Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

David Wright,Serge Gutwirth,Michael Friedewald,Paul De Hert,Marc Langheinrich,Anna Moscibroda

DOI: https://doi.org/10.1016/j.clsr.2008.11.004

2009-01-01

Abstract:The authors contend that the emerging ubiquitous Information Society (aka ambient intelligence, pervasive computing, ubiquitous networking and so on) will raise many privacy and trust issues that are context dependent. These issues will pose many challenges for policy-makers and stakeholders because people's notions of privacy and trust are different and shifting. People's attitudes towards privacy and protecting their personal data can vary significantly according to differing circumstances. In addition, notions of privacy and trust are changing over time. The authors provide numerous examples of the challenges facing policy-makers and identify some possible responses, but they see a need for improvements in the policy-making process in order to deal more effectively with varying contexts. They also identify some useful policy-making tools. They conclude that the broad brush policies of the past are not likely to be adequate to deal with the new challenges and that we are probably entering an era that will require development of “micro-policies”. While the new technologies will pose many challenges, perhaps the biggest challenge of all will be to ensure coherence of these micro-policies.

law

Ryan Amos,Gunes Acar,Eli Lucherini,Mihir Kshirsagar,Arvind Narayanan,Jonathan Mayer

DOI: https://doi.org/10.1145/3442381.3450048

2021-07-21

Abstract:Automated analysis of privacy policies has proved a fruitful research direction, with developments such as automated policy summarization, question answering systems, and compliance detection. Prior research has been limited to analysis of privacy policies from a single point in time or from short spans of time, as researchers did not have access to a large-scale, longitudinal, curated dataset. To address this gap, we developed a crawler that discovers, downloads, and extracts archived privacy policies from the Internet Archive's Wayback Machine. Using the crawler and following a series of validation and quality control steps, we curated a dataset of 1,071,488 English language privacy policies, spanning over two decades and over 130,000 distinct websites. Our analyses of the data paint a troubling picture of the transparency and accessibility of privacy policies. By comparing the occurrence of tracking-related terminology in our dataset to prior web privacy measurements, we find that privacy policies have consistently failed to disclose the presence of common tracking technologies and third parties. We also find that over the last twenty years privacy policies have become even more difficult to read, doubling in length and increasing a full grade in the median reading level. Our data indicate that self-regulation for first-party websites has stagnated, while self-regulation for third parties has increased but is dominated by online advertising trade associations. Finally, we contribute to the literature on privacy regulation by demonstrating the historic impact of the GDPR on privacy policies.

Computers and Society

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.2005.08967

2020-05-18

Abstract:The new information and communication technology providers collect increasing amounts of personal data, a lot of which is user generated. Unless use policies are privacy-friendly, this leaves users vulnerable to privacy risks such as exposure through public data visibility or intrusive commercialisation of their data through secondary data use. Due to complex privacy policies, many users of online services unwillingly agree to privacy-intruding practices. To give users more control over their privacy, scholars and regulators have pushed for short, simple, and prominent privacy policies. The premise has been that users will see and comprehend such policies, and then rationally adjust their disclosure behaviour. In this paper, on a use case of social network service site, we show that this premise does not hold. We invited 214 regular Facebook users to join a new fictitious social network. We experimentally manipulated the privacy-friendliness of an unavoidable and simple privacy policy. Half of our participants miscomprehended even this transparent privacy policy. When privacy threats of secondary data use were present, users remembered the policies as more privacy-friendly than they actually were and unwittingly uploaded more data. To mitigate such behavioural pitfalls we present design recommendations to improve the quality of informed consent.

Computers and Society

Ram D. Gopal,Hooman Hidaji,Sule Nur Kutlu,Raymond A. Patterson,Niam Yaraghi

DOI: https://doi.org/10.1287/isre.2022.1178

IF: 4.9

2023-02-16

Information Systems Research

Abstract:Widespread abuse of internet users' privacy online has prompted user advocacy groups to implore governments to intervene and protect consumer rights. To study such interventions' effects, we examine data-protection policies that policy makers and governments can enforce on websites, including consent-based user information sharing and subsidizing competing websites. Interestingly, we find that even though a consent-based policy may improve user surplus, it has the unintended consequence of increasing the number of third-parties and, thus, sharing of user information. We also determine that both consent-based and website subsidization policies may reduce competition by driving websites out of the market—to the detriment of user surplus and social welfare. Moreover, consent-based policies are not beneficial to websites, but are beneficial for third-parties. Policy makers should consider the different policy mechanisms at their disposal. Website subsidization is similar to a scalpel, enabling them to sculpt around and impact specific target markets. Consent-based policies are more comparable to a sledgehammer that uniformly affects all market segments. For circumstances where it is difficult for the government to enact a law for the entire market, website subsidization policies may be appealing alternatives, as they may yield higher user surplus than consent-based policies.

