Julien Cloarec,Charlotte Cadieu,Nour Alrabie

DOI: https://doi.org/10.1016/j.techfore.2023.123101

IF: 12

2024-03-01

Technological Forecasting and Social Change

Abstract:Our research highlights the evolving landscape of online privacy, emphasizing the growing compliance pressure on tech companies and website owners due to GDPR regulations, particularly concerning cookie banners. The regulation of these banners for personalization underscores the trade-off known as the personalization-privacy paradox. Although recent studies emphasize the positive role of transparency and control in enhancing the digital experience, they often approached them in a static and isolated manner. We introduce a new approach to operationalizing transparency and control in our study within the context of Doctissimo, a well-known French health and wellness website recognized for aggregating user-generated health data and employing advertising trackers for marketing objectives. In Study 1, we examined banner transparency, demonstrating its positive effect on click-through intention via a preference for personalization over privacy. Study 2 focused on banner privacy controls and revealed that the impact of control was entirely mediated by the intrusion of information boundaries and the preference for personalization over privacy. This research contributes to the literature by investigating the personalization privacy paradox using an innovative operationalization within the transparency-control framework.

business,regional & urban planning

Evita Bakopoulou,Anastasia Shuba,Athina Markopoulou

DOI: https://doi.org/10.48550/arXiv.2008.08973

2020-08-19

Cryptography and Security

Abstract:Mobile devices have access to personal, potentially sensitive data, and there is a large number of mobile applications and third-party libraries that transmit this information over the network to remote servers (including app developer servers and third party servers). In this paper, we are interested in better understanding of not just the extent of personally identifiable information (PII) exposure, but also its context i.e., functionality of the app, destination server, encryption used, etc.) and the risk perceived by mobile users today. To that end we take two steps. First, we perform a measurement study: we collect a new dataset via manual and automatic testing and capture the exposure of 16 PII types from 400 most popular Android apps. We analyze these exposures and provide insights into the extent and patterns of mobile apps sharing PII, which can be later used for prediction and prevention. Second, we perform a user study with 220 participants on Amazon Mechanical Turk: we summarize the results of the measurement study in categories, present them in a realistic context, and assess users' understanding, concern, and willingness to take action. To the best of our knowledge, our user study is the first to collect and analyze user input in such fine granularity and on actual (not just potential or permitted) privacy exposures on mobile devices. Although many users did not initially understand the full implications of their PII being exposed, after being better informed through the study, they became appreciative and interested in better privacy practices.

Gaston Pugliese

DOI: https://doi.org/10.1515/itit-2015-0015

2015-12-01

Abstract:Abstract Nowadays, website owners, advertisers, and data vendors can draw on a variety of techniques to track users on the Web. Here, the tracking range can vary from single websites to long-term browsing sessions across several websites and devices. Even though they are widely used, most of these techniques have in common that they are not familiar to average and even web-minded users. Therefore, most users are not able to realize the magnitude of web tracking and its consequences, not to mention to resist tracking. In times of rising concerns about data protection and privacy, this paper is intended to illustrate how web tracking works and which standard techniques are commonly used. The paper also provides an outlook on promising new tracking techniques based on behavioral biometrics. Furthermore, since browser forensics is already a subject to digital investigations, the usefulness of tracking techniques for forensic purposes and their applicability in light of the principle of proportionality is discussed. Finally, possible countermeasures and their effectiveness are indicated.

Emmanuel Syrmoudis,Robert Luzsa,Yvonne Ehrlich,Dennis Agidigbi,Kai Kirsch,Danny Rudolf,Daniel Schlaeger,Joelle Weber,Jens Grossklags

