Three Essays on Collective Privacy and Information Security

Memarian Esfahani, Sara

07 1900

In Essay 1, we seek to expand the insights on an individual's decision to share group content. Social networking sites (SNS) have become a ubiquitous means of socializing in the digital age. Using a survey, we collected data from 520 respondents with corporate work experience to test our research model. Our analysis highlights the complex interplay between individual and group factors that shape users' risk-benefit analysis of sharing group content on social networking sites. Furthermore, the results of this study have important implications for social networking site design and policy, particularly with regard to providing granular control over the privacy settings of group content and clear and concise information about the potential risks and benefits of sharing group content. Essay 2 aims to extend the knowledge of information security policy (ISP) compliance. Using a comprehensive approach, we extended the perspective of control mechanisms in the context of ISPs. It is evident that maintaining information security is an important concern for organizations of all sizes and industries. Organizations can establish policies and procedures to regulate and ensure compliance with information security policies, and various control mechanisms can be employed to ensure compliance. Among these control mechanisms, enforcement, punishment, evaluation, and recognition have been identified as important factors that influence information security policy compliance. In Essay 3, we delve deep into the current digital era and the reality of individuals becoming particularly vulnerable to privacy breaches. In the third essay, we offer a thorough examination of existing literature to gain insight into the disparities between users' stated privacy concerns and their actual information-sharing behavior. Our analysis reveals that, in addition to technological and environmental factors, cultural and personal differences significantly contribute to the paradoxical behavior observed among individuals. Utilizing the S-O-R (stimulus-organism-response) framework, we emphasize the necessity of examining the intricate interplay between technological aspects, individual attributes, and environmental factors in order better to understand the complexities of individuals' privacy decision-making processes. By addressing these factors and their interactions, we can develop more effective strategies to improve individuals' privacy awareness, decision-making, and overall online experiences. This will ultimately create more secure and privacy-respecting digital communities for users with various characteristics.

Group Privacy

Group Content Sharing

Information Security

Security Policy Compliance

Privacy Paradox

Psychology, Behavioral

Sociology, Theory and Methods

Psychology, Experimental

[pt] O DESIGN DE INTERFACE COMO FACILITADOR NA COMUNICAÇÃO DO PROCESSO DE TRATAMENTO DE DADOS DIGITAIS DOS USUÁRIOS / [en] THE ROLE OF INTERFACE DESIGN AS AN ENABLER IN THE COMMUNICATION OF PERSONAL DATA PROCESSING

ANA LUIZA CASTRO GERVAZONI

30 October 2023

[pt] A adoção de modelos de inteligência artificial está alterando a relação entre organizações e consumidores e o volume de produtos digitais dependentes de dados pessoais cresce a cada dia. As políticas de privacidade são o principal instrumento de informação do cidadão sobre como suas informações serão tratadas por empresas com as quais se relaciona. Porém, atualmente, as interfaces destes instrumentos não comunicam de forma objetiva suas informações. O presente estudo demonstra que a aplicação de diretrizes de design nas políticas de privacidade promove uma experiência mais satisfatória e uma aquisição de informação mais rápida de seu conteúdo pelos usuários. A metodologia do estudo abarcou uma revisão bibliográfica, pesquisa documental, adaptação da escala Internet Users’ Information Privacy Concerns, teste de usabilidade e análise de conteúdo. Literaturas de direito e design foram relacionadas para identificar requisitos legais que poderiam ser melhor atendidos por meio do design, o nível de preocupação com a privacidade dos participantes foi verificado e um teste comparativo de usabilidade foi conduzido. Uma réplica da política do Facebook foi comparada à nova proposta, que contava com elementos que representavam diretrizes de design. Os dados mostraram redução no tempo para localização de informações e na taxa de erro entre os usuários que acessaram a nova proposta, assim como maior frequência de declarações positivas a respeito desta versão. A pesquisa contribui para a ampliação do conhecimento sobre a influência do design de interface na construção destes instrumentos ao esclarecer que a consideração de boas práticas deste campo facilita a aquisição de informação. / [en] The use of artificial intelligence models is changing the relationship between organizations and consumers, and the volume of digital products dependent on personal data is growing every day. Privacy policies are the primary tool for informing citizens about how their information will be handled by companies with which they interact. However, currently, the interfaces of these instruments do not objectively communicate their information. The present study demonstrates that the application of design guidelines in privacy policies promotes a more satisfactory experience and faster user acquisition of information from its content. The study methodology encompassed a bibliographical review, documentary research, adjustment of the Internet Users Information Privacy Concerns scale, usability testing, and content analysis. Literature from law and design fields could be interconnected to identify legal requirements that could be addressed more effectively through design, the level of privacy concern of the study s participants was verified, and a comparative usability test was conducted. A replica of Facebook s policy was compared to a new interface, which included elements that represented design guidelines. The data showed a reduction in the time to find information, the error rate among users who accessed the new proposal, and a higher frequency of positive statements regarding this version. This research enhances the understanding of how interface design affects the creation of such instruments by showing that following best practices in this area facilitates information acquisition.

