Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Christopher G. Bradley

DOI: https://doi.org/10.2139/ssrn.4408244

2023-01-01

SSRN Electronic Journal

Abstract:Despite being subjected to decades of sharp criticism, privacy policies published by companies remain a linchpin of privacy regulation. Representations in these policies provide the main measure against which consumer privacy can be judged. Policies are rarely read by consumers and are most often interpreted by decision makers within companies who have to determine if a proposed course of action is consistent with stated policies as well as underlying privacy law. The degree to which policies provide constraint will rely on whether the policies are sufficiently clear that even a company-friendly reading requires a consumer-data-protective course of action.Experimental evidence on the interpretation of privacy policies provides no grounds for encouragement about such constraint, because it suggests that policies are often so ambiguous that neither laypeople nor experts can consistently interpret them. This Article supports those experimental findings with real-world evidence. It draws on a data set of court filings of experts appointed to consider the legality of transfers of consumers’ private data. The study finds that even independent, court appointed experts rely on interpretive practices that are unreliable and inconsistent. It reveals divergences concerning what even relatively common, standard privacy policy provisions actually mean, in relatively common situations, such as the attempt to sell data as part of a reorganization or liquidation. This suggests that privacy regulation should not rely too heavily on the language of privacy policies unless greater consensus can be reached. The Article then proposes to put the interpretation of privacy policies on more sound footing. It explores two primary approaches. Privacy policies could be subjected to more certain meaning through a turn to standardization, where policies are communicated by reference to interpretive principles laid out by regulation or by understanding grounded in empirical research on the meaning of the various terms. Alternatively, privacy policies could be subjected to a set of interpretive principles that would provide a more certain basis for interpretation and also encourage drafters of policies to state themselves more clearly.

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.2005.08967

2020-05-18

Abstract:The new information and communication technology providers collect increasing amounts of personal data, a lot of which is user generated. Unless use policies are privacy-friendly, this leaves users vulnerable to privacy risks such as exposure through public data visibility or intrusive commercialisation of their data through secondary data use. Due to complex privacy policies, many users of online services unwillingly agree to privacy-intruding practices. To give users more control over their privacy, scholars and regulators have pushed for short, simple, and prominent privacy policies. The premise has been that users will see and comprehend such policies, and then rationally adjust their disclosure behaviour. In this paper, on a use case of social network service site, we show that this premise does not hold. We invited 214 regular Facebook users to join a new fictitious social network. We experimentally manipulated the privacy-friendliness of an unavoidable and simple privacy policy. Half of our participants miscomprehended even this transparent privacy policy. When privacy threats of secondary data use were present, users remembered the policies as more privacy-friendly than they actually were and unwittingly uploaded more data. To mitigate such behavioural pitfalls we present design recommendations to improve the quality of informed consent.

Computers and Society

Tao Fu

DOI: https://doi.org/10.1177/1742766519846644

2019-05-27

Global Media and Communication

Abstract:By examining the privacy policies of leading Chinese Internet and information service providers (IISPs), this study found their privacy policies to be generally compliant with China’s personal information protection provisions. These IISPs use proper mechanisms showing their commitment, measures and enforcement to data security, but their Fair Information Practices need improvement. Personal information protection in China is severe. Privacy policies offer more ‘notice’ than they do ‘choice’. Chinese IISPs collect and use information extensively in the guise of providing value to users, but have given insufficient consideration to transborder data flows and change of ownership. Societal and technological mechanisms have not been widely sought.

Jana Korunovska,Bernadette Kamleitner,Sarah Spiekermann

DOI: https://doi.org/10.48550/arXiv.1911.09386

IF: 6.4588

2019-11-21

Human-Computer Interaction

Abstract:Users disclose ever-increasing amounts of personal data on Social Network Service platforms (SNS). Unless SNSs' policies are privacy friendly, this leaves them vulnerable to privacy risks because they ignore the privacy policies. Designers and regulators have pushed for shorter, simpler and more prominent privacy policies, however the evidence that transparent policies increase informed consent is lacking. To answer this question, we conducted an online experiment with 214 regular Facebook users asked to join a fictitious SNS. We experimentally manipulated the privacy-friendliness of SNS's policy and varied threats of secondary data use and data visibility. Half of our participants incorrectly recalled even the most formally "perfect" and easy-to-read privacy policies. Mostly, users recalled policies as more privacy friendly than they were. Moreover, participants self-censored their disclosures when aware that visibility threats were present, but were less sensitive to threats of secondary data use. We present design recommendations to increase informed consent.

