measure the various factors contributing to an individual's privacy vulnerability. Particularly for older adults, the findings provide empirical support for the call to "seek design inspiration in narratives of positive aging." This approach offers numerous paths for designing privacy interventions, technologies, and education for everyone as they age, given that older adults are a very diverse population with unique qualities that create interesting research and design opportunities.

Technical and Educational Implications

The findings open several new avenues for future work on technologies that enhance privacy. For example, participants were motivated to share accounts and devices in anticipation of death and emergencies. However, some participants only became aware of this need after being asked, and others were uncertain about how to actually do it. There are opportunities to develop tools that specifically support preparing data for after death for older adults. Drawing from these findings and previous research on safety settings for older adults with memory concerns, such tools should allow multiple users to engage in social and technical discussions about autonomy and control, especially involving financial interests. They should also reduce the anxiety older adults may experience when contemplating their own mortality.

Besides creating new tools, this research offers insights for improving existing tools tailored to older adults' preferences while addressing misunderstandings. In the account and device sharing scenario, participants often struggled to safely dispose of old devices. Participants were more familiar with physical methods of completely destroying a device, and while they knew about features like a factory reset, they did not trust them. To make a factory reset more useful and understandable, digital devices could implement more specific settings aligned with the user's goal (e.g., recycling, trading in, selling, donating to friends or strangers) as well as more personalized advice (e.g., recommending reputable local sites based on the user's location). In another scenario, online advertising, some participants found age-based targeted ads discriminatory or offensive. To address such concerns, platforms should allow users to create a list of topics they wish to avoid in ad targeting, a suggestion also made in previous research. While some platforms already allow adjustments for specific topics like alcohol, parenting, and politics, there is a need to design ad filtering features with older adults who can offer unique insights into topics that might reinforce ageist views.

Lastly, the findings highlight the need to support older adults in learning about privacy self-defense through educational efforts. Participants suggested specific topics for education, such as password management, privacy settings, the usefulness of protection services (e.g., antivirus and identity theft monitoring), and device disposal. In developing the online self-defense workshop materials, these topics were included, reflecting participants' understandings and language choices (e.g., disregarding subtle differences between security and privacy topics, and using 'hackers' to broadly refer to malicious actors). Moving forward, there are opportunities to integrate this training into broader efforts to help older adults build digital literacy skills, such as workshops on 'how to use smartphones' or 'how to find jobs online.' The findings suggest that community and commercial resources are good starting points for delivering such training, and it might be helpful to collaborate with existing initiatives, such as Apple's iPhone classes for older adults. The findings also indicate that older adults may turn to peers who act as influencers and protectors—roles that a few participants already played—rather than learning new knowledge on their own. Therefore, a key part of training should be supporting older adults in developing self-learning and information-seeking skills, so that educational efforts are sustainable and can have a widespread impact.

Open Article as PDF

Abstract

A growing body of research has examined the privacy concerns and behaviors of older adults, often within specific contexts. It remains unclear to what extent older adults' privacy concerns and behaviors vary across contexts and whether old age is the primary factor influencing privacy vulnerabilities. To address this gap, we conducted semi-structured interviews with 43 older adults (aged 65 to 89) in the United States. Our interviews were grounded in five scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime. Our cross-contextual analysis showed that cybercrime was a recurring and pressing concern across scenarios; privacy concerns and protective behaviors were rarely mentioned in the healthcare scenario. Across all scenarios, participants' threat models and strategies revolved around data collection rather than other stages in which privacy harms may occur; they employed various active strategies to safeguard their privacy while trusting service providers to protect their information. Our findings underscore the need to revisit the discussion around privacy vulnerability and aging. Vulnerability levels among our participants varied widely and were often influenced by factors beyond age, such as tech savviness and income. We discuss opportunities for privacy interventions, technologies, and education that promote positive aging and recognize diversity among older adults.

Introduction

Older adults are increasingly using digital technologies, which can expose them to privacy and security risks. Previous research often described older adults as easily targeted, facing problems that severely affect their safety and well-being. For instance, older adults with health issues might need health monitoring tools for independent living, accepting constant tracking. Those with limited digital skills might avoid technology, missing chances to learn how to manage privacy and protect themselves. Family members, even with good intentions, might watch over older adults, which can reduce their independence.

People's privacy habits change depending on the situation, or "context," which refers to different parts of life or normal routines, according to the theory of contextual integrity. While there is more research on older adults' privacy, most studies look at the topic broadly instead of comparing different situations. Some studies focus on a single area, like social media or healthcare. To fill this gap, a study used a cross-contextual method to see how much older adults' privacy worries and actions are shaped by the situation. Researchers conducted a qualitative study with 43 older adults (aged 65 to 89) in the United States. The study explored their privacy concerns, actions, and vulnerabilities across five interview scenarios: sharing accounts and devices, healthcare, online advertising, social networking, and cybercrime.

The study found that across all five situations, participants consistently expressed worries about becoming victims of cybercrime, such as scams and fraud, often without being asked. They felt more likely to be targeted by cybercrime than younger people, a difference rarely noted in other situations. In contrast, participants were seldom concerned about their health information in healthcare situations, prioritizing good care and health insurance over privacy. Previous work has described older adults' threats using four categories of privacy harm: data collection, processing, sharing, and invasion. However, the study participants' concerns and protective actions across all situations mainly focused on data collection. Unlike prior studies that highlighted older adults relying on passive ways to reduce risks, the participants used various active methods (like changing privacy settings and carefully sharing private information) while trusting service providers to protect their privacy.

A key takeaway from these findings is the need to broaden the discussion about privacy vulnerability. The results challenge the idea that all older adults are a vulnerable group. Participants believed that older and younger adults faced equal risks in most situations (except for cybercrime). The analysis showed that actual vulnerability varied greatly among individuals, with those having less technology use, digital knowledge, and income experiencing more real privacy harms. Some tech-savvy participants acted as protectors for their communities, which goes against earlier stories that focused on older adults' weaknesses. This research supports the idea that attributing privacy vulnerability only to old age is too simple. The study ends with suggestions for creating privacy-protecting tools, technologies, and education that also recognize the positive aspects of aging.

Related Work

Privacy Vulnerability and Aging

Vulnerability is a core concept in human-computer interaction (HCI) and privacy research centered on people. It highlights how technology systems can continue social, political, and historical unfairness. However, the term has faced criticism for being disempowering and promoting negative stereotypes, especially in accessibility research. In privacy research, older adults have been labeled as a vulnerable group. This label is sometimes supported by past studies that focus on weaknesses, suggesting older adults are "more likely to be victims of fraud," "show less concern about information privacy," or are "especially open to certain risks and have trouble reducing them" compared to younger adults or the general population. However, some researchers advocate moving beyond age-related limitations and instead focusing on the wisdom and unique perspectives of older adults. Other scholars suggest the importance of separating age from other factors that might influence one's vulnerability.

One such factor is health, as aging can bring changes to senses, physical abilities, and thinking. Older adults with mild thinking problems might struggle to spot scams or fully understand what sharing personal information means. Ongoing health issues might require using health monitoring technologies to stay physically independent. Adopting such technologies introduces privacy and ethical concerns. Declining health can increase a person's reliance on others, like family members, neighbors, and professional caregivers, to manage their privacy and technology use, leading to "care surveillance." In fact, fraud by a family member is a common type of financial abuse of older adults. Even when caregivers begin monitoring with good intentions, too much control can limit older adults' independence and prevent them from learning about digital threats and self-protection skills.

Digital literacy is another important factor that should be looked at separately from age. While younger and older adults may use technology differently, older adults are adopting new technologies and engaging in various online activities. This makes it important to examine their privacy behaviors across different situations. However, older adults might not use technology due to costs, inappropriate design, low confidence in their abilities, lack of interest, and fears driven by age-based stereotypes. Low levels of technology use and digital literacy can then limit one's ability to protect their privacy. These findings add to a growing body of research that emphasizes the wide range of technology use among older adults and how tech-savvy older adults often act as leaders and protectors for their peers.

Older Adults’ Concerns and Behaviors

This review of existing literature is organized around the five situations explored in the interviews. The discussion below highlights how the study's findings contribute to the current understanding for each situation. Additionally, previous research on age-based differences in privacy concerns and behaviors is examined, as it relates to the study's findings on privacy vulnerability.

Account and Device Sharing

Sharing digital accounts and devices is a common practice among romantic partners and in workplaces. Several studies show that older adults, especially those less comfortable with technology, with physical or mental challenges, or living in cultures that value community, often give household members or professional caregivers access to their personal accounts and devices. This practice can create conflicts regarding privacy and independence.

Older adults might also share account or device access to prepare their digital information to be passed on to family and friends after they die. However, this practice of preparing digital data for death has mostly been studied in younger populations. This study examined account and device sharing by older adults, considering they will face the prospect of death but may feel anxious and unsure about planning for it. Questions about public and used devices were also included for comparison with a study by Frik et al., where older adult participants showed limited awareness of risks and concerns in these situations.

Healthcare

Past research has shown that older adults often find health monitoring technologies intrusive and restrictive, but they tend to accept these technologies as a necessary trade-off for safety, care, and living independently. Older adults generally feel comfortable with their health data being shared with doctors, caregivers, and family members, but not with unknown parties. They prefer data collection and sharing only when needed, such as in emergencies.

The interviews for this study took place during the COVID-19 pandemic. Beyond the direct health risks of COVID-19, the fear, stress, and loneliness from social isolation during the pandemic further affected older adults' health and well-being. This study provides updated insights into older adults' privacy concerns and behaviors related to healthcare, shaped by the COVID-19 pandemic. The study also examined older adults' privacy considerations when using patient portals, a topic that has been studied but rarely with a specific focus on privacy.

Online Advertising

Online advertising often targets individuals based on their online activities, personal information, and guessed interests. Because ad tracking is complex and not always clear, most consumers have limited knowledge about how much advertisers can access their personal data. Consumers might also have wrong ideas, such as confusing online tracking with computer viruses. While some people find targeted ads helpful and relevant, others find them intrusive and unsettling. Recent work has also looked into how users perceive ads that are problematic, untrustworthy, or unpleasant.

Most studies in this area have focused on the general adult population or younger people. Limited previous work involving older adults has indicated that they engage more with certain types of advertising, like social video ads, while being doubtful about social media-based advertising. Older adults are especially likely to see problematic advertising, such as scams or misleading content, on platforms like Facebook. This study addressed this gap by deeply exploring privacy issues of online advertising with older adults, particularly their understanding and feelings about age-based advertising.

Social Networking

The use of social media among older adults in the U.S. continues to grow, but older adults still use it less than younger groups. Privacy concerns can discourage older adults from using social media, especially when these concerns outweigh the potential social benefits. Some studies have found differences between older and younger adults: older adults are more worried about who can access their information, while younger generations, especially teens, are more concerned about different parts of their lives mixing online or how they present themselves.

Zoom and other video conferencing tools also became popular during the COVID-19 pandemic for staying connected. Previous work on younger users' privacy attitudes toward remote communications found that users lack control over choosing conferencing tools and microphone/webcam use. This study examined older adults' privacy considerations regarding video conferencing tools and compared them to findings from before the pandemic about other social networking sites like Facebook, given the pandemic's impact on people's social behaviors.

Cybercrime

Bossler and Berenblum define cybercrime as "computer-assisted crime" across four categories: cyber-trespass (e.g., unauthorized system access), cyber-theft (e.g., identity theft and online fraud), cyber-obscenity (e.g., child pornography), and cyberviolence (e.g., cyberstalking). They also note a lack of standardized legal definitions in this field. Mainstream media often portray older adults as vulnerable to cybercrime, especially cyber-theft. However, findings from academic literature are mixed. Simons et al. find that older adults are disproportionately victimized by certain types of fraud, such as tech-support scams and impersonation. Ross et al. argue that there is no strong evidence of higher consumer fraud rates among older adults. Several studies suggest that susceptibility to scams or phishing attacks can be influenced by other factors such as income and gender.

Studies with older adults highlight that media portrayals increase their anxiety about spam emails and scam calls. Being defrauded impacts older adults' health and well-being regardless of financial loss, as victims experience ridicule and blame. In Frik et al.'s study, older adult participants held diverse views on their own vulnerabilities: some believed they were easy targets due to low technical literacy and lack of support, whereas others doubted that their information was valuable enough to be exploited. Unlike the previous sections, cybercrime is mainly linked to risks and harms, while other contexts like healthcare also offer clear benefits. The decision was made to include cybercrime as an interview scenario given its relevance to older adults and the age-based stereotypes around cybercrime. The researchers were particularly interested in uncovering more detailed factors that contribute to older adults' self-perceived and actual vulnerability to cybercrime.

Age-Based Differences

Several studies have examined the privacy concerns and behaviors of older adults in North America: older adults' concerns centered on security issues (e.g., scams and identity theft) and threats from institutions (e.g., data sold to third parties) rather than privacy between individuals. Passive strategies (like limiting or avoiding technology use) were commonly used, while active risk reduction strategies were rarer and only triggered by privacy violations. Older adults' privacy concerns and behaviors also depend on their culture. Studies in countries with community-focused cultures, like India and China, have highlighted older adults' privacy management as a group effort, with household members watching over older adults to ensure their safety.

While some previous research has described older adults as generally vulnerable to privacy risks and violations, empirical findings on differences between older and younger adults are mixed. Some studies indicate that older adults are less likely to react to privacy risks and adopt fewer protective behaviors on social media. Other research suggests that older adults are not necessarily worse at protecting themselves; rather, they have distinct concerns and priorities. For example, older adults often perceive higher risks in online banking and e-commerce and are more likely to make privacy decisions based on a privacy calculation. Some studies have found no significant age differences in online privacy sensitivity and attention to privacy policies. These inconsistent findings may be due to different studies examining different contexts and using constructs with different levels of detail (e.g., general attitudes versus specific concerns).

Methods

To explore the privacy experiences of older adults both within and across various situations, researchers conducted semi-structured interviews with 43 individuals aged 65 or older in the United States. The interviews took place between August and October 2021 and were conducted using video calls and in-person meetings, based on participants' preferences. The study materials, including the screening survey, interview guide, and codebook, are available online for review.

Interview Protocol

The interview guide had two main parts:

Part 1: Researchers started by asking participants to describe their technology ownership and use. Then, they indirectly asked about participants' privacy concerns by asking if they had issues with any technologies they used. If privacy concerns were not brought up, further questions were asked about what information they wanted to protect and who they saw as potential threats. This sequence was designed to reduce possible researcher bias and social desirability bias by asking potentially priming privacy questions only if the participant had not already raised these topics, following practices in other work that also dealt with sensitive subjects.

Part 2: Researchers then deeply explored participants' privacy perceptions and strategies in five different situations. Scenarios are commonly used in HCI research to explore values and attitudes toward technology. The selection of scenarios was based on the literature review in Section 2.2. All five scenarios are highly relevant to the daily lives of older adults, although findings specific to older adults and/or privacy varied. Specifically, previous work on account/device sharing and online advertising has mainly focused on younger populations. Healthcare and social networking have more research specific to older adults, but most of it was conducted before the COVID-19 pandemic, which changed how people socialize and manage health issues. Cybercrime is often associated with age-based stereotypes (assuming older adults are always more vulnerable), and the researchers wanted to compare these stereotypes with the actual experiences and perceptions of older adults.

The interview process for all scenarios followed a similar pattern: first, broad questions about general understanding and personal experiences, then questions about more specific concerns and protective strategies (if applicable). To assess participants' perceptions of age-related vulnerability, the question "How do you feel about your possibility of experiencing X (a negative incident) compared to those older/younger?" was asked, with X tailored to each scenario. To avoid imposing preconceived notions, participants' language was mirrored in follow-up questions, and understanding of their responses was confirmed with them. The order of scenarios was randomized for each participant to reduce order effects and potential tiredness towards scenarios discussed later. The interview concluded by asking participants for suggestions on how to support older adults in protecting their privacy.

Participant Recruitment and Demographics

The target group included individuals aged 65 or older living in the United States, following the CDC's definition of older adults. Various channels were used to recruit participants: three local senior centers, a participant pool for clinical and health research at the University of Michigan, another participant pool hosted by the Healthier Black Elders Center at Wayne State University, and snowball sampling. The majority of participants came from the university-hosted pools and senior centers; only three participants joined the study through snowball sampling.

Interested individuals were asked to complete a screening survey, available in several formats (online, phone, and paper). The screening survey was used to verify the age requirement and to recruit a diverse sample across age, race, gender, and socioeconomic status. However, individuals with severe cognitive impairments were excluded because working with this population requires specific procedures that could not be implemented. Non-English speakers were also excluded due to limitations in the research team's language abilities.

The interview protocol was tested with three pilot participants. Based on the pilot data, minor adjustments were made to the interview protocol, and an interview duration of 60-90 minutes was set to ensure all scenarios were covered without causing participant fatigue. For the main data collection, the first author conducted interviews with 43 participants. Most interviews were one-on-one; two sessions were with couples who preferred to be interviewed together. Interviews continued until data saturation was reached. Interviews were conducted via phone, Zoom, or at one of the partnering senior centers, depending on the participant's choice. Interviews lasted 82 minutes on average. A few participants took breaks during the interview, but none withdrew from the study or expressed concerns about the interview length. Each participant received a $30 check as compensation. With all participants' consent, interviews were recorded and later transcribed by a professional transcription service.

