UNDERSTANDING USER PERCEPTIONS AND PREFERENCES FOR MASS-MARKET INFORMATION SYSTEMS – LEVERAGING MARKET RESEARCH TECHNIQUES AND EXAMPLES IN PRIVACY-AWARE DESIGN

With cloud and mobile computing, a new category of software products emerges as mass-market information systems (IS) that addresses distributed and heterogeneous end-users. Understanding user requirements and the factors that drive user adoption are crucial for successful design of such systems. IS research has suggested several theories and models to explain user adoption and intentions to use, among them the IS Success Model and the Technology Acceptance Model (TAM). Although these approaches contribute to theoretical understanding of the adoption and use of IS in mass-markets, they are criticized for not being able to drive actionable insights on IS design as they consider the IT artifact as a black-box (i.e., they do not sufficiently address the system internal characteristics). We argue that IS needs to embrace market research techniques to understand and empirically assess user preferences and perceptions in order to integrate the "voice of the customer" in a mass-market scenario. More specifically, conjoint analysis (CA), from market research, can add user preference measurements for designing high-utility IS. CA has gained popularity in IS research, however little guidance is provided for its application in the domain. We aim at supporting the design of mass-market IS by establishing a reliable understanding of consumer’s preferences for multiple factors combing functional, non-functional and economic aspects. The results include a “Framework for Conjoint Analysis Studies in IS” and methodological guidance for applying CA. We apply our findings to the privacy-aware design of mass-market IS and evaluate their implications on user adoption. We contribute to both academia and practice. For academia, we contribute to a more nuanced conceptualization of the IT artifact (i.e., system) through a feature-oriented lens and a preference-based approach. We provide methodological guidelines that support researchers in studying user perceptions and preferences for design variations and extending that to adoption. Moreover, the empirical studies for privacy- aware design contribute to a better understanding of the domain specific applications of CA for IS design and evaluation with a nuanced assessment of user preferences for privacy-preserving features. For practice, we propose guidelines for integrating the voice of the customer for successful IS design. -- Les technologies cloud et mobiles ont fait émerger une nouvelle catégorie de produits informatiques qui s’adressent à des utilisateurs hétérogènes par le biais de systèmes d'information (SI) distribués. Les termes “SI de masse” sont employés pour désigner ces nouveaux systèmes. Une conception réussie de ceux-ci passe par une phase essentielle de compréhension des besoins et des facteurs d'adoption des utilisateurs. Pour ce faire, la recherche en SI suggère plusieurs théories et modèles tels que le “IS Success Model” et le “Technology Acceptance Model”. Bien que ces approches contribuent à la compréhension théorique de l'adoption et de l'utilisation des SI de masse, elles sont critiquées pour ne pas être en mesure de fournir des informations exploitables sur la conception de SI car elles considèrent l'artefact informatique comme une boîte noire. En d’autres termes, ces approches ne traitent pas suffisamment des caractéristiques internes du système. Nous soutenons que la recherche en SI doit adopter des techniques d'étude de marché afin de mieux intégrer les exigences du client (“Voice of Customer”) dans un scénario de marché de masse. Plus précisément, l'analyse conjointe (AC), issue de la recherche sur les consommateurs, peut contribuer au développement de système SI à forte valeur d'usage. Si l’AC a gagné en popularité au sein de la recherche en SI, des recommandations quant à son utilisation dans ce domaine restent rares. Nous entendons soutenir la conception de SI de masse en facilitant une identification fiable des préférences des consommateurs sur de multiples facteurs combinant des aspects fonctionnels, non-fonctionnels et économiques. Les résultats comprennent un “Cadre de référence pour les études d'analyse conjointe en SI” et des recommandations méthodologiques pour l'application de l’AC. Nous avons utilisé ces contributions pour concevoir un SI de masse particulièrement sensible au respect de la vie privée des utilisateurs et nous avons évalué l’impact de nos recherches sur l'adoption de ce système par ses utilisateurs. Ainsi, notre travail contribue tant à la théorie qu’à la pratique des SI. Pour le monde universitaire, nous contribuons en proposant une conceptualisation plus nuancée de l'artefact informatique (c'est-à-dire du système) à travers le prisme des fonctionnalités et par une approche basée sur les préférences utilisateurs. Par ailleurs, les chercheurs peuvent également s'appuyer sur nos directives méthodologiques pour étudier les perceptions et les préférences des utilisateurs pour différentes variations de conception et étendre cela à l'adoption. De plus, nos études empiriques sur la conception d’un SI de masse sensible au respect de la vie privée des utilisateurs contribuent à une meilleure compréhension de l’application des techniques CA dans ce domaine spécifique. Nos études incluent notamment une évaluation nuancée des préférences des utilisateurs sur des fonctionnalités de protection de la vie privée. Pour les praticiens, nous proposons des lignes directrices qui permettent d’intégrer les exigences des clients afin de concevoir un SI réussi