Parvaneh Shayegh,Vijayanta Jain,Amin Rabinia,Sepideh Ghanavati

DOI: https://doi.org/10.48550/arXiv.1910.04133

2019-10-06

Abstract:The massive growth of the Internet of Things (IoT) as a network of interconnected entities [18], brings up new challenges in terms of privacy and security requirements to the traditional software engineering domain [4]. To protect the individuals' privacy, the FTC's Fair Information Practice Principles (FIPPs) [6] proposes to companies to give notice to the consumer about their data practices, provide them with choices and give them means to have control over their own data.. Using privacy policy is the most common way for this type of notices. However, privacy policies are not generally effective due to two main reasons: first, privacy policies are long and full of legal jargon which are not understandable by a normal user; second, it is not guaranteed that an IoT device behave as it is explained in its privacy policy. In this technical report, we propose and discuss our methodologies to analyze privacy policies. By the help of this analysis, we reduce the length of a privacy policy and make it organized based on privacy practices to improve understanding level for the user. We also come up with a method to find the inconsistencies between IoT devices and their privacy policies.

Cryptography and Security

Yu Tao,Wendy Hui Wang

DOI: https://doi.org/10.1080/1369118X.2023.2166361

2023-01-14

Information, Communication and Society

Abstract:With the wide use of social media and other online services, people are getting more concerned about online privacy. Social media platforms and other online companies are collecting users' information for various purposes, including targeted advertising. While these data are anonymous, it is possible to identify people through publicly available information and machine learning algorithms. Members of some groups are more vulnerable to such privacy attacks and more likely to be identified. This raises a concern regarding the fair or equitable protection of online privacy, or the protection of all online users' instead of most users' private information. This research addresses this relatively new topic from the sociological perspective and focuses on fair privacy protection in online datasets. Questionnaire data show that college students rate the current privacy protection in online datasets low, but they have great support for general privacy protection and greater support for fair privacy protection. Factors that affect their support for general and fair privacy protection include prior cautious online behavior and how essential they rate company practice and government policies that ensure fair privacy. When they perceive a lack of fair privacy in online datasets, most of them would reduce or stop using certain online services. Factors affecting such reactions include prior cautious online behavior, hours on social media, the perception of being included in online datasets, and perceived importance of fair privacy policies. The findings highlight the pivotal role of institutional privacy measures, namely fair privacy company practice and government policies, especially the latter.

Bailing Liu,Paul A. Pavlou,Xiufeng Cheng

DOI: https://doi.org/10.1287/isre.2021.1045

IF: 4.9

2022-03-01

Information Systems Research

Abstract:Companies face a trade-off between creating stronger privacy protection policies for consumers and employing more sophisticated data collection methods. Justice-driven privacy protection outlines a method to manage this trade-off. We built on the theoretical lens of justice theory to integrate justice provision with two key privacy protection features, negotiation and active-recommendation, and proposed an information technology (IT) solution to balance the trade-off between privacy protection and consumer data collection. In the context of mobile banking applications, we prototyped a theory-driven IT solution, referred to as negotiation, active-recommendation privacy policy application, which enables customer service agents to interact with and actively recommend personalized privacy policies to consumers. We benchmarked our solution through a field experiment relative to two conventional applications: an online privacy statement and a privacy policy with only a simple negotiation feature. The results showed that the proposed IT solution improved consumers’ perceived procedural justice, interactive justice, and distributive justice and increased their psychological comfort in using our application design and in turn reduced their privacy concerns, enhanced their privacy awareness, and increased their information disclosure intentions and actual disclosure behavior in practice. Our proposed design can provide consumers better privacy protection while ensuring that consumers voluntarily disclose personal information desirable for companies.