[pt] DESIGN DE INTERFACE

[pt] USABILIDADE MOVEL

[pt] POLITICAS DE PRIVACIDADE

[pt] PRIVACIDADE DE DADOS

[en] INTERFACE DESIGN

[en] MOBILE USABILITY

[en] PRIVACY POLICY

[en] DATA PRIVACY

To Tell or not to Tell? An Examination of Stepparents' Communication Privacy Management

Hsu, Tsai-chen

08 1900

This study examined stepparents' privacy boundary management when engaging in communicative interactions with stepchildren. I utilized Petronio's communication privacy management theory to investigate stepparents' motivations of disclosing or concealing from stepchildren as well as how stepparents' gender influences such motivations. Moreover, present research also explored types of privacy dilemma within stepfamily households from stepparent perspectives. Fifteen stepfathers and 15 stepmothers received in-depth interviews about their self-disclosing and concealment experiences with stepchildren. I identified confidant dilemma and accidental dilemma in stepfamily households from stepparents' perspectives, as well as stepparents' gender differences in self-disclosing and concealing motivations. Findings also suggest that stepparents reveal and conceal from stepchildren out of same motivations: establishing good relationships, viewing stepchildren as own children, helping stepchildren with problems resulting from the divorce and viewing stepchildren as "others." The result also indicates that stepparents experienced dialectical tensions between closedness and openness during the decision of revealing or concealing from stepchildren.

Communication Privacy Management

dialectical tension

self-disclosure

stepparent-stepchild communication

CPM

Stepparents.

Communication in families.

Parent and child.

Self-disclosure.

Privacy.

Studenters integritetsoro kring hantering av personlig information : En kvalitativ studie inom e-bank, e-handel och e-hälsa / Students privacy concern regarding management of personal information : A qualitative study within e-bank, e-commerce and e-health