information science & library science,management

Karl van der Schyff,Suzanne Prior,Karen Renaud

DOI: https://doi.org/10.1016/j.cose.2024.104065

IF: 5.105

2024-08-20

Computers & Security

Abstract:Online users often neglect the importance of privacy policies - a critical aspect of digital privacy and data protection. This scoping review addresses this oversight by delving into privacy policy analysis, aiming to establish a comprehensive research agenda. The study's objective was to explore the analytic techniques employed in privacy policy analysis and to identify the associated challenges. Following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses for Scoping Reviews (PRISMA-ScR) checklist, the review selected n = 97 relevant studies. The findings reveal a diverse array of techniques used, encompassing automated machine learning and natural language processing, and manual content analysis. Notably, researchers grapple with challenges like linguistic nuances, ambiguity, and complex data harvesting methods. Additionally, the lack of privacy-centric theoretical frameworks and a dearth of user evaluations in many studies limit their real-world applicability. The review concludes by proposing a set of research recommendations to shape the future research agenda in privacy policy analysis.

computer science, information systems

Vincent Freiberger,Erik Buchmann

2024-03-13

Abstract:Privacy policies are expected to inform data subjects about their data protection rights. They should explain the data controller's data management practices, and make facts such as retention periods or data transfers to third parties transparent. Privacy policies only fulfill their purpose, if they are correctly perceived, interpreted, understood, and trusted by the data subject. Amongst others, this requires that a privacy policy is written in a fair way, e.g., it does not use polarizing terms, does not require a certain education, or does not assume a particular social background. In this work-in-progress paper, we outline our approach to assessing fairness in privacy policies. To this end, we identify from fundamental legal sources and fairness research, how the dimensions informational fairness, representational fairness and ethics/morality are related to privacy policies. We propose options to automatically assess policies in these fairness dimensions, based on text statistics, linguistic methods and artificial intelligence. Finally, we conduct initial experiments with German privacy policies to provide evidence that our approach is applicable. Our experiments indicate that there are indeed issues in all three dimensions of fairness. For example, our approach finds out if a policy discriminates against individuals with impaired reading skills or certain demographics, and identifies questionable ethics. This is important, as future privacy policies may be used in a corpus for legal artificial intelligence models.

Computation and Language,Artificial Intelligence,Computers and Society

Christine Utz,Sabrina Amft,Martin Degeling,Thorsten Holz,Sascha Fahl,Florian Schaub

DOI: https://doi.org/10.48550/arXiv.2203.11387

2022-10-05

Abstract:Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy. We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.

Human-Computer Interaction

Eleanor Birrell,Jay Rodolitz,Angel Ding,Jenna Lee,Emily McReynolds,Jevan Hutson,Ada Lerner

DOI: https://doi.org/10.48550/arXiv.2312.15383

2023-12-24

Abstract:Growing recognition of the potential for exploitation of personal data and of the shortcomings of prior privacy regimes has led to the passage of a multitude of new online privacy regulations. Some of these laws -- notably the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) -- have been the focus of large bodies of research by the computer science community, while others have received less attention. In this work, we analyze a set of Internet privacy and data protection regulations drawn from around the world -- both those that have frequently been studied by computer scientists and those that have not -- and develop a taxonomy of rights granted and obligations imposed by these laws. We then leverage this taxonomy to systematize 270 technical research papers published in computer science venues that investigate the impact of these laws and explore how technical solutions can complement legal protections. Finally, we analyze the results in this space through an interdisciplinary lens and make recommendations for future work at the intersection of computer science and legal privacy.

