Implementation and Assessment of Contextual Privacy Policies

Thema:
Implementation and Assessment of Contextual Privacy Policies
Art:
MA
BetreuerIn:
Niels Henze
BearbeiterIn:
Maximiliane Windl
ErstgutachterIn:
Niels Henze
ZweitgutachterIn:
David Elsweiler
Status:
abgeschlossen
Stichworte:
CPP, privacy, policies, implementation, evaluation
angelegt:
2020-05-11
Antrittsvortrag:
2020-05-18
Abschlussvortrag:
2020-10-20

Hintergrund

Online services collect an increasing amount of data about their users. Privacy policies are currently the only common way to inform users about the kinds of data collected, stored, and processed by online services. Previous work showed that users do not read and understand privacy policies, due to their length, difficult language, and often non-prominent location (see e.g. [5]). A promising approach is embedding privacy-relevant information directly in the context of use to help users understand the privacy implications of using online services [2, 3]. This has been coined Contextual Privacy Policies (CPPs). By prototypically implementing CPPs as a browser extension we showed, that they are generally well-received by participants [1].

Zielsetzung der Arbeit

In our previous work, we evaluated CPPs in a natural setting over multiple days with a prototypical implementation for seven common websites. Which and where we showed privacy information was, however, hardcoded. Supporting an additional website required to manually retrieve the site’s privacy policy, identifying relevant information that can be shown in context as well as identifying anchors to show the CPP. Thus, the approach was sufficient to study the effects of CPPs but does not scale to real-world use.

This thesis aims to evolve CPPs from a prototypical implementation to a real-world browser extension to show that CPPs are indeed a feasible approach to make privacy policies accessible to the average web users. The CPPs will be evaluated through a naturalistic deployment.

Konkrete Aufgaben

  • Build an extension for Chrome and Firefox browsers to show snippets of privacy policies in their corresponding contexts. This includes:
  • Creating a large corpus of privacy policies
    • Using the corpus with privacy policies to train a word-embedding model
    • Building a segmenter to automatically break down the privacy policy to fine-grained segments to be used in a machine learning process
    • Building classifiers to automatically assign categories and attributes to the segments of the privacy policies
    • Automatically determining links to website’s privacy policies, as well as context elements to embed privacy information (Account, Check-Out, Advertisements, …)
    • Showing the relevant snippet from the privacy policy in the corresponding contexts
    • Explore making the extension language-independent by translating policies to English before predicting, translating back, and showing the snippets in the original language
  • Conduct a study to evaluate the extension through a naturalistic deployment
  • Analyzing and interpreting the results

Erwartete Vorkenntnisse

Experience with browser extension development for Chrome/Firefox

Weiterführende Quellen

  1. Anna-Marie Ortloff, Maximiliane Windl, Valentin Schwind, and Niels Henze. 2020. Implementation and In Situ Assessment of Contextual Privacy Policies. In Proceedings of the 2020 on Designing Interactive Systems Conference (DIS ’20). Association for Computing Machinery, New York, NY, USA. DOI: http://dx.doi.org/10.1145/3357236.3395549
  2. Anna-Marie Ortloff, Lydia Güntner, Maximiliane Windl, Denis Feth, and Svenja Polst. 2018. Evaluation kontextueller Datenschutzerklärungen. In Mensch und Computer 2018 - Workshopband, Raimund Dachselt and Gerhard Weber (Eds.). Gesellschaft für Informatik e.V., Bonn.
  3. Denis Feth. 2017. Transparency through Contextual Privacy Statements. In Mensch und Computer 2017-Workshopband, Manuel Burghardt, Raphael Wimmer, Christian Wolff, and Christa Womser-Hacker (Eds.). DOI: http://dx.doi.org/10.18420/muc2017- ws05- 0406
  4. Hamza Harkous, Kassem Fawaz, Rémi Lebret, Florian Schaub, Kang G. Shin, and Karl Aberer. 2018. Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 531–548. https://www.usenix.org/conference/usenixsecurity18/ presentation/harkous
  5. Singh, R. I., Sumeeth, M., & Miller, J. (2011). A user-centric evaluation of the readability of privacy policies in popular web sites. Information Systems Frontiers, 13(4), 501-514.