Evaluating the Contextual Integrity of Privacy Regulation: Parents' IoT Toy Privacy Norms Versus COPPA

Increased concern about data privacy has prompted new and updated data protection regulations worldwide. However, there has been no rigorous way to test whether the practices mandated by these regulations actually align with the privacy norms of affected populations. Here, we demonstrate that surveys based on the theory of contextual integrity provide a quantifiable and scalable method for measuring the conformity of specific regulatory provisions to privacy norms. We apply this method to the U.S. Children's Online Privacy Protection Act (COPPA), surveying 195 parents and providing the first data that COPPA's mandates generally align with parents' privacy expectations for Internet-connected "smart" children's toys. Nevertheless, variations in the acceptability of data collection across specific smart toys, information types, parent ages, and other conditions emphasize the importance of detailed contextual factors to privacy norms, which may not be adequately captured by COPPA.Comment: 18 pages, 1 table, 4 figures, 2 appendice

Expecting the Unexpected in Security Violations in Mobile Apps

personal data. This increased access and control may raise users’ perception of heightened privacy leakage and security issues. This is especially the case if users’ awareness and expectations of this external access and control is not accurately recognized through proper security declarations. This proposal thus attempts to put forth an investigation on the effect of mobile users’ privacy expectation disconfirmation on their continued usage intention of mobile apps sourced from app distribution stores. Drawing upon the APCO framework, security awareness literature and the expectation-disconfirmation perspective, two key types of security awareness information are identified; namely access annotation and modification annotation. It is noted that these types of information can be emphasized in app distribution stores to reduce subsequent privacy expectation disconfirmation. Hence, this study plans to examine the downstream effect of privacy expectation disconfirmation on users’ continued usage intention. To operationalize this research, a laboratory experiment will be conducted

Strategic Niche Management (SNM) beyond sustainability. An exploration of key findings of SNM through the lens of ICT and privacy

Recently the governance of socio-technical transitions to sustainability is gaining attention in the field of innovation studies. One particular approach is that of Strategic Niche Management (SNM), which advocates the creation of protected space to experiment with radically new sustainable socio-technical practices. This paper contributes by asking whether this approach is also useful for analysis and governance of other types of socially desirable change. This question is addressed through a review of six key-findings of Strategic Niche Management and an original case study in the field of Near Field Communication (NFC) technologies for mobile payment. The social value at stake in this case is not sustainability but privacy. We draw three main conclusions. First, we find that the key-findings and concepts in SNM for sustainability are helpful to understand and interpret much of the data collected for the NFC case and privacy. However, there are notable differences in each of the key-findings, i.e findings related to a) the local-global distinction in SNM, b) expectations, c) social networks, d) learning, e) protection, and f) niche-regime interactions. Second, in relation to governance, the role of sustainability values (being a promising value to pursue) and privacy values (being a bottom-line value to defend) are notably different. Third, these differences result in different roles of public bodies in niche development. The paper ends with discussing the consequences for SNM for sustainability research and future research topics.Strategic Niche Management, sustainability, NFC, mobile payment, privacy

Security, Privacy, and Technology Development: The Impact on National Security

The evolution of modern communications and information technology sparked a revolution of unprecedented proportions, bringing about an explosion in terms of users and capabilities, as well as increasing demands for both security and privacy. To meet these security demands, new technologies are evolving that can in fact provide a secure and protected environment. At the same time, however, the technology-development path is being increasingly impacted by two other major dynamics: the legal environment and user expectations with respect to privacy. Within the past four years in particular, several major court decisions as well as the official release of documents and illicit “leaks” have drawn enormous attention to what privacy protections must be afforded to various types of data and communications. Users, increasingly aware of intrusions into their data and communications—ranging from intelligence services to hackers and criminals—are demanding greater levels of protection. While technological approaches to greater privacy are possible, they are not costfree— particularly in terms of the computational overhead and other constraints imposed on new systems