Table 1 in Appendix A provides details of participant demographics. The 43 participants were 65-89 years old (mean: 72; median: 71) and had a roughly even gender balance (19 men, 23 women, one no response). Participants showed diversity in income, race, and self-reported health conditions, but they were more educated than the general U.S. population. Most participants lived in their own or rented homes and did not have caregivers. Seven participants used assistive devices such as wheelchairs, canes/walking sticks, and hearing aids.

Regarding technology use, most participants regularly used computers (41) and smartphones (34). More than half (26) also regularly used tablets. Using multiple devices was common: 24 used all three types of devices, and 15 used two. In comparison, smartphones were present in 84% of all U.S. households in 2018, followed by 78% for desktops/laptops and 63% for tablets, indicating that the participants' technology adoption was similar to that of the general population. Smart device adoption was relatively low in the sample: 11 used smart TVs, and seven used smart speakers or voice assistants.

Data Analysis

After transcribing and carefully checking all interview transcripts, the first author reviewed all transcripts to create an initial codebook. This was done using a mix of deductive and inductive approaches: the overall structure of the codebook was guided by the interview protocol and existing literature, while specific codes were mostly based on what participants said.

To ensure the coding process was reliable and consistent, the first and second authors independently coded one transcript each. They then met to compare codes, resolve differences, and refine the codebook. This iterative process was repeated for six transcripts until both researchers agreed that code saturation had been reached. The two authors then used the 'training' feature in Dedoose, a qualitative data analysis tool, to calculate inter-rater reliability before independent coding. The first author coded an additional 14 transcripts to ensure a reasonable coverage of each code. The second author then coded the same set of excerpts coded by the first author. The two researchers achieved a Cohen's 𝜅 = 0.74 across all codes, indicating good agreement between coders. The two researchers then divided the remaining 21 transcripts and coded them independently, and the first author applied the final codebook to the initial six transcripts for consistency. Other co-authors were involved in discussions about the codebook and initial findings through regular meetings.

The final codebook contained 296 codes across six categories: one about general privacy concerns and behaviors, and five for the specific scenarios. The codes in each category were grouped into consistent sub-categories to make cross-scenario comparisons easier: general attitudes, specific concerns, challenges in addressing concerns, protective behaviors, and age-based differences.

As this was a qualitative study, the focus was on describing specific themes rather than making quantitative claims about them. Following practices in other qualitative work, the following terms were adopted to give a qualitative estimate of how often themes appeared: a few (0-20%), some (20-40%), about half (40-60%), many (60-80%), and almost all (80-100%).

Ethics

The study was reviewed and deemed exempt from oversight by the University of Michigan's Institutional Review Board. Following a community-based participatory approach, participants and community partners were involved throughout the research process for a mutually beneficial experience. For example, staff at the senior centers provided feedback on the draft interview protocol to ensure the questions were appropriate. Trauma-informed practices were followed in conducting the interviews, such as being an active and empathetic listener when participants shared their stories, and clearly communicating options of skipping a question or stopping participation. As a way to give back to the community, research insights were used to develop a workshop series on online self-defense, which was then run with partnering senior centers. Thirteen of the interview participants attended the workshops; all spoke positively about the experience and the relevance of the workshop topics to their concerns.

Limitations

While the qualitative approach allowed for deep insights into participants' lived experiences, it has limitations. Some limitations relate to the qualitative method and sampling practices. For example, the sample cannot be claimed to represent all American older adults; the main goal was not to achieve representativeness but rather to capture diverse perspectives. Participants were diverse in terms of income and race, but they were geographically concentrated and more educated than the broader U.S. population. The sample characteristics may have resulted from the localized recruitment, chosen to build trust with participants, reach individuals who might not be accessible through online recruitment, and expand the reach of the workshops. Because the study was conducted in the U.S., some findings might be specific to the country or region. Caution should be exercised when generalizing these findings beyond the U.S., and the study creates opportunities for future replication studies in other countries with different cultural values and consumer protection frameworks.

Another limitation of the study relates to the interview scenarios, as cybercrime is more focused on risks and harm compared to other scenarios. Nevertheless, cybercrime was included due to its high relevance to older adults' existing concerns and age-based stereotypes surrounding this topic. While it is possible that discussions about cybercrime might have made participants more likely to bring up this topic in other scenarios, this was partly reduced by randomizing the scenario order for each participant. It was also observed that participants who received the cybercrime scenario late in their interviews often still spontaneously discussed it in earlier scenarios.

Findings

First, participants' general threat models and privacy concerns are discussed (Section 4.1), followed by their concerns and behaviors for specific scenarios (Sections 4.2–4.5). The discussion concludes by comparing findings across the five scenarios (Section 4.7).

General Threat Models

Heightened Concerns about Financial Information

Because the concept of "privacy" can be broad and abstract, participants were asked instead about the specific types of information they wanted to protect. Financial information, such as bank account and credit card numbers, was mentioned by about half of the participants. Some also highlighted social security numbers, a unique personal identifier used in the United States. P34 discussed negative incidents that can lead to financial loss as their main worries:

"I may not have any money. I may have an outstanding debt...My major concern is my identity being taken, and as a result of my identity being taken, my financial security has been compromised or has been taken away from me."

However, privacy harms include more than just financial losses when considering damage to reputation, psychological well-being, independence, discrimination, and more. Participants recognized these harms less often, as P3 said, "Financial information is probably the most relevant thing. The rest of my life is pretty much an open book...Somebody sees that I go on a porn site. That’s me." P18 raised the point that leaked passwords could lead to financial account compromises: "One of the big things that I worry about is somebody getting a hold of my passwords and user ID that would get them into info on my banking and other financial institutions." P15 mentioned health information but indicated it was secondary to financial information in terms of privacy concerns: "I don’t worry about the portal so much...I’ve already got my Medicare, and so far I can’t be refused for having [my] problems...It’s mostly financial."

Cybercriminals as the Major Threat Actor

In line with concerns about financial information, about half of the participants identified cybercriminals as the main threat to their personal information. The specific terms they used included "hackers," "scammers," "spammers," "people trying to steal things," and "people operating from the dark web." Some participants shared personal experiences with scams and fraudulent charges. P1 recounted stories they had come across in the news:

"There are lonely seniors. You’ll hear some news about a guy...gets hacked...A somewhat younger pretty lady will connect with him, and be able to access his finances...So, my concern is mainly [about] if they hack and get my personal information because hackers are those intelligent criminals."

A few participants identified technology companies as another threat, particularly Google/Alphabet and Meta. P13 discussed the extensive data collection and aggregation practices employed by these companies: "Google captures...anytime you do any online shopping. That information is captured and shared between organizations. In aggregate, they can build up a pretty detailed profile view of what your interests are." P12 expressed varying levels of trust in different companies, indicating that not all technology companies are perceived as equal threats:

"Microsoft, I’m not as worried about information being shared by them...not so much privacy. I would say anything involving the Alphabet as an organization...I have too many firsthand experiences that I’ve been uncomfortable with. Information is shared from one site to another without express consent. And I can’t seem to find any features that I could turn on that prevent it...It’s something personally I can’t trust."

Interestingly, no participant mentioned the government as a threat. In fact, a few indicated that they were not concerned about government surveillance due to their belief that they had nothing to hide—a common yet flawed argument about privacy—such as P1: "I’m not a member of any political party or secret organization...I have no fear of the police, FBI, or any governmental agent." This lack of concern about government stands in contrast to heightened concerns about government surveillance among other high-risk populations such as undocumented immigrants, migrant domestic workers, and Muslim-American women, likely because the participants' identities and backgrounds did not overlap much with these populations. Similarly, no participant identified their family members or caregivers as threats, despite them being a major source of elder fraud.

Learning from Community and Commercial Resources

Previous work involving older adults in the U.K. has identified social, community, and commercial resources, as well as broadcast and digital media, as major sources of cybersecurity information. Participants in this study mentioned all five as sources for learning about privacy self-defense, with community resources, commercial resources, and the media being more popular. Starting with community resources as a source of support, P22 highlighted senior center classes: "The senior center had contacts with the lawyer, and he’d come in and just discuss [the credit freeze]...People would ask whatever question they had." P41 identified the American Association of Retired Persons (AARP): "They have print materials...Zoom classes...If you’re a member, every month they’ll send you a newsletter."

Another source of support was commercial resources, including customer support services such as AppleCare and professional technical support. For instance, P28 subscribed to Geek Squad and highlighted the benefits of their periodic checkups: "Once or twice a year, [we] have what they call a checkup where they just delete duplicate files...make sure you’ve updated all your programs, and you’ve installed everything you need." While experts no longer recommend third-party antivirus software, some participants continued to use such software. P9 noted trust and brand loyalty as relevant factors: "I’ve used Norton for so long...I have trusted them with whenever it comes up for renewal. I don’t even question how they’ve been pricing." The protections offered by third-party antivirus software may be excessive, but they did raise participants' awareness of basic risks and encouraged positive behaviors, as in P27's case:

"I have Malwarebytes, and I’m quite happy with that. I think they’ve done a fairly good job...They have a newsletter every week, and it’s quite informative...They often tell you that there’s all this phishing going on, and to be very careful about opening some of these emails that look suspicious. And so I take them at that word, and I do just discard a lot of [emails] because they’re obviously not legitimate."

Previous work using negative narratives has portrayed older adults as passive consumers of information who find it difficult or unnecessary to learn about cybersecurity or privacy. These findings present a more detailed perspective, as some participants acted as educators and influencers within their communities. P32 acknowledged the challenges involved in doing this:

"She will want me to order something through my account...She got mad at me the other day because I said I’m not doing it...I have done it a few times for her. But I want her to [learn]. She doesn’t want to be tech-savvy. I’m not tech-savvy, but I know...the only way to learn stuff is you might make a mistake."

P19 and P38 helped run computer classes at their senior centers. P38 identified common challenges among their peers, including password management and using "BCC" when sending mass emails. P19 was concerned about the potential exclusion of less tech-savvy peers from educational programs:

"I’m super literate with computers...There are a few people like me, but not many. And as they get older, they have a harder time using the technology that’s available, but they need that technology even more...You’re missing a whole segment of the bell curve. Those are people who simply don’t come [to the classes]. They have home phones and they don’t use cell phone technology, and they don’t get emails."

Account and Device Sharing

Sharing Digital Assets in Preparation for Death or Accidents

Half of the participants mentioned sharing passwords, mostly with family members and occasionally with close friends. Previous research has identified convenience and building trust as key reasons for password sharing among younger adults, and participants gave similar reasons. For example, P13 shared streaming service credentials with their son; P33 shared "everything" with their partner after decades of marriage.

However, most participants' main reason for sharing was to prepare for unexpected events like death or emergencies. For example, P18 shared, "My mom and my sister have my social security number and my passwords...I trust [them] implicitly, and I feel better too because you’ll never know." For similar reasons, some participants also shared access to their financial accounts with family members and occasionally with a financial advisor or attorney. P8 made efforts to ensure clear communication between multiple parties:

"I take care of all my own finances. My lawyer knows where all my accounts are. And...my adopted son is my advocate, and he’s also my executor. So he knows...But he also knows where my lawyer is. And my lawyer knows where he is if something should happen."

When asked about preparing digital assets for after death, some participants had already made plans. Others, like P7, only realized the importance of this consideration when prompted:

"If I were in a car accident and died, nobody would be able to get into my accounts, which will be bad. It would be weeks of sending mail and death certificates and wedding documents to prove that my wife is my heir and beneficiary. So I should do that. I’ll put that on my list of things sometime."

Struggles with Password Management

During discussions on account sharing, participants often highlighted password management as a common challenge. In contrast to studies involving younger populations, participants relied more on physical methods for password management: about half mentioned physically writing passwords down, and a few tried to rely solely on their memory. No participant felt their current password management strategies were ideal; for instance, those who wrote passwords down still worried about a "single point of failure" if their password notebook were stolen. While remembering all passwords is generally demanding, P30 emphasized age-related memory decline as a specific concern:

"For important things like my banking, I want to keep going with the same one. I can’t...They want a different one than you’ve used in the last 10 years. I can’t remember 10 years’ worth. What I do worry about, actually, is as I get older it’s going to become harder and harder to do all that to keep track of it all."

Only a few participants, typically those with a technical background, mentioned using password managers in their browsers and operating systems. The adoption rate of password managers was much lower compared to studies involving younger adults. Echoing previous work, P20 shared that non-adoption was due to distrust in cloud services storing their passwords:

"I do not use any of the password apps where they say you can put in all your passwords, and it’ll be secure, I just don’t trust it. In my opinion, all of these systems were created by a person, and there’s always a way...somebody else can figure out how to get into it."

Risk Awareness of Public and Second-Hand Devices

A specific instance of device sharing involves public devices and Wi-Fi networks, which carry risks of data leaks and Wi-Fi spoofing. This use case is particularly relevant for older adults given their lower ownership of personal computers or smartphones, while communal places like senior centers enable device sharing. Many participants reported using public computers and Wi-Fi networks in libraries, hotels, and shops.

In contrast to the findings in Frik et al.'s study, where few participants expressed concerns about public devices and Wi-Fi networks, participants in this study (even with similar demographics) showed a heightened awareness of these risks. Although they could not always pinpoint specific negative events, they could recognize situations with increased risk. For example, P23 commented, "I think it’s easier to compromise my information [when using public devices]. I think people can get into them more easily." About half of the participants mentioned that they consciously avoided sensitive activities such as banking when using public devices or Wi-Fi networks. P19 compared banking with other types of online activities regarding their sensitivity:

"If somebody wants to hack into my gaming group and screw with my pictures...that’s not going to kill me. So I don’t really particularly care about that as much, but I stay away from banks and things that are high security. When we’re traveling, oftentimes I’m looking up what attractions are there? What time does the museum open?...things that are not security-driven."

A few participants also cleared their browsing history when they finished using a public computer. P32 shared how they developed this habit after someone compromised their social media account when it remained signed in:

"Some years ago I did not sign out on Facebook [at libraries]. And so whoever came [next], they put a whole bunch of crazy stuff up there. And so my son called me up, ‘Ma, was it really [you]?’ ‘Where were you at?’ I said, ‘I was at the library.’...So he deleted [my post]...Now I make sure I sign out if I’m on a public device."

The exchange of used devices can also lead to data leaks. Some participants, like P6, worried about data that had not been erased: "When you get second-hand phones, they’re contaminated...It’s not good to buy used phones unless they’ve been cleaned or wiped." Additionally, participants lacked confidence in securely getting rid of their old devices, particularly when selling or donating to strangers, and desired more guidance. As P16 said, "I have two laptops...just ready to go to the recycling, but I have to get the stuff off of them...I probably will pay to have somebody do it because I don’t know what I’m doing."

Healthcare

The findings within the healthcare context mainly focused on patient portals and smartwatches, as these were adopted by almost all and some participants, respectively. A few participants also mentioned using health-tracking apps, step counters, and blood pressure monitors.

Trust in Healthcare Providers and Smartwatch Manufacturers

While a few participants expressed privacy concerns about their health information (see Section 4.1), about half of the participants shared that they trusted service providers (e.g., hospitals and smartwatch manufacturers) to handle their health information securely. This trust is notable, considering the healthcare industry is one of the most common victims of data breaches and instances of data exchange between healthcare providers and social media companies for commercial purposes. Participants' trust in confidential information exchange with healthcare providers could be a result of social norms and existing laws, notably the Health Insurance Portability and Accountability Act (HIPAA), as P25 said: "Any doctor that I’m dealing with can go to my portal and look up what other doctors have done or said...It’s already in there. I don’t feel that that’s being shared inappropriately."

Interestingly, P25 extended the same level of trust to smartwatch manufacturers, despite these entities being subject to different regulatory frameworks, and wearable devices having limited protection under HIPAA: "My Fitbit...it’s like a watch...as far as I know, there are no data to take. It’s just something I’m looking at...for my information only." P12 explained that their trust in smartwatch manufacturers came from their own positive experiences and social influence:

"You know that the Apple Health app...I have not personally heard of any episode where that recorded information was used [in]appropriately...I encountered a person in a focus group...where they were trying out the Apple Watch and recording various aspects of it. That person felt comfortable...and that was significant for me. I am not looking and would not be comfortable with any other entity."

Concerns About Breaches and Health-Based Discrimination

Although participants generally expressed trust in health devices and portals, some voiced concerns about the potential compromise of their health information in data breaches when prompted, as P41 said: "You kind of hear all the time where these health organizations are hacked...That’s a big concern, and that’s real." P9 also noted concerns about health information being used for identity theft: "Somebody can get a hold of a copy of your driver’s license and your health care card and piece together enough to use it for some other purpose." In addition, some participants expressed concerns about the potential use of their health information for advertising and insurance purposes. These concerns often overlapped with worries about discrimination based on health or age, as P5 articulated:

"It seems to me that the misuse of health information is not within the healthcare world...it’s in the application, the decision-making of lenders and hirers...that would look at a health condition and determine that it’s an additional risk...That’s the abuse of the healthcare information that I’m concerned about."