Nilsson, Philip, Jonson, Joel

January 2022

Insamling av personlig information utförs av företag i kommersiella syften och används till att skapa profiler och beteendemönster. Utnyttjandet av användares personliga information har upprepande gånger lett till konflikter där människors oro över sin personliga integritet har belysts. Detta har resulterat i skapandet av förordningar som GDPR, California Consumer Privacy Act och ett flertal nationella lagar som syftar till att stärka och skydda individers personuppgifter. Tidigare statistiska undersökningar har visat att studenter är en population som upplever oro över personlig datainsamling. Därav kommer urvalet för denna studie fokusera på studenter.  Syftet med studien är att skapa en förståelse över när en student känner oro i att lämna ifrån sig personlig information. Tidigare forskning visar på att frågor inom integritetsoro är djupt förknippad med en kontext och betydelsen av att placera situationen i ett sammanhang. Domänområdena e-bank, e-handel och e-hälsa har därför valts ut att undersökas i denna studie på grund av deras känsliga samband till integritetsoro men även dess påtagliga relevans inom IS-området.  Studiens resultat bekräftar att integritetsoro skiljer sig genom kontexter i viss mån men studien pekar även på tydliga samband. En oro över faktorn obehörig tillgång förekommer bland tre domäner, dock skiljer sig situationen åt i varje domän. Människors medvetenhet har visat sig vara oberoende av domän då studenter förstår att personlig information samlas in, men vet inte vad den används till. / Today’s companies use Personal data collection for commercial purposes and use it to create profiles and analyze behavior patterns. This abuse of users' personal information has repeatedly led to conflicts in which people's concerns about their privacy have been enlightened. This has resulted in the creation of several regulations such as the GDPR, the California Consumer Privacy Act and a number of national laws that strengthen and protect individuals' personal data. Previous statistical surveys have shown that students are a population that is concerned about personal data collection. Hence, the selected group for this study will be students.  The purpose of this study is to create an understanding of when a student is concerned about disclosing personal information. Previous research shows that privacy concerns are deeply associated with placing the situation in a context. The domain areas of ebanking, e-commerce and e-health have therefore been selected to be examined in this study due to their sensitive connection to privacy concerns but also its noticeable relevance within the IS-area.  The result of this study confirms that integrity concerns differ through contexts to some extent, however the result also shows that there are certain similarities. A concern about the factor improper access occurs among three domains, however, the situation differs in each domain. People's awareness has been shown to be independent by domain as students, regardless of the discussed domain, understand that personal information is collected, but do not know what it is used for.

Domains

Context

IPC

Personal information

Privacy Calculus

Domäner

Kontext

IPC

Personlig information

Privacy Calculus

Information Systems

<b>EXPLORING FEMTECH: INVESTIGATING CLUE AND PRIVACY CONCERNS AMONG MENSTRUATORS</b>

Claire Elyse Rightley (18423219)

22 April 2024

<p dir="ltr">FemTech is a booming subset of mHealth applications that was worth $51 billion in 2021 (Stewart, 2022b). FemTech largely focuses on menstruation, pregnancy, and fertility tracking. As with any technology, it comes with privacy and security risks for users, but these risks are more acute due to the sensitive nature of the data being collected. While privacy and security shortcomings have been highlighted for years, concerns were discussed widely in the United States after the Supreme Court released its <i>Dobbs v. Jackson</i> decision on June 24, 2022, which overturned <i>Roe v. Wade</i>, a 1973 decision that protected abortion as a constitutional right and limited states’ abilities to place restrictions on abortions. With abortion no longer a constitutional right, many states have outlawed or heavily restricted the procedure, and individuals expressed concern about their digital data being used in investigations as it has been in select previous cases (e.g., <i>State of Indiana v. Purvi Patel</i>, 2015; <i>State of Mississippi v. Latice Fisher</i>, 2018; <i>The State of Nebraska v. Celeste Burgess</i>, 2023; <i>The State of Nebraska v. Jessica Burgess</i>, 2023). While Big Tech has been scrutinized for turning user data over to law enforcement, many have more heavily questioned the protections offered by period tracking app companies due to the abundant amount of health data these companies possess about their users (e.g., Basu, 2022; Bradley et al., 2022; Cole, 2022). These apps have historically fallen short in protections for their user data in general (e.g., Beilinson, 2020; <i>Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations That It Misled Consumers About the Disclosure of Their Health Data</i>, 2021; Quintin, 2017). Clue is one of the most popular FemTech apps with millions of downloads across the Apple App Store and Google Play Store, and the company has spoken out widely about their privacy protections in the wake of the <i>Dobbs v. Jackson</i> decision (<i>‎Clue Period Tracker & Calendar</i>, n.d.; <i>Clue Period Tracker & Calendar</i>, n.d.; <i>Clue’s Response to Roe vs Wade Decision</i>, 2022). This research presents a forensic analysis of Clue on both iOS and Android after two months of data population, finding that some user-entered data was available in the app cache or .db-wal files on both iOS and Android but was entirely erased after the deletion of the app on the phones. This research also presents results from a survey of 31 menstruators in the United States, finding that online privacy in general is a concern for many users, and most find it unacceptable for period tracking applications to share user health data with advertisers or law enforcement.</p>