"If You Can't Beat them, Join them": A Usability Approach to Interdependent Privacy in Cloud Apps

Cloud storage services, like Dropbox and Google Drive, have growing ecosystems of 3rd party apps that are designed to work with users' cloud files. Such apps often request full access to users' files, including files shared with collaborators. Hence, whenever a user grants access to a new vendor, she is inflicting a privacy loss on herself and on her collaborators too. Based on analyzing a real dataset of 183 Google Drive users and 131 third party apps, we discover that collaborators inflict a privacy loss which is at least 39% higher than what users themselves cause. We take a step toward minimizing this loss by introducing the concept of History-based decisions. Simply put, users are informed at decision time about the vendors which have been previously granted access to their data. Thus, they can reduce their privacy loss by not installing apps from new vendors whenever possible. Next, we realize this concept by introducing a new privacy indicator, which can be integrated within the cloud apps' authorization interface. Via a web experiment with 141 participants recruited from CrowdFlower, we show that our privacy indicator can significantly increase the user's likelihood of choosing the app that minimizes her privacy loss. Finally, we explore the network effect of History-based decisions via a simulation on top of large collaboration networks. We demonstrate that adopting such a decision-making process is capable of reducing the growth of users' privacy loss by 70% in a Google Drive-based network and by 40% in an author collaboration network. This is despite the fact that we neither assume that users cooperate nor that they exhibit altruistic behavior. To our knowledge, our work is the first to provide quantifiable evidence of the privacy risk that collaborators pose in cloud apps. We are also the first to mitigate this problem via a usable privacy approach.Comment: Authors' extended version of the paper published at CODASPY 201

Towards Mass Adoption of Contact Tracing Apps - Learning from Users’ Preferences to Improve App Design

Contact tracing apps have become one of the main approaches to control and slow down the spread of COVID-19 and ease up lockdown measures. While these apps can be very effective in stopping the transmission chain and saving lives, their adoption remains under the expected critical mass. The public debate about contact tracing apps emphasizes general privacy reservations and is conducted at an expert level, but lacks the user perspective related to actual designs. To address this gap, we explore user preferences for contact tracing apps using market research techniques, and specifically conjoint analysis. Our main contributions are empirical insights into individual and group preferences, as well as insights for prescriptive design. While our results confirm the privacy-preserving design of most European contact tracing apps, they also provide a more nuanced understanding of acceptable features. Based on market simulation and variation analysis, we conclude that adding goal-congruent features will play an important role in fostering mass adoption

Leveraging Market Research Techniques in IS: A Review and Framework of Conjoint Analysis Studies in the IS Discipline