information science & library science,management

Xinjie Lin,Han Liu,Zhen Li,Gang Xiong,Gaopeng Gou

DOI: https://doi.org/10.1016/j.cose.2022.102606

IF: 5.105

2022-01-01

Computers & Security

Abstract:In the booming development of China's digital economy, the privacy and security issues of personal data in website applications are vital important. Websites need to implement basic personal information protection measures according to China's existing statutory requirements for privacy protection, such as disclosing personal information protection policies. However, there still is possibility to leak personal information although the sites adopt the self-regulation way. In this study, we first propose the measurement study of popular websites in China combining strategy analysis and web verification, in hope of providing countermeasures for the development of the personal information protection legal system in China. The study is achieved by analysing a collection of 199,060 network behaviours from 663 websites spanning half a year, studying the consistency between behaviour and policy in websites and conducting a systematic analysis of the privacy policies disclosed on all websites. The findings are multi-fold, 67.6% of popular websites in China have publicly disclosed their privacy policies and all compliance requirements have reached more than 60%, while less than 5% of websites have clearly disclosed and strictly followed the policy statement on third-party sharing and cookie retention. Overall, we conclude that the website has a moderate level of transparency under the existing legal conditions, but there is still a lack of functional and usable mechanisms and regulations for users to consent to or deny processing of their personal data on the Internet. To this end, we analyse the measurement results and put forward appropriate recommendations for the website owners, legal institutions and regulatory authorities. (C) 2022 Elsevier Ltd. All rights reserved.

Xiang Gong,Kem Z.K. Zhang,Chongyang Chen,Christy M.K. Cheung,Matthew K.O. Lee

DOI: https://doi.org/10.1108/itp-03-2018-0132

2019-11-05

Information Technology and People

Abstract:Purpose Drawing on the control agency theory and the network effect theory, the purpose of this paper is to examine the effect of privacy assurance approaches, network externality and technology complementarity on consumers’ self-disclosure in mobile payment (MP) applications. The authors identify four types of privacy assurance approaches: perceived effectiveness of privacy setting, perceived effectiveness of privacy policy, perceived effectiveness of industry self-regulation and perceived effectiveness of government legislation. The research model considers how these privacy assurance approaches influence privacy concerns and consumers’ self-disclosure in MP applications under boundary conditions of network externality and technology complementarity. Design/methodology/approach An online survey with 647 sample users was conducted to empirically validate the model. The target respondents were current consumers of a popular MP application. The empirical data were analyzed by a structural equation modeling approach. Findings The empirical results reveal several major findings. First, privacy assurance approaches can effectively decrease privacy concerns, which ultimately formulates consumers’ self-disclosure in MP applications. Second, network externality and technology complementarity weaken the effect of perceived effectiveness of privacy setting on privacy concerns. Third, network externality and technology complementarity strengthen the relationship between perceived effectiveness of government legislation and privacy concerns, while they have non-significant interaction effect with perceived effectiveness of privacy policy and industry self-regulation on privacy concerns. Practical implications MP providers and stakeholders can harness the efficacy of privacy assurance approaches in alleviating privacy concerns and promoting consumers’ self-disclosure in MP applications. Originality/value The authors’ work contributes to the information privacy literature by identifying effective privacy assurance approaches in promoting consumers’ self-disclosure in MP applications, and by highlighting boundary conditions of these privacy assurance approaches.