DOI: https://doi.org/10.1080/07370024.2024.2325347

IF: 6.4588

2024-03-22

Human-Computer Interaction

Abstract:In recent years, online services have started to make personal data of users more accessible by offering dedicated ways of exporting data. The introduction of download portals is associated with increasing demands by privacy regulations regarding the rights of users, such as the Right of Access (Art. 15) and the Right to Data Portability (Art. 20) of the European Union's General Data Protection Regulation (GDPR). These rights aim to empower users by increasing their control over the personal data that online services hold about them. They allow users to export their personal data and thereby gain insights on the scope of personal data held by the services and to transfer this data to other services. However, until now, little is known about how users experience and evaluate the process of accessing and exporting their data and how it impacts individual-level factors such as privacy-related attitudes (i.e. attitudes regarding sharing personal data, perceived control over data, and using privacy-protective strategies). In this paper, we report the results of an online survey with an experimental condition ( N = 728) and a second online survey ( N = 817) where participants from two university courses were asked to request real data exports from online services and inspect the exported data afterward. We find that inspecting exported personal data has a statistically significant positive effect on users' privacy-related attitudes. However, users perceive limited usefulness in switching scenarios where personal data is transferred to a new substitutional service and rather prefer to use the data at multiple complementary services.

computer science, theory & methods, cybernetics

Dario Pizzul,Michele Veneziano

DOI: https://doi.org/10.1080/1369118X.2023.2232840

2023-07-06

Information, Communication and Society

Abstract:In the early months of the COVID-19 pandemic, European countries implemented several non-pharmaceutical interventions with country-specific policies and reduced coordination. Digital Contact Tracing (DCT) was one of the few interventions on which European countries had a common approach oriented toward DCT apps' interoperability. As most EU countries implemented interoperable apps relying on an Apple and Google's framework, France developed the app autonomously. Recent literature argues that France's choice was mainly due to its strong stance in defense of national digital sovereignty. However, current contributions do not largely cover the issue empirically. Therefore, we aim to better explore the role played by digital sovereignty in the political debate related the development of DCT apps. To do so, we conducted a thematic analysis of 16 documents from France's political bodies, selected from a larger corpus of 438 documents dealing with DCT. Three main relevant dimensions related to digital sovereignty emerge. First, the initially sponsored EU interoperability progressively faded in the French political debate. Then, Apple and Google's involvement in the healthcare domain was perceived as highly problematic. Finally, having national players developing the DCT app was largely preferred. Based on our empirical findings, we further engaged with the concept of digital sovereignty, pointing out its difference from digital sovereignism by highlighting the ontological distinction between practices and ideas. Building on these reflections, we argue that France's stance towards DCT and the related digital sovereignty practices subtended digital sovereignism positions.

David Rodriguez,Jose M. Del Alamo,Celia Fernández-Aller,Norman Sadeh

DOI: https://doi.org/10.1109/access.2024.3349425

IF: 3.9

2024-01-01

IEEE Access

Abstract:In an era marked by ubiquitous reliance on mobile applications for nearly every need, the opacity of apps’ behavior poses significant threats to their users’ privacy. Although major data protection regulations require apps to disclose their data practices transparently, previous studies have pointed out difficulties in doing so. To further delve into this issue, this article describes an automated method to capture data-sharing practices in Android apps and assess their proper disclosure according to the EU General Data Protection Regulation. We applied the method to 9,000 random Android apps, unveiling an uncomfortable reality: over 80% of Android applications that transfer personal data off device potentially fail to meet GDPR transparency requirements. We further investigate the role of third-party libraries, shedding light on the source of this problem and pointing towards measures to address it.

computer science, information systems,telecommunications,engineering, electrical & electronic

Christos Perentis,Michele Vescovi,Chiara Leonardi,Corrado Moiso,Mirco Musolesi,Fabio Pianesi,Bruno Lepri

DOI: https://doi.org/10.1145/3017431

IF: 5.3

2017-05-28

ACM Transactions on Internet Technology

Abstract:The wide adoption of mobile devices and social media platforms have dramatically increased the collection and sharing of personal information. More and more frequently, users are called to make decisions concerning the disclosure of their personal information. In this study, we investigate the factors affecting users’ choices toward the disclosure of their personal data, including not only their demographic and self-reported individual characteristics, but also their social interactions and their mobility patterns inferred from months of mobile phone data activity. We report the findings of a field study conducted with a community of 63 subjects provided with (i) a smart-phone and (ii) a Personal Data Store (PDS) enabling them to control the disclosure of their data. We monitor the sharing behavior of our participants through the PDS and evaluate the contribution of different factors affecting their disclosing choices of location and social interaction data. Our analysis shows that social interaction inferred by mobile phones is an important factor revealing willingness to share, regardless of the data type. In addition, we provide further insights on the individual traits relevant to the prediction of sharing behavior.