Digital forensics

FemTech

digital forensics

mobile forensics

digital privacy

online privacy

mHealth applications

period tracking apps

Clue period tracker

Beyond Personalization Paradox - Content Personalization &amp; Culture : Exploring the Drivers of Personal Information Sharing for Content Personalization, Considering Different Cultural Backgrounds

Tzotzi, Maria, Andaroudi, Yasaman

January 2024

Marketing is one of the industries most impacted by the rapid development of AI and its applications. This study, in particular, illuminates the significant field of content personalization, which is a highly successful marketing strategy. In a world where content personalization is increasingly implemented by e-commerce websites, movie platforms, music platforms, and even news websites, the practice of collecting personal information for content personalization has raised concerns among consumers, leading many to reject such practices. Individuals' beliefs and cultural characteristics play a significant role in their attitudes toward content personalization. Therefore, this study aims to explore the drivers that would lead someone to share their personal information for content personalization. However, rather than just examining this trade-off, the study seeks to gain a deeper understanding of the issue by exploring how these drivers are related to individual cultural characteristics. To explore consumers' opinions and the drivers that would motivate someone to share their personal information for content personalization, interviews were conducted with individuals from Northern Europe and Greece, who have different cultural characteristics. By examining the topic through personal experiences and perspectives, the study revealed that certain drivers are considered regardless of culture, while others are culturally specific, thus creating specific patterns for how individuals of different cultures think. This information can guide marketers, policymakers, and professionals in the field to align their practices with the diverse cultural characteristics of individuals.

Content Personalization

Culture

Personal Information Sharing

Privacy Benefits

Privacy Concerns

Personal Concerns

Business Administration

Företagsekonomi

Communication Studies

Kommunikationsvetenskap

Testing Privacy and Security of Voice Interface Applications in the Internet of Things Era

Shafei, Hassan, 0000-0001-6844-5100

04 1900

Voice User Interfaces (VUI) are rapidly gaining popularity, revolutionizing user interaction with technology through the widespread adoption in devices such as desktop computers, smartphones, and smart home assistants, thanks to significant advancements in voice recognition and processing technologies. Over a hundred million users now utilize these devices daily, and smart home assistants have been sold in massive numbers, owing to their ease and convenience in controlling a diverse range of smart devices within the home IoT environment through the power of voice, such as controlling lights, heating systems, and setting timers and alarms. VUI enables users to interact with IoT technology and issue a wide range of commands across various services using their voice, bypassing traditional input methods like keyboards or touchscreens. With ease, users can inquire in natural language about the weather, stock market, and online shopping and access various other types of general information.However, as VUI becomes more integrated into our daily lives, it brings to the forefront issues related to security, privacy, and usability. Concerns such as the unauthorized collection of user data, the potential for recording private conversations, and challenges in accurately recognizing and executing commands across diverse accents, leading to misinterpretations and unintended actions, underscore the need for more robust methods to test and evaluate VUI services. In this dissertation, we delve into voice interface testing, evaluation for privacy and security associated with VUI applications, assessment of the proficiency of VUI in handling diverse accents, and investigation into access control in multi-user environments. We first study the privacy violations of the VUI ecosystem. We introduced the definition of the VUI ecosystem, where users must connect the voice apps to corresponding services and mobile apps to function properly. The ecosystem can also involve multiple voice apps developed by the same third-party developers. We explore the prevalence of voice apps with corresponding services in the VUI ecosystem, assessing the landscape of privacy compliance among Alexa voice apps and their companion services. We developed a testing framework for this ecosystem. We present the first study conducted on the Alexa ecosystem, specifically focusing on voice apps with account linking. Our designed framework analyzes both the privacy policies of these voice apps and their companion services or the privacy policies of multiple voice apps published by the same developers. Using machine learning techniques, the framework automatically extracts data types related to data collection and sharing from these privacy policies, allowing for a comprehensive comparison. Next, researchers studied the voice apps' behavior to conduct privacy violation assessments. An interaction approach with voice apps is needed to extract the behavior where pre-defined utterances are input into the simulator to simulate user interaction. The set of pre-defined utterances is extracted from the skill's web page on the skill store. However, the accuracy of the testing analysis depends on the quality of the extracted utterances. An utterance or interaction that was not captured by the extraction process will not be detected, leading to inaccurate privacy assessment. Therefore, we revisited the utterance extraction techniques used by prior works to study the skill's behavior for privacy violations. We focused on analyzing the effectiveness and limitations of existing utterance extraction techniques. We proposed a new technique that improved prior work extraction techniques by utilizing the union of these techniques and human interaction. Our proposed technique makes use of a small set of human interactions to record all missing utterances, then expands that to test a more extensive set of voice apps. We also conducted testing on VUI with various accents to study by designing a testing framework that can evaluate VUI on different accents to assess how well VUI implemented in smart speakers caters to a diverse population. Recruiting individuals with different accents and instructing them to interact with the smart speaker while adhering to specific scripts is difficult. Thus, we proposed a framework known as AudioAcc, which facilitates evaluating VUI performance across diverse accents using YouTube videos. Our framework uses a filtering algorithm to ensure that the extracted spoken words used in constructing these composite commands closely resemble natural speech patterns. Our framework is scalable; we conducted an extensive examination of the VUI performance across a wide range of accents, encompassing both professional and amateur speakers. Additionally, we introduced a new metric called Consistency of Results (COR) to complement the standard Word Error Rate (WER) metric employed for assessing ASR systems. This metric enables developers to investigate and rewrite skill code based on the consistency of results, enhancing overall WER performance. Moreover, we looked into a special case related to the access control of VUI in multi-user environments. We proposed a framework for automated testing to explore the access control weaknesses to determine whether the accessible data is of consequence. We used the framework to assess the effectiveness of voice access control mechanisms within multi-user environments. Thus, we show that the convenience of using voice systems poses privacy risks as the user's sensitive data becomes accessible. We identify two significant flaws within the access control mechanisms proposed by the voice system, which can exploit the user's private data. These findings underscore the need for enhanced privacy safeguards and improved access control systems within online shopping. We also offer recommendations to mitigate risks associated with unauthorized access, shedding light on securing the user's private data within the voice systems. / Computer and Information Science