Computers and Society

Victor Morel,Raúl Pardo

DOI: https://doi.org/10.48550/arXiv.1908.06814

2020-09-11

Abstract:Privacy policies are the main way to obtain information related to personal data collection and processing. Originally, privacy policies were presented as textual documents. However, the unsuitability of this format for the needs of today's society gave birth to other means of expression. In this paper, we systematically study the different means of expression of privacy policies. In doing so, we have explored the three main categories, which we call facets, ie, natural language, graphical and machine-readable privacy policies. Each of these facets focuses on the particular needs of the communities they come from, ie, law experts, organizations and privacy advocates, and academics, respectively. We then analyze the benefits and limitations of each facet, and explain why solutions based on a single facet do not cover the needs of other communities. Finally, we set guidelines and discuss challenges of an approach to expressing privacy policies which brings together the benefits of each facet as an attempt to overcome their limitations.

Computers and Society,Human-Computer Interaction

Jesse Wright,Beatriz Esteves,Rui Zhao

2024-08-17

Abstract:This paper presents a sociotechnical vision for managing personal data, including cookies, within Web browsers. We first present our vision for a future of semi-automated data governance on the Web, using policy languages to describe data terms of use, and having browsers act on behalf of users to enact policy-based controls. Then, we present an overview of the technical research required to {prove} that existing policy languages express a sufficient range of concepts for describing cookie policies on the Web today. We view this work as a stepping stone towards a future of semi-automated data governance at Web-scale, which in the long term will also be used by next-generation Web technologies such as Web agents and Solid.

Human-Computer Interaction,Computers and Society

Shara Monteleone

Abstract:Information notice and data subject's consent are the current main legal safeguards of data protection and privacy rights: they reflect individuals' instances, such as self-determination and control over one's own private sphere, that have been acknowledged in many jurisdictions. However, the theoretic strength of these safeguards appears frustrated by current online practices that seem suggesting to give-up with their most common form of implementation: privacy notices and request for consent. These measures are proving to be unsuccessful in increasing users' awareness and in fostering a privacy protective-behaviour. As recent studies have shown, although people declare privacy concerns, their actual behaviour diverges from their statements (the "privacy paradox"), as they seem to increasingly disclose personal data and to not even read privacy notices available online; eventually, the current privacy notices are not effective in regulating user's data disclosure. Behaviourally informed approaches to regulatory problems, already applied to different areas of information provision and public policy, helped to clarify the reasons of similar peoples' behaviour that cannot be reduced to a simplistic "users do not care about privacy." Highlighting the regulatory weakness of traditional information notices, applied behavioural science has also demonstrated to be particularly effective in improving users' decision-making and attaining concrete policy objectives if accompanied by ad hoc design interventions to display the relevant, salient information. As users do not read privacy policies or act in contradiction with them, other strategies might be more successful in promoting, "nudging," privacy-protective behaviour. The use of innovative information notices, like salient alerts and nudges, seems to be a promising means of behavioural change also in the area of digital privacy, a possible new area of application of behavioural insights. Building on recent studies in the field ( conducted mainly in the U.S.), this paper considers new forms of privacy notices (like "visceral" 2 Syracuse Journal of International Law and Commerce, Vol. 43, No. 1 [2015], Art. 4 https://surface.syr.edu/jilc/vol43/iss1/4 2015] Addressing the 'Failure' of Informed Consent 71 notices), as alternative or complement to current legal (technical) measures for data protection. For the informed consent approach (or "notice and choice" approach) to work, it needs to be improved with welldesigned, transparent and regulated nudging system, capable to help citizens in their decision-making as regards their privacy. Without disregarding the challenges and limitations of nudging strategies in public policy in general and in the privacy area in particular, and examining their legal grounds, the paper aims also to integrate that branch of legal-policy research that see "nudging" methods as an effective way to gently encourage safer behaviours in the citizens.

Computer Science,Economics,Law

Henry Hosseini,Martin Degeling,Christine Utz,Thomas Hupperich

DOI: https://doi.org/10.2478/popets-2021-0081

2021-07-23

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Privacy policies have become a focal point of privacy research. With their goal to reflect the privacy practices of a website, service, or app, they are often the starting point for researchers who analyze the accuracy of claimed data practices, user understanding of practices, or control mechanisms for users. Due to vast differences in structure, presentation, and content, it is often challenging to extract privacy policies from online resources like websites for analysis. In the past, researchers have relied on scrapers tailored to the specific analysis or task, which complicates comparing results across different studies. To unify future research in this field, we developed a toolchain to process website privacy policies and prepare them for research purposes. The core part of this chain is a detector module for English and German, using natural language processing and machine learning to automatically determine whether given texts are privacy or cookie policies. We leverage multiple existing data sets to refine our approach, evaluate it on a recently published longitudinal corpus, and show that it contains a number of misclassified documents. We believe that unifying data preparation for the analysis of privacy policies can help make different studies more comparable and is a step towards more thorough analyses. In addition, we provide insights into common pitfalls that may lead to invalid analyses.