computer science, information systems, software engineering

Konrad Kollnig,Reuben Binns,Pierre Dewitte,Max Van Kleek,Ge Wang,Daniel Omeiza,Helena Webb,Nigel Shadbolt

DOI: https://doi.org/10.48550/arXiv.2106.09407

2021-06-18

Abstract:Third-party tracking allows companies to collect users' behavioural data and track their activity across digital devices. This can put deep insights into users' private lives into the hands of strangers, and often happens without users' awareness or explicit consent. EU and UK data protection law, however, requires consent, both 1) to access and store information on users' devices and 2) to legitimate the processing of personal data as part of third-party tracking, as we analyse in this paper. This paper further investigates whether and to what extent consent is implemented in mobile apps. First, we analyse a representative sample of apps from the Google Play Store. We find that most apps engage in third-party tracking, but few obtained consent before doing so, indicating potentially widespread violations of EU and UK privacy law. Second, we examine the most common third-party tracking libraries in detail. While most acknowledge that they rely on app developers to obtain consent on their behalf, they typically fail to put in place robust measures to ensure this: disclosure of consent requirements is limited; default consent implementations are lacking; and compliance guidance is difficult to find, hard to read, and poorly maintained.

Computers and Society

Rajae Touzani,Emilien Schultz,Stéphanie Vandentorren,Pierre Arwidson,Francis Guillemin,Anne-Déborah Bouhnik,Alexandra Rouquette,Julien Mancini

DOI: https://doi.org/10.1016/j.ijmedinf.2023.104994

Abstract:Objectives: To estimate the proportion of users of the TousAntiCovid app(lication) and identify factors associated with its non-use for contact tracing. Methods: We conducted an online survey of a quota sample of French adults between 8 and 18 January 2021. Three categories of TousAntiCovid use were considered: contact tracing, other or temporary usage, and no use. A weighted multiple logistic regression was performed to analyze the factors associated with these different uses. Results: Among the 1000 respondents, 63.3% declared they had never downloaded the TousAntiCovid app, 23.5% used it for contact tracing. The remaining 13.2% did not enable contact tracing, mainly because of excessive battery consumption and fear of misuse of personal data. Trust in political representatives, financial deprivation and other factors were associated with never downloading the app. Conclusion: This study confirms the previously suggested links between trust in political representatives, financial deprivation and the use of contact tracing apps in France.

Scott Seidenberger,Oluwasijibomi Ajisegiri,Noah Pursell,Fazil Raja,Anindya Maiti

2024-10-11

Abstract:This study explores the widespread perception that personal data, such as email addresses, may be shared or sold without informed user consent, investigating whether these concerns are reflected in actual practices of popular online services and apps. Over the course of a year, we collected and analyzed the source, volume, frequency, and content of emails received by users after signing up for the 150 most popular online services and apps across various sectors. By examining patterns in email communications, we aim to identify consistent strategies used across industries, including potential signs of third-party data sharing. This analysis provides a critical evaluation of how email marketing tactics may intersect with data-sharing practices, with important implications for consumer privacy and regulatory oversight. Our study findings, conducted post-CCPA and GDPR, indicate that while no third-party spam email was detected, internal email marketing practices were pervasive, with companies frequently sending promotional and CRM emails despite opt-out preferences. The framework established in this work is designed to be scalable, allowing for continuous monitoring, and can be extended to include a more diverse set of apps and services for broader analysis, ultimately contributing to improved user perception of data privacy practices.

