The Role of Privacy Obstacles in Privacy Paradox: A System Dynamics Analysis

: People use social media to achieve particular gratiﬁcations despite expressing concerns about the related privacy risks that may lead to negative consequences. This inconsistency between privacy concerns and actual behaviour has been referred to as the privacy paradox. Although several possible explanations for this phenomenon have been provided over the years, they each consider only some of the obstacles that stand in the way of informed and rational privacy decisions, and they usually assume a static situation, thus neglecting the changes taking place over time. To overcome these limitations, this article incorporates all the key privacy obstacles into a qualitative system dynamics model and examines the conditions under which the privacy paradox emerges over time in the context of social media. The results show that the privacy obstacles prevent adequately accounting for the negative consequences by (1) reinforcing gratiﬁcations, thus inducing social media adoption and use, while (2) hampering the realisation of (all) negative consequences, thus reducing the motivation for social media discard. Moreover, gratiﬁcations kick off early and often seem to dominate even major long-term negative consequences, thereby resulting in users becoming only gradually concerned about privacy, by which time they are usually deeply engaged in the platform to consider discarding, and therefore arriving in a paradoxical situation that seems not viable to escape from (i.e., the boiling frog syndrome). Conversely, major short-term negative consequences are more likely to conﬂict with gratiﬁcations already earlier, thereby resulting in users becoming less engaged, more concerned, and therefore still able to discard the platform, thus resolving the paradoxical situation.


Introduction
Social media, such as Facebook and Instagram, are platforms that have changed how people interact and share experiences by acting as mediators between users and content [1].Users satisfy different needs by actively constructing their online identities, to which they often attach intricate details about their private life, both for personal self-expression and professional self-promotion [2].As a result, users draw the attention of other users with whom they engage in data sharing, hence achieving high gratifications and inducing further social media adoption and use.
Platforms are social infrastructures of the digital age that promote social inclusion, by offering the ability to form meaningful communities, while also presenting new privacy challenges, since they typically collect and process large amounts of personal data as a constitutive characteristic of their business models.That is, meaningful participation in society now often comes in exchange for personal data, and therefore with loss of privacy, as some kind of entrance fee [3,4].This new social reality was one of the main motivations for the General Data Protection Regulation (GDPR), which came into effect within the European Union (EU) in 2018 to give users the right to know about and object to the upcoming collection, processing, and dissemination of their data (Articles [12][13][14][15]21), the right to rectify and erase their data (Articles [16][17], and the right not to be subject to automated decision-making (Article 22) [5].However, users seem to have a limited understanding of their rights, doubt the effectiveness of their rights [6], and eventually accept that 'paying with their data' for 'free' platforms is a situation that must be learned to live with [5].
At the same time, surveys show that users express high concerns about the privacy of their data: 67% of EU citizens are concerned about not having complete control over the information they provide online, 55% are concerned about their data being collected, and 74% of US citizens are more alarmed than ever about privacy [7,8].However, these concerns are only partially reflected in the actual behaviour of users: 43% of EU citizens provide personal information online because they are required to do so, and 69% of US citizens accept certain online privacy risks due to convenience [7,8].This inconsistency between privacy concerns and actual behaviour has been referred to as the privacy paradox [9,10], which reflects this new social reality, where the benefits of social inclusion come inevitably at the cost of privacy.
Over the last couple of decades, privacy researchers have provided several possible explanations for the privacy paradox, focusing mainly on people's (in)ability to evaluate the potential benefits and costs of privacy decisions, which are affected by heuristics, cognitive biases, and social factors [11][12][13].In addition, privacy researchers have identified numerous challenges, which have been condensed into eight concrete privacy obstacles [14] (see Section 3.3), that prevent the full appraisal of a situation, causing people to not be fully aware of their data being collected, analysed, and processed [3], thus diminishing the possibilities of people making informed and rational privacy decisions.However, current privacy paradox explanations consider only subsets of the eight privacy obstacles in separation, hence the pieces of the puzzle remain scattered, and the "whole picture" is still missing from current privacy literature [12].
Methodologically, previous privacy paradox studies have used mainly two crosssectional approaches: (1) surveys, which rely on self-reported behaviour that often differs from actual behaviour, and (2) experiments, which often fail to recreate a realistic context [12].However, actual behaviour unfolds in a dynamic manner (i.e., over time) and therefore cannot be fully explained by cross-sectional approaches.
To overcome these limitations, this article incorporates existing privacy knowledge, including all eight privacy obstacles, into a qualitative system dynamics model [15] and examines the conditions under which the privacy paradox emerges over time in the context of social media.
The research questions guiding this article are: RQ1: How do the privacy obstacles affect people's privacy behaviour over time?, and RQ2: How do the privacy obstacles help understand the privacy paradox?The results show that the eight privacy obstacles prevent adequately accounting for the negative consequences of adopting and using social media by (1) reinforcing gratifications, thus inducing social media adoption and use, while (2) hampering the realisation of (all) negative consequences, thus reducing the motivation for social media discard.Moreover, gratifications kick off early and often seem to dominate even major long-term negative consequences, thereby resulting in users becoming only gradually concerned about privacy, by which time they are usually deeply engaged in the platform to consider discarding, and therefore arriving in a paradoxical situation that seems not viable to escape from (i.e., the boiling frog syndrome [16]).Conversely, major short-term negative consequences are more likely to conflict with gratifications already earlier, thereby resulting in users becoming less engaged, more concerned, and therefore still able to discard the platform, thus resolving the paradoxical situation.Finally, the contributions of this article also include demonstrating the potential of system dynamics as a tool for analysing privacy behaviour.
The rest of the article is organised as follows.Section 2 summarises the social media uses and gratifications, and Section 3 reviews literature on informational privacy, privacy paradox, and privacy obstacles.Section 4 describes the system dynamics modelling methodology, and Section 5 presents the model of the social media platform affected by the eight privacy obstacles.Section 6 analyses the model, and Section 7 discusses the prospect of addressing the privacy obstacles and therefore reducing the extent of the privacy paradox.Finally, Section 8 concludes the article.

Social Media Uses and Gratifications
One of the most commonly utilised frameworks for studying people's motivations to use different types of media, including social media, is the uses and gratifications theory, which assumes that media consumption is driven by the needs of individuals that they seek to satisfy [17].As such, people actively search for and distinguish between different types of media and content, which is intended for specific uses in order to satisfy different cognitive, affective, and social needs and to achieve particular gratifications [18,19].McQuail identifies four motivations for traditional media use: (1) entertainment, (2) integration and social interaction, (3) personal identity, and (4) information [20].Although these four motivations have been found relevant and applicable to social media too, Muntinga, Moorman, and Smit extend McQuail's set by proposing two additional motivations, which are uniquely related to social media use: (5) remuneration and ( 6) empowerment [21].
First, the entertainment motivation covers gratifications related to escaping from problems and routine, relaxing, killing time, getting cultural and aesthetic enjoyment, and seeking emotional release and sexual arousal [22][23][24][25][26].The second motivation is integration and social interaction, which covers gratifications related to the sense of belonging, the need to connect with peers and family, and the need to seek emotional support [23][24][25][26][27][28].Third, the personal identity motivation covers gratifications related to constructing an identity by communicating and projecting a desired identity in order to gain self-fulfilment [24,28,29].The fourth motivation is information, which covers gratifications related to seeking and sharing information, keeping up with or gaining knowledge about others and the world, and storing personal information as a means of backup [22,29,30].Fifth, the remuneration motivation covers gratifications related to the expectancy to receive rewards, such as vouchers, financial discounts, promotional deals, and free samples [31,32].Finally, the sixth motivation is empowerment, which covers gratifications related to voicing out discontent, fighting unfairness, providing solutions, judging inaccuracy, and encountering arguments to different views [31,[33][34][35][36].
The six social media uses and gratifications are summarised in Table 1.
Table 1.Social media uses and gratifications.Adapted with permission from ref. [17].2020 SAGE Publications.