With cloud and mobile computing, information systems (IS) have evolved towards mass-market services. While IS success requires user involvement, the IS discipline lacks methods that allow organizations to integrate the “voice of the customer” into mass-market services with individual and dispersed users. Conjoint analysis (CA), from marketing research, provides insights into user preferences and measures user trade-offs for multiple product features simultaneously. While CA has gained popularity in the IS domain, existing studies have mostly been one-time efforts, which has resulted in little knowledge accumulation about CA’s applications in IS. We argue that CA could have a significant impact on IS research (and practice) if this method was further developed and adopted for IS application areas. From reviewing 70 CA studies published between 1999 and 2019 in the IS discipline, we found that CA supports in initially conceptualizing, iteratively designing, and evaluating IS and their business models. We critically assess the methodological choices along the CA procedure to provide recommendations and guidance on “how” to leverage CA techniques in future IS research. We then synthesize our findings into a framework for conjoint analysis studies in IS that outlines “where” researchers and practitioners can apply CA along the IS lifecycle

Leveraging Market Research Techniques in IS – A Review of Conjoint Analysis in IS Research

With the increasing importance of mass-market information systems (IS), understanding individual user preferences for IS design and adoption is essential. However, this has been a challenging task due to the complexity of balancing functional, non-functional, and economic requirements. Conjoint analysis (CA), a marketing research technique, estimates user preferences by measuring tradeoffs between products attributes. Although the number of studies applying CA in IS has increased in the past years, we still lack fundamental discussion on its use in our discipline. We review the existing CA studies in IS with regard to the application areas and methodological choices along the CA procedure. Based on this review, we develop a reference framework for application areas in IS that serves as foundation for future studies. We argue that CA can be leveraged in requirements management, business model design, and systems evaluation. As future research opportunities, we see domain-specific adaptations e.g., user preference models

Learning From the Past to Improve the Future

Contact tracing apps were considered among the first tools to control the spread of COVID-19 and ease lockdown measures. While these apps can be very effective at stopping transmission and saving lives, the level of adoption remains significantly below the expected critical mass. The public debate as well as academic research about contact tracing apps emphasizes general concerns about privacy (and the associated risks) but often disregards the value-added services, as well as benefits, that can result from a larger user base. To address this gap, the study analyzes goal-congruent features as drivers for user adoption. It uses market research techniques – specifically, conjoint analysis – to study individual and group preferences and gain insights into the prescriptive design. While the results confirm the privacy-preserving design of most European contact tracing apps, they emphasize the role of value-added services in addressing heterogeneous user segments to drive user adoption. The findings thereby are of relevance for designing effective contact tracing apps, but also inform the user-oriented design of apps for health and crisis management that rely on sharing sensitive information

Privacy as a Part of the Preference Structure of Users App Buying Decision

Information privacy and personal data in information systems are referred to as the ‘new oil’ of the 21st century. The mass adoption of smart mobile devices, sensor-enabled smart IoT-devices, and mobile applications provide virtually endless possibilities of gathering users’ personal information. Previous research suggests that users attribute very little monetary value to their information privacy. The current paper assumes that users are not able to monetize their value of privacy due to its abstract nature and non-transparent context. By defining privacy as a crucial product attribute of mobile applications the authors provide an approach to measure the importance of privacy as part of users’ preference structure. The results of the conducted choice-based conjoint Analysis emphasize the high relevance of privacy in users’ preference structure when downloading an app and provide an interesting contribution for theory and practice

DO THEY REALLY CARE ABOUT TARGETED POLITICAL ADS? INVESTIGATION OF USER PRIVACY CONCERNS AND PREFERENCES

Reliance on targeted political ads has skyrocketed in recent years, leading to negative reactions in media and society. Nonetheless, only few studies investigate user privacy concerns and their role in user acceptance decisions in the context of online political targeting. To fill this gap, in this study we explore the magnitude of privacy concerns towards targeted political ads compared to “tradi-tional” targeting in the product context. Surprisingly, we find no notable differences in privacy concerns between these use purposes. In the next step, user preferences over ad types are elicited with the help of a discrete choice experiment in the mobile app adoption context. Among others, our findings from simulations on the basis of a mixed logit model cautiously suggest that while targeted political advertising is perceived as somewhat less desirable by respondents, its presence does not consequentially deter users from choosing such an app, with user preferences being high-ly volatile. Together, these results contribute to a better understanding of users’ privacy concerns and preferences in the context of targeted political advertising online. Acknowledgment This work has been funded by the Federal Ministry of Education and Research of Germany (BMBF) under grant no. 16DII116 (“Deutsches Internet-Institut”)