Nonetheless, only a few participants mentioned specific protective behaviors in response to their concerns. Examples included monitoring financial statements (following a healthcare breach notification) and removing prescription labels from medication bottles (to avoid medical identity theft). Overall, participants discussed much fewer privacy-protective behaviors (in terms of both variety and frequency) in the healthcare scenario than in other scenarios.

Online Advertising

Negative Attitudes Toward Targeted Advertising

Almost all participants had experiences with targeted ads, and many held negative feelings about them. About half expressed frustration with the overwhelming number of annoying targeted advertisements. P10 voiced concern about the surveillance capitalism model that drives targeted advertising: "Every time I look at an ad, somebody knows that. And they put that data in a file somewhere that’s linked to me somehow...They’re going to sell that information to the manufacturer or the marketer...That’s bothersome." Other participants, like P17, suspected that advertisers invaded their privacy by listening to their conversations, a common misconception perpetuated by inadequate ad explanations: "My son bought a patio wood-burning oven pizza maker [called] Ooni...We were over to his house...talking a lot about the Ooni...I get home, and I look at Facebook, and I’m being sold Ooni pizza ovens."

Consistent with previous work on the general public's mixed feelings regarding targeted advertising, a few participants did find targeted advertising useful and relevant. As P38 said, "I think targeting ads helps people...I like knowing about something that I may not have known about that fits my situation." Furthermore, some participants held relatively neutral views as they simply did not pay attention to ads or believed that their personal opinions were not easily influenced by ads. The findings also align with previous work on consumers' challenges in understanding the full scope of online advertising: when asked about the types of information possibly used for delivering targeted ads, about half of the participants exclusively mentioned site activities (e.g., browsing and search histories). Participants mainly gave examples of targeted ads in the context of cross-website tracking, showing limited awareness of other individual and demographic factors used in ad targeting; only a few discussed factors like age, race, ZIP code, and IP address.

Experiences with Deceptive and Discriminatory Advertising

About half of the participants recounted experiences with "bad ads," particularly deceptive ads—meaning the claims and appearances could be misleading and different from consumers' actual experiences. P17, for example, recounted an emotionally manipulative ad:

"It was this little plastic gadget...that supposedly some teenage boy with autism had invented...And I have a special place for people with disabilities...I see this on Facebook...Totally sell me with the story. My charge card is out...And it comes, and it’s a piece of crap...And I realized, 'Oh, you dummy. You fell prey. You were such an easy target because of the autistic kid.'"

Regarding advertising specifically targeting older adults, participants identified ads on Medicare, assistive technology, and funerary services as examples. While a few participants found age-based targeting positive (as it made ads more relevant) or neutral (equating it with other targeting categories like gender), some participants, like P21, found the practice discriminatory and harmful for reinforcing age-based stereotypes: "It’s annoying because it just reminds you that you’re older." In addition, P30 was concerned about older adults' vulnerability to ad scams, showing that concerns over cybercrime extended to this scenario:

"The older we get, the less astute we are in paying attention to what this really means. That puts a lot of people at risk. We’ve heard about how many people can lose their money, not necessarily scammed but buying something we really have no use for. I guess they’re free to advertise to anybody. I just don’t like it."

Protective Strategies Exist, But Rendered Ineffective

Some participants adopted an avoidance strategy when dealing with annoying or problematic ads, which typically involved ignoring them or removing them from their online feeds. This approach was particularly common among participants who held positive or neutral views about ads, as P11 explained, "All you have to do is click on the X...hide the ad...ignore it. And if there are too many ads and it annoys you, then you don’t go to those sites."

However, avoidance-focused strategies do not fundamentally stop the excessive volume of ads. Some participants mentioned clicking on 'unsubscribe' in marketing emails but encountered challenges, as they either could not find the link or had to wait a long time before they stopped receiving unwanted emails. Adding to previous work on users' basic understanding of online advertising and privacy settings, a few participants, like P3, expressed distrust in the 'unsubscribe' feature, suspecting that clicking on it would trigger malware or even more spam:

"I am concerned that you can generate more dissemination of information...that I wouldn’t want people to have...[I] can’t always trust that the unsubscribe location is really going to the service that I want to unsubscribe from...If it’s a hacker...they’re gonna take the information...and hack you some more."

These ineffective strategies may explain why many participants felt they had limited control over what advertisers knew about them. As P4 described, their level of control was "probably none, except just avoiding." A few participants, like P3, believed they had some control, but these participants were relatively experienced in using ad settings: "There’s always a setting somewhere that can be adjusted...It is left up to me to explore and see." P22 was the only participant who felt they had a good amount of control, although their perception was narrowly based on the information they disclosed rather than inferences made by advertisers: "I don’t put a lot out there. I think that certainly gives me an edge on not getting advertising I don’t need or don’t want."

Social Networking

While many participants used Facebook and Zoom, about half primarily connected with others via phone calls and text messages. A few participants mentioned other channels including emails, Instagram, Messenger, Twitter, and WhatsApp.

Benefit-Risk Analysis for Adoption and Use

Similar to findings in previous work, participants considered the benefits versus risks and costs associated with specific social media platforms. While the benefits of staying connected and acquiring information apply to all age groups, they became more noticeable among participants during the COVID-19 pandemic, which worsened feelings of social isolation and loneliness. As such, P12 described their "calculated risk" for social media use: "The very fact that I have to use YouTube to do certain functions puts me at risk, and it’s a calculated risk...But we’re so isolated as it is...It is unhealthy not to know what’s going on in the world."

Interestingly, in contrast to previous research, participants' major concerns regarding social media use—before privacy was specifically asked about—revolved around disturbing or controversial content and false or misleading information. In terms of privacy-related concerns, P36 mentioned possibilities of different social contexts mixing: "If you use social media extensively, you are bound to have problems like misinterpretation...someone taking your post out of context." P13 disliked the monetization of user data, a recurring concern also seen in the online advertising scenario: "Facebook is notorious for sharing information and also establishing a profile...I don’t want to make Mark Zuckerberg any richer."

A few participants also voiced concerns about scams on social media: scams are already a recurring theme in the cybercrime scenario, but social media can amplify the reach of scams. P8, for example, shared their experience with romance scams: "I have some weird guy that sent me [pictures]...He sent the same picture to my daughter-in-law...It’s really a jungle out there." Dealing with scams and harassment was even more challenging for participants with limited technology skills and low income, as in the case of P6:

"One day I got 1,000 friend requests [on Messenger]...but I accepted them all onto my page. Then I realized...I’m getting all these telephone calls [from] people trying to swagger me...They would call me up at two...in the morning and say, ‘Hi, handsome. How are you?’"

Limited Risk Perceptions of Zoom

Zoom, a video conferencing service, experienced a significant increase in its user base during the COVID-19 pandemic. Half of the participants mentioned adopting Zoom during the pandemic to maintain social, informational, and educational needs. A few shared concerns about Zoombombing, and P9 even experienced it firsthand: "There [was] this particular conversation that the council is having. And dirty pictures popped up. And then they had to shut down the Zoom thing."

Nonetheless, participants who had heard of Zoombombing but had not experienced it personally expressed limited concerns, as they believed they would not be targeted. P36 shared, "I don’t think we will attract the attention of the criminals....It’s only the doctor and myself. So what is there to bomb? You want [to] bomb into a Zoom with 20 CEOs and the president of the United States." Similarly, P7 speculated that Zoom would not engage in excessive data collection due to its business model: "Why would they record a meeting amongst a family of four? They’re not going to be able to monetize that." However, Zoom has faced controversy for making false claims about end-to-end encryption while engaging in data exchanges with Facebook for monetization purposes. These problematic data practices rarely influenced participants' usage and trust in the platform. A few participants, like P14, further mentioned relying on Zoom and its partner institutions for data protection: "You heard so much about Zoom over the last two years that you figure, well, it’s got to be a reasonable company. Hopefully, they have security measures in place."

Skills and Confidence in Self-Protection

In response to their concerns, participants actively used protective strategies rather than relying on passive measures. P11 mentioned the option to limit their profile visibility: "You can restrict your profile pretty well. So I do. You can’t see my friends." P28 described being careful about sharing sensitive information: "I normally don’t post it while we’re away. I wouldn’t want to advertise to the world that we’re going to be out of town for a week." P2 would block or unfriend someone in the case of scams or interpersonal conflicts: "If I find people that are offensive...I will stop following them." Some participants also adjusted their Zoom settings, such as muting themselves as needed and using a virtual background, similar to findings from previous work with younger populations. Most of these proactive strategies showed participants' effectiveness in navigating regular privacy settings on social media.

As in the online advertising scenario, participants' perceived level of control over their information on social media was closely tied to their confidence in configuring privacy settings. Many participants felt they had some control. Some participants, like P39, even noted they had total control, though this perception was—similar to that in the online advertising scenario—primarily based on their knowledge of what they proactively shared rather than the inferences and data exchanges happening behind the scenes: "I’m in control of what I put out there...If you put out everything, you expect to have some fallout...I don’t put out personal stuff."

Cybercrime

Concerns and Negative Experiences with Scams and Fraudulent Charges

While previous work has identified cybercrime as a growing problem for older adults, these findings reveal older adults' concerns about specific types of cybercrime, both when asked directly and when mentioned without prompting. When asked about their initial thoughts on the term 'cybercrime,' some participants mentioned hacking attempts targeting government agencies and companies, while others focused on cybercrime targeting individuals. For example, P21 was concerned about account compromises leading to financial loss: "I do have some concerns about somebody stealing...not just your bank account, but your investments." P42 highlighted concerns about scams: "I think about a lot of the scam emails that I’ve been getting."

About half of the participants reported receiving scam calls or phishing emails, with most successfully avoiding becoming victims. Out of the 43 participants, only three had experienced unrecoverable financial losses. One potential factor contributing to participants' increased susceptibility to exploitation is concurrent financial hardship, as P32 recalled their experiences:

"I was getting these text messages...to be like a mystery shopper...I received a check for about $1,500...So I went to the bank...showed them the check....And I was broke. And then she [bank manager] told me that it was a scam...That is how they get you because you’d be thinking about the money [when you’re broke]."

Participants' vulnerability to scam attempts also relates to their level of digital literacy. P26, who considered themselves "computer illiterate," suspected their identity was stolen without realizing it was a social security scam: "I got a call from the government that said somebody in Texas is using my social security number to extrapolate the funds out of bank...Maybe I have been a victim." Nevertheless, having a technical background did not guarantee immunity to scams either, as in the case of P43, who ran a computer supply company but once lost $150 to a ransomware scam:

"We had our computer locked up by a software company...They sold us a software package for $150 that would guarantee that we would not have our system locked up. And when I called the Geek Squad...they said all we had to do was just click on the control, alt, delete, and that would have restored us."

Perceived Higher Vulnerability Among Older Adults

Since previous literature and news media have portrayed older adults as susceptible targets of cybercrime, participants were asked about their perceptions of age-related vulnerability to cybercrime. About half of the participants believed that older adults were more vulnerable and identified factors that could contribute to higher vulnerability, noting that older adults "are naive with respect to technology" (low tech-savviness), "believe everything that they see" (too trusting), and "are more susceptible to [scammers] working on our emotions, like the grandparent scam...Seniors are lonely and just want somebody to talk to" (subject to emotional manipulation). Interestingly, participants often used "they" when referring to older adults and rarely considered their own vulnerability. For instance, P33 were confident in their own resistance to cybercrime but expressed concern for others: "I don’t see why anybody would want to go after me...I’m not really worried about myself...There are a lot of [older] people that don’t know or get scammed. That worries me."

While older adults being more vulnerable to cybercrime is the dominant view, some participants believed that vulnerability to cybercrime is independent of age. P19, for instance, attributed cybercrime vulnerability to individual information-sharing habits: "If you’re careful and you don’t expose yourself, I think you’re going to be safer than if you just put your information out there willy-nilly." Interestingly, a few participants considered younger adults more vulnerable due to more careless online behavior. As P14 said, "The younger people spend so much time on their devices...They’re savvy...but sometimes, you just think these people are not paying attention to what kind of danger they’re putting themselves in."

Adopting Protective Strategies

Participants shared a variety of strategies to protect themselves against cybercrime; the most prominent ones were frequent monitoring of financial accounts, avoiding phone calls (from unfamiliar numbers or in general), and looking for common indicators of phishing attempts (e.g., checking the sender’s email address). These strategies aligned with established expert advice for online safety and did not require advanced tech expertise. A strategy unique to older adults was relying on their crystallized intelligence, meaning knowledge and skills acquired throughout life, as opposed to younger adults' fluid intelligence. In participants' own words, they relied on "common sense" they had developed over decades, as described by P35:

"When someone comes to me asking questions about something I said that I did not put out to the public...that’s a big red flag and an automatic delete...Because I’m older and already have...a whole bag of tricks from these many years of living."

Participants' ability to recognize scams could also come from their professional background. P28, for instance, had worked for the Internal Revenue Service and was able to quickly react to tax scams:

"I once got a call from someone who said they were from IRS and they said...if we didn’t make a payment, there would be a warrant out for our arrest. I said, ‘Well, I work for IRS and I know you’re not from IRS. So I think you better stop what you’re doing.’...And I hung up and report it."

However, participants' strategies were not perfect and sometimes led to unnecessary difficulties or feelings of powerlessness. P26, for example, changed their phone number to avoid excessive spam calls, unaware of alternative strategies like blocking specific numbers or registering on the national Do Not Call list that do not involve changing phone numbers. P20 shared their reliance on service providers such as credit card companies and identity theft monitoring vendors for handling scams rather than self-protection: "I would trust that the credit card company would tell me...Other than they tell me, throw that card away...we’ll send you a new one, I don’t think there’s anything I personally can do."

Cross-Contextual Insights

Having presented findings for each scenario, common themes, similarities, and differences across scenarios are now discussed.

Heightened and Cross-Scenario Concerns About Cybercrime

The findings highlight cybercrime as a prominent and recurring concern for participants across scenarios. In the initial general discussions on privacy (see Section 4.1), cybercriminals already emerged as the primary threat actors. Participants' definitions and concerns regarding cybercrime revolved around scams, fraud, phishing attacks, fraudulent charges, and identity theft. These definitions largely align with Bossler and Berenblum's categorization, focusing on two of their four categories—cyber-trespass and cyber-theft. Importantly, it was observed that cybercrime concerns and experiences were widespread across scenarios, as participants discussed worries about identity theft fueled by health information, being victimized by ad fraud, and encountering scams/harassment on social media, even before cybercrime was directly asked about.

In terms of vulnerability, cybercrime was also the only scenario where a significant portion of participants perceived higher vulnerability within their own age group compared to younger generations. Although participants rarely viewed themselves as more vulnerable than others—a possible sign of optimism bias—they often expressed concerns for other individuals in their age group or older. Conversely, in the other scenarios, almost all participants believed that vulnerability was equally distributed across age groups and identified various factors contributing to heightened vulnerability regardless of age. For instance, P10 identified health conditions and patient portal use as factors contributing to health-related privacy risks: "I do have medical issues, I’m in and out of the patient portal more than a lot of people...I think the more you use a system, the higher the risk of being compromised." P11 emphasized the importance of education level in dealing with problematic advertising: "Somebody with less education might be distracted by these ads, whatever their age is...Have you learned to research? Have you learned critical thinking?...Just don’t follow what people tell you."

Limited Concerns and Options for Protecting Health Information

Participants expressed the fewest privacy concerns in the healthcare scenario. Unlike in other scenarios, where participants easily identified threat actors and specific concerns without prompting, participants generally did not talk about healthcare-related privacy issues until asked. This might be due to the relatively hidden nature of health information misuse, particularly when discrimination is involved. None of the participants had personally experienced medical fraud or any related financial losses. Participants' perceptions may also have been shaped by news media—a common source of information—which provides limited coverage of security and privacy events in the healthcare industry.

In contrast to the diverse range of protective strategies observed in other scenarios, participants shared fewer strategies for safeguarding their health information. However, this limited action should not be equated with a lack of care. As aging-related health issues arise, older adults may have more frequent doctor's visits, naturally building trust in their healthcare providers. While people may switch to a different service provider after negative privacy experiences like a data breach, most patients reasonably make decisions based on cost, coverage, and quality of care when selecting healthcare providers. The "notice and choice" framework for protecting individual privacy has long been criticized for placing the burden of self-protection on consumers, and these shortcomings become even more problematic in the healthcare sector as consumers often have limited or virtually no choice.

Concerns and Behaviors Centered on Information Collection

Solove's taxonomy of privacy categorizes privacy harms into four stages: information collection, information processing, information dissemination, and invasion. Frik et al.'s study also described older adults' threat models along these four stages. Nevertheless, participants' primary concerns and strategies mostly focused on the information collection stage. For instance, some participants discussed limiting content/profile visibility in the social networking scenario and avoiding interactions with ads in the online advertising scenario. In both cases, participants' perceived control was tied to the amount of information they explicitly shared with other users and service providers. They felt more in control knowing they did not "put much out there." Only a few tech-savvy participants (e.g., P10 and P12) shared concerns about how companies combined and drew conclusions from collected data. Very few participants mentioned concerns about information dissemination, except in the case of health-based discrimination, where disclosing sensitive health information could jeopardize their health benefits.