Entertainment
The relaxation, enjoyment, and emotional relief generated by temporarily escaping from daily routines.

Integration and social interaction
The sense of belonging (e.g., connectedness), the supportive peer groups (e.g., bandwagon), and the enhanced interpersonal connections associated with media use (e.g., community building).

Personal identity
The need to shape an identity through self-expression by sharing an image of this identity through selfpresentation in order to gain self-assurance and self-recognition.

Information
The need to seek and share information, watch what others are doing (i.e., surveillance), and document personal information (i.e., lifelogging).

Remuneration
The expectancy to gain future benefits and rewards that basically stand apart from the behaviour.

Empowerment
The aim to exert influence or power on others by voicing opinions in order to enforce excellence and accuracy.
At the same time, people express concerns about the privacy risks and potential negative consequences related to social media [37].However, previous privacy studies show that motivations to use social media do not necessarily conflict with privacy concerns, and therefore the gratifications achieved from using social media result in neither negligible nor strict privacy preferences and concerns.Hence, motivations to use social media seem to be independent from rather than aligned with the need for privacy, and for this reason people will use social media regardless of being concerned about privacy or not [38].

Privacy
The privacy concept has three aspects: (1) territorial privacy, which refers to the protection of a person's physical surroundings, (2) privacy of the person, referring to the protection of a person against undue interference, and (3) informational privacy, which refers to the control of the collection, storing, processing, and dissemination of personal data [12,39,40].The focus of this article is restricted to the third aspect.

Informational Privacy
Two of the most influential privacy theories are those developed by Alan Westin [41] and Irwin Altman [42].Westin defines privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.[Moreover] . . .privacy is the voluntary and temporary withdrawal of a person from the general society through physical or psychological means" [41].Altman defines privacy simply as "the selective control of access to the self" [42].
Both privacy theories by Westin and Altman discuss privacy as a dynamic process (i.e., over time) of interpersonal boundary control or regulation that can be either successful or unsuccessful.For example, in his privacy regulation theory, Altman differentiates between actual and desired privacy levels [42,43].In this regard, privacy regulation is either successful, in case of an optimal privacy level (actual = desired level), or unsuccessful, in case of too much (actual > desired level) (e.g., crowding) or too little (actual < desired level) (e.g., social isolation) privacy.Petronio extends privacy regulation theory to develop her communication privacy management theory (CPM) by articulating "[a] most complicated set of dynamics" [44].In CPM theory, individuals form their subjective privacy boundaries, which can be either completely open or completely closed.Open boundaries reflect a willingness to disclose private information while closed boundaries a tendency to conceal and protect it.These boundaries are regulated by three rules: (1) linkage, determining who else can know, (2) permeability, determining how much others can know, and (3) ownership, determining the rights of others over what they know.These rules essentially reflect the control of individuals over their private information, and they are also dynamic as they might change over time.Failure of individuals to effectively control their private information signifies a boundary turbulence.
However, not all people share the same privacy preferences.Westin's privacy segmentation divides the public into three (empirically-and not theoretically-derived) groups: (1) privacy fundamentalists, who see privacy as paramount, (2) privacy unconcerned, who see no need for privacy, and (3) privacy pragmatists, who weigh potential personal or societal benefits of information disclosure, assess privacy risks, and then decide whether they will agree or disagree with specific information activities [45,46].While Altman's theory has a broader social interaction scope, Petronio's extension focuses on informational privacy and so does Westin's theory.Since the focus of this article is exclusively on informational privacy as well, Petronio's CPM theory acts as a key driver for the model development.

Privacy Paradox
The term 'privacy paradox' emerged from studying privacy in the context of consumer behaviour.In 2001, Brown "uncovered something of a privacy paradox" through a series of interviews with online shoppers; despite expressing high privacy concerns, consumers were still willing to give their personal details to online retailers as long as they had something to gain in return [9,12].Some of the most important explanations for the privacy paradox are based on: (1) privacy calculus, (2) incomplete information, bounded rationality, and decision biases, and (3) social influence [12,13,46].The first two explanations are centred around a cost-benefit analysis in privacy decision-making that ultimately favours benefits over costs.Explanations based on privacy calculus assume a rational assessment of privacy risks within the cost-benefit analysis, whereas explanations based on incomplete information, bounded rationality, and decision biases assume an irrational assessment of privacy risks.Finally, explanations based on social influence assume that benefits are prevalent in privacy decision-making.As a result, negligible or no assessment of privacy risks takes place, and a thorough cost-benefit analysis cannot be performed [11].

Privacy Calculus
The privacy calculus theory studies the privacy concept from an economic point of view and assumes that privacy decisions are driven by the efforts of people to maximise their benefits [47].For example, when making data sharing decisions, people evaluate the potential benefits of disclosure against the expected privacy costs and decide to share their data only when potential benefits outweigh expected costs [12,48].The benefits of data sharing can be intangible, such as inner satisfaction of belonging to a community, or tangible, such as financial discounts.On the other hand, the costs of data sharing are mainly intangible and include the privacy risks and potential negative consequences of disclosure, such as data misuse by third parties or social criticism and humiliation [13].Nevertheless, even if people decide to share their data, considering that potential benefits outweigh expected costs, they might still express concerns about their data being lost, leading to the apparent inconsistency between expressed privacy concerns (or attitude) and actual behaviour [13].

Incomplete Information, Bounded Rationality, and Decision Biases
The privacy calculus theory assumes that people are rational agents, who engage in high-effort cognitive processing when making privacy decisions, and it therefore neglects different heuristics and cognitive biases [49] that have been found to affect privacy decision-making [50,51].For example, assuming people to have perfect foresight of all potential benefits and costs when making data sharing decisions seems practically impossible.On the contrary, people are often unaware of their data being collected [52].As a result, their privacy decisions are based on incomplete information, which can lead to underor overestimation of potential benefits and costs when making these privacy decisions.Moreover, even if people have access to complete information, they might still not be able to assess it properly because of limitations in the human cognitive processing ability.This effect has been defined as bounded rationality [53].To compensate for their bounded rationality, people use different heuristics -rules of thumb-to make decisions.However, heuristics often result in imperfect decisions that suffer from cognitive biases (i.e., the resulting gaps between normative behaviour and heuristically determined behaviour) [49].Hence, the original intention or expressed attitude towards the behaviour might not be reflected in the actual behaviour [13].Some common examples of cognitive biases are the following:

•
The affect bias: People tend to judge and make decisions quickly based on their current emotions, thereby underestimating the risks of things they like and overestimating the risks of things they dislike [54].

•
The availability bias: People tend to overestimate and rely on information they can easily recall, because it might be present in the media, rather than information that is relevant [55].

•
The confirmation bias: People tend to search for, interpret, favour, and recall information in a way that confirms or supports their beliefs or values [56].
• The hyperbolic discounting/immediate gratification bias: People tend to forego more rewarding future benefits in order to obtain less rewarding immediate benefits [57].

•
The optimism bias: People tend to overestimate the likelihood of experiencing positive events and underestimate the likelihood of experiencing negative events compared to others [58].

•
The overconfidence bias: People tend to overestimate their skills and talent [59] and often their ability to control events [60].
Finally, the imperfect decisions driven by heuristics have been argued to derive from misperceptions of feedback [61,62].People fail to adequately account for the delay between their decisions and the effects of these decisions.As such, people will try to correct the unintended consequences of their decisions only when they start to realise them.Nevertheless, efforts to address previously unintended consequences might still result in further unexpected outcomes.
A privacy paradox explanation based on misperceptions of feedback is missing from current privacy literature and can be provided by the model of this article.

