Project

Privacy Communication

Goal: Information privacy–related organizational actions are obscured by enormous potential for hidden information and hidden action so that organizations have strong incentives to respond to normative requirements through lip service or even stronger forms of resistance. Organizations that intend to act in a socially-responsible way with respect to information privacy are confronted with a vast array of opportunities for substantive action with unclear interdependencies, utility, and effects. To make substantive communication of privacy practices a reality, normative and commercial incentives must be bridged and matched. On the one hand, normative principles must be refined to enable organizations, regulators, and consumers to differentiate between lip service and substantive privacy communication, and to identify deficiencies in privacy communication. On the other hand, more general design knowledge is required to enable organizations that want to establish substantive privacy communication to ascertain not only what can be done but to ascertain what should be done under what conditions. In this project, we develop the fundamental knowledge to make substantive privacy communication the reality.

Date: 1 January 1970 - 31 December 2022


Project log

Tobias Dehling
added a research item
Patient-centered health information technology services (PHS) provide personalized electronic health services to patients. Since provision of PHS entails handling sensitive medical information, a special focus on information security and privacy aspects is required. We present information security and privacy requirements for PHS and examine how security features of large-scale, inter-organizational health information technology networks, like the German health information technology infrastructure (HTI), can be used for ensuring information security and privacy of PHS. Moreover, we illustrate additional security measures that complement the HTI security measures and introduce a guideline for provision of PHS while ensuring information security and privacy. Our elaborations lead to the conclusion that security features of health information technology networks can be used to create a solid foundation for protecting information security and privacy in patient-centered health information technology services offered in public networks like the Internet.
Tobias Dehling
added 9 research items
Privacy communication will only work if it addresses consumers' information needs, which are neither static nor uniform. A promising, practically feasible approach is to tailor communication to consumer archetypes. This study identifies the different archetypes based on a web survey. The identified archetypes provide a solid foundation for realizing functioning privacy communication.
Privacy policies are notices posted by providers and intended to inform users about privacy practices. However, extant research shows that privacy policies are often of poor quality and do not address users’ concerns. In this paper, we design and develop PPC – a privacy policy content assessment instrument to support assessments of whether offered privacy policy content provides comprehensive information addressing users’ privacy concerns. PPC is developed based on extant research, standards, and guidelines. Application of PPC to 62 privacy policies of mHealth apps available in iOS and Android demonstrates utility of PPC and suitability of PPC as assessment instrument for privacy policy content. Contributions of our research are twofold: For research, we conduct improvement design science research contributing to design theory on assessment of privacy policy content. For practice, potential applications of PPC are support in privacy policy development and identification of deficiencies in offered privacy policies. In addition, through evaluation of PPC, we reveal an insufficient current state of mHealth app privacy policy content.
Background: Mobile health (mHealth) apps aim at providing seamless access to tailored health information technology and have the potential to alleviate global health burdens. Yet, they bear risks to information security and privacy because users need to reveal private, sensitive medical information to redeem certain benefits. Due to the plethora and diversity of available mHealth apps, implications for information security and privacy are unclear and complex. Objective: The objective of this study was to establish an overview of mHealth apps offered on iOS and Android with a special focus on potential damage to users through information security and privacy infringements. Methods: We assessed apps available in English and offered in the categories “Medical” and “Health & Fitness” in the iOS and Android App Stores. Based on the information retrievable from the app stores, we established an overview of available mHealth apps, tagged apps to make offered information machine-readable, and clustered the discovered apps to identify and group similar apps. Subsequently, information security and privacy implications were assessed based on health specificity of information available to apps, potential damage through information leaks, potential damage through information manipulation, potential damage through information loss, and potential value of information to third parties. Results: We discovered 24,405 health-related apps (iOS: 21,953; Android: 2452). Absence or scarceness of ratings for 81.36% (17,860/21,953) of iOS and 76.14% (1867/2452) of Android apps indicates that less than a quarter of mHealth apps are in more or less widespread use. Clustering resulted in 245 distinct clusters, which were consolidated into 12 app archetypes grouping clusters with similar assessments of potential damage through information security and privacy infringements. There were 6426 apps that were excluded during clustering. The majority of apps (95.63%, 17,193/17,979) pose at least some potential damage through information security and privacy infringements. There were 11.67% (2098/17,979) of apps that scored the highest assessments of potential damages. Conclusions: Various kinds of mHealth apps collect and offer critical, sensitive, private medical information, calling for a special focus on information security and privacy of mHealth apps. In order to foster user acceptance and trust, appropriate security measures and processes need to be devised and employed so that users can benefit from seamlessly accessible, tailored mHealth apps without exposing themselves to the serious repercussions of information security and privacy infringements.