Trust in Service Providers

Participants' trust in various service providers was a recurring theme across scenarios: trusting banks and credit card companies for detecting and resolving fraudulent charges, trusting healthcare providers and wearable device manufacturers for safeguarding health information, and trusting Zoom and partner institutions for ensuring the security of video conferencing data. This trust is shaped by positive experiences with service providers, unawareness regarding certain threats, and limited options for self-protection. Previous work has shown older adults' trust in healthcare professionals and preference for discussing health in-depth with a person rather than non-human sources. In contrast, these findings suggest that older adults' trust extends beyond interpersonal contacts to include healthcare-related social-technical platforms, such as patient portals and video conferencing tools facilitating virtual doctor's appointments.

Trust in service providers, particularly in the healthcare scenario due to the health needs of older adults, can be reasonable. However, there is a risk that excessive trust leads to delegating or even abandoning useful protective strategies. For instance, one might have limited control over how information in their health portal is used, but they can take retroactive measures when a breach happens. In contrast, with regard to cybercrime, many alternative measures can be taken to actively combat threats, such as using secure mobile payments to limit card fraud and placing credit freezes to mitigate credit fraud, rather than relying solely on protections provided by financial institutions.

Discussion

Comparisons with Prior Work

Consistent with previous work, participants raised security-related concerns, such as scams and identity theft, even when online privacy was explicitly asked about. This suggests that participants perceive security and privacy as interchangeable concepts, aligning with other work that highlights the diversity in privacy definitions and potential differences between expert and end-user understandings. In contrast to previous studies that emphasized older adults' reliance on passive risk reduction strategies, participants employed various active coping strategies, such as configuring privacy/authentication settings and exercising caution when disclosing sensitive information.

The findings also affirm and expand upon previous research conducted within individual scenarios. For instance, older adults' privacy concerns and behaviors on social media have been thoroughly researched. The findings align with previous work on common protective strategies, but the study also uncovered new insights triggered by the COVID-19 pandemic as participants shared their adoption of Zoom and other video conferencing tools. Participants were skilled at navigating corresponding privacy settings and expressed greater trust in service providers compared to more traditional social media platforms such as Facebook.

Contrary to previous research, participants showed more risk awareness when using public and used devices than those in Frik et al.'s study. Additionally, in contrast to previous studies that highlighted older adults' negative perceptions of health monitoring technologies, participants expressed limited privacy concerns about their health information. However, it is important to understand this finding within the sample, as most participants lived independently and were not using technologies traditionally considered intrusive, such as in-home activity sensors and always-on web cameras.

While the study did not quantitatively compare privacy vulnerability between older and younger adults by recruiting both populations—making the findings less comparable to previous work that has done so—the findings add more detail to the negative portrayals of older adults. Participants' vulnerability varied and could not be simply attributed to age. This difference could come from the sample, as participants were recruited locally, and some recruited via senior centers might have learned about privacy self-protection there. However, it is also likely that the cross-contextual interview approach and specific probing into participants' self-perceived vulnerability contributed to the new and different findings, as further explained in Sections 5.2 and 5.3.

Contextual Effects of Privacy Concerns

Previous work, like Acquisti et al., emphasizes the role of context in understanding privacy concerns: "Individuals can, depending on the situation, exhibit anything ranging from extreme concern to apathy about privacy." Nissenbaum’s theory of contextual integrity similarly suggests that societal norms shaping people’s perceptions of what is private versus public vary across contexts. These findings support the importance of context to some extent, as shown by concerns that are unique to certain scenarios, such as health-based discrimination in healthcare and password compromises in account/device sharing. Nevertheless, it is also observed that privacy concerns are not entirely context-dependent, as certain concerns transcend contexts. Specifically, cybercrime was a pressing concern among participants, as they shared related concerns not only in the cybercrime scenario but also in healthcare, online advertising, and social networking scenarios. Another cross-contextual concern relates to surveillance capitalism, which was mentioned in both the online advertising and social networking scenarios, as participants expressed discomfort with the widespread collection and monetization of personal data by advertisers and social media platforms.

These findings highlight the need for further research to qualitatively and quantitatively distinguish privacy concerns at the population, context, or individual level. For example, the findings already illuminate some population-level differences qualitatively: none of the participants identified the government as a threat, in contrast to other high-risk populations who have heightened concerns about government surveillance. Other research has also contributed to this direction quantitatively, such as Herbert et al.'s work that compares the digital security experiences of four at-risk groups (including older adults) and Xu et al.'s context-contingent theory that explains the mechanisms through which contexts influence privacy concerns and behaviors. Notably, it is observed that even within the same context, participants' concerns and vulnerabilities varied substantially and were shaped by many individual factors beyond age, as discussed below.

Rethinking Privacy Vulnerability and Aging

In light of the growing research on specific populations who experience disproportionate privacy harms, it is important to consider the nuanced differences between marginalization and vulnerability. According to Liang et al., marginalization indicates a failing of society as marginalized individuals are underserved, underrepresented, or forgotten, whereas vulnerability may imply that the person is weak, needs help, and is a burden.

This distinction between marginalization and vulnerability is crucial in research with older adults. The findings show the specific ways in which older adults experience marginalization. For example, P27 shared how they struggled with technologies not designed for their needs: "The worst thing for me is manipulating that tiny [phone] keyboard...I have to use a stylus, with a little rubber on the end of it...because I just can’t cope with that little keyboard." P12 witnessed marginalization among their peers and expressed concerns: "There are some [people] that do not join into our Zoom calls because they are afraid of the technology or they can’t afford the technology. And they are completely left out." Negative media portrayals can worsen feelings of marginalization and take an emotional toll on older adults themselves. This is also supported by findings related to cybercrime: even though very few participants experienced direct negative consequences, such as unrecoverable financial losses, many shared recurring concerns and stress, often accompanied by demanding behaviors (e.g., checking financial accounts frequently and avoiding phone calls) that come with emotional effort.

Nonetheless, this research challenges the common view of older adults as vulnerable, supported by multiple layers of findings. First, a few participants who were knowledgeable about both privacy and technology played a crucial role in supporting and influencing their peers—this suggests that broadly labeling older adults as a vulnerable group is an oversimplification. Second, almost all participants believed that older and younger adults faced equal risks of privacy violations in most scenarios; even in the case of cybercrime, which triggered the most concerns among participants, opinions were mixed. Third, participants' quotes and analysis reveal that factors such as education, income, technology use, and online information disclosure influence one's privacy vulnerability more significantly than age. While these factors may correlate with age, they more often operate independently of age. For cybercrime, participants with stronger resistance drew knowledge from their work background, accumulated wisdom, and prior negative experiences; participants with more challenges navigating cybercrime tended to be those with concurrent financial hardship or low tech-savviness, although being tech-savvy does not guarantee immunity to scams either.

These findings highlight the need for more comprehensive frameworks that combine and quantify the various factors contributing to one's privacy vulnerability. Particularly for older adults, the findings provide empirical support for Knowles et al.'s plea to "seek design inspiration in narratives of positive aging." This philosophy presents numerous avenues for designing privacy interventions, technologies, and education for everyone growing old, as older adults are a highly diverse population with unique traits that enable interesting research and design opportunities.

Technical and Educational Implications

The findings open up several directions for future work on technologies that enhance privacy. For example, participants were motivated to share accounts and devices in anticipation of death and emergencies. However, some participants only became aware of this need after being asked, and others were unsure about the practical steps. There are opportunities to develop tools that support data preparation for death specifically for older adults. Drawing from these findings and previous work on safety settings for older adults with memory concerns, such tools should enable multiple users to engage in social and technical discussions about control and power (especially involving financial interests) and ease the anxiety that older adults may experience when contemplating their own mortality.

Besides building new tools, this research contributes insights into improving existing tools tailored to older adults' preferences while addressing misconceptions. In the account and device sharing scenario, participants often struggled to safely decommission old devices. Participants were more familiar with physical methods of destroying a device completely, while knowing about but not trusting features like a factory reset. To make a factory reset more useful and understandable, digital devices could implement more detailed settings aligned with the user's goal (e.g., recycling, trading in, selling, donating to friends or strangers) as well as more personalized advice (e.g., recommending reputable sites in the area based on the user's location). In another scenario, online advertising, some participants found age-based targeted ads discriminatory or offensive. To address such concerns, platforms should allow users to create a list of topics they wish to avoid in ad targeting—a suggestion also made by previous work. While some platforms already provide adjustments for specific topics like alcohol, parenting, and politics, there is a need for co-designing ad filtering features with older adults who can provide unique insights into topics that may perpetuate age-based views.

Lastly, the findings highlight the need to support older adults in learning about privacy self-defense through educational efforts. Participants suggested specific topics for education such as password management, privacy settings, the usefulness of protection services (e.g., antivirus and identity theft monitoring), and device decommissioning. In developing the online self-defense workshop materials, these topics were incorporated while mirroring participants' mental models and language choices (e.g., disregarding the nuanced differences between security and privacy topics, and using 'hackers' to refer to malicious actors broadly). Going forward, there are opportunities to integrate this training into broader efforts to help older adults build digital literacy skills, such as workshops on 'how to use smartphones' or 'how to find jobs online.' The findings suggest that community and commercial resources are reasonable starting points for deploying such training, and it might be useful to join forces with existing initiatives such as Apple’s iPhone classes for older adults. The findings also suggest that older adults may turn to peers who are influencers and guardians—roles that a few of the participants already played—rather than acquiring new knowledge on their own. As such, a core part of training should be supporting older adults in developing self-learning and information-seeking skills, so that educational efforts are sustainable and can generate influence at scale.

Open Article as PDF

Abstract

A growing body of research has examined the privacy concerns and behaviors of older adults, often within specific contexts. It remains unclear to what extent older adults' privacy concerns and behaviors vary across contexts and whether old age is the primary factor influencing privacy vulnerabilities. To address this gap, we conducted semi-structured interviews with 43 older adults (aged 65 to 89) in the United States. Our interviews were grounded in five scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime. Our cross-contextual analysis showed that cybercrime was a recurring and pressing concern across scenarios; privacy concerns and protective behaviors were rarely mentioned in the healthcare scenario. Across all scenarios, participants' threat models and strategies revolved around data collection rather than other stages in which privacy harms may occur; they employed various active strategies to safeguard their privacy while trusting service providers to protect their information. Our findings underscore the need to revisit the discussion around privacy vulnerability and aging. Vulnerability levels among our participants varied widely and were often influenced by factors beyond age, such as tech savviness and income. We discuss opportunities for privacy interventions, technologies, and education that promote positive aging and recognize diversity among older adults.

Privacy and Older Adults

Older adults are using digital tools more often, which means they face new privacy and security risks. Some research has viewed older adults as easily affected by privacy issues, which could impact their safety and well-being. For example, those with health problems might need monitoring technology for independent living, which involves ongoing surveillance. Older adults with limited digital skills might avoid technology, missing chances to learn how to manage their privacy and protect themselves. Even well-meaning family members or caregivers might watch over older adults, which affects their independence.

Privacy behavior often depends on the situation, or "context." While many studies have looked at older adults' privacy, most have not compared their behaviors across different situations. Some research has focused on specific areas like social media or healthcare. To fill this gap, a study was done with 43 older adults (ages 65-89) in the United States. Researchers explored their privacy concerns, actions, and risks in five areas: sharing accounts and devices, healthcare, online advertising, social networking, and cybercrime.

The study found that participants consistently worried about becoming victims of cybercrime, like scams or fraudulent charges, across all five areas. They felt more at risk for cybercrime than younger people, a difference rarely noted in other situations. However, participants were not often worried about their health information in healthcare settings, prioritizing good care and health insurance over privacy. Previous studies described older adults' privacy concerns using four categories of harm: data collection, processing, sharing, and invasion. The current study found that participants' concerns and protective actions mainly focused on data collection. Unlike prior research that suggested older adults mainly used passive ways to manage privacy, participants in this study used various active methods, such as adjusting privacy settings and carefully choosing what information to share. They also trusted service providers to protect their privacy.

A key takeaway from these findings is that we need to broaden our understanding of privacy risks. The study challenges the idea that all older adults are a vulnerable group. Participants believed that older and younger adults faced similar risks in most situations (except cybercrime). The analysis showed that actual risk varied greatly among individuals, with those who used less technology, had lower digital skills, or lower incomes experiencing more real privacy problems. Some tech-savvy participants even acted as privacy protectors for their communities, which goes against older ideas that focused only on older adults' weaknesses. This research supports the idea that linking privacy vulnerability solely to old age is too simple. The study concludes with suggestions for creating privacy tools, technologies, and education that highlight the positive aspects of getting older.

Related Research

Privacy Risk and Aging

Vulnerability is an important idea in how people interact with computers and in privacy research focused on humans. It highlights how technology can continue social and historical injustices. However, the term "vulnerability" has been criticized for being unhelpful and promoting negative labels, especially in research about accessibility. In privacy research, older adults have been called a vulnerable group. This label is sometimes reinforced by past studies that focus on their weaknesses, saying older adults are "more likely to be tricked," "worry less about information privacy," or are "especially vulnerable to certain risks and have trouble dealing with them" compared to younger adults or the general public. However, some experts suggest looking beyond age-related limits and instead focusing on older adults' wisdom and unique viewpoints. Other experts say it's important to separate age from other factors that might affect someone's vulnerability.

One such factor is health, as aging can bring changes to a person's senses, body, and mind. Older adults with mild cognitive problems might struggle to spot scams or fully understand what it means to share personal information. Ongoing health conditions might require using health monitoring technology to stay physically independent, but adopting such technology brings up privacy and ethical concerns. Worsening health can make older adults more dependent on others, like family, neighbors, and professional caregivers, to manage their privacy and technology use, leading to "care surveillance." In fact, fraud committed by a family member is a common type of financial abuse against older adults. Even when caregivers mean well, strict oversight can limit older adults' independence and prevent them from learning about digital threats and how to protect themselves.

Digital skills are another important factor that should be considered separately from age. While younger and older adults may use technology differently, older adults are increasingly using new technologies and engaging in various online activities. This makes it important to study their privacy behaviors across different situations. However, older adults might not use technology due to cost, poor design, lack of confidence, low interest, and fears driven by negative stereotypes about age. Low technology use and digital skills can then limit a person's ability to protect their own privacy. The study's findings contribute to a growing body of research that shows how varied older adults' technology use is, and how tech-savvy older adults often guide and protect their peers.

Older Adults' Concerns and Behaviors

This review of existing research is organized by the five situations explored in the interviews. The discussion notes how the study's findings add to the current understanding for each situation. It also examines previous research on how privacy concerns and behaviors differ by age, as this relates to the study's findings on privacy risks.

Account and Device Sharing. Sharing digital accounts and devices is a common practice among romantic partners and in workplaces. Several studies show that older adults—especially those less skilled with technology, with physical or mental challenges, or living in cultures where groups are prioritized—often give family members or professional caregivers access to their personal accounts and devices. This practice can lead to conflicts over privacy and independence.

Older adults may also share account or device access to prepare their digital information to be passed on to family and friends after their death. However, this practice of preparing digital data for death has mostly been studied in younger populations. This study looked at account and device sharing by older adults, recognizing that they face the prospect of death but may feel anxious and unsure about planning for it. The study also included questions about public and used devices to compare with a previous study, where older adult participants showed limited awareness of risks and concerns in these situations.

Healthcare. Previous research has shown that older adults often find health monitoring technologies intrusive and limiting. However, they tend to accept these technologies as a necessary trade-off for safety, care, and staying in their homes as they age. Older adults generally feel comfortable sharing their health data with doctors, caregivers, and family members, but not with unknown parties. They prefer that data collection and sharing only happen when necessary, such as during emergencies.

The interviews for this study took place during the COVID-19 pandemic. Beyond the direct health dangers of COVID-19, the fear, stress, and loneliness from social isolation during the pandemic also affected older adults' health and well-being. This study offers updated insights into older adults' privacy concerns and behaviors related to healthcare, shaped by the pandemic. It also examined older adults' privacy considerations when using patient portals, a topic that has been studied but rarely with a specific focus on privacy.

Online Advertising. Online advertising often targets individuals based on their internet activities, personal information, and guessed interests. Because ad tracking is complex and not always clear, most consumers have limited knowledge about how much advertisers can access their personal data. Consumers might also have mistaken ideas, such as confusing online tracking with computer viruses. While some people find targeted ads helpful and relevant, others find them intrusive and unsettling. Recent research has also looked into how users perceive ads that are problematic, untrustworthy, or unpleasant.

Notably, most studies in this area have focused on general adult or younger populations. Limited previous research involving older adults has suggested that they engage more with certain types of advertising, like social video ads, while being doubtful about social media-based advertising. Older adults are also particularly likely to see problematic advertising (such as scams or clickbait) on platforms like Facebook. This study addressed this gap by deeply exploring older adults' privacy issues related to online advertising, especially their understanding and attitudes toward advertising based on age.