Social Influence
As social media are considered an integral part of modern life [3], non-participation for people who wish to maintain their social lives may simply be infeasible regardless of privacy preferences and concerns [63].As a result, most people are not autonomous in their decisions to accept or reject the use of social media, since they are significantly influenced by the opinion and behaviour of their social environment [13].In addition, while peers and family can create social pressure towards certain decisions, they can also create a social stigma for anyone who deviates from these decisions [64].Hence, the expressed attitude is apparently echoing the unbiased opinion, but it is not necessarily reflected in the actual behaviour, which is often affected by social factors [13].

Privacy Paradox in Social Media
The privacy paradox remains a controversial phenomenon, with privacy researchers providing contradictory results that either support or challenge the existence of the inconsistency between privacy concerns and actual behaviour.On one hand, studies show that concerns about data misuse by service providers or third parties may cause people to configure their privacy settings [38] and even limit information disclosure [65,66].In this case, the existence of the privacy paradox could be challenged, since privacy concerns are found to be consistent with actual behaviour.On the other hand, studies also show that certain biases, such as the tendency to connect with others who share the same characteristics and interests (i.e., similarity bias), and social factors, such as the tendency to share data in response to previous rewards (i.e., norm of reciprocity), may leverage privacy concerns and increase information disclosure [37,67].In this case, the existence of the privacy paradox could be supported, since privacy concerns are found to be inconsistent with actual behaviour.
In addition, in the context of social media, the privacy paradox has often been studied in terms of the effect of privacy concerns on potential efforts to follow a privacy protective but nevertheless active use of social media.In other words, studies have been focusing mainly on potential privacy protection strategies, such as giving false personal information [68][69][70], configuring privacy settings [71], and deleting previously shared information [72], that people may apply in order to achieve a more cautious social media activity, in case they express concerns about their privacy.As such, studies seeking to understand the possibility of privacy concerns resulting in a merely passive use of social media (e.g., viewing information shared by others without sharing any information) or even a temporary termination of social media use (e.g., account deactivation) remain scarce [73].
A privacy paradox study based on both passive and active social media use is missing from current privacy literature and can be provided by the model of this article.

Summary of Privacy Paradox Explanations
The privacy paradox explanations are summarised in Table 2.However, the privacy paradox remains a complex phenomenon that has not been fully explained yet.First, current explanations consider only separate subsets of the problems and shortcomings that stand in the way of informed and rational privacy decisions, hence remaining incomplete [12].Second, current explanations are based on studies that have used mainly cross-sectional approaches, thus neglecting the changes taking place over time.

Privacy calculus
People perform a perfectly informed and rational cost-benefit analysis and decide to share their data only when the potential benefits of disclosure outweigh the expected privacy costs.However, people might still express concerns about their data being lost, resulting in the apparent inconsistency between expressed privacy concerns (or attitude) and actual behaviour.

Incomplete information, bounded rationality, and decision biases
People compensate for limitations in information, time, and cognitive capabilities by using heuristics, which might still result in unexpected outcomes.Hence, the original intention or expressed attitude towards the behaviour might not be reflected in the actual behaviour.

Little to no risk assessment
Social influence People's expressed attitude is apparently echoing their unbiased opinion.However, people's actual behaviour is often affected by social factors.Hence, the expressed attitude is not necessarily reflected in the actual behaviour.

Privacy Obstacles
Over the years, privacy researchers have identified numerous problems and shortcomings, behind current explanations, that make informed and rational privacy decisions conceptually and practically demanding.These problems and shortcomings have been distilled into eight concrete privacy obstacles, which are also categorised into three groups based on how easy they are to be addressed with appropriate tools: (1) solvable, which seem more practical in nature and have the potential to be solved with appropriate tools, (2) challenging, which have the potential to be mitigated but exhibit aspects being likely unsolvable, and (3) insuperable, which feature social dimensions and seem unsolvable regardless of any tools made available [14].
The first solvable obstacle is Timing and Duration, which refers to the difficulty of estimating long-term costs.To make matters worse, the indefinite duration of the consent does not always give the option to revisit privacy decisions or even revoke consent at a future date.The second solvable obstacle is Non-negotiability, referring to the limited (often all-or-nothing) consent options offered by service providers.That is, either accepting the terms in full to be able to use the service or rejecting them and not use the service.The last solvable obstacle is Scale, which refers to the number of privacy decisions that individuals are supposed to make due to (1) the lengthiness and complexity of privacy policies and settings and (2) the number of different services one normally faces.
The first challenging obstacle is Aggregation, which refers to the data produced with analytic techniques from the data shared by individuals.In other words, data collecting entities aggregate openly expressed (e.g., photo sharing) and exhaust (e.g., website clickstreaming) data and analyse it to reveal new -latent-data, which individuals are often not aware of.The second challenging obstacle is Downstream Uses, referring to unexpected flows of data to third parties, again often without awareness of the individuals involved, even though individuals may have consented to such data flows.Both Aggregation and Downstream Uses are mainly due to the apparent inability of individuals to be (1) properly informed of what exactly they are consenting to and (2) aware of the negative consequences such consent may have.Therefore, individuals are not able to determine for themselves when, how, and to what extent information about them is communicated to others [41,74].
The last challenging obstacle is Cognitive Demands, which refers to the limits of human decision-making ability.
The first insuperable obstacle is Social Norm, which refers to individual decisions being regulated by mass decisions.That is, the more people conform and use online services, the harder it becomes to deviate from the norm and not participate regardless of privacy preferences and concerns.Finally, the second insuperable obstacle is Social Data, referring to individual activities leaking -incidental-data about others (often without them being aware of the leak).Therefore, privacy can be affected by the choices of others, and the outcomes of data sharing decisions are not only private.
The eight privacy obstacles are summarised in Table 3.

Timing and Duration
Estimating costs is difficult due to timing of decisions and the typically unlimited duration of the consent.

Non-negotiability
The terms are not negotiable enough.

Scale
The cost-benefit analysis does not scale well to a large number of separate privacy decisions.

Aggregation
Data is aggregated and analysed to produce new data, leading to implicit disclosure of latent data.

Downstream Uses
Data flows to parties and purposes not foreseen at the time of consenting.

Cognitive Demands
The cognitive limitations of all human decision-making hamper cost-benefit analysis.

Insuperable
Social Norm Pressure to conform can strongly affect the decisions people make.

Social Data
Privacy decisions are framed as individual choices, but the data and the decisions can also affect others.

Relation of Privacy Paradox Explanations to Privacy Obstacles
The relation of privacy paradox explanations to the eight privacy obstacles is summarised in Table 4. First, the privacy calculus theory assumes that people make perfectly informed and rational privacy decisions, and it therefore neglects different conditions, such as incomplete information and bounded rationality, that affect privacy decision-making.The eight privacy obstacles essentially reveal the futility behind this assumption.
Second, incomplete information might result in inability to evaluate the potential benefits and costs of privacy decisions.The obstacles of Social Data, Aggregation, and Downstream Uses refer to the data sharing and processing practices that aggravate incomplete information.Similarly, bounded rationality might result in inability to make objectively right and unbiased decisions.The obstacles of Timing and Duration and Cognitive Demands refer to the limitations in both time and cognitive processing ability that aggravate bounded rationality.Furthermore, even if complete information and unbounded rationality were possible, they might still not suffice to prevent imperfect privacy decisions.The obstacles of Non-negotiability and Scale refer to the limitations in privacy control that aggravate boundary regulation efforts.
Finally, previous privacy paradox studies have used different terms, such as social theory [12] and social influence [13], to describe the social pressure that affects privacy decision-making.The obstacle of Social Norm refers to the same effect.

