Article

The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services

Authors: Jonathan A. Obar and Anne Oeldorf-Hirsch

Abstract

This paper addresses ‘the biggest lie on the internet’ with an empirical investigation of privacy policy (PP) and terms of service (TOS) policy reading behavior. An experimental survey (N=543) assessed the extent to which individuals ignore PP and TOS when joining a fictitious social networking site, NameDrop. Results reveal that 74% skipped the PP, selecting ‘quick join.’ For those who did read, average PP reading time was 73 seconds and average TOS reading time was 51 seconds. Based on average adult reading speed (250-280 words per minute), the PP should have taken 30 minutes to read and the TOS 16 minutes. A regression analysis revealed information overload as a significant negative predictor of reading the TOS upon signup, when the TOS changes, and when the PP changes. Qualitative findings further suggest that participants view policies as a nuisance, ignoring them to pursue the ends of digital production without being inhibited by the means. The implications are underscored by the finding that 98% missed NameDrop TOS ‘gotcha clauses’ about data sharing with the NSA and employers, and about providing a first-born child as payment for SNS access.
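
As a rough illustration of the arithmetic behind the abstract's reading-time estimates, the sketch below back-calculates the implied document lengths from the reported reading speed and compares them with the observed reading times. The word counts are assumptions derived from the stated figures, not the actual NameDrop policy lengths.

```python
# Back-of-the-envelope check of expected vs. observed reading times.
# The word counts are assumptions reverse-engineered from the reported
# figures (30 min for the PP, 16 min for the TOS at 250-280 wpm); they are
# not taken from the actual NameDrop instruments.

AVG_WPM = (250 + 280) / 2            # midpoint of typical adult reading speed

pp_words_assumed = 30 * AVG_WPM      # ~7,950 words if 30 minutes is accurate
tos_words_assumed = 16 * AVG_WPM     # ~4,240 words if 16 minutes is accurate

def expected_minutes(words: float, wpm: float = AVG_WPM) -> float:
    """Expected reading time in minutes at the given reading speed."""
    return words / wpm

observed_pp_seconds = 73
observed_tos_seconds = 51

print(f"PP:  expected {expected_minutes(pp_words_assumed):.0f} min, "
      f"observed {observed_pp_seconds / 60:.1f} min")
print(f"TOS: expected {expected_minutes(tos_words_assumed):.0f} min, "
      f"observed {observed_tos_seconds / 60:.1f} min")
```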

... This is referred to as the principle of notice and choice [30,50] or notice and consent [1]. However, privacy policies are often ineffective, as users do not read them and fail to understand them [32]. While most users, about 74%, do not read privacy policies at all, those who do spend an average of only 73 seconds on the entire policy, which is far too short to read and understand the whole text [32]. The reasons for this include their length, their abstract legal language, and the fact that they are often hidden somewhere at the end of the website [13,25,28,32,38]. ...
... Even after reading PPs, users are unlikely to remain aware of them, particularly considering the plethora of services and the irregular updates of PPs. Even though plain-text PPs are rarely read and understood, for various reasons including their length, their difficult legal language, and their abstract nature, PPs remain the primary means of informing users about the use of their personal information [27,30,34]. According to Obar [34], these issues lead to 74% of users not reading PPs at all. ...
... This is called the principle of notice and choice [46,62]. Unfortunately, users often do not read PPs [34] and do not understand them the way they are currently implemented, so they do not fulfill their aim of informing the users [42]. Among other reasons, their length and the complexity of their legal language are problematic for users [12]. ...
... Even where limited options exist for controlling what user data is stored, those options are often hard to find, and the default settings favor the gathering of user data. Some companies have abused the Terms and Conditions that users must agree to, in ways that encourage irresponsible acceptance [2][3][4]. They use vague language and are so excessive in length that a layperson could not reasonably be expected to have read or understood them [2][3][4]. Users are rarely, if ever, educated on what data will be collected and how that data will be used [2][3][4]. The burden of self-elucidation is left to the user, and this burden is too great [2][3][4]. ...
Preprint
Full-text available
We review how existing trends are relevant to the discussion of brain-computer interfaces and the data they would generate. Then, we posit how the commerce of neural data, dubbed Neurocapitalism, could be impacted by the maturation of brain-computer interface technology. We explore how this could pose fundamental changes to our way of interacting, as well as to our sense of autonomy and identity. Because of the power inherent in the technology, and its potentially ruinous abuses, action must be taken before the appearance of the technology, and not come as a reaction to it. The widespread adoption of brain-computer interface technology will certainly change our way of life. Whether it is changed for the better or worse depends on how well we prepare for its arrival.
... This is referred to as the principle of notice and choice [44,70] or notice and consent [7]. Most users are concerned about their online privacy [67]; however, they do not read privacy policies and often do not understand them [47]. Reasons for not reading privacy policies include their length, the difficult legal language in which they are written, and their location, which is often not very prominent [42,40,54,47,22]. It can be concluded that privacy policies, as they are presented today, do not fulfill the purpose of informing users. It takes a long time to read them, but users usually do not take that time. Obar found that the average time spent reading privacy policies is 73 seconds [47], which is not enough to read and comprehend them. The difficulty of the legal language in which they are written is another reason for users' struggle to understand privacy policies [40]. ...
... The study described above confirms previous studies [14,15], according to which users, on average, make only moderate efforts to improve their privacy settings or to retrieve information on the use of their own data in the privacy notice. In many cases, this contradicts the user's own need for privacy, which is one of the key drivers for performing privacy-related activities. ...
... Studies regarding the frequency of use of privacy notices have been performed by Moallem [14] and Obar & Oeldorf-Hirsch [15]. Our study confirms the results of these studies, but has eight and 2.5 times more participants, respectively, drawn cross-sectionally from society. ...
... All these improvement aspects are important and could benefit from our intention model as a baseline for requirements. The consequences of a lack of acceptance of privacy notices have been analyzed in different surveys [15,18,19]. This is relevant for our work insofar as the (expected) consequences affect the user's intention towards privacy notices. ...
Chapter
Privacy is a vital aspect of IT systems and services, and it is demanded by users and by law. Thus, most data-processing services provide interfaces for users to support transparency (e.g., privacy notices) and self-determination (e.g., privacy settings). In this paper, we present evidence that users do not make use of these privacy interfaces—although they generally would like to. Based on our findings, we present an intention model in order to explain this behavior. The model combines aspects such as privacy demands, motivation and barriers in order to argue about the resulting intention of the user regarding the application of privacy interfaces. We show the applicability of our model by instantiating it to a concrete use case.
... The ambassadors then provided transcripts (using the notation recommended by [18]) from these interviews, which were analysed by the authors for common themes. Although there was overlap with those found in the initial literature review, a further 8 motivators were elicited, including supporting family/home life. [Figure 1: Illustrative example of how a laddering exercise leads a student to reveal a core value that they hold about a given motivation to study.] Interestingly, negative motivators related to fear and failure were elicited, as well as a sense of wanting to rise above current circumstances and broaden opportunities; both perhaps representing the types of students recruited for the sessions. ...
... More work is needed to see what differences in student perceptions of LA there are in different disciplines, but embedding both the lecturer and the physical lecture into LA seems to be important. When it comes to the issue of students who signed up generally ignoring the privacy policy, this is a common problem with privacy policy reading behaviour [15] and has at this point been identified as a future refinement. Ideally, though, LA would be integrated into the institutional I.T. Policies and Procedures, meaning that consent would be gained as part of University enrolment. ...
Conference Paper
Current Learning Analytics (LA) systems are primarily designed with University staff members as the target audience; very few are aimed at students, with almost none being developed with direct student involvement and undertaking a comprehensive evaluation. This paper describes a HEFCE funded project that has employed a variety of methods to engage students in the design, development and evaluation of a student facing LA dashboard. LA was integrated into the delivery of 4 undergraduate modules with 169 student sign-ups. The design of the dashboard uses a novel approach of trying to understand the reasons why students want to study at university and maps their engagement and predicted outcomes to these motivations, with weekly personalised notifications and feedback. Students are also given the choice of how to visualise the data either via a chart-based view or to be represented as themselves. A mixed-methods evaluation has shown that students' feelings of dependability and trust of the underlying analytics and data is variable. However, students were mostly positive about the usability and interface design of the system and almost all students once signed-up did interact with their LA. The majority of students could see how the LA system could support their learning and said that it would influence their behaviour. In some cases, this has had a direct impact on their levels of engagement. The main contribution of this paper is the transparent documentation of a User Centred Design approach that has produced forms of LA representation, recommendation and interaction design that go beyond those used in current similar systems and have been shown to motivate students and impact their learning behaviour.
... Often provided as a 'tick box' opt-in, the ACCC (2019) argues that meaningful consent is not being obtained through this process. This argument is supported by Obar and Oeldorf-Hirsch (2016), who suggest that there are deep flaws in assuming people can interpret legal policy associated with 'opting in' via a tick box. Pragmatically, this has also been demonstrated across multiple platforms. ...
Article
As a result of the growing commercial marketplace for teachers’ digital data, a new organization that includes educational data brokers has evolved. Educational data brokerage is relatively intangible due to the ease with which de-identified data can be collected and sold via educational technology. There is an urgent need to expose how the brokerage of educational data relates to the commercial mediation of consent and privacy in educational settings. Doing so is difficult due to a lack of consistent terminology for organizations that buy and sell data. This paper offers an extensive analysis of the social learning platform Edmodo and provides evidence that justifies the term ‘educational data broker’. The results aim to provide new terminology for a largely obfuscated process in educational settings and bring to light a concrete example of brokerage activity focusing on teachers’ online activity.
... This results in many of us deciding to simply "click through" notices rather than reading them (Ben-Shahar & Schneider, 2010; Schaub et al., 2015). Disturbingly, a study of online social networking services estimated that this "click through" rate could be as high as 74% (Obar & Oeldorf-Hirsch, 2018). Eventually, this notice fatigue can cause us to become "apathetic users": those who decide to consent every time to a service's data collection practices because they "no longer care" about their data privacy. ...
Preprint
Full-text available
In the current post-GDPR landscape, privacy notices have become ever more prevalent on our phones and online. However, these notices are not well suited to their purpose of helping users make informed decisions. I suggest that instead of utilizing notice to elicit informed consent, we could repurpose privacy notices to create the space for more meaningful, value-centered user decisions. Value-centered privacy decisions, or those that accurately reflect who we are and what we value, encapsulate the intuitive role of personal values in data privacy decisions. To explore how notices could be repurposed to support such decisions, I utilize Suzy Killmister's four-dimensional theory of autonomy (4DT) to operationalize value-centered privacy decisions. I then assess the degree to which an existing technology, Personalized Privacy Assistants (PPAs), uses notices in a manner that allows for value-centered decision-making. Lastly, I explore the implications of the PPA assessment for designing a new assistant, called a value-centered privacy assistant (VcPA). A VcPA could ideally utilize notices to assist users in value-centered app selection and in other data privacy decisions.
... This results in many of us deciding to simply "click through" notices rather than reading them (Ben-Shahar & Schneider, 2010; Schaub et al., 2015). Disturbingly, a study of online social networking services estimated that this "click through" rate could be as high as 74% (Obar & Oeldorf-Hirsch, 2018). Eventually, this notice fatigue can cause us to become "apathetic users": those who decide to consent every time to a service's data collection practices because we "no longer care" about our data privacy. ...
Article
Full-text available
In the current post-GDPR landscape, privacy notices have become ever more prevalent on our phones and online. However, these notices are not well suited to their purpose of helping users make informed decisions. I suggest that instead of utilizing notice to elicit informed consent, we could repurpose privacy notices to create the space for more meaningful, value-centered user decisions. Value-centered privacy decisions, or those that accurately reflect who we are and what we value, encapsulate the intuitive role of personal values in data privacy decisions. To explore how we could design for such decisions, I utilize Suzy Killmister’s Four-Dimensional Theory of Autonomy (4DT) to operationalize value-centered privacy decisions. I then utilize 4DT to help design a system—called a value-centered privacy assistant (VcPA)—that could help create the space for value-centered data privacy decisions using privacy notices. Using this 4DT lens, I further assess the degree that an existing technology, personalized privacy assistants (PPAs), use notices in a manner that allows for value-centered decision-making. I lastly utilize insights from the PPA assessment to inform the design of a VcPA, concluding that a VcPA could utilize notices to assist users in value-centered app selection and in other data privacy decisions.
... While this is a relevant concern for some users, previous research finds that users' privacy requirements for research on social media are highly contextual and extend past merely the possibility of being identified (Fiesler and Proferes 2018). And while Facebook users sign agreements that authorize their data for use in research, prior research shows that few users understand the meaning of these agreements, or indeed read them at all (Fiesler, Lampe, and Bruckman 2016;Obar and Oeldorf-Hirsch 2018). Thus, the existence of differential privacy alone does not ameliorate all privacy concerns for users, and indeed may facilitate the violation of users' privacy, as some of this dataset's organizers describe in Kifer et al. (2020). ...
Article
Full-text available
It has been difficult to address the impact and targeting of online foreign influence operations, because researchers rarely have insight into the demographic characteristics of users who interact with content on large social media platforms. To address this gap, we combine insights from an anonymized estimated demographic dataset of Facebook data and a deeply-researched dataset of user interactions from Twitter. We use as a case study the well-characterized influence operation revolving around the Syria Civil Defence, also known as White Helmets, to understand how different audiences in the United States interact with “ecosystems” of mainstream and alternative web domains according to age, gender, and Facebook’s political affinity score. We reflect on the unusual left-leaning tilt of alternative, conspiracy-oriented web domains in our dataset in light of the historical context of United States military interventions. We also discuss the ethical considerations of using an anonymized demographic dataset provided by a private company.
... Often provided as a 'tick box' opt-in, the ACCC (2019) argues that meaningful consent is not being obtained through this process. This argument is supported by Obar and Oeldorf-Hirsch (2020), who suggest that there are deep flaws in assuming people can interpret legal policy associated with 'opting in' via a tick box. Rennie et al. (2019), in an exploration of privacy and app use in Australian primary schools, found that 60% of teachers did not explicitly consider privacy. ...
Article
Full-text available
The introduction of digital platforms in K-12 Education has seen the identity of the teacher shift with the roles of technology in teaching and learning. Commercial Platforms, Learning Designers, and Employers are increasingly using data collected in the classroom to profile teachers via measurable outcomes. These algorithmically measured outcomes embed new identities for the teacher in classrooms. As a result, ubiquitous learning moves away from how commercial platforms may be used to support learning outcomes, and toward how teacher data is used to support the development of algorithmically measured outcomes. Drawing on interdisciplinary research, three lenses to explore the changing identity of the teacher are presented via a theoretical discussion paper: a Learning Analytics lens, a Media and Communications lens, and an Educational lens. Underpinned by Postdigital theory, the lenses are used to introduce a postdigital teacher identities praxis that explores the role of technologies in educational systems. Acknowledging and celebrating that these lenses are valid in specific contexts, in this paper, I argue that postdigital teacher identities is indeed a liberating praxis. It is by recognizing the implications of technologies in education associated with re-conceptualized forms of teacher identity that we may explore human values and technology more deeply.
... While it is well understood that lengthy terms of service are often not sufficiently readable [44], and that most people do not read them [45], it is of concern that so many applications, including those from QS market leaders, fail to make fundamental information about the way their services function available in situ. With data protection regimes such as the EU's GDPR strengthening the requirements for clear privacy notices at the time of data collection, it is evident that this is being regularly subverted by many QS applications. ...
Preprint
Background: The recent proliferation of self-tracking technologies has allowed individuals to generate significant quantities of data about their lifestyle. These data can be used to support health interventions and monitor outcomes. However, these data are often stored and processed by vendors who have commercial motivations, and thus, they may not be treated with the sensitivity with which other medical data are treated. As sensors and apps that enable self-tracking continue to become more sophisticated, the privacy implications become more severe in turn. However, methods for systematically identifying privacy issues in such apps are currently lacking. Objective: The objective of our study was to understand how current mass-market apps perform with respect to privacy. We did this by introducing a set of heuristics for evaluating privacy characteristics of self-tracking services. Methods: Using our heuristics, we conducted an analysis of 64 popular self-tracking services to determine the extent to which the services satisfy various dimensions of privacy. We then used descriptive statistics and statistical models to explore whether any particular categories of an app perform better than others in terms of privacy. Results: We found that the majority of services examined failed to provide users with full access to their own data, did not acquire sufficient consent for the use of the data, or inadequately extended controls over disclosures to third parties. Furthermore, the type of app, in terms of the category of data collected, was not a useful predictor of its privacy. However, we found that apps that collected health-related data (eg, exercise and weight) performed worse for privacy than those designed for other types of self-tracking. Conclusions: Our study draws attention to the poor performance of current self-tracking technologies in terms of privacy, motivating the need for standards that can ensure that future self-tracking apps are stronger with respect to upholding users’ privacy. Our heuristic evaluation method supports the retrospective evaluation of privacy in self-tracking apps and can be used as a prescriptive framework to achieve privacy-by-design in future apps.
... Protecting such data is a key theme today, raising many concerns about consumer protection. At the same time, research has shown that hardly anyone reads the fine print in contracts (for business to consumer relationships see Obar and Oeldorf-Hirsch 2016; for similar cases in business to business relationships see MacAulay 1963). Despite being offered the chance to confirm what the provider of goods or services will do, people delegate tasks with less governance than what is available. ...
... Most people do not completely read privacy policies or terms and conditions forms; they just accept these forms to enter websites (Obar, 2016). Selling information in BSMD is a good incentive for users to guard their privacy and read terms and conditions, as this may imply that users will not give away their information before checking whether the profit they make is a fair exchange. ...
Article
Blockchain has the potential to render the transaction of information more secure and transparent. Nowadays, transportation data are shared across multiple entities using heterogeneous mediums, from paper-collected data to smartphones. Most of these data are stored in central servers that are susceptible to hacks. In some cases, shady actors who may have access to such sources share the mobility data with unwanted third parties. A multi-layered Blockchain framework for Smart Mobility Data-market (BSMD) is presented for addressing the associated privacy, security, management, and scalability challenges. Each participant shares their encrypted data to the blockchain network and can transact information with other participants as long as both parties agree to the transaction rules issued by the owner of the data. Data ownership, transparency, auditability and access control are the core principles of the proposed blockchain for smart mobility data-market. In a case study of real-time mobility data sharing, we demonstrate the performance of BSMD on a 370-node blockchain running on heterogeneous and geographically-separated devices communicating on a physical network. We also demonstrate how BSMD ensures the cybersecurity and privacy of individuals by safeguarding against spoofing and message interception attacks and by providing information access management control.
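
The abstract describes owner-issued transaction rules that both parties must accept before data are exchanged. The following is a minimal, hypothetical sketch of that gatekeeping step; the rule fields and function names are illustrative assumptions, not the BSMD implementation.

```python
# Hypothetical sketch of an owner-issued transaction rule check, loosely
# modelled on the BSMD description: data are shared only if the requester
# accepts and complies with the rules attached by the data owner.
# Field names are invented for illustration.
from dataclasses import dataclass

@dataclass
class TransactionRule:
    allowed_purposes: set          # e.g. {"routing", "congestion-analysis"}
    max_retention_days: int        # how long the requester may keep the data
    resale_allowed: bool = False   # may the requester pass data to third parties?

@dataclass
class TransactionRequest:
    requester: str
    purpose: str
    retention_days: int
    intends_resale: bool
    accepted_rules: bool           # explicit agreement recorded with the transaction

def authorize(rule: TransactionRule, req: TransactionRequest) -> bool:
    """Return True only if the request complies with the owner's rules."""
    return (
        req.accepted_rules
        and req.purpose in rule.allowed_purposes
        and req.retention_days <= rule.max_retention_days
        and (rule.resale_allowed or not req.intends_resale)
    )

rule = TransactionRule(allowed_purposes={"routing"}, max_retention_days=30)
req = TransactionRequest("city-planner", "routing", 14, False, accepted_rules=True)
print(authorize(rule, req))  # True: rules accepted and respected
```
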
... This requires that the Web convert from the current state of often long legal texts to human-friendly interfaces. In an interesting title, Obar called this state of play the biggest lie on the Internet [5]. To give a paradigmatic example, it has been shown that users accepted free Wi-Fi in exchange for ridiculous conditions such as giving their first-born child away. ...
Article
Full-text available
Consent is a cornerstone in any Privacy practice or public policy. Much beyond a simple "accept" button, we show in this paper that obtaining and demonstrating valid Consent can be a complex matter since it is a multifaceted problem. This is important for both Organisations and Users. As shown in recent cases, not only can an individual not prove what they accepted at any point in time, but organisations also struggle to prove such consent was obtained, leading to inefficiencies and noncompliance. To a large extent, this problem has not received sufficient visibility and research effort. In this paper, we review the current state of Consent and tie it to a problem of Accountability. We argue for a different approach to how the Web of Personal Information operates: the need for an accountable Web in the form of Personal Data Receipts, which are able to protect both individuals and organisations. We call this evolution the Web-of-Receipts: online actions, from registration to real-time usage, are preceded by valid consent and are auditable (for Users) and demonstrable (for Organisations) at any moment by using secure protocols and locally stored artefacts such as Receipts. The key contribution of this paper is to elaborate on this unique perspective, present proof-of-concept results and lay out a research agenda.
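
A minimal sketch of the "receipt" idea described above: a locally storable, tamper-evident record of what was consented to and when. It uses a plain HMAC purely for illustration; this is an assumption about one possible realisation, not the authors' protocol.

```python
# Illustrative consent receipt: a MAC'd record that a user (or organisation)
# can store locally and later present as evidence of what was agreed and when.
# Toy construction only; key management and the actual Web-of-Receipts
# protocols are out of scope.
import hmac, hashlib, json, time

SECRET_KEY = b"shared-or-escrowed-key"   # placeholder key for the example

def issue_receipt(user_id: str, policy_version: str, purposes: list) -> dict:
    body = {
        "user": user_id,
        "policy_version": policy_version,
        "purposes": purposes,
        "timestamp": int(time.time()),
    }
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return body

def verify_receipt(receipt: dict) -> bool:
    claimed_mac = receipt["mac"]
    body = {k: v for k, v in receipt.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(claimed_mac, expected)

r = issue_receipt("alice", "PP-2019-03", ["analytics", "personalisation"])
print(verify_receipt(r))  # True unless the receipt has been altered
```
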
... Unfortunately, ToS or conditions of use are so long and complex that very few people ever read them. One study of the time people take to read them indicates that "participants view policies as nuisance, ignoring them to pursue the ends of digital production, without being inhibited by the means" (Obar and Oeldorf-Hirsch 2018). This means that social media companies are largely free to pursue their ends in data surveillance, insofar as users are obligated to act to protect their own privacy or security. ...
Book
This book explores the political economics and cultural politics of social media news sharing, investigating how it is changing journalism and the news media internationally. News sharing plays important economic and cultural roles in an attention economy, recommending the stories audiences find valuable, making them more visible, and promoting the digital platforms that are reshaping our media ecologies. But is news sharing a force for democracy, or a sign of journalism’s declining power to set news agendas? In Sharing News Online, Tim Dwyer and Fiona Martin analyse the growth of commendary culture and the business of social news, critique the rise of news analytics and dissect virality online. They reveal that surprisingly, we share political stories more highly than celebrity news, and they probe how deeply affect drives our sharing behaviour. In mapping the contours of a critical digital media phenomenon, this book makes essential reading for scholars, journalists and media executives.
... Most people do not completely read privacy policies or terms and conditions forms; they just accept these forms to enter websites [27]. Selling information in BSMD is a good incentive for users to guard their privacy and read terms and conditions, as this may imply that users will not give away their information before checking whether the profit they make is a fair exchange. ...
Preprint
Blockchain has the potential to render the transaction of information more secure and transparent. Nowadays, transportation data are shared across multiple entities using heterogeneous mediums, from paper-collected data to smartphones. Most of these data are stored in central servers that are susceptible to hacks. In some cases, shady actors who may have access to such sources share the mobility data with unwanted third parties. A multi-layered Blockchain framework for Smart Mobility Data-market (BSMD) is presented for addressing the associated privacy, security, management, and scalability challenges. Each participant shares their encrypted data to the blockchain network and can transact information with other participants as long as both parties agree to the transaction rules issued by the owner of the data. Data ownership, transparency, auditability and access control are the core principles of the proposed blockchain for smart mobility data-market. In a case study of real-time mobility data sharing, we demonstrate the performance of BSMD on a 370-node blockchain running on heterogeneous and geographically-separated devices communicating on a physical network. We also demonstrate how BSMD ensures the cybersecurity and privacy of individuals by safeguarding against spoofing and message interception attacks and by providing information access management control.
... There are fundamental problems with this approach, the most obvious being that while pre-GDPR laws assume a tick in a box as legal consent, in practice it is very rare that users have actually read the terms, and even less so that they have understood them. Crudely but vividly demonstrating how such mechanisms are not an effective way to gain meaningful consent, a 2016 study found that of the people who agreed to terms, only 25% of participants looked at the agreement at all, and only 2% could demonstrate reasonable comprehension (Obar & Oeldorf-Hirsch, 2016). One-size-fits-all approaches, whereby user agreements are written in such a way as to obtain all the permission the device or system could ever need, structurally remove the ability for users to be selective about which features of a system they actually want to use, and thus deny them the GDPR protection for 'specific unambiguous' consent. ...
... Superficially, the exchange is simple: users of this sort of software gain the capacity to monitor and analyze their health and fitness, while the software's developers gain access to a wealth of valuable personal data. However, surveys reveal that users often do not understand the level of exposure they undertake by agreeing to share their personal information (Obar and Oeldorf-Hirsch 2016). As Joseph Turow notes, "[M]ost people don't know the rules of the new digital marketplace and they think the government protects them more than it does" (Turow 2017, p. 252). ...
Article
Full-text available
We offer an ethical assessment of the market for data used to generate what are sometimes called “consumer scores” (i.e., numerical expressions that are used to describe or predict people’s dispositions and behavior), and we argue that the assessment has ethical implications on how the market for consumer scoring data should be regulated. To conduct the assessment, we employ two heuristics for evaluating markets. One is the “harm” criterion, which relates to whether the market produces serious harms, either for participants in the market, for third parties, or for society as a whole. The other is the “agency” criterion, which relates to whether participants understand the nature and significance of the exchanges they are making, if they can be guaranteed fair representation, or if there is differential need for the market’s good. We argue that consumer scoring data should be subject to the same sort of regulation as the older FICO credit scores. Although the movement in the 1990s that was aimed at regulating the FICO scores was not aimed at restraining a market per se, we argue that the reforms were underwritten by concerns about the same sorts of problems as those outlined by our heuristics. Therefore, consumer data should be subject to the same sort of regulation.
... A recent survey on policy-reading behaviour (Obar and Oeldorf-Hirsch 2016) reveals that consumers rarely read the contracts they are required to accept. This resonates with our direct experience and with what has long been said, that the biggest lie on the Internet is "I have read and agree to the terms and conditions". ...
Article
Full-text available
Terms of service of on-line platforms too often contain clauses that are potentially unfair to the consumer. We present an experimental study where machine learning is employed to automatically detect such potentially unfair clauses. Results show that the proposed system could provide a valuable tool for lawyers and consumers alike.
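
The abstract above describes applying machine learning to flag potentially unfair ToS clauses. As a generic illustration of that kind of pipeline (not the authors' system; the training sentences and labels below are invented toy data), a bag-of-words linear classifier over labelled clauses might look like this:

```python
# Generic sketch of a clause-level unfairness classifier: TF-IDF features plus
# a linear SVM. Toy annotations only; the cited study uses its own annotated
# corpus and its own models.
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.svm import LinearSVC
from sklearn.pipeline import make_pipeline

clauses = [
    "We may terminate your account at any time without notice.",
    "You can export your data at any time from the settings page.",
    "We may change these terms at our sole discretion without notifying you.",
    "We will notify you by email before any change to these terms.",
]
labels = [1, 0, 1, 0]  # 1 = potentially unfair, 0 = fair (toy labels)

model = make_pipeline(TfidfVectorizer(ngram_range=(1, 2)), LinearSVC())
model.fit(clauses, labels)

test = ["The provider may suspend the service at any time without notice."]
print(model.predict(test))  # likely [1] on this toy data
```
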
... Or is it possible that explanations are vulnerable to the same unreflected big-data assumptions as processing itself? Would people (data subjects as well as other stakeholders such as monitoring agents) just ignore additional inundations of information, as they do with privacy notices [22] and consent prompts (see Section 3.2)? Similar arguments are made about breach notices [23], as one indicator of "the limits of notice and choice" [6]. ...
Chapter
The EU’s General Data Protection Regulation is poised to present major challenges in bridging the gap between law and technology. This paper reports on a workshop on the deployment, content and design of the GDPR that brought together academics, practitioners, civil-society actors, and regulators from the EU and the US. Discussions aimed at advancing current knowledge on the use of abstract legal terms in the context of applied technologies together with best practices following state of the art technologies. Five themes were discussed: state of the art, consent, de-identification, transparency, and development and deployment practices. Four traversal conflicts were identified, and research recommendations were outlined to reconcile these conflicts.
... Another study proved what we already assumed: that ToS agreements are not read by the majority of users. Obar and Oeldorf-Hirsch (2016) tested 543 participants to see if they read and understood the ToS of a fictional website and empirically concluded that the "vast majority of participants completely missed a variety of potentially dangerous and life-changing clauses". While this unfamiliarity of the majority of consumers might pass under an SFC legal concept known as the "informed minority" hypothesis, which claims that "regulation is effective if it at least increases the proportion of informed consumers to a critical mass able to influence sellers' decisions" (D'Agostino, 2015), the exact proportion needed to make a difference is difficult to determine. ...
Article
Full-text available
With a budding market of widespread smart contract implementation on the horizon, there is much conversation about how to regulate this new technology. Discourse on standard form contracts (SFCs) and how they have been adopted in a digital environment is useful toward predicting how smart contracts might be interpreted. This essay provides a critical review of the discourse surrounding digitised SFCs and applies it to issues in smart contract regulation. An exploration of the literature surrounding specific instances of SFCs finds that it lacks a close examination of the textual and documentary aspects of SFCs, which are particularly important in a digital environment as a shift in medium prompts a different procedural process. Instead, common perspectives are either based on outdated notions of paper versions of these contracts or on ideologies of industry and business that do not sufficiently address the needs of consumers/users in the digital age. Most importantly, noting the failure of contract law to address the inequities of SFCs in this environment can help prevent them from being codified further with smart contracts.
... Obar and Oeldorf-Hirsch [5] found that 74% of the 543 people in their study did not even read the privacy policy. Where websites force users to read and agree to their policies (e.g. ...
... There are fundamental problems with this approach, the most obvious of which is that while users often tick boxes saying they have read terms and conditions, the tick is no indication of whether they have actually read the text, nor whether they have understood it. In one study only 25% of participants looked at the agreement at all, and as few as 2% could demonstrate comprehension of the agreement's content [28]. User agreements that obtain a wide spectrum of consent, whereby a user gives all the permission a device or service could ever possibly need, stifle users' agency to be selective about which features of a system they would like to use (which in turn seems to contravene the GDPR-protected right to specific and unambiguous consent). ...
Chapter
In this paper we highlight design challenges that the Internet of Things (IoT) poses in relation to two of the guiding design paradigms of our time: Privacy by Design (PbD) and Human Centered Design (HCD). The terms IoT, PbD, and HCD are all suitcase terms, meaning that they have a variety of meanings packed within them. Depending on how the practices behind the terms are applied, notwithstanding their well-considered foundations, intentions, and theory, we explore how PbD and HCD can, if not considered carefully, become Heffalump traps and hence act in opposition to the very challenges they seek to address. In response to this assertion we introduce Object Oriented Ontology (OOO) and experiment with its theoretical framing in order to articulate possible strategies for mitigating these challenges when designing for the Internet of Things.
... It's no surprise to find that half of the non-OA articles posted to ResearchGate infringed copyright and/or publisher policies (Rumsey, 2018; Jamali, 2017) because hardly anyone reads terms and conditions (Obar & Oeldorf-Hirsch, 2018). There's a growing appetite for informal publishing: Crossref has noticed a 30% growth in preprints for the past two years, powered by bioRxiv (figure 4) (Lin, 2018), and SSRN, Elsevier's recently acquired preprint platform, launched four new sections and is now being used to offer a preprint and preview service to Elsevier's prestige brands, The Lancet and Cell. ...
Preprint
Full-text available
Progress to open access has stalled, with perhaps 20% of new papers ‘born-free’ and half of all versions of record paywalled. Since all stakeholders in scholarly communications agree that open access is the objective, the question is why. In this preprint, I review the last 12 months: librarians showing muscle in negotiations; publishers’ Read and Publish deals; and funders determined to force change with initiatives like Plan S. I conclude that these efforts won’t yield fruit. Flipping to supply-side business models such as article processing charges (APCs) simply flips the paywall to a ‘play-wall’, to the disadvantage of authors without financial support. Besides, the focus on open access makes us miss the bigger picture: today’s scholarly communications is unaffordable with today’s budgets. Open access isn’t the problem; the publishing process is the problem. Using the principles of digital transformation, I argue for a two-step publishing paradigm where articles are published first as preprints, and editors then invite authors to submit only papers that ‘succeed’. This would reduce costs significantly, opening a sustainable pathway to open access. The catalyst for this change is for the reputation economy to accept preprints as it does articles in minor journals today.
... 37% reported that they knew about their data being collected and used [24]. An experiment with a fictitious social networking site found that three quarters of participants skipped reading its terms of service altogether [20]. A mere 15% of the participants in this study reported concerns with intentionally disadvantageous policies, containing clauses such as free disposal over data to e.g. ...
... While it is well understood that lengthy terms of service are often not sufficiently readable [42] and that most people do not read them [43], it is of concern that so many applications, including those from QS market leaders, fail to provide information about the way their services function in situ. With data protection regimes such as the EU's GDPR strengthening the requirements for clear privacy notices at the time of data collection, it is evident that this is being regularly subverted by many self-tracking applications. ...
Article
Full-text available
Background: The recent proliferation of self-tracking technologies has allowed individuals to generate significant quantities of data about their lifestyle. These data can be used to support health interventions and monitor outcomes. However, these data are often stored and processed by vendors who have commercial motivations, and thus, they may not be treated with the sensitivity with which other medical data are treated. As sensors and apps that enable self-tracking continue to become more sophisticated, the privacy implications become more severe in turn. However, methods for systematically identifying privacy issues in such apps are currently lacking. Objective: The objective of our study was to understand how current mass-market apps perform with respect to privacy. We did this by introducing a set of heuristics for evaluating privacy characteristics of self-tracking services. Methods: Using our heuristics, we conducted an analysis of 64 popular self-tracking services to determine the extent to which the services satisfy various dimensions of privacy. We then used descriptive statistics and statistical models to explore whether any particular categories of an app perform better than others in terms of privacy. Results: We found that the majority of services examined failed to provide users with full access to their own data, did not acquire sufficient consent for the use of the data, or inadequately extended controls over disclosures to third parties. Furthermore, the type of app, in terms of the category of data collected, was not a useful predictor of its privacy. However, we found that apps that collected health-related data (eg, exercise and weight) performed worse for privacy than those designed for other types of self-tracking. Conclusions: Our study draws attention to the poor performance of current self-tracking technologies in terms of privacy, motivating the need for standards that can ensure that future self-tracking apps are stronger with respect to upholding users' privacy. Our heuristic evaluation method supports the retrospective evaluation of privacy in self-tracking apps and can be used as a prescriptive framework to achieve privacy-by-design in future apps.
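
As a schematic of the heuristic-evaluation approach the abstract describes, each service can be scored against a checklist and the scores compared across app categories. The heuristics and example services below are placeholders of my own, not the study's instrument or data.

```python
# Illustrative heuristic scoring of self-tracking services (placeholder
# criteria and services; the cited study defines its own heuristics and
# evaluates 64 real services).
HEURISTICS = ["full_data_access", "informed_consent", "third_party_controls",
              "data_deletion", "notice_at_collection"]

services = {
    "fitness_app_A": {"category": "exercise", "full_data_access": 0,
                      "informed_consent": 0, "third_party_controls": 1,
                      "data_deletion": 1, "notice_at_collection": 0},
    "finance_app_B": {"category": "finance", "full_data_access": 1,
                      "informed_consent": 1, "third_party_controls": 1,
                      "data_deletion": 0, "notice_at_collection": 1},
}

def privacy_score(record: dict) -> float:
    """Fraction of heuristics satisfied (1 = satisfied, 0 = not)."""
    return sum(record[h] for h in HEURISTICS) / len(HEURISTICS)

by_category = {}
for name, rec in services.items():
    by_category.setdefault(rec["category"], []).append(privacy_score(rec))

for cat, scores in by_category.items():
    print(cat, round(sum(scores) / len(scores), 2))
```
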
... While the expressed feedback focuses on what the customers say they do, the measured feedback reveals what they actually do with the product [10], [40], [183]. A study on software privacy policies conducted in 2016 [194] further points out that there is a gap between what people say they wish for and what they actually want. In this study, on a sample of N=543 individuals, 98% of participants agreed to donate their firstborn child in exchange for access to a social network. ...
Thesis
Full-text available
Accurately learning what customers value is critical for the success of every company. Despite the extensive research on identifying customer preferences, only a handful of software companies succeed in becoming truly data-driven at scale. Benefiting from novel approaches such as experimentation in addition to the traditional feedback collection is challenging, yet tremendously impactful when performed correctly. In this thesis, we explore how software companies evolve from data-collectors with ad-hoc benefits, to trustworthy data-driven decision makers at scale. We base our work on a 3.5-year longitudinal multiple-case study research with companies working in both the embedded systems domain (e.g. engineering connected vehicles, surveillance systems, etc.) as well as in the online domain (e.g. developing search engines, mobile applications, etc.). The contribution of this thesis is three-fold. First, we present how software companies use data to learn from customers. Second, we show how to adopt and evolve controlled experimentation to become more accurate in learning what customers value. Finally, we provide detailed guidelines that can be used by companies to improve their experimentation capabilities. With our work, we aim to empower software companies to become truly data-driven at scale through trustworthy experimentation. Ultimately this should lead to better software products and services.
... First, we are embedded in and rely on too many automated systems and routinized socio-technical processes, and therefore it is impossible to be in control of all of them. A striking example is that we accept such a high number of "terms of service" agreements and privacy policies when we use internet-based services that our available time would not be sufficient to read all of them (Obar & Oeldorf-Hirsch, 2016). Comparably, we would not have the time to accompany all routinized socio-technical services, such as delivering electrical power through a highly decentralized grid system, by fine-grained interaction. ...
Preprint
Full-text available
This paper transfers the concept of human-computer intervention to the context of routinized socio-technical processes. Intervening interaction is defined as activities that alter the behavior of a process that is regularly highly automated and/or continuously proceeds according to a plan. Rules and principles of interaction design and socio-technical design are taken into consideration to derive hints and requirements for how intervention interfaces should be designed in the socio-technical context.
... A second approach we consider for the representation of a sentence is to exploit a constituency parse tree, which naturally encodes the structure of the sentence (see Figure 1) by describing the grammatical relations between sentence portions through a tree. Similarity between tree structures can be exploited with tree kernels (TK) (Moschitti 2006). A TK consists of a similarity measure between two trees, which takes into account the number of common substructures or fragments. ...
Preprint
Terms of service of on-line platforms too often contain clauses that are potentially unfair to the consumer. We present an experimental study where machine learning is employed to automatically detect such potentially unfair clauses. Results show that the proposed system could provide a valuable tool for lawyers and consumers alike.
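
The tree-kernel excerpt above describes similarity as the number of common substructures two parse trees share. Below is a naive sketch of that idea, assuming trees encoded as nested tuples; real tree kernels (e.g. the subset-tree kernel of Moschitti 2006) count a much richer set of fragments using efficient dynamic programming.

```python
# Minimal illustration of the tree-kernel idea: similarity between two parse
# trees measured as the number of identical complete subtrees they share.
# This is only a sketch, not an implementation of the cited kernel.
from collections import Counter

def subtrees(tree):
    """Yield every complete subtree of a nested-tuple tree (leaves are strings)."""
    yield tree
    if isinstance(tree, tuple):
        for child in tree[1:]:        # skip the node label, recurse into children
            yield from subtrees(child)

def naive_tree_kernel(t1, t2) -> int:
    """Count pairs of identical subtrees between the two trees."""
    c1, c2 = Counter(subtrees(t1)), Counter(subtrees(t2))
    return sum(c1[s] * c2[s] for s in c1 if s in c2)

# Toy constituency trees: (label, child, child, ...).
t1 = ("S", ("NP", "users"), ("VP", ("V", "ignore"), ("NP", "policies")))
t2 = ("S", ("NP", "people"), ("VP", ("V", "ignore"), ("NP", "policies")))

print(naive_tree_kernel(t1, t2))  # 5 shared fragments on these toy trees
```
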
... This is because consumers might not expect such uses and give superficial consent while not understanding the consequences (O'Doherty et al. 2016; Obar and Oeldorf-Hirsch 2016). (4) Unnecessary use of health service: Further worries have been raised that DTC GT might lead to a futile increase in use of public health services because of consumers who take subjectively alarming results to their doctors for clarification and seek treatment, even though it is not necessary (Plöthner et al. 2017). ...
Article
Full-text available
Direct-to-consumer genetic testing (DTC GT) has been available for several years now, with varying degrees of regulation across different countries. Despite a restrictive legal framework it is possible for consumers to order genetic tests from companies located in other countries. However, German laypeople’s awareness and perceptions of DTC GT services is still unexplored. We conducted seven focus groups (participants n = 43) with German laypeople to explore their perceptions of and attitudes towards commercial genetic testing and its ethical implications. Participants were critical towards DTC GT. Criticism was directed at health-related, predictive testing, while lifestyle tests were accepted and even welcomed to some extent. Participants expressed strong reservations regarding commercial provision of genetic diagnostics and expressed a lack of trust in respective companies. They preferred non-commercial distribution within the public healthcare system. Participants also expressed high expectations of physicians’ abilities to interpret information obtained via DTC GT companies and provide counseling. Legal restrictions on commercial distribution of genetic tests were opposed, with participants arguing that it should be available to consumers. DTC GT companies are not perceived as trustworthy when compared to the public healthcare system and its professional ethical standards and practices. Laypeople rated general consumer autonomy higher than their own concerns, thus recommending against strong legal regulation. We conclude that medicine’s trustworthiness may be negatively affected if commercial provision is not visibly opposed by the medical professions, while DTC GT companies may gain in trustworthiness if they adapt to standards and practices upheld in medicine.
Article
In the last decade education has experienced a shift from privatization to commercialization. This paper argues that the commercialization of education has evolved more recently as a result of artificially intelligent corporate players, enabling forms of insight sales called ‘Dark Advertising’. It unpacks how Dark Advertising profits from data-driven predictions that reveal where demand is emerging, rather than responding to perceived problems, by examining reports by the Australian Competition and Consumer Commission (ACCC). Able to produce techno-solutions ‘just in time’, Dark Advertising is considered to be enabling new forms of governance and influencing educational policy. Findings of the examination reveal associations in terms of teachers’ privacy, ability to provide consent, and agency. Arguing that such strategies circumnavigate Codes of Conduct and Privacy legislation, the author calls for greater scrutiny of the information asymmetries associated with insight sales strategies that predict, nudge and experiment with teachers’ behavior for profit.
Article
To be literate in a society where the information shared online is often exploited, learners should be exposed to multiple aspects of contemporary predictive modeling. Explore a lesson in which students learned an algorithm used in practice to automate the process of making recommendations.
Article
In the wake of Snowden's revelations about National Security Agency (NSA) surveillance, demands that Internet carriers be more forthcoming about their handling of personal information have intensified. Responding to this concern, this report evaluates the data privacy transparency of forty-three Internet carriers serving the Canadian public. Carriers are awarded up to ten stars based on the public availability of information satisfying ten transparency criteria. Carriers earn few stars overall, just 92.5 out of 430, an average of two of ten possible stars. A variety of policy recommendations are provided to encourage and guide further data privacy transparency efforts in Canada as well as around the world.
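
A quick check of the aggregate figures the report states (43 carriers, up to ten stars each, 92.5 stars awarded in total); only the arithmetic is reproduced here, not the per-carrier scores.

```python
# Arithmetic behind the transparency-report summary figures.
carriers = 43
max_stars_per_carrier = 10

total_possible = carriers * max_stars_per_carrier   # 430 possible stars
total_awarded = 92.5

print(total_possible)                      # 430
print(round(total_awarded / carriers, 2))  # ~2.15, i.e. about two of ten stars
```
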
Article
Full-text available
Health social networks (HSNs) allow individuals with health information needs to connect and discuss health-related issues online. Political-technology intertwinement (e.g. GDPR and Digital Technology) highlights that users need to be aware of, understand, and be willing to provide electronic consent (eConsent) when sharing personal information online. The objective of this study is to explore the ‘As-Is’ factors which impact individuals’ decisional autonomy when consenting to the privacy policy (PP) and Terms and Conditions (T&Cs) on a HSN. We use a Situational Awareness (SA) lens to examine decision autonomy when providing eConsent. A mixed-methods approach reveals that technical and privacy comprehension, user perceptions, and projection of future consequences impact participants’ decision autonomy in providing eConsent. Without dealing with the privacy paradox at the outset, decision awareness and, latterly, decision satisfaction are negatively impacted. Movement away from clickwrap online consent to customised two-way engagement is the way forward for the design of eConsent.
Chapter
Big Data are a product of the computer era, enabling the knowledge economy, in which academic researchers are key players, although researchers have been slow to adopt Big Data as a source for academic enquiry. This may be in part because Big Data are curated by commercial or governmental entities, not by researchers. Big Data present several challenges to researchers, including those associated with the size of the data, the development and growth of data sources, and the temporal changes in large data sets. Further challenges are that Big Data are gathered for purposes other than research, making their fit-for-purpose problematic; that Big Data may easily lead to overfitting and spuriousness; and the biases inherent to Big Data. Linkage of data sets always remains problematic. Big Data results are hard to generalize, and working with Big Data may raise new ethical problems, even while obviating old ethical concerns. Nonetheless, Big Data offer many opportunities, allowing researchers to study previously inaccessible problems, with previously inconceivable sources of data. Although Big Data overcome some of the challenges of small data studies, Big Data studies will not supplant small data studies—these should work in concert, leading to real-world translation that can have a lasting impact.
Conference Paper
Collaboration across institutional boundaries is widespread and increasing today. It depends on federations sharing data that often have governance rules or external regulations restricting their use. However, the handling of data governance rules (aka data-use policies) remains manual, time-consuming and error-prone, limiting the rate at which collaborations can form and respond to challenges and opportunities, inhibiting citizen science and reducing data providers’ trust in compliance. Using an automated system to facilitate compliance handling reduces substantially the time needed for such non-mission work, thereby accelerating collaboration and improving productivity. We present a framework, Dr.Aid, that helps individuals, organisations and federations comply with data rules, using automation to track which rules are applicable as data is passed between processes and as derived data is generated. It encodes data-governance rules using a formal language and performs reasoning on multi-input-multi-output data-flow graphs in decentralised contexts. We test its power and utility by working with users performing cyclone tracking and earthquake modelling to support mitigation and emergency response. We query standard provenance traces to detach Dr.Aid from details of the tools and systems they are using, as these inevitably vary across members of a federation and through time. We evaluate the model in three aspects by encoding real-life data-use policies from diverse fields, showing its capability for real-world usage and its advantages compared with traditional frameworks. We argue that this approach will lead to more agile, more productive and more trustworthy collaborations, and show that the approach can be adopted incrementally. This, in turn, will allow more appropriate data policies to emerge, opening up new forms of collaboration.
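
As a rough sketch of the rule-tracking idea the abstract describes (which data-use rules still apply as data flows through processes and into derived outputs), one could attach rule sets to datasets and take their union across each dataflow step. This is an illustrative assumption of my own, not Dr.Aid's formal language or reasoner.

```python
# Illustrative propagation of data-governance rules through a dataflow graph:
# a derived dataset inherits the union of the rules attached to its inputs.
# Mirrors the general idea described in the abstract, not Dr.Aid itself.

rules = {
    "cyclone_tracks":  {"no-redistribution", "cite-provider"},
    "population_grid": {"research-use-only"},
}

# Each dataflow step: output dataset -> list of input datasets.
dataflow = {
    "exposure_map":   ["cyclone_tracks", "population_grid"],
    "report_figures": ["exposure_map"],
}

def propagate(dataflow: dict, rules: dict) -> dict:
    """Attach to every derived dataset the union of its inputs' rules."""
    resolved = {name: set(r) for name, r in rules.items()}
    changed = True
    while changed:                      # iterate until a fixed point is reached
        changed = False
        for output, inputs in dataflow.items():
            inherited = set().union(*(resolved.get(i, set()) for i in inputs))
            if inherited - resolved.get(output, set()):
                resolved[output] = resolved.get(output, set()) | inherited
                changed = True
    return resolved

for name, r in propagate(dataflow, rules).items():
    print(name, sorted(r))
```
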
Chapter
A privacy policy statement discloses the practices an organization carries out to gather, use, and share users’ data. Previous studies have shown that users struggle to understand the content of privacy policies because of their textual format, which remains an open challenge owing to complexity, verbosity, and legal jargon. Video has been shown to have a higher impact on engagement and comprehensibility than other formats in domains such as education and entertainment. This study focuses on using video as a tool to represent online text-based privacy policies. We created modular animated video versions of the privacy policies of two different organizations and compared them with their textual counterparts. The results were evaluated in terms of the time taken and the accuracy with which participants comprehended the content of each format. Our findings suggest that animated video privacy policies have a significant effect on user engagement, delivery of content, and comprehensibility of information.
Article
Purpose: “Smart devices think you're ‘too lazy’ to opt out of privacy defaults” was the headline of a recent news report suggesting that individuals might be too lazy to stop disclosing their private information and therefore to protect their information privacy. In current privacy research, privacy concerns and self-disclosure are central constructs regarding protecting privacy. One might assume that being concerned about protecting privacy would lead individuals to disclose less personal information. However, past research has shown that individuals continue to disclose personal information despite high privacy concerns, which is commonly referred to as the privacy paradox. This study introduces laziness as a personality trait in the privacy context and asks to what degree individual laziness influences privacy issues.
Design/methodology/approach: After conceptualizing, defining and operationalizing laziness, the authors analyzed data collected in a longitudinal empirical study and evaluated the results through structural equation modeling.
Findings: The findings show that the privacy paradox holds true, yet the level of laziness influences it. In particular, the privacy paradox applies to very lazy individuals but not to less lazy individuals.
Research limitations/implications: These results help to better explain the privacy paradox and self-disclosure behavior.
Practical implications: The state might want to introduce laws that not only require organizations to handle information privately but also make it as easy as possible for individuals to protect their privacy.
Originality/value: Based on a literature review, a clear research gap was identified and is filled by this study.
Article
Full-text available
Recent work has demonstrated how data-driven AI methods can support consumer protection by enabling the automated analysis of legal documents. However, a shortcoming of data-driven approaches is poor explainability. We posit that in this domain useful explanations of classifier outcomes can be provided by resorting to legal rationales. We thus consider several configurations of memory-augmented neural networks in which rationales are given a special role in the modeling of context knowledge. Our results show that rationales not only contribute to improving classification accuracy, but are also able to offer meaningful, natural-language explanations of otherwise opaque classifier outcomes.
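The paper's exact architecture is not reproduced in this abstract; the following is only a toy PyTorch sketch of the general pattern of a memory-augmented classifier, where a clause representation attends over a learned memory of rationale vectors and the attention weights double as an explanation signal. All names and dimensions (RationaleMemoryClassifier, dim=64, etc.) are illustrative assumptions, not the authors' model.

    import torch
    import torch.nn as nn
    import torch.nn.functional as F

    class RationaleMemoryClassifier(nn.Module):
        """Toy memory-augmented classifier: a clause embedding attends over a
        learned memory of rationale vectors, and the retrieved context is
        concatenated with the clause before classification. Single-head
        attention and all dimensions are illustrative choices."""

        def __init__(self, dim: int, num_rationales: int, num_classes: int):
            super().__init__()
            # One learned vector per legal rationale (the "memory").
            self.memory = nn.Parameter(torch.randn(num_rationales, dim))
            self.query = nn.Linear(dim, dim)
            self.classifier = nn.Linear(2 * dim, num_classes)

        def forward(self, clause_emb: torch.Tensor):
            # clause_emb: (batch, dim), e.g. a sentence encoder's output.
            q = self.query(clause_emb)                   # (batch, dim)
            scores = q @ self.memory.t()                 # (batch, num_rationales)
            attn = F.softmax(scores, dim=-1)             # which rationales matter
            context = attn @ self.memory                 # (batch, dim)
            logits = self.classifier(torch.cat([clause_emb, context], dim=-1))
            # Returning the attention weights lets one read off which rationales
            # drove the decision, i.e. a hook for natural-language explanations.
            return logits, attn

    # Minimal usage with random inputs:
    model = RationaleMemoryClassifier(dim=64, num_rationales=8, num_classes=2)
    logits, attn = model(torch.randn(4, 64))
    print(logits.shape, attn.shape)  # torch.Size([4, 2]) torch.Size([4, 8])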
Article
Full-text available
The paper examines the views of Internet users concerning the protection of their rights on the Internet. The web survey, conducted via snowball sampling, included 783 Internet users who expressed their views on how the state (Serbia) and private actors (Facebook and Google) relate to the rights of freedom of expression and privacy on the Internet. The survey also examined users’ individual responsibility in their use of Internet services. Several hypotheses suggested that Internet users in Serbia have confidence neither in the state nor in private actors when it comes to protecting their rights; however, users also do not demonstrate a satisfactory level of individual responsibility. The most important findings indicate that: 1) only one-sixth of the respondents consider that the Government of the Republic of Serbia does not violate the privacy of Internet users; 2) almost half of the respondents do not feel free to express views criticizing the government; 3) almost 90% of users are not satisfied with how Facebook protects their privacy, a figure only 1% lower for Google; 4) a third of respondents said they had read the terms of use of the analyzed companies, but half of them could not answer the main questions correctly; 5) only 8.9% of the respondents who claimed to have read the terms of use are aware that Facebook shares their data with third parties.
Chapter
Privacy policies are the state-of-the-practice technique for data transparency. Oftentimes, however, they are presented in a non-prominent way, are lengthy, and are not written in the users’ language. As a result, their acceptance is rather low, even though users are generally interested in privacy. We therefore need enhanced transparency approaches. In this paper, we present a taxonomy and models for describing privacy-relevant information. These models are based on practical privacy policies and legal regulations, and they enable automated processing of privacy-relevant information. Automated processing based on well-defined semantics is the baseline for new ways of representing privacy-relevant information, for example through filtering, step-wise refinement or contextualization.
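The chapter's taxonomy itself is not given here; as a rough, assumed illustration of what “automated processing based on well-defined semantics” can enable, the Python sketch below models policy statements as structured records (invented names: ProcessingStatement, Purpose, filter_statements) and filters them by purpose, a simple form of step-wise refinement.

    from dataclasses import dataclass
    from enum import Enum
    from typing import List

    class Purpose(Enum):
        SERVICE_PROVISION = "service provision"
        MARKETING = "marketing"
        ANALYTICS = "analytics"

    @dataclass
    class ProcessingStatement:
        """One machine-readable statement extracted from a privacy policy."""
        data_category: str      # e.g. "email address"
        purpose: Purpose
        shared_with: List[str]  # third-party recipients, if any
        retention_days: int

    def filter_statements(policy: List[ProcessingStatement],
                          purpose: Purpose) -> List[ProcessingStatement]:
        """Step-wise refinement: show only the statements relevant to one purpose."""
        return [s for s in policy if s.purpose is purpose]

    # Hypothetical mini-policy and a purpose-based view of it:
    policy = [
        ProcessingStatement("email address", Purpose.SERVICE_PROVISION, [], 365),
        ProcessingStatement("browsing history", Purpose.MARKETING, ["ad network"], 90),
    ]
    for stmt in filter_statements(policy, Purpose.MARKETING):
        print(stmt.data_category, "->", stmt.shared_with, f"({stmt.retention_days}d)")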
Chapter
This chapter analyses the business of news sharing through a political economic prism, investigating how social media platforms and analytics services are transforming journalism, news production and distribution. Martin introduces the concept of critical media ecology to investigate the interrelated business models, ownership patterns and industrial power of key platform corporations such as Facebook and Microsoft, and news intermediaries like Gigya, Chartbeat and ICUC that provide social metadata services, such as news analytics, identity management, and content placement. She also analyses the companies providing dialogic media services such as content hosting, community management and social indexing. In exploring China’s control over its sharing ecology, and the rise in social data trading, the chapter raises questions about the fate of media freedom in the twenty-first century.
Article
Full-text available
Progress towards open access (OA) has stalled, with perhaps 20% of new papers ‘born-free’ and half of all versions of record paywalled; why? In this paper, I review the last 12 months: librarians showing muscle in negotiations, publishers’ Read and Publish deals, and funders determined to force change with initiatives like Plan S. I conclude that these efforts will not work. For example, flipping to supply-side business models, such as article processing charges, simply flips the paywall to a ‘playwall’, to the disadvantage of authors without financial support. I argue that the focus on OA makes us miss the bigger problem: today’s scholarly communication is unaffordable with today’s budgets. OA is not the problem; the publishing process is the problem. To solve it, I propose using the principles of digital transformation to reinvent publishing as a two-step process in which articles are published first as preprints, and then journal editors invite authors to submit only papers that ‘succeed’ to peer review. This would reduce costs significantly, opening a sustainable pathway for scholarly publishing and OA. The catalyst for this change is for the reputation economy to accept preprints as it does articles in minor journals today. The article is available from the Learned Publishing website: https://link.growkudos.com/1pkl1hzxerk
Article
Full-text available
European consumer policy relies on the ideal of consumer empowerment, which involves providing all consumers with detailed information on the goods on offer. This policy also applies to the electronic communications sector and to empowering consumers who are the end-users of internet access services. The author reviews the behavioural law and economics literature on consumer empowerment and applies the resulting insights to interpret Article 4(1) of Regulation 2015/2120, laying down measures concerning open internet access, in a way that would truly empower sophisticated consumers. The author also proposes advising or obliging providers of internet access services to label those services so as to provide even unsophisticated consumers with meaningful and understandable information.
Chapter
Bots and AI have the potential to revolutionize the way that personal data is processed. Unlike processing performed by traditional methods, they have an unprecedented ability (and patience) to gather, analyze and combine information. However, the introduction of “smarter” computers does not always mean that the nature of the processing will change; often, the result will be substantially similar to processing by a human. We cannot, then, regulate processing by bots and AI as a sui generis concept. This chapter examines the different regulatory approaches that exist under the new General Data Protection Regulation (the GDPR)—the general regulatory approach (which treats all processing in the same way), the specific regulatory approach (which imposes specific rules for automated processing) and the co-regulatory approach (where data controllers are required to analyze and mitigate the risks on their own). It then considers how these approaches interact and makes some recommendations for how they should be interpreted and implemented in the future.