Priscilla Regan

DOI: https://doi.org/10.1111/1468-5973.1101003

2003-03-01

Journal of Contingencies and Crisis Management

Abstract:In the online and offline worlds, the value of personal information – especially information about commercial purchases and preferences – has long been recognised. Exchanges and uses of personal information have also long sparked concerns about privacy. Public opinion surveys consistently indicate that overwhelming majorities of the American public are concerned that they have lost all control over information about themselves and do not trust organisations to protect the privacy of their information. Somewhat smaller majorities favour federal legislation to protect privacy. Despite public support for stronger privacy protection, the prevailing policy stance for over thirty years has been one of reluctance to legislate and a preference for self‐regulation by business to protect privacy. Although some privacy legislation has been adopted, policy debates about the commercial uses of personal information have been dominated largely by business concerns about intrusive government regulation, free speech and the flow of commercial information, costs, and effectiveness. Public concerns about privacy, reflected in public opinion surveys and voiced by a number of public interest groups, are often discredited because individuals seem to behave as though privacy is not important. Although people express concern about privacy, they routinely disclose personal information because of convenience, discounts and other incentives, or a lack of understanding of the consequences. This disconnect between public opinion and public behaviour has been interpreted to support a self‐regulatory approach to privacy protections with emphasis on giving individuals notice and choice about information practices. In theory the self‐regulatory approach also entails some enforcement mechanism to ensure that organisations are doing what they claim, and a redress mechanism by which individuals can seek compensation if they are wronged. This article analyses the course of policy formulation over the last twenty years with particular attention on how policymakers and stakeholders have used public opinion about the commercial use of personal information in formulating policy to protect privacy. The article considers policy activities in both Congress and the Federal Trade Commission that have resulted in an emphasis on “notice and consent.” The article concludes that both individual behaviour and organisational behaviour are skewed in a privacy invasive direction. People are less likely to make choices to protect their privacy unless these choices are relatively easy, obvious, and low cost. If a privacy protection choice entails additional steps, most rational people will not take those steps. This appears logically to be true and to be supported by behaviour in the physical world. Organisations are unlikely to act unilaterally to make their practices less privacy invasive because such actions will impose costs on them that are not imposed on their competitors. Overall then, the privacy level available is less than what the norms of society and the stated preferences of people require. A consent scheme that is most protective of privacy imposes the largest burden on the individual, as well as costs to the individual, while a consent scheme that is least protective of privacy imposes the least burden on the individual, as well as fewer costs to the individual. Recent experience with privacy notices that resulted from the financial privacy provisions in Gramm‐Leach‐Bliley supports this conclusion. Finally, the article will consider whether the terrorist attacks of 11 September have changed public opinion about privacy and what the policy implications of any changes in public opinion are likely to be.

management

Xinjie Lin,Han Liu,Zhen Li,Gang Xiong,Gaopeng Gou

DOI: https://doi.org/10.1016/j.cose.2022.102606

2022-03-01

Abstract:In the booming development of China’s digital economy, the privacy and security issues of personal data in website applications are vital important. Websites need to implement basic personal information protection measures according to China’s existing statutory requirements for privacy protection, such as disclosing personal information protection policies. However, there still is possibility to leak personal information although the sites adopt the self-regulation way. In this study, we first propose the measurement study of popular websites in China combining strategy analysis and web verification, in hope of providing countermeasures for the development of the personal information protection legal system in China. The study is achieved by analysing a collection of 199,060 network behaviours from 663 websites spanning half a year, studying the consistency between behaviour and policy in websites and conducting a systematic analysis of the privacy policies disclosed on all websites. The findings are multi-fold, 67.6% of popular websites in China have publicly disclosed their privacy policies and all compliance requirements have reached more than 60%, while less than 5% of websites have clearly disclosed and strictly followed the policy statement on third-party sharing and cookie retention. Overall, we conclude that the website has a moderate level of transparency under the existing legal conditions, but there is still a lack of functional and usable mechanisms and regulations for users to consent to or deny processing of their personal data on the Internet. To this end, we analyse the measurement results and put forward appropriate recommendations for the website owners, legal institutions and regulatory authorities.

computer science, information systems

Richmond Y. Wong,Andrew Chong,R. Cooper Aspegren

DOI: https://doi.org/10.1145/3579515

2023-04-14

Proceedings of the ACM on Human-Computer Interaction

Abstract:Power exercised by large technology companies has led to concerns over privacy and data protection, evidenced by the passage of legislation including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While much privacy research has focused on how users perceive privacy and interact with companies, we focus on how privacy legislation is discussed among a different set of relationships-those between companies and investors. This paper investigates how companies translate the GDPR and CCPA into business risks in documents created for investors. We conduct a qualitative document analysis of annual regulatory filings (Form 10-K) from nine major technology companies. We outline five ways that technology companies consider GDPR and CCPA as business risks, describing both direct and indirect ways that the legislation may affect their businesses. We highlight how these findings are relevant for the broader CSCW and privacy research communities in research, design, and practice. Creating meaningful privacy changes within existing institutional structures requires some understanding of the dynamics of these companies' decision-making processes and the role of capital.