Privacy calculus
The eight privacy obstacles reveal the futility of assuming a perfectly informed and rational cost-benefit analysis in privacy decision-making.

Irrational risk assessment
Incomplete information, bounded rationality, and decision biases Social Data, Aggregation, and Downstream Uses relate to issues that prevent access to complete privacy information.
Timing and Duration and Cognitive Demands relate to issues that prevent objectively right and unbiased privacy decision-making.
Non-negotiability and Scale relate to issues that prevent real choice within boundary regulation.

Little to no risk assessment
Social influence Social Norm refers to the social pressure that affects privacy decision-making as described by social influence.

System Dynamics Modelling
System dynamics is a methodology to understand how feedback loops, accumulations, and time delays between different factors affect the behaviour of complex systems over time [15].System dynamics models can include both social and technical elements and are therefore a potent tool for studying complex sociotechnical systems, such as social media.
In system dynamics, stock-flow diagrams consist of variables, shown as named nodes, related by causal links, shown as arrows.Stocks are shown as rectangles and represent accumulations of either matter or information.Flows are shown as pipes and valves and regulate the rate of change of the stocks.Finally, intermediate variables between stocks and flows indicate auxiliaries, which essentially clarify the sequence of events that cause the flows to change the stocks.
The direction of a causal link indicates the direction of causation for a pair of variables: an independent variable (i.e., a cause) at the tail of the causal link and a dependent variable (i.e., an effect) at the head of the causal link.All causal links indicate that the dependent variable changes in the same direction as the independent variable unless they are labelled with a minus sign (−), in which case the dependent variable changes in the opposite direction.In addition, delay is the process by which an effect lags behind its cause in time, and it is shown by a causal link that is broken by parallel lines.
Finally, feedback is the process whereby an initial cause is changed on the basis of its effect, thereby forming a loop.Variables constituting feedback loops are at the same time both causes and effects.Feedback loops are either reinforcing (R), which amplify change, or balancing (B), which counteract and oppose change.
System dynamics has been used in studies from many different contexts, such as construction projects [75], product development [76,77], and safety critical organizations [78], but also for fields related to the topic of this article, including the attitude-behaviour gap [79] and the platform value creation process [80].A common theme emerging from these studies is the trade-offs between the more gratifying future benefits of long-term goals and the less gratifying immediate benefits of short-term goals.Another theme is the means by which feedback loops and time delays hamper the best course of action [81] and therefore often result in imperfect decisions.For this reason, modelling tools, such as system dynamics, are useful in examining the unintended consequences of decisions.
In system dynamics, the modelling process involves five steps: (1) problem articulation, defining reference modes that illustrate the problem as a pattern of behaviour over time, (2) formulation of a dynamic hypothesis, aiming to explain the problematic behaviour shown in the reference modes in terms of the underlying feedback and stock-flow structure of the system, (3) model development, specifying the structure of the system, (4) model testing and validation, ensuring the validity of the model, and (5) policy design, recommending strategies and structures for addressing the problem [15].The application of these steps is described in the following sections.

Dynamic Model of Interdependencies between Privacy Obstacles and Social Media Adoption and Use
The modelling process begins with the problem articulation.The adoption of platforms is typically expected to follow an S-shaped growth pattern: initially, the number of users grows slowly in a positive acceleration phase; subsequently, the number of users grows exponentially; finally, the growth in users becomes slow again, but this time in a negative acceleration phase, until it ultimately stabilises [82].For this reason, the privacy paradox in the context of social media is illustrated in this article using two reference modes: (1) an S-shaped growth of highly concerned users, who remain passive in the platform without sharing their data, illustrates a situation in which privacy concerns are consistent with actual behaviour, thus at least partially resolving the privacy paradox, and (2) an S-shaped growth of highly concerned users, who create platform content by actively sharing their data, illustrates a situation in which privacy concerns are inconsistent with actual behaviour, thus reflecting the privacy paradox.Using these two modes of dynamic behaviour, the purpose of the model is to explain how the decisions of people regarding adoption and use of social media are affected by the eight privacy obstacles (Figure 1).The second step in the modelling process is the formulation of a dynamic hypothesis.The Bass model of innovation diffusion, which describes the adoption of new products or services (over time) through advertising and word-of-mouth [83], is a widely used and well-established model in platform literature that can produce S-shaped growth patterns [46,80,82].For this reason, the dynamic hypothesis guiding the model development is that by extending the feedback structure of the Bass model of innovation diffusion to include the eight privacy obstacles, it is possible to produce the two modes of dynamic behaviour.Here, in addition to platform adoption, the model also considers platform use, and current users are disaggregated into passive and active users.Passive users are the platform's lurkers, who remain in the platform without engaging in data sharing.However, they do provide some basic amount of data required for opening their account, and they may also reveal part of their interests and habits by viewing the platform's content.Conversely, active users are the platform's content creators, who generate information by sharing their data.

Feedback Loops
The third step in the modelling process is the model development.The model consists of six reinforcing (R) and nine balancing (B) feedback loops.
Platform adoption (B1-3): The first feedback loops of the model relate to platform adoption.When the platform is launched, the initial number of users is zero, so the only source of adoption are external influences, such as advertising (B1: "Market Saturation").When the first users enter the platform, the adoption rate increases through word-of-mouth (B2: "Market Saturation").The advertising and word-of-mouth effects are largest at the start of the platform diffusion process and steadily diminish as the stock of potential users is depleted (B1-2: "Market Saturation").Finally, passive users may decide to discard the platform and re-enter the stock of potential users (since they may be persuaded to adopt again in the future).In this case, the discard rate depends on the number of passive users, the net value of benefits minus costs they receive from the platform, and the social pressure towards platform adoption (B3: "Discard").
Platform engagement (R1, B4-6): The feedback loops related to platform engagement are similar to these of platform adoption.In the beginning, the initial number of active users is zero, which implies zero user interactions.As a result, platform activity emerges from the incentives used by the platform to encourage the creation of content (B4: "Engage").Incentives can be implicit, such as emotional rewards of belonging to a community, or explicit, such as monetary rewards.When the first users become active in the platform, the engagement rate increases through word-of-mouth (R1: "Word of Mouth").The incentives and word-of-mouth effects are largest at the start of the engagement process and steadily diminish as the stock of passive users is depleted (B4-5: "Engage").Finally, active users may decide to stop engaging in data sharing and become passive.In this case, the disengagement rate depends on the number of active users, the net value of benefits minus costs they receive from the platform, and the social pressure towards platform engagement (B6: "Disengage").
Network effect and Social Norm (R2-5): Network effect and Social Norm are each represented by two reinforcing feedback loops.As the number of users grows, platform value (i.e., the difference of benefits and costs) increases, thus inducing further platform adoption (R2: "Network Effect") and use (R3: "Network Effect") [84].At the same time, the social pressure towards platform adoption and use becomes stronger and consequently harder to deviate from.As a result, more potential users conform and adopt the platform (R4: "Social Norm"), and more passive users conform and become active in the platform (R5: "Social Norm") [3,85].
Data network effect (R6): The feedback loop related to data network effect is similar to these of network effect.As the amount of data increases, platform value increases, thus inducing further platform adoption and use (R6: "Data Network Effect").The operation of data sharing platforms, such as social media, describes a process that takes accumulated data as an input and produces value as an output.In other words, the data shared by users accumulates to the platform, and it enables users to interact in a valuable manner [86], which becomes one of the core motivations to adopt and use the platform and also the chief denominator to measure changes in value across the platform [87].
Boundary regulation (B7): Boundary regulation [44] is represented by one balancing feedback loop.The more knowledgeable users become about privacy, the platform's data processing practices, and potential privacy protection strategies, the better users become able to control whether and how their data can be aggregated and analysed (Aggregation) or shared with third parties (Downstream Uses) (B7: "Boundary Regulation").
Boundary turbulence (B8-9): The final feedback loops of the model relate to boundary turbulence [44].Inadequate privacy control options offered by the platform result in failure or inability of users to control their data and therefore higher privacy concerns.The higher the concerns, the less the value that users receive from the platform (B8: "Boundary Turbulence") and the less the social pressure that users create towards platform adoption and use (B9: "Boundary Turbulence").