Social and Information Networks,Cryptography and Security

Aldine do Socorro Corrêa Cruz,Edgar Bisset Alvarez,Luciane Paula Vital

DOI: https://doi.org/10.4108/eetsis.v9i5.2611

2022-08-25

EAI Endorsed Transactions on Scalable Information Systems

Abstract:INTRODUCTION: Web applications and information systems are predominantly constituted as platforms for acquiring data and services over the Internet. Such applications integrate a technological context filled with intelligent devices interactive amongst themselves, connected to the network, hardware, and software, and accessible to the most varied social segments. OBJECTIVES: This article aims to present a digital mechanism based on product marketing for the acquisition of personal data used by a company in the cosmetics industry; to characterize privacy and data protection in view of the regulatory acts prevailing in Brazil; as well as to discuss how such scenarios affect the consumer. METHODS: We performed a bibliographic survey with a qualitative approach to the information collected, and used a digital platform for commercial operation as object to analysis. RESULTS: We confirmed the use of a digital platform, accessible by different electronic devices, to spread commercial content reaching a considerable volume of users, which then propagated it. We verified an indirect relationship of supply of goods through the transfer of identification, communication and location data. We identified users being directed to the Terms of Promotion and User Privacy Policy, as well as different media resources aiding their understanding. CONCLUSION: The customer's vulnerability in consumer relations stands out, something increasingly frequent in digital environments, which enables a directly proportional flow of information between market and consumer. Finally, we observed that Digital Humanities constitute a broad field of research under an extensive methodological domain, due to its interdisciplinary character, for the digital study of cultural phenomena, and promote critical reflection on the effects that computational methods have on society.

Anastasia Kozyreva,Philipp Lorenz-Spreen,Ralph Hertwig,Stephan Lewandowsky,Stefan M. Herzog

DOI: https://doi.org/10.1057/s41599-021-00787-w

2021-05-14

Humanities and Social Sciences Communications

Abstract:Abstract People rely on data-driven AI technologies nearly every time they go online, whether they are shopping, scrolling through news feeds, or looking for entertainment. Yet despite their ubiquity, personalization algorithms and the associated large-scale collection of personal data have largely escaped public scrutiny. Policy makers who wish to introduce regulations that respect people’s attitudes towards privacy and algorithmic personalization on the Internet would greatly benefit from knowing how people perceive personalization and personal data collection. To contribute to an empirical foundation for this knowledge, we surveyed public attitudes towards key aspects of algorithmic personalization and people’s data privacy concerns and behavior using representative online samples in Germany ( N = 1065), Great Britain ( N = 1092), and the United States ( N = 1059). Our findings show that people object to the collection and use of sensitive personal information and to the personalization of political campaigning and, in Germany and Great Britain, to the personalization of news sources. Encouragingly, attitudes are independent of political preferences: People across the political spectrum share the same concerns about their data privacy and show similar levels of acceptance regarding personalized digital services and the use of private data for personalization. We also found an acceptability gap: People are more accepting of personalized services than of the collection of personal data and information required for these services. A large majority of respondents rated, on average, personalized services as more acceptable than the collection of personal information or data. The acceptability gap can be observed at both the aggregate and the individual level. Across countries, between 64% and 75% of respondents showed an acceptability gap. Our findings suggest a need for transparent algorithmic personalization that minimizes use of personal data, respects people’s preferences on personalization, is easy to adjust, and does not extend to political advertising.

English Else

Christine Utz,Sabrina Amft,Martin Degeling,Thorsten Holz,Sascha Fahl,Florian Schaub

DOI: https://doi.org/10.48550/arXiv.2203.11387

2022-10-05

Abstract:Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy. We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.

Human-Computer Interaction

Silvia Puglisi,David Rebollo-Monedero,Jordi Forné,Jordi Forne

DOI: https://doi.org/10.1109/medhocnet.2016.7528432

2016-06-01

Abstract:On today's Web, users trade access to their private data for content and services. Advertising sustains the business model of many websites and applications. Efficient and successful advertising relies on predicting users' actions and tastes to suggest a range of products to buy. It follows that, while surfing the Web users leave traces regarding their identity in the form of activity patterns and unstructured data. We analyse how advertising networks build user footprints and how the suggested advertising reacts to changes in the user behaviour.

