Juniper Lovato,Philip Mueller,Parisa Suchdev,Peter S. Dodds

DOI: https://doi.org/10.48550/arXiv.2302.08936

2023-02-17

Computation and Language

Abstract:Collecting personally identifiable information (PII) on data subjects has become big business. Data brokers and data processors are part of a multi-billion-dollar industry that profits from collecting, buying, and selling consumer data. Yet there is little transparency in the data collection industry which makes it difficult to understand what types of data are being collected, used, and sold, and thus the risk to individual data subjects. In this study, we examine a large textual dataset of privacy policies from 1997-2019 in order to investigate the data collection activities of data brokers and data processors. We also develop an original lexicon of PII-related terms representing PII data types curated from legislative texts. This mesoscale analysis looks at privacy policies overtime on the word, topic, and network levels to understand the stability, complexity, and sensitivity of privacy policies over time. We find that (1) privacy legislation correlates with changes in stability and turbulence of PII data types in privacy policies; (2) the complexity of privacy policies decreases over time and becomes more regularized; (3) sensitivity rises over time and shows spikes that are correlated with events when new privacy legislation is introduced.

Maaz Bin Musa,Steven M. Winston,Garrison Allen,Jacob Schiller,Kevin Moore,Sean Quick,Johnathan Melvin,Padmini Srinivasan,Mihailis E. Diamantis,Rishab Nithyanand

2024-10-05

Abstract:The development of tools and techniques to analyze and extract organizations data habits from privacy policies are critical for scalable regulatory compliance audits. Unfortunately, these tools are becoming increasingly limited in their ability to identify compliance issues and fixes. After all, most were developed using regulation-agnostic datasets of annotated privacy policies obtained from a time before the introduction of landmark privacy regulations such as EUs GDPR and Californias CCPA. In this paper, we describe the first open regulation-aware dataset of expert-annotated privacy policies, C3PA (CCPA Privacy Policy Provision Annotations), aimed to address this challenge. C3PA contains over 48K expert-labeled privacy policy text segments associated with responses to CCPA-specific disclosure mandates from 411 unique organizations. We demonstrate that the C3PA dataset is uniquely suited for aiding automated audits of compliance with CCPA-related disclosure mandates.

Computation and Language,Information Retrieval

Karl van der Schyff,Suzanne Prior,Karen Renaud

DOI: https://doi.org/10.1016/j.cose.2024.104065

IF: 5.105

2024-08-20

Computers & Security

Abstract:Online users often neglect the importance of privacy policies - a critical aspect of digital privacy and data protection. This scoping review addresses this oversight by delving into privacy policy analysis, aiming to establish a comprehensive research agenda. The study's objective was to explore the analytic techniques employed in privacy policy analysis and to identify the associated challenges. Following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses for Scoping Reviews (PRISMA-ScR) checklist, the review selected n = 97 relevant studies. The findings reveal a diverse array of techniques used, encompassing automated machine learning and natural language processing, and manual content analysis. Notably, researchers grapple with challenges like linguistic nuances, ambiguity, and complex data harvesting methods. Additionally, the lack of privacy-centric theoretical frameworks and a dearth of user evaluations in many studies limit their real-world applicability. The review concludes by proposing a set of research recommendations to shape the future research agenda in privacy policy analysis.

computer science, information systems

Mukund Srinath,Pranav Venkit,Maria Badillo,Florian Schaub,C. Lee Giles,Shomir Wilson

2024-02-17

Abstract:Privacy policies are crucial for informing users about data practices, yet their length and complexity often deter users from reading them. In this paper, we propose an automated approach to identify and visualize data practices within privacy policies at different levels of detail. Leveraging crowd-sourced annotations from the ToS;DR platform, we experiment with various methods to match policy excerpts with predefined data practice descriptions. We further conduct a case study to evaluate our approach on a real-world policy, demonstrating its effectiveness in simplifying complex policies. Experiments show that our approach accurately matches data practice descriptions with policy excerpts, facilitating the presentation of simplified privacy information to users.