Effect of Privacy Obstacles on Feedback Loops
This section summarises the effect of each privacy obstacle on the feedback loops, and it therefore addresses RQ1: How do the privacy obstacles affect people's privacy behaviour over time?
Social Data: The data shared by users accumulates to the platform, and it may contain information not only about themselves but also directly reveal information about others.Social Data may be shared intentionally, such as sharing photos of other people for celebratory or social criticism and humiliation purposes, or unintentionally, such as sharing photos of public places that include other people in the background.On one hand, perfect awareness of Social Data seems practically impossible, since it might be shared in non-transparent manners (e.g., private messaging or closed user groups) or by unfamiliar individuals.On the other hand, Social Data is shared by and for users, and it enables users to engage in valuable interactions.Hence, the obstacle of Social Data refers to the users' data sharing practices that aggravate incomplete information, but it also increases platform value, thus inducing further platform adoption and use.
Aggregation and Downstream Uses: Data erosion indicates the value of old data that gradually decreases.However, as long as the accumulated data remains accurate and timely, the platform is likely to keep processing it further.First, the platform analyses the data shared by users with the purpose to reveal additional information about them (Aggregation) [88].Second, data shared by users often reaches third parties outside the platform, and conversely data shared on other platforms often reaches the current platform, thus providing more data for the service to analyse (Downstream Uses) [88].On one hand, perfect awareness of Aggregation and Downstream Uses seems practically impossible, since most platforms are typically intentionally vague about them.On the other hand, over the last decade, numerous practices of Aggregation and Downstream Uses by some market leading platforms have been brought to the fore [89][90][91][92].In addition, light on complex privacy policies has been shed, and the switching to privacy respecting platforms has been encouraged [93].Hence, the obstacles of Aggregation and Downstream Uses refer to the platform's data processing practices that aggravate incomplete information, but they also determine Online Privacy Literacy, since the existence and negative consequences of such practices have been repeatedly communicated even without relevant intricate details.
Online Privacy Literacy: Privacy information from both informal (e.g., media, activists, peer groups) and formal (e.g., training programs) sources [94] promotes the understanding of potential negative consequences related to platform participation and data sharing, and it therefore contributes to fostering online privacy literacy, which "encompasses an informed concern for privacy and effective strategies to protect it" [95].Trepte et al. elaborate that "online privacy literacy may be defined as a combination of factual or declarative ('knowing that') and procedural ('knowing how') knowledge about online privacy.In terms of declarative knowledge, online privacy literacy refers to the users' knowledge about technical aspects of online data protection, and about laws and directives as well as institutional practices.In terms of procedural knowledge, online privacy literacy refers to the users' ability to apply strategies for individual privacy regulation and data protection" [96].Hence, as users become more literate about privacy, the platform's data processing practices, and potential privacy protection strategies, they become more able to control their data Aggregation and Downstream Uses.In addition, higher numbers of users (i.e., platforms with larger installed user bases) are more likely to entail higher privacy risks and therefore increase the efforts to foster online privacy literacy.
Boundedly rational adoption and use of social media: The behaviour of potential and current users depends on the subjective and biased assessment of information that is available to them at a given point in time.In other words, potential and current users are not able to have perfect foresight of how negative consequences will develop, and they do not necessarily learn about, understand, and react to negative consequences.As a result, they make their decisions regarding platform adoption, discard, engagement, and disengagement based on their perception of platform value and social pressure to them, depending on their concerns about negative consequences that are apparent to them at the time (i.e., negative consequences of the past).
Timing and Duration: Even if insignificant short-term negative consequences related to platform participation and data sharing are apparent, it can take time for privacy risks to materialise into more significant negative consequences.In this case, users may concentrate on negative consequences that are less significant and present, thereby underestimating and caring less about these that are more significant but also more distant in time (i.e., temporal discounting) [97].As a result, users may decide (relying on heuristics [50,51]) that the immediate benefits of disclosure outweigh apparent and insignificant short-term negative consequences [52], hence becoming only gradually concerned about privacy as more significant negative consequences develop and start to be realised over time.The higher the concerns, the less the value that users receive from the platform and the less the social pressure that users create towards platform adoption and use.Hence, the obstacle of Timing and Duration, represented by a delay in the causal link between Aggregation and Downstream Uses and Online Privacy Literacy, refers to privacy concerns that are based on present rather than future negative consequences, and it therefore aggravates boundedly rational decisions regarding platform adoption, discard, engagement, and disengagement.
Cognitive Demands: Even if privacy information is made readily available, online privacy literacy is a cognitive process [96].That is, users may be reluctant to become literate [48,50] and consciously choose to ignore a certain piece of information, in case the costs of learning are disproportionate to the potential benefits of disclosure (i.e., rational ignorance theory) [98].For example, users may consider that the costs (e.g., loss of time or cognitive effort) of learning about potential negative consequences by reading complex privacy policies in their entirety outweighs potential negative consequences per se.As a result, users may decide (relying on heuristics [50,51]) that the benefits of adopting and using social media outweigh the costs of learning [52].Moreover, even if users are not reluctant to become literate, they might still not be able to make proper sense of the negative consequences they learn about [48].Here, the model assumption is that becoming more literate about potential negative consequences increases awareness of privacy risks, thereby leading to a heightened sense of vulnerability and higher privacy concerns [96,[99][100][101].The higher the concerns, the less the value that users receive from the platform and the less the social pressure that users create towards platform adoption and use.Hence, the obstacle of Cognitive Demands, represented by the italicised Privacy Concerns, Platform Value, and Social Pressure, refers to privacy concerns that are based on subjective and biased assessment of negative consequences, and it therefore aggravates boundedly rational decisions regarding platform adoption, discard, engagement, and disengagement.
Non-negotiability and Scale: Even if users become literate, they might still not be able to utilise their knowledge and control their data due to inadequate privacy control options offered by the platform.First, the platform might not negotiate the processing of data (Nonnegotiability) [74].Second, the platform's privacy policy and settings could be lengthy and complex (Scale) [48].The less negotiable the terms of service and the more lengthy and complex the privacy policies and settings, the less cognitive effort per option users can invest in controlling their data.Hence, the obstacles of Non-negotiability and Scale refer to the limitations in privacy control that aggravate boundary regulation efforts.Privacy Control determines both Online Privacy Literacy, since privacy protection strategies are developed based on available options, and Privacy Concerns, since users' perception that potential processing of their data is conducted fairly (i.e., procedural fairness) [47], and that there will be no significant negative consequences related to platform participation and data sharing, depends also on available options.Here, the model assumptions are that (1) becoming more literate about and having to choose from inadequate privacy control options reduces response efficacy (i.e., users' belief that available options are effective in privacy protection), thereby exacerbating the sense of vulnerability and privacy concerns [102,103], and (2) becoming more literate about and having to choose from adequate privacy control options increases self-efficacy (i.e., users' belief in their own ability to protect their privacy), thereby leading to a heightened sense of safety and lower privacy concerns [101,104].As such, the model takes also into consideration the possibility of a control paradox, by which users are more likely to disclose even more private information if they (believe that they) are able to effectively control their information [102].
Boundedly rational boundary regulation: Both privacy theories by Westin [41] and Altman [42] discuss access control or regulation to the self.In addition, CPM theory implies that controlling personal data should be possible [44].Thus, data analysis (Aggregation) and data flows to third parties (Downstream Uses) are affected by the privacy control options offered by the platform.However, even if adequate options are made readily available, boundary regulation is a cognitive process.That is, users may concentrate their time and entire cognitive, affective, and physical resources (i.e., cognitive absorption) [105,106] on obtaining concrete and immediate benefits from adopting and using social media and therefore care less about controlling their data Aggregation and Downstream Uses [48], hence being more likely to disclose even more private information [107] (i.e., another control paradox possibility [102]).As such, boundary regulation efforts are assumed to be boundedly rational.Failure or inability of users, resulting from inadequate available options (Non-negotiability and Scale) or bounded rationality (Timing and Duration and Cognitive Demands), to control (1) whether the platform and third parties can access their data (linkage), ( 2) the amount of their data to which the platform and third parties can have access (permeability), and (3) the extent of their data Aggregation and Downstream Uses (ownership) indicates what Petronio refers to as boundary turbulence (B8, B9: "Boundary Turbulence") [44].
The causal dependencies of the eight privacy obstacles are summarised in Table 5.The obstacles can be categorised into three groups based on their effect on informed and rational privacy decision-making in the context of social media: (1) incomplete information, which prevent perfectly informed evaluation of potential benefits and costs, (2) bounded rationality, which prevent perfectly rational assessment of potential benefits and costs, and (3) real choice limitations, which prevent perfectly thorough analysis of potential benefits and costs.