Hyunjin Kang,Jeong Kyu Lee,Edmund WJ Lee,Cindy Toh

DOI: https://doi.org/10.2196/48986

2024-03-08

JMIR mhealth and uhealth

Abstract:Background: Contact tracing technology has been adopted in many countries to aid in identifying, evaluating, and handling individuals who have had contact with those infected with COVID-19. Singapore was among the countries that actively implemented the government-led contact tracing program known as TraceTogether. Despite the benefits the contact tracing program could provide to individuals and the community, privacy issues were a significant barrier to individuals' acceptance of the program. Objective: Building on the privacy calculus model, this study investigates how the perceptions of the 2 key groups (ie, government and community members) involved in the digital contact tracing factor into individuals' privacy calculus of digital contact tracing. Methods: Using a mixed method approach, we conducted (1) a 2-wave survey (n=674) and (2) in-depth interviews (n=12) with TraceTogether users in Singapore. Using structural equation modeling, this study investigated how trust in the government and the sense of community exhibited by individuals during the early stage of implementation (time 1) predicted privacy concerns, perceived benefits, and future use intentions, measured after the program was fully implemented (time 2). Expanding on the survey results, this study conducted one-on-one interviews to gain in-depth insights into the privacy considerations involved in digital contact tracing. Results: The results from the survey showed that trust in the government increased perceived benefits while decreasing privacy concerns regarding the use of TraceTogether. Furthermore, individuals who felt a connection to community members by participating in the program (ie, the sense of community) were more inclined to believe in its benefits. The sense of community also played a moderating role in the influence of government trust on perceived benefits. Follow-up in-depth interviews highlighted that having a sense of control over information and transparency in the government's data management were crucial factors in privacy considerations. The interviews also highlighted surveillance as the most prevalent aspect of privacy concerns regarding TraceTogether use. In addition, our findings revealed that trust in the government, particularly the perceived transparency of government actions, was most strongly associated with concerns regarding the secondary use of data. Conclusions: Using a mixed method approach involving a 2-wave survey and in-depth interview data, we expanded our understanding of privacy decisions and the privacy calculus in the context of digital contact tracing. The opposite influences of privacy concerns and perceived benefit on use intention suggest that the privacy calculus in TraceTogether might be viewed as a rational process of weighing between privacy risks and use benefits to make an uptake decision. However, our study demonstrated that existing perceptions toward the provider and the government in the contact tracing context, as well as the perception of the community triggered by TraceTogether use, may bias user appraisals of privacy risks and the benefits of contact tracing.

health care sciences & services,medical informatics

Davide Caputo,Francesco Pagano,Giovanni Bottino,Luca Verderame,Alessio Merlo

DOI: https://doi.org/10.1109/TDSC.2022.3146020

2022-01-30

Abstract:Mobile applications (hereafter, apps) collect a plethora of information regarding the user behavior and his device through third-party analytics libraries. However, the collection and usage of such data raised several privacy concerns, mainly because the end-user - i.e., the actual owner of the data - is out of the loop in this collection process. Also, the existing privacy-enhanced solutions that emerged in the last years follow an "all or nothing" approach, leaving the user the sole option to accept or completely deny the access to privacy-related data. This work has the two-fold objective of assessing the privacy implications on the usage of analytics libraries in mobile apps and proposing a data anonymization methodology that enables a trade-off between the utility and privacy of the collected data and gives the user complete control over the sharing process. To achieve that, we present an empirical privacy assessment on the analytics libraries contained in the 4500 most-used Android apps of the Google Play Store between November 2020 and January 2021. Then, we propose an empowered anonymization methodology, based on MobHide, that gives the end-user complete control over the collection and anonymization process. Finally, we empirically demonstrate the applicability and effectiveness of such anonymization methodology thanks to HideDroid, a fully-fledged anonymization app for the Android ecosystem.

Cryptography and Security

Siti Aqilah Jahari,Ashley Hass,Danielle Hass,Mathew Joseph

DOI: https://doi.org/10.1002/cb.2029

IF: 3.199

2022-02-08

Journal of Consumer Behaviour

Abstract:Digital contact tracing (DCT) applications, as a type of location‐based application, have been employed in many countries to help mitigate the spread of the COVID‐19 virus. However, the emergence of DCTs has amplified concerns over privacy issues as consumers are confronted with the ethical dilemma that arises regarding serving public and private interests. In other words, to what extent are consumers willing to negotiate their privacy concerns to gain perceived social benefits? Drawing on Social Exchange Theory as the theoretical lens to examine interpersonal relations between the government and consumers, this study investigates the extent to which consumers' perceived social benefits (e.g., reciprocity, trust, and reputation) mediate the relationship between privacy concerns and the intention to use DCT applications. Based on 269 usable responses, the results revealed that government trust was insignificant in mediating the relationship between privacy concerns and intention to use the DCT application. Rather, the expected reciprocal benefits and reputation enhancement were found to have significant mediating effects. Perceived government regulation was also found to moderate the relationship between privacy concerns and government trust. The paper concludes with suggestions for practitioners and policymakers on the plausible strategies to encourage the adoption of DCT applications.