Serge Abiteboul,Julia Stoyanovich

DOI: https://doi.org/10.48550/arXiv.1903.03683

2019-03-09

Abstract:The data revolution continues to transform every sector of science, industry and government. Due to the incredible impact of data-driven technology on society, we are becoming increasingly aware of the imperative to use data and algorithms responsibly -- in accordance with laws and ethical norms. In this article we discuss three recent regulatory frameworks: the European Union's General Data Protection Regulation (GDPR), the New York City Automated Decisions Systems (ADS) Law, and the Net Neutrality principle, that aim to protect the rights of individuals who are impacted by data collection and analysis. These frameworks are prominent examples of a global trend: Governments are starting to recognize the need to regulate data-driven algorithmic technology. Our goal in this paper is to bring these regulatory frameworks to the attention of the data management community, and to underscore the technical challenges they raise and which we, as a community, are well-equipped to address. The main take-away of this article is that legal and ethical norms cannot be incorporated into data-driven systems as an afterthought. Rather, we must think in terms of responsibility by design, viewing it as a systems requirement.

Databases,Computers and Society

Darren P Mundy

DOI: https://doi.org/10.1080/14639230600804820

Abstract:Privacy has been and continues to be one of the key challenges of an age devoted to the accumulation, processing, and mining of electronic information. In particular, privacy of healthcare-related information is seen as a key issue as health organizations move towards the electronic provision of services. The aim of the research detailed in this paper has been to analyse privacy policies on popular UK healthcare-related websites to determine the extent to which consumer privacy is protected. The author has combined approaches (such as approaches focused on usability, policy content, and policy quality) used in studies by other researchers on e-commerce and US healthcare websites to provide a comprehensive analysis of UK healthcare privacy policies. The author identifies a wide range of issues related to the protection of consumer privacy through his research analysis using quantitative results. The main outcomes from the author's research are that only 61% of healthcare-related websites in their sample group posted privacy policies. In addition, most of the posted privacy policies had poor readability standards and included a variety of privacy vulnerability statements. Overall, the author's findings represent significant current issues in relation to healthcare information protection on the Internet. The hope is that raising awareness of these results will drive forward changes in the industry, similar to those experienced with information quality.

Eva-Maria Schomakers,Chantal Lidynia,Dirk Müllmann,Roman Matzutt,Klaus Wehrle,Indra Spiecker gen. Döhmann,Martina Ziefle

DOI: https://doi.org/10.48550/arXiv.1911.06569

2019-11-15

Computers and Society

Abstract:Web 2.0, social media, cloud computing, and IoT easily connect people around the globe, overcoming time and space barriers, and offering manifold benefits. However, the technological advances and increased user participation generate novel challenges for protecting users' privacy. From the user perspective, data disclosure depends, in part, on the perceived sensitivity of that data, and thus on a risk assessment of data disclosure. But in light of the new technological opportunities to process and combine data, it is questionable whether users are able to adequately evaluate the risks of data disclosures. As mediating authority, data protection laws try to protect user data, granting enhanced protection to 'special categories' of data. In this publication, the legal, technological, and user perspectives on data sensitivity are presented and compared. From a technological perspective, all data can be referred to as 'potentially sensitive.' The legal and user perspective on data sensitivity deviate as some data types are granted special protection by the law but are not perceived as very sensitive by the users, and vice versa. Merging the three perspectives, the implications for informational self-determination are discussed.

Urvashi Kishnani,Sanchari Das

2024-10-19

Abstract:As e-commerce continues to expand, the urgency for stronger privacy and security measures becomes increasingly critical, particularly on platforms frequented by younger users who are often less aware of potential risks. In our analysis of 90 US-based e-commerce websites, we employed a dual-technique approach, combining automated tools with manual evaluations. Tools like CookieServe and PrivacyCheck revealed that 38.5% of the websites deployed over 50 cookies per session, many of which were categorized as unnecessary or unclear in function, posing significant risks to users' Personally Identifiable Information (PII). Our manual assessment further uncovered critical gaps in standard security practices, including the absence of mandatory multi-factor authentication (MFA) and breach notification protocols. Additionally, we observed inadequate input validation, which compromises the integrity of user data and transactions. Based on these findings, we recommend targeted improvements to privacy policies, enhanced transparency in cookie usage, and the implementation of stronger authentication protocols. These measures are essential for ensuring compliance with CCPA and COPPA, thereby fostering more secure online environments, particularly for younger users.

