Sören Preibusch

The Privacy Jungle:On the Market for Data Protection in Social Networks

We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy enhancing technologies with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, even then only as auxiliary, nondecisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites’ privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites’ privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximize sign-up numbers and encourage data sharing from the pragmatic majority of users.

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Implementing privacy negotiations in e-commerce

This paper examines how service providers may resolve the trade-off between their personalization efforts and users’ individual privacy concerns. We analyze how negotiation techniques can lead to efficient contracts and how they can be integrated into existing technologies to overcome the shortcomings of static privacy policies. The analysis includes the identification of relevant and negotiable privacy dimensions for different usage domains. Negotiations in multi-channel retailing are examined as a detailed example. Based on a formalization of the user’s privacy revelation problem, we model the negotiation process as a Bayesian game where the service provider faces different types of users. Finally an extension to P3P is proposed that allows a simple expression and implementation of negotiation processes. Support for this extension has been integrated in the Mozilla browser.

Privacy behaviors after Snowden

Despite continuing media coverage, the publics privacy behaviors have hardly changed.

Fairly truthful: The impact of perceived effort, fairness, relevance, and sensitivity on personal data disclosure

While personal data is a source of competitive advantage, businesses should consider the potential reaction of individuals to certain types of data requests. Privacy research has identified some factors that impact privacy perceptions, but these have not yet been linked to actual disclosure behaviour. We describe a field-experiment investigating the effect of different factors on online disclosure behaviour. 2720 US participants were invited to participate in an Amazon Mechanical Turk survey advertised as a marketing study for a credit card company. Participants were asked to disclose several items of personal data. In a follow-up UCL branded survey, a subset (N=1851) of the same participants rated how they perceived the effort, fairness, relevance, and sensitivity of the first phase personal data requests and how truthful their answers had been. Findings show that fairness has a consistent and significant effect on the disclosure and truthfulness of data items such as weekly spending or occupation. Partial support was found for the effect of effort and sensitivity. Privacy researchers are advised to take into account the under-investigated fairness construct in their research. Businesses should focus on non-sensitive data items which are perceived as fair in the context they are collected; otherwise they risk obtaining low-quality or incomplete data from their customers.

Price versus privacy: an experiment into the competitive advantage of collecting less personal information

In previous privacy studies, consumers have reported their unease with online retailers that collect a lot of personal data. Consumers claim they will switch to alternative providers or cancel transactions if data collection is deemed excessive. Therefore, privacy appears to be a competitive factor in electronic commerce.This paper describes a study which quantifies the degree to which privacy is a competitive advantage for online retailers. In an experiment, we offered 225 participants the option to purchase one DVD from one of two online stores. Throughout the study, one online shop asked for more invasive personal data—as confirmed by an exit-questionnaire. In the test treatment, the privacy-invasive store sold DVDs for one Euro less than the other, and in the control treatment, both stores sold DVDs for the same price. Across both treatments, 74 participants made a purchase and had the DVD they bought delivered.In our study we found that, when the price of DVDs was the same between both stores, the shop asking for less personal data did not amass the entire market. When consumers were offered a trade-off between price and privacy, the vast majority of customers chose to buy from the cheaper, more privacy-invasive, firm; this firm got both a larger market share and higher revenue. The cheaper shop generated strong dissatisfaction with their privacy practises; in contrast, consumers of the more expensive store displayed only weak dissatisfaction with price. We established the validity of our analysis by checking users made informed choices, and did not select one firm over the other due to hasty decision-making or ordering effects. We found no support for either a materialistic lifestyle nor the quest for immediate gratification as to why customers chose the cheaper but privacy-unfriendly store.

A Privacy-Protecting Business-Analytics Service for On-Line Transactions

Analysis of consumer-related and consumer-generated data is a very important way to measure the success of on-line retailing. The software packages for data analysis have two major shortcomings: (1) solutions are not offered as a service reachable by standard procedures over the Internet, but as isolated standalone applications or ERP system modules; (2) privacy restrictions need to be integrated into a framework of business analytics for Web retailers. The first aspect can be addressed with standardized developer software for Web services, but the second must consider privacy legislation, privacy specifications on Web sites (P3P), and data reidentification problems. These shortcomings are addressed by a proposed formal model of these problems and an implementation of the model as a declarative specification of privacy constraints, expressed as an extension of P3P. The constraints are complemented by a logic identifying the elements in a given set of Web analytics that might lead to data reidentification and therefore violate implicit privacy constraints. A Web-based service is presented that uses these components to automatically adapt the set of available Web analytics to an on-line retailers P3P policy. The system was tested on a large data set from a major European multichannel retailer.

The Privacy Economics of Voluntary Over-disclosure in Web Forms

The Web form is the primary method of collecting personal data from individuals on the Web. Privacy concerns, time spent, and typing effort act as a major deterrent to completing Web forms. Yet consumers regularly provide more data than required. In a field experiment, we recruited 1,500 Web users to complete a form asking for ten items of identity and profile information of varying levels of sensitivity. We manipulated the number of mandatory fields (none vs. two) and the compensation for participation (

Better decision support through exploratory discrimination-aware data mining: foundations and empirical evidence

0.25 vs.

The Privacy Landscape: Product Differentiation on Data Collection

0.50) to quantify the extent of over-disclosure, the motives behind it, and the resulting costs and privacy invasion. We benchmarked the efficiency of compulsion and incentives in soliciting data against voluntary disclosure alone.We observed a high prevalence of deliberate and unpaid over-disclosure of data. Participants regularly completed more form fields than required, or provided more details than requested. Through careful experimental design, we verified that participants understood that additional data disclosure was voluntary, and the information provided was considered sensitive. In our experiment, we found that making some fields mandatory jeopardised voluntary disclosure for the remaining optional fields. Conversely, monetary incentives for disclosing those same fields yielded positive spillover by increasing revelation ratios for other optional fields. We discuss the implications for commercial website operators, regulators, privacy-enhancing browser standards, and further experimental research in privacy economics.