Security, Privacy, and Technology Development: The Impact on National Security

The evolution of modern communications and information technology sparked a revolution of unprecedented proportions, bringing about an explosion in terms of users and capabilities, as well as increasing demands for both security and privacy. To meet these security demands, new technologies are evolving that can in fact provide a secure and protected environment. At the same time, however, the technology-development path is being increasingly impacted by two other major dynamics: the legal environment and user expectations with respect to privacy. Within the past four years in particular, several major court decisions as well as the official release of documents and illicit “leaks” have drawn enormous attention to what privacy protections must be afforded to various types of data and communications. Users, increasingly aware of intrusions into their data and communications—ranging from intelligence services to hackers and criminals—are demanding greater levels of protection. While technological approaches to greater privacy are possible, they are not costfree— particularly in terms of the computational overhead and other constraints imposed on new systems

Privacy Harms

Privacy harms have become one of the largest impediments in privacy law enforcement. In most tort and contract cases, plaintiffs must establish that they have been harmed. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins, the U.S. Supreme Court has held that courts can override Congress’s judgments about what harm should be cognizable and dismiss cases brought for privacy statute violations. The caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm. Courts conclude that many privacy violations, such as thwarted expectations, improper uses of data, and the wrongful transfer of data to other organizations, lack cognizable harm. Courts struggle with privacy harms because they often involve future uses of personal data that vary widely. When privacy violations do result in negative consequences, the effects are often small – frustration, aggravation, and inconvenience – and dispersed among a large number of people. When these minor harms are done at a vast scale by a large number of actors, they aggregate into more significant harms to people and society. But these harms do not fit well with existing judicial understandings of harm. This article makes two central contributions. The first is the construction of a road map for courts to understand harm so that privacy violations can be tackled and remedied in a meaningful way. Privacy harms consist of various different types, which to date have been recognized by courts in inconsistent ways. We set forth a typology of privacy harms that elucidates why certain types of privacy harms should be recognized as cognizable. The second contribution is providing an approach to when privacy harm should be required. In many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit. Currently, much privacy litigations suffers from a misalignment of law enforcement goals and remedies. For example, existing methods of litigating privacy cases, such as class actions, often enrich lawyers but fail to achieve meaningful deterrence. Because the personal data of tens of millions of people could be involved, even small actual damages could put companies out of business without providing much of value to each individual. We contend that the law should be guided by the essential question: When and how should privacy regulation be enforced? We offer an approach that aligns enforcement goals with appropriate remedies

Video Manipulation Techniques for the Protection of Privacy in Remote Presence Systems

Systems that give control of a mobile robot to a remote user raise privacy concerns about what the remote user can see and do through the robot. We aim to preserve some of that privacy by manipulating the video data that the remote user sees. Through two user studies, we explore the effectiveness of different video manipulation techniques at providing different types of privacy. We simultaneously examine task performance in the presence of privacy protection. In the first study, participants were asked to watch a video captured by a robot exploring an office environment and to complete a series of observational tasks under differing video manipulation conditions. Our results show that using manipulations of the video stream can lead to fewer privacy violations for different privacy types. Through a second user study, it was demonstrated that these privacy-protecting techniques were effective without diminishing the task performance of the remote user.Comment: 14 pages, 8 figure

A Look into User Privacy and Third-Party Applications in Facebook

Purpose A huge amount of personal and sensitive data are shared on Facebook, which makes it a prime target for attackers. Adversaries can exploit third-party applications connected to a user’s Facebook profiles (i.e. Facebook apps) to gain access to this personal information. Users’ lack of knowledge and the varying privacy policies of these apps make them further vulnerable to information leakage. However, little has been done to identify mismatches between users’ perceptions and the privacy policies of Facebook apps. This paper aims to address this challenge in the work. Design/methodology/approach The authors conducted a lab study with 31 participants, where the authors received data on how they share information on Facebook, their Facebook-related security and privacy practices and their perceptions on the privacy aspects of 65 frequently-used Facebook apps in terms of data collection, sharing and deletion. The authors then compared participants’ perceptions with the privacy policy of each reported app. Participants also reported their expectations about the types of information that should not be collected or shared by any Facebook app. Findings The analysis reveals significant mismatches between users’ privacy perceptions and reality (i.e. privacy policies of Facebook apps), where the authors identified over-optimism not only in users’ perceptions of information collection but also in their self-efficacy in protecting their information in Facebook despite experiencing negative incidents in the past. Originality/value To the best of the knowledge, this is the first study on the gap between users’ privacy perceptions around Facebook apps and reality. The findings from this study offer direction for future research to address that gap through designing usable, effective and personalized privacy notices to help users to make informed decisions about using Facebook apps