The (Co)-Location Sharing Game

Most popular location-based social networks, such as Facebook and Foursquare, let their (mobile) users post location and co-location (involving other users) information. Such posts bring social benefits to the users who post them but also to their friends who view them. Yet, they also represent a severe threat to the users’ privacy, as co-location information introduces interdependences between users. We propose the first game-theoretic framework for analyzing the strategic behaviors, in terms of information sharing, of users of OSNs. To design parametric utility functions that are representative of the users’ actual preferences, we also conduct a survey of 250 Facebook users and use conjoint analysis to quantify the users’ benefits of sharing vs. viewing (co)-location information and their preference for privacy vs. benefits. Our survey findings expose the fact that, among the users, there is a large variation, in terms of these preferences. We extensively evaluate our framework through data-driven numerical simulations. We study how users’ individual preferences influence each other’s decisions, we identify several factors that significantly affect these decisions (among which, the mobility data of the users), and we determine situations where dangerous patterns can emerge (e.g., a vicious circle of sharing, or an incentive to over-share) – even when the users share similar preferences

Interdependent and Multi-Subject Privacy: Threats, Analysis and Protection

In Alan Westin's generally accepted definition of privacy, he describes it as an individual's right 'to control, edit, manage, and delete information about them[selves] and decide when, how, and to what extent information is communicated to others.' Therefore, privacy is an individual and independent human right. The great Mahatma Gandhi once said that 'interdependence is and ought to be as much the ideal of man as selfsufficiency. Man is a social being.' To ensure this independent right to inherently social beings, it will be difficult, if not impossible. This is especially true as today's world is highly interconnected, technology evolves rapidly, data sharing is increasingly abundant, and regulations do not provide sufficient guidance in the realm of interdependency. In this thesis, we explore the topic of interdependent privacy from an adversarial point of view by exposing threats, as well as from an end-user point of view, by exploring awareness, preferences and privacy protection needs. First, we quantify the effect of co-locations on location privacy, considering an adversary such as a social-network operator that has access to this information: Not only can a user be localized due to her reported locations and mobility patterns, but also due to those of her friends (and the friends of her friends and so on). We formalize this problem and propose effective inference algorithms that substantially reduce the complexity of localization attacks that make use of co-locations. Our results show that an adversary can effectively incorporate co-locations in attacks to substantially reduce users' location privacy; this exposes a real and severe threat. Second, we investigate the interplay between the privacy risks and the social benefits of users when sharing (co-)locations on OSNs. We propose a game-theoretic framework for analyzing users' strategic behaviors. We conduct a survey of Facebook users and quantify their benefits of sharing vs. viewing information and their preference for privacy vs. benefits. Our survey exposes deficits in users' awareness of privacy risks in OSNs. Our results further show how users' individual preferences influence, sometimes in a negative way, each other's decisions. Third, we consider various types of interdependent and multi-subject data (photo, colocation, genome, etc.) that often have privacy implications for data subjects other than the uploader, yet can be shared without their consent or awareness. We propose a system for sharing such data in a consensual and privacy-preserving manner. We implement it in the case of photos, by relying on image-processing and cryptographic techniques, as well as on a two-tier architecture. We conduct a survey of Facebook users; it indicates that there is interest in such a system, and that users have increasing privacy concerns due to prejudice or discrimination that they have been or could still easily be exposed to. In conclusion, this thesis provides new insights on users' privacy in the context of interdependence and constitutes a step towards the design of novel privacy-protection mechanisms. It should be seen as a warning message for service providers and regulatory institutions: Unless the interdependent aspects of privacy are considered, this fundamental human right can never be guaranteed