Model Testing and Validation
The fourth step in the modelling process is the model testing and validation.To ensure the validity of the model, with respect to the purpose of the model presented in Section 5, the model structures have been formulated based on current platform and privacy literature.The model includes a social media platform that is modelled endogenously, meaning that the dynamics of the variables constituting the feedback structure of the platform are generated by the interactions among these variables themselves.The core feedback structure of the platform has been formulated by extending the Bass model of innovation diffusion [83] and the platform adoption model of Ruutu et al. [80].

Social Data
The data shared by users may directly reveal information about others.
Social Data is affected by Data Sharing and affects Aggregation, Downstream Uses, and Platform Value.

Aggregation
The platform analyses the data shared by users with the purpose to reveal additional information about them.
Aggregation and Downstream Uses are affected by Social Data, Privacy Concerns, and Privacy Control.In addition, they affect and are also affected by Online Privacy Literacy.Downstream Uses Data shared by users often reaches third parties outside the platform, and conversely data shared on other platforms often reaches the current platform.

Timing and Duration
Privacy concerns gradually rise as more significant negative consequences develop and start to be realised over time.

Social Norm
As the number of users grows, more potential users conform, adopt, and use the platform.
Social Norm affects Adoption, Discard, Engagement, and Disengagement Fraction.

Non-negotiability
The platform might not negotiate the processing of data.
Non-negotiability and Scale affect Privacy Control.

Scale
The platform's privacy policy and settings could be lengthy and complex.
In addition, the model assumptions behind the interdependencies between the eight privacy obstacles and the social media platform are based on current privacy literature.Social Data, Aggregation and Downstream Uses, Online Privacy Literacy, and Privacy Concerns are variables that are determined by the actors represented in the model, particularly potential and current users, and are modelled endogenously.By contrast, Non-negotiability, Scale, and Privacy Control are modelled as exogenous variables.
Disaggregating current users into passive and active users allows for identifying the fraction of current users whose privacy concerns are consistent with actual behaviour towards social media use.For example, potential users may adopt the platform, but platform adoption is not necessarily an indication of platform activity and data sharing, since highly concerned users may eventually follow a merely lurking approach to using the platform or even take a break from the platform.In this case, the existence of the privacy paradox can be challenged, as discussed in Section 2, even if the platform exhibits high numbers of current users.In other words, high privacy concerns resulting in high numbers of passive users can challenge the existence of the privacy paradox, since privacy concerns are consistent with the decision to lurk and not engage in data sharing.Conversely, high numbers of active users regardless of high privacy concerns can support the existence of the privacy paradox, since privacy concerns are inconsistent with the decision to create content by engaging in data sharing.