Computer science

Alexa voice applications

Privacy and security in IoT

Smart speaker

Voice assistant

Voice User Interface (VUI)

VUI data privacy

Integritet online ur olika generationers perspektiv : En studie om hur generation digital natives &amp; pre-internet värdesätter sin integritet online

König, Lovisa, Romney, Ellen

January 2020

Den digital utvecklingen har gjort att vi idag rör oss i digitala miljöer för att jobba, kommunicera, söka information, shoppa och underhållas. Företag kan idag kan spara, kartlägga, mäta och analysera privatpersoners aktiviteter online vilket ställt högre krav på näringsidkare att hantera denna personliga information korrekt. Ett exempel på detta är GDPR som infördes under 2018. Lagen har lyft frågan om integritet online och gjort gemene man mer medveten om informationsinsamlingen som pågår runt oss då företagen är skyldiga att informera om den. Syftet med denna studie är att se hur två olika grupper, de generationer som har växt upp med internet sen barnsben gentemot de generationer som har tagit till sig internet vid vuxen ålder, resonerar kring integritet online. Vi vill se vilka skillnader/likheter som finns mellan grupperna, ifall det finns faktorer utöver ålder som är avgörande och ifall det finns någon paradox mellan åsikter och agerande i praktiken. I slutändan ämnar vi kunna ge praktiska råd kring hur företag ska kunna hantera konsumenternas integritet online. För att undersöka detta har vi studerat tidigare forskning på området samt gjort fem djupintervjuer inom vardera grupp. Den teoretiska referensramen innehåller teorier om the privacy paradox, medvetenhet kring informationsinsamling, Communication Privacy Management och Customer Relationship Management. Även GDPR och riktad marknadsföring behandlas, vilket sammantaget har ställs i relation till det insamlade materialet från respondenterna. Därefter har vi besvarat vår problemformulering: “Hur resonerar generation digital natives i jämförelse med generation pre-internet kring företags hantering av deras integritet online?” Resultatet av studien visar att det viktigaste för bägge respondentgrupper var att det finns ett relevant och tydligt syfte för att de ska delge sin information, samt ifall de får någon typ av kompensation. Den största skillnaden gick att se i deras delgivningsnormer, där den yngre respondentgruppen kände större press att dela med sig på social media och därmed indirekt till företag. Den mest framstående skillnaden på individnivå gällde medvetenhet kring insamling, där det varierade från respondent till respondent. Bägge grupperna känner dock en oro inför framtiden, då de ofta känner sig övervakade online. Denna oro härleds ur en känsla av maktlöshet och okunskap kring hur de kan skydda sin data. I spår av maktlösheten har många skapat sig en fabricerad trygghet där de i brist på kunskap istället hoppas på att de ska skyddas av lagar, regleringar och att vara “en i mängden”. Utifrån våra slutsatser rekommenderar vi företag att informera konsumenterna när och varför insamling sker, ge kompensation i någon form samt skydda den data de innehar.