Cryptography and Security,Machine Learning

Henry Hosseini,Martin Degeling,Christine Utz,Thomas Hupperich

DOI: https://doi.org/10.2478/popets-2021-0081

2021-07-23

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Privacy policies have become a focal point of privacy research. With their goal to reflect the privacy practices of a website, service, or app, they are often the starting point for researchers who analyze the accuracy of claimed data practices, user understanding of practices, or control mechanisms for users. Due to vast differences in structure, presentation, and content, it is often challenging to extract privacy policies from online resources like websites for analysis. In the past, researchers have relied on scrapers tailored to the specific analysis or task, which complicates comparing results across different studies. To unify future research in this field, we developed a toolchain to process website privacy policies and prepare them for research purposes. The core part of this chain is a detector module for English and German, using natural language processing and machine learning to automatically determine whether given texts are privacy or cookie policies. We leverage multiple existing data sets to refine our approach, evaluate it on a recently published longitudinal corpus, and show that it contains a number of misclassified documents. We believe that unifying data preparation for the analysis of privacy policies can help make different studies more comparable and is a step towards more thorough analyses. In addition, we provide insights into common pitfalls that may lead to invalid analyses.

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.2005.08967

2020-05-18

Abstract:The new information and communication technology providers collect increasing amounts of personal data, a lot of which is user generated. Unless use policies are privacy-friendly, this leaves users vulnerable to privacy risks such as exposure through public data visibility or intrusive commercialisation of their data through secondary data use. Due to complex privacy policies, many users of online services unwillingly agree to privacy-intruding practices. To give users more control over their privacy, scholars and regulators have pushed for short, simple, and prominent privacy policies. The premise has been that users will see and comprehend such policies, and then rationally adjust their disclosure behaviour. In this paper, on a use case of social network service site, we show that this premise does not hold. We invited 214 regular Facebook users to join a new fictitious social network. We experimentally manipulated the privacy-friendliness of an unavoidable and simple privacy policy. Half of our participants miscomprehended even this transparent privacy policy. When privacy threats of secondary data use were present, users remembered the policies as more privacy-friendly than they actually were and unwittingly uploaded more data. To mitigate such behavioural pitfalls we present design recommendations to improve the quality of informed consent.

Computers and Society

Zachary Lindner

DOI: https://doi.org/10.48550/arXiv.2003.04972

2020-02-13

Abstract:Privacy policies are legal documents that describe how a website will collect, use, and distribute a user's data. Unfortunately, such documents are often overly complicated and filled with legal jargon; making it difficult for users to fully grasp what exactly is being collected and why. Our solution to this problem is to provide users with a coverage analysis of a given website's privacy policy using a wide range of classical machine learning and deep learning techniques. Given a website's privacy policy, the classifier identifies the associated data practice for each logical segment. These data practices/labels are taken directly from the OPP-115 corpus. For example, the data practice "Data Retention" refers to how long a website stores a user's information. The coverage analysis allows users to determine how many of the ten possible data practices are covered, along with identifying the sections that correspond to the data practices of particular interest.

Computation and Language,Machine Learning

Mukund Srinath,Shomir Wilson,C. Lee Giles

DOI: https://doi.org/10.18653/v1/2021.acl-long.532

2024-03-30

Abstract:Organisations disclose their privacy practices by posting privacy policies on their website. Even though users often care about their digital privacy, they often don't read privacy policies since they require a significant investment in time and effort. Although natural language processing can help in privacy policy understanding, there has been a lack of large scale privacy policy corpora that could be used to analyse, understand, and simplify privacy policies. Thus, we create PrivaSeer, a corpus of over one million English language website privacy policies, which is significantly larger than any previously available corpus. We design a corpus creation pipeline which consists of crawling the web followed by filtering documents using language detection, document classification, duplicate and near-duplication removal, and content extraction. We investigate the composition of the corpus and show results from readability tests, document similarity, keyphrase extraction, and explored the corpus through topic modeling.

Information Retrieval,Cryptography and Security

Greta Valentine,Kate Barron

DOI: https://doi.org/10.18438/eblip30122

2022-09-19

Evidence Based Library and Information Practice

Abstract:Objective – The tension between upholding privacy as a professional value and the ubiquity of collecting patrons’ data to provide online services is now common in libraries. Privacy policies that explain how the library collects and uses patron records are one way libraries can provide transparency around this issue. This study examines 78 policies collected from the public websites of U.S. Association of Research Libraries’ (ARL) members and examines these policies for compliance with American Library Association (ALA) guidelines on privacy policy content. This overview can provide library policy makers with a sense of trends in the privacy policies of research-intensive academic libraries, and a sense of the gaps where current policies (and guidelines) may not adequately address current privacy concerns. Methods – Content analysis was applied to analyze all privacy policies. A deductive codebook based on ALA privacy policy guidelines was first used to code all policies. The authors used consensus coding to arrive at agreement about where codes were present. An inductive codebook was then developed to address themes present in the text that remained uncoded after initial deductive coding. Results – Deductive coding indicated low policy compliance with ALA guidelines. None of the 78 policies contained all 20 codes derived from the guidelines, and only 6% contained more than half. No individual policy contained more than 75% of the content recommended by ALA. Inductive coding revealed themes that expanded on the ALA guidelines or addressed emerging privacy concerns such as library-initiated data collection and sharing patron data with institutional partners. No single inductive code appeared in more than 63% of policies. Conclusion – Academic library privacy policies appear to be evolving to address emerging concerns such as library-initiated data collection, invisible data collection via vendor platforms, and data sharing with institutional partners. However, this study indicates that most libraries do not provide patrons with a policy that comprehensively addresses how patrons’ data are obtained, used, and shared by the library.