Analysis
This section addresses RQ2: How do the privacy obstacles help understand the privacy paradox?People adopt and use social media in order to satisfy different needs and to achieve particular gratifications, ideally without negative consequences, such as loss of privacy.However, people also encounter problems and shortcomings (i.e., privacy obstacles), which exist within both social media and the society at large, and which entail privacy risks that may lead to negative consequences.Platform value indicates the net value resulting from the benefits (i.e., gratifications) minus the costs (i.e., negative consequences) that people receive when using social media.
When the first users become active in the platform, gratifications (R2-3, R6) kick off and (rapidly) increase, thereby dominating negative consequences (B8-9), which typically (initially) come across as minor (Figure 2).The model illustrates that platform value is determined by three effects, two positive and one negative.The gratifications achieved by social media adoption and use are represented by the two positive effects on platform value.The first positive effect implies that higher numbers of users tend to generate higher gratifications by satisfying needs like connecting with peers and family, thus increasing platform value (R2-3) and inducing further platform adoption (B1-2) and use (B4-5, R1).Similarly, the second positive effect implies that larger amounts of shared data tend to generate higher gratifications by satisfying needs like seeking and sharing information, thus increasing platform value (R6) and inducing again more potential users to adopt (B1-2) and use (B4-5, R1) the platform.The two positive effects on platform value are reinforced by social pressure.While generating higher gratifications, higher numbers of users tend to also generate stronger normative platform participation and data sharing behaviour, thus increasing social pressure (R4-5) and influencing more potential users to conform and be connected with the admired peer groups (rather than deviate and be sanctioned with attention deprivation and peer group exclusion).As such, the adoption and use of social media is often driven by the need to steer clear of social stigmas and to achieve a sense of safety, which may be considered an additional benefit along with gratifications.Hence, the obstacle of Social Norm (R4-5) reinforces gratifications (R2-3, R6), thus inducing further platform adoption (B1-2) and use (B4-5, R1).
By contrast, the negative consequences of social media adoption and use are represented by the negative effect on platform value.While generating higher gratifications, larger amounts of shared data tend to also generate larger negative consequences, such as (1) leaking larger amounts of information (Social Data), (2) deducing larger amounts of implicit information (Aggregation), and (3) moving larger amounts of information to new parties (Downstream Uses).However, not all negative consequences are (immediately) apparent, and even as some could become apparent in the short term (Timing and Duration), they typically (initially) come across as minor and are therefore either ignored (often due to an illusory sense of disproportionately high gratifications) or underestimated (often due to an illusory sense of adequate privacy control options [102]) (Cognitive Demands).As such, privacy concerns (initially) remain low, while gratifications (rapidly) increase and negative consequences continue to (slowly) develop.Hence, the privacy obstacles hamper the realisation of (all) negative consequences (B8-9), thus reducing the motivation for platform discard (B3) and disengagement (B6).
In the early phase of platform adoption and use, gratifications (R2-3, R6) have already grown too high, thereby dominating even major negative consequences (B8-9) that become apparent over time.Data sharing determines at the same time, but crucially at different rates, both social media gratifications and negative consequences.Following the early phase of platform adoption and use, privacy concerns gradually rise as the apparent negative consequences become more significant (Timing and Duration), hence coming into larger conflict with earlier generated gratifications and also reversing the belief that fixed terms (Non-negotiability) and complex privacy policies (Scale) are effective in privacy protection.However, even major negative consequences (B8-9) can be neglected often due to intense concentration (Cognitive Demands) on gratifications (R2-3, R6), which are also reinforced by social pressure (R4-5).
As high gratifications continue to be prioritised over major negative consequences, the feedback loops related to network effect (R2-3), data network effect (R6), and Social Norm (R4-5) continue to dominate the feedback loops related to boundary turbulence (B8-9).For this reason, although the feedback loops related to discard (B3) and disengagement (B6) become stronger, they continue to be dominated by the feedback loops related to adoption (B1-2) and engagement (B4-5, R1).
The privacy paradox emerges if users choose to start or continue using the platform when platform value decreases (i.e., when negative consequences come into larger conflict with gratifications).However, the exact threshold value depends also on the sensitivity of users to privacy concerns (i.e., it depends on which of e.g., Westin's segments the users belong to), as this sensitivity determines the gratifications that users are willing to forego in order to achieve their desired privacy level.Users are less likely to enter into a situation that demonstrates a clear paradox.Rather, the privacy paradox can emerge as negative consequences become apparent over time (i.e., users need to be aware of the negative consequences for the paradox to exist).Hence, paradoxical situations in social media can often be explained by the inability of users to adequately account for the negative consequences in the beginning.As such, by the time negative consequences become apparent, and therefore the paradox emerges, gratifications and social pressure have grown too high for users to discard the platform (i.e., the boiling frog syndrome [16]).One potential real-life example resembling this case could be the Facebook-Cambridge Analytica scandal [108], which caused only a temporary decline in Facebook's daily and monthly EU active users [109,110].At the same time, the monthly active users of WhatsApp and Instagram, which are owned by Facebook, have been steadily increasing [111,112].
Conversely, major short-term negative consequences (B8-9) are more likely to dominate gratifications (R2-3, R6) (Figure 4).In the early phase of platform adoption and use, when gratifications are low to be intensely concentrated on, any publication of massive (1) leaks of information (Social Data), (2) deductions of implicit information (Aggregation), and (3) movements of information to new parties (Downstream Uses) is less likely to be ignored or underestimated (Cognitive Demands).As such, negative consequences are prioritised, privacy concerns rise, and gratifications remain low.As major short-term negative consequences become disproportionate to low gratifications and inadequate privacy control options, the feedback loops related to boundary turbulence (B8-9) dominate the feedback loops related to network effect (R2-3), data network effect (R6), and Social Norm (R4-5).For this reason, the feedback loops related to discard (B3) and disengagement (B6) ultimately dominate the feedback loops related to adoption (B1-2) and engagement (B4-5, R1) (Figure 5).
Users are more likely to eventually discard the platform when they start to realise the negative consequences in the beginning, thus resolving the privacy paradox.One potential real-life example resembling this case could be Google Buzz, which was introduced in 2010 with the aim to rival Facebook.However, shortly after being launched, Google Buzz faced serious legal issues due to poor privacy practices [113].As a result, it was discontinued and superseded by Google+, which was also terminated in 2019 mainly due to low user engagement [114].
Theoretically, the opposite development (i.e., a clear paradox being dissolved over time) is less likely to emerge in real life, as this would require that data Aggregation and Downstream Uses are either reduced by the platform, to which such practices are immensely valuable to consider reducing, or controlled by users, to whom the privacy control options offered by the platform are typically inadequate.
Hence, the boiling frog explanation, by which the privacy paradox emerges only after users have already started using the platform, is a key finding of this article that cannot be provided using only conventional cross-sectional approaches, thus requiring a process theory, such as system dynamics, that also takes into account the time element.

Discussion
The modelling process ends with the policy design.The boiling frog explanation highlights that users can arrive in a privacy paradox due to their limited ability to adequately account for the negative consequences of adopting and using social media.However, by addressing the privacy obstacles with appropriate tools, it may be possible to improve costbenefit analysis in social media and therefore also reduce the extent of the privacy paradox.

Towards Informed Cost-Benefit Analysis
First, by addressing the obstacles of Social Data, Aggregation, and Downstream Uses, it may be possible to improve misinformed cost-benefit analysis in social media.However, Social Data makes privacy dependent on the decisions of others.Privacy preferences among users can be contradictory, and therefore data sharing gratifications may, from an individual perspective, outweigh the negative consequences imposed on others.Hence, Social Data seems an inherently unsolvable obstacle regardless of any tools made available.
On the other hand, although Aggregation and Downstream Uses may also seem likely impossible to be fully addressed, they might still be mitigated by increasing awareness [96] and providing transparency [115], respectively.First, becoming literate about potential negative consequences ex ante, before data is shared, could increase awareness of privacy risks, such as the production of latent data (Aggregation), which is possible only ex post, after data is shared.Increasing awareness of privacy risks could result in a better-informed concern for privacy and therefore a well-informed evaluation of negative consequences.However, due to the fact that negative consequences are moving targets, the evaluation of negative consequences cannot always be highly accurate.Nevertheless, even a coarse evaluation based on valid available information is likely to be more accurate compared to using heuristics [96].Second, as long as Downstream Uses refer to the data flows that are consented to by users, thus excluding cases of e.g., surveillance and data leaks, they could still be traced and eventually visualised.As such, abstract and complex data flows, which may seem ambiguous and confusing, could be translated into comprehensible graphical representations, from which useful insights could be pulled more efficiently (i.e., sensemaking).However, the data industry includes structural constraints, such as opaque business practices and analytical layers, which separate data sources from data uses and therefore limit the transparency of data flows [115].
Hence, a perfectly informed cost-benefit analysis in social media seems practically impossible mainly because of the inability to foresee incidental data leaks (Social Data).However, highlighting the privacy risks of latent data (Aggregation) and visualising the flows of data to new parties (Downstream Uses) could provide useful information related to the costs of adopting and using social media.The more knowledgeable users become about data Aggregation and Downstream Uses, the better users become able to evaluate and reduce the negative consequences of such practices.As a result, the extent of the privacy paradox could also be reduced.

Towards Rational Cost-Benefit Analysis
Second, by addressing the obstacles of Timing and Duration and Cognitive Demands, it may be possible to improve irrational cost-benefit analysis in social media.On one hand, Timing and Duration might be mitigated by enabling unambiguous, informed, and revocable consent.Highlighting potential negative consequences ex ante, before consent is given, could increase awareness of privacy risks, such as the production of latent data (Aggregation) and the flows of data to new parties (Downstream Uses), which are possible only ex post, after consent is given, thereby reducing the timing issue.In addition, nudges to revisit privacy decisions and prompts to revoke consent could mitigate privacy risks that have not been taken into account, thereby reducing the duration issue.Nevertheless, nudges and prompts could also likely be just another forced click of an 'agree' button without much thought [74].
On the other hand, Cognitive Demands might be mitigated by making privacy decisions less demanding.On-time provision of relevant privacy information in a comprehensible format could reduce the time or cognitive effort required to become literate.However, converting now-opaque negative consequences into transparent ones could ultimately make each decision even more complex.In this case, one potential solution could be to change the nature of privacy decisions.That is, instead of considering each decision separately, several related decisions (e.g., consents for similar services) could be gathered under one well-considered decision.
Hence, a perfectly rational cost-benefit analysis in social media seems practically impossible mainly because of limitations in both time (Timing and Duration) and cognitive processing ability (Cognitive Demands).However, timely presentation of the upcoming collection, processing, and dissemination of data in the consent process (Timing and Duration) could promote a well-reasoned assessment of privacy risks.In addition, reversing privacy decisions (Timing and Duration), by re-evaluating, updating, and revoking consent, could mitigate irrational, negligible, or no assessment of privacy risks.Finally, simplifying privacy decisions (Cognitive Demands) could reduce the cognitive effort in the assessment of privacy risks.By enabling unambiguous, informed, and revocable consent when making privacy decisions, in addition to simplifying privacy decisions, it may be possible to improve misperceptions of information.As a result, the extent of the privacy paradox could also be reduced.