Rex Chen,Fei Fang,Thomas Norton,Aleecia M. McDonald,Norman Sadeh

DOI: https://doi.org/10.1145/3463676.3485

2021-09-28

Abstract:Vagueness and ambiguity in privacy policies threaten the ability of consumers to make informed choices about how businesses collect, use, and share their personal information. The California Consumer Privacy Act (CCPA) of 2018 was intended to provide Californian consumers with more control by mandating that businesses (1) clearly disclose their data practices and (2) provide choices for consumers to opt out of specific data practices. In this work, we explore to what extent CCPA's disclosure requirements, as implemented in actual privacy policies, can help consumers to answer questions about the data practices of businesses. First, we analyzed 95 privacy policies from popular websites; our findings showed that there is considerable variance in how businesses interpret CCPA's definitions. Then, our user survey of 364 Californian consumers showed that this variance affects the ability of users to understand the data practices of businesses. Our results suggest that CCPA's mandates for privacy disclosures, as currently implemented, have not yet yielded the level of clarity they were designed to deliver, due to both vagueness and ambiguity in CCPA itself as well as potential non-compliance by businesses in their privacy policies.

Computers and Society

Hui Na Chua,Anthony Herbland,Siew Fan Wong,Younghoon Chang

DOI: https://doi.org/10.1016/j.tele.2017.01.008

IF: 9.14

2017-07-01

Telematics and Informatics

Abstract:This study examines how organizations in Malaysia frame their privacy policy notice to comply with the Personal Data Protection Act (PDPA, 2010) and if these organizations differ in their level of compliance and the readability of their privacy notices. We collected the online privacy polices of 306 organizations from 12 sectors to assess their readability and compliance with PDPA requirements. The results show that private-owned organizations have higher compliance level compared to public-owned organizations. Sectors that hold more personal sensitive data obtain higher compliance scores. Non-governmental organizations demonstrate higher compliance level compared to government-owned organizations. Despite differences in the compliance scores, most organizations fail to meet the requirements of the PDPA. Our study also reveals that readability has a negative correlation with the compliance score because simple and shorter version of the privacy policies often lack detailed information. Our findings provide valuable insights into organizations’ privacy policy compliance across different sectors in Malaysia. Specifically, the Malaysian authority should implement more effective mechanisms to enforce the compliance of the PDPA. Organizations should also take corrective actions to improve the compliance scores of their online privacy policies.

information science & library science

Yannic Meier,Johanna Schäwel,Nicole C. Krämer

DOI: https://doi.org/10.17645/mac.v8i2.2846

IF: 3.043

2020-06-23

Media and Communication

Abstract:Privacy policies provide Internet users with the possibility to inform themselves about websites’ usage of their disclosed personal data. Strikingly, however, most people tend not to read privacy policies because they are long and cumbersome, indicating that people do not wish to expend much (cognitive) effort on reading such policies. The present study aimed to examine whether shorter privacy policies can be beneficial in informing users about a social networking site’s (SNS) privacy practices, and to investigate associations between variables relevant for privacy decision-making using one theory-based integrative model. In an online experiment, participants ( N = 305) were asked to create a personal account on an SNS after being given the option to read the privacy policy. Privacy policy length and the SNS’s level of privacy were varied, creating a 2 (policy length) x 2 (level of privacy) between-subjects design. The results revealed that participants who saw short policies spent less time on reading but gained higher knowledge about the SNS’s privacy practices—due to the fact that they spent more reading time per word. Factual privacy policy knowledge was found to be an indicator for participants’ subjective privacy perception. The perception and evaluation of the specific SNS ́s privacy level influenced the assessment of privacy costs and benefits. Particularly when benefits were perceived as high, self-disclosure was increased.

communication

Ding Wu,Chao Min,Zhijie Li,Yuejun Wang

DOI: https://doi.org/10.1016/j.dss.2023.113961

IF: 6.969

2023-01-01

Decision Support Systems

Abstract:Internet users frequently encounter diverse data requests, and their privacy disclosure decisions have attracted massive practical and scholarly attention. Nevertheless, how the accumulation of users' disclosure-related ex-periences influences their future privacy disclosure decisions is still under-explored. In this paper, we theoreti-cally derive and examine the impacts of two types of disclosure-related experiences-privacy disclosure and privacy invasion experiences. These experiences respectively represent user experiences in the participation and feedback stages of privacy disclosure events. We draw on the systematic-heuristic model of information pro-cessing and the privacy calculus model to raise the core speculation that users' disclosure-related experiences exert multiple forms of effects on their privacy disclosure decisions through multiple theoretical routes (i.e., polymorphic experience effects). To test this speculation, we conducted two online survey studies (N = 485, N = 324) and yielded three major findings: (1) users' privacy disclosure experiences can promote their information disclosure intentions through direct and mediation routes (i.e., habituation effects); (2) users' privacy invasion experiences can deter their information disclosure intentions through mediation and moderation routes, yet the latter varied across the investigated contexts (i.e., vigilance effects); (3) the moderating role of privacy disclosure experiences and the directly influencing role of privacy invasion experiences were largely insignificant. Our research reveals the polymorphic impacts of disclosure-related experiences on Internet users' privacy disclosure decisions and lays the foundation for future theoretical and practical work.