Social Networking. The use of social media among older adults in the U.S. continues to grow, but their usage is still lower than that of younger groups. Privacy concerns can discourage older adults from using social media, especially when these concerns outweigh the potential social benefits. Some studies have found differences between older and younger adults: older adults are more concerned about who can access their information, while younger generations, particularly teenagers, are more concerned about how different parts of their lives might overlap online or how they present themselves.

Zoom and other video conferencing tools also became very popular during the COVID-19 pandemic for staying in touch. Previous research on younger users' privacy attitudes toward remote communication found that users often lack control over choosing conferencing tools and microphone/webcam use. This study examined older adults' privacy considerations regarding video conferencing tools and compared them to findings from before the pandemic about other social networking sites like Facebook, considering the pandemic's impact on people's social behaviors.

Cybercrime. Bossler and Berenblum define cybercrime as "computer-assisted crime" across four categories: cyber-trespass (e.g., unauthorized system access), cyber-theft (e.g., identity theft and online fraud), cyber-obscenity (e.g., child pornography), and cyberviolence (e.g., cyberstalking). They also note a lack of standardized legal definitions in this field. Mainstream media often portrays older adults as susceptible to cybercrime, especially cyber-theft. However, findings from academic research are mixed. Simons et al. found that older adults are disproportionately affected by certain types of fraud, such as tech-support scams and impersonation. Ross et al. argue that there is no strong evidence of higher consumer fraud rates among older adults. Several studies suggest that factors like income and gender can influence how easily someone falls for scams or phishing attacks.

Studies with older adults highlight that media portrayals increase their anxiety about spam emails and scam calls. Being defrauded affects older adults' health and well-being regardless of financial loss, as victims experience ridicule and criticism. In Frik et al.'s study, older adult participants had different views on their own vulnerability: some believed they were easy targets due to low technical skills and lack of support, while others doubted that their information was valuable enough to be exploited. Unlike the previous sections, cybercrime is mainly associated with risks and harms, whereas other contexts like healthcare also offer clear benefits. The decision was made to include cybercrime as an interview topic because of its relevance to older adults and the ageist stereotypes surrounding it. Researchers were particularly interested in uncovering more subtle factors that contribute to older adults' self-perceived and actual vulnerability to cybercrime.

Age-based differences. Several studies have examined the privacy concerns and behaviors of older adults in North America. These studies found that older adults' concerns focused on security issues (e.g., scams and identity theft) and threats from institutions (e.g., data sold to third parties) rather than privacy between individuals. Passive strategies (like limiting or avoiding technology use) were commonly used, while active protective strategies were rarer and only used after privacy violations occurred. Older adults' privacy concerns and behaviors also depend on their culture. Studies in countries with cultures that prioritize the group, such as India and China, have shown that older adults' privacy management is a group effort, with household members overseeing older adults to ensure their safety.

While some previous research has described older adults as generally vulnerable to privacy risks and violations, empirical findings on differences between older and younger adults are mixed. Some studies indicate that older adults are less likely to react to privacy risks and adopt fewer protective behaviors on social media. Other research suggests that older adults are not necessarily worse at protecting themselves; rather, they have different concerns and priorities. For example, older adults often see higher risks in online banking and e-commerce and are more likely to make privacy decisions based on a calculation of privacy costs and benefits. Some studies have found no significant age differences in online privacy sensitivity and attention to privacy policies. These inconsistent findings might be due to different studies examining different situations and using concepts with different levels of detail (e.g., general attitudes versus specific concerns).

Methods

To understand the privacy experiences of older adults in different situations, researchers conducted interviews with 43 individuals aged 65 or older in the United States. The interviews took place between August and October 2021, using video calls and in-person meetings based on participant preference. The study materials, including a screening survey, interview questions, and a codebook, are available online.

Interview Questions

The interview questions had two main parts:

Part 1: Participants first described their technology ownership and use. Then, they were indirectly asked about their privacy concerns by discussing any issues they had with technologies they used. If privacy concerns did not come up naturally, researchers asked more direct questions about what information participants wanted to protect and who they saw as potential threats. This approach, saving direct privacy questions for later and only asking them if needed, aimed to reduce potential researcher bias and the tendency for participants to give socially desirable answers, similar to methods used in other studies dealing with sensitive topics.

Part 2: Researchers then explored participants' privacy views and strategies in five specific situations. Using scenarios is common in research about how people interact with technology to understand values and attitudes. The chosen scenarios were based on previous research and were highly relevant to older adults' daily lives, though specific findings for older adults and/or privacy varied. For example, previous work on account/device sharing and online advertising mainly focused on younger populations. Healthcare and social networking had more research specific to older adults, but most of it was done before the COVID-19 pandemic, which changed how people socialize and manage health issues. Cybercrime is often linked with ageist stereotypes (assuming older adults are always more vulnerable), and the goal was to compare these stereotypes with the actual experiences and perceptions of older adults.

The interview process for all scenarios followed a similar structure: first, broad questions about participants' understanding and personal experiences, then questions about more specific concerns and protective strategies (if relevant). To assess participants' views on age-related vulnerability, they were asked, "How do you feel about your chances of experiencing X (a negative event) compared to older/younger people?" with "X" adjusted for each scenario. To avoid imposing assumptions, researchers used participants' own words in follow-up questions and confirmed their understanding of the responses. The order of scenarios was randomized for each participant to prevent the order from affecting answers or participants getting tired during later scenarios. The interview ended by asking participants for suggestions on how to help older adults protect their privacy.

Participant Recruitment and Demographics

The study aimed to recruit individuals aged 65 or older living in the United States, following the CDC's definition of older adults. Various methods were used for recruitment: three local senior centers, a participant group for clinical and health research at the University of Michigan, another participant group hosted by the Healthier Black Elders Center at Wayne State University, and asking current participants to suggest others (snowball sampling). Most participants came from the university groups and senior centers; only three joined through snowball sampling.

Interested individuals completed a screening survey, available online, by phone, or on paper. This survey was used to confirm age and to recruit a diverse group in terms of age, race, gender, and income. However, individuals with serious cognitive impairments were excluded because working with this population requires special procedures that could not be implemented. Non-English speakers were also excluded due to language limitations within the research team.

The interview questions were tested with three pilot participants. Based on this pilot data, minor adjustments were made to the questions, and the interview length was set to 60-90 minutes to ensure all scenarios were covered without tiring participants. For the main data collection, the first author conducted interviews with 43 participants. Most interviews were one-on-one; two sessions were held with couples who preferred to be interviewed together. Interviews continued until no new information was being gathered. Interviews were conducted by phone, Zoom, or at one of the partner senior centers, depending on the participant's choice. Interviews lasted 82 minutes on average. A few participants took breaks, but none withdrew or expressed concerns about the length. Each participant received a $30 check for their time. With consent, interviews were recorded and transcribed by a professional service.

The participants were diverse in income, race, and self-reported health conditions, but had a higher level of education than the general U.S. population. Most lived in their own or rented homes and did not have caregivers. Seven participants used assistive devices like wheelchairs, canes/walking sticks, and hearing aids.

Regarding technology use, most participants regularly used computers (41) and smartphones (34). More than half (26) also regularly used tablets. Using multiple devices was common: 24 used all three types of devices, and 15 used two. In comparison, smartphones were in 84% of all U.S. households in 2018, followed by desktops/laptops at 78% and tablets at 63%, indicating that the participants' technology adoption was similar to the general population. Smart device adoption was relatively low in the sample: 11 used smart TVs, and seven used smart speakers or voice assistants.

Data Analysis

After transcribing and carefully checking all interview records, the primary author reviewed them to create an initial list of codes for analysis. This was done using both a deductive approach (applying existing knowledge from interview questions and prior research) and an inductive approach (creating new codes based on what participants actually said).

To ensure the coding process was reliable and consistent, the first and second authors each independently coded one transcript. They then met to compare their codes, resolve any differences, and update the codebook. This back-and-forth process was repeated for six transcripts until both researchers agreed that the codes covered all relevant information. The two authors then used the 'training' feature in Dedoose, a tool for qualitative data analysis, to measure how consistently they coded before working independently. The first author coded another 14 transcripts to ensure all codes were applied sufficiently. The second author then coded the same sections of text as the first author. The two researchers achieved a Cohen's kappa score of 0.74 across all codes, which indicates good agreement between them. The remaining 21 transcripts were then divided and coded independently. The first author applied the final codebook to the initial six transcripts again to ensure full consistency. Other co-authors participated in discussions about the codebook and early findings through regular meetings.

The final codebook included 296 codes organized into six categories: one for general privacy concerns and behaviors, and five for each of the specific scenarios. Codes within each category were grouped into consistent sub-categories to make comparisons across scenarios easier. These sub-categories included general attitudes, specific concerns, challenges in addressing concerns, protective behaviors, and age-based differences.

Since this was a qualitative study, the focus was on describing specific themes rather than making numerical claims about how often themes appeared. Following common practices in qualitative research, the following terms were used to estimate the frequency of themes: a few (0-20%), some (20-40%), about half (40-60%), many (60-80%), and almost all (80-100%).

Ethics

The study was reviewed and found to be exempt from oversight by the University of Michigan’s Institutional Review Board. Using a community-based approach, participants and community partners were involved throughout the research process to ensure a mutually beneficial experience. For example, staff at the senior centers provided feedback on the draft interview questions to ensure they were appropriate. Trauma-informed practices were used during interviews, such as actively and empathetically listening when participants shared their stories, and clearly communicating options to skip questions or stop participation. As a way to contribute to the community, the research insights were used to develop a workshop series on online self-defense, which was then offered at the partnering senior centers. Thirteen of the interview participants attended these workshops; all spoke positively about the experience and how relevant the workshop topics were to their concerns.

Limitations

While the qualitative approach offered deep insights into participants' real-life experiences, it has limitations. Some limitations relate to the qualitative method and how participants were selected. For example, the sample cannot be claimed to represent all older adults in America; the main goal was not to achieve broad representation but to capture diverse viewpoints. Participants were diverse in income and race, but they were concentrated geographically and had higher education levels than the general U.S. population. These sample characteristics may have resulted from the local recruitment efforts, chosen to build trust with participants, reach individuals who might not be accessible through online recruitment, and expand the reach of the workshops. Because the study was conducted in the U.S., some findings might be specific to that country or region. Caution should be used when generalizing these findings beyond the U.S., and the study creates opportunities for future similar studies in other countries with different cultural values and consumer protection rules.

Another limitation of the study relates to the interview scenarios, as cybercrime focuses more on risks and harm compared to other scenarios. Nevertheless, cybercrime was included due to its high relevance to older adults' existing concerns and the ageist stereotypes surrounding this topic. While it is possible that discussions about cybercrime might have made participants more likely to bring up this topic in other scenarios, this was partly managed by randomizing the scenario order for each participant. It was also observed that participants who discussed the cybercrime scenario later in their interviews often still spontaneously mentioned it in earlier scenarios.

Findings

First, participants' general understanding of threats and privacy concerns are discussed. Then, their concerns and behaviors for specific scenarios are covered. Finally, findings across all five scenarios are compared.

General Threat Models

Heightened concerns about financial information. Since the idea of "privacy" can be broad and unclear, participants were asked about the specific types of information they wanted to protect. About half of the participants mentioned financial information, such as bank account and credit card numbers. Some also highlighted social security numbers, a unique personal identifier used in the United States. One participant (P34) discussed negative events that could lead to financial loss as their top concerns:

I may not have any money. I may have an outstanding debt . . .My major concern is my identity being taken, and as a result of my identity being taken, my financial security has been compromised or has been taken away from me.

However, privacy harms include more than just financial losses; they also involve damage to reputation, mental well-being, independence, discrimination, and more. Participants did not recognize these other harms as much. As one participant (P3) said, “Financial information is probably the most relevant thing. The rest of my life is pretty much an open book . . . Somebody sees that I go on a porn site. That’s me.” Another participant (P18) brought up that leaked passwords could lead to financial accounts being compromised: “One of the big things that I worry about is somebody getting a hold of my passwords and user ID that would get them into info on my banking and other financial institutions.” One participant (P15) mentioned health information but indicated it was less important than financial information when it came to privacy concerns: “I don’t worry about the portal so much . . .I’ve already got my Medicare, and so far I can’t be refused for having [my] problems . . .It’s mostly financial.”

Cybercriminals as the major threat actor. Consistent with concerns about financial information, about half of the participants identified cybercriminals as the main threat to their personal information. They used terms like "hackers," "scammers," "spammers," "people trying to steal things," and "people operating from the dark web." Some participants shared personal experiences with scams and fraudulent charges. One participant (P1) recounted stories heard in the news:

There are lonely seniors. You’ll hear some news about a guy . . . gets hacked . . .A somewhat younger pretty lady will connect with him, and be able to access his finances . . . So, my concern is mainly [about] if they hack and get my personal information because hackers are those intelligent criminals.

A few participants identified technology companies as another threat, especially Google/Alphabet and Meta. One participant (P13) discussed the extensive data collection and aggregation practices these companies use: “Google captures . . . anytime you do any online shopping. That information is captured and shared between organizations. In aggregate, they can build up a pretty detailed profile view of what your interests are.” Another participant (P12) expressed different levels of trust in various companies, suggesting that not all tech companies are seen as equally threatening:

Microsoft, I’m not as worried about information being shared by them . . . not so much privacy. I would say anything involving the Alphabet as an organization . . .I have too many firsthand experiences that I’ve been uncomfortable with. Information is shared from one site to another without express consent. And I can’t seem to find any features that I could turn on that prevent it . . .It’s something personally I can’t trust.

Interestingly, no participant mentioned the government as a threat. In fact, a few indicated they were not concerned about government surveillance, believing they had nothing to hide—a common but flawed argument about privacy. For example, one participant (P1) said: “I’m not a member of any political party or secret organization . . .I have no fear of the police, FBI, or any governmental agent.” This lack of concern about the government contrasts with heightened worries about government surveillance among other high-risk groups like undocumented immigrants, migrant domestic workers, and Muslim-American women, likely because the participants' identities and backgrounds did not align much with these populations. Similarly, no participant identified their family members or caregivers as threats, even though they are a major source of elder fraud.

Learning from community and commercial resources. Previous research involving older adults in the U.K. identified social, community, and commercial resources, as well as broadcast and digital media, as major sources of cybersecurity information. Participants in this study mentioned all five as ways they learned about privacy self-defense, with community resources, commercial resources, and the media being more popular. Regarding community resources as a source of support, one participant (P22) highlighted senior center classes: “The senior center had contacts with the lawyer, and he’d come in and just discuss [the credit freeze] . . .People would ask whatever question they had.” Another participant (P41) mentioned the American Association of Retired Persons (AARP): “They have print materials . . . Zoom classes . . .If you’re a member, every month they’ll send you a newsletter.”

Another source of support was commercial resources, including customer support services like AppleCare and professional tech support. For instance, one participant (P28) subscribed to Geek Squad and highlighted the benefits of their regular checkups: “Once or twice a year, [we] have what they call a checkup where they just delete duplicate files . . .make sure you’ve updated all your programs, and you’ve installed everything you need.” While experts no longer recommend third-party antivirus software, some participants continued to use it. One participant (P9) noted trust and brand loyalty as important factors: “I’ve used Norton for so long . . .I have trusted them with whenever it comes up for renewal. I don’t even question how they’ve been pricing.” The protections offered by third-party antivirus software might be more than needed, but they did increase participants' awareness of basic risks and encouraged positive behaviors, as in the case of one participant (P27):

I have Malwarebytes, and I’m quite happy with that. I think they’ve done a fairly good job. . . . They have a newsletter every week, and it’s quite informative . . . They often tell you that there’s all this phishing going on, and to be very careful about opening some of these emails that look suspicious. And so I take them at that word, and I do just discard a lot of [emails] because they’re obviously not legitimate.

Previous research, using narratives that focused on deficits, portrayed older adults as passive information consumers who found it difficult or unnecessary to learn about cybersecurity or privacy. The current findings offer a more detailed perspective, as some participants acted as educators and influencers within their communities. One participant (P32) acknowledged the challenges involved in this:

She will want me to order something through my account. . . . She got mad at me the other day because I said I’m not doing it . . .I have done it a few times for her. But I want her to [learn]. She doesn’t want to be tech-savvy. I’m not tech-savvy, but I know . . . the only way to learn stuff is you might make a mistake.

Two participants (P19 and P38) helped run computer classes at their senior centers. P38 identified common challenges among their peers, including managing passwords and using "BCC" when sending mass emails. P19 was concerned about the potential exclusion of less tech-savvy peers from educational programs:

I’m super literate with computers . . . There are a few people like me, but not many. And as they get older, they have a harder time using the technology that’s available, but they need that technology even more . . . You’re missing a whole segment of the bell curve. Those are people who simply don’t come [to the classes]. They have home phones and they don’t use cell phone technology, and they don’t get emails.

Account and Device Sharing

Sharing digital assets in preparation for death or accidents. Half of the participants mentioned sharing passwords, mostly with family members and sometimes with close friends. Previous research has shown convenience and building trust as key reasons for password sharing among younger adults, and participants gave similar reasons. For example, one participant (P13) shared streaming service logins with their son; another (P33) shared "everything" with their partner after decades of marriage.