Towards Thorough Cost-Benefit Analysis
Finally, by addressing the obstacles of Social Norm, Non-negotiability, and Scale, it may be possible to improve incomplete cost-benefit analysis in social media.However, Social Norm makes analysis of potential benefits and costs to be driven by the need to achieve conformity with the admired peer groups [116].As such, people may neglect privacy concerns in order to reap the benefits of belonging to a community, since the costs (e.g., social stigmas) of being excluded from the community are undesirable [11].In addition, people may engage in data sharing because this is an implicit rule of belonging to a community [117].In this case, although the potential costs of data sharing may have been abstractly analysed, the concrete and immediate benefits of belonging to a community outweigh the abstract and long-term costs of data sharing [12].Hence, Social Norm seems an inherently unsolvable obstacle regardless of any tools made available.
On the other hand, there seems to be no fundamental hurdle for (1) increasing the limited negotiating power over the terms of service (Non-negotiability) and ( 2) reducing the cognitive effort per option in configuring privacy settings (Scale).First, as long as Non-negotiability refers to the limited bargaining power of each user against social media, collective action from users could be taken in order to leverage the dependence of social media on users as data sources.Establishing some kind of a coordinating entity between users and social media could at least affect the power balance of the situation, and it could ideally give users the ability to utilise their knowledge and choose whether or not to consent to the terms under which their data can be collected and processed.As such, the belief that loss of privacy in social media is a situation that must be accepted and learned to live with (i.e., learned helplessness) [118], which often leads to a state of resignation about boundary regulation [73], could also be reversed.However, it seems safe to assume that the coordinating entity could also leverage its position for its own benefit, which may or may not align with the interests of users.Second, although Scale may seem an overwhelming task, it could be argued that it is not a problem of principle, but it is largely due to the means of implementing boundary regulation in practice.Clarifying privacy policies and simplifying privacy settings could eventually make cost-benefit analysis more manageable.Simplification of privacy settings could be achieved by simplifying each setting individually, gathering several low-level settings under one higher-level setting, or addressing several similar services at once.As such, feelings of exhaustion, resignation, and even cynicism towards privacy (i.e., privacy fatigue) [119], which are caused when the lengthiness and complexity of privacy policies and settings exceed the abilities and limits of a person [73], could also be reduced.Using automation and aides for highlighting important information within privacy policies and for recommending privacy settings configuration based on privacy preferences could work in this manner.However, practical questions remain about whether or not it is possible to achieve an extent of clarity and simplification that will satisfy expectations of users while complying with privacy regulation requirements [120,121].
Hence, a perfectly thorough cost-benefit analysis in social media seems practically impossible mainly because of individual decisions being regulated by mass decisions (Social Norm).However, having a say over the terms of service (Non-negotiability) could give the ability to play the cost-benefit analysis cards right (even if the costs have been abstractly analysed) in controlling whether and how personal data can be aggregated and analysed (Aggregation) or shared with third parties (Downstream Uses).In addition, clarifying privacy policies and simplifying privacy settings (Scale) could reduce the cognitive effort per option in controlling personal data.By outsourcing negotiations and applying privacy preferences with minimal human intervention, it may be possible to reduce the gap between actually achieved and desired privacy levels.As a result, the extent of the privacy paradox could also be reduced.

Studying Privacy with System Dynamics
Methodologically, the article demonstrates the potential of system dynamics as a tool for analysing privacy behaviour.The added value of using system dynamics for this analysis is that it allowed for building on existing privacy knowledge in order to (1) formulate the feedback loops related to Social Norm (R4-5), boundary regulation (B7), and boundary turbulence (B8-9) and (2) identify the effect of the eight privacy obstacles on these loops.A privacy paradox explanation based on feedback loops in general, and specifically on the feedback loops that drive the decisions of people regarding adoption and use of social media, is missing from current privacy literature.Explanations that consider feedback loops are important, as humans typically misperceive the effects of feedbacks and delays in complex sociotechnical systems, such as social media.Hence, the original intention or expressed attitude (i.e., goals and wishes) towards the behaviour might not be reflected in the actual behaviour [61,62].
In addition, system dynamics allowed for examining the privacy paradox in a dynamic manner.In other words, the effect of the eight privacy obstacles on the feedback loops of the model does not remain static but rather changes over time.For this reason, the privacy paradox may either not emerge or emerge but vary in extent, thereby being more or less severe, at different points in time.

Directions for Future Research
In this article, a qualitative system dynamics model is used to illustrate multiple feedback loops that need to be considered for understanding the privacy paradox in the context of social media.The article's novel methodological approach to the privacy paradox opens up several fruitful avenues for future research.
First, a natural next step would be to develop the qualitative model into a fully fledged simulation model.While a qualitative model is useful in its own right for understanding causal dependencies, a quantitative simulation model would be useful in illustrating in more detail the complex behaviour over time that can result from the interaction of multiple feedback loops and time delays related to the adoption and use of social media.
Second, the model could be developed further to include a more fine-grained analysis of the diversity of privacy concerns and personal information [12].In this regard, privacy segmentation, such as Westin's [45], could be used to divide people based on their privacy preferences.First, fundamentalists could be modelled to realise negative consequences faster (i.e., short delay) and interpret them as even worse, thus being the most concerned users.Similarly, pragmatists could be modelled to realise negative consequences slower (i.e., long delay) and interpret them as somewhat worse, thus being less concerned than fundamentalists.Finally, unconcerned could be the least able to understand what the privacy fuss is all about, thus being the least concerned users.As a result, the inconsistency between privacy concerns and actual behaviour that indicates the privacy paradox would also vary in extent between the three user groups.In addition, not all three user groups would share the same amount of data, thus not all data shared by each user group would be useful for processing (Aggregation and Downstream Uses) by the platform and third parties.
Finally, the methodological approach of using system dynamics could be used for studying the privacy paradox outside the context of social media.For example, the model could be applied to further types of platforms, such as peer-to-peer (P2P) platforms (e.g., Airbnb and Uber), in order to test and expand the privacy paradox study to additional contexts.

Conclusions
This article incorporates existing privacy knowledge, including all eight privacy obstacles, into a qualitative system dynamics model and examines the conditions under which the privacy paradox emerges over time in the context of social media.The results show that the eight privacy obstacles prevent adequately accounting for the negative consequences of adopting and using social media by (1) reinforcing gratifications, thus inducing social media adoption and use, while (2) hampering the realisation of (all) negative consequences, thus reducing the motivation for social media discard.Moreover, gratifications kick off early and often seem to dominate even major long-term negative consequences, thereby resulting in users becoming only gradually concerned about privacy, by which time they are usually deeply engaged in the platform to consider discarding, and therefore arriving in a paradoxical situation that seems not viable to escape from (i.e., the boiling frog syndrome).Conversely, major short-term negative consequences are more likely to conflict with gratifications already earlier, thereby resulting in users becoming less engaged, more concerned, and therefore still able to discard the platform, thus resolving the paradoxical situation.Thereby, the article paves the way towards a more comprehensive synthetic privacy paradox explanation that is still missing from current privacy literature [12] and is difficult to be provided using only conventional cross-sectional approaches.

Figure 1 .
Figure 1.Privacy obstacles affecting the adoption and use of social media.

Table 4 .
Relation of privacy paradox explanations to privacy obstacles.

Table 5 .
Causal dependencies of privacy obstacles.