business

A. De Carli,M. Franco,A. Gassmann,C. Killer,B. Rodrigues,E. Scheid,D. Schoenbaechler,B. Stiller

DOI: https://doi.org/10.48550/arXiv.2004.08812

2020-04-19

Abstract:For the protection of people and society against harm and health threats -- especially for the COVID-19 pandemic -- a variety of different disciplines needs to be involved. The data collection of very basic and health-related data of individuals in today's highly mobile society does help to plan, protect, and identify next steps health authorities and governments can, shall, or need to plan for or even implement. Thus, every individual, every human, and every inhabitant of the world is the key player -- very different to many past crises'. And since the individual is involved -- all individuals -- his/her (a) health and (b) privacy shall be considered in a very carefully crafted balance, not overruling one aspect with another one or even prioritizing certain aspects. Privacy remains the key. Thus, the solution of the current pandemic's data collection can be based on a fully privacy-preserving application, which can be used by individuals on their mobile devices, such as smartphones, while maintaining at the same time their privacy. Additionally, respective data collected in such a fully distributed setting does help to confine the pandemic and can be achieved in a democratic and very open, but still and especially privacy-protecting world. Therefore, the WeTrace approach and application as described in this paper utilizes the Bluetooth Low Energy (BTE) communication channel, many modern mobile devices offer, where asymmetric cryptography is being applied to allows for the decyphering of a message for that destination it had been intended for. Since literally every other potential participant only listens to random data, even a brute force attack will not succeed. WeTrace and its Open Source implementation is the only known approach so far, which ensures that any receiver of a message knows that this is for him/her, but does not know who the original sender was.

Cryptography and Security

Yun Shen,Pierre-Antoine Vervier,Gianluca Stringhini

DOI: https://doi.org/10.48550/arXiv.2102.12869

2021-02-25

Abstract:Mobile phones enable the collection of a wealth of private information, from unique identifiers (e.g., email addresses), to a user's location, to their text messages. This information can be harvested by apps and sent to third parties, which can use it for a variety of purposes. In this paper we perform the largest study of private information collection (PIC) on Android to date. Leveraging an anonymized dataset collected from the customers of a popular mobile security product, we analyze the flows of sensitive information generated by 2.1M unique apps installed by 17.3M users over a period of 21 months between 2018 and 2019. We find that 87.2% of all devices send private information to at least five different domains, and that actors active in different regions (e.g., Asia compared to Europe) are interested in collecting different types of information. The United States (62% of the total) and China (7% of total flows) are the countries that collect most private information. Our findings raise issues regarding data regulation, and would encourage policymakers to further regulate how private information is used by and shared among the companies and how accountability can be truly guaranteed.

Cryptography and Security

Joydeep Mitra

DOI: https://doi.org/10.48550/arXiv.2207.08978

2022-07-21

Abstract:With the onset of COVID-19, governments worldwide planned to develop and deploy contact tracing (CT) apps to help speed up the contact tracing process. However, experts raised concerns about the long-term privacy and security implications of using these apps. Consequently, several proposals were made to design privacy-preserving CT apps. To this end, Google and Apple developed the Google/Apple Exposure Notification (GAEN) framework to help public health authorities develop privacy-preserving CT apps. In the United States, 26 states used the GAEN framework to develop their CT apps. In this paper, we empirically evaluate the US-based GAEN apps to determine 1) the privileges they have, 2) if the apps comply with their defined privacy policies, and 3) if they contain known vulnerabilities that can be exploited to compromise privacy. The results show that all apps violate their stated privacy policy and contain several known vulnerabilities.

Cryptography and Security,Computers and Society