However, most participants' main reason for sharing was to prepare for unexpected events like death or emergencies. For example, one participant (P18) shared, “My mom and my sister have my social security number and my passwords . . .I trust [them] implicitly, and I feel better too because you’ll never know.” For similar reasons, some participants also shared access to their financial accounts with family members and occasionally with a financial advisor or attorney. One participant (P8) made efforts to ensure clear communication between multiple parties:

I take care of all my own finances. My lawyer knows where all my accounts are. And . . .my adopted son is my advocate, and he’s also my executor. So he knows . . . But he also knows where my lawyer is. And my lawyer knows where he is if something should happen.

When asked about preparing digital assets for after death, some participants had already made plans. Others, like one participant (P7), only realized the importance of this after being prompted:

If I were in a car accident and died, nobody would be able to get into my accounts, which will be bad. It would be weeks of sending mail and death certificates and wedding documents to prove that my wife is my heir and beneficiary. So I should do that. I’ll put that on my list of things sometime.

Struggles with password management. During conversations about account sharing, participants often highlighted password management as a recurring challenge. Unlike studies involving younger people, participants in this study relied more on physical methods for managing passwords: about half mentioned writing passwords down, and a few tried to rely only on their memory. No participant felt their current password management strategies were ideal; for instance, those who wrote passwords down still worried about a "single point of failure" if their password notebook were stolen. While remembering all passwords is generally difficult, one participant (P30) emphasized age-related memory decline as a specific concern:

For important things like my banking, I want to keep going with the same one. I can’t . . . They want a different one than you’ve used in the last 10 years. I can’t remember 10 years’ worth. What I do worry about, actually, is as I get older it’s going to become harder and harder to do all that to keep track of it all.

Only a few participants, typically those with a technical background, mentioned using password managers in their browsers and operating systems. The adoption rate of password managers was much lower compared to studies involving younger adults. Echoing previous research, one participant (P20) shared that not using them was due to distrust in cloud services storing their passwords:

I do not use any of the password apps where they say you can put in all your passwords, and it’ll be secure, I just don’t trust it. In my opinion, all of these systems were created by a person, and there’s always a way . . . somebody else can figure out how to get into it.

Risk Awareness of Public and Second-Hand Devices. A specific situation involving device sharing is using public devices and Wi-Fi networks, which carry risks of data leaks and fake Wi-Fi networks. This scenario is especially relevant for older adults given that they might own fewer personal computers or smartphones but have communal spaces like senior centers that allow device sharing. Many participants reported using public computers and Wi-Fi networks in libraries, hotels, and shops.

Unlike findings in a previous study, where few participants expressed concerns about public devices and Wi-Fi networks, participants in this study (even with similar backgrounds) showed a greater awareness of these risks. Although they could not always pinpoint specific negative events, they recognized situations with increased risk. For example, one participant (P23) commented, “I think it’s easier to compromise my information [when using public devices]. I think people can get into them more easily.” About half of the participants mentioned that they consciously avoided sensitive activities like banking when using public devices or Wi-Fi networks. One participant (P19) compared banking with other types of online activities in terms of their sensitivity:

If somebody wants to hack into my gaming group and screw with my pictures . . . that’s not going to kill me. So I don’t really particularly care about that as much, but I stay away from banks and things that are high security. When we’re traveling, oftentimes I’m looking up what attractions are there? What time does the museum open? . . . things that are not security-driven.

A few participants also cleared their browsing history when they finished using a public computer. One participant (P32) shared how they developed this habit after someone compromised their social media account when it remained signed in:

Some years ago I did not sign out on Facebook [at libraries]. And so whoever came [next], they put a whole bunch of crazy stuff up there. And so my son called me up, ‘Ma, was it really [you]?’ ‘Where were you at?’ I said, ‘I was at the library.’ . . . So he deleted [my post] . . .Now I make sure I sign out if I’m on a public device.

The exchange of used devices can also lead to data leaks. Some participants, like one participant (P6), worried about data that had not been wiped: “When you get second-hand phones, they’re contaminated . . .It’s not good to buy used phones unless they’ve been cleaned or wiped.” Additionally, participants felt unsure about how to securely get rid of their old devices, particularly when selling or donating to strangers, and wanted more guidance. As one participant (P16) said, “I have two laptops . . .just ready to go to the recycling, but I have to get the stuff off of them . . .I probably will pay to have somebody do it because I don’t know what I’m doing.”

Healthcare

Findings within the healthcare context mainly focused on patient portals and smartwatches, as almost all and some participants used these, respectively. A few participants also mentioned using health-tracking apps, step counters, and blood pressure monitors.

Trust in healthcare providers and smartwatch manufacturers. While a few participants expressed privacy concerns about their health information, about half of the participants shared that they trusted service providers (e.g., hospitals and smartwatch manufacturers) to handle their health information securely. This trust is notable because the healthcare industry is often a target for data breaches, and there are instances of health providers exchanging data with social media companies for business reasons. Participants' trust in confidential information exchange with healthcare providers could stem from social norms and existing laws, especially the Health Insurance Portability and Accountability Act (HIPAA), as one participant (P25) said: “Any doctor that I’m dealing with can go to my portal and look up what other doctors have done or said . . .It’s already in there. I don’t feel that that’s being shared inappropriately.”

Interestingly, one participant (P25) extended the same level of trust to smartwatch manufacturers, even though these companies are under different rules and wearable devices have limited protection under HIPAA: “My Fitbit . . .it’s like a watch . . . as far as I know, there are no data to take. It’s just something I’m looking at . . . for my information only.” One participant (P12) explained that their trust in smartwatch manufacturers came from their own good experiences and from what others said:

You know that the Apple Health app . . .I have not personally heard of any episode where that recorded information was used [in]appropriately . . .I encountered a person in a focus group . . .where they were trying out the Apple Watch and recording various aspects of it. That person felt comfortable . . . and that was significant for me. I am not looking and would not be comfortable with any other entity.

Concerns about breaches and health-based discrimination. Although participants generally trusted health devices and portals, some raised concerns about their health information potentially being compromised in data breaches when prompted. As one participant (P41) said: “You kind of hear all the time where these health organizations are hacked . . . That’s a big concern, and that’s real.” Another participant (P9) also worried about health information being used for identity theft: “Somebody can get a hold of a copy of your driver’s license and your health care card and piece together enough to use it for some other purpose.” In addition, some participants expressed concerns about their health information being used for advertising and insurance purposes. These concerns often overlapped with worries about discrimination based on health or age, as one participant (P5) explained:

It seems to me that the misuse of health information is not within the healthcare world . . .it’s in the application, the decision-making of lenders and hirers . . . that would look at a health condition and determine that it’s an additional risk . . . That’s the abuse of the healthcare information that I’m concerned about.

Nonetheless, only a few participants mentioned specific protective behaviors in response to their concerns. Examples included monitoring financial statements (after a healthcare breach notification) and removing prescription labels from medication bottles (to prevent medical identity theft). Overall, participants discussed far fewer privacy-protective behaviors (in terms of both variety and frequency) in the healthcare scenario compared to other scenarios.

Online Advertising

Negative attitudes toward targeted advertising. Almost all participants had experiences with targeted ads, and many held negative feelings about them. About half expressed frustration with the overwhelming number of annoying targeted advertisements. One participant (P10) voiced concern about the surveillance capitalism model that drives targeted advertising: “Every time I look at an ad, somebody knows that. And they put that data in a file somewhere that’s linked to me somehow . . . They’re going to sell that information to the manufacturer or the marketer . . . That’s bothersome.” Other participants, like one participant (P17), suspected that advertisers invaded their privacy by listening to their conversations, a common misconception caused by unclear ad explanations: “My son bought a patio wood-burning oven pizza maker [called] Ooni . . .We were over to his house . . . talking a lot about the Ooni . . .I get home, and I look at Facebook, and I’m being sold Ooni pizza ovens.”

Consistent with previous research on the public's mixed feelings about targeted advertising, a few participants did find targeted advertising useful and relevant. As one participant (P38) said, “I think targeting ads helps people . . .I like knowing about something that I may not have known about that fits my situation.” Furthermore, some participants had relatively neutral views, as they simply did not pay attention to ads or believed their personal opinions were not easily influenced by ads. The findings also align with previous research on consumers' difficulties in understanding the full scope of online advertising: when asked about the types of information potentially used for targeted ads, about half of the participants only mentioned website activities (e.g., browsing and search histories). Participants mainly gave examples of targeted ads in the context of tracking across different websites, showing limited awareness of other individual and demographic factors used in ad targeting; only a few discussed factors like age, race, ZIP code, and IP address.

Experiences with deceptive and discriminatory advertising. About half of the participants described experiences with "bad ads," particularly deceptive ones, meaning the claims and appearances could be misleading and different from consumers' actual experiences. One participant (P17), for example, recounted an emotionally manipulative ad:

It was this little plastic gadget . . . that supposedly some teenage boy with autism had invented . . .And I have a special place for people with disabilities . . .I see this on Facebook . . . Totally sell me with the story. My charge card is out . . .And it comes, and it’s a piece of crap . . .And I realized, "Oh, you dummy. You fell prey. You were such an easy target because of the autistic kid.

Regarding advertising specifically targeting older adults, participants identified ads on Medicare, assistive technology, and funeral services as examples. While a few participants found age-based targeting positive (as it made ads more relevant) or neutral (equating it with other targeting categories like gender), some participants, like one participant (P21), found the practice discriminatory and harmful for reinforcing ageist stereotypes: “It’s annoying because it just reminds you that you’re older.” In addition, one participant (P30) was concerned about older adults' vulnerability to ad scams, showing that concerns over cybercrime carried over into this scenario:

The older we get, the less astute we are in paying attention to what this really means. That puts a lot of people at risk. We’ve heard about how many people can lose their money, not necessarily scammed but buying something we really have no use for. I guess they’re free to advertise to anybody. I just don’t like it.

Protective strategies exist, but rendered ineffective. Some participants used an avoidance strategy when dealing with annoying or problematic ads, which typically involved ignoring them or removing them from their online feeds. This approach was particularly common among participants who had positive or neutral views about ads, as one participant (P11) explained, “All you have to do is click on the X . . . hide the ad . . .ignore it. And if there are too many ads and it annoys you, then you don’t go to those sites.”

However, strategies focused on avoidance do not fundamentally stop the excessive volume of ads. Some participants mentioned clicking 'unsubscribe' in marketing emails but faced challenges, as they either could not find the link or had to wait a long time before they stopped receiving unwanted emails. Adding to previous research on users' common understandings of online advertising and privacy settings, a few participants, like one participant (P3), expressed distrust in the 'unsubscribe' feature, suspecting that clicking it would trigger malware or even more spam:

I am concerned that you can generate more dissemination of information . . . that I wouldn’t want people to have . . . [I] can’t always trust that the unsubscribe location is really going to the service that I want to unsubscribe from . . .If it’s a hacker . . . they’re gonna take the information . . . and hack you some more.

These ineffective strategies may explain why many participants felt they had limited control over what advertisers knew about them. As one participant (P4) described, their level of control was “probably none, except just avoiding.” A few participants, like one participant (P3), believed they had some control, but these participants were relatively experienced in using ad settings: “There’s always a setting somewhere that can be adjusted . . .It is left up to me to explore and see.” One participant (P22) was the only one who felt they had a good amount of control, although their perception was narrowly based on the information they disclosed rather than inferences made by advertisers: “I don’t put a lot out there. I think that certainly gives me an edge on not getting advertising I don’t need or don’t want.”

Social Networking

While many participants used Facebook and Zoom, about half primarily connected with others via phone calls and text messages. A few participants mentioned other channels including emails, Instagram, Messenger, Twitter, and WhatsApp.

Benefit-risk analysis for adoption and use. Similar to findings in previous research, participants weighed the benefits against the risks/costs associated with specific social media platforms. While the benefits of staying connected and getting information apply to all age groups, they became more noticeable among participants during the COVID-19 pandemic, which worsened feelings of social isolation and loneliness. As such, one participant (P12) described their "calculated risk" for social media use: “The very fact that I have to use YouTube to do certain functions puts me at risk, and it’s a calculated risk . . . But we’re so isolated as it is . . .It is unhealthy not to know what’s going on in the world.”

Interestingly, unlike previous research, participants' main concerns regarding social media use—before specific questions about privacy—focused on disturbing or controversial content and false/misleading information. In terms of privacy-related concerns, one participant (P36) mentioned the possibility of context collapse: “If you use social media extensively, you are bound to have problems like misinterpretation . . . someone taking your post out of context.” One participant (P13) disliked the monetization of user data, a recurring concern also seen in the online advertising scenario: “Facebook is notorious for sharing information and also establishing a profile . . .I don’t want to make Mark Zuckerberg any richer.”

A few participants also voiced concerns about scams on social media: scams are already a recurring theme in the cybercrime scenario, but social media can increase their reach. One participant (P8), for example, shared their experience with romance scams: “I have some weird guy that sent me [pictures] . . .He sent the same picture to my daughter-in-law . . .It’s really a jungle out there.” Dealing with scams and harassment was even more challenging for participants with limited tech skills and low income, as in the case of one participant (P6):

One day I got 1,000 friend requests [on Messenger] . . . but I accepted them all onto my page. Then I realized . . .I’m getting all these telephone calls [from] people trying to swagger me . . . They would call me up at two . . .in the morning and say, ‘Hi, handsome. How are you?’

Limited risk perceptions of Zoom. Zoom, a video conferencing service, saw a significant increase in users during the COVID-19 pandemic. Half of the participants mentioned adopting Zoom during the pandemic to meet social, informational, and educational needs. A few shared concerns about "Zoombombing," and one participant (P9) even experienced it firsthand: “There [was] this particular conversation that the council is having. And dirty pictures popped up. And then they had to shut down the Zoom thing.”

Nonetheless, participants who had heard of Zoombombing but had not experienced it personally expressed limited concerns, believing they would not be targeted. One participant (P36) shared, “I don’t think we will attract the attention of the criminals. . . .It’s only the doctor and myself. So what is there to bomb? You want [to] bomb into a Zoom with 20 CEOs and the president of the United States.” Similarly, one participant (P7) speculated that Zoom would not engage in excessive data collection due to its business model: “Why would they record a meeting amongst a family of four? They’re not going to be able to monetize that.” However, Zoom has faced controversy for making false claims about end-to-end encryption while sharing data with Facebook for monetization purposes. These problematic data practices rarely influenced participants' use and trust in the platform. A few participants, like one participant (P14), further mentioned relying on Zoom and its partner institutions for data protection: “You heard so much about Zoom over the last two years that you figure, well, it’s got to be a reasonable company. Hopefully, they have security measures in place.”

Skills and confidence in self-protection. In response to their concerns, participants actively used protective strategies rather than relying on passive measures. One participant (P11) mentioned the option to limit their profile visibility: “You can restrict your profile pretty well. So I do. You can’t see my friends.” One participant (P28) described being careful about sharing sensitive information: “I normally don’t post it while we’re away. I wouldn’t want to advertise to the world that we’re going to be out of town for a week.” One participant (P2) would block or unfriend someone in the case of scams or interpersonal conflicts: “If I find people that are offensive . . .I will stop following them.” Some participants also adjusted their Zoom settings, such as muting themselves as needed and using a virtual background, similar to findings from previous research with younger populations. Most of these proactive strategies showed participants' effectiveness in navigating standard privacy settings on social media.

As in the online advertising scenario, participants' perceived level of control over their information on social media was closely linked to their confidence in configuring privacy settings. Many participants felt they had some control. Some participants, like one participant (P39), even noted they had total control, although this perception—similar to that in the online advertising scenario—was primarily based on their knowledge of what they proactively shared rather than the hidden inferences and data exchanges: “I’m in control of what I put out there . . .If you put out everything, you expect to have some fallout . . .I don’t put out personal stuff.”

Cybercrime

Concerns and negative experiences with scams and fraudulent charges. While previous research has identified cybercrime as a growing problem for older adults, the study's findings reveal older adults' concerns about specific types of cybercrime, both when directly asked and when mentioned spontaneously. When asked about their initial thoughts on the term 'cybercrime,' some participants mentioned hacking attempts targeting government agencies and companies, while others focused on cybercrime targeting individuals. For example, one participant (P21) was concerned about account compromises leading to financial loss: “I do have some concerns about somebody stealing . . . not just your bank account, but your investments.” One participant (P42) highlighted concerns about scams: “I think about a lot of the scam emails that I’ve been getting.”

About half of the participants reported receiving scam calls or phishing emails, with the majority successfully avoiding becoming victims. Out of the 43 participants, only three had experienced financial losses that they could not recover. One potential factor contributing to participants' increased susceptibility to exploitation is concurrent financial hardship, as one participant (P32) recalled their experiences:

I was getting these text messages . . . to be like a mystery shopper . . .I received a check for about $1,500 . . . So I went to the bank . . . showed them the check. . . .And I was broke. And then she [bank manager] told me that it was a scam . . . That is how they get you because you’d be thinking about the money [when you’re broke].

