Evaluating the Contextual Integrity of Privacy Regulation: Parents' IoT Toy Privacy Norms Versus COPPA

Increased concern about data privacy has prompted new and updated data protection regulations worldwide. However, there has been no rigorous way to test whether the practices mandated by these regulations actually align with the privacy norms of affected populations. Here, we demonstrate that surveys based on the theory of contextual integrity provide a quantifiable and scalable method for measuring the conformity of specific regulatory provisions to privacy norms. We apply this method to the U.S. Children's Online Privacy Protection Act (COPPA), surveying 195 parents and providing the first data that COPPA's mandates generally align with parents' privacy expectations for Internet-connected "smart" children's toys. Nevertheless, variations in the acceptability of data collection across specific smart toys, information types, parent ages, and other conditions emphasize the importance of detailed contextual factors to privacy norms, which may not be adequately captured by COPPA.Comment: 18 pages, 1 table, 4 figures, 2 appendice

M-health review: joining up healthcare in a wireless world

In recent years, there has been a huge increase in the use of information and communication technologies (ICT) to deliver health and social care. This trend is bound to continue as providers (whether public or private) strive to deliver better care to more people under conditions of severe budgetary constraint

Secure Identification in Social Wireless Networks

The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices. The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP‟s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future

Location data privacy : principles to practice

A thesis submitted in partial fulfillment of the requirements for the degree of Doctor in Information Management, specialization in Geographic Information SystemsLocation data is essential to the provision of relevant and tailored information in location-based services (LBS) but has the potential to reveal sensitive information about users. Unwanted disclosure of location data is associated with various threats known as dataveillance which can lead to risks like loss of control, (continuous) monitoring, identification, and social profiling. Striking a balance between providing a service based on the user’s location while protecting their (location) privacy is thus a key challenge in this area. Although many solutions have been developed to mitigate the data privacy-related threats, the aspects involving users (i.e. User Interfaces (UI)) and the way in which location data management can affects (location) data privacy have not received much attention in the literature. This thesis develops and evaluates approaches to facilitate the design and development of privacy-aware LBS. This work has explicitly focused on three areas: location data management in LBS, the design of UI for LBS, and compliance with (location) data privacy regulation. To address location data management, this thesis proposes modifications to LBS architectures and introduces the concept of temporal and spatial ephemerality as an alternative way to manage location privacy. The modifications include adding two components to the LBS architecture: one component dedicated to the management of decisions regarding collected location data such as applying restriction on the time that the service provider stores the data; and one component for adjusting location data privacy settings for the users of LBS. This thesis then develops a set of UI controls for fine-grained management of location privacy settings based on privacy theory (Westin), privacy by design principles and general UI design principles. Finally, this thesis brings forth a set of guidelines for the design and development of privacy-aware LBS through the analysis of the General Data Protection Regulation (GDPR) and expert recommendations. Service providers, designers, and developers of LBS can benefit from the contributions of this work as the proposed architecture and UI model can help them to recognise and address privacy issues during the LBS development process. The developed guidelines, on the other hand, can be helpful when developers and designers face difficulties understanding (location) data privacy-related regulations. The guidelines include both a list of legal requirements derived from GDPR’s text and expert suggestions for developers and designers of LBS in the process of complying with data privacy regulation

CHORUS Deliverable 2.2: Second report - identification of multi-disciplinary key issues for gap analysis toward EU multimedia search engines roadmap

After addressing the state-of-the-art during the first year of Chorus and establishing the existing landscape in multimedia search engines, we have identified and analyzed gaps within European research effort during our second year. In this period we focused on three directions, notably technological issues, user-centred issues and use-cases and socio- economic and legal aspects. These were assessed by two central studies: firstly, a concerted vision of functional breakdown of generic multimedia search engine, and secondly, a representative use-cases descriptions with the related discussion on requirement for technological challenges. Both studies have been carried out in cooperation and consultation with the community at large through EC concertation meetings (multimedia search engines cluster), several meetings with our Think-Tank, presentations in international conferences, and surveys addressed to EU projects coordinators as well as National initiatives coordinators. Based on the obtained feedback we identified two types of gaps, namely core technological gaps that involve research challenges, and “enablers”, which are not necessarily technical research challenges, but have impact on innovation progress. New socio-economic trends are presented as well as emerging legal challenges

The future of Cybersecurity in Italy: Strategic focus area

This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

After Over-Privileged Permissions: Using Technology and Design to Create Legal Compliance

Consumers in the mobile ecosystem can putatively protect their privacy with the use of application permissions. However, this requires the mobile device owners to understand permissions and their privacy implications. Yet, few consumers appreciate the nature of permissions within the mobile ecosystem, often failing to appreciate the privacy permissions that are altered when updating an app. Even more concerning is the lack of understanding of the wide use of third-party libraries, most which are installed with automatic permissions, that is permissions that must be granted to allow the application to function appropriately. Unsurprisingly, many of these third-party permissions violate consumers’ privacy expectations and thereby, become “over-privileged” to the user. Consequently, an obscurity of privacy expectations between what is practiced by the private sector and what is deemed appropriate by the public sector is exhibited. Despite the growing attention given to privacy in the mobile ecosystem, legal literature has largely ignored the implications of mobile permissions. This article seeks to address this omission by analyzing the impacts of mobile permissions and the privacy harms experienced by consumers of mobile applications. The authors call for the review of industry self-regulation and the overreliance upon simple notice and consent. Instead, the authors set out a plan for greater attention to be paid to socio-technical solutions, focusing on better privacy protections and technology embedded within the automatic permission-based application ecosystem

Scrutinizing Coppa: The Privacy of Our Past, Present, and Future

As the Internet has grown, children’s lives have become increasingly intertwined with online goods and services, which has raised concerns about their digital privacy and safety. This thesis scrutinizes the economic and legal implications of Children’s Online Privacy Protection Act (COPPA, “the Rule”), which regulates the data collection and retention policies of online services to protect the privacy and safety of children. It examines selected enforcement actions, proposed amendments, privacy policies and practices of platforms used as education technology (“EdTech”), incorporating the concerns and opinions of industry experts. In doing so, this thesis finds that COPPA has shortcomings in its methods of enforcement, compliance efforts, and the legislation itself. This thesis concludes after an evaluation of the legislation and proposals to update the Rule