Yan Shvartzshnaider,Noah Apthorpe,Nick Feamster,Helen Nissenbaum

DOI: https://doi.org/10.48550/arXiv.1809.02236

2018-09-07

Abstract:In this paper, we demonstrate the effectiveness of using the theory of contextual integrity (CI) to annotate and evaluate privacy policy statements. We perform a case study using CI annotations to compare Facebook's privacy policy before and after the Cambridge Analytica scandal. The updated Facebook privacy policy provides additional details about what information is being transferred, from whom, by whom, to whom, and under what conditions. However, some privacy statements prescribe an incomprehensibly large number of information flows by including many CI parameters in single statements. Other statements result in incomplete information flows due to the use of vague terms or omitting contextual parameters altogether. We then demonstrate that crowdsourcing can effectively produce CI annotations of privacy policies at scale. We test the CI annotation task on 48 excerpts of privacy policies from 17 companies with 141 crowdworkers. The resulting high precision annotations indicate that crowdsourcing could be used to produce a large corpus of annotated privacy policies for future research.

Computers and Society

Aamir Hamid,Hemanth Reddy Samidi,Tim Finin,Primal Pappachan,Roberto Yus

DOI: https://doi.org/10.48550/arXiv.2308.05890

2023-12-14

Abstract:As the adoption of smart devices continues to permeate all aspects of our lives, user privacy concerns have become more pertinent than ever. Privacy policies outline the data handling practices of these devices. Prior work in the domains of websites and mobile apps has shown that privacy policies are rarely read and understood by users. In these domains, automatic analysis of privacy policies has been shown to help give users appropriate insights. However, there is a lack of such an analysis in the domain of smart device privacy policies. This paper presents a comprehensive study of the landscape of privacy policies of smart devices. We introduce a methodology that addresses the unique challenges of smart devices, by finding information about them, their manufacturers, and their privacy policies on the Web. Our methodology utilizes state-of-the-art analysis techniques to assess readability and privacy of smart device policies and compares it policies of e-commerce websites and mobile applications. Overall, we analyzed 4,556 smart devices, 2,211 manufacturers, and 819 privacy policies. Despite smart devices having access to more intrusive data about their users (using sensors such as cameras and microphones), more than 1,167 of the analyzed manufacturers did not have policies available. The study highlights that significant improvement is required on communicating the data management practices of smart devices.

Computers and Society

Gunjan Balde,Aryendra Singh,Niloy Ganguly,Mainack Mondal

2023-06-20

Abstract:Data privacy in healthcare is of paramount importance (and thus regulated using laws like HIPAA) due to the highly sensitive nature of patient data. To that end, healthcare organizations mention how they collect/process/store/share this data (i.e., data practices) via their privacy policies. Thus there is a need to audit these policies and check compliance with respective laws. This paper addresses this need and presents a large-scale data-driven study to audit privacy policies from healthcare organizations in three countries -- USA, UK, and India. We developed a three-stage novel \textit{workflow} for our audit. First, we collected the privacy policies of thousands of healthcare organizations in these countries and cleaned this privacy policy data using a clustering-based mixed-method technique. We identified data practices regarding users' private medical data (medical history) and site privacy (cookie, logs) in these policies. Second, we adopted a summarization-based technique to uncover exact broad data practices across countries and notice important differences. Finally, we evaluated the cross-country data practices using the lens of legal compliance (with legal expert feedback) and grounded in the theory of Contextual Integrity (CI). Alarmingly, we identified six themes of non-alignment (observed in 21.8\% of data practices studied in India) pointed out by our legal experts. Furthermore, there are four \textit{potential violations} according to case verdicts from Indian Courts as pointed out by our legal experts. We conclude this paper by discussing the utility of our auditing workflow and the implication of our findings for different stakeholders.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Hamza Harkous,Kassem Fawaz,Rémi Lebret,Florian Schaub,Kang G. Shin,Karl Aberer