Lu Yu,He Li,Wu He,Feng-Kwei Wang,Shiqiao Jiao

DOI: https://doi.org/10.1016/j.ijinfomgt.2019.09.011

IF: 18.958

2020-04-01

International Journal of Information Management

Abstract:Based on the Elaboration Likelihood Model (ELM), this study identifies the differences between perceived privacy risks and privacy concern. Furthermore, the study analyses how perceived privacy risks and privacy concerns affect the disclosure intention and the actual information disclosure behavior of Internet users. In addition, the study discusses the moderating effects of platform types, from the perspective of privacy elaboration likelihood. By applying meta-analyses and SEM on 104 independent studies with 42,256 samples from existing empirical studies, we attempt to systematically reveal the relationship between privacy cognition and information disclosure. The results show that perceived privacy risks can significantly reduce personal information disclosure intention, as well as actual information disclosure behavior. However, privacy concerns only affect disclosure intention, but do not have a significant effect on actual information disclosure behavior. The study also verified that platform types have moderating effects on the privacy decision making of Internet users. The findings yield important and useful implications, both for research and for practice.

information science & library science

FangBing Zhu,Zongyu Song

DOI: https://doi.org/10.1177/21582440211067529

IF: 2.032

2022-01-01

SAGE Open

Abstract:Big data has an important impact on people’s production and life. The existing legal and judicial protection, sanctions, and mechanisms for the enforcement of information rights have proved insufficient to stem the serious consequences of rampant leakage and illegal activity. Based on Information Full Life Cycle Theory, this article combines qualitative analysis with quantitative analysis, uses data from the Survey Report on App Personal Information Leakage released by China Consumers Association as an example, and finds that illegal access, illegal provisions, and illegal transactions have become important sources of personal information leakage. The main reasons for this problem include limitations of the technologies used, the falsification of informed consent, the lag of legislative protections, and a lack of administrative supervision. Systematic regulation of the right to protect personal information should include a variety of initiatives. First, it should be used to identify who to protect and how to protect them. Second, there needs to be a shift from identifiable subject regulations to risk control. Third, legislation needs to be comprehensive, entailing a shift from fragmented to systemic reforms. Fourth, protection efforts should include supervision, self-regulation, and management. Finally, the jurisdiction of legislation should extend across cyberspace and physical reality as a means to achieve a balance between effective protection and the reasonable use of personal information.

social sciences, interdisciplinary

Ryan Amos,Gunes Acar,Eli Lucherini,Mihir Kshirsagar,Arvind Narayanan,Jonathan Mayer

DOI: https://doi.org/10.1145/3442381.3450048

2021-07-21

Abstract:Automated analysis of privacy policies has proved a fruitful research direction, with developments such as automated policy summarization, question answering systems, and compliance detection. Prior research has been limited to analysis of privacy policies from a single point in time or from short spans of time, as researchers did not have access to a large-scale, longitudinal, curated dataset. To address this gap, we developed a crawler that discovers, downloads, and extracts archived privacy policies from the Internet Archive's Wayback Machine. Using the crawler and following a series of validation and quality control steps, we curated a dataset of 1,071,488 English language privacy policies, spanning over two decades and over 130,000 distinct websites. Our analyses of the data paint a troubling picture of the transparency and accessibility of privacy policies. By comparing the occurrence of tracking-related terminology in our dataset to prior web privacy measurements, we find that privacy policies have consistently failed to disclose the presence of common tracking technologies and third parties. We also find that over the last twenty years privacy policies have become even more difficult to read, doubling in length and increasing a full grade in the median reading level. Our data indicate that self-regulation for first-party websites has stagnated, while self-regulation for third parties has increased but is dominated by online advertising trade associations. Finally, we contribute to the literature on privacy regulation by demonstrating the historic impact of the GDPR on privacy policies.

Computers and Society