Baby-boomers

y

x & z

generations online

GDPR

Consumer privacy online

ePrivacy

Information privacy

The privacy paradox

Concerns for Information Privacy (CFIP)

Privacy fatigue

Integritet online

generations skillnader

persondata online

integritetskränkande aspekter

digitala social normer

riktad reklam

personlig marknadsföring online

Business Administration

Företagsekonomi

How should the protection of privacy, threatened by new technologies like radio frequency identification (RFID), be seen from a Judeo-Christian perspective?

Schmidt, Erwin Walter

11 1900

Radio Frequency Identification (RFID) is a new technology which allows people to identify objects automatically but there is a suspicion that, if people are tracked, their privacy may be infringed. This raises questions about how far this technology is acceptable and how privacy should be protected. It is also initiated a discussion involving a wide range of technical, philosophical, political, social, cultural, and economical aspects. There is also a need to consider the ethical and theological perspectives. This dissertation takes all its relevant directions from a Judeo-Christian theological perspective. On one side the use of technology is considered, and on the other side the value of privacy, its infringements and protection are investigated. According to Jewish and Christian understanding human dignity has to be respected including the right to privacy. As a consequence of this RFID may only used for applications that do not infringe this right. This conclusion, however, is not limited to RFID; it will be relevant for other, future surveillance technologies as well. / Philosophy & Systematic Theology / M. Th. (Theological ethics)

Radio frequency identification

Privacy

Human rights

Right to privacy

Technology

Information and communication technology

Privacy enhancing technology

Internet of things

Data protection

Privacy impact assessment

201.66

Technology -- Religious aspects

Technology -- Moral and ethical aspects

Human rights

Privacy, Right of

How should the protection of privacy, threatened by new technologies like radio frequency identification (RFID), be seen from a Judeo-Christian perspective?

Schmidt, Erwin Walter

11 1900

Radio Frequency Identification (RFID) is a new technology which allows people to identify objects automatically but there is a suspicion that, if people are tracked, their privacy may be infringed. This raises questions about how far this technology is acceptable and how privacy should be protected. It is also initiated a discussion involving a wide range of technical, philosophical, political, social, cultural, and economical aspects. There is also a need to consider the ethical and theological perspectives. This dissertation takes all its relevant directions from a Judeo-Christian theological perspective. On one side the use of technology is considered, and on the other side the value of privacy, its infringements and protection are investigated. According to Jewish and Christian understanding human dignity has to be respected including the right to privacy. As a consequence of this RFID may only used for applications that do not infringe this right. This conclusion, however, is not limited to RFID; it will be relevant for other, future surveillance technologies as well. / Philosophy and Systematic Theology / M. Th. (Theological ethics)

Radio frequency identification

Privacy

Human rights

Right to privacy

Technology

Information and communication technology

Privacy enhancing technology

Internet of things

Data protection

Privacy impact assessment

201.66

Technology -- Religious aspects

Technology -- Moral and ethical aspects

Human rights

Privacy, Right of