DOI: https://doi.org/10.48550/arXiv.1802.02561

2018-02-07

Computation and Language

Abstract:Privacy policies are the primary channel through which companies inform users about their data collection and sharing practices. These policies are often long and difficult to comprehend. Short notices based on information extracted from privacy policies have been shown to be useful but face a significant scalability hurdle, given the number of policies and their evolution over time. Companies, users, researchers, and regulators still lack usable and scalable tools to cope with the breadth and depth of privacy policies. To address these hurdles, we propose an automated framework for privacy policy analysis (Polisis). It enables scalable, dynamic, and multi-dimensional queries on natural language privacy policies. At the core of Polisis is a privacy-centric language model, built with 130K privacy policies, and a novel hierarchy of neural-network classifiers that accounts for both high-level aspects and fine-grained details of privacy practices. We demonstrate Polisis' modularity and utility with two applications supporting structured and free-form querying. The structured querying application is the automated assignment of privacy icons from privacy policies. With Polisis, we can achieve an accuracy of 88.4% on this task. The second application, PriBot, is the first freeform question-answering system for privacy policies. We show that PriBot can produce a correct answer among its top-3 results for 82% of the test questions. Using an MTurk user study with 700 participants, we show that at least one of PriBot's top-3 answers is relevant to users for 89% of the test questions.

Sonu Gupta,Ellen Poplavska,Nora O'Toole,Siddhant Arora,Thomas Norton,Norman Sadeh,Shomir Wilson

DOI: https://doi.org/10.48550/arXiv.2206.14169

2022-06-29

Abstract:The landscape of privacy laws and regulations around the world is complex and ever-changing. National and super-national laws, agreements, decrees, and other government-issued rules form a patchwork that companies must follow to operate internationally. To examine the status and evolution of this patchwork, we introduce the Government Privacy Instructions Corpus, or GPI Corpus, of 1,043 privacy laws, regulations, and guidelines, covering 182 jurisdictions. This corpus enables a large-scale quantitative and qualitative examination of legal foci on privacy. We examine the temporal distribution of when GPIs were created and illustrate the dramatic increase in privacy legislation over the past 50 years, although a finer-grained examination reveals that the rate of increase varies depending on the personal data types that GPIs address. Our exploration also demonstrates that most privacy laws respectively address relatively few personal data types, showing that comprehensive privacy legislation remains rare. Additionally, topic modeling results show the prevalence of common themes in GPIs, such as finance, healthcare, and telecommunications. Finally, we release the corpus to the research community to promote further study.

Computation and Language

Haoran Ou,Yong Fang,Wenbo Guo,Yongyan Guo,Cheng Huang

DOI: https://doi.org/10.1145/3545948.3545952

2022-01-01

Abstract:To provide users with personalized services, the website collects and tracks user’s activity data. At the same time, each website uses a privacy policy to ensure the legality of these actions. The purpose of the implementation of the General Data Protection Regulation (GDPR) is to protect the privacy of user data. Because GDPR is a programmatic regulation, there is no specific guidance on what a privacy policy should contain. Therefore, there may still be potential violations on the website, thus cause a risk of leak users’ private data. In this paper, we define a violating behavior that data collected by the website without a declaration in the privacy policy is illegal. To complete the violating behavior detection, we first interpret the GDPR and analyze 1000 website privacy policies to present a personal data classification including eight categories. Based on this, we propose a privacy policy annotation scheme including these eight categories and collect 145 related Web APIs. Then we propose an automated method to detect GDPR suspected compliance violations in websites. On the one hand we use the multi-label text classification model to extract data collection stated in the privacy policy, with a precision of 0.9817. For another, we dynamically monitor the JavaScript calls of the website related to personal data collection during user visits. Finally, we compare the two results to determine whether violating behaviors appeared. We use this method to detect the European top 500 websites (actually 451 websites). A total of 159 (35.3%) websites appear in violation of the GDPR. We analyze the detection results from different perspectives, including statistics on the types of data declared in the privacy policy, statistics on data collected by the website, and which data collection is likely to cause violations. Then we classify the violating websites and find that websites in the Social category present the most violations. Finally, we count the rankings of the offending websites. Surprisingly, top-ranking sites are even more prone to breaches. There are even some globally well-known websites with violations, such as BBC, Nokia, Ebay, Google etc.

