Similar literature
 20 similar documents found; search took 31 ms
1.
Privacy policies are widely used by online service providers to regulate the use of personal data they collect, but users often skip reading them and are unaware of the way information about them is being treated, and how they can control the ways in which that information is collected, stored or shared. Eye tracking methodology was used to test if a default presentation of a policy encourages reading it, and how the document is being read by users. Results show that when a privacy policy is presented by default, participants tend to read it quite carefully, while when given the option to sign their agreement without reading the policy, most participants skip the policy altogether. Surprisingly, participants who actively choose to read the policy spend significantly less time and effort on reading it than participants in the default condition. Finally, default policy presentation was significantly related to understanding user rights and restrictions on the use of personal data.

2.
Personalized services can provide significant user benefits since they adapt their behavior to better support the user. Personalized services use a variety of data related to the user to decide their behavior. Thus personalized service needs a provisioning system that can collect the data that impacts service behavior and allows selection of the most appropriate service. However, in the coming ubiquitous environment, some data necessary for determining service behavior might be unavailable due to two possible reasons. One is that the data does not exist. The other is that the data exists but cannot be accessed. For example, users do not want to disclose their personal information, and service providers also do not want to expose data related to their know-how in services. This paper describes a new service provisioning system for distributed personalization with private data protection. Specifically, the system selects applicable services by assessing how well each candidate service behaves when some data is missing. It then executes those selected services while hiding the users’ and providers’ private data in a distributed manner. We first summarize the requirements for a personalized service system, and introduce our fundamental policies for the system. The two main components of our system are then described in detail. One component is a service assessment mechanism that can judge if a service can work without data that can be used for adaptation. The second component is a service execution mechanism that can utilize private data while still ensuring privacy. This component divides service logic and executes divided logic where necessary data is available. The paper finally describes our prototype implementation and its performance evaluation results.

3.
RFID and privacy: what consumers really want and fear   Total citations: 1, self-citations: 0, citations by others: 1
This article investigates the conflicting area of user benefits arising through item level radio frequency identification (RFID) tagging and a desire for privacy. It distinguishes between three approaches feasible to address consumer privacy concerns. One is to kill RFID tags at store exits. The second is to lock tags and have users unlock them if they want to initiate reader communication (user model). The third is to let the network access users’ RFID tags while adhering to a privacy protocol (network model). The perception and reactions of future users to these three privacy enhancing technologies (PETs) are compared in the present article and an attempt is made to understand the reasoning behind their preferences. The main conclusion is that users do not trust complex PETs as they are envisioned today. Instead, they prefer to kill RFID chips at store exits even if they appreciate after sales services. Enhancing trust through security and privacy ‘visibility’ as well as PET simplicity may be the road to take for PET engineers in UbiComp.

4.
This work presents our efforts to design an agent based middleware that enables the end-users to use IPTV content recommender services without revealing their sensitive preference data to the service provider or any third party involved in this process. The proposed middleware (called AMPR) preserves users’ privacy when using the recommender service and permits private sharing of data among different users in the network. The proposed solution relies on a distributed multi-agent architecture involving local agents running on the end-user set-top box to implement a two-stage concealment process based on user role in order to conceal the local preference data of end-users when they decide to participate in the recommendation process. Moreover, AMPR allows the end-users to use P3P policies exchange language (APPEL) for specifying their privacy preferences for the data extracted from their profiles, while the recommender service uses platform for privacy preferences (P3P) policies for specifying their data usage practices. AMPR executes the first stage locally at the end user side but the second stage is done at remote nodes that can be donated by multiple non-colluding end users that we will call super-peers Elmisery and Botvich (2011a, b, c); or third parties mash-up service Elmisery A, Botvich (2011a, b). Participants submit their locally obfuscated profiles anonymously to their local super-peer, who collects and mixes these preference data from multiple participants. The super-peer invokes AMPR to perform a global perturbation process on the aggregated preference data to ensure a complete concealment of user’s profiles. Then, it anonymously submits these aggregated profiles to a third party content recommender service to generate referrals without breaching participants’ privacy. In this paper, we also provide an IPTV network scenario and experimentation results. Our results and analysis show that our two-stage concealment process not only protects the users’ privacy, but also can maintain the recommendation accuracy.

5.
Much interest in privacy and trust studies is about shopping, but privacy research in other forms of online activities is beginning to emerge. This study examined the antecedents of privacy, trust and risk as well as their joint effect on two similar but fundamentally different activities: online transactions and retrieval of privileged information. Both activities involve the delivery of private user information, but the latter gives some leeway for users to control (or even falsify) their true identity. User shopping experience in the present study moderated the relationships and strengths of constructs. The effect of Internet literacy, social awareness and disposition to trust on privacy concern and trust was weaker for experienced shoppers. Privacy concern, trust and risk assessment played a lesser role on the two activity variables for those who were more experienced. Perceived privacy risk stood out as a strong antecedent for respondents in both experience groups, but the effect of Internet literacy, social awareness and disposition on trust was statistically insignificant for the same group. Further practical and managerial implications are provided.

6.
The evolution of the role of online social networks in the Web has led to a collision between private, public and commercial spheres that have been inevitably connected together in social networking services since their beginning. The growing awareness on the opaque data management operated by many providers reveals that a privacy-aware service that protects user information from privacy leaks would be very attractive for a consistent portion of users. In order to meet this need we propose LotusNet, a framework for the development of social network services relying on a peer-to-peer paradigm which supports strong user authentication. We tackle the trade-off problem between security, privacy and services in distributed social networks by providing the users the possibility to tune their privacy settings through a very flexible and fine-grained access control system. Moreover, our architecture is provided with a powerful suite of high-level services that greatly facilitates custom application development and mash up.

7.
Privacy is a major concern when users query public online data services. The privacy of millions of people has been jeopardized in numerous user data leakage incidents in many popular online applications. To address the critical problem of personal data leakage through queries, we enable private querying on public data services so that the contents of user queries and any user data are hidden and therefore not revealed to the online service providers. We propose two protocols for private processing of database queries, namely BHE and HHE. The two protocols provide strong query privacy by using Paillier’s homomorphic encryption, and support common database queries such as range and join queries by relying on the bucketization of public data. In contrast to traditional Private Information Retrieval proposals, BHE and HHE only incur one round of client server communication for processing a single query. BHE is a basic private query processing protocol that provides complete query privacy but still incurs expensive computation and communication costs. Built upon BHE, HHE is a hybrid protocol that applies ciphertext computation and communication on a subset of the data, such that this subset not only covers the actual requested data but also resembles some frequent query patterns of common users, thus achieving practical query performance while ensuring adequate privacy levels. By using frequent query patterns and data specific privacy protection, HHE is not vulnerable to the traditional attacks on k-Anonymity that exploit data similarity and skewness. Moreover, HHE consistently protects user query privacy for a sequence of queries in a single query session.

8.
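In a pervasive computing environment, a user who wants to obtain a service must provide certain authentication information to the corresponding service provider, and this authentication information often contains private information that the user does not want leaked. To protect this private information, this paper proposes a rough-set-based privacy protection strategy for the authentication process: the user expands the authentication information into a rough set and provides it to the service provider; the service provider extracts the user's real authentication information from the rough set according to the policy and authenticates the user's request. The strategy makes full use of the uncertainty of rough sets and can effectively prevent the leakage of user privacy.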

9.
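A cloud user security model based on trusted computing   Total citations: 1, self-citations: 0, citations by others: 1
With the development of cloud computing, its security problems cannot be ignored. To address the data security and identity privacy problems faced by cloud users, a cloud user security model based on trusted computing is proposed. The security model is underpinned by trusted computing technology. In addition to adopting traditional security policies, it proposes establishing private virtual machines that give users a private execution space and prevent other malicious users or administrators from accessing the virtual machine. It also gives a method for anonymizing user information, which ensures the confidentiality of user identity information when high-security-level users request or change services, prevents service providers from maliciously using or leaking user information, and provides users with a secure operating environment.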

10.
Location-based services (LBS) can present the optimal information and services to users based on their locations. This will improve their experience. However, this may also arouse users’ privacy concern and increase their perceived privacy risk. From both perspectives of flow experience and perceived risk, this research examined user adoption of LBS. We conducted data analysis with structural equation modeling. The results indicated that contextual offering affects trust and flow, whereas privacy concern affects trust and perceived risk. Trust, flow and perceived risk affect the usage intention. Among them, flow has a relatively larger effect.

11.
Decentralized Online Social Networks (DOSNs) have recently captured the interest of users because of the more control given to them over their shared contents. Indeed, most of the user privacy issues related to the centralized Online Social Network (OSN) services (such as Facebook or Google+) do not apply in the case of DOSNs because of the absence of the centralized service provider. However, these new architectures have motivated researchers to investigate new privacy solutions that allow DOSN’s users to protect their contents by taking into account the decentralized nature of the DOSNs platform. In this survey, we provide a comprehensive overview of the privacy solutions adopted by currently available DOSNs, and we compare them by exploiting several criteria. After presenting the differences that existing DOSNs present in terms of provided services and architecture, we identify, for each of them, the privacy model used to define the privacy policies and the mechanisms for their management (i.e., initialization and modification of the privacy policy). In addition, we evaluate the overhead introduced by the security mechanisms adopted for privacy policy management and enforcement by discussing their advantages and drawbacks.

12.
In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users' data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users' privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). The performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.

13.
Trust is fundamental for promoting the use of online services, such as e‐commerce or e‐health. Understanding how users perceive trust online is a precondition to create trustworthy marketplaces. In this article, we present a domain‐independent general trust perception model that helps us to understand how users make online trust decisions and how we can help them in making the right decisions, which minimize future regret. We also present the results of a user study describing the weight that different factors in the model (e.g., security, look&feel, and privacy) have on perceived trust. The study identifies the existence of a positive correlation between the user's knowledge and the importance placed on factors such as security and privacy. This indicates that the impact factors such as security and privacy have on perceived trust is higher in users with higher knowledge.

14.
Recent reports show that although users of large online social networks (such as Facebook) score low in terms of satisfaction, they manage to retain, or even increase, their user base. This study sheds an exploratory light on the reuse behaviour of online social network services (SNS). Specifically, we investigate the moderating effects of self-image congruity and trust on the relationship between satisfaction and continuance to use online SNS. To capture post-adoption behaviour of SNS users, we employ the expectation–confirmation model as a core structure for our theoretical model. The model is empirically tested using survey data collected from 288 Facebook users. Results reveal a possible trend suggesting that users perceiving a high match of the SNS with their self-image will be more loyal even if they experience low satisfaction levels. The same trend has been extracted for trust and its moderating effect on the relationship between satisfaction and usage continuance intention. This paper concludes with a discussion on the theoretical and practical implications of our findings.

15.
With the advent of mobile technology, a new class of applications, called participatory sensing (PS), is emerging, with which the ubiquity of mobile devices is exploited to collect data at scale. However, privacy and trust are the two significant barriers to the success of any PS system. First, the participants may not want to associate themselves with the collected data. Second, the validity of the contributed data is not verified, since the intention of the participants is not always clear. In this paper, we formally define the problem of privacy and trust in PS systems and examine its challenges. We propose a trustworthy privacy-aware framework for PS systems dubbed TAPAS, which enables the participation of the users without compromising their privacy while improving the trustworthiness of the collected data. Our experimental evaluations verify the applicability of our proposed approaches and demonstrate their efficiency.

16.
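Composite services in the cloud computing application layer have evolutionary properties; as a result, during service composition, users' private data may be exposed because of the evolution of services or service processes. Based on the characteristics of service evolution and founded on description logic, a privacy protection method for evolution at the cloud computing application layer is proposed. Privacy agreements are described formally; service evolution is monitored according to its evolutionary characteristics to ensure that users' privacy requirements are satisfied; and a case study is used to demonstrate the correctness and feasibility of the method.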

17.
The aim of this research is to study the content of trustful and distrustful user experiences on the web to identify website characteristics that enhance trust or cause distrust. We collected users’ reports about critical incidents and quantitative questionnaire data by means of an online survey. Results from N = 221 participants suggest that distrust is mostly an effect of graphical (e.g., complex layout) and structural (e.g., pop-ups) design issues of a website, whereas trust is based on social factors such as reviews or recommendations by friends. The content of a website affects both trust and distrust: privacy issues had an effect on distrust and security signs enhanced trust. Furthermore, we show how trustful and distrustful user experiences differ in terms of perceived honesty, competence, and benevolence. High honesty and competence characterize a trustful experience, whereas a distrustful experience is associated with missing honesty and missing benevolence. We discuss how different website characteristics help to enhance trust or to prevent distrust and how this impacts the allocation of design resources.

18.
The use of social networking services (SNSs) such as Facebook has explosively grown in the last few years. Users see these SNSs as useful tools to find friends and interact with them. Moreover, SNSs allow their users to share photos, videos, and express their thoughts and feelings. However, users are usually concerned about their privacy when using SNSs. This is because the public image of a subject can be affected by photos or comments posted on a social network. In this way, recent studies demonstrate that users are demanding better mechanisms to protect their privacy. An appropriate approximation to solve this could be a privacy assistant software agent that automatically suggests a privacy policy for any item to be shared on a SNS. The first step for developing such an agent is to be able to elicit meaningful information that can lead to accurate privacy policy predictions. In particular, the information needed is user communities and the strength of users’ relationships, which, as suggested by recent empirical evidence, are the most important factors that drive disclosure in SNSs. Given the number of friends that users can have and the number of communities they may be involved in, it is infeasible that users are able to provide this information without the whole eliciting process becoming confusing and time consuming. In this work, we present a tool called Best Friend Forever (BFF) that automatically classifies the friends of a user in communities and assigns a value to the strength of the relationship ties to each one. We also present an experimental evaluation involving 38 subjects that showed that BFF can significantly alleviate the burden of eliciting communities and relationship strength.

19.
During our digital social life, we share terabytes of information that can potentially reveal private facts and personality traits to unexpected strangers. Despite the research efforts aiming at providing efficient solutions for the anonymization of huge databases (including networked data), in online social networks the most powerful privacy protection “weapons” are the users themselves. However, most users are not aware of the risks derived by the indiscriminate disclosure of their personal data. Moreover, even when social networking platforms allow their participants to control the privacy level of every published item, adopting a correct privacy policy is often an annoying and frustrating task and many users prefer to adopt simple but extreme strategies such as “visible-to-all” (exposing themselves to the highest risk), or “hidden-to-all” (wasting the positive social and economic potential of social networking websites). In this paper we propose a theoretical framework to i) measure the privacy risk of the users and alert them whenever their privacy is compromised and ii) help the users customize semi-automatically their privacy settings by limiting the number of manual operations. By investigating the relationship between the privacy measure and privacy preferences of real Facebook users, we show the effectiveness of our framework.

20.
Cloud storage services enable users to remotely access data in a cloud anytime and anywhere, using any device, in a pay-as-you-go manner. Moving data into a cloud offers great convenience to users since they do not have to care about the large capital investment in both the deployment and management of the hardware infrastructures. However, allowing a cloud service provider (CSP), whose purpose is mainly for making a profit, to take the custody of sensitive data, raises underlying security and privacy issues. To keep user data confidential against an untrusted CSP, a natural way is to apply cryptographic approaches, by disclosing the data decryption key only to authorized users. However, when a user wants to retrieve files containing certain keywords using a thin client, the adopted encryption system should not only support keyword searching over encrypted data, but also provide high performance. In this paper, we investigate the characteristics of cloud storage services and propose a secure and privacy preserving keyword searching (SPKS) scheme, which allows the CSP to participate in the decipherment, and to return only files containing certain keywords specified by the users, so as to reduce both the computational and communication overhead in decryption for users, on the condition of preserving user data privacy and user querying privacy. Performance analysis shows that the SPKS scheme is applicable to a cloud environment.