Participants' vulnerability to scam attempts also relates to their level of digital literacy. One participant (P26), who considered themselves "computer illiterate," suspected their identity was stolen without realizing it was a social security scam: “I got a call from the government that said somebody in Texas is using my social security number to extrapolate the funds out of bank . . .Maybe I have been a victim.” Nevertheless, having a technical background did not guarantee immunity to scams either, as in the case of one participant (P43), who ran a computer supply company but once lost $150 to a ransomware scam:

We had our computer locked up by a software company . . . They sold us a software package for $150 that would guarantee that we would not have our system locked up. And when I called the Geek Squad . . . they said all we had to do was just click on the control, alt, delete, and that would have restored us.

Perceived higher vulnerability among older adults. Since previous literature and news media have portrayed older adults as easy targets for cybercrime, participants were asked about their perceptions of age-related vulnerability to cybercrime. About half of the participants believed that older adults were more vulnerable and identified factors that could contribute to this higher vulnerability, noting that older adults "are naive with respect to technology" (low tech-savviness), "believe everything that they see" (too trusting), and "are more susceptible to [scammers] working on our emotions, like the grandparent scam . . . Seniors are lonely and just want somebody to talk to" (subject to emotional manipulation). Interestingly, participants often used "they" when referring to older adults and rarely considered their own vulnerability. For instance, one participant (P33) was confident in their own resistance to cybercrime but expressed concern for others: “I don’t see why anybody would want to go after me . . .I’m not really worried about myself . . . There are a lot of [older] people that don’t know or get scammed. That worries me."

While older adults being more vulnerable to cybercrime is the prevailing view, some participants believed that vulnerability to cybercrime is independent of age. One participant (P19), for instance, attributed cybercrime vulnerability to individual habits of sharing information: “If you’re careful and you don’t expose yourself, I think you’re going to be safer than if you just put your information out there willy-nilly.” Interestingly, a few participants considered younger adults more vulnerable due to more careless online behavior. As one participant (P14) said, “The younger people spend so much time on their devices . . . They’re savvy . . . but sometimes, you just think these people are not paying attention to what kind of danger they’re putting themselves in.”

Adopting protective strategies. Participants shared a variety of strategies to protect themselves against cybercrime; the most common ones were frequently checking financial accounts, avoiding phone calls (from unknown numbers or in general), and looking for common signs of phishing attempts (e.g., checking the sender’s email address). These strategies aligned with established expert advice for online safety and did not require advanced technical expertise. A strategy unique to older adults was relying on their accumulated knowledge and skills throughout life, often called crystallized intelligence, as opposed to younger adults' fluid intelligence. In participants’ own words, they relied on "common sense" developed over decades, as described by one participant (P35):

When someone comes to me asking questions about something I said that I did not put out to the public . . . that’s a big red flag and an automatic delete . . . Because I’m older and already have . . . a whole bag of tricks from these many years of living.

Participants' ability to recognize scams could also come from their professional background. One participant (P28), for instance, had worked for the Internal Revenue Service and was able to quickly react to tax scams:

“I once got a call from someone who said they were from IRS and they said . . .if we didn’t make a payment, there would be a warrant out for our arrest. I said, ‘Well, I work for IRS and I know you’re not from IRS. So I think you better stop what you’re doing.’ . . .And I hung up and report it.”

Participants also described learning protective strategies through direct experiences with scams, echoing previous research on security advice and behavior. For example, one participant (P31) shared:

The guy said that he was working for Amazon . . .He was able to put [a charge] back into my account . . . But in the meantime, I noticed that . . .when he took control, he started going into different information . . .And then something dawned on me. I said, ‘Well, wait a minute. Why are you going through all these steps?’ . . .A red flag would be when they start asking you for your financial information. I learned that now, because after this investigation, I was told by my financial institution never [to] give out your financial information.

However, participants' strategies were not perfect and sometimes led to unnecessary inconveniences or a feeling of helplessness. For example, one participant (P26) changed their phone number to avoid too many spam calls, unaware of other strategies like blocking specific numbers or registering on the national Do Not Call list that do not require changing one's number. One participant (P20) shared their reliance on service providers like credit card companies and identity theft monitoring vendors for handling scams, rather than protecting themselves: “I would trust that the credit card company would tell me . . .Other than they tell me, throw that card away . . .we’ll send you a new one, I don’t think there’s anything I personally can do.”

Cross-Contextual Insights

After presenting findings for each scenario, common themes, similarities, and differences across scenarios are discussed.

Heightened and cross-scenario concerns about cybercrime. The findings highlight cybercrime as a major and recurring concern for participants across different situations. In the initial general discussions about privacy, cybercriminals already emerged as the primary threats. Participants' definitions and concerns about cybercrime focused on scams, fraud, phishing attacks, fraudulent charges, and identity theft. These definitions largely align with existing categories of cyber-trespass and cyber-theft. Importantly, cybercrime concerns and experiences were common across scenarios, as participants discussed worries about identity theft fueled by health information, being victims of ad fraud, and encountering scams/harassment on social media, even before cybercrime was specifically asked about.

Regarding vulnerability, cybercrime was also the only scenario where a significant number of participants believed their own age group was more vulnerable compared to younger generations. Although participants rarely saw themselves as more vulnerable than others—possibly due to optimism bias—they often expressed concerns for other individuals in their age group or older. Conversely, in the other scenarios, almost all participants believed that vulnerability was equally distributed across age groups and identified various factors that made people more vulnerable regardless of age. For instance, one participant (P10) identified health conditions and patient portal use as factors contributing to health-related privacy risks: “I do have medical issues, I’m in and out of the patient portal more than a lot of people . . .I think the more you use a system, the higher the risk of being compromised.” One participant (P11) emphasized the importance of education level in dealing with problematic advertising: *“Somebody with less education might be distracted by these ads, whatever their age is. *. . Have you learned to research? Have you learned critical thinking? . . . Just don’t follow what people tell you.”

Limited concerns and options for protecting health information. Participants expressed the fewest privacy concerns in the healthcare scenario. Unlike in other situations, where participants easily identified threats and specific concerns without prompting, participants generally did not discuss healthcare-related privacy issues until asked. This might be due to the relatively hidden nature of health information misuse, especially when discrimination is involved. No participants had personally experienced medical fraud or any related financial losses. Participants' perceptions may also have been shaped by news media—a common source of information—which provides limited coverage of security and privacy events in the healthcare industry.

In contrast to the wide range of protective strategies seen in other scenarios, participants shared fewer strategies for safeguarding their health information. However, this limited action should not be confused with a lack of care. As health issues related to aging arise, older adults may have more frequent doctor's visits, naturally building trust in their healthcare providers. While people might switch to a different service provider after negative privacy experiences like a data breach, most patients reasonably make decisions based on cost, coverage, and quality of care when choosing healthcare providers. The "notice and choice" framework for protecting individual privacy has long been criticized for putting the burden of self-protection on consumers, and these shortcomings become even more problematic in the healthcare sector where consumers often have limited or almost no choice.

Concerns and behaviors centered on information collection. Solove's classification of privacy harms divides them into four stages: information collection, information processing, information dissemination, and invasion. A previous study also described older adults' threat models using these four stages. However, participants' main concerns and strategies in this study primarily focused on the information collection stage. For instance, some participants discussed limiting content/profile visibility in the social networking scenario and avoiding interactions with ads in the online advertising scenario. In both cases, participants' perceived control was linked to how much information they explicitly shared with other users and service providers. They felt more in control knowing they did not "put much out there." Only a few tech-savvy participants (e.g., P10 and P12) shared concerns about how companies gathered and made assumptions from collected data. Very few participants mentioned concerns about information dissemination, except in cases of health-based discrimination, where sharing sensitive health information could jeopardize their health benefits.

Trust in service providers. Participants' trust in various service providers was a recurring theme across scenarios: trusting banks and credit card companies to detect and resolve fraudulent charges, trusting healthcare providers and wearable device manufacturers to safeguard health information, and trusting Zoom and partner institutions to ensure the security of video conferencing data. This trust is shaped by positive experiences with service providers, a lack of awareness regarding certain threats, and limited options for self-protection. Previous research has shown older adults' trust in healthcare professionals and their preference for discussing health in depth with a person rather than non-human sources. In contrast, these findings suggest that older adults' trust extends beyond personal contacts to include healthcare-related technology platforms, such as patient portals and video conferencing tools that facilitate virtual doctor's appointments.

Trust in service providers, particularly in the healthcare scenario due to the health needs of older adults, can be reasonable. However, there is a risk that too much trust leads to delegating or even abandoning useful protective strategies. For instance, one might have limited control over how information in their health portal is used, but they can take steps after a breach occurs. In contrast, regarding cybercrime, many alternative measures can be taken to actively combat threats, such as using secure mobile payments to limit card fraud and placing credit freezes to reduce credit fraud, rather than relying solely on protections provided by financial institutions.

Discussion

Comparisons with Prior Work

Consistent with previous research, participants raised concerns related to security, such as scams and identity theft, even when explicitly asked about online privacy. This suggests that participants view security and privacy as interchangeable concepts, aligning with other work that highlights the variety in privacy definitions and potential differences between experts' and users' understandings. In contrast to earlier studies that emphasized older adults' reliance on passive ways to protect themselves, participants in this study used various active coping strategies, such as setting privacy/authentication options and being cautious when sharing sensitive information.

The findings also confirm and expand on previous research conducted within individual situations. For instance, older adults' privacy concerns and behaviors on social media have been thoroughly studied. The findings align with previous work on common protective strategies, but the study also uncovered new insights prompted by the COVID-19 pandemic as participants shared their adoption of Zoom and other video conferencing tools. Participants were skilled at navigating relevant privacy settings and expressed greater trust in service providers compared to more traditional social media platforms like Facebook.

Contrary to previous research, participants showed more awareness of risks when using public and used devices than those in a previous study. Additionally, unlike previous studies that highlighted older adults' negative perceptions of health monitoring technologies, participants in this study expressed limited privacy concerns about their health information. However, it is important to consider this finding within the context of the sample, as most participants lived independently and were not using technologies traditionally considered intrusive, such as in-home activity sensors and always-on web cameras.

While the study did not quantitatively compare privacy vulnerability between older and younger adults by recruiting both groups—making its findings less comparable to previous work that has done so—the findings add more detail to the narratives that focus on older adults' weaknesses, as participants' vulnerability varied and could not be simply attributed to age. This difference could stem from the sample, as participants were recruited locally, and some recruited via senior centers might have learned about privacy self-protection there. However, it is also likely that the cross-contextual interview approach and specific questioning about participants' self-perceived vulnerability contributed to the new and different findings.

Contextual Effects of Privacy Concerns

Previous research emphasizes the role of context in understanding privacy concerns, noting that "individuals can, depending on the situation, exhibit anything ranging from extreme concern to apathy about privacy." A related theory suggests that societal norms shaping people's perceptions of what is private versus public vary across contexts. The study's findings support the importance of context to some extent, as shown by concerns unique to certain situations, such as health-based discrimination in healthcare and password compromises when sharing accounts/devices. Nevertheless, it is also observed that privacy concerns are not entirely context-dependent, as certain concerns transcend contexts. Specifically, cybercrime was a pressing concern among participants, as they shared related worries not only in the cybercrime scenario but also in healthcare, online advertising, and social networking scenarios. Another cross-contextual concern relates to surveillance capitalism, which was mentioned in both the online advertising and social networking scenarios, as participants expressed discomfort with the widespread collection and monetization of personal data by advertisers and social media platforms.

These findings highlight the need for further research to both describe and measure privacy concerns at the population, context, or individual level. For example, the findings already reveal some population-level differences: none of the participants identified the government as a threat, in contrast to other high-risk groups who express heightened concerns about government surveillance. Other research has also contributed to this direction, such as work that compares the digital security experiences of four at-risk groups (including older adults) and a theory that explains how contexts influence privacy concerns and behaviors. Notably, it is observed that even within the same context, participants' concerns and vulnerabilities varied significantly and were shaped by many individual factors beyond age.

Rethinking Privacy Vulnerability and Aging

Given the growing research on specific populations who experience a disproportionate amount of privacy harm, it is important to consider the subtle differences between being marginalized and being vulnerable. According to some researchers, marginalization means society is failing, as marginalized individuals are underserved, underrepresented, or forgotten. Vulnerability, on the other hand, might imply that a person is weak, needs help, and is a burden.

This distinction between marginalization and vulnerability is crucial in research involving older adults. The findings show specific ways older adults experience marginalization. For example, one participant (P27) shared how they struggled with technology not designed for their needs: “The worst thing for me is manipulating that tiny [phone] keyboard . . .I have to use a stylus, with a little rubber on the end of it . . . because I just can’t cope with that little keyboard.” One participant (P12) observed marginalization among their peers and expressed concerns: “There are some [people] that do not join into our Zoom calls because they are afraid of the technology or they can’t afford the technology. And they are completely left out.” Negative media portrayals can worsen feelings of marginalization and take an emotional toll on older adults themselves. This is also supported by findings related to cybercrime: even though very few participants experienced direct consequences, such as unrecoverable financial losses, many shared recurring concerns and stress, often accompanied by demanding behaviors (e.g., checking financial accounts frequently and avoiding phone calls) that involve emotional effort.

Nonetheless, this research challenges the common idea of older adults as vulnerable with several supporting findings. First, a few participants who were very knowledgeable about both privacy and technology played an important role in supporting and influencing their peers—this suggests that broadly labeling older adults as a vulnerable group is too simple. Second, almost all participants believed that older and younger adults faced equal risks of privacy violations in most situations; even regarding cybercrime, which caused the most concern among participants, opinions were mixed. Third, participants' statements and the analysis reveal that factors such as education, income, technology use, and online information sharing influence one's privacy vulnerability more prominently than age. While these factors may be related to age, they often operate independently of age. For cybercrime, participants with greater resistance gained knowledge from their work background, accumulated wisdom, and previous negative experiences; participants who struggled more with cybercrime tended to be those facing concurrent financial hardship or having low tech-savviness, although being tech-savvy does not guarantee immunity to scams either.

These findings highlight the need for more comprehensive frameworks that combine and measure the various factors contributing to someone's privacy vulnerability. Particularly for older adults, the findings empirically support the idea that designers should "seek design inspiration in narratives of positive aging." This philosophy offers many opportunities for designing privacy tools, technologies, and education for everyone as they age, since older adults are a very diverse group with unique traits that lead to interesting research and design possibilities.

Technical and Educational Implications

The findings offer several directions for future work on technologies that enhance privacy. For example, participants were motivated to share accounts and devices in anticipation of death and emergencies. However, some participants only became aware of this need after being asked, and others were unsure about the practical steps involved. There are opportunities to develop tools that specifically support older adults in preparing their data for after death. Drawing from the findings and previous research on safety settings for older adults with memory concerns, such tools should allow multiple users to discuss and agree on independence and power (especially involving financial interests) and ease the anxiety older adults may feel when thinking about their own mortality.

Besides building new tools, the research contributes insights into improving existing tools to better suit older adults' preferences while correcting misconceptions. In the account and device sharing scenario, participants often struggled to safely get rid of old devices. Participants were more familiar with physical methods of completely destroying a device, while knowing about but not trusting features like a factory reset. To make a factory reset more useful and understandable, digital devices could implement more detailed settings aligned with the user’s goal (e.g., recycling, trading in, selling, donating to friends or strangers), as well as more personalized advice (e.g., recommending reliable local sites based on the user’s location). In another scenario, online advertising, some participants found age-based targeted ads discriminatory or offensive. To address such concerns, platforms should allow users to create a list of topics they wish to avoid in ad targeting—a suggestion also made by previous research. While some platforms already offer adjustments for specific topics like alcohol, parenting, and politics, there is a need to collaboratively design ad filtering features with older adults who can provide unique insights into topics that might reinforce ageist views.

Finally, the findings highlight the need to support older adults in learning about privacy self-defense through educational efforts. Participants suggested specific topics for education such as password management, privacy settings, the usefulness of protection services (e.g., antivirus and identity theft monitoring), and securely getting rid of devices. In developing the online self-defense workshop materials, these topics were included while mirroring participants' ways of thinking and language choices (e.g., not emphasizing the subtle differences between security and privacy topics, and using 'hackers' to refer broadly to malicious actors). Moving forward, there are opportunities to integrate this training into broader efforts to help older adults build digital literacy skills, such as workshops on 'how to use smartphones' or 'how to find jobs online.' The findings suggest that community and commercial resources are good starting points for delivering such training, and it might be helpful to join forces with existing initiatives like Apple’s iPhone classes for older adults. The findings also suggest that older adults may turn to peers who are influencers and protectors—roles that a few participants already played—rather than acquiring new knowledge on their own. As such, a core part of training should be supporting older adults in developing self-learning and information-seeking skills, so that educational efforts are sustainable and can have a wide influence.