Eleanor Birrell,Jay Rodolitz,Angel Ding,Jenna Lee,Emily McReynolds,Jevan Hutson,Ada Lerner

DOI: https://doi.org/10.48550/arXiv.2312.15383

2023-12-24

Abstract:Growing recognition of the potential for exploitation of personal data and of the shortcomings of prior privacy regimes has led to the passage of a multitude of new online privacy regulations. Some of these laws -- notably the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) -- have been the focus of large bodies of research by the computer science community, while others have received less attention. In this work, we analyze a set of Internet privacy and data protection regulations drawn from around the world -- both those that have frequently been studied by computer scientists and those that have not -- and develop a taxonomy of rights granted and obligations imposed by these laws. We then leverage this taxonomy to systematize 270 technical research papers published in computer science venues that investigate the impact of these laws and explore how technical solutions can complement legal protections. Finally, we analyze the results in this space through an interdisciplinary lens and make recommendations for future work at the intersection of computer science and legal privacy.

Computers and Society

Christopher G. Bradley

DOI: https://doi.org/10.2139/ssrn.4408244

2023-01-01

SSRN Electronic Journal

Abstract:Despite being subjected to decades of sharp criticism, privacy policies published by companies remain a linchpin of privacy regulation. Representations in these policies provide the main measure against which consumer privacy can be judged. Policies are rarely read by consumers and are most often interpreted by decision makers within companies who have to determine if a proposed course of action is consistent with stated policies as well as underlying privacy law. The degree to which policies provide constraint will rely on whether the policies are sufficiently clear that even a company-friendly reading requires a consumer-data-protective course of action.Experimental evidence on the interpretation of privacy policies provides no grounds for encouragement about such constraint, because it suggests that policies are often so ambiguous that neither laypeople nor experts can consistently interpret them. This Article supports those experimental findings with real-world evidence. It draws on a data set of court filings of experts appointed to consider the legality of transfers of consumers’ private data. The study finds that even independent, court appointed experts rely on interpretive practices that are unreliable and inconsistent. It reveals divergences concerning what even relatively common, standard privacy policy provisions actually mean, in relatively common situations, such as the attempt to sell data as part of a reorganization or liquidation. This suggests that privacy regulation should not rely too heavily on the language of privacy policies unless greater consensus can be reached. The Article then proposes to put the interpretation of privacy policies on more sound footing. It explores two primary approaches. Privacy policies could be subjected to more certain meaning through a turn to standardization, where policies are communicated by reference to interpretive principles laid out by regulation or by understanding grounded in empirical research on the meaning of the various terms. Alternatively, privacy policies could be subjected to a set of interpretive principles that would provide a more certain basis for interpretation and also encourage drafters of policies to state themselves more clearly.

Ayesha Qamar,Tehreem Javed,Mirza Omer Beg

DOI: https://doi.org/10.48550/arXiv.2102.12362

2021-02-21

Abstract:Privacy Policies are the legal documents that describe the practices that an organization or company has adopted in the handling of the personal data of its users. But as policies are a legal document, they are often written in extensive legal jargon that is difficult to understand. Though work has been done on privacy policies but none that caters to the problem of verifying if a given privacy policy adheres to the data protection laws of a given country or state. We aim to bridge that gap by providing a framework that analyzes privacy policies in light of various data protection laws, such as the General Data Protection Regulation (GDPR). To achieve that, firstly we labeled both the privacy policies and laws. Then a correlation scheme is developed to map the contents of a privacy policy to the appropriate segments of law that a policy must conform to. Then we check the compliance of privacy policy's text with the corresponding text of the law using NLP techniques. By using such a tool, users would be better equipped to understand how their personal data is managed. For now, we have provided a mapping for the GDPR and PDPA, but other laws can easily be incorporated in the already built pipeline.

Cryptography and Security,Computation and Language

Jayashree Mohan,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.1007/978-3-030-33752-0_6

2019-01-01

Abstract:AbstractWith the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. Privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Yousra Javed,Ayesha Sajid

DOI: https://doi.org/10.1145/3698393

IF: 16.6

2024-11-09

ACM Computing Surveys

Abstract:An organization’s privacy policy states how it collects, stores, processes, and shares its users’ personal information. The growing number of data protection laws and regulations, as well as the numerous sectors where the organizations are collecting user information, has led to the investigation of privacy policies with regards to their accessibility, readability, completeness, comparison with organization’s actual data practices, use of machine learning/natural language processing for automated analysis, and comprehension/perception/concerns of end-users via summarization/visualization tools and user studies. However, there is limited work on systematically reviewing the existing research on this topic. We address this gap by conducting a systematic review of the existing privacy policy literature. To this end, we compiled and analyzed 202 papers (published till 31st December, 2023) that investigated privacy policies. Our work advances the field of privacy policies by summarizing the analysis techniques that have been used to study them, the data protection laws/regulations explored, and the sectors to which these policies pertain. We provide actionable insights for organizations to achieve better end-user privacy.

computer science, theory & methods