Cryptography and Security,Computers and Society

Irem Aydin,Hermann Diebel-Fischer,Vincent Freiberger,Julia Möller-Klapperich,Erik Buchmann,Michael Färber,Anne Lauber-Rönsberg,Birte Platow

2024-10-11

Abstract:The growing use of Machine Learning and Artificial Intelligence (AI), particularly Large Language Models (LLMs) like OpenAI's GPT series, leads to disruptive changes across organizations. At the same time, there is a growing concern about how organizations handle personal data. Thus, privacy policies are essential for transparency in data processing practices, enabling users to assess privacy risks. However, these policies are often long and complex. This might lead to user confusion and consent fatigue, where users accept data practices against their interests, and abusive or unfair practices might go unnoticed. LLMss can be used to assess privacy policies for users automatically. In this interdisciplinary work, we explore the challenges of this approach in three pillars, namely technical feasibility, ethical implications, and legal compatibility of using LLMs to assess privacy policies. Our findings aim to identify potential for future research, and to foster a discussion on the use of LLM technologies for enabling users to fulfil their important role as decision-makers in a constantly developing AI-driven digital economy.

Computers and Society

Xinjie Lin,Han Liu,Zhen Li,Gang Xiong,Gaopeng Gou

DOI: https://doi.org/10.1016/j.cose.2022.102606

IF: 5.105

2022-01-01

Computers & Security

Abstract:In the booming development of China's digital economy, the privacy and security issues of personal data in website applications are vital important. Websites need to implement basic personal information protection measures according to China's existing statutory requirements for privacy protection, such as disclosing personal information protection policies. However, there still is possibility to leak personal information although the sites adopt the self-regulation way. In this study, we first propose the measurement study of popular websites in China combining strategy analysis and web verification, in hope of providing countermeasures for the development of the personal information protection legal system in China. The study is achieved by analysing a collection of 199,060 network behaviours from 663 websites spanning half a year, studying the consistency between behaviour and policy in websites and conducting a systematic analysis of the privacy policies disclosed on all websites. The findings are multi-fold, 67.6% of popular websites in China have publicly disclosed their privacy policies and all compliance requirements have reached more than 60%, while less than 5% of websites have clearly disclosed and strictly followed the policy statement on third-party sharing and cookie retention. Overall, we conclude that the website has a moderate level of transparency under the existing legal conditions, but there is still a lack of functional and usable mechanisms and regulations for users to consent to or deny processing of their personal data on the Internet. To this end, we analyse the measurement results and put forward appropriate recommendations for the website owners, legal institutions and regulatory authorities. (C) 2022 Elsevier Ltd. All rights reserved.

Shuang Liu,Baiyang Zhao,Renjie Guo,Guozhu Meng,Fan Zhang,Meishan Zhang

DOI: https://doi.org/10.1145/3442381.3450022

2021-04-19

Abstract:With the rapid development of web and mobile applications, as well as their wide adoption in different domains, more and more personal data is provided, consciously or unconsciously, to different application providers. Privacy policy is an important medium for users to understand what personal information has been collected and used. As data privacy protection is becoming a critical social issue, there are laws and regulations being enacted in different countries and regions, and the most representative one is the EU General Data Protection Regulation (GDPR). It is thus important to detect compliance issues among regulations, e.g., GDPR, with privacy policies, and provide intuitive results for data subjects (i.e., users), data collection party (i.e., service providers) and the regulatory authorities. In this work, we target to solve the problem of compliance analysis between GDPR (Article 13) and privacy policies. We format the task into a combination of a sentence classification step and a rule-based analysis step. We manually curate a corpus of 36,610 labeled sentences from 304 privacy policies, and benchmark our corpus with several standard sentence classifiers. We also conduct a rule-based analysis to detect compliance issues and a user study to evaluate the usability of our approach. The web-based tool AutoCompliance is publicly accessible 1.