Open Article as PDF

Abstract

A growing body of research has examined the privacy concerns and behaviors of older adults, often within specific contexts. It remains unclear to what extent older adults' privacy concerns and behaviors vary across contexts and whether old age is the primary factor influencing privacy vulnerabilities. To address this gap, we conducted semi-structured interviews with 43 older adults (aged 65 to 89) in the United States. Our interviews were grounded in five scenarios: account and device sharing, healthcare, online advertising, social networking, and cybercrime. Our cross-contextual analysis showed that cybercrime was a recurring and pressing concern across scenarios; privacy concerns and protective behaviors were rarely mentioned in the healthcare scenario. Across all scenarios, participants' threat models and strategies revolved around data collection rather than other stages in which privacy harms may occur; they employed various active strategies to safeguard their privacy while trusting service providers to protect their information. Our findings underscore the need to revisit the discussion around privacy vulnerability and aging. Vulnerability levels among our participants varied widely and were often influenced by factors beyond age, such as tech savviness and income. We discuss opportunities for privacy interventions, technologies, and education that promote positive aging and recognize diversity among older adults.

Summary

Older adults are using more technology, which can lead to privacy and safety risks. Many studies have looked at these risks, but often in a broad way. This study looked at how older adults think about privacy in different everyday situations. Researchers talked to 43 older adults, aged 65 to 89, about their privacy worries and actions in five areas: sharing accounts and devices, healthcare, online ads, social media, and online crime.

The study found that older adults were most worried about online crime, like scams and fraud. They often felt that they were more likely to be victims of these crimes than younger people. However, they were less worried about their health information being private when it came to healthcare, as getting good care was more important to them. Many past studies said older adults mostly just avoided technology to protect their privacy. But this study showed that older adults actively tried to protect their privacy by changing settings and being careful about what they shared.

The study also showed that not all older adults are the same when it comes to technology and privacy. Some older adults who knew a lot about technology even helped others in their communities. This means it is too simple to say all older adults are easily harmed online. The study suggests that we should create better ways to protect privacy, like new tools and education, that respect the strengths of older adults.

Older Adults and Online Safety

Older adults are often seen as easy targets for privacy problems. Some studies have said they are more likely to be tricked or less worried about their privacy. But some experts say we should also look at the wisdom and special ways older adults see things. They also say it is important to separate age from other things that might make someone more at risk.

One of these things is health. As people get older, their senses, bodies, and minds can change. Some older adults might have trouble seeing scams or understanding what it means to share personal information. They might also need special health devices to live on their own, but these devices can track their actions. Also, older adults might rely on family or caregivers to help with technology, which can sometimes lead to others watching their online activities too much. This can take away their control and stop them from learning how to protect themselves.

Knowing how to use technology, called digital literacy, is another important factor that is separate from age. Even though younger and older adults might use technology differently, more older adults are using new technologies and going online. This makes it important to see how they handle privacy in different situations. Some older adults do not use technology because it costs too much, is not made well, or they are afraid of it. Not using technology or not knowing how to use it well can make it harder to protect one's privacy. This study adds to the idea that older adults are not all the same with technology, and that those who are good with tech often help their friends.

What Older Adults Worry About and Do

This section looks at what older adults worry about and how they act when it comes to privacy in different situations.

Account and Device Sharing

Many older adults share their account passwords, usually with family, and sometimes with close friends. While younger adults might share for ease or to build trust, older adults often do it to prepare for a time when they might not be able to manage their accounts themselves, like if they pass away or have an emergency. For example, some share bank account access with family or a lawyer. Some have already planned what will happen to their online information after they die.

Managing passwords can be hard for older adults. Unlike younger people who might use password manager apps, about half of the older adults in this study wrote their passwords down on paper. A few only tried to remember them. No one thought their way of managing passwords was the best, and many worried about losing their written lists. Some older adults worried about memory loss making it even harder to keep track of passwords as they age. Only a few who were good with technology used password managers in their computers or phones. Many did not trust these apps to keep their passwords safe online.

When using public computers or Wi-Fi, which can be risky, many older adults in this study knew about these dangers. They often avoided doing important things like banking when using public Wi-Fi. A few also made sure to clear their browsing history on public computers after using them. Some older adults worried about giving away old devices and not being able to fully erase their personal information. They wished for more guidance on how to do this safely.

Healthcare

In terms of healthcare privacy, the study mostly looked at patient portals and smartwatches, as many older adults use them.

Many older adults trusted healthcare providers, like hospitals, and smartwatch companies to keep their health information safe. This trust was often linked to common rules and laws like HIPAA (Health Insurance Portability and Accountability Act), which helps protect health information. Some even trusted smartwatch makers the same way, even though different rules apply to those devices. They felt safe because they had good experiences or because others they knew also trusted these companies.

Even with this trust, some older adults worried that their health information could be stolen in data breaches or used unfairly. They worried it could be used for identity theft, or that insurance companies or lenders might use it to treat them differently. However, fewer older adults reported taking specific steps to protect their health privacy compared to other areas. Examples of steps they did take included checking financial statements after a health data breach or removing labels from medicine bottles. Overall, they did fewer things to protect their privacy in healthcare than in other areas.

Online Advertising

Almost all older adults in the study had seen targeted ads (ads made for them based on their online actions), and many did not like them. About half were annoyed by how many targeted ads they saw. Some worried that companies were collecting too much information about them to sell products. A few thought that advertisers were listening to their conversations, which is a common misunderstanding.

However, a few older adults did find targeted ads helpful. Others did not care much, saying they simply ignored the ads. The study also showed that older adults often only thought about their browsing history when asked what information was used for ads, not other things like age or location. Many older adults also shared experiences with "bad ads," especially ads that were tricky or misleading. Some found ads specifically for older adults, like those for Medicare or funeral services, to be annoying or unfair, as they felt these ads reminded them of being old.

Some older adults tried to avoid or ignore annoying ads. They might click "X" to hide an ad or just not go to certain websites. But these actions did not really stop the ads. Some tried to "unsubscribe" from emails but found it hard or thought it might lead to more unwanted mail or computer viruses. Because of this, many older adults felt they had little control over what advertisers knew about them. Only a few who knew a lot about technology felt they had some control by changing ad settings.

Social Networking

Many older adults in the study used Facebook and Zoom, but about half still mostly used phone calls and text messages to connect with others.

Older adults thought about the good and bad parts of using social media. Connecting with others and getting information was especially important during the COVID-19 pandemic, which made many feel alone. For example, one older adult used YouTube even though it had risks, because they did not want to be "so isolated." Before privacy questions were asked, older adults were mainly worried about upsetting or confusing content and false information on social media. For privacy, some worried that different parts of their lives might mix online (context collapse). Others disliked that companies like Facebook made money from their personal information.

Some also worried about scams on social media, especially romance scams. It was even harder for older adults with less tech experience or money to deal with scams and harassment. Zoom, a video call service, became very popular during the pandemic. Some older adults worried about "Zoombombing" (when unwanted people join a call), and one even experienced it.

However, older adults who had heard of Zoombombing but not experienced it themselves were not very worried, thinking it would not happen to them. Some also thought Zoom would not collect too much data because they did not see how the company could make money from family meetings. But Zoom has had problems with how it handles data and privacy, which many older adults in the study did not know about. A few older adults trusted Zoom and the organizations they used it with to keep their data safe.

To protect themselves, older adults actively used privacy settings. They might limit who could see their profile or be careful about sharing sensitive information, like when they were away from home. Some would block or unfriend people who were causing problems or scams. Many felt they had some control over their information on social media, especially what they chose to share. They believed that if they did not post personal things, they would be safer.

Online Crime

The study looked at older adults' concerns and experiences with online crime, both when asked directly and when they brought it up themselves.

When asked about "cybercrime," some older adults thought about hacking attacks on companies or the government. Others focused on crimes against individuals, like financial loss from stolen investments or scam emails. About half of the older adults reported getting scam calls or phishing emails, but most avoided being victims. Only three out of 43 lost money that they could not get back. Being in a tough financial spot might make someone more likely to fall for a scam. Also, not being good with technology made some older adults more likely to be fooled, like one who thought their identity was stolen but it was actually a social security scam. But even those good with technology could be victims, like one who lost money to a computer virus scam.

Many older adults felt that older people were more likely to be victims of online crime. They thought older adults were "naive with technology," "too trusting," or more likely to be tricked by emotional scams, like the "grandparent scam" because they might be lonely. Interestingly, they often said "they" when talking about older adults being at risk, rather than thinking about their own risk. However, some believed that vulnerability to online crime had nothing to do with age, but rather with how careful someone was online. A few even thought younger adults might be more at risk because they spend so much time on devices and might not pay enough attention to dangers.

Older adults used many ways to protect themselves from online crime. These included regularly checking their bank accounts, not answering calls from unknown numbers, and looking for signs of phishing emails (like checking the sender's email address). These tips are good for online safety and do not require advanced tech skills. A special way older adults protected themselves was by using their "common sense" or life experience. They knew how to spot strange requests or things that seemed too good to be true. Some used their job experience to quickly spot scams, like one who used to work for the IRS and recognized a tax scam.

Older adults also learned from their bad experiences with scams. For example, one person learned never to give out financial information over the phone after a scam attempt. But their protection methods were not always perfect. One person changed their phone number to avoid spam calls, instead of using easier methods like blocking numbers. Others relied on credit card companies or identity theft services to handle scams rather than protecting themselves.

Comparing Different Situations

This section looks at how the concerns and actions of older adults were similar or different across the five situations.

Online Crime Worries Across All Situations

The study showed that online crime was a big and ongoing worry for older adults in all situations. When they first talked about privacy, online criminals were seen as the main threat. Their worries focused on scams, fraud, phishing, and identity theft. These online crime concerns showed up in discussions about healthcare (identity theft from health information), online ads (ad fraud), and social media (scams and harassment).

When it came to how vulnerable people were, online crime was the only situation where many older adults felt their age group was more at risk than younger people. While they rarely thought they themselves were more vulnerable, they often worried for other older adults. In all other situations, almost all older adults thought that everyone, young or old, faced similar privacy risks. They pointed to things like health conditions, how much technology someone used, or their education level as reasons for risk, rather than just age.

Few Worries About Health Information and Few Ways to Protect It

Older adults showed the least privacy worries in the healthcare situation. Unlike other areas where they quickly named dangers and concerns, they usually did not talk about healthcare privacy until asked. This might be because misusing health information is not always obvious, especially when it leads to unfair treatment. Also, the news, which many older adults use for information, does not often cover health privacy issues.

Older adults also shared fewer ways to protect their health information compared to other situations. However, this does not mean they were not careful. As older adults often have more doctor visits, they naturally build trust with their healthcare providers. When choosing healthcare, people often think about cost and quality of care, not just privacy. It can be hard for people to protect their own privacy when they have limited choices in healthcare.

Focus on How Information is Collected

A common idea about privacy problems is that they happen in four steps: collecting information, using it, sharing it, and breaking into private spaces. This study found that older adults mainly worried about the first step: collecting information. For example, they talked about limiting what they shared on social media or avoiding ads online. They felt they had more control if they did not "put much out there." Only a few tech-savvy older adults worried about how companies gathered and used their data to guess things about them. Very few worried about information being shared, except when it came to health information being used for unfair treatment.

Trust in Service Providers

Trusting different companies and services was a common theme in all situations. Older adults trusted banks to catch fraud, healthcare providers to keep health information safe, and Zoom to keep video calls secure. This trust came from good past experiences, not knowing about certain risks, and sometimes feeling like they had no other choice. Past studies have shown that older adults trust healthcare professionals and prefer to talk about health in person. This study suggests that older adults also trust healthcare-related online tools, like patient portals and video call services for doctors' appointments.

While trusting service providers can be sensible, especially in healthcare, too much trust can lead people to stop using other helpful ways to protect themselves. For example, while one might not control how their health portal information is used, they can still take action if a data breach happens. For online crime, there are many active steps people can take, like using secure payment methods or freezing their credit, instead of just relying on banks to fix problems.

Next Steps

How This Study Compares to Other Research

This study found that older adults worried about safety issues like scams and identity theft, even when asked about online privacy. This means older adults often see safety and privacy as the same thing, which is a common view. Unlike other studies that said older adults mostly just avoided technology to protect themselves, this study found that older adults actively used privacy settings and were careful about what they shared.

The study also confirmed and added to what is known about older adults in specific areas. For example, it agreed with other research on how older adults handle social media privacy, but it also showed new things related to using Zoom during the pandemic. Older adults in this study were good at using Zoom's privacy settings and trusted Zoom more than older social media platforms like Facebook.

Different from some past studies, older adults in this research were more aware of the risks of using public and second-hand devices. Also, unlike previous studies that said older adults did not like health tracking devices, this study found they had few privacy worries about their health information. But it is important to remember that most participants in this study lived on their own and were not using very personal tracking devices.

This study did not compare older and younger adults directly, so its findings are not exactly like studies that did. However, this research shows that older adults are not all the same when it comes to being at risk. It is too simple to say that age alone makes them vulnerable. This could be because the study talked to people locally, and some learned about privacy protection at senior centers. Also, the way the interviews were done, asking about different situations and how they felt about their own risk, might have led to these new findings.

How Different Situations Affect Privacy Worries

Other research says that what people think about privacy changes depending on the situation. This study partly supports that idea, as some worries were specific to certain situations, like health discrimination in healthcare or password problems when sharing accounts. But the study also found that some worries, like online crime, were important across all situations. Older adults often talked about online crime worries in healthcare, online ads, and social media, even before being asked about it. They also worried about companies collecting and using their personal data for money in both online advertising and social media.

These findings mean we need to understand better how privacy worries differ for groups of people, in different situations, and for each person. For example, this study showed that older adults did not see the government as a threat, which is different from other groups who worry a lot about government surveillance. The study also showed that even in the same situation, older adults' worries and risks varied a lot and were shaped by many individual things beyond age.

New Ways to Think About Privacy Risk and Aging

When thinking about groups who face extra privacy problems, it is important to tell the difference between being left out and being weak. Being left out means society is failing certain people by not serving them well. Being weak can make it sound like a person needs help and is a burden.

This difference is important for research with older adults. This study shows how older adults can be left out. For example, some struggled with technology not made for them, or could not join online activities because of fear or cost. Bad media stories can also make older adults feel left out and cause them emotional stress. This was seen with online crime worries; even if they did not lose money, many older adults felt stressed and had to keep checking their accounts.

However, this study challenges the idea that older adults are generally weak when it comes to privacy. First, some older adults who knew a lot about privacy and technology helped and influenced their friends, showing that labeling all older adults as weak is too simple. Second, most older adults believed that older and younger adults faced similar privacy risks in most situations. Even for online crime, where most older adults worried, opinions were mixed. Third, the study found that things like education, income, how much technology someone uses, and what information they share online affected their privacy risk more than age itself. These factors often act separately from age. For online crime, those who were better at resisting scams often used knowledge from their jobs, life experience, or past bad experiences. Those who struggled more often had money problems or were not good with technology, though being tech-savvy did not completely protect against scams.

These findings show that we need better ways to understand all the different things that make someone's privacy vulnerable. Especially for older adults, this study supports the idea of looking for positive stories of aging to inspire new designs. Older adults are a diverse group with special traits that can lead to interesting research and design ideas for privacy tools.

What This Means for Technology and Education

The study's findings point to several areas for future work on privacy-protecting technologies. For example, older adults were motivated to share accounts for emergencies or after death, but some did not know how or felt unsure about it. There is a chance to create tools that help older adults plan for sharing digital information after they die. These tools should allow different people to talk about control and money, and ease worries about death.

Besides new tools, the study offers ideas for making existing tools better for older adults and correcting wrong ideas. When sharing devices, older adults often found it hard to safely get rid of old devices. They trusted physical ways to destroy a device more than features like a factory reset. To make factory resets more useful, digital devices could offer more specific settings based on what someone wants to do with the device (like recycling or selling), and give personalized advice (like suggesting trusted places to recycle). In online advertising, some older adults found age-based ads unfair. To fix this, platforms should let users choose topics they do not want to see ads about. While some platforms already do this for things like alcohol or politics, there is a need to design these ad filtering features with older adults to find out what topics might reinforce old stereotypes.

Finally, the study shows that older adults need help learning about privacy protection through education. Older adults suggested topics like password management, privacy settings, how useful protection services are (like antivirus software), and how to safely get rid of old devices. When making workshops on online self-defense, these topics were included, using language older adults understood (like using "hackers" broadly for bad actors, and not getting too technical with privacy vs. security). In the future, this training could be part of bigger efforts to help older adults learn digital skills, like classes on how to use smartphones or find jobs online. The study suggests that community centers and commercial services are good places to offer this training, and working with existing programs, like Apple's iPhone classes for older adults, could be helpful. The findings also suggest that older adults might learn from friends who are good with technology, rather than trying to learn everything on their own. So, a key part of training should be helping older adults learn how to find information and teach themselves, so that these educational efforts can last and reach many people.

Open Article as PDF

Footnotes and Citation

Cite

Zou, Y., Sun, K., Afnan, T., Abu-Salma, R., Brewer, R., & Schaub, F. (2024). Cross-Contextual Examination of Older Adults’ Privacy Concerns, Behaviors, and Vulnerabilities. Proceedings on Privacy Enhancing Technologies, 2024(1), 133–150. https://doi.org/10.56553/popets-2024-0009

    Highlights