Privacy Languages: Are we there yet to enable user controls?

Jun Zhao, Reuben Binns, Max Van Kleek and Nigel Shadbolt
Personal Data and Privacy Lab, Department of Computer Science, University of Oxford

Dominic Difranzo
ECS, Faculty of Physical Sciences and Engineering, University of Southampton

Post on 07-Apr-2017

Outline

● Motivation
● Methodology
● Preliminary results
● Future work

Motivation

Personal data is one of the most valuable commodities

● The revenue of digital advertising in the EU in 2014 is estimated to be €30.7bn [1]

However,

● Users have limited knowledge about how their data are used
● Users have no control over how they expect their data to be used

[1] Interactive Advertising Bureau AdEx Benchmark research, http://www.iabuk.net/about/press/archive/eu-online-advertising-reaches-landmark-307bn

Tracking is ubiquitous

● There is a 99.5% chance that a user will be tracked by all of the top 10 trackers within 30 clicks on top search results (Gomer et al. 2013)

● Users have little awareness and control

https://www.mozilla.org/en-US/lightbeam/
http://research.microsoft.com/apps/pubs/default.aspx?id=201586

Beyond the web

Web browsing is just part of a wider sphere of potential privacy harms, including:

- Employment
- Health
- Finance
- Consumer spending

How can people express their wishes about the use of their personal data in these domains?

An example scenario: sharing of medical data

Users

- Want controls, e.g. no commercial use

- Limited time + capacity to read and process notifications

Information controller

- Show commitment, e.g. research purpose only

- Act according to socially and/or legally binding agreements

Existing privacy enhancement approaches

● Organisation-centric approaches
  ○ Structured privacy policy from information controllers, like P3P (https://www.w3.org/P3P/)
  ○ Standardisation effort: Do Not Track and P3P

● User-centric approaches
  ○ More usable privacy notifications, like privacy nutrition labels
  ○ Browser plug-in developments, e.g. Mozilla Privacy Icons, ToS;DR
  ○ Privacy preference languages

Credit of privacy nutrition label to: https://cups.cs.cmu.edu/privacyLabel/files/CHI-privacyFinal2010

Users remain the weak points

Users

Control remains a weak point

- A lot of past efforts
- But little uptake
- Why?

Information controller

- Show commitment
- Act on socially and legally binding agreements

Our privacy language review

Privacy languages

● A declarative language for specifying both users’ privacy preferences and information controllers’ privacy policies in a machine-readable way [+]

Existing reviews

● Kumaraguru et al 2007 and Kolter 2009: focused on the purpose of languages only
● Belanger and Crossler 2011: a review of privacy in Management Information Systems
● Kasem-Madani and Meier 2015: more focus on security

Our goal

● A user-centric review: focusing on the support for users, instead of organisations
● Gaining insights on designing a user-centric language that is easy to use

[+] Becker et al. Practical Generic Privacy Language. Information Systems Security. Springer Berlin Heidelberg, 2010. 125-139.
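
Added example (not from the slides or from any of the reviewed languages): a minimal sketch of what "machine-readable" buys in the medical-data scenario above, where a user's preference and a controller's policy are compared automatically. The `Rule` vocabulary, the deny-by-default choice and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vocabulary for illustration; not taken from P3P or any reviewed language.
@dataclass(frozen=True)
class Rule:
    data: str               # data category, e.g. "medical"
    purposes: frozenset     # policy: declared uses; preference: permitted uses
    recipients: frozenset   # policy: who receives it; preference: who may
    retention_days: int     # policy: declared retention; preference: maximum

def conflicts(policy, preferences):
    """Compare a controller's policy with a user's preferences.

    Returns a list of conflict descriptions; an empty list means every
    statement in the policy stays within what the user permits.
    """
    permitted = {rule.data: rule for rule in preferences}
    found = []
    for stmt in policy:
        pref = permitted.get(stmt.data)
        if pref is None:
            # Assumption: data the user said nothing about is denied by default.
            found.append(f"{stmt.data}: no preference given, denied by default")
            continue
        for purpose in sorted(stmt.purposes - pref.purposes):
            found.append(f"{stmt.data}: purpose '{purpose}' not permitted")
        for who in sorted(stmt.recipients - pref.recipients):
            found.append(f"{stmt.data}: recipient '{who}' not permitted")
        if stmt.retention_days > pref.retention_days:
            found.append(f"{stmt.data}: retention {stmt.retention_days}d "
                         f"exceeds {pref.retention_days}d")
    return found

# Constructed sample input based on the medical-data scenario.
USER_PREFS = [Rule("medical", frozenset({"research"}), frozenset({"hospital"}), 365)]
RESEARCH_POLICY = [Rule("medical", frozenset({"research"}), frozenset({"hospital"}), 180)]
COMMERCIAL_POLICY = [
    Rule("medical", frozenset({"research", "marketing"}),
         frozenset({"hospital", "ad-network"}), 730),
    Rule("location", frozenset({"research"}), frozenset({"hospital"}), 30),
]

if __name__ == "__main__":
    print(conflicts(RESEARCH_POLICY, USER_PREFS))   # research-only policy
    for line in conflicts(COMMERCIAL_POLICY, USER_PREFS):
        print(line)
```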

Methodology of the review

● 18 privacy languages from existing review literature
● Limited to academic efforts
● Eliminated those languages that describe access control only
● 10 languages in the review
● Assessment through 3 dimensions
  ○ Their design purpose
  ○ Their user-facing tooling support
  ○ Their consideration of interoperability

Preliminary results

Purpose of the languages

● More emphasis on information controllers (i.e. through policy languages) than on users (i.e. through preference languages)

● Some preference languages are too simple, with limited expressivity

● Other preference languages are way too complicated to be used by end users

● Nothing we can use off-the-shelf

Tooling support

● Motivation
  ○ An easy-to-use user-facing tool is critical for the adoption of any proposed language
  ○ Tooling has been shown to be a critical barrier to the adoption of standards like P3P

● Observations
  ○ Very few languages come with a user-facing tool (3 out of 10)
  ○ Very limited usability studies (except for one tool) to ensure that these tools are truly usable for end users

Interoperability

● Motivation
  ○ Privacy is a ubiquitous issue, given the fast development of mobile devices and IoT
  ○ Privacy languages from different devices, users and platforms must be interchangeable

● Observations
  ○ Pros: languages are defined in standard formats, like XML or RDF
  ○ Cons: standardisation efforts (like P3P) have failed, with a lack of social agreement and legal enforcement

Reflections

● Strengths
  ○ Extensive understanding of privacy scenarios and challenges

● Weaknesses
  ○ Existing languages are either too complicated for normal web users or too simplistic to cope with the diverse requirements
  ○ Limited tooling development for end users

Future work

● A first step towards user-centric privacy: enabling users to gain control
● Easy-to-use privacy preference language
● Easy-to-use user-facing tools
● Tracking breakage of terms on a decentralised Web (of Things)

Thank you!