Jens Grossklags, Na Wang & Heng Xu: A field study of social applications’ data practices & authentication and authorization dialogues

Jens Grossklags, Na Wang & Heng Xu: A field study of social applications’ data practices & authentication and authorization dialogues

Comment by: Ross Anderson

PLSC 2012

Workshop draft abstract:

Several studies have documented the constantly evolving privacy practices of social networking sites and users’ misunderstandings about them. Justifiably, users have criticized the interfaces to “configure” their privacy preferences as opaque, disjointed, uninformative and ultimately ineffective. The same problems have also plagued the constantly growing economy of third-party applications and their equally troubling authentication and authorization dialogues with important options being unavailable at installation time and/or widely distributed across the sites’ privacy options pages.

In this paper, we report the results of a field study of the current authorization dialogue as well as four novel designs of installation dialogues for the dominant social networking site. In particular, we study and document the effectiveness of installation-time configuration and awareness-enhancing interface changes when 250 users investigate our experimental application in the privacy of their homes.

Heng Xu, John W. Bagby and Terence Ryan Melonas, Incentivizing Innovation in Wireless Advertising Messaging (WAM): Balancing Privacy Enhancing Security with Regulation

Heng Xu, John W. Bagby & Terence Ryan Melonas, Incentivizing Innovation in Wireless Advertising Messaging (WAM): Balancing Privacy Enhancing Security with Regulation

Comment by: Andrew Serwin

PLSC 2009

Workshop draft abstract:

The ubiquity of computing and the miniaturization of mobile devices have generated unique opportunities for wireless marketing that could be customized to an individual’s preferences, geographical location, and time of day. Unsurprisingly, the commercial potential and growth of wireless marketing have been accompanied by concerns over the potential privacy intrusion that consumers experience, such as wireless spam messages or intrusive location referencing. This research analyzes privacy issues in the developing wireless advertising messaging (WAM) technologies. In this article, WAM is provisionally defined as advertising messages sent to wireless devices such as cellular telephones, personal data assistants (PDAs) and smart phones. This research extends the author team’s prior work by based on analysis of WAM systems  in the European, Asian and American markets. This article examines the privacy debate assessing the relative effectiveness of industry self-regulation versus government legislation in ensuring consumer privacy and as a WAM innovation incentive and the extent to which industry self-regulation and regulatory approaches to privacy risks.

The article opens with a review of the regulatory uncertainties about WAM by raising questions of regulatory authority from among various regulators operating under several statutory schemes. The FTC’s authority is uncertain when directed at WAM given variations in the emerging technologies deployed and the business practices that comprise WAM architectures. For example, the FTC now appears to prefer self-regulation of online behavioral marketing. Recently proposed FTC Guidelines encourage self-regulation while encouraging innovation and maintaining flexibility in the WAM architectures and business model development. Useful analogies emerge from the FTCs ongoing behavioral and “eHavioral” advertising program; at least partially driven by the Google takeover of DoubleClick and FTC enforcement experience in Milliman and Ingenix.

Fragmentation in regulation of service provider outsourcing is dependent on uncertain WAM architecture and this complicates matters. WAM architectures embody business models generally requiring some outsourcing in the information supply chain; from the collection of personally identifiable information (PII), through data archiving and data mining, real time location referencing, and frequently delivered through an Internet Service Provider (ISP) or other telecommunication network and ultimately through wireless carriers to the user’s wireless device. Regulation of responsible parties when marketing assistance is outsourced is not uniformly regulated under various contexts analogous to WAM including telemarketing, fax marketing, spam regulation of email. This article discusses the divergent standards for consumer protection and privacy when support services are outsourced identifying difficulties in framing public policies that protect reasonable expectations for privacy yet accommodate innovation in the emergent field of behavioral marketing delivered to mobile devices.

Fair information practice principles (FIPP), the global standards for the ethical use of personal information, are generally recognized as a U.S. development that diminish consumer privacy risk perceptions. Interdisciplinary literature argues that FIPP signals how PII is secured with procedural, interactional and distributive justiceVarious researchers provide evidence that self-regulation often fails with codes of conduct and self-policing by trade associations. Examples, from seals programs using trusted third-parties (e.g., Online Privacy Alliance, TRUSTe) are analyzed as alternatives to government regulation. The privacy literature from marketing, management information systems, and public policy is integrated to address the question of relative effectiveness. This debate over self-regulation vs. regulation also highlights two ideological camps: those insisting privacy is a fundamental human and those taking the  instrumentalist view of privacy as a commodity. This analysis of interdisciplinary privacy literature helps to demonstrate that the distinction between these two camps undergirds much of the dissonance between U.S. and European privacy laws as implemented in the “opt in” versus “opt out” information management schema.