UNIVERSITY OF MANCHESTER

USER CENTRIC PRIVACY POLICY MODELLING

A thesis submitted to the University of Manchester for the degree of Doctor of Philosophy in the Faculty of Humanities

2018

SOPHIA KUNUNKA

ALLIANCE MANCHESTER BUSINESS SCHOOL

MANAGEMENT SCIENCES AND MARKETING

TABLE OF CONTENTS

LIST OF FIGURES ...... 6
LIST OF TABLES ...... 7
LIST OF ACRONYMS ...... 8
ABSTRACT ...... 9
DECLARATION ...... 10
COPYRIGHT STATEMENT ...... 11
ACKNOWLEDGEMENTS ...... 12
DEDICATION ...... 13
PUBLICATIONS IN RELATION TO THIS THESIS ...... 14
1 INTRODUCTION ...... 17
1.1 Research motivation ...... 18
1.2 Research aim, objectives and questions ...... 20
1.3 Research contribution ...... 22
1.4 Methodology and thesis structure ...... 23
1.4.1 Methodology ...... 23
1.4.2 Thesis structure ...... 26
2 LITERATURE REVIEW ...... 29
2.1 Conceptualization of privacy ...... 29
2.1.1 Privacy as a right ...... 29
2.1.2 Privacy as a state ...... 29
2.1.3 Privacy as a control ...... 30
2.2 Common misconceptions of privacy ...... 30
2.2.1 Security ...... 30
2.2.2 Ethics ...... 31
2.2.3 Anonymity ...... 31
2.3 Relationship between privacy and other constructs ...... 31
2.3.1 Privacy attitudes ...... 31
2.3.2 Behavioural reactions ...... 32
2.3.4 Privacy paradox ...... 32
2.3.5 Privacy calculus ...... 32
2.3.6 Regulation ...... 33
2.4 Constructs that impact on privacy policies ...... 33
2.4.1 Privacy policies ...... 33
2.4.2 Privacy breaches ...... 35
2.4.3 Stakeholder privacy concerns ...... 38
2.4.4 Privacy representation issues ...... 40
2.4.5 Privacy monetisation trade-offs ...... 42
2.4.6 Privacy policy languages ...... 43
2.4.7 Classification of privacy content ...... 45
2.4.8 Privacy policy representations ...... 47
2.4.9 Privacy preserving systems, methods and tools ...... 50
2.5 Related work ...... 51
2.5.1 Empirical studies ...... 51
2.5.2 Theories ...... 54
2.6 Summary ...... 55
3 RESEARCH METHODOLOGY ...... 57
3.1 Philosophical standpoint ...... 57
3.2 Application of science research in user centric privacy policy design ...... 60
3.3 Data collection and analysis methods ...... 61
3.3.1 Qualitative research ...... 61
3.3.2 Data collection ...... 62
3.3.3 Think aloud protocol ...... 64
3.3.4 Observation ...... 64
3.3.5 Data analysis ...... 64
3.4 Research ethics ...... 65
3.5 Summary ...... 65
4 TYPOLOGY OF ASPECTS COVERED IN PRIVACY POLICIES ...... 68
4.1 Taxonomy development research process ...... 68
4.2 Materials ...... 70
4.3 Method ...... 72
4.3.1 Taxonomy development steps ...... 74
4.4 Results ...... 83
4.4.1 Taxonomy dimensions ...... 84
4.4.2 Validity and relevance of the taxonomy ...... 86
4.4.3 User data transitivity relationships analysis ...... 86
4.5 Discussion and impact of research outcome ...... 89
4.6 Limitations and summary ...... 91
5 USER NEEDS AND PRIORITIES CONCERNING PRIVACY REQUIREMENTS ...... 93
5.1 Conceptual framework ...... 93
5.2 Observation study design ...... 95
5.2.1 Demographics ...... 96
5.2.2 Task 1: Prioritisation of privacy aspects in taxonomy ...... 96
5.2.3 Task 2: Participants design privacy policy ...... 98
5.2.4 Task 3: Assessment of alternative policy representations against privacy representation parameters ...... 106
5.3 Comparison of alternative policy representations preferences against participants’ policy ...... 108
5.3.1 Findings ...... 110
5.3.2 Mental models ...... 110
5.4 Limitations and summary ...... 111
6 USER-FRIENDLY REPRESENTATION SUPPORTING PRIVACY NEGOTIATION ...... 114
6.1 Design effort and discussion ...... 115
6.1.1 Abstraction gradient ...... 116
6.1.2 Diffuseness ...... 117
6.1.3 Closeness of mapping ...... 118
6.1.4 Visibility and juxtaposability ...... 118
6.1.5 Secondary notation and escape from formalism ...... 119
6.1.6 Hidden dependencies ...... 119
6.1.7 Premature commitment ...... 120
6.2 Prototype notation redesign ...... 120
6.2.1 Main interface of the alternative policy representation ...... 120
6.3 Limitations and summary ...... 123
7 END USER SUMMATIVE EVALUATION OF MONETISATION-FRIENDLY REPRESENTATION SUPPORTING PRIVACY NEGOTIATION ...... 125
7.1 Study design ...... 125
7.1.1 Materials and procedure ...... 126
7.1.2 Study tasks ...... 128
7.1.3 Talk-aloud protocol analysis ...... 129
7.2 Results and discussion ...... 130
7.2.1 Time required in finding information in policy representation ...... 131
7.2.2 User control over privacy ...... 132
7.2.3 Accuracy ...... 132
7.2.4 Appeal in information finding ...... 133
7.2.5 Likelihood to read policies if they resembled representation ...... 133
7.3 Summary ...... 134
8 DISCUSSION ...... 136
8.1 Comprehensiveness of privacy policy information ...... 136
8.2 Informativeness of the policy representation artefact ...... 138
8.3 User control over privacy in the policy representation artefact ...... 139
8.4 User opinions ...... 140
8.5 Summary ...... 141
9 CONCLUSIONS ...... 143
9.1 Research contributions ...... 143
9.1.1 Contributions to knowledge ...... 143
9.1.2 Implications of work ...... 144
9.2 Reflection on the research process ...... 145
9.3 Research limitations ...... 149
9.4 Future research ...... 149
REFERENCES ...... 152
APPENDICES ...... 175
Appendix A: Research ethics approval ...... 175
Appendix B: Participant information sheet ...... 179
Appendix C: Consent form ...... 181
Appendix D: User perspectives of privacy policies study ...... 182
Appendix F: Summative privacy policy study design ...... 195
Appendix G: Summative privacy policy study: Cognitive walkthrough procedure ...... 202

Word count 42,834

LIST OF FIGURES

Figure 1: Mapping the structure of the thesis ...... 24
Figure 2: A Framework for (Wieringa, 2014) ...... 59
Figure 3: Mapping the research phases to design science ...... 60
Figure 4: Overview of taxonomy development research process ...... 68
Figure 5: Taxonomy development method, adapted from Nickerson, et al., (2013) ...... 72
Figure 6: Data exchange dependencies between apps’ websites and third parties ...... 88
Figure 7: Conceptual framework adopted from Sharp, et al. (2006) ...... 94
Figure 8: Ranking of the importance of privacy aspects in a policy ...... 97
Figure 9: Comparison between participants’ designs vs preferred policy representations ...... 109
Figure 10: Design stages of the alternative representation prototypes ...... 114
Figure 11: Prototype of improved privacy policy ...... 117
Figure 12: Prototype of final user centric policy representation ...... 121
Figure 13: Prototype showing the 'We collect' - data collection section ...... 121
Figure 14: Prototype of the 'Why' - data use section ...... 122
Figure 15: Prototype of the ‘Security’ section ...... 122
Figure 16: Prototype of the proposed alternative policy representation vs conventional policy representation ...... 128
Figure 17: User rating of privacy policy representations ...... 130
Figure 18: Evaluation of policy representations ...... 131

LIST OF TABLES

Table 1: Mapping research objectives to thesis chapters ...... 27
Table 2: Digital privacy breaches ...... 37
Table 3: Digital privacy policy representations challenges ...... 42
Table 4: Privacy policy languages ...... 45
Table 5: Review of taxonomies ...... 47
Table 6: Digital privacy policy notation styles ...... 49
Table 7: Categories of mobile applications used in study ...... 71
Table 8: Ending conditions adapted from Nickerson, et al. (2013) ...... 73
Table 9: Results of Round 1 of the taxonomy development ...... 77
Table 10: Results of Round 2 of the taxonomy development ...... 79
Table 11: Results of Round 3 of the taxonomy development ...... 80
Table 12: Results of Round 4 of the taxonomy development ...... 81
Table 13: Mobile applications privacy policy taxonomy ...... 85
Table 14: Third party domains associated with the websites ...... 87
Table 15: Mobile applications data handling ...... 90
Table 16: Privacy analysis features ...... 100
Table 17: User preferences of policy representations ...... 108
Table 18: Prototype of list format policy ...... 116
Table 19: Participants’ grouping criteria ...... 126
Table 20: Participants’ grouping schedule ...... 127
Table 21: Mapping of research objectives to research contributions ...... 146

LIST OF ACRONYMS

API Application Programming Interface
APPEL A P3P Preference Exchange Language
ATCT Automatic Taxonomy Construction from Text
CalOPPA The California Online Privacy Protection Act
DPA Data Protection Act
DSR Design Science Research
EPAL Enterprise Privacy Authorization Language
EPR Enterprise Resource Planning
FTC Federal Trade Commission
GPS Global Positioning System
ICO Information Commissioner’s Office
ID Identity
IETF Internet Engineering Task Force
IP Internet Protocol
IS Information Systems
IT Information Technology
PET Privacy Enhancing Technologies
PII Personally Identifiable Information
P3P Platform for Privacy Preferences
TISSA Taming Info-Stealing Smartphone Apps
URL Uniform Resource Locator
VPN Virtual Private Network
W3C World Wide Web Consortium
XACML eXtensible Access Control Markup Language

ABSTRACT

The growing uptake of mobile applications (apps) has significant implications for end user privacy. The default solution is the provision of mobile privacy policies, which serve as a contract between users and app service providers. However, privacy policies have been critiqued as difficult for users to understand and as not providing any degree of control over personal privacy. This is because policies are written by service providers and are legal-like and technical, motivated by compliance requirements rather than by users’ ability to understand them. Research into the design of alternative policy representations exists, yet the involvement of users in the design of alternative representations has generally been limited. This work aims to design an effective representation of a privacy policy by incorporating the end users’ perspective into the design of policies. An exploration of the privacy policy domain was conducted through the analysis of 100 representative app privacy policies, from which a reference model of privacy terms was developed. The end users’ perspective has been explored through an early user study set up to establish users’ mental models, control needs and representation preferences. Findings show that whilst initial mental models are largely reflective of the predominant conventional full length privacy policies, users are open to innovations and in fact show a clear preference for alternative policy representations that are more structured and visual in nature. The reference model of privacy terms and the findings of the early user study enabling user centric design of privacy policy are two of the contributions of this thesis. The third and main contribution of this thesis is the integration of these two results in the user-centred design of an effective privacy policy representation. Effectiveness means the representation is comprehensive, informative and facilitates greater user control over privacy.

The representation developed in this thesis is evaluated against the conventional policy. Results demonstrate that the representation’s comprehensiveness is rated 10% better; it was tested by measuring users’ accuracy in information finding, certainty of finding desired information, and appeal in information finding. Its informativeness was rated 59% better; it was tested by measuring users’ likelihood to read policies if they resembled the representation and the time needed to find information. Its support for user control over privacy was rated 32% better; it was tested by measuring users’ ability to specify and alter privacy options. Overall, the proposed policy representation meets the aim of this thesis by incorporating the user perspectives, allowing the creation of privacy policies which facilitate informed consent and user control over personal information.

DECLARATION

No portion of the work referred to in this thesis has been submitted in support of an application for another degree or qualification of this or any other university or other institute of learning.


COPYRIGHT STATEMENT

The following three notes on copyright and the ownership of intellectual property rights:

I. The Author of this thesis (including any appendices and/or schedules to this thesis) owns any copyright in it (the "Copyright") and he has given The University of Manchester the right to use such Copyright for any administrative, promotional, educational and/or teaching purposes.

II. Copies of this thesis, either in full or in extracts, may be made only in accordance with the regulations of the John Rylands University Library of Manchester. Details of these regulations may be obtained from the Librarian. This page must form part of any such copies made.

III. The ownership of any patents, designs, trademarks and any and all other intellectual property rights except for the Copyright (the "Intellectual Property Rights") and any reproductions of copyright works, for example graphs and tables ("Reproductions"), which may be described in this thesis, may not be owned by the author and may be owned by third parties. Such Intellectual Property Rights and Reproductions cannot and must not be made available for use without the prior written permission of the owner(s) of the relevant Intellectual Property Rights and/or Reproductions.

IV. Further information on the conditions under which disclosure, publication and exploitation of this thesis, the Copyright and any Intellectual Property Rights and/or Reproductions described in it may take place is available from the Head of School Manchester Business School (or the Vice-President) and the Dean of the Faculty of Humanities, for Faculty of Humanities' candidates.

ACKNOWLEDGEMENTS

I would like to express my gratitude to my supervisors Prof. Nikolay Mehandjiev and Dr Pedro Sampaio for the guidance, support and encouragement afforded to me in the course of my research. Their time, constructive feedback and contributions to my research have enabled me to successfully complete my research. I appreciate their mentorship and advice given to me over the different stages of my research.

My gratitude goes out to the Alliance Manchester Business School for sponsoring me financially through the studentship scheme.

I would also like to thank all the participants involved in the different studies conducted in this research. Their time and valuable contributions are appreciated.

Thanks to my colleagues and the staff of Alliance Manchester Business School for all their support and help in the course of my research.

Thanks to my friends and spiritual mentors who have supported me socially and spiritually in the course of my research.

Thanks to my family members for their love, patience, prayers and support. They have always believed in me and encouraged me to be the best I can be.


DEDICATION

To the King eternal, immortal, invisible, the only God, be honour and glory for ever and ever. Amen.


PUBLICATIONS IN RELATION TO THIS THESIS

Two papers have been presented at international conferences as a result of part of the research in this thesis.

Paper 1:

Kununka S., Mehandjiev N., Sampaio P. (2018) A Comparative Study of Android and iOS Mobile Applications’ Data Handling Practices Versus Compliance to Privacy Policy. In: Hansen M., Kosta E., Nai-Fovino I., Fischer-Hübner S. (eds) Privacy and Identity Management. The Smart Revolution. Privacy and Identity 2017. IFIP Advances in Information and Communication Technology, vol 526. Springer, Cham

Abstract: The providers of mobile applications (apps) offer free apps and services but monetise user information and attention. However, end users (users) have limited control and inadequate understanding over the manner in which apps use their personal data. This study is a first step to taking a user-centred approach in the design of app privacy policies to ensure they are easy to understand by non-technical users. To this end we capture the views of 41 users on four different privacy policy representations and analyse them to extract user priorities and needs. We have found that one of the alternative policy representations is liked best by users, and that users focused on data collection and use, neglecting other privacy aspects such as data monetisation and legal issues. As a result of our analysis, we propose an interactive representation to enhance the informativeness of privacy policies, especially with respect to data monetisation, whilst facilitating greater user control over personal data privacy. We evaluate our proposal using the cognitive dimensions framework.

Keywords: Mobile applications, Privacy policy, End user development

Paper 2:

Kununka S., Mehandjiev N., Sampaio P., Vassilopoulou K. (2017) End User Comprehension of Privacy Policy Representations. In: Barbosa S., Markopoulos P., Paternò F., Stumpf S., Valtolina S. (eds) End-User Development. IS-EUD 2017. Lecture Notes in Computer Science, vol 10303. Springer, Cham (Assessed as REF standard 3 according to internal AMBS RRE)


Abstract: The prevalent use of mobile applications (apps) involves the dissemination of personally identifiable user data by apps in ways that could have adverse privacy implications for the apps’ users. More so, even when privacy policies are provided as a safeguard to user privacy, an app’s data handling practices may not comply with the privacy commitments stated in its privacy policy. We conducted an assessment of the extent to which apps’ data practices matched their privacy policies. This study provides an exploratory comparison of Android and iOS apps’ privacy compliance. Our findings show potential sensitive user data flows from apps that do not match the apps’ privacy policies and further, that neither Android nor iOS app data handling practices fully comply with their privacy policies.

Keywords: Mobile applications, Privacy policy, Compliance


CHAPTER 1 Introduction


1 INTRODUCTION

There is currently an unprecedented level of information exchange, processing and storage through channels such as websites (Selvadurai, 2013) and mobile applications (apps) (Enck et al., 2014). Users offer or entrust diverse personal data to organizations in the confidence that their data privacy will be maintained by limiting data use to the specified purposes. However, gaps have been observed in service providers’ privacy practices, as users’ consent is not always sought before organizations engage in the marketing, exposure and renting of customer information (Anderson, 2013). Companies work with third party data brokers to help advertisers develop targeted ads (Alsenoy et al., 2015) through advances such as user profiling (Cecere and Rochelandet, 2013). Profiling is rewarding to the user as it addresses their specific requirements (Sismeiro and Bucklin, 2004); however, it could be used to effect price discrimination against individuals with less favourable characteristics and exposes users to further privacy intrusion (Hui and Png, 2006). There is also a likelihood of misuse of users’ data by governments and business institutions on the premise of enforcing legislation, improving service delivery, and marketing (Jin-Park and Mo-Jang, 2014; Ricarda et al., 2014). Such conduct disregards users’ views and poses a threat to user data privacy.

In an endeavour to protect user privacy, regulatory bodies such as the United Kingdom (UK)’s Information Commissioner’s Office and the United States (US) Federal Trade Commission have enacted laws such as the European Data Protection Act (Steinke, 2002), the new European Union (EU) General Data Protection Regulation (GDPR, 2018) and the Federal Trade Commission Act (FTC, 2018) respectively. This legislation provides data protection guidance and demands that service providers address users’ privacy concerns. Moreover, it requires digital service providers such as apps or websites to provide privacy policies to their end users (GDPR, 2018; FTC, 2018), and apps accordingly provide users with privacy policies, as evidenced by the research on privacy policies (Anton, et al., 2003; Capistrano and Chen, 2015; Tsai, et al., 2011). Privacy policies aim to give guarantees about data gathering and dissemination (Bargh, et al., 2003; Youssef, et al., 2005).

While service providers provide these policies to their service end users, they fall short of achieving the intended purpose envisaged by the legislations’ fair information practices, which is to provide informed user consent and control over privacy. This is evidenced by critics of the conventional full length privacy policy representation, who argue that it is ineffective in addressing user privacy concerns (Jensen, et al., 2005; Sadeh, et al., 2009). Possible explanations for this criticism are that policies offer a ‘take it or leave it’ approach in which service end users are not able to exercise specific control over their privacy (Costante, et al., 2012), whereas policy users require assistance in expressing their desired policy preferences (Johnson, 2012). Further, policies are lengthy and burdensome to read (Capistrano and Chen, 2015). Policies also face a challenge in providing the right amount of information to support privacy comprehension (Tsai, et al., 2011; Nissenbaum, 2011). More so, the predominant privacy policy design has a limited user perspective. This has resulted in privacy policies that focus on issues such as compliance with legislation rather than on what is important to users in terms of their privacy requirements (Earp, et al., 2005). This matters because, while several factors such as apps’ pricing and functionality impact on app uptake by users, non-functional factors like regulatory requirements (e.g. privacy policies) also impact on whether users download and use apps (Boyles et al., 2012). This thesis is part of on-going research exploring ways of addressing the gaps identified in the conventional privacy policy representation’s ability to effectively address user privacy concerns. In particular, it investigates the design of an alternative privacy policy representation that more effectively addresses the requirement for improved user awareness, consent and control over privacy. The thesis incorporates the users’ perspective into the design of the privacy policy representation. As opposed to limiting users to the evaluation of the policy representation, endeavours are made to involve users from the onset of the design process, capturing users’ mental models, control needs and representation preferences in what is referred to as the early user study in this thesis.

1.1 Research motivation

This research is motivated by challenges observed in the way privacy policy information is conveyed to the end user through the conventional full length privacy policy representation. The challenges facing privacy policies include but are not limited to: the complexity of privacy policies and limitations in user control over privacy; policies having a service provider or industry focus as opposed to a user focus; and a privacy transparency paradox that makes it difficult to determine the adequacy of the information presented within the policies. Moreover, users are provided with the same privacy policy whether they access services through a company’s website or its mobile application. However, users find it particularly challenging to access a privacy policy through an app due to the limited mobile phone interfaces. As such, this thesis explores ways in which privacy policy representation can be enhanced so that it is useful to users even when presented through mobile applications.

Complex monolithic privacy policies. The conventional full length privacy policy representation faces criticism for its complex and monolithic ‘blanket’ nature (Capistrano and Chen, 2015). Its ‘blanket’ nature limits the options available to end users to either accepting the entire policy or rejecting it, in which case users forfeit the use of the app service (Costante et al., 2012). This privacy predicament gives service providers an advantage over the end users. The end users find themselves in a position in which they have no mechanisms for exercising their rights to informed consent and control over their personal data, due to the limiting nature of the policy representation. As Johnson (2012) asserts, the provision of fine grained controls gives users the ability to specify individual content preferences. Addressing this predicament necessitates the design of a privacy policy representation that provides appropriate interactive mechanisms, which enhance users’ privacy informativeness and allow users to exercise control over specific aspects of their personal privacy (Knijnenburg, 2017).

Limited user focus in policy design. A privacy policy represents an agreement between the app service provider and the app users. While app service providers are concerned with issuing information that articulates what the provider intends, expressed as a contractual agreement, app service users’ issues relate to the actual use of the service. Generally, privacy policies are expressed in legal-like vocabulary (Sen, et al., 2014). They aim to adhere to regulators’ and industrial requirements as opposed to facilitating transparency and usability of policies for the end user (Earp, et al., 2005). However, Schaub et al. (2015) assert the necessity of determining the different audiences targeted by a privacy notice and advocate user involvement in the design and evaluation of the notices. They propose a structured method and vocabulary to discuss and compare privacy notices through a taxonomy with four dimensions, namely: timing, channel, modality and control. Timing relates to the most appropriate time to show the privacy notice, whereas channel focuses on the different methods of delivering the notice. Modality is determined by what the notice intends to achieve, whether it is visual, audio, etc., and control relates to the ability to opt in or out. It is argued that privacy policies with a greater user orientation are required, which would readily provide users with the necessary knowledge about their privacy. The willingness of users to share their data can be enhanced through incentives such as convenience, monetary benefits or discounts (Dinev, 2014). While privacy policies play a substantial role in expressing the conflicts between users and service providers, Bélanger and Crossler (2011) stress that there is inadequate research on this subject. Likewise, research into data handling approaches that optimise monetary and privacy interests, such as pricing-by-privacy trade-offs, has been recommended by Gerlach et al. (2015), who found a substantial linear effect of alterations in the granular content of the policy on consumers’ risk perceptions and behaviour.

Privacy transparency paradox. Users want access to their services in the shortest time possible. While users are concerned about their data privacy, they may not be willing to read lengthy policies (Cellan-Jones, 2014), and they find policies difficult to understand (Reidenberg et al., 2015) and time consuming (McDonald and Cranor, 2008). Diverse privacy policy enhancements have been proposed, including: nutritional labels (Kelley et al., 2010), privacy icons (Holtz et al., 2011), multilayer privacy notices (Cranor, 2012), and the goals and vulnerabilities policy representation (Earp et al., 2007). These approaches are addressed in more detail in the literature review section. Whereas these alternative approaches to the representation of privacy information seek to enhance privacy policies’ effectiveness and comprehension, they are often overshadowed by a transparency paradox: in condensing the policy they face the danger of eliminating relevant information, which could decrease the meaningfulness of the information provided by the policies (Nissenbaum, 2011). A possible solution could be the provision of a guideline, such as a privacy terms reference model, indicating the concepts and associations that should be covered within privacy representations. In tandem, it would also address usability concerns (Wesson et al., 2010), whereby complications arise from constraints in the display interfaces which limit the amount of privacy information that can be displayed (Schaub et al., 2015).

In summary, this doctoral work seeks to optimize users’ privacy representation in policies by i) the simplification of privacy information representation, ii) providing users with sufficient information, iii) facilitating user engagement in controlling their privacy and iv) facilitating monetisation interests of service providers and the privacy protection interests of end users. To accomplish this, this thesis sets out to develop a user-centred privacy policy representation design that addresses the challenges identified with the conventional full length policy representation.

1.2 Research aim, objectives and questions

The multifaceted nature of website and mobile application privacy faces the challenge of how to optimise the representation of privacy information. In particular, how to address the lengthiness and complexity of the information presented to users such that it is adequate and indeed facilitates informed user consent. This thesis explores ways of provisioning privacy information that is of interest to users while hiding what is not of interest, and retaining full control to the extent desired by users. Achieving this requires a knowledge base with vocabulary representative of the app privacy domain, its concepts and the relationships between different components in the privacy domain. This knowledge then requires aligning with end user privacy perspectives and requirements, so as to form a presentation vocabulary of how these components fit together in an effective policy representation. This highlights the research gap addressed in this doctoral work, which is discussed in Chapter 2.

This research aims to create constructs and a notation of a privacy policy representation language to incorporate the perspectives of end users. This will alleviate the tension between the capabilities of users to understand digital service policies, and the need for service providers to convey sufficient information and mechanisms to enable informed user consent. To achieve the aim, the following Research Objectives are set:

RO1: To create a reference model of terms used in privacy policies, and use its contents as vocabulary constructs for a privacy representation language. The sub-objectives here are to identify the main concepts of existing privacy policies, and to structure them in a system of domain knowledge.

RO2: To uncover users’ perspectives in terms of their mental models, control needs and representation preferences through exploring their attitudes towards, and understanding of the different aspects of the system of domain knowledge as encoded in several alternative policy representations.

RO3: To design and evaluate a proposed notation which incorporates the user perspective to alleviate the tension between user understanding, control of consent and coverage of the information content of privacy policies.

The pursuit of the objectives is described in different chapters of this thesis as outlined in Table 1 at the end of this chapter. Each objective is aligned with one of the following research questions:

RQ1: How can privacy policy information be organized into a reference model of terms that can be used as constructs for a privacy representation language?

RQ2: What are the needs and requirements of end users towards privacy policy representations?

RQ3: What would constitute an effective notation incorporating the user perspective so as to alleviate tensions between user understanding, control of consent and coverage of the information content of privacy policies?

1.3 Research contribution

This thesis explores the design of a privacy policy representation that is easy to understand by non-technical users. The research takes on a user centric privacy policy representation modelling approach. The goal of this research is not to replace the predominant full length privacy policy representation. However, this research is geared towards the provision of an alternative policy representation that incorporates the user perspective in the design. At the same time, it seeks to provide adequate and simplified privacy information to support user understanding, and to provide interactive mechanisms that facilitate improved user control over personal privacy. This work draws knowledge from the conventional privacy policies by exploring the current privacy domain. It incorporates this knowledge with the understanding from user mental models and perspectives in order to propose an interactive user-centred privacy policy representation.

The contributions of this doctoral research are presented below:

1). A vocabulary for a privacy policy design language. This privacy vocabulary encapsulates terms and concepts within the privacy domain and classifies them into a reference model of privacy terms in the form of a taxonomy. It is envisaged that this vocabulary will assist in developing privacy policy representations that facilitate greater privacy awareness and understanding.

2). Investigation of users’ conceptual views of privacy. This research establishes an understanding of users’ mental models, and users’ need to control personal privacy and representation preferences. This knowledge is gathered in the early stages of the research and is pertinent in the development of a user centric policy notation.


3). A user centric privacy policy representation notation. This notation organizes the knowledge of privacy policies into a more structured and visual format that conveys key messages around the information rights and obligations of policies. The aim of the notation is to illustrate how policy representations can enhance user informativeness and control over personal privacy.

4). A summative evaluation study. This study assesses the impact of the proposed artefact on user privacy choices and preferences. Specifically, it analyses the artefact in terms of: users’ accuracy in answering questions; how appealing information finding was for users; users’ ability to exercise control over privacy; the likelihood of users reading policies if all policies looked like that representation; and the time taken to locate information in a policy.

1.4 Methodology and thesis structure

1.4.1 Methodology

The work in this thesis is guided by the design science research method. Whereas design research and action research are both commonly used in Information Systems (IS) research, Iivari (2009) claims that design research is focused on cutting edge solutions while action research appears to work towards safe solutions based on robust technology. Design science was considered a suitable approach for this research because this thesis aims to produce an artefact. Defining design science, several authors (Blessing and Chakrabarti, 2009; Vaishnavi and Kuechler, 2011) state that design science is an investigation into the usage and performance of designed artefacts in order to comprehend, clarify and very often to enhance the behaviour of aspects of IS. Figure 1 shows a mapping of the structure of the thesis. The design science process is initiated with awareness of a problem that needs to be solved, after which suggestions are sought on how to address the problem. The suggestions are developed into partial or full solutions that are evaluated. Several iterations may be required between the suggestion, development and evaluation steps in order to obtain a desired solution.

a). Awareness of problem

Problem awareness could arise from existing literature on a research subject, industrial advancement or changes in a discipline. This is the stage at which the research proposal emerges. Literature suggests that failure to take user privacy views into account when designing privacy policies has far reaching effects. Stressing the importance of users’ privacy perspectives, several authors (Hofstede, 2001; Sadeh, et al., 2009) argue that the execution of numerous solutions has failed due to privacy related user fears. Chapters 1 and 2 of the thesis provide a rigorous exploration of current privacy issues and explore possible ways of addressing them.

Figure 1: Mapping the structure of the thesis (flowchart; its stages are reproduced here as text)

Start
- Awareness of the problem (Chapters 1 and 2); understanding and contribution to knowledge (Chapter 3)
- First design iteration: privacy taxonomy (Chapter 4); evaluation (Chapter 4.4)
- Second design iteration: policy notation prototype 1 (Chapter 5); evaluation (Chapter 5.2)
- Third design iteration: policy notation prototype 2 (Chapter 6); evaluation (Chapter 6.1)
- Fourth design iteration: final policy notation (Chapter 6.2); end user evaluation (Chapter 7)
- Theorizing on research implications (Chapters 8 and 9)
End

b). Solution proposition

The proposition of solutions or ideas follows the awareness of the problem. Suggestion of ideas involves creativity for new developments forecasted on new configurations of current or novel elements. Critics claim that ‘suggestion’ may not be repeatable due to lack of adequate understanding of human processes. Still, creativity is present in all research methods; in positivist research, for example, creativity is embedded in the development from curiosity over the idea to the development of relevant constructs to operationalize the phenomena (Vaishnavi and Kuechler, 2005). Ideas on potential ways of addressing identified research issues are often conceived in the course of investigating the issue. Creativity is required in the suggestion stage, for instance as new functionality is forecasted. Steps towards addressing the research problem are identified by proposing ways of solving it, such as the necessity of establishing a privacy vocabulary as a fundamental step in addressing the research gap identified in this thesis. The understanding derived from the privacy vocabulary then forms a basis for further research into the development of prototypes of policy representation.

c). Prototype development

Using the suggestions and ideas on design, a tentative artefact is developed. The design approach varies depending on the artefact under consideration. This is presented in Chapters 4, 5 and 6, in which the different steps of the design of the artefact are depicted through several iterations. The prototype development process is initiated with the development of a taxonomy that classifies privacy information, facilitating the establishment of a privacy vocabulary. The next step in development uses the understanding acquired from the taxonomy to establish user privacy priorities, and this knowledge is used to design a prototype policy representation. The final stage of development in this thesis explores user mental models on privacy and incorporates them into the improvement of the prototype design so as to produce the artefact that is presented in this research.

d). Evaluation

The artefact design is evaluated against a predetermined set of criteria in the evaluation stage. Each stage of the development process produces an artefact that the subsequent development stage improves on. The initial development stage of the thesis develops a reference model of privacy terms in the form of a taxonomy as the artefact. The second development stage produces a policy representation prototype as the artefact. The policy representation prototype artefact is further enhanced in the third and fourth development stages to form the final policy notation representation artefact. Each development stage evaluates the artefact at that level of development, and the final artefact presented in this doctoral work is validated through an end user evaluation summative study.

e). Conclusion

In the conclusion stage of research, the final Chapters 8 and 9 of this thesis theorize on the implications of this work. While the final solution may not meet all the criteria, the results are satisfactory and knowledge has been added to the knowledge base.

1.4.2 Thesis structure

The thesis has 9 chapters. Chapter 1 introduces the research, describing the context and the research problem, and discusses how they relate within the wider online ecosystem. Chapter 2 surveys the knowledge base, establishing developments in the subject area of user data privacy, citing research gaps and opportunities as well as limitations in the approaches and methods that have been applied. Literature on several related areas is explored, including knowledge on privacy, user requirements and perspectives on privacy, and representation of privacy. In Chapter 3, the research method is positioned within the design science framework. Next, Chapters 4, 5 and 6 present the different stages of the artefact development. Specifically, Chapter 4 describes the development of a reference model of privacy terms in the form of a taxonomy that provides a knowledge base comprised of vocabulary found within the website and mobile application privacy policy domain. In Chapter 5, the taxonomy developed in Chapter 4 is used to survey users’ control needs and representation preferences, and the derived understanding is used in the design of an initial policy representation prototype. Chapter 6 presents the design effort involved in the development of the alternative policy artefact. A summative evaluation is presented in Chapter 7, in which the representation is evaluated by users in order to assess the proposed representation’s impact on users’ privacy policy understanding, control and choices. Chapter 8 provides a synthesis of the research through a discussion, and the research conclusions are presented in Chapter 9. A mapping of the research objectives to the chapters is presented in Table 1.


Table 1: Mapping research objectives to thesis chapters

Research objective (chapters in which it is pursued):

RO1 (Chapter 4): To create a reference model of terms used in privacy policies, and use its contents as vocabulary constructs for a privacy representation language. The sub-objectives are to identify the main concepts of existing privacy policies, and to structure them in a system of domain knowledge.

RO2 (Chapters 5, 6): To uncover users’ perspectives in terms of their mental models, control needs and representation preferences through exploring their attitudes towards, and understanding of the different aspects of the system of domain knowledge as encoded in several alternative policy representations.

RO3 (Chapters 4, 5, 6, 7): To design and evaluate a proposed notation which incorporates the user perspective to alleviate the tension between user understanding, control of consent and coverage of the information content of privacy policies.


2 LITERATURE REVIEW

Privacy research has been conducted for over 100 years in the social sciences, in the areas of philosophy, psychology, sociology, economics, law, management, marketing and management information systems (Smith et al., 2011). While privacy literature is multi-disciplinary, research tends to focus on the privacy aspects of the various disciplines as opposed to privacy as a whole, with scholars disagreeing on the definition of privacy (Reddy and Venter, 2010). The privacy concept, according to Solove (2006), is in ‘disarray and nobody can articulate what it means.’ The lack of a coherent conceptualization of privacy fails to guide the development of laws and the resolution of disputes (Bennett, 1992; Solove, 2006), as well as making it difficult to develop national and management policies and practices to safeguard the privacy of staff, clients and citizens. Several definitions have been posited by scholars in an attempt to provide coherence in the conceptualization of privacy.

2.1 Conceptualization of privacy

2.1.1 Privacy as a right

The view of privacy as a human right has been debated, with scholars questioning whether such a right exists, how it came into existence (Schoeman, 1984) and who bears responsibility for its protection (Milberg et al., 2000). Privacy as a right was not upheld by the constitution of the United States of America until the 20th century. Taking a different standpoint from the British system, privacy has been viewed as an emerging right in the USA, with roots related to Warren and Brandeis’s 1890 article in the Harvard Law Review, which defined general privacy as ‘the right to be left alone.’

2.1.2 Privacy as a state

A range of scholars define privacy as a state. According to Westin (1967), privacy is comprised of the unique substrates of anonymity, solitude, reserve, and intimacy. Moreover, privacy is described as a state of ‘being apart from others’ (Weinstein, W. L., 1971). Similarly, Schoeman (1984) defines privacy as a state of ‘limited access to a person’. Privacy has further been viewed as a contextual concept related to three definite dimensional contexts, namely self-ego, environment and interpersonal (Laufer and Wolfe, 1977). Other metrics for privacy were developed for solitude, isolation, anonymity, reserve, intimacy with friends and intimacy with family by Darhl (1997), who conveys them as ‘types of privacy’ and also refers to them as ‘types of privacy behaviours’ and ‘psychological functions of privacy’. However, there is no consensus in terminologies as a result of a lack of common agreement as to what general privacy is (Solove, 2006).

2.1.3 Privacy as a control

Research into the conceptualization of privacy as control has grown in the spheres of information systems and marketing (Altman 1975; Culnan, 1993; Smith, et al., 1996), as it is relatable to aspects of information privacy. According to Margulis (1977b), ‘Privacy, as a whole or in part, represents the control of transactions between person(s) and other(s), the ultimate aim of which is to enhance autonomy and/or to minimise vulnerability’ (Margulis, 1977a). It is pertinent to users’ interests that they have knowledge of which aspects of their private data are handled by firms and with whom it is shared (Yee et al., 2006). Control provides individuals with the ability to make a compromise between privacy and utility (Aïmeur et al., 2016). Nonetheless, some scholars stress that control is not necessarily equivalent to privacy but rather an attribute of privacy (Laufer and Wolfe, 1977).

2.2 Common misconceptions of privacy

2.2.1 Security

Misunderstandings arise about the relationship between privacy and security. Discussions about information privacy may be difficult without considering security (Johnson et al., 2010). In an attempt to distinguish between privacy and security, Dourish and Anderson (2006) view privacy as a social construct while security is perceived as a technical construct. Security relates to safeguarding the integrity, authentication and confidentiality of personal information (Smith et al., 2011). Information integrity guarantees that no alterations are made to information; authentication focuses on ensuring users’ identity and authorization to access data, whereas confidentiality ensures that data is used for agreed purposes by authorized parties (Belanger et al., 2002; Camp, 1999; Chellappa, 2008). Dispelling confusion between security and privacy, Ackerman (2004) states that ‘security is necessary for privacy, but security is not sufficient to safeguard against subsequent use, to minimize the risk of disclosure, or to reassure users’. Security may facilitate methods through which privacy can be enforced (Dourish and Anderson, 2006).

2.2.2 Ethics

Several ethical theoretical lenses, such as contract theory, duty-based theory, stakeholder theory and virtue ethics theory, have been used in the exploration of general privacy (Caudill and Murphy, 2000). Whereas it may be philosophically argued that there are ethical requirements to safeguard or acknowledge privacy (Smith et al., 2011), privacy does not equate to ethics.

2.2.3 Anonymity

Anonymity is defined as the ability to conceal identity (Rensel, et al., 2006; Qian and Scott, 2007). Anonymity is frequently supported by privacy enhancing tools, for instance tools that limit the use of cookies in browsing or the tracking of IP addresses. The extent of anonymity ranges across total anonymity, pseudonymity and identifiable anonymity (Kobsa and Schreck, 2003; Qian and Scott, 2007). However, while privacy is related to anonymity, ‘anonymity is not privacy’ (Camp, 1999).

2.3 Relationship between privacy and other constructs

The assessment of privacy within social sciences empirical research is largely based on measuring proxies that have a relationship with privacy. These proxies may be termed as attitudes, beliefs and perceptions and are more generally referred to as privacy concerns (Smith et al, 1996; Bélanger and Crossler, 2011; Li, 2011; Smith et al, 2011).

2.3.1 Privacy attitudes

Studies into privacy attitudes have investigated how consumers perceive and behave towards information privacy practices, techniques and tools. Attitudes towards privacy are conceptualized differently within the various studies. Privacy attitudes are treated as an independent variable in many studies, impacting on aspects such as consumers granting access to their information and the adoption of invasive technologies (Alge, et al., 2006; Miyazaki and Krishnamurthy, 2002; Thiesse, 2007). However, less research explores privacy attitudes as a dependent variable (Cao and Everard, 2008; Dillion, et al., 2008). According to Smith et al. (2011), the dependent variables that stand out are those related to how consumers react to privacy concerns. A study on privacy experiences found that there is higher concern about privacy amongst consumers whose data has been breached (Smith et al., 1996). This is underpinned by Cespedes and Smith (1993) and Smith (1993), who state that consumers’ privacy concerns are activated by a discovery that companies have accessed and/or used their personal data without the consumers’ consent. Similarly, Nowak and Phelps (1995) assert that the level of privacy concern among consumers is lower when organizations seek their consent before handling their data. However, Culnan and Armstrong (1999) argue that stronger privacy concerns may not impact on consumers’ willingness to grant access to their personal data. This is because individuals’ perceptions may change when they are reassured that their data will be lawfully managed or that measures to guarantee personal privacy will be enforced (Berendt et al., 2005).

2.3.2 Behavioural reactions

Research has been conducted into how individuals’ privacy concerns are reflected in behaviour. This involves individuals’ willingness to participate in ecommerce and willingness to grant access to their data. Whereas Belanger et al. (2002) put forward trust as an antecedent of privacy, Zu et al. (2005) view it as a mediator between privacy concerns and information disclosure. According to a study by Schoenbachler and Gordon (2002), consumers are more willing to disclose their information and have minimal privacy concerns when they trust a company. Moreover, users’ perceived trust of websites is positively impacted by privacy seals (Rifon et al., 2003), and trust can be boosted and privacy fears reduced by ensuring fair information practices (Eastlick et al., 2006) and providing clearly communicated privacy policies (Xu et al., 2005).

2.3.4 Privacy paradox

Consumers have been found to act contrary to their stated privacy concerns (Jensen et al, 2005; Kokolakis, 2017). A study found a positive correlation between privacy concerns and provision of incomplete data in registration whereas there was a negative correlation between privacy concerns and frequency of website registrations (Sheehan and Hoy, 1999). The reason behind such a privacy attitude or behaviour could be the impact of bounded rationality on the users’ choice making process (Acquisti and Grossklags, 2005). However, (O’Donoghue and Rabin, 2001) argue that economic influences could result in users having a tendency to discount future costs or benefits of sharing their data.

2.3.5 Privacy calculus

Research indicates that consumers undertake a risk-benefit analysis of providing their data to companies before a decision is made (Hann, et al., 2008; Xu, et al., 2010). This is aligned with earlier work (Klopfer and Rubenstein, 1977) that disagreed with the concept of privacy as an absolute right and instead viewed it as subject to ‘economic terms’.

Privacy risk is described by several scholars (Malhotra, et al., 2004; Pavlou, 2003) as the extent to which consumers associate a high possibility of loss of personal data with a company. Risk assessment entails calculation of negative impact and perceived severity (Peter and Tarpley, 1975). Studies have cited risks such as the insider effect, access to data by unauthorized parties or theft (Rindfleishch, 1997), and third party disclosure of data for monetary purposes or to government (Wald, 2004; Budnitz, 1998). However, disclosure also provides benefits including financial compensation, profiling and social adjustment (Lu et al., 2004). Indeed, studies indicate that financial remuneration of individuals boosts information disclosure (Xu et al., 2010; Hann et al., 2008) and can lead them to overlook privacy concerns (Chellappa and Sin, 2005).

2.3.6 Regulation

Consumers may opt for state regulation in instances where they perceive that firms are offering inadequate protection of their privacy (Milberg et al., 2002). The recently inaugurated General Data Protection Regulation in Europe (GDPR, 2018) treats privacy as a fundamental right, resulting in an opt-in market in which subjects’ data is only acquired if they choose to opt in. However, there is disagreement between the view of privacy as a right versus as a commodity in Europe and the USA respectively (Jentzsch, 2001; Smith, 2001). Europe has firmer financial privacy controls, but the USA is gradually converging towards the European model. The USA provides for industry specific regulations in some instances, such as for credit reports and sensitive health data (Smith, 2004).

2.4 Constructs that impact on privacy policies

2.4.1 Privacy policies

There is growing emphasis on research on digital privacy information artefacts (Lowry et al., 2017) and on understanding the impact of digital privacy (Adjerid et al., 2018). End user design techniques are also being applied to create consumer focused policy artefacts (Wetherall, et al., 2011). Extant literature clearly shows that consumers are concerned about their privacy (Dinev, 2014; Jiang, et al., 2013). A study undertaken by the Pew Internet Project on consumer mobile data revealed that 57% of app users had either changed their minds about downloading an app or uninstalled an app due to apprehension about sharing personal data (Boyles, et al., 2012). In response, regulatory bodies such as the UK’s Information Commissioner’s Office and the US Federal Trade Commission have enacted laws such as the Data Protection Act (Steinke, 2002), the General Data Protection Regulation (GDPR, 2018) and the Federal Trade Commission Act (FTC, 2018) respectively. Privacy legislation provides data protection guidance and demands that service providers address consumers’ privacy concerns. Moreover, legislation mandates that digital service providers, such as providers of apps and websites, make privacy policies available to their service consumers.

According to the General Data Protection Regulation (GDPR, 2018), privacy policies are a means for data controllers to inform data subjects (end users of the app) about what personal data will be collected and for what purpose, and as such are a key element in ensuring informed consent. Moreover, compliance with the new GDPR legislation necessitates that companies provide evidence of their handling and sharing of user data, and requires the following issues to be addressed (Robol et al., 2016):

i) ‘be able to accurately set the data collection time and the identity of the collector
ii) be able to provide a list of all entities that possess a copy of the original data
iii) be able to determine modifications on the data, if any
iv) be able to determine the data accuracy and validity, with mechanisms on how to address inaccuracy and invalid data
v) be able to configure the data lifetime, with controls to allow data owners to request data to be erased (right to be forgotten).’

Indeed, this necessitates that the user privacy issues stipulated in the GDPR are addressed within privacy policies. Privacy policies aim to express data collection and exchange practices (Bargh, et al., 2003; Youssef, et al., 2005).
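As an added illustration, which is not part of this thesis nor of Robol et al. (2016), the five requirements above can be read as a specification for a minimal provenance record that a data controller keeps per item of personal data. The record type, its field names, the `compliance_report` checks and the sample values below are all assumptions made for this example; they are not a standard, a library API or an artefact of the research described here.

```python
"""Added example: a minimal provenance record for one item of personal data.

It models the five requirements listed above: i) collection time and collector
identity, ii) the set of entities holding copies, iii) a modification history,
iv) accuracy/validity handling, and v) a configurable lifetime with erasure on
the data owner's request. All names and structure are assumptions made for this
illustration, not a standard or a library API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Modification:
    at: datetime
    by: str
    old_value: str
    new_value: str


@dataclass
class PersonalDataRecord:
    subject_id: str              # pseudonymous identifier of the data subject
    value: str                   # the personal data item itself (e.g. an e-mail address)
    collected_at: datetime       # i) collection time
    collector: str               # i) identity of the collector
    lifetime: timedelta          # v) configured retention period
    holders: Dict[str, bool] = field(default_factory=dict)          # ii) entity -> still holds a copy?
    modifications: List[Modification] = field(default_factory=list)  # iii) audit trail of changes
    accuracy_disputed: bool = False  # iv) the subject has flagged the data as inaccurate
    erased: bool = False

    def share_with(self, entity: str) -> None:
        """Record that a copy of the data has been handed to another entity (ii)."""
        self.holders[entity] = True

    def update(self, new_value: str, by: str, at: datetime) -> None:
        """Apply a correction and keep the before/after pair for audit (iii, iv)."""
        self.modifications.append(Modification(at, by, self.value, new_value))
        self.value = new_value
        self.accuracy_disputed = False   # a correction resolves the dispute

    def is_expired(self, now: datetime) -> bool:
        """v) true once the configured lifetime has run out."""
        return now >= self.collected_at + self.lifetime

    def erase(self, confirmed_by: Dict[str, bool]) -> List[str]:
        """Honour an erasure request (v). `confirmed_by` maps each holder to whether it
        confirmed deletion; the controller's own copy is always erased. Returns the
        holders believed to still possess a copy, so the controller can chase them."""
        self.value = ""
        self.erased = True
        for entity in self.holders:
            if confirmed_by.get(entity):
                self.holders[entity] = False
        return self.outstanding_holders()

    def outstanding_holders(self) -> List[str]:
        """ii) entities believed to still hold a copy of the original data."""
        return sorted(e for e, holds in self.holders.items() if holds)


def compliance_report(rec: PersonalDataRecord, now: datetime) -> Dict[str, bool]:
    """Map each of the five requirements to a yes/no check on one record."""
    return {
        "collection_time_and_collector_known": bool(rec.collector) and rec.collected_at <= now,
        "copy_holders_enumerable": all(isinstance(e, str) and e for e in rec.holders),
        "modifications_traceable": all(m.old_value != m.new_value for m in rec.modifications),
        "accuracy_resolved": not rec.accuracy_disputed,
        "lifetime_enforced": rec.erased or not rec.is_expired(now),
    }


def demo() -> Dict[str, object]:
    """Walk one record through sharing, correction, expiry and erasure (constructed data)."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    rec = PersonalDataRecord(
        subject_id="subject-0001", value="old@example.invalid",  # constructed sample values
        collected_at=t0, collector="app-backend", lifetime=timedelta(days=365),
    )
    rec.share_with("analytics-vendor")
    rec.share_with("ad-network")
    rec.accuracy_disputed = True  # the subject reports the address is wrong
    rec.update("new@example.invalid", by="support-desk", at=t0 + timedelta(days=10))
    before = compliance_report(rec, t0 + timedelta(days=400))  # past lifetime, not yet erased
    left = rec.erase({"analytics-vendor": True})  # ad-network has not confirmed deletion
    after = compliance_report(rec, t0 + timedelta(days=400))
    return {"before": before, "after": after, "outstanding": left,
            "history": len(rec.modifications)}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The point of the record is that requirement ii) is the one most easily lost in practice: once a copy has left the controller, erasure under v) is only complete when every holder confirms it, which is why `erase` returns the outstanding holders rather than silently marking the record done.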

According to Wu et al. (2010), users’ privacy confidence is boosted by ‘consistent information quality, behaviour guidelines and information exchange rules’. This builds customer loyalty that hinges on trust and a mutual commitment to privacy principles (McKnight et al., 2002). Studies show that privacy policies are an important step in tackling users’ privacy fears (Bansal, et al., 2016) and increasing confidence in digital services (Wu, et al., 2010). Still, the ubiquitous textual representations of privacy policies are widely regarded as an ineffective means of conveying information regarding what data is collected, exchanged, and used by service providers and third parties. Research has shown that privacy policies are written with legal terminology (Sen et al., 2014); are ‘too long’, complex and time consuming (Schaub et al., 2015); and are often ignored (Felt et al., 2011). The privacy representation issues are discussed further later in this chapter and illustrated in Table 3. Moreover, difficulties in understanding privacy policies contribute to policies not being read (Earp, et al., 2005). Literature shows that consumers are unaware of apps’ data handling practices (Backes et al., 2014); require increased data transparency to allow informed user consent on data dissemination to third parties (Shklovski et al., 2014); and that enhanced policy artefact design is required to foster greater privacy awareness (Zhou, et al., 2011).

2.4.2 Privacy breaches

Information privacy pertains to individuals having the ability to control what information others are able to access (Westin, 1967). However, privacy incidents occur when individuals’ personal information is misused (Acquisti et al, 2006) through illegal sales, usage or lack of protection. Prior to a privacy incident or breach, a relationship to allow information exchange should have been established (Mamonov and Benbunan-Fich, 2015) between the user and service provider.

Breaches may occur unintentionally through users, or through unauthorized access, bad security practices, hacking, unauthorized disclosure due to the insider effect, etc., as shown in Table 2; moreover, the consequences may be detrimental or at times insignificant. A breach of privacy could result from the unintentional disclosure of a user’s private information, such as in incidents where a user posts news about a friend’s pregnancy before the implicated friend is ready to publicize the occurrence. The gravity of such an incident may be limited in terms of the number of people affected and may have no economic implications. However, the gravity of privacy breaches tends to be greater for intentional breaches, such as external malicious ‘hacking’ attacks in which electronic personal data is accessed by an outside party, malware and spyware, as in the case of the Marriott data breach (Chapman and Anderson, 2018). Data breaches from within the company have also been experienced, such as in instances of software errors (Sourcedna, 2015). Breaches could also result from insider actions (Ayyagari, 2012), whereby someone with legitimate access, such as a contractor or a disgruntled employee, intentionally breaches information. An example is the Real Networks incident, which involved the tracing of users’ listening habits against the company’s stated privacy commitments (Acquisti, et al., 2006). Indeed, direct violation by the service provider of the norms, guidelines and restrictions within its own privacy policy can result in a privacy breach.

Further, indirect breach of information privacy may result from third parties’ data exchange dependencies. A third party often serves multiple applications and so collects a broader picture of user details than individual applications. This is facilitated by popular business models in app service provision which present access to apps and services as free, with providers monetizing the information gathered about users and their attention by selling personalised advertisements and providing aggregated information to third parties (Karwatzki et al., 2017). This exchange of data could be for strategic or monetary reasons (Tallon et al., 2015) and is carried out by data brokers in a flourishing multi-billion dollar digital marketplace (Bansal et al., 2016). In the process, personal data is used in ways not fully intended or comprehended by users (Mayer and Mitchell, 2012), as users find it difficult to understand the data exchange dependencies and the governing terms within the privacy policies. For instance, Instagram, a widely used social media app, had declared in its terms that ‘you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the content you post on or through the service’ (Mamonov and Benunan-Fich, 2015). Such complex privacy terms result in a situation in which the majority of users consent to the terms of online services without reading the policies (Finley, 2012). Indeed, app users can agree to weakly restricted access to their data because they either don’t pay attention or don’t realize the full consequences of granting access to their personal data. Stressing the importance of the privacy implications associated with the exploitation of users’ data, the OAG (2013) argues that third parties must manage users’ personal data in an acceptable manner.
As such, users should be provided with adequate information and support to make informed choices about sharing their personal data through app privacy policies.

The complexity and repercussions of data privacy breaches are difficult to predict and depend on the associated stakeholders and the sensitivity of the implicated data. The greatest consumer risks that arise from a privacy breach are impersonation, fraud and identity theft (Acquisti et al., 2006; 4iQ, 2018). In addition to identity theft, breaches of financial information result in monetary loss and credit issues. Even though fraud may not always materialize, there is usually a higher probability of phishing (Thomas et al., 2017). Research has also explored the breach of geo-location information through apps (Ho and Chau, 2013; Ho, 2012; Wicker, 2012) and perceived privacy risks, which according to Raab and Bennett (1998) necessitate appropriate protection. Moreover, consumers’ sense of dignity, according to Post (2000), can be impacted by their privacy expectations. Likewise, the self-image and emotional health of consumers may be adversely influenced by their privacy perceptions, and privacy perceptions have been observed to impact on users’ sense of control (Diener et al., 1999); as such, Demott (2006) argues that breach of trust should be compensated.

Table 2: Digital privacy breaches

Nature of privacy breach: User breach (unintended)
Description: A single post by a user about a friend could easily end up as an unintentional breach of privacy. The fast-paced developments in technology have resulted in unclear parameters around privacy and ownership of information. More so, users could willingly but unintentionally make their social online information more available than actually desired due to ‘poor usability’ issues of platforms, such as limited or unclear privacy controls.
Literature: (Gurses et al., 2008)

Nature of privacy breach: Unauthorized access
Description: In an incident involving Real Networks, users’ comprehension of the privacy terms is reported to have been violated when the company analysed users’ listening patterns, an action that was against the company’s privacy statement.
Literature: (Acquisti et al., 2006)
Description: In another widely publicized privacy incident, DoubleClick, an ad network owned by , played a key role in the Safari browser cookie rejection settings privacy breach that resulted in Google facing a fine of $22.5m. Even though the cookie settings link provided by Google was no longer used and no direct permission was granted to Google, the devices could still be tracked by the DoubleClick network.
Literature: (Tallon et al., 2015; Arthur, 2012)

Nature of privacy breach: Bad security practices
Description: Intrusion into Target’s payment systems occurred through access credentials that the company had provided to a third party contracted to support Target’s climate systems. The breach succeeded as a result of Target’s poor network segmentation from third parties, which should have protected its payment systems from third-party access. Target incurred a net cost of more than $100 million as a result of this breach.
Literature: (Howland, 2015; Riley et al., 2014)

Nature of privacy breach: Hacking
Description: Marriott International was recently hacked and experienced a substantial data breach involving 500 million guest details such as names, passport numbers, credit card details, dates of birth, emails etc. While the payment card information was encrypted, there was no guarantee that the encryption keys were not taken.
Literature: (Chapman and Anderson, 2018)

Nature of privacy breach: Unauthorized disclosure (insider)
Description: In 2014 and 2015, Facebook is reported to have permitted global harvesting of 87 million user profiles, which Cambridge Analytica then used in research that impacted on national polling campaigns and a referendum. Facebook was implicated in the breach since the data was kept beyond the time limit for attaining its original research purpose.
Literature: (Isaak and Hanna, 2018)

In the event of a data breach in which personal data is lost or accessed by unauthorized parties, and which as such presents the possibility of the compromise of that data, privacy law states that affected clients should be notified in time (FTC, 2018; GDPR, 2018). Regulators require the publicity of breaches with the aim of revealing the inadequate security and privacy measures in the implicated firms, so as to motivate other firms to enforce adequate data protection. Further, in order to preserve consumers’ rights, regulations (FTC, 2018; GDPR, 2018) require that consumers are informed when a breach has been identified, enabling them to make informed judgments on an ensuing action plan to alleviate identity theft (Romanosky et al., 2011). Regulatory penalties with financial implications may also be issued as a result of breaches; for instance, Facebook received a penalty of half a million pounds sterling (ICO, 2018) for its role in the Cambridge Analytica data breach. Firms may also have to deal with ensuing liabilities, such as in the case of the BJ’s Inc. incident in which the firm was sued for up to thirteen million U.S. dollars. While low consumer support has been associated with companies that have experienced a data breach, (Ponemon, 2005) argues that there is insufficient evidence of actions taken by consumers against such firms. Moreover, exploring the impact of privacy breaches on company share price, (Acquisti et al., 2006) point out that even in instances when breaches have repercussions on market conditions, such as a drastic fall in company shares, these repercussions are not frequent and soon wear off. However, this situation is currently shifting, given the 19% decrease in share price suffered by Facebook in the aftermath of the Facebook-Cambridge Analytica scandal (Guardian, 2018). In hindsight, it is clear that in the long run firms may have to deal with damaged consumer trust.
The impact of privacy breaches on consumers and firms underpins the value of research on the subject. There is a need to understand privacy breaches and explore ways to limit their impact.

2.4.3 Stakeholder privacy concerns

Technological developments in digital services facilitate seamless and ever-increasing collection and use of user data (Barth and Jong, 2017). Digital services gather user data either directly, in which case users provide their details (Cecere and Rochelandet, 2013), or indirectly, whereby users’ details are collected automatically, often without any user input (Leon et al., 2013). Direct means of data collection could be during registration, surveys or through online forms (Cecere and Rochelandet, 2013). On the other hand, data could also be collected indirectly through cookies and logs that monitor device IP, identity (ID), software etc. However, the widespread data processing by digital services has generated privacy concerns amongst stakeholders (Zang et al., 2015). Stakeholders in the digital services ‘ecosystem’ include end users, service providers, third parties and regulators, each with diverging privacy interests.

Assurance of privacy protection impacts on users’ online decisions as it is an indicator of transaction integrity (Eastlick, et al., 2006). An investigation of the impact of consumers’ perceived e-tailer reputation on trust, commitment and purchase intent, and of the effect of opt-in versus opt-out choice strategies on consumers’ privacy concerns and trust, was conducted by (Eastlick, et al., 2006). It was found that privacy concerns impact on purchase intent with strong negative consequences, whether directly or indirectly through trust. This leads to uncertainty around personal information security and privacy, which (Ha and Stoel, 2009) highlight as one of the inhibiting factors to increased utility of digital services. This was established in a study that incorporated e-shopping quality, enjoyment, and trust in the technology acceptance model so as to comprehend consumer acceptance of e-shopping.

Moreover, companies are interested in collecting as much data as possible for user profiling and marketing. This is illustrated by research conducted on 101 common smartphone apps by the Wall Street Journal, which found that 56 apps conveyed the device’s unique ID to third parties, 47 conveyed the location, and five communicated the consumers’ personal details to third parties without the users’ knowledge or authorization (Thurm and Kane, 2010). Whereas society has openly embraced online digital services, (Cheung, 2014) asserts that they are means of surveillance. While the data gathered by providers is used to achieve the benefits of tailored services, users who do not comprehend and cannot manage mobile-related information surveillance are potentially vulnerable to privacy violations (Park, 2014). In hindsight, it is not surprising that opinion polls indicate growth in users’ interest in digital services privacy, and users are now taking actions to preserve their privacy (Porter, 2000; Wetherall, et al., 2011).

Consumers should be provided with adequate information and support to give them the ability to make knowledgeable judgements about sharing their personally identifiable information (PII). PII is defined by (Krishnamurthy and Wills, 2010) as ‘information which can be used to distinguish or trace an individual’s identity either alone or when combined with other public information that is linkable to a specific individual.’ Giving consumers the ability to make informed decisions about their information would reduce the possibility of consumers unduly holding back data required for the running of a service or for deriving the benefit they require from the app (CCP, 2011). In an attempt to preserve personal privacy, consumers have been known to provide false data. Provision of fabricated data negatively impacts on the service provider’s information base and could result in ineffective business decisions, ultimately negatively affecting its product / services base and profits.

2.4.4 Privacy representation issues

A variety of privacy policy representation challenges have been identified in literature. These challenges are referred to as ‘representation parameters’ within this thesis. A discussion on a select number of representation parameters is presented in this section. These representation parameters are fundamental to the exploration of user needs and priorities concerning privacy requirements discussed in Chapter 5.

Privacy policies have been criticised for their complexity (Jentzsch et al., 2012), which arises from the legal-‘like’ language used to convey information within policies. This makes it difficult for end users to read and understand privacy policies. Conducting research on the Dow Jones Corporations, (Li, et al., 2012) found that all their policies were academic in context, requiring a college-level education to understand. As such, ‘simplicity in understanding’ is identified as one of the privacy representation parameters that are explored within this research. Policies should be ‘clear and conspicuous’ (Sumeeth et al., 2010) and understandable (Antón and Earp, 2004). Further, privacy policies are often deemed ineffective. Privacy should facilitate control over information sharing as opposed to not sharing (Acquisti et al., 2016). In addition to control over privacy, users require contextual information (Johnson, 2012) to provide insight in making decisions about their privacy. This view is shared by (Wu, et al., 2010), who assert that an effective privacy policy is one that enhances users’ ‘perceived control over their information disclosure and the secondary use of personal information’. Based on the need for more effective policies, ‘effectiveness’ was selected as the second privacy representation parameter to be considered in this research.

Likewise, the length of policies can be a deterrent to their use, since reading policies is deemed time consuming by users. In their work on policies, (McDonald and Cranor, 2008) investigated the time requirements for reading policies and found that, in order to read online privacy policies, users required approximately 244 hours per year. This time was computed using the average word length of the most commonly used websites, multiplying it by words-per-minute reading speeds, followed by an online exercise recording the time required for participants to answer questions. Using an approximation of 244 hours a year, it was found that a normal user would be required to invest two-thirds of an hour a day in reading privacy policies. This is underpinned by the fact that users find reading policies burdensome (Earp, et al., 2006). It also highlights the necessity of designing policies in a way that makes them effortless to read and, as such, ‘effort in use’ was selected as the third privacy representation parameter considered in this research.

In addition to the amount of user effort required, there is a need to assess how easy users find it to remember related relevant information in a policy. This is because, in order for users to grant informed consent over their personal data, they may need to relate different aspects of their personal privacy. Also, the current arrangement of privacy information in policies appears not to take into consideration the order in which privacy information is presented to users (Lin et al., 2012). As such, ‘ease of remembering related information’ is the fourth representation parameter that is considered within this thesis. In sum, four privacy representation parameters related to privacy policy issues are identified and addressed within this research, namely: simplicity in understanding, effectiveness, effort in use, and ease of remembering related information. Further details on privacy representation parameters are illustrated in Table 3.

Table 3: Digital privacy policy representation challenges

Representation parameter: Simplicity in understanding
Issue characterisation: Legal jargon: difficult to read and understand due to technical legal vocabulary. Consumers often need a higher than average reading level and a vocabulary of legal terms to properly comprehend the content.
Example: ‘The way most privacy policies are written rather protects the organization from potential privacy lawsuits than addresses users’ privacy concerns’.
Literature: (Anton, et al., 2003; Earp, et al., 2005; Sen, et al., 2014; Singh, et al., 2011; Nissenbaum, 2011)

Representation parameter: Simplicity in understanding (continued)
Issue characterisation: Complex, abstruse, difficult to understand. Complicated and ambiguous.
Example: 70% of people surveyed in a study disagreed with the statement ‘privacy policies are easy to understand’. National individual cost of time spent on reading / comparing policies is roughly $781.
Literature: (Angulo, et al., 2011; McDonald and Cranor, 2008; Nissenbaum, 2011; Schaub, et al., 2015; Singh, et al., 2011; Tsai, et al., 2011)

Representation parameter: Effectiveness
Issue characterisation: Often static and out-dated. Not interactive, “all or nothing approach”.
Example: ‘Significant limitations hound trust-building, such as managing a dilemma of adopting either an “all-or-nothing” approach...’
Literature: (Capistrano and Chen, 2015)

Representation parameter: Effort in use
Issue characterisation: Time consuming and burdensome.
Example: A study of the average time required to read online privacy policies found that users required approximately 244 hours per year to read online policies.
Literature: (McDonald and Cranor, 2008)

Representation parameter: Ease of remembering related information
Issue characterisation: Format and structure: no widely used standard or classification framework to organize policy information. Difficult to compare and contrast policies for comparable web services and apps.
Example: ‘A simplified, unified format that presents information in a condensed and accessible format is needed’.
Literature: (Milne and Culnan, 2004; Derby and Levy, 2001; James, et al., 1986)

2.4.5 Privacy monetisation trade-offs

Studies have been conducted on how users’ willingness to disclose their data is influenced by privacy policies (Gerlach, et al., 2015); on mismatches between users’ intentions to share information and their actions (Barth and Jong, 2017; Kokolakis, 2017); and on trade-offs between privacy and personalization (Li and Unger, 2012). Privacy monetisation trade-offs offer an economic model that seeks to achieve some balance between risk and reward, cost and benefit, related to the sharing, revealing or transmission of information (Dourish and Anderson, 2006). There is a need to understand the conflicts of interest that exist between stakeholders such as the service providers and the end users. The service provider is required to find an equilibrium between privacy preservation, which greatly limits data monetisation, and privacy invasiveness, which allows the monetisation of user data in order to ensure business viability (Gerlach, et al., 2015). To ensure clarity in a policy’s privacy preservation or invasiveness, users should be provided with means of making and executing specific choices regarding data monetisation. While privacy policies play a substantial role in addressing the conflicts of interest between stakeholders, (Bélanger and Crossler, 2011) stress that there is inadequate research on this subject.

The willingness of users to share their data can be enhanced through incentives such as convenience, monetary benefits or discounts (Dinev, 2014). While actual money may not be given to users, trade-offs between sharing their data and, for instance, the benefit of using the app for free could be facilitated. Indeed, (Gerlach, et al., 2015) assert the need for data handling approaches that optimize monetary and privacy interests. The facilitation of privacy monetisation trade-offs requires mechanisms through which ‘negotiations’ between stakeholders, e.g. the end user and the service provider, can be conducted. As such, privacy policy languages have been proposed to this end, with different degrees of success.

2.4.6 Privacy policy languages

‘A policy language is a set of syntax and semantics that is used to express policies’ (Kasem-Madani and Meier, 2015). In particular, a privacy policy language articulates rules that enforce the protection of specific objects, safeguarding the confidentiality of personally identifiable information, which includes the protection of context information and metadata. Protection is required for personally identifiable information because such data can be linked back to the owner or source and as such can be used to expose the owner’s identity. Personally identifiable information includes the user’s name, email, telephone number, gender, age, social security number, card number etc. (Wetherall et al., 2011). Moreover, (Montjoye, et al., 2015) state that non-personally identifiable data can be aggregated, and that metadata carries the potential danger of re-identification of specific users (Christin, et al., 2011; Henze, et al., 2016), particularly in location privacy (Ziegeldorf et al., 2014).

Service providers depend on privacy policy languages to enable users to enforce their preferred privacy levels using controls and permissions. Privacy policy languages are often proposed with a focus on dealing with emerging privacy control difficulties in a range of specific settings (Kumaraguru et al., 2007). Policy languages may focus on the user side, the policy designers or the enforcers (Costante et al., 2012). Several policy languages have been developed, with some examples depicted in Table 4. In an extensive study on security and privacy policy languages, (Kasem-Madani and Meier, 2015) established the need to address the ‘description of privacy-utility trade-off agreements’ as a gap in policy languages. This is underpinned by (Gerlach et al., 2015), who term this trade-off pricing-by-privacy, asserting that it simultaneously limits the utility of users’ data to service providers.

Research in this thesis seeks to contribute to the process of privacy policy language development. Specifically, it aims to develop privacy policy representation language constructs that facilitate user understanding of privacy policies. It is hoped that the constructs will support the provision of adequate information to facilitate informed user consent, and privacy controls to enforce privacy preferences. To achieve this, there is a need to explore the concepts and vocabulary in the current privacy domain and to establish areas that are of relevance to the end users. While several approaches could be employed in exploring this challenge, this thesis approaches it by seeking to develop a reference model for privacy terms, as highlighted in the next section.

Table 4: Privacy policy languages

Privacy language: Platform for Privacy Preferences (P3P, 2007)
Language description: Proposed with the aim of addressing the growing collection of user data by websites. The development of P3P led to the inception of machine-readable privacy policy languages (Azraoui et al., 2014). Several data handling issues are addressed by P3P, including: who collects the data, what data is collected, the reason for its collection, the retention of the data and who the data is shared with. P3P can be used by service providers to inform users of their data handling practices; as such, users are able to crosscheck these against their preferences. User preferences, if expressed in machine-readable form, can be compared against P3P policies automatically, e.g. using A P3P Preference Exchange Language (APPEL) (Ashley et al., 2002), another W3C project.

Privacy language: The Enterprise Privacy Authorization Language (EPAL) (TC, 2006)
Language description: Introduced obligations into data processing requirements. Obligations are service-provider-invoked initiatives activated by events. For instance, the erasure of personal data under retention can be rearticulated as an obligation to delete data. As such, obligations can be used to create default P3P data retention periods.

Privacy language: The eXtensible Access Control Markup Language (XACML) (Cranor et al., 2002)
Language description: EPAL was replaced with a Privacy Profile (IBM, 2010) of the eXtensible Access Control Markup Language.

Privacy language: GeoPriv (Schulzrinne, 2018)
Language description: Formulated by the Internet Engineering Task Force (IETF) to manage privacy in the growing number of applications that require geo-location information about the user when providing context-aware services.

Privacy language: SPARCLE (Brodie et al., 2005)
Language description: An organizational privacy management benchmark that facilitates the writing and implementation of comprehensible privacy policies. It draws on natural language privacy policies, performs compliance checks, then translates the policies into machine-readable and enforceable formats, e.g. EPAL, XACML.
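As an added illustration of the crosscheck described for P3P and APPEL above (example code written for this section, not code from the thesis, the W3C or any of the cited projects), the following Python parses a constructed P3P-style policy, compares each statement against a simplified user preference, and restates the retention declarations as deletion obligations in the EPAL sense. The element and value names are P3P's; the preference structure, the ordering of retention values and the verdict rules are assumptions made here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample (not any real site's policy): a P3P-style POLICY with
# two STATEMENTs. Element and value names follow the P3P vocabulary.
SAMPLE_POLICY = """<POLICY name="sample">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.online.email"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><tailoring/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.telecom.telephone"/>
      <DATA ref="#user.home-info.online.email"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# P3P's retention values, ordered here from least to most persistent. The
# names are P3P's; treating them as an ordered scale is an assumption made
# so that a user's retention limit can be compared against a policy.
RETENTION_ORDER = ["no-retention", "stated-purpose", "legal-requirement",
                   "business-practices", "indefinitely"]

@dataclass(frozen=True)
class Statement:
    """One P3P STATEMENT: data elements and the practices applied to them."""
    purposes: frozenset
    recipients: frozenset
    retention: str
    data_refs: tuple

@dataclass(frozen=True)
class Preference:
    """Simplified, APPEL-like user preference (a constructed structure)."""
    blocked_purposes: frozenset
    blocked_recipients: frozenset
    max_retention: str         # most persistent retention the user accepts
    sensitive_data: frozenset  # data refs the user will not trade away

def parse_policy(xml_text):
    """Extract the practice statements from a P3P-style POLICY document."""
    statements = []
    for st in ET.fromstring(xml_text).findall("STATEMENT"):
        purposes = frozenset(el.tag for el in st.find("PURPOSE"))
        recipients = frozenset(el.tag for el in st.find("RECIPIENT"))
        retention = next(iter(st.find("RETENTION"))).tag
        refs = tuple(d.get("ref", "").lstrip("#") for d in st.iter("DATA"))
        statements.append(Statement(purposes, recipients, retention, refs))
    return statements

def crosscheck(statements, pref):
    """Compare every declared practice against the user's preference.

    Returns (verdict, findings); each finding is (data_ref, kind, detail).
    Verdict names are borrowed from APPEL's behaviours: "request" (no
    conflict), "limited" (conflicts on non-sensitive data only), "block".
    """
    findings = []
    limit = RETENTION_ORDER.index(pref.max_retention)
    for st in statements:
        problems = [("purpose", p) for p in sorted(st.purposes & pref.blocked_purposes)]
        problems += [("recipient", r) for r in sorted(st.recipients & pref.blocked_recipients)]
        if RETENTION_ORDER.index(st.retention) > limit:
            problems.append(("retention", st.retention))
        # Every data element in the statement inherits all of its problems.
        findings += [(ref, kind, detail) for ref in st.data_refs
                     for kind, detail in problems]
    if not findings:
        return "request", findings
    if any(ref in pref.sensitive_data for ref, _, _ in findings):
        return "block", findings
    return "limited", findings

def retention_obligations(statements):
    """Restate retention declarations as deletion obligations, following the
    EPAL idea that keeping data 'for the stated purpose' implies a duty to
    delete it. The first declaration seen for a data element wins."""
    actions = {"stated-purpose": "delete once the stated purpose is fulfilled",
               "no-retention": "delete immediately after the interaction"}
    obligations = {}
    for st in statements:
        for ref in st.data_refs:
            if st.retention in actions and ref not in obligations:
                obligations[ref] = actions[st.retention]
    return obligations
```

For a user who refuses telemarketing, refuses unrelated recipients, accepts retention only for the stated purpose and treats the telephone number as sensitive, crosscheck(parse_policy(SAMPLE_POLICY), pref) returns "block" with six findings, all on the second statement.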

2.4.7 Classification of privacy content

2.4.7.1 The role of the taxonomy

In order to establish an understanding of the current privacy domain, there is a need to organise its content into meaningful classifications from which knowledge can be derived. The development of a taxonomy of mobile application privacy policies can be defined as a ‘conceptual analysis of classification and identification’ (Bailey, 1994; Simpson, 1961; Sneath and Sokal, 1975). It is important in determining the content within the privacy policy domain. In the field of IS, a taxonomy is a ‘class of theories that go beyond basic description in analysing or summarizing salient attributes of phenomena and relationships among phenomena. The relationships specified are classificatory, compositional or associative, not explicitly causal’ (Gregor, 2006). A limited availability of published taxonomies and coding for the classification is cited by (Nickerson et al., 2013). Moreover, to the best of the researcher’s knowledge, there is limited work on the classification of mobile privacy policies.

Literature provides a range of justifications for the development of taxonomies. A privacy taxonomy supports the order and arrangement of domain knowledge, facilitating the analysis of concepts and of the associations between the concepts from which hypotheses can be drawn (Dezdar and Sulaiman, 2009). It is argued that taxonomies simplify comparison and appropriate application to research (Dayarathna, 2011), facilitate identification of research gaps (Yu and Buyya, 2005) and enhance understanding of specific IS domains (McKinney and Yoos, 2010; Rivard and Lapointe, 2012). This is underpinned by (Bapna, et al., 2004; Nickerson, et al., 2013), who state that taxonomies can be used in the development of theory. In industry, taxonomies provide practitioners with understanding and form a basis for discussion on the subject matter (Dayarathna, 2011). Taxonomies also support decision-making (Silic, et al., 2015; Solove, 2006) and policy design (Antón and Earp, 2004). In summary, taxonomies are useful in two cases: ‘(i) when little is known about a topic and categories, concepts, and constructs need to be identified and (ii) much is known about a topic but that knowledge has not been organised in meaningful ways’ (Strode, 2016).

2.4.7.2 Review of taxonomies

A review of taxonomies relating to a variety of application areas is presented in Table 5. While this review is not exhaustive, it provides an understanding of the methods used to build taxonomies.

What these studies share in common is that, during taxonomy development, (i) an initial step of assessing current literature in the application domain is undertaken to understand the associated factors needed for analysis, and (ii) a range of deductive as well as inductive methods can be employed for the development of the taxonomy. This knowledge is pertinent in exploring the privacy domain knowledge base through the development of the privacy taxonomy. Likewise, the privacy taxonomy is important as it informs the development of improved privacy policy representations.

Table 5: Review of taxonomies

Authors: (Devolder et al., 2012)
Taxonomy: Taxonomy of intra-group behaviour similarities: a framework for understanding the process of technology acceptance by its users.
Research method / data collection: An extensive review of academic literature on information systems adoption models, followed by the development of an open questionnaire-based study of medical staff using the electronic patient record (EPR) in the Ghent University Hospital.

Authors: (Bouguettaya and Eltoweissy, 2003)
Taxonomy: A taxonomy concerning privacy on the web.
Research method / data collection: The researchers differentiate between technology-enabled and regulatory-enabled solutions. Further subdivisions are made between the technology-driven solutions as client-based, server-based, and combined solutions. Categories are also made within the regulatory-related solutions.

Authors: (Meijer et al., 2014)
Taxonomy: Domain taxonomy from text corpora, using an automated taxonomy-building technique called Automatic Taxonomy Construction from Text (ATCT).
Research method / data collection: A semantic approach to taxonomy construction comprising four steps: (i) terms are extracted from a corpus of documents; (ii) a filtering approach is used to select the terms; (iii) the selected terms are disambiguated by means of a word sense disambiguation technique and concepts are generated; and (iv) broader–narrower relations between concepts are determined using a subsumption technique.

Authors: (Abbas and Khan, 2014)
Taxonomy: A survey of Privacy Enhancing Technologies (PETs) for e-Health clouds.
Research method / data collection: PETs are classified into cryptographic and non-cryptographic approaches; the cryptography-based solutions are then subdivided into public key, symmetric key, and other alternative encryption schemes.

Authors: (Antón and Earp, 2004)
Taxonomy: Requirements taxonomy for analysing website vulnerabilities.
Research method / data collection: A review of 23 website policies using goal mining techniques for the extraction of pre-requirements goals from post-requirements text artefacts, from which a taxonomy was developed.

Authors: (Reddy and Venter, 2010)
Taxonomy: Information privacy in two dimensions.
Research method / data collection: The study focuses on developing a classification scheme for information privacy research from various academic disciplines.

2.4.8 Privacy policy representations

Diverse approaches have been put forward to enhance privacy policies’ effectiveness and user comprehension, and to mitigate privacy breaches. These approaches include alternative representations such as the use of “nutritional labels” (Kelley, et al., 2010), privacy icons (Holtz, et al., 2011) and multilayer privacy notices (Cranor, 2012). The different alternative representations are expounded in Table 6. However, such approaches are often overshadowed by a transparency paradox, whereby they introduce a danger of eliminating relevant information, which could curtail the meaningfulness of the information provided by the policies (Nissenbaum, 2011).

They endeavour to improve the legibility of policies by reducing the length of privacy policies and providing alternatives to the conventional textual policy representation. Alternative policy representations have been inspired by innovations such as the US Food and Drug Administration facts label on medicines (FDA, 2015) and nutrition labels on food (Cannoosamy et al., 2014), in which information for consumer consumption is compacted so as to facilitate the viewing of the most important details. Proposed miniature policy representations seek to express privacy information with a clarity that aids user comprehension of personal privacy. These efforts include shorter policies similar to nutrition labels (Kelley et al., 2010), and machine-readable policies (P3P, 2018) such as the Platform for Privacy Preferences (P3P, 2007) and privacy beacons (Langheinrich, 2001). Several representation styles, their characteristics and challenges are presented in Table 6.

The impact of these alternative policy representations varies. One of the challenges identified with alternative policy representations is that these condensed or miniature policies still consume a lot of space. Reductions in the amount of space occupied by these policy representations have included efforts such as the design of privacy icons (Holtz, et al., 2011; Leif-Erik, et al., 2011). Similarly, multi-layered privacy notices (Cranor, 2012) have been proposed. Multi-layered privacy notices present titles and summaries on the first page with links to more details. However, a setback with this representation is that if an item is not included in the summary on the first page, a user may have to go through the entire policy if they do not know the exact location of the relevant section in which to search for the specific information. In addition, supplementary approaches that address policy representation challenges have focused on the policy languages’ complexity and inconsistent structuring, aspects which make policies difficult to compare.

Taking the various approaches to alternative policy representations into consideration, the design of effective policies still faces a challenge of eliminating relevant information that could reduce the meaningfulness of the information provided by the policies. It is argued that the limited user involvement in policy representation design early in the design process is a contributor to this challenge.

Table 6: Digital privacy policy notation styles

Style: Nutritional labels
Characterisation: These concise representations express the privacy policy with a degree of clarity that users can easily understand.
Challenges: Tabular structures consume a significant visual area and are difficult to adapt to a smartphone screen. Limitations in representing complex policy logic involving if-then-else statements and exceptions.
Literature: (Kelley, et al., 2010)

Style: Privacy icons
Characterisation: Used to visualize specific statements or properties, e.g., for emergency fire exits or subway stations.
Challenges: Extreme variations in icon design visual languages, with a lack of standards across cultural contexts. ‘... not as important as category selection and taxonomic representation, i.e. icons should make sense in the context of the categories they are associated with.’
Literature: (Holtz, et al., 2011)

Style: Multilayer privacy notices
Characterisation: This format presents titles and summaries on the first page with links to more details.
Challenges: Users have to navigate a complex choice space to find required information.
Literature: (Cranor, 2012)

Style: Goals and vulnerabilities’ policy representation
Characterisation: It is based on a conventional full-length policy representation in which goal or vulnerability statements relevant to consumer privacy are bolded and highlighted. On cursor-over, these statements present a pop-up box which displays the protection goals and vulnerabilities.
Challenges: The representation still contains the full content of a conventional policy, making it burdensome to read.
Literature: (Earp, et al., 2006)

Style: User centric policy representation artefact
Characterisation: A user-centred and monetisation-friendly, mobile app compatible privacy policy representation. This exhibits effectiveness, is comprehensive and informative, and facilitates greater user control over privacy.
Challenges: The trade-off between privacy and monetization is not fully compliant with the General Data Protection Regulation requirements (GDPR, 2018).
Literature: (Kununka, 2018)

Addressing this transparency paradox requires the development of more precise policies while ensuring that the relevant information that gives meaningfulness to policies is not eliminated. In hindsight, studies have been conducted to compare the effectiveness of different alternative policy representations. These studies have at times yielded conflicting results. For instance, (Cranor, et al., 2010) report that users favoured shorter and tabulated privacy policy representations over the full-length conventional policy representation, while (Earp, et al., 2007) found that the full-length policy was perceived as more secure and thorough by participants as compared to other alternatives. However, the differences could be attributed to differences in context: while (Cranor, et al., 2010) focus on enjoyability and ease of finding information in a policy, (Earp, et al., 2007) explored comprehension and perceptions of the privacy security offered by policies.

In both studies (Cranor, et al., 2010; Earp, et al., 2007), it was confirmed that the full-length conventional policy representation yielded the worst accuracy results in terms of users’ ability to find and correctly interpret privacy information, as compared to shorter alternative policy representations. This may be a pointer to inadequate user understanding of the full-length privacy policy representation. Readability is a vital factor in supporting users’ interpretation of policies, and a lack of readability in policies has led to user complaints regarding their privacy (Sumeeth et al., 2010). A policy that lacks clarity or readability may not be clearly understood and could lead to uninformed user privacy consent, increasing opportunities for unanticipated and unwanted uses and disclosures of users’ data. Readability relates to a policy’s clarity, ease of reading and the extent to which it is comprehensible (Sumeeth et al., 2010). However, the preference for the full-length conventional policy representation in (Earp, et al., 2007) could be attributed to users being hesitant to use policy representations that they are not familiar with. This indicates that, as alternative policy representations are developed, there is a need to build user trust in these new policy representations. User trust could be achieved through repeated use of new alternative representations and user education. In addition to privacy policies, a range of other tools and methods have been proposed in an effort to preserve privacy, as discussed in the next section.

2.4.9 Privacy preserving systems, methods and tools

In addition to efforts to develop better policy representations, other efforts to provide mobile application users with ways in which to protect their privacy mainly focus on three mechanisms:

First, there is considerable research into mechanisms that allow users to selectively consent to the ways in which their data may be collected by mobile applications. The ‘Do not track’ tool, when activated in a user’s browser, indicates a desire for restricted data collection of their browsing activities. In the US, the Federal Trade Commission requires that apps include the ‘Do not track’ feature as a measure to enhance protection of personal data. Likewise, the two dominant mobile application platforms have also developed related tools, i.e. the ‘Limit Ad Tracking’ option by iOS and the ‘Opt out of interest-based ads’ option by Google.

Second, mechanisms that dispatch false data in response to apps’ data requests have been devised. When apps issue certain Application Program Interface (API) calls, tools such as TISSA, AppFence and MockDroid respond by relaying incorrect data (Beresford, et al., 2011; Zhou, et al., 2011; OAG, 2014). These approaches introduce a technical control: they send incorrect data to selected applications in a bid to block the movement of personal information, as observed in MockDroid (Beresford, et al., 2011). MockDroid thus provides a mechanism for user control over the gathering and spread of personal data. However, some application functionality may be lost because the application is operating on mock data.

Third, app stores are charged with the responsibility of providing relevant information to users about how users’ data is relayed to the third parties associated with the mobile applications. Mobile applications are now able to display information about the third parties with whom they collaborate on their websites. This information may also be communicated through the apps’ privacy policies. However, the length and complexity of privacy policies implies that users may not properly comprehend the information on how their data is shared.

There has been a range of other tools targeted at preserving privacy. Apex, a policy enforcement framework, facilitates the granting of specific permissions to applications and limits the use of resources (Nauman et al., 2010). Apex facilitates the addition, modification or deletion of permissions at runtime. In addition, there are novel methods that limit data exposure, such as privacy preserving online advertising (Guha et al., 2011).
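The runtime-adjustable permissions attributed to Apex and the mock-data responses attributed to MockDroid above can be illustrated with a small mediation layer. The Python below is an added example written for this page; it is not the code of either tool, and the app names, resource names, data values and the `nearby_places` feature are constructed. It shows a per-app, per-resource policy that can be changed while apps are running, a broker that answers each resource request with real data, mock data or a refusal, and the functionality loss the text mentions: an app given a mocked location finds no nearby places.

```python
"""Constructed illustration of two app-privacy controls described in the text:
runtime-adjustable permissions (the Apex idea) and mock data in place of real data
(the MockDroid idea). Example code for this page, not either tool's own code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"   # hand the real value to the app
    MOCK = "mock"     # hand a plausible but false value to the app
    DENY = "deny"     # refuse the request outright


# Constructed "real" device data that the platform holds on the user's behalf.
REAL_DATA: Dict[str, Any] = {
    "location": (53.4668, -2.2339),                      # lat/lon, invented
    "contacts": ["alice@example.org", "bob@example.org"],
    "device_id": "DEVICE-ID-PLACEHOLDER",
}

# Mock values shaped like the real ones so apps keep working, but carrying nothing private.
MOCK_DATA: Dict[str, Any] = {
    "location": (0.0, 0.0),
    "contacts": [],
    "device_id": "MOCK-DEVICE-ID",
}


@dataclass
class PolicyStore:
    """Per-app, per-resource decisions that the user may add, change or remove at runtime."""
    rules: Dict[Tuple[str, str], Decision] = field(default_factory=dict)
    default: Decision = Decision.DENY   # least privilege: an unlisted request gets nothing

    def set_rule(self, app: str, resource: str, decision: Decision) -> None:
        self.rules[(app, resource)] = decision

    def remove_rule(self, app: str, resource: str) -> None:
        self.rules.pop((app, resource), None)

    def decide(self, app: str, resource: str) -> Decision:
        return self.rules.get((app, resource), self.default)


class ResourceBroker:
    """Mediates every API call an app makes for a protected resource and logs the outcome."""

    def __init__(self, policy: PolicyStore) -> None:
        self.policy = policy
        self.audit: List[Tuple[str, str, str]] = []

    def request(self, app: str, resource: str) -> Any:
        decision = self.policy.decide(app, resource)
        self.audit.append((app, resource, decision.value))
        if decision is Decision.ALLOW:
            return REAL_DATA[resource]
        if decision is Decision.MOCK:
            return MOCK_DATA[resource]
        raise PermissionError(f"{app} may not access {resource}")


# Constructed points of interest for the toy app feature below.
PLACES = {"cafe": (53.47, -2.24), "library": (53.48, -2.23)}


def nearby_places(location: Tuple[float, float], places: Dict[str, Tuple[float, float]]) -> List[str]:
    """Toy app feature: names of places within 0.5 degrees of the given location.
    With a mocked location this returns nothing, which is the functionality loss
    the text mentions as the price of mock data."""
    lat, lon = location
    return [name for name, (plat, plon) in places.items()
            if abs(plat - lat) < 0.5 and abs(plon - lon) < 0.5]


def demo() -> Dict[str, Any]:
    policy = PolicyStore()
    broker = ResourceBroker(policy)
    # A mapping app needs the real location but gets mocked contacts.
    policy.set_rule("maps_app", "location", Decision.ALLOW)
    policy.set_rule("maps_app", "contacts", Decision.MOCK)
    # A game has no need for the real location, so it is mocked.
    policy.set_rule("game_app", "location", Decision.MOCK)

    real_hits = nearby_places(broker.request("maps_app", "location"), PLACES)
    mock_hits = nearby_places(broker.request("game_app", "location"), PLACES)
    contacts = broker.request("maps_app", "contacts")

    # Runtime change: the user revokes the game's location access entirely.
    policy.set_rule("game_app", "location", Decision.DENY)
    try:
        broker.request("game_app", "location")
        denied = False
    except PermissionError:
        denied = True
    return {"real_hits": real_hits, "mock_hits": mock_hits, "contacts": contacts,
            "denied_after_revoke": denied, "audit": broker.audit}


if __name__ == "__main__":
    print(demo())
```

The audit list is what a user-facing transparency feature would draw on: it records, per request, which app asked for which resource and whether it received real data, mock data or a refusal.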

2.5 Related work

2.5.1 Empirical studies

An empirical study (Moll et al., 2014) on Online Social Networks (OSNs) investigated users’ actual knowledge of the content they had disclosed online and of which audiences could access that content. Using Facebook as the OSN case study, (Moll et al., 2014) argue that the privacy control mechanisms provided by Facebook are unfriendly and difficult to use, with the result that users do not have a clear picture of who has access to their information. The study further explored the metacognitive accuracy of this information, that is, the extent to which the representation of this knowledge was accurate. Metacognition comprises cognition about cognition (Flavell, 1979) and is often explored in the context of learning. In general, ‘metacognitive accuracy is measured as the association between the performance on a specific cognitive task (say a vocabulary test) and different judgements measures such as prospective feeling-of-knowing judgements or retrospective confidence judgments about one’s task performance’ (Hattie, 2013; Nelson, 1990).

The study uses 45 users between the ages of 14-19 years based in Germany. Standard interviews were used to capture the profile categories to which users had disclosed information and the audiences that could view the information. Findings indicate a low metacognitive accuracy for both content and audience judgements; however, judgements appear to be better regarding the content disclosed than regarding the audience to whom it is disclosed. The study concludes that users’ knowledge of privacy settings involves higher complexity than knowledge about the content disclosed. This misunderstanding of information visibility has also been shown in the behavioural economics field (Akerlof, 1970). Indeed, the findings of (Moll et al., 2014) show that mobile technologies present a greater likelihood of conveying and also misusing consumers’ information, as underpinned by (Park, 2014). However, the generalizability of the study is limited because a convenience sample was used; as such, it makes a contribution as a first exploration of knowledge and metacognitive awareness in OSNs.

In another study on understanding privacy knowledge and skill in mobile communication, (Park, 2014) explored young people’s familiarity with and use of mobile phones based on their socio-demographic characteristics. Specifically, the study focused on African Americans because, while they lag behind in broadband penetration, they have a greater mobile diffusion than that of other digital devices. A mixed methods design was used with quantitative methods and qualitative in-depth interviews. The study also involved 60 individual observations and a survey tool. Non-probability purposive and snowball sampling was used to obtain participants aged between 18 and 24. Results showed that mobile familiarity was not directly proportional to mobile knowledge and skill. Moreover, it was also found that below 50% of the participants had fundamental privacy and location knowledge, privacy skills or an understanding of data monetisation. In theory, the research sought to build on the concept of privacy literacy (Park, 2013), providing comprehension of mobile phone privacy protection skill and knowledge.

Further, an empirical study on information privacy policy features and online experience (Capistrano and Chen, 2015) used the policy design features of length, visibility and relevance to assess their success in shaping perceived information sensitivity, perceived importance and the policy’s relevance to sharing personal information. Using 300 participants based in a leading business college in the Philippines, the study employed a hypothetical website, and users were asked to read through the website and its privacy policy. A questionnaire survey was used to ask one group of participants questions requiring low sensitivity information, while the other group answered questions requiring high sensitivity information. The variables were manipulated such that the policy was either lengthy or brief in content; for visibility, a privacy policy link located at the top of the page implied high visibility, while a link at the bottom of the website page implied low visibility. For specificity, the policy content was written in normal, easy to understand English text to imply ‘more specific’, while the ‘less specific’ option was written in technical phrases that are difficult for users to understand. The results show that visibility and specificity have greater priority. Also, high information sensitivity invokes greater perceptions of importance and relevance. Whereas the policy’s visibility and specificity influence both importance and relevance, the length affects only its relevance. The significance of these findings is that, apart from the policy content, the way that the policy is designed and conveyed carries the same significance.

In other related research, (Steinfeld, 2016) explored whether the likelihood of users reading policies is higher if policies are presented by default and also assessed how policies are read. The policies of the hundred most popular websites were coded in order to design the policy for the study. The study used a computer aided eye tracking tool to analyse participants’ eye movements as they focused on different sections of the policy. Of the 64 participants, some were presented with the policy by default while the rest were not. A post-session questionnaire was also used to capture the importance they assign to privacy and to the presence of policies on websites. This was done to find any relationships between the perceived significance of privacy and policies and the time spent reading them; no relationships were established. Further, the time participants spent focusing on different sections of the policy was noted. The study established that users read policies more thoroughly when presented by default, whereas users will avoid the policy if given the option of agreeing without reading it. Further, when participants were presented with the policy by default, they dedicated more time and effort to reading it than when participants opted to read the policy. The provision of policies by default was related to better user understanding of policies’ content. It was observed that in either condition, policy content was read in the order in which it appeared. Another recent study using 717 participants found that interactive privacy policies are likely to impact the trust that consumers place in providers (Aïmeur et al., 2016). As a result, they argue that the provision of opt-in and opt-out options is correlated with more trust.

In research involving 298 undergraduate students in an online anonymous survey, (O'Connor et al., 2016) investigated their awareness of the university’s social media policies, free speech, privacy perceptions and views, the university’s observation of their personal social media posts, and the fairness of the associated disciplinary measures. Students were found to be uninformed about the existence of a university social media policy and about the extent to which freedom of speech or privacy protection would shield them from university discipline. Moreover, 78% were against the university’s observation of their social media activities, while 68% thought that it was acceptable for the university to monitor the social media profiles of athletes.

2.5.2 Theories

Privacy research has drawn on a range of theories in the investigation of the privacy domain. The self-disclosure theory proposes that consumers’ judgements of the costs, risks and benefits involved in sharing their personal information impact their willingness to share that information (Laufer and Wolfe, 1977). Privacy policies enable firms and consumers to communicate and negotiate on aspects regarding the handling of personal information (Christopher, et al., 2010; Muhammad, et al., 2010). Yet the social constructs theory points out that consumers lack the time, emotional ability and awareness required to make choices aligned with their preferences (Dunfee et al., 1999). As such, there is a need to mitigate against information processing excesses which may lead to undesired outcomes (Jacoby, 1977; Malhotra, 1982), particularly when taking into account issues such as information asymmetry (Acquisti and Grossklags, 2005). Information theory therefore argues for the need to assess the amount of information provided to consumers. Effective messages, according to signalling theory, are direct, comprehensible and representative of consumers (Nehf, 2007).

Moreover, the theory of the status quo bias in decision making posits that when a particular behaviour is presented to consumers as the norm, this results in a bias toward that behaviour (Capistrano and Chen, 2015). Similarly, mental models have been used to explain behaviour, revealing that when consumers engage with a system repeatedly, they adapt their models to the system (Gray, 1990).


The information boundary theory (Altman, 1975; Petronio, 1991) provides a method for boundary coordination allowing consumers’ communication control such as to balance personal disclosure and privacy. It proposes that consumers formulate rules that act as information boundaries which are managed based on conditions surrounding their choices e.g. cost-benefit ratio.

2.6 Summary

In conclusion, different approaches have been proposed to address users’ privacy concerns. These include privacy policies and tools that use mechanisms focused on enforcing privacy in systems. Efforts are also in place to provide sufficiently understandable information to users through the exploration of various policy representations. In spite of these efforts, policy representations still face the challenges of the time required to find privacy information; difficulty in understanding the privacy information provided by the policies; the need for taxonomic presentation and standardization of privacy information; and the fact that conventional policy representations have minimal end user consideration. This necessitates the development of a policy representation that addresses these challenges, such that policy representations are shorter or require less time to read yet are complete in their representation of privacy information, more understandable, easy to navigate and incorporate the user focus. The next section presents the research methodology of this thesis.

CHAPTER 3

Research Methodology

3 RESEARCH METHODOLOGY

In this chapter, the research methodology used in this thesis is presented together with a discussion on the philosophical views related to this work. It also presents the different research methods used in the research for purposes of data collection, analysis and development of the artefact presented. The research uses the design science approach (Wieringa, 2014) as the overarching research methodology. A justification for the process that the research adopted is provided.

3.1 Philosophical stand point

Information systems research seeks to explore phenomena that result from the relationships between technological and social systems, as opposed to merely studying these systems individually or in parallel (Lee, 2001). In spite of arguments on the composition and type of artefacts in IS, this field is perceived as synonymous with artefact design, creation and usage (Gregor and Jones, 2007; Orlikowski and Iacono, 2001). Unlike natural phenomena, artefacts refer to artificial or man-made things (Simon, 1996). This is underpinned by (March and Smith, 1995), who assert that design science uses methods in an endeavour to produce products that meet people’s requirements.

Design science was used as the overarching method in this thesis because it is widely adopted in IS research and provides a structured approach to addressing the research problem. This method enables the development of original artefacts and their evaluation, resulting in enhancements to IS artefacts and an understanding of their behaviour (Vaishnavi and Kuechler, 2004). It facilitates the exploration of relationships between technological and social systems (Lee, 2001). Design science also effectively addresses wicked problems, which according to (Rittel and Webber, 1984) are problems characterised by poorly defined requirements in ambiguous contexts, with multifaceted inter-linkages between the subsystems of the problem and its resolution, and whose outcomes depend on people’s social skills. This thesis sets out to address a wicked problem due to the complexity of the privacy domain.

In order to obtain full comprehension of design science as a standard in IS research, it is imperative to note that design science is (i) a process or series of actions and (ii) a product or artefact. The actions output novel products or solutions (Hevner et al., 2004). The artefact is then evaluated, yielding feedback in a series of iterations (Markus et al., 2002), leading to improved comprehension of the problem at hand and ultimately resulting in enhancement of the artefact and the design process. It should be noted that distinctions exist between routine design and design science. The former sets out to solve business challenges by employing known knowledge, whereas the latter seeks to solve challenges that do not have a known solution through new ways, or to solve known challenges through enhanced means. Ultimately, the contribution of new knowledge to the knowledge base is key in design research (Vaishnavi and Kuechler, 2005). Design science has two processes and four categories of artefacts (outputs). The processes are build and evaluate. Building comprises developing or constructing an artefact to meet specific requirements. Based on relevant standards, the process of evaluation then assesses the extent to which the artefact that has been built measures up to its requirements (March and Smith, 1995). The artefacts are generally expressed as ‘constructs (vocabulary and symbols), models (abstractions and representations), methods (algorithms and practices), and instantiations (implemented and prototype systems)’ (Hevner, et al., 2004; March and Smith, 1995).

In particular, this thesis bases its research process on the framework for design science (Wieringa, 2014) shown in Figure 2, which is comparable to the framework by (Hevner, et al., 2004). It is dissimilar in the sense that it treats design and investigation as separate activities (Wieringa, 2014). The stakeholders in the social context comprise those entities that impact on the project or that are impacted by it, e.g. users, maintainers, operators, instructors, etc. Knowledge is drawn upon in design science work, and knowledge may be enriched as new designs emerge. The knowledge context includes theories, available designs, relevant information, lessons from existing research, common sense, etc.

While companies often have the same privacy policy for both their website and mobile application, research on privacy information representation has often focused on websites (Cranor, 2012; Earp, et al., 2007; Gerlach, et al., 2015; Holtz, et al., 2011; Kelley, et al., 2010). Such work has compared privacy information representations for health care websites (Earp, et al., 2007); proposed privacy icons to address the challenge of policy complexity and length (Holtz, et al., 2011); standardized website privacy notices (Cranor, 2012); developed privacy nutrition labels (Kelley, et al., 2010); explored the impact of website policies on users’ willingness to disclose personal information (Gerlach, et al., 2015); and investigated the effect of presenting policies by default on the likelihood that they are read (Steinfeld, 2016). Indeed, whereas these prior studies highlight important insights into a range of privacy related questions, their focus is mainly limited to websites. Moreover, the literature shows that privacy research on mobile applications has focused on privacy preserving tools and methods (Beresford, et al., 2011; Nauman, et al., 2010; Quercia, et al., 2011); factors affecting perceptions of privacy breaches (Stanislav and Raquel, 2015); privacy attitudes and behaviours (Kokolakis, 2017); and discrepancies between privacy concerns and actual online behaviour (Barth and Jong, 2017). However, there is a lack of a privacy information representation with a focus on mobile applications. As such, this thesis sought to develop a policy representation usable by websites and compatible with mobile applications, given the limitations of their display interface. In the mobile applications ecosystem, the social context of stakeholders indicated in Figure 2 comprises app users, app service providers, technology, regulators, etc. The two main stakeholders considered in this thesis are the mobile app users and service providers. Specifically, app user roles, requirements and preferences regarding the capabilities provided to users through the available app privacy options are taken into account.

[Figure 2 is a diagram with three layers: the Social Context (stakeholders) at the top; Design Science in the middle, comprising the design of artefacts (design an artefact to improve a problem context) and investigation (answering knowledge questions about the artefact in context), with knowledge and new design problems flowing between them; and the Knowledge Context at the bottom.]

Figure 2: A Framework for design science (Wieringa, 2014)

Considering app service providers, aspects such as the providers’ service, strategies and associated third parties are analysed. This includes the service providers’ processes for handling user data, together with the arising privacy concerns and measures to mitigate those concerns. In terms of technology, considerations include the infrastructure associated with app service provision and its commercial aspects, for example the iOS and Android platforms and the ad network platforms respectively. Regulatory considerations entail the laws and regulations that protect user data privacy and the extent to which these are adhered to by the service provision on the available platforms.

3.2 Application of design science research in user centric privacy policy design

Adapting the framework for design science depicted in Figure 2, Figure 3 maps the research phases in this thesis to design science. The privacy representation development process oscillates between the design phase and investigation phase.

[Figure 3 is a diagram of two columns, design phase and investigation phase, with transitions between them; the figure content is reconstructed here as a list.]

Design phase (step and the artefact/tool it produces):

1) Create taxonomy: Taxonomy
2) Design early user study: Survey tool
3) Create policy representation prototype: Prototype
4) Refine prototype design: Prototype
5) Finish prototype design: Final artefact

Investigation phase (knowledge question answered at each step):

1) What is important to users in the taxonomy?
2) What are the user needs and priorities concerning privacy?
3) User assessment of prototype.
4) What are the users’ mental models?
5) End user summative evaluation of artefact.

Design recommendation: future design actions by service providers.

Legend: Knowledge; Transition; Artefact/Tool.

Figure 3: Mapping the research phases to design science


The privacy representation development process is initiated in the design phase with the creation of the taxonomy in Step 1 of Figure 3. This is then used in a study to explore what is important to users within the reference model of privacy terms expressed in the taxonomy in Step 2. The knowledge gathered is input into the next design phase for the development of the first policy representation prototype in Step 3. The prototype is used in the investigation phase in a study to analyse whether users like the prototype. The acquired knowledge is then input into the design phase to further refine the policy representation in Step 4. The refined prototype is then used in a study within the investigation phase to investigate users’ mental models of policy representations. The gathered knowledge is input into the design phase in the creation of the final policy representation in Step 5. This representation is then input into the investigation phase in an end user summative evaluation study of the proposed privacy notation. The results are used to form recommendations for future design actions for service providers. In conclusion, the thesis research ultimately contributes to the knowledge base through the novel improvements presented in the developed artefact, a user-centric privacy policy representation design.

3.3 Data collection and analysis methods

The thesis uses a mixture of primary and secondary data collection methods. Secondary data is based on analysis of research authored by other researchers (Bell, 2010) and generally costs less than primary data collection. The primary data used in the thesis is collected through a questionnaire survey instrument, while the secondary data is comprised of app privacy policies sourced online. A qualitative thematic analysis of app policies is implemented with the NVivo text mining tool. The results of the thematic analysis were fundamental to the development of a privacy taxonomy using the (Nickerson, et al., 2013) taxonomy development method. Based on the privacy taxonomy together with results from the questionnaire survey, a user centric app policy representation design is proposed and validated using the cognitive dimensions framework (Green and Petre, 1996). The final artefact developed in this thesis is evaluated through an end user summative study.

3.3.1 Qualitative research

Within the design science framework that guides this thesis, qualitative research is used in the classification of privacy issues presented in Chapter 4. Qualitative analysis is also conducted in parts of the studies in Chapters 5 and 6 on users’ requirements, perspectives and mental models of privacy policy representation. The objective of qualitative research is to derive significance and sentiment and to define circumstances (Ravenswood, 2011). Qualitative research is based on reality and is subjective to the perceptions of those involved in the research. The qualitative approach has the benefits of facilitating a deep level of understanding through one-on-one dialogue and, additionally, the generation of ideas (Creswell, 2003). However, it is associated with the challenges of being difficult to reproduce, having limited transparency, having issues with generalization and being too subjective (Bell and Bryman, 2006). Still, (Gill and Johnson, 2002) argue that issues of validity and generalizability are to an extent countered by research evaluation analysis.

3.3.2 Data collection

Empirical research data can generally be collected using two methods of data collection. The first is the analytical or primary method, which entails direct inspection or examination of the area of interest. It has pragmatic approaches such as the case study approach, the survey approach and the problem solving approach (Naoum, 2007). The second method is descriptive or secondary research, which involves the review of research by other researchers (Bell, 2010; Greener, 2008). Research in this doctoral work draws on both primary and secondary means of data collection.

3.3.2.1 Primary data collection

Primary data collection in the thesis is conducted within the investigation phase of the design science process, as depicted in Figure 3. While interviews could have been used in this thesis because of their ability to capture how participants think and feel about privacy, including their opinions, interviews were not used because they are time consuming in terms of setting up, interviewing, transcribing, analysing, feedback and reporting (Evalued, 2006). Another method that was considered was focus groups, as they are not as expensive in monetary terms and time as interviews. However, focus groups are disadvantageous in that they can be intimidating for some participants, who may feel the need to consent to the dominant group view. As such, a survey questionnaire tool is used to capture users’ privacy requirements, mental models and assessments of the prototypes. It is fairly easy to administer questionnaires and to evaluate results. Questionnaires may be applied in the investigation of sensitive issues that participants may be uncomfortable revealing to interviewers (Evalued, 2006). Questionnaire survey tools are therefore advantageous in exploring users’ privacy issues, which have varying degrees of sensitivity. However, questionnaires are disadvantaged in that they are not appropriate for the investigation of complex issues (Evalued, 2006). As such, the survey study was designed as an observational study within a controlled environment, enabling facilitators to observe participants and to note the times taken to answer different questions. However, participants may feel uncomfortable being observed. As such, they were informed before the experiment that an observer would sit with them and observe them so as to gain insights into what participants were working on. This enabled the participants to be at ease while working alongside an observer. A combination of open-ended and close-ended questions was used in the questionnaire survey. Open-ended questions capture participants’ responses in their own words (Johnson and Turner, 2003). This was important in capturing the participants’ views and preferences concerning various policy representations. Moreover, the study included a section that allows users to draw their ideas of how they envisage a privacy policy to be. This was to facilitate the capturing of how users think about privacy policies, an aspect of privacy that cannot be captured with a simple questionnaire survey instrument. Primary data collection was further required in the user evaluation summative study of the artefact developed in this work. The number of study participants in the primary data collection was controlled, because one of the disadvantages of the observational nature of the study is that it makes studies time consuming.

3.3.2.2 Secondary data collection

Secondary data collection in the thesis is conducted in Step 1, within the taxonomy creation process of the design phase, as shown in Figure 3. It involves a qualitative analysis of mobile app privacy policies that are published within the apps. Secondary data collection is cheap (Greener, 2008) in terms of time and cost and was used in the privacy policies analysis study, which involved a relatively sizable sample. There are several sources through which a wealth of secondary data can be conveniently accessed. The secondary data in the thesis is collected from the readily available mobile application privacy policies, which can be directly downloaded using the privacy policy link provided within each app. However, some concerns have been raised regarding the use of secondary data. It is faced with the challenges of quality (Creswell, 2003) and legitimacy (Naoum, 2007), because compared to primary data the researcher has less control over the process (Bell, 2010). There is also a possibility of bias in secondary data due to loss of objectivity by the researcher (Greener, 2008). Measures to mitigate these concerns in this thesis include vigilance to ensure the credibility of the data and emphasis on ensuring the relevance of the data to the topic of study. On compilation of the secondary data in the form of app privacy policies, the policy content was analysed so as to select the most appropriate policies for inclusion in the study. The analysis involved evaluating, comparing and contrasting the information against the research aim and objectives of the thesis.

3.3.3 Think aloud protocol

The think aloud protocol is implemented within the end user summative evaluation in Step 5 of the investigation phase of the design science process, as shown in Figure 3. This approach has been used in a usability study (Sedlmayr et al., 2018) and facilitates the collection of information in usability testing. The protocol may be used to explore variations between participants’ problem solving approaches, variations in the effort required to solve tasks, factors that impact participants’ problem solving ability, etc. (Someren et al., 1995). Likewise, evaluation of participants’ high level thought processes involving active memory can be achieved with the think aloud protocol technique (Olson et al., 1984). In particular, the think aloud protocol enabled the capturing of participants’ thinking as they compared the different policy representations on the computer monitors within the summative study presented in Chapter 7. However, the think aloud protocol process is time consuming and expensive (Pressley and Afflerbach, 1995). As such, the summative study was limited to 16 participants.

3.3.4 Observation

The observation approach is implemented within the study on whether users like the prototype representation in Step 3 of the investigation phase of the design science process depicted in Figure 13. The observation method, unlike the think aloud protocol, only requires the researcher to look, not to talk. As such, the observation method comprises ‘watching’ and ‘paying attention’, taking note of actions and circumstances (Oates, 2006). Observation can be used to collect both qualitative and quantitative data (Walliman, 2006). The use of the observation of behaviour in the user centric policy design study provided the researcher with greater information about the problem solving process. This included extra information such as how soon a participant answered a question, the type of questions the participants raised, any points of hesitation, etc.

3.3.5 Data analysis

The taxonomy creation process in Step 1 of the design phase of the design science process in Figure 3 involved a qualitative analysis of mobile application privacy policies. The NVivo 10 software was used in implementing a qualitative thematic textual analysis (Bazeley and Richards, 2000). A representative sample of privacy policies was selected and used in a pilot study. The pilot study surveyed the content of ten privacy policies in terms of their completeness and content composition. The results of the pilot study, while not conclusive due to the small sample size, were useful for strengthening and improving the study. In essence, the pilot study provided a fundamental understanding of the policies. Following the pilot study, the NVivo 10 software was used to analyse 100 privacy policies. This was an iterative process involving code generation and analysis of the codes to identify themes and any subsets within the themes, and finally to generate the reference model of privacy terms in the form of a privacy taxonomy. Next, under the investigation phase in Figure 3, a user study seeking to capture user perspectives and whether users liked the prototype was conducted, and the Statistical Package for Social Sciences (SPSS) Statistics 20 software was used to analyse the data. This software has an easy to use interface and provides an ample data management solution that enables statistical analysis and correlations on the data. Statistical analysis included Spearman’s correlation, the means test and the independent samples test.

3.4 Research ethics

The participants in the studies conducted in this doctoral work were handled as guided by the University of Manchester research ethics guidelines. Each participant was provided with a participant information sheet containing an explanation of why the studies were important and how their input would be used. They were also informed that their data would be handled anonymously. Participants were also provided with a consent form which they were required to sign as an indicator of their agreement to participate. Both the participant information sheets and consent forms were provided at the venue of the study before its commencement. Further, participants were informed that even after agreeing to participate they could change their minds and withdraw at any point during the study.

3.5 Summary

In this chapter, a detailed presentation of the methodology followed in this thesis was provided. First, design science and the reasons for its selection as the overarching research framework in this thesis were discussed. This was followed by the mapping of the design science and privacy policy modelling techniques explored in the thesis. Next, the data collection and analysis methods used were presented with justifications for their use and their associated limitations. The next three chapters (4, 5 and 6) present the studies conducted in this thesis, starting with an investigation into typological issues in privacy policies that is presented in Chapter 4.


CHAPTER 4 Typology of Aspects Covered in Privacy Policies

4 TYPOLOGY OF ASPECTS COVERED IN PRIVACY POLICIES

This chapter addresses the information representation and communication gap relating to mobile privacy policies. It is positioned within the design phase of the design science process shown in Figure 3 in Chapter 3. An in-depth qualitative thematic analysis of the mobile application privacy policies is presented. The sub-objectives here are to identify the main concepts of existing privacy policies, and to structure them in a system of domain knowledge. The chapter investigates the essential information gathered about individuals, the terms of use of the gathered information, how the collected information is used by service providers/third parties as described in the privacy policies, etc. A reference model of terms contained within privacy policies is developed and its contents drawn upon as vocabulary constructs for the privacy representation language. The reference model of terms in privacy policies is presented in the form of a privacy taxonomy with six emergent conceptual dimensions, i.e. data collection, data use, data security, user rights, legal, and data exchanges. The taxonomy is pertinent in the provision of privacy knowledge and vocabulary based on the current privacy domain.

4.1 Taxonomy development research process

An outline of the taxonomy development process is presented in Figure 4 below:

[Figure 4 residue: two columns. Research process steps: problem formulation and articulation; taxonomy development method (Nickerson et al., 2013) defining meta-characteristics and ending conditions; approach (empirical to conceptual, conceptual to empirical); validity via ending conditions; user data transitivity analysis; theorizing on taxonomy implications. Research quality and validity checks: relevance and rigor of research questions; subjective and objective ending conditions to ensure validity via a data saturation point; validation of the taxonomy in a digital data market place setting. Lens: design science research perspective.]

Figure 4: Overview of taxonomy development research process

The classification of privacy policies’ content involved a thematic analysis based on the current privacy domain through a qualitative analysis of one hundred mobile application privacy policies. The motivation is two-fold: (a) to identify the main attributes, domain knowledge, precision and completeness of privacy related information; and (b) to build a taxonomy categorizing the nature and usage of the collected attributes, facilitating objectivity in the analysis and comparison of mobile application privacy policies. This tackles the fundamental issue of classifying the core dimensions of mobile policies from the perspective of the end user subjected to the policies and also serves as a basis for developing techniques (Klitou, 2014). Next, the resulting taxonomy is evaluated for its relevance and applicability. The evaluation is conducted as a sensitivity scenario that explores potential avenues of user data transitivity relationships through apps that could result in leakage of users’ personal data in the data marketplaces.

The taxonomy development method is guided by the taxonomy development steps identified by Nickerson, et al. (2013), which are generally accepted as a rigorous approach and employed in several taxonomy studies (Haas, et al., 2014; Mrosek, et al., 2015; Schneider, et al., 2014). NVivo software is used in the qualitative analysis, as in the similar taxonomy development research conducted by Larsen (2003), facilitating an in-depth thematic qualitative analysis of the policies. Whilst research involving taxonomy development differs in the terminology used in establishing the components of the taxonomy, the underlying process of analysis is related. It involves an iterative observation and analysis procedure used to develop dimensions, categories, sub-categories, etc., of the taxonomy. Further, it is based on a coding scheme, rules, and tests for reliability or for whether the ending conditions are met, and revising of categories until the desired artefact is attained (Prat, et al., 2015; Nickerson, et al., 2013; Williams, et al., 2008).

The process of policy analysis has several iterations of coding of the policy content in order to generate conceptual dimensions, categories, sub-categories, etc. In determining the taxonomy structure, the literature indicates that the IS domain does not stipulate best practices on how taxonomies should be structured (Land et al., 2013). Taxonomies can be expressed in a tabular format (McKinney and Yoos, 2010), a hierarchical structure (Son and Kim, 2008), or conceptual models (Bapna, et al., 2004). The hierarchical taxonomy structure is adopted as the most suitable format to present the artefact in this thesis.

After building an artefact, design science guidelines necessitate its evaluation. Nickerson, et al. (2013) stress that in the case of taxonomies, the limited availability of literature on measures for assessing taxonomy effectiveness or usefulness makes an optimal solution difficult to gauge. This is underpinned by Bailey (1994), who states that ‘a classification is no better than the dimensions or variables on which it is based’. However, several authors (Bowen, 2008; Kerr, et al., 2010; Roe and Just, 2009) argue that the research quality and validity of the findings are questionable if a data saturation point is not reached. As such, the iterations involved in the course of developing the privacy taxonomy are determined by the ending conditions stated in Nickerson, et al. (2013), as they facilitated the identification of a data saturation point in the taxonomy development process. The general consensus in research on data saturation guidelines is that there should be no additional content, themes (i.e. dimensions, categories, sub-categories, etc.) or coding, and that the work should be replicable (Guest et al., 2006). Other considerations taken into account in deciding when to end the iteration process are: assessing whether there is sufficient data to reproduce the research (O’Reilly and Parker, 2013; Walker, 2012), and whether the limit of obtainable extra data has been reached such that the continuation of coding would be impractical (Guest, et al., 2006). When the data saturation point is reached, the iterative process ends as the artefact quality goals are satisfied at that point. The resulting artefact is a taxonomy that facilitates improved privacy understanding and can support the development of improved policy representations that can contribute to reduced privacy breaches.

4.2 Materials

One hundred privacy policies were manually sourced by the researcher from apps on the Google Play and Apple App stores. Sample sizes used in related studies on mobile app privacy vary: Zang, et al. (2015) used 110 mobile apps; Graves (2015) also used 110 apps; while Ntantogian, et al. (2015) used 13 apps. Based on the sample sizes of related studies, it is deemed that the sample of 100 apps is sufficient to facilitate the attainment of a point of data saturation at which the research would be replicable. The primary requirement for the selection of apps is that the apps have a privacy policy with adequate content. The researcher’s judgement is required in determining the adequacy of the content. As a minimum threshold of acceptable content, policies selected were required to have information about the data collected and how it was used. Other selection criteria include the mobile apps’ specifications, i.e. categorization, rating by users, number of installations, developer details and the platforms (iOS, Android or both).

The Android and iOS platforms provide these specifications, with the exception that iOS does not provide the number of app installs. As Android is the dominant mobile app platform, the specifications on the Android platform are used for apps that run only on Android and also for those that run on both platforms. iOS specifications are only used for apps that are limited to the iOS platform. As such, app names are used as they appear on Google Play. While the majority of the apps were selected on the basis of popularity, i.e. with downloads above 1 million, endeavours were made to have a more inclusive sample by including the not so popular apps, which have downloads as low as 5000. The specifications of the apps used are as follows. Number of app installs: 74% of the apps had above 1,000,000 installations, implying that 26% are comprised of the not so popular apps. User rating of apps: Android users rate apps out of a score of 5; 90% of the apps have a rating above 3.5 while the remaining 10% of apps are rated between 2.8 and 3.4.

Developing a policy that covers all personal information is challenging considering that different organizations or companies have different business procedures (Brodie et al., 2005). The study considers diverse categories of Android and iOS apps in order to broaden the spectrum of privacy policies covered, which improves the applicability of the results. The app category selection reflects that of Zang, et al. (2015), who explore apps’ third party data handling practices. Endeavours were made to maintain the naming of categories as they appear in the app stores; however, in some cases the categories are combined and renamed. The final sample of 100 apps is composed of five main categories, namely: ‘health and fitness’, ‘social networks and messenger’, e-commerce, ‘traffic and navigation’, and business, as shown in Table 7.

Table 7: Categories of mobile applications used in study

Category                        Types of apps                              Number of apps
Health and fitness              Health and fitness; Medical                26
Social networks and messenger   Social; Communication; Photograph          20
E-commerce                      Lifestyle; Shopping                        20
Traffic and navigation          Travel and local; Navigation; Transport    21
Business                        Finance; Business; Productivity and tools  13


4.3 Method

First, guided by Nickerson’s method (Nickerson, et al., 2013) as shown in Figure 5, the meta-characteristics are determined. These are features that reflect the reason for the taxonomy’s development in line with the requirements of the taxonomy’s users. The meta-characteristics are determined by undertaking a general review of policies to establish a fundamental understanding of their content. The resulting meta-characteristics are: ‘Data collected by privacy policies’ and the ‘associated information flows’.

Figure 5: Taxonomy development method, adapted from Nickerson, et al., (2013)

Second, ending conditions are adopted as recommended by Nickerson, et al. (2013); these can be subjective and objective. Subjective ending conditions necessitate that the taxonomy exhibits the following properties: concise, robust, comprehensive, expandable and explanatory. The ending conditions are shown in Table 8. Third, as discussed under the materials section, a systematic process is used to select the privacy policies. The selected policies’ data objects are thematically analysed using NVivo, which facilitates the generation of codes, the comparison of concepts within the data objects, and the identification of any similarities or differences. These concepts serve as a basis for developing the dimensions to form the first version of the taxonomy. Subsequent iterations using NVivo facilitate identification of additional categories and sub-categories that are grouped under the appropriate dimensions. This yields a hierarchical structure simplifying the process of assessing the content of privacy policies. The analysis of app categories was initiated with the ‘health and fitness’ apps, followed by the ‘social networks and messenger’ apps, then the e-commerce and the ‘traffic and navigation’ apps, and was completed with the business apps. The addition of a taxonomy dimension from any category of apps analysed required that the new dimension was validated in the subsequent analyses of app categories, so as to ascertain that the characteristics of each dimension added were aligned with the dimension/s established in previous round/s of analyses. This implies that, irrespective of the order in which the categories were analysed, the dimensions of the resulting taxonomy should reflect the content of the majority of the policies analysed.

Table 8: Ending conditions adapted from Nickerson, et al. (2013)

Ending Conditions

Objective:
All objects or a representative sample of the objects have been examined.
No object was merged with a similar object or split into multiple objects in the last iteration.
At least one object is classified under every characteristic of every dimension.
No new dimensions or characteristics were added, merged or split in the last iteration.
Every dimension is unique and not repeated.
Every characteristic is unique within its dimension.
Each cell is unique and not repeated.

Subjective: Concise, Robust, Comprehensive, Expandable, Explanatory

The process has several iterations through which some dimensions are discarded due to insufficient data, and some categories and sub-categories within established dimensions are combined or in some cases dropped in the process of refining the taxonomy. Specifically, using NVivo, the empirical-to-conceptual approach depicted in Figure 5 is adopted as the main approach in developing the taxonomy’s baseline concepts and also for the exploration of new dimensions through the different iterations. The empirical-to-conceptual approach is used because the data objects (privacy policies) were easily accessible. The commercial development of mobile privacy policies has rapidly advanced in industry and the researcher was familiar with the wealth of consumer and media reports criticizing the content provided in existing mobile policies within the privacy domain. The empirical-to-conceptual iteration stages (4e – 6e) depicted in Figure 5 involved: identification of categories of the objects, finding common characteristics, and categorizing and grouping characteristics into dimensions to form (refine) the taxonomy. In addition to the empirical-to-conceptual iterations undertaken in the taxonomy development process, an iteration using the conceptual-to-empirical approach is also used to further develop the taxonomy from another angle based on the researcher’s understanding of the subject area. The conceptual-to-empirical iteration involves stages (4c – 6c) shown in Figure 5, and is comprised of: the conceptualization of additional characteristics and dimensions, assessment of the literature for these characteristics and dimensions, and then revising the taxonomy accordingly.

Overall, the taxonomy development process required 6 iterations before reaching the point at which the ending conditions shown in Table 8 were satisfied. Authors (Bauer, 2000; Nickerson, et al., 2013) support having several iterations in a taxonomy development process. The taxonomy design goal is to: incorporate established concepts and terminology in app privacy policies, engineer extensions to cater for the specificities of the mobile app domain, and ensure practicality and relevance to support end user decision making and reasoning about mobile privacy policies. The next section provides a detailed discussion of the taxonomy development steps.

4.3.1 Taxonomy development steps

This section presents a detailed description of the iterative process involved in the development of the taxonomy. The process involved six iterations, referred to as Rounds 1 to 6. In each round, a category of apps is used in exploring new dimensions. At the same time, each subsequent category of apps introduced, while used to explore new dimensions, was concurrently assessed against the dimensions developed in previous rounds where applicable.

Each round contains stages that correspond with either the empirical to conceptual or the conceptual to empirical sections in Figure 5 above. The process begins with establishing the meta-characteristics and ending conditions as shown in Figure 5. The taxonomy development process starts with Stage 1 and Stage 2, which are not iterative. Next, the iterative stages begin within Rounds 1 to 6. Iterations occur within the rounds, with each round running through Stage 3 to Stage 7.

Stage 1: Determine meta-characteristics: These are the data collected by privacy policies and the associated information flows.

Stage 2: Determine ending conditions: The ending conditions shown in Table 8 are adopted as recommended by Nickerson, et al. (2013) and can be subjective and objective. Subjective ending conditions necessitate that the taxonomy exhibits the following properties: concise, robust, comprehensive, expandable and explanatory. The ending conditions guide the assessment towards determining the number of rounds that should be conducted in order to obtain the final taxonomy.

Round 1

Round 1 - Stage 3: Approach: Due to the availability of the privacy policies from the selected mobile apps, the empirical-to-conceptual approach is used.

Round 1 - Stage 4e: The first category of mobile apps to be analysed is the health and fitness category, comprised of 26 mobile app privacy policies: Beddit Sleep Tracker, Amwell: Live Doctor Visit Now, Anthem Blue Cross Blue Shield (Anthem), Calorie Counter - MyFitnessPal, Cody, Drugs.com Medication Guide, Endomondo - Running and Walking, Epocrates Plus, Fitbit, Fitnet Personal, Fitocracy Workout Fitness Log, Garmin Connect Mobile, GoodRx Drug Prices and Coupons, iTriage Health, Loseit, Mindbody Express, Moves, nib Health Insurance, Nike+ Running, Pact: Earn Cash for Exercising, Pedometer and Weight Loss Coach, Run with Map My Run, Runkeeper - GPS Track Run Walk, Speedo Fit - Swim Fitness, Strava Running and Cycling GPS, WebMD for Android.

Round 1 - Stage 5e: An assessment of any mention of data handling is conducted. The following characteristics are found in line with the data collected meta-characteristic: how the data is collected, the type of data collected and the type of data not collected, who has access to the data, the purpose for requiring access to the data, and the retention of data. The category of ‘type of data not collected’ is discarded due to insufficient data to support it.

i. Data can be collected in an automated way or require user input. Automated data collection occurs indirectly, for instance through cookies and logs that monitor the device Internet Protocol (IP), identity (ID), software version, etc. In cases that require user input, users provide their details, for example during registration, surveys or online forms, etc.

ii. The type of data collected can either be personal data or non-personal data. Personal data includes name and address, while examples of non-personal data include gender, profession, etc. Another sub-category is what is implicitly collected, i.e. data which the policy may not state explicitly but which is still collected.

iii. Who has access to data: user data can be accessed by app service providers or third parties.

iv. Purposes for accessing data included: app service provision and improvement, communication and support, third party service provision, marketing, new ownership, law enforcement and big data. However, the big data sub-category is discarded due to insufficient data to support it as a sub-category.

App service providers may access user data for purposes of service provision and communication. Services included general service provision, service improvements and payments. Communication purposes include instances of offering support to users, notices and contacts required for responding to users’ queries.

Third parties could require access to user data for a range of purposes such as: third-party service provision, law enforcement, marketing, and in the case of a change in business ownership. Third party service providers may be subcontracted by the app to provide support services such as handling payments. Law enforcement could require access to data, for example, when investigating potential fraud. Third parties could gain access to user data so as to personalize marketing content. When there is a change in ownership of the app, the new owners will require access to data for service provision.

v. Data retention deals with data management in terms of the length of time the data is stored. This could be temporary or permanent. It handles aspects such as how long it takes for users’ data to be deleted if they request to opt out of using the app. Retention of data could be short term, such as for the duration of the use of the service, or long term, in which case the data may be retained even after the user discontinues the use of the service.

Round 1 - Stage 6e: The resulting characteristics were used to form the initial taxonomy with two dimensions.

i. Data collection dimension: how data is collected (DC), the type of data collected (DT).

ii. Data use dimension: who has access to the data (DA), purpose for accessing the data (DP), data retention (DR).

The results are summarized in Table 9. This table provides the different dimensions of the taxonomy as they emerged, starting with data collection and data use, followed by the security, user rights and legal dimensions. The sub dimensions of each taxonomy dimension are also indicated and abbreviated as follows: how data is collected (DC), the type of data collected (DT), who has access to the data (DA), the purpose of accessing the data (DP), data retention (DR), security measures (SM), security limitations (SL), changes in policy (PC), user responsibility (UR), consent to data collection (DC), user access to data (DA), opt-out options (OO), laws and jurisdictions (LJ) and children’s protection (CP). The category of policies considered in each round is also indicated and abbreviated as: health and fitness apps (H&F), social networks and messenger apps (SN), e-commerce apps (EC), traffic and navigation apps (T&N). The highlighted area represents the dimension and corresponding sub dimensions developed in this round (see Stage 6e). The figures in the cells correspond to the number of privacy policies in which a particular sub dimension appeared. Empty taxonomy table cells are to be populated as new taxonomy dimensions are developed in subsequent rounds.

Table 9: Results of Round 1 of the taxonomy development

Round 1 - Stage 7: Having generated the data collection and data use dimensions in this round, the taxonomy is explanatory, concise and could be extended. However, it was not collectively exhaustive due to having only two dimensions, and the addition of new dimensions at this stage implied that not all the objective conditions shown in Table 8 had been satisfied. Hence another iteration was required.

Round 2


Round 2 - Stage 3: Approach: The empirical-to-conceptual approach is repeated so as to facilitate the exploration of more categories of mobile app privacy policies.

Round 2 - Stage 4e: This new round examines 20 policies in the social networks and messenger apps category: Badoo - Meet New People, Facebook, Flickr, Google+, Instagram, Kik, LinkedIn, Periscope, Pinterest, Skype - free IM and video calls, Snapchat, Tango - Free Video Call and Chat, Timehop, Tumblr, Twitter, Viber, Vine - video entertainment, WeChat, WhatsApp Messenger, Yik Yak - Your Local Feed.

Round 2 - Stage 5e: The following characteristics are observed in line with the meta-characteristic: data security measures, security limitations, user responsibility in security enforcement and changes in privacy policies.

i. Data security measures inform users of the technical and administrative measures that are enforced to safeguard users’ data. Technical measures include, e.g., data encryption, while administrative measures include, e.g., requiring that staff adhere to the company’s data privacy policy.

ii. Limitations to security address the confines within which the data security is provided, especially considering that no system can guarantee flawless security for users’ data. A policy may explicitly state its limitations to the security provided or the limitations may be implied.

iii. Changes in privacy policies highlight ways in which a user will be informed of any changes to the policy. This could require that users regularly check the policy for updates or that communication regarding changes is made by email, etc. It could also state the time frame within which the changes will be effected after the notice has been provided to users.

iv. User responsibility in security enforcement depicts the role of the user in enhancing the security of the data, such as the use of strong passwords and the careful protection of the user’s password.

Round 2 - Stage 6e: The round facilitated the development of the security dimension of the taxonomy.

Security dimension: security measures (SM), security limitations (SL), user responsibility (UR), and changes in the policy (PC).

See details in Table 10.


Round 2 - Stage 7: With the addition of the security dimension to the taxonomy, greater robustness, better explanatory capabilities, conciseness and extensibility are achieved. The apps in this round are also used to validate the dimension developed in the previous round i.e. Round 1, to ensure consistency. At this point, another iteration is deemed appropriate since the current round added a new dimension implying that not all the objective conditions in Table 8 are satisfied.
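The Stage 7 decision in each round rests on the objective ending conditions of Table 8, and the Stage 6e tables report, per cell, how many policies exhibited a sub dimension. The following is an added example, not code from the thesis, that encodes those checks over a taxonomy recorded as dimension/sub-dimension codes and a coding recorded as the set of cells found in each policy; the taxonomy contents follow Rounds 1 to 3 of the text, while the policy codings are constructed sample data.

```python
"""Objective ending-condition checks for an iterative taxonomy build.

Added example: the objective ending conditions of Table 8 (Nickerson et
al., 2013) as checks over a taxonomy plus per-policy coding results, and
the per-cell policy counts reported in Tables 9 and 10. The two conditions
about objects being merged or split are coder bookkeeping and are not
modelled here.
"""
from collections import Counter

# Taxonomy as an ordered list of (dimension, [sub-dimension codes]) so that a
# repeated dimension name is detectable rather than silently collapsed.
ROUND_1 = [
    ("data collection", ["DC", "DT"]),
    ("data use", ["DA", "DP", "DR"]),
]
ROUND_2 = ROUND_1 + [("security", ["SM", "SL", "UR", "PC"])]
# Round 3 reuses the codes DC and DA under another dimension, as the text
# does; Table 8 only demands uniqueness within a dimension.
ROUND_3 = ROUND_2 + [("user rights", ["DC", "DA", "OO"])]

# Constructed sample coding: policy -> set of (dimension, code) cells found.
SAMPLE_POLICIES = ["policy_a", "policy_b", "policy_c"]
CODING_ROUND_3 = {
    "policy_a": {("data collection", "DC"), ("data collection", "DT"),
                 ("data use", "DA"), ("data use", "DP"), ("data use", "DR"),
                 ("security", "SM"), ("user rights", "DC")},
    "policy_b": {("data collection", "DC"), ("data use", "DA"),
                 ("security", "SL"), ("security", "PC"),
                 ("user rights", "OO"), ("user rights", "DA")},
    "policy_c": {("data collection", "DT"), ("data use", "DP"),
                 ("data use", "DR"), ("security", "UR")},
}


def cell_counts(taxonomy, coding):
    """Number of policies in which each (dimension, code) cell appears."""
    seen = Counter()
    for cells in coding.values():
        seen.update(cells)
    return {(dim, code): seen[(dim, code)]
            for dim, codes in taxonomy for code in codes}


def objective_conditions(prev_taxonomy, taxonomy, coding, sample):
    """Map each modelled Table 8 objective condition to whether it holds."""
    counts = cell_counts(taxonomy, coding)
    dims = [dim for dim, _ in taxonomy]
    return {
        "all objects examined": set(sample) <= set(coding),
        "every characteristic has an object": all(n > 0 for n in counts.values()),
        "no dimensions or characteristics changed": prev_taxonomy == taxonomy,
        "every dimension unique": len(dims) == len(set(dims)),
        "characteristics unique within dimension":
            all(len(codes) == len(set(codes)) for _, codes in taxonomy),
        # the dict comprehension above collapses duplicate cells
        "every cell unique": len(counts) == sum(len(c) for _, c in taxonomy),
    }


def another_round_needed(prev_taxonomy, taxonomy, coding, sample):
    """Stage 7 decision: iterate again unless every objective condition holds."""
    checks = objective_conditions(prev_taxonomy, taxonomy, coding, sample)
    return not all(checks.values())


if __name__ == "__main__":
    # Round 3 added the user rights dimension, so Stage 7 calls another round.
    for name, ok in objective_conditions(ROUND_2, ROUND_3,
                                         CODING_ROUND_3, SAMPLE_POLICIES).items():
        print(f"{name}: {'satisfied' if ok else 'NOT satisfied'}")
    print("another round needed:",
          another_round_needed(ROUND_2, ROUND_3, CODING_ROUND_3, SAMPLE_POLICIES))
```

A later round that re-codes the sample without changing the taxonomy would make the change condition hold and, with every cell populated, end the iteration.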

Table 10: Results of Round 2 of the taxonomy development

Round 3

Round 3 - Stage 3: Approach: The empirical-to-conceptual approach is selected to facilitate the exploration of another set of privacy policies.

Round 3 - Stage 4e: In this round, 20 mobile app policies from the e-commerce category were examined. These were: Amazon Shopping, Beep'nGo - Wallet and Coupons, Cartwheel by Target, eBay - Buy, Sell and Save, Etsy, Gilt - Shop Sales, Home Depot, JackThreads: Shopping for Guys, Joss and Main, LivingSocial UK and Ireland, Lowe's Events App, Macy’s, Mobile Costco, Target, Tinder, Victoria’s Secret for Android, Walgreens, Walmart, ‘Zappos: Shoes, Clothes and More’, Zulily.

Round 3 - Stage 5e: The following characteristics are observed in line with the meta-characteristic: user consent, how user data can be accessed and updated, and the process of opting out.

i. Consent to data collection can either be granted or denied by the user depending on whether they are comfortable with the data required and also the intended purpose. In particular, there could be hesitation in granting permission for the collection of personal data due to the privacy implications involved.

ii. Access to data that has been collected could be required by users so as to enable them to view their data, make changes or remove certain aspects of the data.

iii. Opt-out options ensure that the collection of data is discontinued in cases where users no longer desire to use either part of the app service or the complete service. For instance, a user may want to opt out of using the navigation facility of an app so as to disengage the collection of their location data or, alternatively, may desire to discontinue use of the app entirely.

Round 3 - Stage 6e: The round facilitated the development of the user rights dimension.

User rights dimension: consent to data collection (DC), user access to data (DA), opt-out options (OO). See details in Table 11.

Round 3 - Stage 7: The addition of a new dimension to the taxonomy at this stage implies that not all the objective conditions shown in Table 8 have been satisfied. The apps in this round are also used to validate the dimensions developed in the previous round, i.e. Round 2, to ensure consistency. At this point the taxonomy is expandable, concise and explanatory. Another round is required to further develop its robustness and satisfy all the objective conditions.

Table 11: Results of Round 3 of the taxonomy development

Round 4

Round 4 - Stage 3: Approach: The empirical-to-conceptual approach is used to analyse another set of mobile app privacy policies.

Round 4 - Stage 4e: This round examined 21 additional privacy policies from the traffic and navigation category: AA, Beat the traffic, CoPilot GPS Sat-Nav Navigation, Discovery Insure, 'Expedia Hotels, Flights and Cars', GPS Navigation and Maps Sygic, Here Maps - Offline Navigation, Inrix Traffic, 'kayak Flights, Hotels and Cars', Localscope - Find places and people around you, MapQuest GPS Navigation and Maps, Navigon USA, 'Priceline Hotels, Flight and Car', RAC, Route 66 Navigate, Scout GPS Navigation and Meet Up, TomTom GPS Navigation Traffic, Uber, 'Waze - GPS, Maps and Traffic', Wikiloc outdoor navigation GPS, Yelp.

Round 4 - Stage 5e: The following characteristics are observed in line with the meta-characteristic: applicable laws and jurisdiction of data handling, and children's protection.

i. Laws and jurisdictions can be viewed from the national or the international perspective, for instance when a United States (US) app also handles data from European Union (EU) users. This necessitates compliance with the legal requirements of the different jurisdictions, in this case both US and EU regulations.

ii. Children's protection specifies measures to protect children's privacy. This includes the minimum age required to use the app, any requirements for parental consent, and applicable children's or minors' protection laws.

Round 4 - Stage 6e: This round added the legal dimension to the taxonomy.

Legal dimension: laws and jurisdictions (LJ), children’s protection (CP)

See details in Table 12.

Round 4 - Stage 7: At this point, the taxonomy is concise, explanatory, expandable and more robust. The apps in this round are also used to validate the dimensions developed in the previous round, i.e. Round 3, to ensure consistency. The addition of a new dimension at this stage implies that not all objective conditions in Table 8 have been satisfied, hence another iteration is required. At this point of the taxonomy development process, a decision is made to further explore the taxonomy by switching to the conceptual-to-empirical approach of Nickerson's method (illustrated in Figure 5). The partial taxonomy at this point includes a core set of concepts that can be further developed and complemented by existing research; therefore the conceptual-to-empirical approach is employed.

Table 12: Results of Round 4 of the taxonomy development


Round 5

Round 5 - Stage 3: Approach: In this round, the approach changes from the empirical-to-conceptual approach used in the previous rounds to the conceptual-to-empirical approach. This was done so as to facilitate the exploration of some characteristics based on existing literature.

Round 5 - Stage 4c: It is conceptualized that after data collection by apps, the data flows into data marketplaces (OECD, 2015). The following characteristics in line with the meta-characteristic are identified: analytics, monetization.

i. Analytics facilitate correlations between data and involve the use of metadata and aggregate data. Metadata provides information about existing data, while aggregated data is data collected and summarized from several sources.

ii. Monetization of data is carried out through several avenues including advertising, subscription fees, freemium and blended monetization strategies.

Round 5 - Stage 5c: The identified characteristics facilitate data flows in a number of ways. For instance, data analytics can be used to forecast users’ future health status. Data monetization creates monetary value based on knowledge gained from user’s data and services designed to maximize app user’s benefits. For example, freemium users are able to purchase virtual goods such as more time to use an app.

Round 5 - Stage 6c: This led to the emergence of a new dimension called data exchanges that provides insights into how data flows across the data marketplaces.

Data exchanges dimension: data analytics, monetization.

Details are depicted in Table 13.

Round 5 - Stage 7: At this point the taxonomy is concise, explanatory, expandable and robust. The dimension developed in this round is validated against the dimensions developed in the previous rounds to ensure consistency. Since a new dimension is added, a further iteration is necessary in order to satisfy all the objective conditions shown in Table 8.

Round 6

Round 6 - Stage 3: Approach: This round reverted to the empirical-to-conceptual approach so as to analyse another set of policies.


Round 6 - Stage 4e: A total of 13 mobile app privacy policies under the business category were analysed. These were: Esurance Mobile, Geico Mobile, HDFC Life Insurance, Life Happens Needs Calculator, Progressive, ‘Sure - Personalized insurance for travel, property, and life’, USAA Mobile, Zurich HK, Jobs by CareerBuilder, Indeed Job Search, Jobsite Jobs, Job Search – Snagajob, Job Search by ZipRecruiter.

Round 6 - Stage 5e: No new characteristics are observed in line with the meta-characteristic at this stage.

All the observed characteristics fit within the existing taxonomy structure.

Round 6 - Stage 6e: No dimension is added to the taxonomy.

Round 6 - Stage 7: No new characteristics are added, as all the characteristics in the privacy policies are consistent with the present state of the taxonomy; hence no new dimension is added at this stage. The taxonomy at this stage is concise, explanatory, expandable and robust. There is no alteration or addition to the taxonomy dimensions. A data saturation point has been reached, with all the subjective and objective conditions stated in Table 8 satisfied. Therefore, the iteration process is ended. The final taxonomy comprises six dimensions, as shown in Table 13, and is discussed in the next section.

4.4 Results

A privacy taxonomy with six dimensions is derived, containing the privacy aspects found within privacy policies, as shown in Table 13. Each of the dimensions is subdivided into categories and, further, into sub-categories. The six dimensions are: data collection, data use, data security, user rights, legal and data exchanges. This taxonomy facilitates information representation and communication relating to mobile privacy policies. It enables understanding of the concepts and characteristics involved in existing mobile application policies by organizing the information and domain knowledge into an intuitive and clear classification scheme. In particular, it is essential to identify the information gathered about individuals, the terms of use of the gathered information, and how the collected information is used by service providers and third parties as described in the privacy policies.


4.4.1 Taxonomy dimensions

The first dimension in the taxonomy is data collection, which comprises two categories: (a) How data is collected, (b) Type of data collected. These have the following sub-categories: 'automated, requires user input' and 'personal data, non-personal data, implicitly stipulated' respectively.

The second dimension in the taxonomy is data use, which comprises three categories: (a) Who has access to data, (b) Purposes for accessing data and, (c) Data retention. These have the following sub-categories: 'app service providers, third parties', 'service provision and improvement, communication and support, third party service provision, marketing, change of ownership, law enforcement' and 'temporary, permanent' respectively.

The third dimension in the taxonomy is data security, which comprises four categories, namely: (a) Security measures, (b) Limitations to security, (c) Changes in privacy policy and, (d) User responsibility. These have the following sub-categories: 'technical, administrative', 'explicitly stipulated, implicitly stipulated', 'method of notification, time frame' and 'role, action' respectively.

The fourth dimension in the taxonomy is user rights, which comprises three categories, namely: (a) Consent to data collection, (b) Access to data and, (c) Opt-out options. These have the following sub-categories: 'grant access, deny access', 'view, change, remove' and 'opt out of entire service, opt out of part of the service' respectively.

The fifth dimension in the taxonomy is legal, which comprises two categories, namely: (a) Laws and jurisdiction and, (b) Children's protection. These have the following sub-categories: 'national, international' and 'minimum age, parental consent, minors' protection laws' respectively.

The sixth dimension in the taxonomy is data exchanges, which comprises two categories, namely: (a) Data analytics and, (b) Monetization. These have the following sub-categories: 'aggregated data, metadata' and 'advertising, subscription fees, freemium, blended' respectively, as shown in Table 13. References to the sections within the thesis text where the components of the dimensions are discussed are included in Table 13.


Table 13: Mobile applications privacy policy taxonomy

Dimension | Category | Sub-categories | Reference in text (Section 4.3.1)
Data collection | How data is collected | Automated; Requires user input | Round 1, Stage 5e, section (i)
Data collection | Type of data collected | Personal data; Non-personal data; Implicitly stipulated | Round 1, Stage 5e, section (ii)
Data use | Who has access to data | App service providers; Third parties | Round 1, Stage 5e, section (iii)
Data use | Purposes for accessing data | Service provision and improvement; Communication and support; Third party service provision; Marketing; Change of ownership; Law enforcement | Round 1, Stage 5e, section (iv)
Data use | Data retention | Temporary; Permanent | Round 1, Stage 5e, section (v)
Data security | Security measures | Technical; Administrative | Round 2, Stage 5e, section (i)
Data security | Limitations to security | Explicitly stipulated; Implicitly stipulated | Round 2, Stage 5e, section (ii)
Data security | Changes in privacy policy | Method of notification; Time frame | Round 2, Stage 5e, section (iii)
Data security | User responsibility | Role; Action | Round 2, Stage 5e, section (iv)
User rights | Consent to data collection | Grant access; Deny access | Round 3, Stage 5e, section (i)
User rights | Access to data | View; Change; Remove | Round 3, Stage 5e, section (ii)
User rights | Opt-out options | Opt out of entire service; Opt out of part of the service | Round 3, Stage 5e, section (iii)
Legal | Laws and jurisdiction | National; International | Round 4, Stage 5e, section (i)
Legal | Children's protection | Minimum age; Parental consent; Minors' protection laws | Round 4, Stage 5e, section (ii)
Data exchanges | Data analytics | Aggregated data; Metadata | Round 5, Stage 4c, section (i)
Data exchanges | Monetization | Advertising; Subscription fees; Freemium; Blended | Round 5, Stage 4c, section (ii)

4.4.2 Validity and relevance of the taxonomy

According to Hevner et al. (2004), 'A design science artefact is complete and effective when it satisfies the requirements and constraints of the problem it was meant to solve'. The Nickerson et al. (2013) method followed in the taxonomy development process has an inbuilt taxonomy validation mechanism that ensures that the predetermined subjective and objective ending conditions are met before the iterations are ended. This addresses validity concerns, ensuring that the taxonomy development process reaches a data saturation point through several rounds of iteration that develop and refine the taxonomy's dimensions, categories and sub-categories. In the process of shaping the taxonomy and assessing ending conditions, care was taken to ensure consistency and alignment with theoretical and practical research findings from the information systems and privacy research fields.

The taxonomy is usable as a knowledge base for the current privacy domain. It provides a reference model of privacy terms, or vocabulary, that addresses communication issues surrounding privacy preferences and facilitates reasoning about the content of privacy policies. Privacy preferences can underpin human-to-computer relationships, such as when users sign up to a privacy policy, or computer-to-computer relationships, such as when a privacy advisor expert system reasons about the different privacy options and their implications, highlighting potential breaches. For example, privacy breaches can occur within the rules and constraints specified by policies. This can happen when applications monetize user data by passing it on to third parties. A third party often serves multiple applications and so collects a much fuller picture of user details than any individual application. The next section provides an investigation that illustrates the relevance of the taxonomy through a sensitivity scenario. This scenario depicts transactions between users, apps and third parties, and highlights how breaches could occur. For the purposes of this sensitivity scenario, the term third party refers to any entity that has access to users' data other than the end user or the app(s) under consideration.

4.4.3 User data transitivity relationships analysis

A sensitivity analysis of user data transitivity relationships in the digital marketplace was conducted. As an example, five apps representative of each category of apps involved in the study were selected for illustrating data transitivity relationships. The apps were: Facebook (social networks and messenger), Uber (traffic and navigation), Fitbit and Beddit (health and fitness), and Anthem (insurance business). The number of apps was limited to five due to the extensive level of analysis required.

In the process of sourcing the privacy policies used in this study, it was established that the privacy policy link provided within each mobile application pointed to the privacy policy published on the website of the company concerned. In principle, that implied that for the companies that owned the apps considered, such as Facebook, users were offered the same privacy commitment for data handling irrespective of whether they were using the company's website or its app. As such, in order to gain insights into the data handling practices of the companies that owned the five apps under consideration, an analysis of their websites was conducted. Hence, by establishing the data dependencies of the five apps' associated websites, i.e. Facebook.com, Uber.com, Fitbit.com, Beddit.com and Anthem.com, inferences can be made about the apps' data dependencies. Lightbeam (Mozilla, 2015), a Mozilla Firefox browser add-on that provides a visual display of websites' connections and interactions and further traces the sites to which they relay information, is used to investigate website-to-website and website-to-third-party dependencies between these five apps' websites. Prior to using Lightbeam, its reset option is applied as a control to clear all browsing history. Initially, each of the five apps' associated websites is loaded one at a time in the Firefox browser to enable Lightbeam to analyse each individual website's connections and dependencies. Next, the apps' websites are loaded concurrently so as to explore how the websites' and third parties' dependencies are interlinked. Findings show that when the five websites are loaded, more than 20 different interactions and connections with third party domains emerge, as shown in Table 14. The most recurring third parties are Google-analytics.com, Doubleclick.net, Optimizely.com and Mxpnl.com.

Table 14: Third party domains associated with the websites (Anthem.com, Fitbit.com, Beddit.com, Uber.com, Facebook.com). In the original table a trailing '*' stood for '.com'; the domains are written out in full here.

Third party domains observed (table rows as laid out in the original, read left to right across the five website columns):
Doubleclick.net, Doubleclick.net, Google-analytics.com, Doubleclick.net, Fbcdn.net
Dsmmadvantage.com, Google.co.uk, Gravatar.com, Facebook.com, Akamaihd.net
Google.com, Wp.com, Facebook.net
Eloqua.com, Googleadservices.com, Youtube.com, Google.co.uk
En25.com, Google-analytics.com, Zendesk.com, Google.com, Google.co.uk, Googletagmanager.com, Google-analytics.com
Google.com, Mixpanel.com, Mxpnl.com, Omtrdc.net, Mxpnl.com, Optimizely.com, Optimizely.com, Quantserve.com
T.co, Tiqcdn.com, Twitter.com

The extensive network of dependencies that resulted is depicted in Figure 6 by highlighting the website-to-website and website-to-third-party dependencies between the five apps' websites. A detailed description of the maze of interdependencies is as follows: starting at the bottom right of Figure 6, there is a Facebook-Uber dependency link, followed by four Uber-Fitbit dependency links through Optimizely.com (OP), Doubleclick.net (DC), Google.com (GC) and Google.co.uk (GK). Likewise, there is a Fitbit-Beddit link facilitated by Mxpnl.com (MX) and Google-analytics.com (GA). This is followed by a Beddit-Anthem link through Googletagmanager.com (GT). Anthem then links to Fitbit through Googleadservices.com (GS), Google.com (GC), Doubleclick.net (DC) and Google.co.uk (GK). GK also facilitates a link between Anthem and Uber. The graphical display of dependencies in Figure 6 is only a portion of the network of potential data exchanges, since each of the apps has further dependencies. It clearly illustrates the complexity that arises from the use of a few basic websites or mobile apps. The highlighted dependency links point to potential data flow routes that are 'hidden' from the user. These dependencies align with the data exchanges / monetization dimension of the taxonomy. The next section provides a discussion on the impact of these findings.

Figure 6: Data exchange dependencies between apps’ websites and third parties
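The website-to-website dependency analysis described above can be reproduced mechanically once the Lightbeam observations are written down as a mapping from each site to the third-party domains it loads. The following Python example is added here for illustration; it is not part of the thesis and does not use the study's Lightbeam output. Its input mapping is constructed from the links named in the paragraph above (for example Uber and Fitbit sharing Optimizely, Doubleclick, Google.com and Google.co.uk) and is a simplification of Table 14. It projects the bipartite site-to-third-party graph onto sites (two sites are linked when they load a common third party), ranks third parties by how many of the studied sites they are loaded from, which is the 'fuller picture' point made in Section 4.4.2, and separately reports direct site-to-site loads such as the Facebook-Uber link.

```python
"""Shared-third-party projection of website dependency observations.

Added example; the input below is constructed from the dependency links
described in the text and is not the study's Lightbeam data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed input: for each studied site, the third-party domains observed
# being loaded when the site is visited. A studied site may itself appear as
# a dependency of another site (facebook.com is loaded by uber.com here).
SITE_THIRD_PARTIES = {
    "anthem.com": {"googletagmanager.com", "googleadservices.com", "google.com",
                   "doubleclick.net", "google.co.uk"},
    "beddit.com": {"mxpnl.com", "google-analytics.com", "googletagmanager.com"},
    "facebook.com": {"fbcdn.net"},
    "fitbit.com": {"optimizely.com", "doubleclick.net", "google.com", "google.co.uk",
                   "mxpnl.com", "google-analytics.com", "googleadservices.com"},
    "uber.com": {"optimizely.com", "doubleclick.net", "google.com", "google.co.uk",
                 "facebook.com"},
}


def shared_third_parties(site_map):
    """Project the site/third-party graph onto sites.

    Returns {(site_a, site_b): [shared domains]} for every pair of studied
    sites that load at least one common third party; such a third party is in
    a position to correlate visitors (or app users) of both sites. Studied
    sites are excluded from the shared set so a first-party load is not
    counted as a third-party link as well.
    """
    studied = set(site_map)
    links = {}
    for a, b in combinations(sorted(site_map), 2):
        common = (site_map[a] & site_map[b]) - studied
        if common:
            links[(a, b)] = sorted(common)
    return links


def third_party_reach(site_map):
    """Rank third parties by the number of studied sites they are loaded from.

    The higher the count, the fuller the cross-site picture that domain can
    assemble. Sorted by descending count, then by name, for stable output.
    """
    seen_from = defaultdict(set)
    for site, deps in site_map.items():
        for dep in deps:
            if dep not in site_map:  # only genuine third parties
                seen_from[dep].add(site)
    return sorted(((dep, len(sites)) for dep, sites in seen_from.items()),
                  key=lambda item: (-item[1], item[0]))


def direct_links(site_map):
    """Site-to-site dependencies: a studied site loaded by another studied site."""
    return sorted((site, dep) for site, deps in site_map.items()
                  for dep in deps if dep in site_map)


def aggregation_view(site_map, third_party):
    """Which studied sites' visitors a given third party can observe."""
    return sorted(site for site, deps in site_map.items() if third_party in deps)


if __name__ == "__main__":
    for pair, domains in shared_third_parties(SITE_THIRD_PARTIES).items():
        print(f"{pair[0]} <-> {pair[1]} via {', '.join(domains)}")
    print("third-party reach:", third_party_reach(SITE_THIRD_PARTIES))
    print("direct site-to-site loads:", direct_links(SITE_THIRD_PARTIES))
    print("doubleclick.net sees:", aggregation_view(SITE_THIRD_PARTIES, "doubleclick.net"))
```

Replacing the constructed mapping with real observations (for example, the per-site domain lists exported from a browser's network log) turns this into a repeatable check that can be re-run whenever a site or app changes its dependencies; the ranking output is the direct analogue of the 'most recurring third parties' noted above.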


4.5 Discussion and impact of research outcome

First, a privacy taxonomy was developed, facilitating the organization of privacy information into a clear classification of the mobile app privacy domain. The taxonomy contributes towards an understanding of the information dimensions contained within policies and the privacy implications of those dimensions. This is pertinent in supporting developers in meeting the mandate to develop 'privacy policies that are clear and accurate' (OAG, 2013). According to Long (2016), a lack of user trust in mobile applications' data handling practices has had a detrimental impact on the uptake of mobile applications. The taxonomy can therefore be used to facilitate greater transparency and control over apps' data handling practices and to boost app user confidence. Addressing user concerns is necessary for the growth of the mobile industry (Son and Kim, 2008) and gives companies a competitive advantage (Ginosar and Arie, 2017).

The user data transitivity relationships analysis depicted in Figure 6 illustrates aggregations and relationships based on the data conveyed to third parties from apps such as Facebook, Uber and Fitbit. This transcends the issues covered by the permissions and privacy aspects encoded in the privacy policies. These relationships allow third party data market aggregators such as Google Analytics to perform unforeseen tasks such as assessing health insurance risks or predicting life expectancy. This is underpinned by WHO (2018), who argue that new forms of privacy risk and data exploitation have emerged which involve the trading of health data generated as a result of interaction with mobile privacy policies and internet services. Indeed, the tasks performed by aggregators can only be thoroughly assessed, from a privacy point of view, by advisors with a global view of the complex network of interdependencies between mobile applications and third parties. Employing social media analytics (Abbasi et al., 2016), companies can conduct personal profiling, obtaining user data through a range of avenues such as data brokers, insurance credit bureaus, or the app ecosystem interdependencies and relationships illustrated in the user data transitivity relationships analysis depicted in Figure 6. For instance, the business model of insurance companies such as Anthem, one of the apps used in the user data transitivity relationships analysis, requires the acquisition of user data to determine clients' insurance premiums. The data required includes age, gender, area of residence, health indicators (Botkin, 2018), etc. It is argued that through data links such as those highlighted in Figure 6 between the five apps under consideration, the Anthem app, which deals with health care insurance, could access sensitive user data from the other apps (this is not an assertion that it does so, just that it can potentially do so). Based on the privacy policy analysis conducted in this research, findings show that a range of data can be accessed from the apps, as shown in Table 15.

Table 15: Mobile applications data handling

App | User data handled
Facebook | name, age, gender, profession, hobbies, and friends' contacts
Uber | phone number, email, credit card details, zip / postcode
Fitbit | height, weight, distance/steps travelled, calories burned
Beddit | sleep patterns, heart rate, breathing / snoring patterns

The user data collected and aggregated from the apps could indirectly flow to the insurance provider without the app users' explicit knowledge or consent, due to the complexity of the data exchange dependencies between app providers and third parties. Depending on the sensitivity of the user data obtained by the insurance provider, this could result in consequences such as higher insurance premiums payable by the 'unsuspecting' mobile app user. Infringements on privacy by industry have occurred. A case in point is cited by Hill (2012), in which Target's advanced data analytics used clients' shopping trends for unrelated items to predict potential pregnancies with a high level of success. This led to a father accidentally discovering his teenage daughter's pregnancy, a clear privacy breach of the teenager's personal data. Underpinning this argument, Henze et al. (2016) assert that car-based telematics systems gather information that can be exceptionally valuable to insurance companies, as it can be used to raise insurance fees or decline renewal of contracts.

It is argued that, while this complex network of interdependencies can occur between just five apps as in the example provided, apps' privacy policies do not capture the rich picture of dependencies displayed through the sensitivity analysis in Figure 6. The analysis showed that certain dimensions within the taxonomy are better developed within the policies than others. For instance, the data collection dimension and, to an extent, the data use dimension are fairly well expressed. However, other dimensions such as user rights, security, data exchanges and legal appear underdeveloped within policies. As such, the taxonomy can be used to cross-reference policy objects (Son and Kim, 2008; Heurix et al., 2015), such as personal information items, with how these are used within the business models of their service providers. The next section presents the limitations and summary of this chapter.


4.6 Limitations and summary

In this chapter, the detailed process involved in the development of the reference privacy taxonomy is presented. The proposed taxonomy provides insights into the key privacy characteristics addressed in privacy policies. To underpin the value derived from the taxonomy, a user data transitivity relationships analysis is implemented, providing an explicit illustration of the interactions between users, apps and third parties. The number of apps used in the illustration was limited because an in-depth analysis of the resulting network was involved. The taxonomy is used to highlight data exchange and monetization practices within the privacy domain which can be derived from data exchange network analysis, despite the lack of explicit mention of these practices in the privacy policies presented to users. This chapter forms a foundation for the next two chapters, in which users' privacy requirements and their conceptual views are analysed and the findings used to propose a user-friendly policy representation.

5 USER NEEDS AND PRIORITIES CONCERNING PRIVACY REQUIREMENTS

This chapter sets out to explore the users' perspective of policies. It investigates the conceptual views of users on privacy policies by analysing how they think about policies in terms of their textual, visual, consent, exploratory and structural features. It also seeks to ascertain what is important to users in terms of their needs, priorities and requirements, as aligned with the privacy aspects contained within the reference model of privacy terms (the taxonomy). To this end, an early user study is conducted to capture users' views on four alternative privacy policy representations, and the results are analysed to extract user priorities and needs. This study is a first step in taking a user-centred approach to eliciting the users' perspective of policies, which is required in the next chapter to inform the design of mobile application privacy policies that are easy for non-technical users to understand.

The user perspectives study is guided by a conceptual framework covered in Section 5.1. This is followed, in Section 5.2, by an observation study design in which participants were required to undertake three tasks. Findings show that the participants' priorities within the reference model of privacy terms focused on data collection and use, neglecting other privacy aspects such as data monetisation and legal aspects. Also, when participants were asked to express their idea of a policy representation in Section 5.3, the designs they produced reflected the features of the conventional full-length privacy policy. However, when asked to choose between selected alternative policy representations, the characteristics of the participants' preferred representations differed substantially from what they had expressed in their own policy designs.

5.1 Conceptual framework

This section presents the conceptual framework, shown in Figure 7, that guided the user study. The conceptual framework is based on Sharp et al. (2006) and involves four main phases: elicitation of end user requirements, design, prototyping and assessment of the artefact. End user requirements pertaining to privacy policies were established by determining user needs and by a user assessment of several alternative representations.

The participants' user needs were established by asking them to prioritize the different privacy aspects captured within the reference model of privacy terms. This was followed by requesting the study participants to assess four alternative privacy policy representations. Three of the alternative policy representations considered were sourced from related studies (Cranor et al., 2010; Earp et al., 2007), as discussed in Chapter 2. The privacy representation parameters used to assess the alternative policy representations are also discussed in Chapter 2. Unlike the first three alternative representations used in this study, the fourth was developed as part of this thesis in an effort to apply the knowledge gathered on user needs regarding the prioritization of privacy aspects in the reference model of privacy terms. This representation is used as the fourth policy representation in this study and is termed the 'list format' representation. This was partly inspired by Jaferian et al. (2014), who initiated their study on the design of policy interfaces by first designing a 'low fidelity prototype' that was then enhanced through several iterations of feedback.

Figure 7: Conceptual framework adopted from Sharp et al. (2006). Phases shown in the figure:

End user requirements identification: user needs (prioritization of privacy aspects); privacy representation parameters used to assess alternative policy representations (simplicity in understanding, effectiveness, effort in use, ease of remembering related information).

Design and prototyping.

Assessment: users; Cognitive Dimensions Framework; redesign; summative evaluation study.

Final artefact: user-centric and monetisation-friendly mobile app compatible privacy policy.


In the next phase, the understanding of end user requirements was used to inform the design and prototyping process, as detailed in Chapter 6. The alternative privacy representation that was rated highest in the end user requirements gathering phase was selected as the base design on which the design and prototyping process was built. In the assessment phase, the resultant prototype was evaluated using the cognitive dimensions framework. The cognitive dimensions framework provides an outlook on the process perspective of a system and is recommended as a suitable means of assessing design artefacts in their initial phases (Green and Petre, 1996). The feedback established in the evaluation stage guided the prototype redesign process through several iterations. The output of the design process at this stage is the first version of the user-centred and monetisation-friendly privacy policy representation prototype for mobile apps developed in this research.

5.2 Observation study design

Volunteers were sourced online by email with a link to Qualtrics (Qualtrics, 2017), a statistical tool for data collection and analysis. The participants were offered £15 Amazon vouchers for their participation and were filtered based on gender, age, education and Information Technology (IT) proficiency. A pilot study of 8 participants was conducted at the start and the feedback used to improve the survey tool. A total of 112 responses were received. The study had 6 sessions scheduled in order to control the number of participants per session and to provide more options as to when participants could take part. Participants were selected based on their availability to commit to the available sessions. This ruled out 59 of the potential participants. Another 10 responses were invalidated due to invalid email addresses, while 2 participants contacted the researcher apologizing for a last-minute cancellation. In total, 41 valid responses were received.

The questionnaire was physically administered and conducted over two days, two weeks apart. Each day had three sessions scheduled, each an hour and a half long. Three facilitators were present in each session to support participants and to provide any clarification required about the survey tool. Sessions began with a brief presentation introducing the purpose of the research and explaining basic privacy concepts to participants. The introductory presentation was provided to ensure that the participants had a comparable level of understanding of privacy. In a related study (Jaferian et al., 2014), participants were trained in the basic use of the tool they were required to use. Moreover, another study on policy authoring allowed participants to do a sample task so as to provide them with experience and enable them to differentiate between the policy and template authors (Johnson et al., 2010). As such, the introductory presentation to the user study in this thesis was provided to ensure that all participants had a fundamental understanding of privacy and an idea of why the study was important. Care was taken to ensure the presentation would not bias the participants' responses in the study. The details of the presentation introducing the study are shown in Appendix F under the participants' information section. The next section presents the demographics of the population sample used in the study, followed by the 3 main user tasks in the survey, their results and the implications of the findings in the subsequent sections.

5.2.1 Demographics

The participants selected were aged 18 years and above and had a representative cross-section of skills, gender and education. Gender-wise, it had been expected that participation would yield approximately 50% female and 50% male representation, while in terms of education the desired outcome had been 10% A level, 30% undergraduate and below, 30% masters and 30% PhD. It had also been expected that a fairly equal distribution between the 3 age groups considered would be obtained, and that IT proficiency would split 50% / 50% between the proficiency levels. The resulting demographic percentages differed from the expected outcomes but are useful nonetheless. Gender-wise, 63.4% were female and 36.6% male. Age statistics were 56.1% below 26 years, 43.9% between 26 and 36 years, and 2.4% above 36 years. Considering education levels of the participants, 29.3% had an advanced level education, 12.2% undergraduate, 48.8% masters, 7.3% PhD, and 2.4% other. IT proficiency statistics were 0% none, 22% basic, 43.9% intermediate, 26.8% advanced, and 7.3% expert.

5.2.2 Task 1: Prioritisation of privacy aspects in taxonomy

In the first task (Appendix D: User perspectives of privacy policies study), participants were presented with a definition of a privacy policy and a brief description of the six privacy aspects found in privacy policies, as depicted within the reference model of privacy terms developed in Chapter 4: data security, user rights, data collection, legal, data use, and data exchanges (monetisation). Participants were required to rank these privacy aspects according to what they consider the most important, on a scale of 1 (least important) to 6 (most important). Based on the findings, the researcher sought to understand why participants had ranked the lowest privacy aspects as such, and possible mechanisms that could be used to improve their rating among users.

5.2.2.1 Results of user ranking of privacy aspects

The participants’ ranking of the privacy aspects in a policy, from least to most important, is shown in Figure 8 as follows: Legal (L), Data Exchanges (DE), Data Security (DS), User Rights (UR), Data Use (DU), Data Collection (DC).

[Figure 8: bar chart. Y-axis: rating of importance of privacy aspects, 1 (least important) to 6 (most important), ticks 0 to 5. X-axis: privacy aspects in privacy policies, L, DE, DS, UR, DU, DC. Bar values as extracted, in ascending order: 2.5, 3, 3.3, 3.8, 4.2, 4.3.]

Figure 8: Ranking of the importance of privacy aspects in a policy

The data exchanges/monetisation and legal privacy aspects were considered the least important. This is attributed to inadequate user understanding of these aspects, whereas participants ranked the most important privacy aspects (data collection and use) highly because they felt they had a clearer understanding of them. Indeed, both Android and iOS now offer greater permissions granularity. Such interfaces highlight the user data collected together with the corresponding permissions to which users are required to consent in order for the download to continue. Permission requirements give users a clearer idea of the data collected, which contributes to user understanding and boosts user confidence. As such, user ratings of the privacy aspects deemed least important could be improved by presenting these aspects in more educative and easy to understand ways.

Second, the low ranking of legal and data exchanges/monetisation could also indicate that users feel these aspects of privacy are out of their control, pointing to a need to introduce more user control in these areas. Giving users more control over their privacy could promote user trust, greater use and willingness to share data. However, more in-depth insights into why the data exchanges/monetisation and legal privacy aspects were ranked lowest could not be captured, as the study sought to establish the ranking of the importance of privacy aspects as a fundamental step towards understanding the participants’ views. Subsequent work could explore the rationale behind the ranking.

5.2.3 Task 2: Participants design privacy policy

In order to analyse how the participants think about policies, they were asked to draw on their creativity and to design a simple privacy policy. To stimulate their thinking, they were provided with a list of the main privacy aspects in policies, aligned with the reference model of privacy terms presented in Chapter 4. The list also included a brief description of each privacy aspect so as to give participants an idea of its composition. Participants were also advised that their design could include pictures, different fonts, abbreviations, shapes, lines, diagrams, text, etc. Each participant was provided with a pen and a design space of three quarters of an A4 sheet on which to design their policy.

The analysis of the participants’ designs explored the textual, visual, consent, exploratory and structural features of each design. To facilitate a thorough analysis, each feature was scored on a five point Likert scale of 1 to 5 as shown in Table 16. A detailed description of each point of the scale for each feature is provided below:

A. The textual feature depicts the ‘word-to-sentence’ ratio of the policy. It explores the extent to which the content of a privacy policy is expressed with only words (for instance when abbreviations are used to communicate content) or with sentences. On a scale of 1 to 5, (1) refers to ‘only words’, while (5) refers to ‘only sentences’; see Table 16 for more details.

B. The visual feature explores the ‘text-to-icon’ or graphical consideration of a policy, that is, the extent to which the policy content is graphical. On a scale of 1 to 5, (1) refers to ‘only text’, while (5) refers to ‘icons only’; see Table 16 for more details.

C. The consent feature considers the ways in which users express their consent to a policy. It explores the level of detail at which a user can express consent on specific areas of their privacy. On a scale of 1 to 5, (1) refers to ‘no consent considered’, i.e. blanket consent, while (5) refers to a ‘checkbox for each privacy item’; more details are provided in Table 16.

D. The exploratory feature considers how the policy fares between the states of being static and explorative. It relates to the extent to which a user can interact with the content conveyed within a privacy policy. On a scale of 1 to 5, (1) refers to content that is ‘all on one page’, i.e. all policy content placed on one page, while (5) refers to a ‘summary of privacy items with a swipe-through capability’ that reveals more content on each item; more details are provided in Table 16.

E. The structural feature explores the different ways in which a policy could be segmented. It refers to the extent to which the content of a policy is partitioned or organised in order to improve its presentation. On a scale of 1 to 5, (1) refers to ‘heading’, while (5) refers to ‘sub-sub privacy details’, e.g. detailing privacy to the lowest level possible such as name, email, etc.; see Table 16 for more details.

Table 16: Privacy analysis features

Textual (word-to-sentence):
1. Only words
2. Mostly words, some sentences
3. Mix of words and sentences
4. Mostly sentences, some words
5. Only sentences

Visual (text-to-icon):
1. Only text
2. Mostly text, some icons
3. Mix of text and icons
4. Predominately icons, some text
5. Icons only

Consent:
1. No consent considered: blanket consent, e.g. using a navigation button (ok, close window)
2. Check box for blanket consent, separate from content and navigation
3. Two or three check boxes about different aspects, e.g. marketing
4. Consent provision for each privacy aspect in the taxonomy
5. Check box for each privacy item, e.g. email, address, etc.

Exploratory:
1. All content on one page
2. Abstract plus detailed page (whole policy)
3. Summary of privacy aspects in content, with details for each item available in a pop-up
4. Summary of privacy aspects in content, with details per item available on a different page by clicking into the item
5. Summary of privacy aspects in content, with swipe-through of one item at a time

Structural granularity (level, with the explanation given for it):
1. Heading: text only, no heading
2. Intro: introductory comment/welcome/instructions
3. Privacy aspects: heading for main privacy aspects, e.g. data we collect
4. Sub privacy aspects: sub headings within privacy elements, e.g. contacts
5. Sub-sub privacy details: details, e.g. name, email, etc.

5.2.3.1 Results and discussion of the analysis of participants’ privacy policy designs

This section presents the results of the analysis of the privacy policy designs drawn by the participants. It shows the percentage representation for each of the features analysed i.e. textual, visual, consent, exploratory and, structural features.

The textual representation

The textual representation was analysed along a five point Likert scale between 1 and 5. Each point in the scale is listed below with its description, the corresponding number of participants and the percentage of policy designs it represents:

1) Only words: 6 participants, corresponding to 15% of the policy designs.
2) Mostly words, some sentences: 11 participants, corresponding to 27.5%.
3) Mix of words and sentences: 4 participants, corresponding to 10%.
4) Mostly sentences, some words: 5 participants, corresponding to 12.5%.
5) Only sentences: 15 participants, corresponding to 35%.

The word-to-sentence comparison of the participants’ policy designs shows that while 35% of the designs are in ‘only sentence’ form, 27.5% have ‘mostly words and some sentences’. This is followed by designs containing ‘only words’ at 15%, then ‘mostly sentences and some words’ at 12.5%, and finally a fairly equal ‘mix of words and sentences’ at 10%.

The results show that the largest share of designs (35%) is in sentence form. This is attributed to the unconscious influence of the predominant conventional full length policy and to users’ reluctance to change. If ‘only sentences’ were the participants’ natural view of policies, the next most common option would be expected to be ‘mostly sentences and some words’; instead this option came fourth at 12.5%. The participants’ second and third preferences were ‘mostly words and some sentences’ followed by ‘only words’, at 27.5% and 15% respectively. This implies that while the conventional full length policy shapes users’ conceptual views, once they overcome its influence their preference appears to be for more simplified content expressed in shorter phrases or words rather than sentences.

The visual representation

The visual representation was analysed along a five point Likert scale between 1 and 5. Each point in the scale is listed below with its description, the corresponding number of participants and the percentage of policy designs it represents:

1) Only text: 18 participants, corresponding to 42.5% of the policy designs.
2) Mostly text, some icons: 9 participants, corresponding to 22.5%.
3) Mix of text and icons: 9 participants, corresponding to 22.5%.
4) Predominately icons, some text: 5 participants, corresponding to 12.5%.
5) Icons only: 0 participants, corresponding to 0%.

The findings show that in terms of visual (graphical) representation, the largest share is ‘only text’ at 42.5%. This is followed by a tie between designs that are ‘mostly text with some icons’ and designs with a fairly equal ‘mix of text and icons’, both at 22.5%. Fourth at 12.5% are designs that are ‘mostly icons with some text’, and lastly no design uses ‘only icons’, which is expected; the option was included so as not to limit the participants’ possible ways of expression.

The fact that ‘only text’ emerges as the largest percentage is expected, as it reflects the predominant conventional full length policy. Worth noting is the tie between designs with ‘mostly text with some icons’ and designs with a fairly equal ‘mix of text and icons’. This suggests that while participants appreciate the importance of conveying privacy information using text, they are open to more creative and graphical ways of expressing it.

Consent provision representation

The consent representation was analysed along a five point Likert scale between 1 and 5. Each point in the scale is listed below with its description, the corresponding number of participants and the percentage of policy designs it represents:

1) No consent considered (blanket consent, e.g. using a navigation button): 23 participants, corresponding to 55% of the policy designs.
2) Check box for blanket consent separate from navigation: 6 participants, corresponding to 15%.
3) Two or three check boxes about different aspects, e.g. marketing: 7 participants, corresponding to 17.5%.
4) Consent provision for each privacy aspect: 2 participants, corresponding to 5%.
5) Check box for each privacy item under the privacy aspect, e.g. email, address: 3 participants, corresponding to 7.5%.

The results show that 55% of the participants’ policy designs did not consider consent. In such cases, blanket consent is assumed through actions such as using navigation buttons (e.g. options such as ‘ok’ or ‘close window’). This finding closely mirrors the conventional full length policy, in which the only option provided to users is to ‘take it or leave it’. However, 15% use a check box to indicate blanket consent separate from the navigation buttons. A slightly higher percentage (17.5%) use two or three check boxes, allowing greater flexibility in consenting to different aspects of privacy such as marketing options. A further 5% provide consent for each major privacy aspect of a policy, while 7.5% allow participants to express their consent to an even greater degree, at the privacy item level, e.g. email, address, etc.

Interestingly, a higher percentage of the policies (17.5%) provide two or three check boxes for consent to different privacy elements than provide only one check box for blanket consent (15%). Likewise, a higher percentage (7.5%) provide consent at the privacy item level, i.e. the category level of the taxonomy and thus more granular control, than the 5% who provide consent at the privacy aspect level, i.e. the level of the taxonomy’s dimensions. These findings could indicate that where participants are aware of the possibility of non-blanket consent, they tend to want the ability to express their consent at a greater level of granularity.

Exploratory nature of policy

The exploratory representation was analysed along a five point Likert scale between 1 and 5. Each point in the scale is listed below with its description, the corresponding number of participants and the percentage of policy designs it represents:

1) All content on one page: 32 participants, corresponding to 77.5% of the policy designs.
2) Abstract plus detailed page (whole policy): 1 participant, corresponding to 2.5%.
3) Summary of privacy aspects in content, with details for each item available in a pop-up: 1 participant, corresponding to 2.5%.
4) Summary of privacy aspects in content, with details per item available on a different page by clicking into the item: 5 participants, corresponding to 12.5%.
5) Summary of privacy aspects in content, with swipe-through of one item at a time: 2 participants, corresponding to 5%.

When exploring how the privacy policies designed by the participants fare between the states of being static and explorative, the largest percentage are static policies (77.5%), which have all policy content on one page with no option for further exploration. This is followed at 12.5% by policies with content presented as an abstract or summary together with the option of obtaining more information on specific privacy aspects by clicking on them. Next at 5% are policies that have an abstract and the possibility of obtaining more details by swiping between the different privacy aspects (one per screen). Lastly, there is a tie at 2.5% each between policies that have an abstract with a pop-up on clicking a particular privacy aspect, and policies that have an abstract with a single link to the rest of the whole policy.

The results show that the majority of the privacy policies designed by the participants are static, which is not surprising as it reflects the features of the conventional full length policy representation. Exploratory policies tend to be more legible, and this is reflected in the designs of some participants. For these participants, the preference appears to be for policies with abstracts together with the ability to get more information on specific privacy aspects, either by clicking on them (12.5%) or by swiping between the different privacy aspects (5%).

Structural granularity

The structural granularity representation was analysed along a five point Likert scale between 1 and 5. Each point in the scale is listed below with its description, the corresponding number of participants and the percentage of policy designs it represents:

1) 1 structural criterion: 5 participants, corresponding to 12.5% of the policy designs.
2) 2 structural criteria: 16 participants, corresponding to 37.5%.
3) 3 structural criteria: 12 participants, corresponding to 30%.
4) 4 structural criteria: 8 participants, corresponding to 20%.
5) 5 structural criteria (sub-sub privacy details): 0 participants, corresponding to 0%.

The level of structural granularity in the layout of the participants’ privacy policy designs was analysed against the five criteria shown above. Each criterion carries a weight of one: for each criterion found within a privacy policy, one point is awarded, so a policy in which none of the criteria is found scores zero, while a policy in which all five criteria are found scores five. The five criteria considered under structural granularity are the provision of: a general heading; an introductory comment/welcome/instructions; headings for the main privacy aspects as reflected in the taxonomy, e.g. data we collect; sub headings within the privacy aspects, e.g. contacts; and specific privacy details, e.g. name, email, etc.

Results indicate that 37.5% of the policies have two of the five structural criteria, 30% have three, 20% have four and none (0%) has all five. Together, 87.5% of the policies have between two and four of the criteria. This could indicate the participants’ openness to, or desire for, a greater level of segmentation in the presentation of privacy information. Greater granularity provides improved clarity, making it easy for participants to locate specific information and fostering better understanding of it. However, the fact that none of the policies has all five criteria could imply that whereas segmentation is desired, it should be used with discretion according to the needs of the different privacy aspects, as it is not necessary to always take all criteria into account.

In summary, the results of the participants’ designs when considering the five policy features, i.e. textual, visual, consent, exploratory and structural, are as follows:

- The textual feature, which relates to the ratio between the use of ‘words’ versus the use of ‘sentences’: the ‘only sentences’ option ranked highest at 35%.
- The visual feature, which focuses on the ratio between the use of ‘text’ versus ‘icons/graphical’ representation: the ‘only text’ option ranked highest at 42.5%.
- The consent feature, which examines the levels at which users are able to control specific aspects of their privacy: the ‘no consent considered’ option, i.e. blanket consent, ranked highest at 55%.
- The exploratory feature, which considers the extent to which a policy is static or can be further explored by users: the option of having all content on one page ranked highest at 77.5%.
- The structural feature, which focuses on the level of segmentation of the privacy policy: out of five possible levels of segmentation, the option of two levels (two criteria) ranked highest at 37.5%.

When considering the above statistics for the highest ranking elements on the Likert scale within the examined privacy representation features, i.e. textual, visual, consent, exploratory and structural, it can be noted that they reflect characteristics associated with conventional full length privacy policies. It is arguable that these characteristics are highly visible in the participants’ designs of policies due to the influence of the conventional full length policies.

This section has presented the results and discussion of the policy designs drawn by the participants. In the next section, participants are shown four alternative privacy policy representations and are required to rank them according to their preference.

5.2.4 Task 3: Assessment of alternative policy representations against privacy representation parameters

In the third task, a privacy policy of a fictitious app referred to as Jupiter X is used. The privacy information content of the Jupiter X app policy was carefully selected to match the real privacy practices of companies. This content is presented in four different representation formats, as shown in Appendix D. Three of the privacy policy representations presented to the participants were sourced from related research: specifically, the three best representations from Cranor et al. (2010) and Earp et al. (2007). The fourth policy representation was the initial policy representation sketch developed in this thesis.

Specifically, two policy representations were selected from Cranor et al. (2010): the ‘standardized table’ and the ‘short text’ representations. The standardized table representation sets out data collection against data use and data sharing. It uses different colours to signify default and non-default data collection, and clearly indicates optional data. The short text representation is a natural language rendering of the information presented in the standardized table, with related rows combined for conciseness. The third policy representation, referred to as the ‘goals and vulnerabilities’ representation, was selected from Earp et al. (2007). It is based on a conventional full length policy in which goal or vulnerability statements relevant to consumer privacy are bolded and highlighted; on mouse-over, these statements present a pop-up box displaying the protection goals and vulnerabilities. The fourth representation was an original design developed in this research, referred to as the ‘list format’ representation. It is composed of the main privacy aspects reflected in the taxonomy developed in the previous chapter, showing each aspect with a brief description.


5.2.4.1 Questionnaire survey tool

The four privacy representations are abbreviated as follows: the standardized table (R1), the short text (R2), the goals/vulnerabilities (R3) and the list format (R4). Using five point Likert scales in the questionnaire survey, participants’ preferences for the different policy representations were captured by assessing the policies against the areas addressed by the four privacy representation parameters identified in the conceptual framework in Figure 7, i.e. i) simplicity in understanding, ii) effort required, iii) effectiveness of policy and iv) ease of remembering related information, together with the participants’ overall assessment of the policy representations. The Likert scale ranged over: strongly disagree, disagree, neutral, agree and strongly agree.

While data collection could have been conducted using several approaches, e.g. semi-structured interviews, Likert scales were used because they are convenient and easily quantifiable. However, Likert scales are subject to midline or outlier confusion, and participants may fake responses. As such, participants were asked open ended questions about why they had given their particular response on the Likert scale. This encouraged participants to think before responding and provided the researcher with more insight to aid the interpretation of the responses.

5.2.4.2 Results of user ranking of alternative policy representations

The participants’ ranking of the four policy representations, i.e. the standardized table (R1), the short text (R2), the goals/vulnerabilities (R3) and the list format (R4), is as follows. From the most to the least ‘simple to understand’, the representations are R4, R2, R3 and R1. From the least to the most ‘effort in use’, the results are R4, R2, R3 and R1. From the most to the least ‘effective’, the order is R4, R2, R1 and R3. In terms of ‘ease of remembering related information’, from the easiest to the most difficult, the order is R4, R1, R2 and R3. The participants’ overall assessment, from the most to the least agreeable representation, is R4, R2, R3 and R1. R4 thus attracts the strongest user preference in terms of simplicity, effort, effectiveness and ease of remembering related information, followed by R2 and R3, with R1 the least agreeable representation. A summary of the results is shown in Table 17.

Table 17: User preferences of policy representations

Privacy representation parameter    First   Second   Third   Fourth
Simplicity                          R4      R2       R3      R1
Effortlessness                      R4      R2       R3      R1
Effectiveness                       R4      R2       R1      R3
Ease of remembering                 R4      R1       R2      R3
Overall results                     R4      R2       R3      R1

5.2.4.3 Correlations analysis of privacy representation parameters

A Spearman’s correlation was conducted to analyse any relationships between the participants’ privacy preferences, as depicted by the privacy representation parameters, and the factors of age, gender and education. Only three statistically significant correlations were observed, all between gender and a representation parameter: the R2 effectiveness factor (rs = .333, p < .05), the R4 effort factor (rs = .400, p < .05) and the R4 remember factor (rs = .321, p < .05), where rs is Spearman’s rank correlation coefficient and R2 and R4 are the short text and list format representations respectively. These are, however, weak relationships, and no further tests were conducted on them. The weak relationships observed for the gender factor indicate that the gender imbalance in the sample population has no substantial effect on the participants’ privacy preferences. No significant relationships were observed between the demographic factors of age and education and the participants’ preferences. As such, further exploration of the preferences across the demographic population was deemed unnecessary in this study.
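The Spearman analysis described above, as an added worked example that is not part of the thesis or its survey data: tie-aware average ranking (a binary factor such as gender and a 1 to 5 Likert response consist almost entirely of ties), the coefficient rs computed as Pearson’s r on the ranks, and an exact two-sided permutation p-value for small samples. The gender/Likert values in the block are constructed for illustration and do not reproduce the study’s data; the function and variable names are the example’s own.

```python
"""Spearman rank correlation in the style of Section 5.2.4.3.

Added example, not the thesis' own analysis code.  Tie-aware average
ranks, rs as Pearson's r on the ranks, and an exact two-sided
permutation p-value (practical only for small n, since n! relabellings
are enumerated).
"""
from itertools import permutations
from math import sqrt


def average_ranks(values):
    """Rank values 1..n; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_position = (i + 1 + j + 1) / 2.0  # positions are 1-based
        for k in range(i, j + 1):
            ranks[order[k]] = mean_position
        i = j + 1
    return ranks


def pearson(x, y):
    """Pearson's r; a constant input has no defined correlation."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        raise ValueError("constant input has no defined correlation")
    return sxy / sqrt(sxx * syy)


def spearman(x, y):
    """rs = Pearson's r computed on the tie-aware ranks of x and y."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need two equal-length samples of at least 3 values")
    return pearson(average_ranks(x), average_ranks(y))


def permutation_p_value(x, y):
    """Exact two-sided p-value: the share of all relabellings of y whose
    |rs| is at least the observed |rs|.  Enumerates n! permutations, so
    use it for roughly n <= 8; larger samples need the t-approximation
    or a Monte Carlo sample of permutations instead."""
    observed = abs(spearman(x, y))
    rx, ry = average_ranks(x), average_ranks(y)
    hits = total = 0
    for perm in permutations(ry):
        total += 1
        if abs(pearson(rx, list(perm))) >= observed - 1e-12:
            hits += 1
    return hits / total


# Constructed illustration (not the study's data): gender coded 0/1 against
# a 1-5 Likert response, the kind of pairing reported in Section 5.2.4.3.
GENDER = [0, 0, 0, 0, 1, 1, 1, 1]
LIKERT = [2, 4, 3, 5, 4, 3, 5, 5]


def demo():
    """Return (rs, p) for the constructed gender/Likert pairing."""
    return spearman(GENDER, LIKERT), permutation_p_value(GENDER, LIKERT)


if __name__ == "__main__":
    rs, p = demo()
    print(f"rs = {rs:+.3f}, exact permutation p = {p:.3f}")
```

On the constructed sample the coefficient comes out at about rs = 0.34, comparable in size to the gender correlations reported above, which shows why a coefficient of that magnitude is read as a weak relationship even where it reaches significance: the ranks of the two groups overlap heavily and a single relabelling can move the value considerably.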

5.3 Comparison of alternative policy representations preferences against participants’ policy designs

The participants’ designs or drawings of what they think a policy should look like were established in Task 2. Thereafter, the participants’ preferred policy representation from four alternative privacy policy representations was explored in Task 3. In the final stage of the study, the results of each participant’s policy design are compared with that participant’s preferred policy representation on the criteria of the textual, visual, consent, exploratory and structural features. An analysis of how the participants’ designs of a privacy policy fared in relation to their preferred privacy policy representations facilitated a more thorough understanding of users’ conceptual views on policies.

Notably, only 30% of the participants’ designs matched their preferred policy representation, implying that 70% differed. The ratios of each of the features explored are shown in Figure 9 in terms of ratios of matched: unmatched. Overall, the percentage of the differences is greater than the similarities between the participants’ policy design and their preferred representation.

The exploratory feature had the highest level of similarity between the participants’ policy designs and their preferred representations, with a similarities:differences ratio of 2.7:1. Next was the visual feature with a ratio of 1:1.9, then the structural feature at 1:3.1 and the consent feature at 1:9.4. The textual feature had the greatest differences between the participants’ policy designs and their preferred representations, with a similarities:differences ratio of 1:12.7.

[Figure 9: horizontal bar chart of matched (similarities) against unmatched (differences) for each feature, scale 0 to 14. Exploratory: matched 2.7, unmatched 1. Visual: matched 1, unmatched 1.9. Structure: matched 1, unmatched 3.1. Consent: matched 1, unmatched 9.4. Textual: matched 1, unmatched 12.7.]

Figure 9: Comparison between participants’ designs vs preferred policy representations


5.3.1 Findings

Substantial mismatches between the participants’ designs and their preferred policy representations were found. This could be because the users’ mental models as expressed in their policy designs do not match the mental models reflected in their preferred policy representations. The designs the participants drew were characterised by features closely resembling the widely used conventional full length privacy policy. A possible explanation is that users’ mental models have been conditioned by conventional full length privacy policies: when required to draw or design their idea of a policy, users produced designs that closely resembled the conventional privacy policies they frequently encounter. As such, due to this conditioning, the participants’ policy designs differ from their preferred policy representations. A discussion of the impact of mental models, particularly on users’ conceptual views of policies, is presented in the next section.

5.3.2 Mental models

Mental models are conceptual representations within a person’s mind that help the person understand and interact with the world. Individuals create mental models of how they think about and understand tasks (Byrne and Johnson-Laird, 1989). The literature indicates that mental models are valuable for training and for understanding users’ behaviour. As such, mental models are drawn upon here to understand the participants’ conceptualisation of policies, which resulted in the disparities between the type of policies they drew and the type of policies they selected.

Mental models can be viewed from the perspective of the user (the user’s model), the designer’s conceptual view (the designer’s model) and the system that users interact with as implemented (the system image). Using mental models to explain behaviour, Gray (1990) found that as users engaged with a system over time, their models adapted to the system. Illustrating this argument, Taylor and Tversky (1992) report that when individuals are asked to draw a map of a location they have read about in text, their placement of the locations on the map reflects the ordering of the locations in the text. This is also aligned with the ‘advantage of first mention’ (Gernsbacher and Varner, 1990). This knowledge underpins the argument that exposure of mobile application users to the conventional full length policy can condition users’ mental models, so that they conceptualise privacy policy characteristics in line with the conventional policy features. Consequently, when users are required to draw or design their idea of what a policy should look like, their designs mirror the features of the conventional privacy policy representation.

Moreover, usability improves when users hold more precise models of a system. Knowledge of the factors that shape users’ mental models of privacy policies is therefore vital for policy designers: it supports the development of more precise design models, which in turn inform the design of privacy policies whose models are more closely aligned with the user’s model, resulting in greater policy understanding and usability. Critics argue, however, that mental models research suffers from a lack of coherent methodology and a lack of a unified definition. These can lead to confusion and inconsistent findings, particularly where studies rely on verbal protocol analysis, in which experimenters may introduce bias. As a mitigation, this research used verbal protocol analysis in combination with a survey tool, and audio recordings of the verbal responses were made so that they could be analysed by more than one researcher, limiting the level of bias. A further criticism, made by Payne (2003), is that different people form different mental models of the same system. Other authors counter that such differences are valuable in highlighting areas for redesign that could lead to improvements. This appreciation of users’ mental models of privacy policy representation is pertinent to the endeavour of developing a user centric privacy policy representation.

5.4 Limitations and summary

In this chapter, the users’ conceptual views of privacy policies were surveyed. Overall, there were substantial mismatches between what the users designed and their preferred policy representations, with 70% of the participants’ designs differing from their preferred policy representation. The participants’ designs reflected the conventional full length policy, whereas their preferred policy representations were more structural and visual.

Users’ mental models as expressed in their policy designs did not match the mental models reflected in their preferred policy representations. For each of the explored features (i.e. textual, visual, consent, exploratory and structural), the participants’ designs predominantly resonated with the characteristics of the conventional full length policy. This was attributed to the conditioning of users’ mental models by exposure to the conventional policy representation. The finding shows that while users may express policies in the form of the traditional policy, they prefer alternative policy representations. The understanding of users’ mental models derived here is used to inform the design of a user centric privacy policy representation in the next chapter.

CHAPTER 6 User-friendly Representation Supporting Privacy Negotiation


6 USER-FRIENDLY REPRESENTATION SUPPORTING PRIVACY NEGOTIATION

This chapter presents the design of a mobile application privacy policy notation from a user perspective, intended to ease the tension between user understanding, control of consent and coverage of the information content in privacy policies. It presents the development of a user-centred privacy policy representation that draws on the understanding of the users’ perspective explored in Chapter 5 together with the knowledge of the privacy policy domain established in Chapter 4, where a reference model of privacy terms was developed. Incorporating users’ perspectives into the design of a policy representation is an important step towards addressing the difficulty users have in using or understanding policies, which stems from policies being designed with a limited user perspective. The notation proposed in this thesis thus aims to enhance the understanding and usability of policies among non-technical users.

A summary of the development of the representation is shown in Figure 10. It involved an iterative prototyping process transforming the initial prototype (Representation A) into the final artefact (Representation C). Each representation was evaluated after its development, in the form of user feedback, the cognitive dimensions framework and the summative evaluation study respectively.

Figure 10: Design stages of the alternative representation prototypes

Representation A (Table 18; Chapters 5 and 6), evaluated through user feedback (Section 5.2.4)
Representation B (Figure 11; Chapter 6), evaluated with the cognitive dimensions framework (Section 6.1)
Representation C (Figure 12; Chapter 7), evaluated in the summative evaluation


An in-depth discussion of the design stages of the alternative policy representation is presented in the subsequent sections. Section 6.1 presents the design and evaluation of a prototype notation based on an initial representation sketch. In Section 6.2, the resulting prototype notation goes through a redesign process to generate the final artefact: an interactive representation that enhances the informativeness of privacy policies, especially with respect to data monetisation, whilst facilitating greater user control over personal data privacy.

6.1 Design effort and discussion

As the starting point of the design process, the ‘list format’ representation, the most preferred representation (R4 in Table 17), was chosen as the base design. The list format prototype (see Table 18) is an original tabular design of this thesis, based on a synthesis of the literature with knowledge derived from the reference model of privacy terms developed as part of this thesis. The design was then developed further using insights from the analysis of user priorities, needs and mental models of privacy policies: what is important to users in terms of privacy information, together with users’ preferences regarding the policy representation features (textual, visual, consent, exploratory and structural). The resulting prototype is shown in Figure 11 and was evaluated using the cognitive dimensions framework (Green and Petre, 1996). According to Green and Petre (1996), the framework should not be mistaken for a set of design rules but seen as a means of explaining the artefact-user relationship. The next section discusses the changes made to the list policy representation (R4) in generating the improved version of the artefact. The changes are organised by the relevant dimensions of the framework, which are: abstraction gradient, diffuseness, closeness of mapping, visibility and juxtaposability, secondary notation and escape from formalism, hidden dependencies, premature commitment, role expressiveness, viscosity, consistency, error-proneness, hard mental operations and progressive evaluation.


Table 18: Prototype of list format policy

The Jupiter X App

Details                      Requires access to: contacts information, demographic information, financial information, location information, cookie information
Why                          To provide the service and maintenance of the site, profiling, and support from other companies
To keep app free             We may monetise your data, e.g. marketing. Data may be revealed to others for research purposes
Data security measures       Data encryption; staff required to adhere to the company’s data privacy policy
Your responsibility          Use strong, carefully kept passwords
Your rights                  Consent to data collection; access and update data; opt out
Keeping your data            No more than 3 months after you opt out
Changes in privacy policies  Email notification 7 days before change

6.1.1 Abstraction gradient

The abstraction gradient dimension of the cognitive dimensions framework addresses the encapsulation or clustering of items to achieve simplicity. Depending on users’ privacy concerns, three degrees of abstraction can be distinguished: abstraction hating, abstraction tolerant and abstraction hungry. Privacy freaks (Norberg and Horne, 2007) are likely to be abstraction hating, as they want as much privacy information as possible. The average user is interested in privacy (Schaub, et al., 2015) and, given the means, will exercise it; such users are considered abstraction tolerant. The abstraction hungry could represent careless users (Wesson, et al., 2010) who give no thought to privacy, whether through lack of awareness or lack of interest. The relevance of representation is asserted by Acquisti, et al. (2016), who state that the transformation of data into information, and hence the extent of its usability, is greatly affected by how the data is represented. A major focus in improving app privacy policy representations is content minimisation, because of the limitations of mobile phone interfaces. At the same time, the improved prototype in Figure 11 seeks to accommodate the different degrees of abstraction found among users. The artefact provides content minimisation, consistent with the abstraction-hungry group, by presenting privacy information in a two column tabular format in which each privacy aspect sits next to a brief description. It caters for the abstraction tolerant by providing a ‘more’ link that opens a pop-up interface with a brief description of a specific privacy aspect, such as data monetisation. Finally, abstraction hating users are given access to the full privacy policy through an easily accessible link.


Figure 11: Prototype of improved privacy policy

6.1.2 Diffuseness

Depending on the objective, representations may be tabular, graphical, textual, visual etc. The number of symbols or space required to convey information differs with different notations. In order to enhance readability the word count of sentences within the policy content was reduced. The result is a reduction in the amount of information held in memory and as such facilitates faster information processing (Wesson, et al., 2010). It also facilitates a better view of the policy on the limited mobile phone interfaces. Likewise, in some sections of the representation such as the ‘Why’ section, comma separated key words were used to replace whole sentences therefore facilitating simpler relaying of privacy information.


6.1.3 Closeness of mapping

The cognitive dimensions framework dimension of ‘closeness of mapping’ explores mapping of the problem world to a solution. The artefact seeks to address the problem of representing privacy information such that it reflects what users deem as most important to their privacy challenges. There is limited research on the order in which privacy information is presented within a policy yet the aspects of privacy that users are interested in differ. Based on the findings of the participants’ prioritisation of the different aspects of privacy information, the prototype as shown in Figure 11 rearranges the order in which privacy information is presented to users to reflect their needs. For instance, to highlight the key aspects of user privacy, the ‘your rights’ privacy aspect is moved from the bottom of the representation to third position in order of appearance. The motivation here is to support informed consent as much as possible even in instances where users may be in a hurry to download apps. This facilitates quick and easy access to the aspects of privacy that are most important to users even in the event they do not want to explore all the privacy aspects of an app’s policy. In addition, the ‘your responsibility’ section is collapsed under the ‘data security’ privacy aspect where it logically fits better. This also resulted in a visually less cluttered representation appearance. The importance of this action is underpinned by (Acquisti, et al., 2016) who state that ‘every notation highlights some kinds of information at the expense of obscuring other kinds’.

6.1.4 Visibility and juxtaposability

The visibility and juxtaposability dimension of the cognitive dimensions framework concerns the ability to display relevant information, to provide intuitive access to it, and to display related information adjacent to each other. This is particularly important given the large amount of information presented to users in the conventional full length privacy policy representation. Specifically, the ‘To keep app free’ section of the prototype is made more intuitive by appending a ‘more’ link at its right hand side, as shown in Figure 11. This gives the simplified representation a mechanism through which users can obtain more comprehensive details should they require them. Juxtaposability comes into effect when the ‘more’ link is clicked: the resulting interface presents a summary of the several ways in which data may be monetised, for instance through service provision, marketing, order catalogues, third parties and data spread. The interface also displays the cost of the app, for example £10, and informs users that they can consent to each of the ways in which their data may be monetised by checking the adjacent checkbox. Users are told that for each type of data monetisation they consent to, the price of the app reduces by a set amount, for instance £2. At the bottom of the interface, the final cost of the app is calculated automatically from the number of consent checks the user has given. An ‘ok’ option and an option to exit the interface return the user to the main interface of the policy representation. Visibility and juxtaposability are particularly important in addressing the challenge of improving users’ perception of privacy aspects such as data exchanges/monetisation, which users ranked lowest in importance. Designing the artefact in this way makes the data exchanges/monetisation aspect more informative and gives users greater control over their privacy.

6.1.5 Secondary notation and escape from formalism

The secondary notation and escape from formalism dimension of the cognitive dimensions framework focuses on how information may be relayed in unconventional ways, including the use of aesthetics to enhance readability. Secondary notation has at times been criticised as a platform through which service providers try to influence users by stressing certain information while ignoring what is ‘truly’ important to them. Here, the artefact uses secondary notation to support users in the data exchanges/monetisation privacy aspect: colours emphasise prices, and checkboxes let users indicate consent, making the policy interactive and giving users control over their privacy.

6.1.6 Hidden dependencies

The ‘hidden dependencies’ dimension of the cognitive dimensions framework deals with exposing interdependencies between or within privacy aspects that may not be obvious to users. The enhancement of the data exchanges/monetisation aspect is only a first step towards this. While the user knows, and therefore consents to, the ways in which their data may be monetised, they are not made aware of how their data will spread through data marketplaces, especially via the third parties associated with the apps in use. This matters because it can have significant consequences where sensitive data such as health data is exposed after consent was granted on the basis of inadequate information (Lin, et al., 2012). This underlines the need for further research into how hidden dependencies can be expressed in privacy policy representations.

6.1.7 Premature commitment

Several factors in privacy policy representation can lead to premature commitment, i.e. premature consent, by users. As discussed above, hidden dependencies are one contributor; the order of privacy information within a policy is another, as a user may not be prepared to read the entire policy; and the complexity and ambiguity of privacy as represented in the conventional full length policy is a third. The design enhancements in the improved policy representation artefact curb premature commitment to an extent. However, user-centred design of all the key privacy aspects in a policy would be required to minimise it.

On completion of the evaluation of the prototype with the cognitive dimensions framework, further redesign work was conducted on the policy representation prototype. These design efforts are presented in the next section.

6.2 Prototype notation redesign

The prototype discussed in the previous sections focused mainly on the content composition of the main interface of the policy representation and on the monetisation privacy aspect. In this round, the design effort was directed at developing the remaining privacy policy aspects, providing facilities for more information and greater consent control over the privacy content, and improving the visual representation and appeal of the information in the policy. This section presents the design process for each of the privacy aspects.

6.2.1 Main interface of the alternative policy representation

Redesign efforts generated the final proposed alternative policy representation shown in Figure 12. In this design, the privacy information about the different privacy aspects is positioned in the centre of the policy. The composition of the information is carefully selected so as to achieve a word-to-sentence count that provides adequate information in a clutter-free format. Icons are used before and after the information presented about each privacy aspect. This presents the information in a visually appealing way. The first column of icons is complemented with words allowing users to visually identify the privacy aspects of the policy either using the image or word depending on which is more intuitive to the user. On the opposite side of the policy, another column of information icons provide the same information as the corresponding image/word icon.


This provides easy access to the information whichever icon attracts the user’s attention. At the bottom of the policy representation is a set of buttons. The first gives access to contact details through which users may make inquiries. The second is a link to the monetisation interface, through which users can determine the extent to which their data may be monetised. The third gives users access to the entire policy, i.e. a link to the conventional full length policy. This matters because the alternative representation concentrates on what is important for users to give informed consent about their personal data while minimising the amount of content shown; the link serves users who want the full policy. The fourth button lets the user accept the policy if they are satisfied with its conditions.

Figure 12: Prototype of final user centric policy representation

Figure 13: Prototype showing the ‘We collect’ - data collection section (annotation: optional items checked, while defaults have no check options)


6.2.1.1 Data collection

The data collection privacy aspect within the notation presents information about the user data collected. Clicking the first set of icons provides more details about the data collected as shown in Figure 13. A user is informed about what data is collected and provided with some descriptions about the data collected. In addition, data required as a prerequisite for the mobile application functionality is indicated by a check box that is checked by default. Users can consent to the collection of optional data by checking the check box next to each data item.

6.2.1.2 Data use

The data use privacy aspect provides the reason for the data collection. By clicking on any of the icons for additional information, users are informed why their data is collected and who is collecting the data as shown in Figure 14.

Figure 14: Prototype of the ‘Why’ - data use section (annotation: optional items with checkbox; marketing option checked, reducing the price by £2 so it now costs £4)

Figure 15: Prototype of the ‘Security’ section (annotation: additional information on security measures)


This section of the policy also has checkboxes that users can check or uncheck to indicate their consent. As discussed earlier, the policy then automatically calculates how much the user would have to pay for the app, if the app is commercial.
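The consent and pricing behaviour described for the monetisation pop-up (Section 6.1.4) and for the data collection and data use sections above can be stated precisely as a small model: required data items are always included, optional items and monetisation channels count only when the user ticks them, each consented channel lowers the price by a fixed discount, and the price never drops below zero. The Python below is an added illustration written for this edit, not code from the thesis or from the Balsamiq prototypes; the names (DataItem, MonetisationChannel, PolicyOffer, compute_price, build_consent_record), the £10 base price, the £2 discount and the ‘Jupiter X’ sample offer are assumptions constructed to mirror the worked figures in the text.

```python
"""Model of the consent negotiation behind the 'To keep app free' pop-up.

Added example (not from the thesis). All names and the sample offer below
are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DataItem:
    """One entry of the 'We collect' section."""
    name: str
    required: bool  # True: pre-checked, cannot be unchecked by the user


@dataclass(frozen=True)
class MonetisationChannel:
    """One way the provider may monetise data; consenting earns a discount."""
    name: str
    discount: Decimal


@dataclass(frozen=True)
class PolicyOffer:
    app_name: str
    base_price: Decimal
    data_items: List[DataItem]
    channels: List[MonetisationChannel]


class ConsentError(ValueError):
    """Raised when a consent choice refers to something the policy never offered."""


def _validate(chosen: Iterable[str], offered: Iterable[str], what: str) -> Set[str]:
    # Reject anything the policy did not offer; duplicates collapse into a set,
    # so ticking the same channel twice cannot earn a second discount.
    chosen_set, offered_set = set(chosen), set(offered)
    unknown = chosen_set - offered_set
    if unknown:
        raise ConsentError(f"unknown {what}: {sorted(unknown)}")
    return chosen_set


def compute_price(offer: PolicyOffer, consented_channels: Iterable[str]) -> Decimal:
    """Price shown at the bottom of the monetisation pop-up.

    Each consented channel reduces the base price by its discount. The result
    is floored at zero: consent cannot be 'sold' beyond the price of the app.
    """
    chosen = _validate(consented_channels, (c.name for c in offer.channels), "monetisation channel")
    discount = sum((c.discount for c in offer.channels if c.name in chosen), Decimal(0))
    return max(offer.base_price - discount, Decimal(0))


def build_consent_record(offer: PolicyOffer, chosen_data: Iterable[str],
                         consented_channels: Iterable[str]) -> Dict[str, object]:
    """What the user actually accepted when pressing the 'accept' button.

    Required data items are included regardless of chosen_data, mirroring a
    pre-checked box with no way to uncheck it; optional items appear only if
    the user ticked them.
    """
    ticked = _validate(chosen_data, (d.name for d in offer.data_items), "data item")
    channels = sorted(_validate(consented_channels, (c.name for c in offer.channels), "monetisation channel"))
    return {
        "app": offer.app_name,
        "data_collected": sorted(d.name for d in offer.data_items if d.required or d.name in ticked),
        "monetisation_consented": channels,
        "price": str(compute_price(offer, channels)),
    }


# Constructed sample offer (assumed values): £10 base price, £2 per channel,
# channels taken from the list in Section 6.1.4 plus the research use in Table 18.
JUPITER_X = PolicyOffer(
    app_name="Jupiter X",
    base_price=Decimal("10"),
    data_items=[
        DataItem("location", required=True),
        DataItem("contacts", required=False),
        DataItem("financial", required=False),
    ],
    channels=[
        MonetisationChannel(name, Decimal("2"))
        for name in ("service provision", "marketing", "order catalogues",
                     "third parties", "data spread", "research")
    ],
)

if __name__ == "__main__":
    print(build_consent_record(JUPITER_X, ["contacts"], ["marketing"]))
```

Keeping the accepted choices in a structured record rather than only in the rendered price is what makes the negotiation auditable later: the record states exactly which data items and channels the user consented to, which a provider would need to honour the opt-out and retention terms in the same policy.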

6.2.1.3 Security, user rights and legal

Under the security privacy aspect, clicking any of the icons for additional information provides a summary of the different security measures enforced to protect users’ data, such as technical and administrative measures, as shown in Figure 15. This could also include key information about agreements with any third parties authorised to process user data. Similarly, clicking the icons corresponding to the user rights aspect provides additional information and facilities that allow users to exercise their right to access, update or delete the data the app holds about them. The legal icons give users a summary of legal matters such as the laws governing the data handling and the jurisdictions in which data is processed.

6.3 Limitations and summary

This chapter has synthesised the reference model of privacy policy terms with the knowledge of what is important to users’ privacy. Starting from a privacy representation sketch, this understanding informed the design of a prototype notation which, through subsequent redesign, was transformed into the proposed user-centric alternative privacy policy representation. The representation is interactive and enhances the informativeness of privacy policies, especially with respect to data monetisation, whilst giving users greater control over their personal data privacy. The next chapter presents a summative study comparing the proposed alternative privacy policy representation with the conventional full length privacy policy. The study provides a user assessment of the two representations and seeks to determine the extent, if any, to which the proposed alternative improves informativeness and control over consent, among other measures.


CHAPTER 7 Summative Evaluation of Monetisation-friendly Representation Supporting Privacy Negotiation


7 END USER SUMMATIVE EVALUATION OF MONETISATION-FRIENDLY REPRESENTATION SUPPORTING PRIVACY NEGOTIATION

The evaluation of artefacts is important in design science research. Evaluation is an attempt to assess the worth or value of an innovation, intervention, service or approach. It serves several purposes and should be purpose-driven to be effective. Artefact evaluation seeks to assess the artefact’s relevance and its improvement over existing norms (Research, 1990; Vaishnavi and Kuechler, 2008). It also provides feedback on whether the problem is understood, whether suitable assumptions have been used, the appropriateness of the design process and possible change requirements in the artefact (Hevner, et al., 2004). Evaluation results may be combined with social science methods to explain the artefact’s behaviour theoretically (March and Smith, 1995), thus contributing to knowledge. Evaluation methods range from descriptive methods that use logic and scenarios to demonstrate utility, to empirical methods including experimentation and case studies (Hevner, et al., 2004). Evaluation may be ‘ex ante’, centred on the design conditions, or ‘ex post’, conducted after the artefact has been built (Pries-Heje, 2008). The Design Science Research (DSR) literature offers limited guidance on selecting evaluation strategies and methods. The computer science community focuses on the build phases and on technological robustness, while the IS community focuses on understanding the artefact’s impact on organisational elements and uses evaluation to that end; DSR combines both perspectives. The summative study presented in this chapter evaluates the user-centred privacy policy representation designed in the previous chapter, which was developed as an alternative to the conventional representation used by the Google Play marketplace (for Android users) and the iPhone marketplace (for iOS users).

7.1 Study design

Planning an assessment and evaluation should consider factors such as the artefact’s type, context and environment (March and Smith, 1995). This summative evaluation study examines how the artefact (the alternative privacy policy representation) compares with the conventional full length policy as a means of conveying privacy information to mobile application users. Study participants were recruited through Qualtrics. A total of 16 participants took part, each receiving a £15 Amazon voucher. The evaluation used a “within subjects” configuration in which participants were divided into four groups, each further subdivided into pairs, as shown in Table 19. The composition of each group was controlled for gender, education and IT proficiency: each group consisted of 2 males and 2 females, 2 undergraduates and 2 postgraduates, and 2 participants with below average and 2 with above average IT proficiency.

Table 19: Participants’ grouping criteria

Group     Gender     Education          IT proficiency
Group 1   2 Female   2 Undergraduates   2 Above average
          2 Male     2 Postgraduates    2 Below average
Group 2   2 Female   2 Undergraduates   2 Above average
          2 Male     2 Postgraduates    2 Below average
Group 3   2 Female   2 Undergraduates   2 Above average
          2 Male     2 Postgraduates    2 Below average
Group 4   2 Female   2 Undergraduates   2 Above average
          2 Male     2 Postgraduates    2 Below average

7.1.1 Materials and procedure

The study was scheduled to take 45 minutes, but participants could leave once they had completed the tasks. It is essentially an observational rather than an experimental study. It used a talk-aloud protocol analysis approach, with an observer seated next to each participant, which allowed the observer to occasionally ask questions to clarify the participant’s actions or thinking as they navigated each policy representation on a computer monitor. The audio was recorded using OBS Studio, a free open-source streaming and recording program. Because the recordings had to be transcribed, the number of study participants was kept small.

The study used case studies of two real app privacy policies sourced from industry. The apps were ones that users could conceivably interact with, as each had more than one million installations. The two policies came from different industries. This was a control against a learning effect: since each participant had to work with both policies, their content needed to differ. As a measure of completeness, both policies were also required to cover all the privacy aspects identified in the reference model of privacy terms developed in Chapter 4, ensuring that they had the same level of information complexity and hence the same demands on understanding. The selected policies were those of a gaming app, referred to as Star-warz for the purposes of this study, and a trip advisor app, referred to as Trip planner. The content of each case study was presented in the form of both the conventional representation and the alternative representation developed in this research. The tasks required participants to answer questions about each representation. The order in which participants were shown the representations differed for each group, as shown in Table 20. Furthermore, the questions asked about the two representations were related but different, so that participants had to think about each representation thoroughly before answering.

Table 20: Participants’ grouping schedule

Group     Participants   Policy         Representation shown
Group 1   2              Star-warz      Alternative representation first
          2              Trip planner   Conventional representation second
Group 2   2              Star-warz      Conventional representation first
          2              Trip planner   Alternative representation second
Group 3   2              Trip planner   Alternative representation first
          2              Star-warz      Conventional representation second
Group 4   2              Trip planner   Conventional representation first
          2              Star-warz      Alternative representation second

Interactive mock-ups of the conventional and alternative representations, illustrated in Figure 16, were developed using the Balsamiq rapid prototyping software (Balsamiq, 2018). The mock-ups gave participants real-time interaction with each policy representation in accordance with its particular features, which was especially useful for assessing the extent of control over user privacy that each representation provided. Each participant was shown an automated version of the policy representations on a computer monitor, running on the free cloud version of Balsamiq. Participants were presented with one representation at a time and navigated it with a mouse while carrying out the tasks.

Figure 16: Prototype of the proposed alternative policy representation vs conventional policy representation (Each was developed for both case studies)

7.1.2 Study tasks

The evaluation consisted of a series of tasks that required users to interact with each policy representation in order to answer the questions in the tasks, as shown in Appendix G. The possible answers were: yes, no, or not sure. The tasks fell into five categories. The first was ‘demographics and privacy tasks’, which gathered standard demographic information together with a question assessing the participant’s tendency to read privacy policies. The second was ‘simple information finding tasks’: direct questions that could be answered by looking at a single part of the policy. The third was ‘complex information finding tasks’, which required more effort because they involved the interaction between data and how it may be used or shared. The fourth was ‘tasks involving user control over personal privacy in the policy’. The fifth consisted of ‘single policy likeability tasks’ and ‘policy comparison likeability tasks’, in which qualitative feedback on both policy representations was collected.

The evaluation of the tasks focused on parameters established from the literature, listed below.

i. Accuracy. Measured as the extent to which the answers given were correct, together with the participants’ certainty when answering, taken as the number of times a participant selected ‘not sure’ rather than ‘yes’ or ‘no’.

ii. How appealing information finding was. Participants rated the appeal of each representation on a Likert scale.

iii. Users’ control over privacy. Participants rated, on a Likert scale, the degree to which each representation allowed them to control their privacy.

iv. Likelihood to read policies if all policies looked like that representation. Participants rated, on a Likert scale, how likely they would be to read policies if all policies resembled each representation.

v. Time taken to locate information in the policy. Measured as the total time participants needed to answer the questions.

7.1.3 Talk-aloud protocol analysis

7.1.3.1 Guidelines

This involved defining the users of the policy and conducting a context of use analysis. The most appropriate tasks and sub-tasks for the walkthrough were determined. A group of participants was assembled and some ground rules for the participants were set:
a) no discussions were allowed about ways to redesign the interface during the walkthrough,
b) policy designers were not to defend the policy design,
c) study participants were not to engage in twittering, checking emails, or other behaviours that would distract from the evaluation, and
d) the study facilitator had to remind participants of the ground rules and to note infractions during the walkthrough.
Participants were presented with the interfaces of the policy representations. As each participant interacted with the policy representations, the following were observed and noted (based on the cognitive walkthrough):
a) Does the user try to achieve the right effect?
b) Does the user notice that the correct action is available?
c) Does the user associate the correct action with the effect that the user is trying to achieve?
d) If the correct action is performed, does the user see that progress is being made toward the solution of the task?
A record was made of the successes, failures, design suggestions, problems that were not the direct output of the walkthrough, and other information that could be useful in design. A standard form was used to record this process. A shared understanding of the identified strengths and weaknesses was compiled from the participants, and potential solutions to the identified problems were compiled on that basis.

7.1.3.2 Talk-aloud protocol analysis exercise

At the start of the exercise, the participants were given a short presentation introducing the importance of the study. The presentation provided a definition/explanation of privacy policies, including rules for the talk-aloud protocol. It helped ensure that participants were comfortable and confident about the study session. Participants were asked to follow instructions and to give as much feedback as possible.

7.2 Results and discussion

This section presents the findings from the evaluation of the proposed alternative representation artefact against the conventional privacy policy representation.

Figure 17: User rating of privacy policy representations (bar chart; y axis: participants’ ratings, 0 to 7; bars: Alternative, Conventional)

Overall, users indicated a 30% higher preference for the alternative representation as compared to the conventional representation as shown in Figure 17. Next, the results of each evaluation parameter are presented in Figure 18 followed by a discussion on the findings.

Figure 18: Evaluation of policy representations (bar chart; x axis: evaluation parameters Time, Control, Correctness, Certainty, Appeal, Likelihood to read; y axis: participants’ ratings, 0 to 1; series: Alternative representation, Traditional representation)

7.2.1 Time required in finding information in policy representation

The greatest differences between the two types of representation are observed in the time taken to locate specific information within the policies. It should be noted that the values of the time parameter shown in Figure 18 are reversed in order to allow for simplified comparison with the other parameters. As such, the alternative representation required 25% of the time required to work with the traditional representation, i.e. a time ratio of 1:4. This could be due to aspects of the alternative representation such as improved segmentation of information based on the taxonomy developed in this thesis. Also, the alternative policy representation has less information on its interface, as it uses dynamic links to provide additional information. This allows participants to easily locate the information they are interested in. Icons are also helpful in identifying the different sections of the privacy policy.


7.2.2 User control over privacy

Participants indicated that the alternative policy representation provides them with more control over their privacy than the conventional policy representation, with a score ratio of 1:0.68 respectively. Whereas the conventional policy representation is static, the alternative policy representation gives users granular control over specific aspects of privacy. This is provided through various opt-in or opt-out options in the different sections of the policies. Users of the alternative policy representation can determine whether or not certain personal data is collected, and in which ways their personal data may be monetised, by checking or unchecking the available options. As such, users of the alternative policy representation can determine the percentage of the app cost they are willing to pay through the various consent controls.

7.2.3 Accuracy

The accuracy with which participants answered the questions is assessed by how many correct answers the participants provided in the information finding tasks. Considering the participants’ correctness in answering questions, the ratio of the alternative policy representation to the conventional policy representation was 0.92:1 respectively. A number of explanations may be considered for the conventional policy representation having a higher accuracy score than the alternative policy representation. First, the conventional policy representation presented to the study participants had only about half a page of textual content, whereas a full-length conventional policy representation frequently has several pages of content. The amount of textual content in the conventional policy representation was limited to half a page so as to give the users a sense of what it felt like to work with the conventional policy representation within the limited time available for each session. As such, it was easier to use the shorter conventional policy representation used in the study, which allowed participants to navigate up and down the page when finding answers. Its short length made it easy to locate information compared with the alternative policy representation, in which the participants were required to navigate through several options/links in order to locate information.

In addition to correctness, the level of uncertainty was also assessed. Certainty was determined by assessing the number of responses to which the participants answered ‘not sure’ instead of ‘yes’ or ‘no’. Results indicate that the ratio of certainty of the alternative policy representation to the conventional policy representation was 1:0.97 respectively, based on the number of questions that the participants answered as ‘not sure’. As such, the participants appear to be more certain about finding answers to questions when using the alternative policy representation.

7.2.4 Appeal in information finding

Substantial differences are observed in how pleasurable information finding is across the two policy representations. The alternative policy representation appears to appeal more to users than the conventional policy representation, with an appeal rating of 1:0.65 respectively. Participants find working with the alternative policy representation more appealing for a number of reasons. The alternative policy representation is less cluttered as it contains less content. Its privacy information is presented in a more segmented format, making it easier to locate specific information. Participants also find working with the alternative policy representation appealing because of the manner in which it provides a summary of the privacy information and uses dynamic links to provide more information to participants should it be required. The alternative policy representation also uses colours and icons in information presentation, making it more visually appealing to users. In contrast, participants find the conventional policy representation burdensome to work with due to the dull and rather legal-like format in which it is presented.

7.2.5 Likelihood to read policies if they resembled representation

Participants show a preference for the alternative policy representation and indicate that they are more likely to read policies if all policies looked like the alternative policy representation. This likelihood was shown with a score ratio of 1:0.57 between the alternative policy representation and the conventional policy representation respectively. While participants are largely in favour of having policies represented in the format of the alternative policy representation, a smaller percentage of participants still prefer that policy representation should remain in the form of the conventional policy representation. This may be due to the fact that, as discussed earlier, the amount of textual content presented to participants in the conventional policy representation was substantially reduced. As such, participants were unable to experience the effect of having to read through an entire policy, often several pages long. The conventional policy representation is also favoured by those who prefer to have all information on one interface or page, such that they do not have to click through other interfaces to locate information. The detailed user ratings of the privacy policy representations are shown in Figure 18. For all the parameters with the exception of time, the higher the rating score, the more favourable to users. The time parameter differs because the shorter the time spent working through a policy representation, the better. As such, the alternative representation performed substantially better in terms of time.

7.3 Summary

This chapter has presented an end user summative evaluation of the alternative privacy policy representation developed in the course of the research in this thesis. It provided the method used to facilitate a rigorous evaluation. The evaluation set out to explore the artefact’s performance against the conventional representation using identified parameters. Five parameters are used in the evaluation, and these are: accuracy in answering questions, appeal in information finding, users’ control over privacy, likelihood to read policies if all policies looked like that representation, and time taken to locate information in the policy. Overall, the participants ranked the alternative policy representation better than the conventional policy representation in all the assessment parameters except for the accuracy test. However, it is argued that accuracy scores for the conventional representation could decline if study participants had to use the full-length conventional policy representation. As such, the proposed alternative representation artefact can be used as a guide for the development of improved user centric policy representations supporting usability and the provision of privacy information in a way that promotes user understanding and control over specific aspects of personal privacy. Such considerations in policy design would make policies more appealing to work with and enable more users to read and understand them. Such policies would also facilitate informed user consent through the greater level of granularity provided over privacy control.

Overall, the findings show that the alternative representation improves the time taken when working with policies, user control over privacy, user certainty when locating information in policies, the appeal of the policy to users, and users’ likelihood to read policies conveyed in a manner similar to the alternative representation.


CHAPTER 8 Discussion


8 DISCUSSION

This chapter provides a synthesis of the results of the research conducted in this thesis and demonstrates how the different stages of the research work together. The aim of this research is to create constructs and notation of a privacy policy representation language which incorporates the perspectives of the end users, alleviating the tension between the capabilities of users to understand digital service policies and the need for service providers to convey sufficient information and mechanisms to enable informed user consent. Achieving this aim involved an analysis of the privacy policy content reflected within the current privacy domain, leading to the development of a reference model of privacy terms that informed the determination of the content composition of the proposed alternative representation. Additionally, an exploration of user requirements, needs and perceptions of privacy policy representations was conducted, and user mental models are drawn upon to explain the findings on user preferences. Insights from user preferences were incorporated into the design of the policy representation prototypes, leading to the final policy representation artefact presented in this thesis. A summative evaluation study is used to provide justification for the privacy policy artefact presented and the extent of its effectiveness in terms of the representation’s comprehensiveness, informativeness and facilitation of greater user control over privacy. Each of these aspects aligns with one of the main contributions of this thesis, and each aspect and its corresponding contribution will now be reviewed in further detail.

8.1 Comprehensiveness of privacy policy information

This work set out to design an effective representation of a privacy policy incorporating the perspectives of end users. It also sought to facilitate a mechanism for service providers to convey sufficient information for enabling end users to make knowledgeable decisions and thus offer informed consent over their personal privacy. Establishing the privacy policy domain knowledge involved an analysis of representative app privacy policies so as to establish the information coverage that service providers present within privacy policies. The motivation was two-fold: (a) to identify the main attributes, domain knowledge, precision and completeness of privacy related information; (b) to build a taxonomy categorizing the nature and usage of the collected attributes, facilitating objectivity in the analysis and comparison of mobile application privacy policies. Indeed, a taxonomy is considered to provide ‘a structured, clear, meaningful and simple to understand set of vocabulary’ (Dayarathna, 2011). The results of the analysis were used to develop a reference model of privacy terms in the form of a privacy taxonomy with six emergent conceptual dimensions: data collection, data use, data security, user rights, legal, and data exchanges. In essence, this stage of the research was aligned with Research Objective one, which is “To create a reference model of terms used in privacy policies, and use its contents as vocabulary constructs for the privacy representation language”.

The proposed privacy taxonomy provides insights into the key privacy concepts captured within the current privacy domain. The emergent dimensions of the privacy taxonomy are interlinked and yet they support different aspects of user privacy. The privacy taxonomy was evaluated for its relevance and applicability. This was implemented in the form of an exploration into the dynamic interplay between the different privacy dimensions of the taxonomy, their roles and relevance in the transactions between users, apps and third parties. In particular, the evaluation analysis focused on the potential avenues of user data transitivity relationships through apps which could result in leakage of users’ personal data in the data marketplaces. The findings show potential for sensitive data flows from users to ‘undesired’ destinations in the data marketplaces. These findings underpin the relevance of the concepts represented by each taxonomy dimension to user privacy. Notably, it articulates the need for greater emphasis on the inherent data exchanges involved in users’ personal data so as to minimize data leakages and breaches.

The taxonomy sheds light on data monetization practices by service providers, which can be derived from data exchange network analysis despite the lack of explicit mention of these practices in the privacy policies presented to users. The taxonomy also provides benefits to policy makers and mobile application providers by defining objective attributes within the privacy domain that should be considered for incorporation into the scope of content when developing privacy policies. This ensures that the scope of privacy information conveyed by policies is sufficient to provide informed user consent. It facilitates the design of policies with the ability to provide users with greater clarity on service providers’ handling of users’ personal data and its propagation across data marketplaces. Such policies could contribute to a gradual change in users’ attitudes, so that users are not merely interested in what data is gathered about them. Rather, users will have a better comprehension of the user data transitivity relationships involving their personal data, resulting in increased user vigilance in safeguarding against privacy breaches. As such, the reference model of privacy terms developed in this thesis facilitates the achievement of comprehensiveness of the information composition within the proposed policy representation and is the first contribution made by this research.

8.2 Informativeness of the policy representation artefact

In addition to the requirement for the effective user-centred privacy policy representation to convey sufficient information, i.e. to be comprehensive, a second requirement was that it should be informative. Conventional policies are designed by service providers, are legal-like and contain technical details motivated by requirements for compliance rather than users’ ability to understand. This makes it difficult for users to comprehend the privacy information conveyed by policies. The exploration of the informativeness of the policy design involved an investigation into the users’ perspective of privacy policies. The end users’ perspective has been explored through an early user study set up to establish users’ mental models, control needs and representation preferences. This is aligned with Research Objective two, which is “To uncover users’ perspectives in terms of their mental models, control needs and representation preferences through exploring their attitudes towards, and understanding of the different aspects of the system of domain knowledge as encoded in several alternative policy representations.”

While the ‘average user’s privacy preferences’ may not necessarily be possible to establish, Knijnenburg (2017) contends that privacy preferences can be established in specific contexts. As such, an investigation was conducted into users’ attitudes towards and understanding of the different aspects of the system of domain knowledge encoded in different policy representations, in order to identify user privacy needs, priorities and requirements. Users assessed the privacy policy representations in terms of four privacy parameters, i.e. simplicity in understanding, effectiveness, effort in use, and ease of remembering related information. The results were used to inform the development of the policy representation prototype. Users were also required to prioritize the privacy aspects as represented by the different dimensions of the privacy taxonomy. Findings show that users neglected the monetisation and legal aspects while they showed interest in the data collection and data use aspects. This can be attributed to inadequate user understanding of the data monetisation and legal issues in privacy policies. A study on user understanding of policies found that the average policy user finds it challenging to understand financial information (Reidenberg et al., 2015). Another explanation could be that users regard the monetisation and legal aspects of privacy as out of their control. This underpins the necessity of supporting users’ understanding of these issues within policies and of providing mechanisms to give users control over these aspects.

In an effort to further refine the policy representation prototype, an analysis was conducted in order to understand users’ mental models of policy representations. This required user assessments of policy representations in terms of their textual, visual, consent, exploratory and structural features. Results demonstrate that initial mental models are largely reflective of the predominant conventional full-length privacy policies. It is argued that this is a result of users’ mental models being conditioned by the commonly available conventional full-length policy. However, results also demonstrate that when provided with alternatives, users are open to innovations and in fact show a clear preference for alternative policy representations that are more structured and visual in nature. The understanding of user mental models was used to further refine the representation prototype. As such, the findings of the early user study enabling user centric design of privacy policy representation in this thesis facilitate the achievement of informativeness in the proposed policy representation and are the second contribution made by this research.

8.3 User control over privacy in the policy representation artefact

The third evaluation aspect involves the integration of the reference model of privacy terms with the findings of the early user study into the user-centred design of an effective privacy policy representation. This is aligned with Research Objective three, which is “To design and evaluate a proposed notation which incorporates the user perspective to alleviate the tension between user understanding, control of consent and coverage of the information content of privacy policies.” In addition to the representation exhibiting comprehensiveness and informativeness, it was also required to facilitate a mechanism of user control over different aspects of personal privacy. The current design of privacy policies is static and does not provide users with any direct control over their personal privacy. In order to address the challenge of carte blanche access to user data by applications, the WEF (2013) argues that privacy controls should be provided to users over their personal data.

As such, the process of representation prototyping sought to enhance user control by introducing mechanisms that allow users to interact with the various aspects of the privacy policy. In order to enforce the fair information practice of notice and consent, privacy regulatory institutions demand that users have control over the dissemination of their data and that users are made aware of the consequences of their choices (GDPR, 2018). Controls were incorporated in the data collection, data use and user rights constructs. The policy representation presented enables users to provide specific consent over the collection of non-default personal data items, as shown in Figure 14. Users have no control over default data items, as these are required for the functionality of the app.

In addition, the proposed policy representation artefact could be used in commercial apps to help users determine the extent to which an app could monetise their personal data. Provision of informed user choice requires users to clearly comprehend the intentions of service providers and the value they gain from allowing access to their data. As such, the data exchanges construct of the proposed policy representation artefact allows users to determine how much they pay for an app. Users can effect this by using the opt-in or opt-out options provided. For every selected opt-in option the app costs less, while users would be required to pay for every option that they opt out of. This enables users to retain full control to the desired extent. Current monetisation business models do not offer permissions at this level. By providing greater control over user privacy, the proposed artefact gives users the ability to trade off their personalization benefits against possible privacy risks (Knijnenburg and Kobsa, 2013; Laufer and Wolfe, 1977). This is underpinned by Knijnenburg (2017), who advocates ‘user-tailored privacy’ which incorporates user privacy needs in facilitating ‘adaptive privacy decision support’. However, no controls were incorporated into the data security and legal constructs of the policy, which only have links to additional information. Incorporation of controls into the security and legal constructs of the policy requires substantial research into these two areas so as to determine the feasibility of possible controls. This was out of scope due to the limited timeframe of this thesis research.
As such, the integration of the findings from the reference model of privacy terms and the early user study on user preferences in the user-centred design of an effective privacy policy representation in this thesis facilitates the achievement of user control over privacy in the policy representation artefact and is the third and main contribution of this research.
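To make the control mechanism described in this section concrete, the following is an added example that is not part of the thesis or its artefact: a small Python model of a policy organised by the six taxonomy dimensions, in which consent controls exist only in the data collection, data use, user rights and data exchanges constructs, default data items cannot be refused, and each data-exchange option the user opts into lowers the app price. The item names, base price, per-option price reductions and the opted-out starting state are constructed assumptions.

```python
"""Toy model of the consent-controlled policy representation described in
Section 8.3. This is an added illustration, not the thesis artefact; the item
names, base price and per-option price reductions are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum


class Dimension(Enum):
    """The six dimensions of the privacy taxonomy developed in the thesis."""
    DATA_COLLECTION = "data collection"
    DATA_USE = "data use"
    DATA_SECURITY = "data security"
    USER_RIGHTS = "user rights"
    LEGAL = "legal"
    DATA_EXCHANGES = "data exchanges"


# Constructs that carry opt-in/opt-out controls. Data security and legal only
# link to further information, so they accept no consent decisions.
CONTROLLABLE = frozenset({Dimension.DATA_COLLECTION, Dimension.DATA_USE,
                          Dimension.USER_RIGHTS, Dimension.DATA_EXCHANGES})


@dataclass(frozen=True)
class PolicyItem:
    dimension: Dimension
    name: str
    default: bool = False    # required for app functionality: user cannot refuse
    discount_pence: int = 0  # price reduction when opted in (data exchanges only)


class PolicyError(ValueError):
    """Raised when a consent decision violates the representation's rules."""


class PolicyRepresentation:
    def __init__(self, items, base_price_pence):
        self.items = {item.name: item for item in items}
        self.base_price_pence = base_price_pence
        for item in items:
            if item.discount_pence and item.dimension is not Dimension.DATA_EXCHANGES:
                raise PolicyError(f"{item.name}: only data-exchange options affect price")
        # Privacy-protective starting state (assumption): only default items are
        # in effect until the user explicitly opts in to anything else.
        self.opted_in = {n for n, it in self.items.items() if it.default}

    def set_consent(self, name, opt_in):
        """Record one user decision, enforcing the representation's rules."""
        item = self.items.get(name)
        if item is None:
            raise PolicyError(f"unknown policy item: {name}")
        if item.dimension not in CONTROLLABLE:
            raise PolicyError(f"{name}: the {item.dimension.value} construct has no user controls")
        if item.default and not opt_in:
            raise PolicyError(f"{name}: default data item required for app functionality")
        if opt_in:
            self.opted_in.add(name)
        else:
            self.opted_in.discard(name)

    def price_pence(self):
        """The user pays for every data-exchange option they have not opted into."""
        saved = sum(it.discount_pence for n, it in self.items.items() if n in self.opted_in)
        return max(self.base_price_pence - saved, 0)

    def status(self, name):
        item = self.items[name]
        if item.dimension not in CONTROLLABLE:
            return "info only"
        if item.default:
            return "required"
        return "opted in" if name in self.opted_in else "opted out"

    def summary(self):
        """Segmented view: one entry per taxonomy dimension, as the representation displays it."""
        out = {d.value: [] for d in Dimension}
        for name, item in self.items.items():
            out[item.dimension.value].append((name, self.status(name)))
        return out


def demo_policy():
    """A constructed example policy for a hypothetical app (not from the thesis)."""
    return PolicyRepresentation([
        PolicyItem(Dimension.DATA_COLLECTION, "device_id", default=True),
        PolicyItem(Dimension.DATA_COLLECTION, "location"),
        PolicyItem(Dimension.DATA_USE, "personalised_content"),
        PolicyItem(Dimension.DATA_SECURITY, "encryption_in_transit"),
        PolicyItem(Dimension.USER_RIGHTS, "marketing_email"),
        PolicyItem(Dimension.LEGAL, "governing_law"),
        PolicyItem(Dimension.DATA_EXCHANGES, "share_usage_stats", discount_pence=100),
        PolicyItem(Dimension.DATA_EXCHANGES, "advertising_profile", discount_pence=150),
    ], base_price_pence=499)


if __name__ == "__main__":
    policy = demo_policy()
    print("price with nothing opted in:", policy.price_pence())    # 499
    policy.set_consent("share_usage_stats", True)
    print("after one data-exchange opt-in:", policy.price_pence())  # 399
    for dim, entries in policy.summary().items():
        print(dim, entries)
```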

8.4 User opinions

Overall, the proposed policy representation meets the aim of this thesis by incorporating the users’ perspectives and allowing the creation of privacy policies which facilitate informed consent and user control over personal information. This thesis presents a user-centred and monetisation-friendly mobile app compatible privacy policy representation. This exhibits effectiveness as it is comprehensive, informative and facilitates greater user control over privacy.

The proposed policy representation artefact in this thesis was appraised by users against the conventional full-length policy in the contexts of: users’ accuracy in information finding; how appealing it was to use; the level of control users can exercise over privacy; whether users were more likely to read policies if they were in that format; and the time required to find information. In all of the contexts except accuracy, the proposed policy representation artefact scored better than the conventional policy representation. Overall, the proposed policy representation was rated 30% higher than the conventional full-length policy representation. The most substantial benefit that the proposed artefact offers over the conventional representation is in the time required to find information, as it requires only 25% of the time required to find the same information in the conventional policy representation. Stressing the importance of the time factor, McDonald and Cranor (2008) state that if reading policies is costly in terms of time, it could act as a hindrance to policies being read.

8.5 Summary

In summary, the ‘user-centred and monetisation-friendly mobile app compatible privacy representation’ presented in this thesis engages non-technical users in the design of user-centric privacy policy representation. It provides a comprehensive privacy policy information scope that is easily navigable. It facilitates improved understanding of privacy and enhances control over several privacy areas especially over monetization. It depicts a policy representation that is comprehensive, informative and provides user control over privacy.


CHAPTER 9 Conclusions


9 CONCLUSIONS

This chapter presents the contributions of this work to the field of mobile privacy policies, and its application for achieving a user focused policy design. It reflects on how the results address the stated aim and objectives. It also reviews the limitations of this research and highlights the future work needed.

9.1 Research contributions

This research set out to create constructs and notation of a privacy policy representation language which alleviates the tension between the limitations of users to understand complex digital service policies, and the need for service providers to convey sufficient information to enable informed user consent. The result is a user-centred privacy policy design which facilitates compliance in mobile apps and allows user comprehension and control. It makes contributions to the theory and practice of privacy policy management as discussed in the next section.

9.1.1 Contributions to knowledge

A key outcome of design science research is that there should be a contribution to knowledge that either provides a better understanding of a problem, or that can be used to provide or design a solution or to improve an artefact’s design (Hevner et al., 2004). This research has a number of theoretical implications for mobile application privacy research. First, the research makes a contribution to knowledge by developing a vocabulary for a privacy policy design language, expressed as a reference model of privacy terms in the form of a taxonomy. The taxonomy facilitates the organization of a Body of Knowledge (Smith et al., 2011) about the mobile app privacy domain. It supports understanding of the information dimensions that policies comprise and the implications of those dimensions for users’ privacy. As such, the taxonomy provides an informative reference point for supporting research (Son and Kim, 2008) on policy development.

Second, the research makes a contribution to the understanding of users’ conceptual views on privacy policies through an early user study enabling user centric design of privacy policies. It provides knowledge on users’ mental models, control needs and representation preferences. Using the full privacy domain vocabulary encoded within the taxonomy, the early user study identifies the parts of the privacy domain that are of interest to users. The study also explores users’ mental models on key design aspects such as representation structure, interactiveness, and the relationship between the visual and textual aspects of policies. This provides knowledge on factors that contribute to ‘easy to understand’ representations and can be used in further research into new alternative representations.

Third, the research develops a user centric privacy policy representation notation artefact. It uses an end user development approach, engaging users in the design process rather than limiting their input to the evaluation stage. As such, it presents the privacy functionality as perceived by non-technical users. It facilitates user understanding and control over personal privacy, facilitating compliance with regulation.

A fourth contribution is the summative evaluation study in which the proposed alternative policy representation artefact is evaluated against the conventional policy representation. The study provides knowledge on user opinions about the two representations in terms of which aspects users liked or criticised, the improvements they suggested, and the questions they asked about the representations. It also highlights the benefits to users’ privacy that the proposed alternative policy representation presents.

9.1.2 Implications of work

The alternative privacy policy representation artefact presents a representational template design with language constructs that may be used in user centric policy design. This presentation language depicts how privacy components (visual, textual, etc.) fit together. It provides concepts within policies, the relationships between these concepts, and how best to represent them to users. As such, it serves as a guide to the structuring of policies with concepts that privacy managers or mobile app developers should address when designing privacy policies. Indeed, Beckers (2012) asserts the need for guidance for requirements engineers to support the elicitation, conceptualization, identification and validation of stakeholder requirements. This can be provided by the privacy terms and attributes in the privacy reference model. The taxonomy and representation notation developed in this research will enable service providers to systematically design better privacy policies that embody how the data collected could be handled in a monetisation-friendly manner based on the underlying business models of the app providers. The resultant policies would contain comprehensive information for the service users, establishing a trust-based collaboration that supports privacy-by-design practices. In such collaborations, users will be more confident to hand over real data with the enhanced understanding of how the data is used.

Second, the taxonomy provides privacy terminology in precise terms and attributes (Skinner et al., 2006) that are prevalent in mobile application privacy policies. This facilitates systematic comparison of different privacy policies to establish the extent of their compliance with the taxonomy when it is used as a benchmark. As a reference point, the taxonomy can also inform policy regulation (Solove, 2006), facilitating the work of regulators in the development and assessment of privacy standards for industry (Askland, 2008), such as data protection compliance assessments (EDPS, 2016) and data protection toolkits (Beckers, 2012). Likewise, the taxonomy dimensions can be leveraged to further elaborate existing regulatory frameworks. The extended frameworks can underpin more sophisticated compliance mechanisms covering more aspects of privacy management. Stakeholders, from end users to authorities, would also gain better awareness of the different privacy aspects of mobile applications.

Lastly, rather than limiting the scope of the research to one category of mobile applications, several categories of mobile applications from different industries were considered in the development of the taxonomy so as to produce a comprehensive privacy taxonomy. This facilitates greater generalisation and applicability of the results.

9.2 Reflection on the research process

This research explores ways of effectively conveying privacy information to mobile application end users. The major result of this thesis is a privacy policy notation artefact with constructs built on a privacy classification scheme. This notation takes into account the visual representation and the privacy reasoning capabilities that introduce user controls over data privacy. The thesis set out to address three objectives. This section discusses the extent to which the research objectives have been attained and the methods used. A mapping of the research objectives and questions to the research contributions is presented in Table 21.

Table 21: Mapping of research objectives to research contributions

Columns: Research Question; Research Objective; Research Contribution; Evaluation.

RQ1
Research Objective 1: To create a reference model of terms used in privacy policies, and use its contents as vocabulary constructs for a privacy representation language. The sub-objectives were to identify the main concepts of existing privacy policies, and to structure them in a system of domain knowledge.
Research Contribution RC1: The development of the constructs of a privacy representation language, expressed as a reference model of the privacy terms in the form of a taxonomy. (Chapter 4)
Evaluation: Subjective and objective ending conditions to ensure validity via saturation point; digital data marketplace sensitivity analysis scenario.

RQ2
Research Objective 2: To uncover users’ perspectives in terms of their mental models, control needs and representation preferences through exploring their attitudes towards, and understanding of, the different aspects of the system of domain knowledge as encoded in several alternative policy representations.
Research Contribution RC2: The development of a user-centred and monetisation-friendly privacy policy representation prototype. (Chapters 5 and 6)
Evaluation: Cognitive dimensions framework.

RQ3
Research Objective 3: To design and evaluate a proposed notation which incorporates the user perspective, alleviating the tension between user understanding, control of consent and coverage of the information content of privacy policies.
Research Contribution RC3: The integration of the results of the reference model of privacy terms and the early user study in the user-centred design of an effective privacy policy representation. (Chapters 4, 5 and 6)
Evaluation: Summative study.

Research Objective one. To create a reference model of terms used in privacy policies, and use its contents as vocabulary constructs for a privacy representation language. The sub-objectives are to identify the main concepts of existing privacy policies, and to structure them in a system of domain knowledge.

The representation of privacy information requires determining the ‘appropriate’ composition of information that should be presented in a policy. The information should be sufficient to support user understanding, yet not excessive, as excess could reduce user attention and thus lose the meaning of the information. The content composition of privacy information within the privacy domain was explored through an analysis of privacy policies in order to identify the main concepts, attributes and vocabulary in policies, through a rigorous privacy taxonomy development process. The process of developing the privacy language constructs through the taxonomy is detailed in Chapter 4, together with a sensitivity scenario depicting the constructs’ usability. The privacy language constructs are expressed in the form of the taxonomy’s dimensions, categories and subcategories. These constructs represent the main concepts within the privacy domain and can be used as benchmarks or guidelines for determining the sufficiency of privacy information content when designing privacy policies. Policies whose content composition is guided by the taxonomy have the benefit of comprehensive information coverage while remaining visually ‘clutter’ free. In addition, the selection of the information composition is guided, facilitating informed user decision making and consent. The development of the constructs represented by the reference model of privacy terms as a taxonomy is the first contribution made in this research. It answers RQ1 in Chapter 4 and demonstrates the achievement of Research Objective one of this thesis.

Research Objective 2. To uncover users’ perspectives in terms of their mental models, control needs and representation preferences through exploring their attitudes towards, and understanding of the different aspects of the system of domain knowledge as encoded in several alternative policy representations.

Addressing objective two, Chapter 5 analyses what is important to users in terms of their needs, priorities and requirements, based on the privacy aspects highlighted by the reference model of privacy terms. This is accomplished by capturing end users’ attitudes towards, and understanding of, the system domain knowledge encoded in alternative policy representations. Capturing users’ requirements enabled the discovery of the areas within the privacy domain that are of interest to users, and the privacy areas that users pay less attention to and yet are relevant to user privacy. Potential solutions that address the privacy areas neglected by users were explored and incorporated into the privacy representation prototype building process in Chapter 5. The design artefact developed at this stage was a user-centred and monetisation-friendly privacy policy representation prototype for mobile apps. The representation prototype introduces user interaction with privacy policies, giving control back to the end users by providing a mechanism through which users can reason about their privacy as presented in the privacy policy. The prototype is validated for cognitive effectiveness using the cognitive dimensions framework.

In Chapter 6, work was conducted to further enhance the representation prototype by exploring users’ mental models of privacy policy representations. Results indicate that while user mental models are conditioned by the conventional policy representations, users are open to alternative representations when presented with options. Based on the findings, the representation prototype was cross-examined to determine the extent to which it reflected the findings on users’ mental models, and the design was improved accordingly when developing the final artefact. The final representation artefact was validated through a summative study. Thus, the findings of the early user study conducted in Chapters 5 and 6 enabled the user-centric design of the privacy policy representation and represent the second contribution of this research. This also answers RQ2 and demonstrates the achievement of Research Objective two of this thesis.

Research Objective 3. To design and evaluate a proposed notation which incorporates the user perspective to alleviate the tension between user understanding, control of consent and coverage of the information content of privacy policies.

The design of the proposed privacy representation notation is developed sequentially in Chapters 4, 5 and 6, in which Research Objectives one, two and three were addressed. At each stage, an artefact is developed and evaluated. The overall evaluation of the final research artefact is conducted in Chapter 7 through a summative evaluation study in which the proposed artefact is validated against the conventional privacy policy representation. First, the findings show that the alternative representation’s comprehensiveness was rated 10% better than the conventional privacy policy representation. This was tested by measuring users’ accuracy in information finding, certainty of finding the desired information, and the appeal of information finding. Second, the alternative representation’s informativeness was rated 59% better than the conventional privacy policy representation. This was tested by measuring users’ likelihood to read policies if they resembled the representation, and the time needed to find information. Third, the alternative representation’s level of user control over privacy was rated 32% better than the conventional privacy policy representation. This was tested by measuring users’ ability to specify and alter privacy options. Overall, user preferences indicate a 30% higher rating of the alternative policy representation over the conventional full-length policy representation. As such, the third and main contribution of this thesis is the integration of the results of the reference model of privacy terms and the early user study in the user-centred design of an effective privacy policy representation. This answers RQ3 and demonstrates the achievement of Research Objective three of this thesis.

9.3 Research limitations

All stages of the research process have limitations. The research is conducted within these limitations, and they must therefore be taken into account when claims are made about the results and findings and the extent of their applicability. Qualitative research has the limitation of a smaller sample size than quantitative research, yet Ghauri and Gronhaug (2005) argue that the in-depth studies conducted through qualitative research provide a ‘thick description’ that is not feasible with large numbers of observations. Indeed, qualitative research derives its value from the depth and richness of contextual data rather than from generalisation through repeatable results. The quality of the research is scrutinised through evaluation criteria: each stage of the research process incorporates an evaluation of the artefact at that level of development.

The scope of the work covers the development of a privacy notation that attempts to incorporate the user perspective in the way information is conveyed within the notation. While a notation vocabulary, i.e. the constructs for a privacy language, has been developed, the work is limited in that the syntax, the rules required to combine and operate on the vocabulary, has not been developed. A privacy language would require both a vocabulary and a syntax for its full functionality.

While legal aspects are considered, specific legal perspectives are not taken into account because many different laws govern data privacy. However, the work is a step towards facilitating compliance within privacy policy representations, especially in light of the General Data Protection Regulation (GDPR, 2018).

9.4 Future research

A vocabulary for a privacy policy language was developed in this thesis. Future research can focus on developing the rules or grammar required to operate on the vocabulary, i.e. the constructs embedded in the taxonomy developed in this thesis. This would yield a privacy policy language with vocabulary representations and interactions that would enable policy design for enhanced user privacy.

This research identified two areas within the privacy taxonomy that users appear to ignore, namely the data exchanges and the legal aspects of the privacy domain. It was suggested that the lack of attention to these aspects could be due to limited control and a possible lack of understanding. While this thesis has attempted to explore ways of enhancing users’ understanding of, and control over, the data exchanges area, future work could concentrate on how to enhance users’ understanding of the legal area.

The General Data Protection Regulation has recently come into effect (GDPR, 2018). It has tightened the requirements on service providers in relation to user privacy. As such, future research could examine the extent to which mobile app privacy policies adhere to the GDPR. Further, the taxonomy could be extended to capture the full regulatory requirements of the GDPR.

Future research could also explore end users’ attitudes towards, and understanding of, the complex interdependencies within the app ecosystem. The privacy taxonomy could be used as a foundation for a privacy advisory system that analyses the relationships in the app ecosystem and warns users if an application about to be installed would “close” a transitivity loop and thereby enable a privacy breach, i.e. data shared with one party under one policy being passed on, through a chain of onward disclosures, to a party the user never consented to. Such an advisory system would have capabilities such as privacy policy auditing and reasoning to identify potential breaches, facilitating enforcement to address leakages and breaches.
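The transitive-sharing check such an advisory system would perform can be illustrated as a reachability computation over declared data exchanges. The following is an added example written for this page, not code from the thesis or from any existing advisory system: each app’s policy is reduced to (data category, recipient) edges drawn from the data exchanges area of the taxonomy, recipients may declare onward sharing of their own, and the check compares the transitive closure of the flow graph with and without the candidate app. All app, recipient and category names, the policies and the consent set are constructed sample data.

```python
"""
Added illustration (not from the thesis): a minimal privacy advisory check.

Each party's policy is reduced to declared data exchanges, i.e. edges
(data_category, recipient). Recipients such as ad networks or analytics
providers may declare onward sharing of their own, so the exposure created by
installing an app is the transitive closure of those edges, not just the app's
direct recipients. new_exposures() runs that closure with and without the
candidate app and flags every party that becomes reachable only because of the
install and that the user has not consented to for that data category.
All names and policies below are constructed sample data.
"""
from collections import deque

# Constructed sample policies: party -> list of (data_category, recipient).
POLICIES = {
    "weather_app":     [("location", "analytics_co")],
    "fitness_app":     [("location", "ad_network"), ("health", "analytics_co")],
    "ad_network":      [("location", "data_broker")],
    "analytics_co":    [("health", "insurer_partner")],
    "data_broker":     [("location", "insurer_partner")],
    "insurer_partner": [],
}

# Constructed consent: the user agreed to fitness_app's *direct* recipients only.
CONSENTED = {
    "location": {"analytics_co", "ad_network"},
    "health":   {"analytics_co"},
}


def reachable_recipients(policies, installed, category):
    """Breadth-first closure: every party that can end up holding `category`
    when the given apps are installed, mapped to one disclosure path.
    Only installed apps originate data; each recipient forwards it according
    to its own declared exchanges (a party with no policy entry is a sink)."""
    paths = {}
    queue = deque()
    for app in installed:
        for cat, recipient in policies.get(app, []):
            if cat == category and recipient not in paths:
                paths[recipient] = [app, recipient]
                queue.append(recipient)
    while queue:
        party = queue.popleft()
        for cat, recipient in policies.get(party, []):
            if cat == category and recipient not in paths:
                paths[recipient] = paths[party] + [recipient]
                queue.append(recipient)
    return paths


def new_exposures(policies, installed, candidate, consented):
    """Return {category: {recipient: path}} for recipients that become
    reachable only once `candidate` is installed and that are not in the
    user's consented set for that category. An empty dict means the install
    closes no new disclosure chain."""
    categories = {cat for edges in policies.values() for cat, _ in edges}
    report = {}
    for category in sorted(categories):
        before = reachable_recipients(policies, installed, category)
        after = reachable_recipients(policies, installed + [candidate], category)
        allowed = consented.get(category, set())
        flagged = {r: p for r, p in after.items()
                   if r not in before and r not in allowed}
        if flagged:
            report[category] = flagged
    return report


def format_warnings(report):
    """Render the report as one warning line per newly exposed recipient."""
    return [f"{cat}: reaches {recipient} via {' -> '.join(path)}"
            for cat, flagged in report.items()
            for recipient, path in flagged.items()]


if __name__ == "__main__":
    report = new_exposures(POLICIES, ["weather_app"], "fitness_app", CONSENTED)
    for line in format_warnings(report):
        print("WARNING", line)
```

In the sample, the user has consented to every party fitness_app names directly, yet installing it still exposes health data to insurer_partner through analytics_co and location data to data_broker and insurer_partner through ad_network. That is the gap a consent decision based only on an app’s own policy cannot see, and the reason the advisory check has to reason over the whole chain rather than over one policy at a time.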

REFERENCES

4iQ, 2018. Identities in the Wild: The Tsunami of Breached Identities Continues. [Online] Available at: https://4iq.com/introducing4iq-identity-breach-report-2018/ [Accessed 26 March 2019].

Abbasi, A., Sarker, S. & Chiang, R.H., 2016. Big Data Research in Information Systems: Toward an Inclusive Research Agenda. Journal of the Association for Information Systems, 17(2).

Abbas, A. & Khan, S., 2014. A Review on the State-of-the-Art Privacy-Preserving Approaches in the e-Health Clouds. IEEE Journal of Biomedical and Health Informatics, 18(4), pp.1431-41.

Ackerman, M., 2004. Privacy in pervasive environments: next generation labeling protocols. Personal and Ubiquitous Computing, 8(6), pp.430-39.

Acquisti, A., Friedman, A. & Telang, R., 2006. Is there a cost to privacy breaches? An event study. In Twenty Seventh International Conference on Information Systems., 2006.

Acquisti, A. & Grossklags, J., 2005. Privacy rationality in individual decision making. IEEE Security and Privacy , 3(1), pp.26-33.

Acquisti, A., Taylor, C.R. & Wagman, L., 2016. The economics of privacy. Journal of Economic Literature, 54(2), pp.442-92.

Adjerid, I., Peer, E. & Acquisti, A., 2018. Beyond the privacy paradox: Objective versus relative risk in privacy decision making. MIS Quarterly, 42(2), pp.465-88.

Aïmeur, E., Lawani, O. & Dalkir, K., 2016. When changing the look of privacy policies affects user trust: An experimental study. Computers in Human Behavior, 58, pp.368-79.

Akerlof, G.A., 1970. The market for ‘lemons’: Quality uncertainty and the market mechanism. Q. J. Econ, 84(3), pp.488–500.

Alge, B.J., Ballinger, G.A. & Oakley, J., 2006. Information privacy in organizations: Empowering creative and extrarole performance. Journal of applied psychology , 91(1), pp.221-32.

Alsenoy, B.V. et al., 2015. From social media service to advertising network: a critical analysis of facebook’s revised policies and terms. [Online] Available at: https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf [Accessed 28 March 2019].

Altman, I., 1975. The Environment and Social Behavior: Privacy, Personal Space, Territory. Monterey, CA: Brooks/Cole Publishing.

Anderson, B., 2013. Cygilant. [Online] Available at: https://blog.cygilant.com/blog/bid/313892/the-difference-between-data-privacy-and-data-security [Accessed 18 April 2018].

Angulo, J., Fischer-Hübner, S., Pulls, T. & König, U., 2011. HCI for Policy Display and Administration. In PrimeLife - Privacy and Identity Management for Life in Europe., 2011. Springer.

Angulo, J., Fischer-Hübner, S., Wästlund, E. & Pulls, T., 2012. Towards usable privacy policy display and management. Information Management & Computer Security, 20(1), pp.4-17.

Antón, A.I. & Earp, J.B., 2004. A requirements taxonomy for reducing Web site privacy vulnerabilities. Requirements Engineering, 9(3), pp.169-85.

Arthur, C., 2012. Google to pay record $22.5m fine to FTC over Safari tracking. [Online] Available at: https://www.theguardian.com/technology/2012/aug/09/google-record-fine-ftc-safari [Accessed 26 March 2019].

Ashley, P., Hada, S., Karjoth, G. & Schunter, M., 2002. E-P3P privacy policies and privacy authorization. In Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES '02. New York, 2002. ACM.

Askland, A., 2008. The governance of privacy: policy instruments in global perspective. Wiley Online Library.

Ayyagari, R., 2012. An Exploratory Analysis of Data Breaches From 2005-2011: Trends and Insights. Journal of Information Privacy & Security, 8(2), p.33.

Azraoui, M. et al., 2014. A-PPL: An accountability policy language. In DPM 2014, 9th International Workshop on Data Privacy Management. Warsaw, 2014.

Backes, M. et al., 2014. You can run but you can't read: Preventing disclosure exploits in executable code. In Conference on computer and communications security., 2014. ACM SIGSAC.

Bailey, K.D., 1994. Typologies and taxonomies: An introduction to classification techniques. Thousand Oaks, USA: Sage Publications.

Balsamiq, 2018. Balsamiq Cloud. [Online] Available at: https://balsamiq.com/ [Accessed 11 May 2018].

Bansal, G., Zahedi, F.M. & Gefen, D., 2016. Do context and personality matter? Trust and privacy concerns in disclosing private information online. Information & Management, 53(1), pp.1-21.

Bapna, R., Goes, P., Gupta, A. & Jin, Y., 2004. User heterogeneity and its impact on electronic auction market design: An empirical exploration. Mis Quarterly, pp.21-43.

Bargh, S., Eijk, R., Ebben, P. & Salden, H., 2003. Agent-Based Privacy Enforcement of Mobile Services. L’Aquila, Italy, 2003.

Barth, S. & Jong, M.D.T.d., 2017. The privacy paradox – Investigating discrepancies between expressed privacy concerns and actual online behavior – A systematic literature review. Telematics and Informatics, 34(7), pp.1038-58.

Bauer, M.W., 2000. Classical Content Analysis: A review. In Qualitative Researching with Text, Image handbook. Beverly Hills CA: Savage. pp.131-51.

Bazeley, P. & Richards, L., 2000. The NVivo qualitative project book. London: Sage.

Beckers, K., 2012. Comparing privacy requirements engineering approaches. Comparing privacy requirements engineering approaches. In Availability, Reliability and Security (ARES)., 2012.

Bélanger, F. & Crossler, R., 2011. Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly, 35(4), pp.1017-1042.

Bell, J., 2010. Doing Your Research Project: A Guide For First-time Researchers in Education and Social Science. 5th ed. Maidenhead: Open University Press.

Bell, E. & Bryman, A., 2006. The Ethics of Management Research: An Exploratory Content Analysis. Wiley Online Library.

Bennett, C., 1992. Regulating privacy: data protection and public policy in Europe and the United States. Ithaca NY: Cornell University Press.

Berendt, B., Gunther, O. & Spiekermann, S., 2005. Privacy in e-commerce: stated preferences vs actual behaviour. Communications of the ACM, 48(4), pp.101-06.

Beresford, A., Rice, A., Skehin, N. & Sohan, R., 2011. MockDroid: trading privacy for application functionality on smartphones. In 12th Workshop on Mobile Computing Systems and Applications (HotMobile)., 2011.

Bernal, P., 2014. Internet Privacy Rights : Rights to Protect Autonomy. Cambridge : Cambridge University Press.

Blessing, L.T.M. & Chakrabarti, A., 2009. DRM: A Design Research Methodology. London: Springer.

Botkin, K., 2018. 10 Factors That Affect Your Health Insurance Premium Costs. [Online] Available at: http://www.moneycrashers.com/factors-health-insurance-premium-costs/ [Accessed 10 May 2018].

Bouguettaya, A.R.A. & Eltoweissy, M.Y., 2003. Privacy on the Web: facts, challenges, and solutions. IEEE Security & Privacy Magazine, 99(6), pp.40-49.

Bowen, G.A., 2008. Naturalistic inquiry and the saturation concept: A research note. Qualitative Research , 8(1), pp.137-52.

Boyles, J., Smith, A. & Madden, M., 2012. Privacy and Data Management on Mobile Devices. [Online] Available at: https://www.pewinternet.org/2012/09/05/privacy-and-data-management-on-mobile-devices/ [Accessed 26 March 2019].

Britannica, 2019. Rights of privacy. [Online] Available at: https://www.britannica.com/topic/rights-of-privacy [Accessed 29 March 2019].

Brodie, C., Karat, C.-M., Karat, J. & Jinjua, F., 2005. Usable security and privacy: a case study of developing privacy management tools. In Symposium on usable privacy and security (SOUPS). Pittsburgh, 2005.

Budnitz, M.E., 1998. Privacy protection for consumer transactions in electronic commerce: why self-regulation is inadequate. South Carolina Law Review, 4, 49, pp.847 – 886.

Byrne, R. & Johnson-Laird, P., 1989. Spatial Reasoning. Journal of memory and language, 28, pp.564-75.

CalOPPA, 2014. California Online Privacy Protection Act. [Online] Available at: http://consumercal.org/about-cfc/cfc-education-foundation-2014/what-should-i-know-about-privacy-policies/california-online-privacy-protection-act-caloppa/.

Camp, L.J., 1999. Web security and privacy: An American Perspective. Information society, 15(4), pp.249-56.

Cannoosamy, K., Pugo-Gunsam, P. & Jeewon, R., 2014. Consumer Knowledge and Attitudes Toward Nutritional Labels. Journal of Nutrition Education and Behavior, 46(5), pp.34-40.

Cao, J. & Everard, A., 2008. User attitude towards instant messaging: The effect of espoused national cultural values on awareness and privacy. Journal of global information technology management, 11(2), pp.30-57.

Capistrano, E. & Chen, J., 2015. Information privacy policies: The effects of policy characteristics and online experience. Computer Standards & Interfaces, 42, pp.24-31.

Caudill, E.M. & Murphy, P.E., 2000. Consumer online privacy: legal and ethical issues. Journal of public policy and marketing, 19(1), pp.7-19.

CCP, 2011. Online personal data: the consumer perspective. [Online] Available at: https://www.communicationsconsumerpanel.org.uk/downloads/what-we-do/previous-projects/internet/online-personal-data/Online%20personal%20data%20final%20240511.pdf [Accessed 10 May 2008].

Cecere, G. & Rochelandet, F., 2013. Privacy intrusiveness and web audiences: empirical evidence. Telecommunications Policy, 37(2013), pp.1004-14.

Cellan-Jones, R., 2014. Social media told to simplify terms and conditions. [Online] Available at: http://www.bbc.co.uk/news/technology-30234789 [Accessed 27 January 2017].

Cespedes, F.V. & Smith, H.J., 1993. Database marketing: new rules for policy and practice. Sloan Management Review, 34, pp.7 – 22.

Chapman, M. & Anderson, M., 2018. Marriott security breach exposed data of up to 500M guests. [Online] Available at: https://www.apnews.com/d496fce7a77347d6aa058470d38a69bc [Accessed 25 March 2019].

Chellappa, R.K., 2008. Consumers' trust in electronic transactions: The role of perceived privacy and perceived security. unpublished manuscript, Emory University , Atlanta, GA.

Chellappa, R.K. & Sin, R., 2005. Personalization versus privacy: An empirical examination of online consumers' dilemma. Information Technology and Management, 6(2), pp.181-202.

Cheung, A., 2014. Location privacy: The challenges of mobile service devices. Computer Law & Security Review: The International Journal of Technology Law and Practice, 30(1), pp.41-54.

Christin, D., Reinhardt, A., Kanhere, S. & Hollick, M., 2011. A survey on privacy in mobile participatory sensing applications. Journal of Systems and Software, 84(11), pp.1928-46.

Christopher, Z. et al., 2010. Knowing your customers: Using a reciprocal relationship to enhance voluntary information disclosure. Decision Support Systems, 48(2), pp.395-406.

Costante, E., Sun, Y., Petković, M. & Den-Hartog, J., 2012. A machine learning solution to assess privacy policy completeness. In ACM workshop on privacy in the electronic society., 2012. WPES.

Cranor, L.F., 2012. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal on Telecommunications and High Technology Law, 10, p.273.

Cranor, L., Kelley, P.G., Cesca, L. & Bresee, J., 2010. Standardizing privacy notices: an online study of the nutrition label approach. In Human Factors in Computing Systems: Proceedings of the SIGCHI Conference., 2010. ACM.

Cranor, L., Langheinrich, M. & Marchiori, M., 2002. A P3P Preference Exchange Language 1.0 (APPEL 1.0), W3C Working Draft WD-P3P-preferences-20020415. World Wide Web Consortium, 2002.

Creswell, J., 2003. Research Design Qualitative, Quantitative, and mixed methods approach. 2nd ed. Thousand Oaks: Sage Publications.

Culnan, M.J., 1993. "How Did They Get My Name?": An Exploratory Investigation of Consumer Attitudes toward Secondary Information Use. MIS Quarterly, 17(3), pp.341-63.

Culnan, M., 2001. Protecting Privacy Online: Is Self-Regulation Working? Journal of Public Policy & Marketing, 19(1), pp.20-26.

Culnan, M.J. & Armstrong, P.K., 1999. Information privacy concerns, procedural fairness and impersonal trust: An empirical investigation. Organization science, 10(1), pp.104-15.

Pedersen, D.M., 1997. Psychological functions of privacy. Journal of Environmental Psychology, 17(2), pp.147-56.

Dayarathna, R., 2011. Taxonomy for Information Privacy Metrics. Journal of International Commercial Law and Technology, 6(4).

Demott, D., 2006. Breach of Fiduciary Duty: On Justifiable Expectations of Loyalty and Their Consequences. Arizona law review, 48, p.925.

Derby, B.M. & Levy, A.S., 2001. Do Food Labels Work? Gauging the Effectiveness of Food Labels. In P.N. Bloom & G.T. Gundlach, eds. Handbook of Marketing and Society. Thousand Oaks: Sage Publications, Inc. pp.372-98.

Devolder, P. et al., 2012. Framework for user acceptance: Clustering for fine-grained results. Information & Management, 49(5), pp.233–39.

Dezdar, S. & Sulaiman, A., 2009. Successful enterprise resource planning implementation: taxonomy of critical factors. Industrial Management & Data Systems, 8, pp.1037 - 1052.

Diener, E., Suh, E., Lucas, R. & Smith, H., 1999. Subjective Well-Being: Three Decades of Progress. Psychological Bulletin, 125(2), pp.276-302.

Dillon, T.W., Hamilton, A.J., Thomas, D.S. & Usry, M.L., 2008. The importance of communicating workplace privacy policies. Employee Responsibilities and Rights Journal, 20(2), pp.119-39.

Dinev, T., 2014. Why would we care about privacy? EJIS, 23(2), pp.97-102.

Dinev, T., Xu, H., Smith, J.H. & Hart, P., 2012. Information privacy and correlates: an empirical attempt to bridge and distinguish privacy-related concepts. European Journal of Information Systems, 22(3), p.295.

Dourish, P. & Anderson, K., 2006. Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena. Human–Computer Interaction, 21(3), pp.319-42.

Dunfee, T., Smith, C. & Ross, W.T., 1999. Social contracts and marketing ethics. J. Mark, 63(3), pp.14-32.

Earp, J.B., Vail, M. & Anton, A.I., 2007. Privacy policy representation in web-based healthcare. In 40th Annual Hawaii International Conference., 2007.

Eastlick, M., Lotz, S. & Warrington, P., 2006. Understanding online B-to-C relationships: an integrated model of privacy concerns, trust, and commitment. J Bus Res, 59(2006), pp.877–86.

EDPS, 2016. Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions. In European Commission., 2016.

Enck, W. et al., 2014. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. ACM Transactions on Computer Systems, 32(2).

Evalued, 2006. Questionnaires. [Online] Available at: http://www.evalued.bcu.ac.uk/tutorial/4a.htm [Accessed 22 February 2018].

FDA, 2015. OTC Drug Facts Label. [Online] Available at: http://www.fda.gov/Drugs/ResourcesForYou/Consumers/ucm143551.htm [Accessed 19 April 2018].

Felt, A.P. et al., 2011. A survey of mobile malware in the wild. SPSM.

Finley, K., 2012. Putting an end to the biggest lie on the Internet. TechCrunch. [Online] Available at: https://techcrunch.com/2012/08/13/putting-an-end-to-the-biggest-lie-on-the-internet/ [Accessed 26 March 2019].

Flavell, J.H., 1979. Metacognition and cognitive monitoring: A new area of cognitive– developmental inquiry. American Psychologist, 34(10), pp.906-11.

FTC, 2018. Federal Trade Commission Act. [Online] Available at: https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act [Accessed 5 March 2018].

GDPR, 2018. General Data Protection Regulation. [Online] Available at: https://www.eugdpr.org/ [Accessed 23 April 2018].

Gerlach, J., Widjaja, T. & Buxmann, P., 2015. Handle with care: How online social network providers’ privacy policies impact users’ information sharing behavior. The Journal of Strategic Information Systems., 24(1), pp.33-43.

Gernsbacher, M.A., Varner, K.R. & Faust, M.E., 1990. Investigating differences in general comprehension skill. Journal of Experimental Psychology: Learning, Memory, and Cognition, 16(3), pp.430-45.

Gill, J. & Johnson, P., 2002. Research Methods for Managers. 3rd ed. London.

Ginosar, A. & Arie, Y., 2017. An analytical framework for online privacy research: What is missing? Information & Management.

Graves, J., 2015. An Exploratory Study of Mobile Application Privacy Policies. Journal of Technology Science.

Gray, S.H., 1990. Using Protocol Analyses and Drawings to Study Mental Model Construction during Hypertext Navigation. International Journal of Human-Computer Interaction, 2, pp.359-77.

Greener, S., 2008. Business Research Methods. Ventus Publishing.

Green, T.R.G. & Petre, M., 1996. Usability Analysis of Visual Programming Environments: A ‘Cognitive Dimensions’ Framework. Journal of Visual Languages and Computing, 7(2), pp.131-74.

Gregor, S., 2006. The nature of theory in information systems. MIS quarterly, 30(3), pp.611 - 642.

Gregor, S. & Jones, D., 2007. The Anatomy of a Design Theory. Journal of the Association for Information Systems, 8(5), pp.312-35.

Guardian, 2018. Facebook market cap falls $109bn after growth shock. The Guardian. [Online] Available at: https://www.theguardian.com/technology/2018/jul/26/facebook-market-cap-falls-109bn-dollars-after-growth-shock [Accessed 8 March 2019].

Guest, G., Bunce, A. & Johnson, L., 2006. How many interviews are enough? An experiment with data saturation and variability. Field Methods, 18(1), pp.59-82.

Guha, S., Cheng, B. & Francis, P., 2011. Privad: Practical Privacy in Online Advertising. In NSDI, 2011.

Gurses, S., Rizk, R. & Gunther, O., 2008. Privacy Design in Online Social Networks:Learning from Privacy Breaches and Community Feedback. In International Conference on Information Systems. Paris, 2008. AIS Electronic Library.

Haas, P., Blohm, I. & Leimeister, J.M., 2014. An empirical taxonomy of crowdfunding intermediaries. In Thirty Fifth International Conference on Information Systems. Auckland, 2014.

Hann, I.H., Lee, S.Y.T. & Png, I.P.L., 2008. Overcoming online information privacy concerns: An information-processing theory approach. Journal of management information systems, 24(2), pp.13-42.

Ha, S. & Stoel, L., 2009. Consumer e-shopping acceptance: antecedents in a technology acceptance mode. Journal of Business Research, 62(5), pp.565–71.

Hattie, J., 2013. Calibration and confidence: Where to next? Learning and Instruction, 24, pp.62-66.

Henze, M. et al., 2016. A comprehensive approach to privacy in the cloud-based Internet of Things. Future Generation Computer Systems, 56(C), pp.701-18.

Heurix, J., Zimmermann, P., Neubauer, T. & Fenz, S., 2015. A taxonomy for privacy enhancing technologies. Computers and Security, 53, pp.1-17.

Hevner, A., March, S., Park, J. & Ram, S., 2004. Design Science in Information Systems Research. MIS Quarterly, pp.75-105.

Hill, K., 2012. Tech. [Online] Available at: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did. [Accessed 10 May 2018].

Ho, S.Y., 2012. The effects of location personalization on individuals’ intention to use mobile services. Decision Support Systems, 53(4), pp.802-12.

Ho, S.Y. & Chau, P.Y.K., 2013. The effects of location personalization on integrity trust and integrity distrust in mobile merchants. International Journal of Electronic Commerce, 17(4), pp.39-71.

Hofstede, G., 2001. Culture’s consequences: Comparing values, behaviors, institutions,and organizations across nations. Thousand Oaks, CA: Sage Publications.

Holtz, L.E., Zwingelberg, H. & Hansen, M., 2011. Privacy policy icons. Privacy and Identity Management for Life, pp.279-85.

Horst, R. & Webber, M., 1973. Dilemmas in a General Theory of Planning. Policy Sciences, 4, pp.155-69.

Howland, D., 2015. Target reaches $39.4 M settlement with banks over massive breach. [Online] Available at: https://www.retaildive.com/news/target-reaches-394m-settlement-with-banks-over-massive-breach/410208/ [Accessed 26 March 2019].

Hui, K.-L. & Png, I.P.L., 2006. The Economics of Privacy. In Handbook of Information. Singapore: Elsevier. p.471.

IAPP, 2015. What does privacy mean? [Online] Available at: https://privacyassociation.org/about/what-is-privacy. [Accessed 26 March 2015].

IBM, 2010. Ibm research tokyo. [Online].

ICO, 2018. ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information. [Online] Available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/facebook-issued-with-maximum-500-000-fine/ [Accessed 26 March 2019].

Iivari, J., 2009. Action research and design science research - Seemingly similar but decisively dissimilar. In European Conference on Information Systems., 2009. AISeL.

Isaak, J. & Hanna, M., 2018. User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection. IEEE Computer Society, pp.56-59.


Jacoby, J.L., 1977. Information Load and consumer decision quality: some contested issues. Journal of Marketing, 14(4), pp.569-73.

Jaferian, P., Rashtian, H. & Beznosov, K., 2014. To Authorize or Not Authorize: Helping Users Review Access Policies in Organizations. In Symposium on Usable Privacy and Security. CA, 2014. Usenix.

James, B., John, P. & Richard, S., 1986. Cognitive considerations in designing effective labels for presenting risk information. Journal of Public Policy & Marketing, 5(1).

Jensen, C., Potts, C. & Jensen, C., 2005. Privacy Practices of Internet Users: Self-Report Versus Observed Behavior. International Journal of Human Computer Studies, 63(1-2), pp.203-227.

Jentzsch, N., 2001. The Economics and Regulation of Financial Privacy: A Comparative Analysis of the United States and Europe. [Online] Available at: http://userpage.fu-berlin.de/jentzsch/privacypaper.pdf [Accessed 27 March 2019].

Jentzsch, N., Preibusch, S. & Harasser, A., 2012. Study on monetising privacy: An economic model for pricing personal information. In ENISA., 2012.

Jiang, Z., Heng, C. & Choi, B., 2013. Privacy Concerns and Privacy-Protective Behavior. Information Systems Research, 24(3), pp.579–95.

Jin-Park, Y. & Mo-Jang, 2014. Understanding privacy knowledge and skill in mobile communication. Computers in Human Behavior, 38, pp.296-303.

Johnson, M., 2012. Toward Usable Access Control for End-users: A Case Study of Facebook Privacy Settings. [Online] Available at: https://www.cs.columbia.edu/~smb/student_theses/maritza-johnson.pdf [Accessed 27 March 2019].

Johnson, M., Karat, J., Karat, C.-M. & Grueneberg, K., 2010. Optimizing a policy authoring framework for security and privacy policies., 2010. SOUPS.

Johnson, B. & Turner, L., 2003. Data collection strategies in mixed methods research. Thousand Oaks: SAGE.

Karwatzki, S., Dytynko, O., Trenz, M. & Veit, D., 2017. Beyond the Personalization–Privacy Paradox: Privacy Valuation, Transparency Features, and Service Personalization. Journal of Management Information Systems, 34(2), pp.369-400.

Kasem-Madani, S. & Meier, M., 2015. Security and Privacy Policy Languages: A Survey, Categorization and Gap Identi.

Kelley, P., Bresee, L.C.J. & Cranor, L., 2010. Standardizing privacy notices: An online study of the nutrition label approach. In SIGCHI Conference on Human Factors in Computing Systems., 2010. ACM.


Kerr, C., Nixon, A. & Wild, D., 2010. Assessing and demonstrating data saturation in qualitative inquiry supporting patient-reported outcomes research. Expert Review of Pharmacoeconomics & Outcomes Research, 10(3), pp.269-81.

Klitou, D., 2014. Privacy-Invading Technologies and Privacy by Design. Information Technology and Law Series.

Klopfer, P.H. & Rubenstein, D.I., 1977. The concept privacy and its biological basis. Journal of social issues, 33(3), pp.52-65.

Knijnenburg, P., 2017. Privacy? I Can’t Even! Making a Case for User- Tailored Privacy. IEEE Security & Privacy, 15(4), pp.62-67.

Kobsa, A. & Schreck, J., 2003. Privacy through pseudonymity in user-adaptive systems. ACM transactions on internet technology, 3, pp.149-83.

Kokolakis, S., 2017. Privacy attitudes and privacy behaviour: A review of current research on the privacy paradox phenomenon. Computers & Security, 64, pp.122-34.

Krishnamurthy, B. & Wills, C., 2010. On the Leakage of Personally Identifiable Information Via Online Social Networks. ACM SIGCOMM Computer Communication Review, 40.

Kumaraguru, P., Cranor, L., Lobo, J. & Calo, S., 2007. A survey of privacy policy languages. In SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security. New York, 2007.

Kununka, S., Mehandjiev, N. & Sampaio, P., 2018. A Comparative Study of Android and iOS Mobile Applications’ Data Handling Practices versus Compliance to Privacy Policy. Ispra, 2018. Springer.

Kununka, S., Mehandjiev, N., Sampaio, P. & Vassilopoulou, K., 2017. End User Comprehension of Privacy Policy. In International Symposium on End User Development. Eindhoven, 2017. Lecture Notes in Computer Science.

Land, L., Smith, S. & Pang, V., 2013. Building a Taxonomy for Cybercrimes. In Pacific Asia Conference on Information Systems, 2013.

Langheinrich, M., 2001. Privacy by design - Principles of privacy-aware ubiquitous systems. In Ubicomp 2001: Ubiquitous Computing., 2001. Springer Berlin Heidelberg.

Larsen, K., 2003. A taxonomy of antecedents of information systems success: variable analysis studies. Journal of Management Information Systems, 20(2), pp.169-246.

Laufer, R. & Wolfe, M., 1977. Privacy as a Concept and a Social Issue: A Multidimensional Developmental Theory. Journal of Social Issues, 33(3), pp.22-42.

Lee, A.S., 2001. Editor's Comments. MIS Quarterly, 25(1), pp.iii-vii.

Leif-Erik, H., Zwingelberg, H. & Hansen, M., 2011. Privacy policy icons. Privacy and Identity Management for Life, pp.279-85.

Leon, P.G. et al., 2013. What matters to users?: Factors that affect users’ willingness to share information with online advertisers. In symposium on usable privacy and security., 2013. SOUPS.

Li, Y., 2011. Empirical studies on online information privacy concerns: Literature review and an integrative framework. Communications of the Association for Information Systems, 28(28), pp.453-96.

Lin, J. et al., 2012. Expectation and purpose:understanding users’ mental models of mobile app privacy through crowdsourcing., 2012. ACM UbiComp.

Li, Y. et al., 2012. Online Privacy Policy of the Thirty Dow Jones Corporations: Compliance with FTC Fair Information Practice Principles and Readability Assessment. [Online] Available at: http://scholarworks.lib.csusb.edu/ciima/vol12/iss3/5/ [Accessed 6 April 2018].

Liu, C. & Arnett, K., 2002. An Examination of Privacy Policies in Fortune 500 Web Sites. American Journal of Business, 17(1).

Li, T. & Unger, T., 2012. Willing to pay for quality personalization? Trade-off between quality and privacy. European Journal of Information Systems, 21(6), pp.621-42.

Long, C., 2016. Lack of consumer trust in apps hindering mobile ecosystem. [Online] Available at: Lack of consumer trust in apps hindering mobile ecosystem [Accessed 10 May 2018].

Lowry, P., Dinev, T. & Willison, R., 2017. Why Security and Privacy Research Lies at the Centre of the Information Systems (IS) Artefact: Proposing A Bold Research Agenda. European Journal of Information Systems, 26(6), pp.546-63.

Lu, Y., Tan, B. & Hui, K.-L., 2004. Inducing Customers to Disclose Personal Information to Internet Businesses with Social Adjustment Benefits. In ICIS., 2004. Association for information systems.

Malhotra, N.K., 1982. Information load and consumer decision making. Journal of Consumer Research, 8(4), pp.419-430.

Malhotra, N.K., Kim, S.S. & Agarwal, J., 2004. Internet users' information privacy concerns (IUIPC). Information Systems Research, 15(4), pp.336-55.

Mamonov, S. & Benbunan-Fich, R., 2015. An empirical investigation of privacy breach perceptions among smartphone application users. Computers in Human Behavior, 49(2015), pp.427–36.

March, S. & Smith, G., 1995. Design and natural science research on information technology. Decision Support Systems, 15(4), pp.251-66.

Margulis, S., 1977a. Conceptions of Privacy: Current Status and Next Steps. Journal of Social Issues, 33(3), pp.5-21.

Margulis, S., 1977b. Privacy as a Behavioral Phenomenon - Introduction. Journal of Social Issues, 33(3), pp.1-4.

Markus, L., Majchrzak, A. & Gasser, L., 2002. A Design Theory for Systems that Support Emergent Knowledge Processes. MIS Quarterly, pp.179-212.

Mayer, J.R. & Mitchell, J.C., 2012. Third-party web tracking: Policy and technology. In 2012 IEEE Symposium on Security and Privacy., 2012.

McCullagh, D. & Tam, D., 2012. Instagram apologizes to users: We won't sell your photos. [Online] Available at: https://www.cnet.com/news/instagram-apologizes-to-users-we-wont-sell-your-photos/ [Accessed 4 March 2019].

McDonald, A.M. & Cranor, L.F., 2008. The cost of reading privacy policies., 2008. ISJLP.

McKinney, E.H. & Yoos, C.J., 2010. Information about information: A taxonomy of views. MIS quarterly, pp.329-44.

McKnight, D., Choudhury, V. & Kacmar, C., 2002. The impact of initial consumer trust on intentions to transact with a web site: a trust building model. J Strateg Inf Syst, 11(3/4).

Meijer, K., Frasincar, F. & Hogenboom, F., 2014. A semantic approach for extracting domain taxonomies from text. Decision Support Systems, 62, pp.78–93.

Milberg, S., Smith, H. & Burke, S., 2000. Information privacy: Corporate management and national regulation. Organization Science, 11(1), pp.35-57.

Milne, G. & Culnan, M., 2004. Strategies for reducing online privacy risks: Why consumers read (or don't read) online privacy notices. Journal of interactive marketing banner, 18(3), pp.15-29.

Miyazaki, A. & Krishnamurthy, S., 2002. Internet seals of approval: Effects on online privacy policies and consumer perceptions. Journal of Consumer Affairs, 36(1), pp.28-49.

Moll, R., Pieschl, S. & Bromme, R., 2014. Competent or clueless? Users’ knowledge and misconceptions about their online privacy management. Computers in Human Behavior, 41, pp.212-19.

Montjoye, Y., Radaelli, L., Singh, V. & P, A., 2015. Unique in the shopping mall: On the reidentifiability of credit card metadata. Science, 347(6221), pp.536-39.

Morgan, R. & Hunt, S., 1994. The commitment–trust theory of relationship marketing. J Market, 58(3), pp.20–38.


Mozilla, 2015. Lightbeam for Firefox. [Online] Available at: https://www.mozilla.org/en-GB/lightbeam/ [Accessed 28 October 2015].

Mrosek, R., Dehling, T. & Sunyaev, A., 2015. Taxonomy of health IT and medication adherence. Health Policy and Technology, 4(3), pp.215-24.

Muhammad, A., Sylvain, S. & Denis, O., 2010. Can the Media Richness of a Privacy Disclosure Enhance Outcome? A Multifaceted View of Trust in Rich Media Environments. International Journal of Electronic Commerce, 14(4), pp.103-26.

Naoum, S., 2007. Dissertation research and writing for construction students. 2nd ed. Routledge: Butterworth-Heinemann.

Nauman, M., Khan, S. & Zhang, X., 2010. Apex: extending android permission model and enforcement with user-defined runtime constraints. In ASIACCS ’10. NY, USA, 2010. ACM.

Nehf, J.P., 2007. Shopping for Privacy on the Internet. Journal of Consumer Affairs, 41(2), pp.351-75.

Nelson, T., 1990. Metamemory: A Theoretical Framework and New Findings. Psychology of Learning and Motivation, 26, pp.125-73.

Nickerson, R.C., Varshney, U. & Muntermann, J., 2013. A method for taxonomy development and its application in information systems. European Journal of Information Systems, 22(3), pp.336-59.

Nissenbaum, H., 2011. A Contextual Approach to Privacy Online. Daedalus, 140(4), pp.32-48.

Norberg, P.A. & Horne, D.R., 2007. Privacy Attitudes and Privacy- Related Behavior. Psychology & Marketing, 24(10), pp.829-47.

Noushin, A. & Jean-Pierre, K., 2005. Online Privacy Policies: An Empirical Perspective on Self- Regulatory Practices. Journal of Electronic Commerce in Organizations, 3(4), pp.61-74.

Ntantogian, C., Apostolopoulos, D., Marinakis, G. & Xenakis, C., 2015. Evaluating the privacy of Android mobile applications under forensic analysis. Computers & Security, 42(66-76).

O’Donoghue, T. & Rabin, M., 2001. Self Awareness and Self Control. In Loewenstein, G., Read, D. & Baumeister, R., eds. Economic and Psychological Perspectives on Intertemporal Choice. Russell Sage Foundation Press.

O’Reilly, M. & Parker, N., 2013. Unsatisfactory saturation: A critical exploration of the notion of saturated sample sizes in qualitative research. Qualitative Research, 13(2), pp.190-97.

OAG, 2013. Privacy on the go. [Online] Available at: http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf [Accessed 19 April 2018].

OAG, 2014. Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy. [Online] Available at: https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

Oates, B., 2006. Researching information systems and computing. London: SAGE Publications.

O'Connor, K., Schmidt, G. & Drouin, M., 2016. Suspended because of social media? Students' knowledge and opinions of university social media policies and practices. Computers in Human Behavior, 65, p.619.

OECD, 2015. Data-Driven Innovation: Big Data for Growth and Well-Being. Paris.

Olson, G.J., Duffy, S.A. & Mack, R.L., 1984. Thinking-out-loud as a method for studying real time comprehension processes. In Kieras, D.E. & Just, M.A., eds. New methods in reading comprehension research. Hillsdale, NJ: Erlbaum. pp.253-86.

Orlikowski, W.J. & Iacono, C.S., 2001. Research Commentary: Desperately Seeking the "IT" in IT Research - A Call to Theorizing the IT Artifact. Information Systems Research, 12(2), pp.121-34.

P3P, 2007. Platform for privacy preferences. [Online] Available at: https://www.w3.org/P3P/ [Accessed 6 January 2017].

Papanikolaou, N., Creese, S. & Goldsmith, M., 2012. Refinement checking for privacy policies. Science of Computer Programming, pp.1198-209.

Park, Y.-J., 2013. Digital Literacy and Privacy Behavior Online. Communication Research, 40(2), pp.215-36.

Park, Y.K., 2014. Understanding privacy knowledge and skill in mobile communication. Computers in Human Behavior, 38, pp.296-303.

Pavlou, P., 2003. Consumer Acceptance of Electronic Commerce: Integrating Trust and Risk with the Technology Acceptance Model. International Journal of Electronic Commerce, 59(4), pp.69-103.

Payne, S., 2003. Users' mental models: The very ideas. In Carroll, J.M. HCI models, theories, and frameworks: Toward a multidisciplinary science (1st ed). San Francisco: Morgan Kaufmann. pp.135–56.

Peter, J.P. & Tarpley, L.X., 1975. A comparative analysis of three consumer decision strategies. Journal of Consumer Research, 2, pp.29‐37.


Petronio, S., 1991. Communication Boundary Management: A Theoretical Model of Managing Disclosure of Private Information Between Marital Couples. Communication Theory, 1(4), pp.311–35.

Ponemon, L., 2005. What does a data breach cost companies? [Online].

Porter, M., 2000. High Beam Research. [Online] Available at: http://www.highbeam.com/doc/1G1-69240565.html [Accessed 19 April 2018].

Post, R.C., 2000. Three concepts of privacy. Georgetown law journal, 89, pp.2087-98.

Prat, N., Comyn-Wattiau, I. & Akoka, J., 2015. A taxonomy of evaluation methods for information systems artifacts. Journal of Management Information Systems, 32(3), pp.229-67.

Pressley, M. & Afflerbach, P., 1995. Verbal protocols of reading: The nature of constructively responsive reading. Hillsdale, NJ: Erlbaum.

Pries-Heje, J., 2008. Strategies for Design Science Research Evaluation. In European Conference on Information Systems., 2008. AIS Electronic Library (AISeL).

Qian, H. & Scott, C., 2007. Anonymity and self-disclosure on weblogs. Journal of computer mediated communication, 12(4), pp.1428–51.

QSR, 2017. What is NVivo? [Online] Available at: http://www.qsrinternational.com/what-is-nvivo [Accessed 31 July 2017].

Qualtrics, 2017. Welcome to the qualtrics experience management platform. [Online] Available at: https://www.qualtrics.com/ [Accessed 15 March 2017].

Quercia, D. et al., 2011. Spotme if you can: Randomized responses for location obfuscation on mobile phones. In ICDCS’11. Los Alamitos, CA, USA, 2011.

Raab, C.D. & Bennett, C.J., 1998. The distribution of privacy risks: Who needs protection? Information society , 14(4), pp.263-74.

Ravenswood, K., 2011. Eisenhardt's impact on theory in case study research. Journal of Business Research , pp.680-86.

Reddy, K. & Venter, H.-S., 2010. Information Privacy in Two Dimensions - Towards a Classification Scheme for Information Privacy Research. In Second International Conference on Social Computing., 2010. IEEE.

Reidenberg, J. et al., 2015. Disagreeable Privacy Policies: Mismatches between Meaning and Users' Understanding. Berkeley Technology Law Journal, 30(1), p.39.

Rensel, A.D., Abbas, J.M. & Rao, H.R., 2006. Private transactions in public places: An exploration of the impact of the computer environment on public transactional website use. Journal of the Association for Information Systems, 7(1), pp.19-50.

Nunamaker, J., Chen, M. & Purdin, T., 1990. Systems Development in Information Systems Research. Journal of Management Information Systems, 7(3), pp.89-106.

Ricarda, M., Stephanie, P. & Rainer, B., 2014. Competent or clueless? Users’ knowledge and misconceptions about their online privacy management. Computers in Human Behavior, 41, pp.212-19.

Rifon, N.J., LaRose, R. & Choi, S.M., 2003. Your privacy is sealed: Effects of web privacy seals on trust and personal disclosures. Journal of consumer affairs, 39(2), pp.339-62.

Riley, M., Elgin, B., Lawrence, D. & Matlack, C., 2014. Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. [Online] Available at: https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data [Accessed 26 March 2019].

Rindfleisch, T.C., 1997. Privacy, information technology and health care. Communications of the ACM, 40(8), pp.92-100.

Rittel, J. & Webber, M., 1984. Planning Problems Are Wicked Problems. In Developments in Design Methodology. New York: John Wiley & Sons.

Rivard, S. & Lapointe, L., 2012. Information technology implementers' responses to user resistance: nature and effects. MIS quarterly, 36(3), pp.897-920.

Robol, M., Salnitri, M. & Giorgini, P., 2016. privacyTracker: A Privacy-by-Design GDPR-Compliant Framework with Verifiable Data Traceability Controls. In ICWE 2016 Workshops, 2016. Springer.

Roe, B.E. & Just, D.R., 2009. Internal and external validity in economics research: Tradeoffs between experiments, field experiments, natural experiments, and field data. American Journal of Agricultural Economics, 91(5), pp.1266-71.

Romanosky, S., Telang, R. & Acquisti, A., 2011. Do Data Breach Disclosure Laws Reduce Identity Theft? Journal of Policy Analysis and Management, 30(2), pp.256-86.

Sadeh, N. et al., 2009. Understanding and capturing people’s privacy policies in a mobile social networking application. Personal and Ubiquitous Computing, pp.401-12.

Schaub, F., Balebako, R., Durity, A.L. & Cranor, L.F., 2015. A design space for effective privacy notices. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015)., 2015. USENIX Association.


Schneider, S., Lansing, J., Gao, F. & Sunyaev, A., 2014. A taxonomic perspective on certification schemes: development of a taxonomy for cloud service certification criteria. In System Sciences (HICSS), 2014 47th Hawaii International Conference., 2014. IEEE.

Schoeman, F.D., 1984. Philosophical dimensions of privacy: An anthology. Cambridge, UK: Cambridge university.

Schoenbachler, D. & Gordon, G., 2002. Multi‐channel shopping: understanding what drives channel choice. Journal of Consumer Marketing, 19(1), pp.42-53.

Schulzrinne, H., 2018. A Document Format for Expressing Privacy Preferences. [Online] Available at: https://tools.ietf.org/html/rfc4745 [Accessed April 2018].

Schwartz, P. & Solove, D., 2011. PII Problem: Privacy and a New Concept of Personally Identifiable Information. NYUL Rev, 86(1814).

Sedlmayr, B., Schoffler, J., Prokosch, H.-U. & Sedlmayr, M., 2018. User-centered design of a mobile medication management. Informatics for Health and Social Care, pp.1-12.

Selvadurai, N., 2013. Protecting online information privacy in a converged digital environment – the merits of the new Australian privacy principles. Information & Communications Technology Law, 22(3), pp.299-314.

Sen, S. et al., 2014. Bootstrapping privacy compliance in big data systems. In IEEE Symposium on Security and Privacy., 2014.

Sharp, H., Rogers, Y. & Preece, J., 2006. : beyond human-computer interaction. 2nd ed. West Sussex: John Wiley & Sons.

Sheehan, K.B. & Hoy, M.G., 1999. Flaming, complaining, abstaining: How online users respond to privacy concerns. Journal of Advertising, 28(3), pp.37-51.

Shklovski, I., Mainwaring, S., Skúladóttir, H. & Borgthorsson, H., 2014. Leakiness and creepiness in app space: perceptions of privacy and mobile app use. In SIGCHI Conference on Human Factors in Computing Systems., 2014.

Silic, M., Back, A. & Silic, D., 2015. Taxonomy of technological risks of open source software in the enterprise adoption context. Information & Computer Security, 23(5), pp.570-83.

Simon, H.A., 1996. The Sciences of the Artificial. MA: MIT Press.

Simpson, G.-G., 1961. Principles of animal taxonomy. New York: Colombia University Press.

Singh, R., Sumeeth, M. & Miller, J., 2011. A user-centric evaluation of the readability of privacy policies in popular web sites. Information Systems Frontiers, 13, pp.501–14.

Sismeiro, C. & Bucklin, R., 2004. Modeling purchase behavior at an e-commerce web site: A task-completion approach. Journal of marketing research, 41(3).

Skinner, G., Han, S. & Chang, E., 2006. An information privacy taxonomy for collaborative environments. Information Management & Computer Security, 14(4), pp.382-94.

Smith, J., 1993. Privacy policies and practices: Inside the organization maze. Communications of the ACM, 36(12), pp.104-22.

Smith, H.J., 2001. Information privacy and marketing: What the US should (and shouldn't) learn from Europe. California Management Review, 43(2), pp.8-33.

Smith, H.J., 2004. Information Privacy and its Management. MIS Quarterly, 3(4), pp.201-13.

Smith, H.H., Dinev, T., Xu, H. & Dinev, T., 2011. Information privacy research: an interdisciplinary review. MIS quarterly, 35(4), pp.989-1016.

Smith, H., Milberg, S. & Burke, S., 1996. Information privacy: Measuring individuals' concerns about organizational practices. MIS Quarterly, 20(2), p.167.

Sneath, P.-H. & Sokal, R.-R., 1975. Numerical taxonomy: The principles and practice of numerical classification. Systematic Zoology, 24(2), pp.263-68.

Solove, D.J., 2006. Taxonomy of Privacy. University of Pennsylvania Law Review, 154(3), pp.477-560.

Someren, M., Barnard, Y. & Sandberg, J., 1995. The think aloud method: A practical guide to modelling cognitive processes. Information Processing and Management, 31(6), pp.906-07.

Son, J.Y. & Kim, S.S., 2008. Internet users' information privacy-protective responses: A taxonomy and a nomological model. Mis Quarterly, pp.503-29.

Sourcedna, 2015. iOS Apps Caught Using Private APIs. [Online] Available at: http://thehackernews.com/2015/10/apple-ios-malware-apps.html [Accessed 23 May 2016].

Spiekermann, S., Acquisti, A., Böhme, R. & Hui, K.L., 2015. The challenges of personal data markets and privacy. Electronic Markets, 25(2), pp.161-67.

Stanislav, M. & Raquel, B.-F., 2015. An empirical investigation of privacy breach perceptions among smartphone application user. Computers in Human Behavior, 49, pp.427-36.

Steinfeld, N., 2016. "I agree to the terms and conditions": (How) do users read privacy policies online? An eye-tracking experiment. Computers in Human Behavior, 55, pp.992-1000.

Steinke, G., 2002. Data privacy approaches from US and EU perspectives. Telematics and Informatics, 19(2), pp.193-200.


Strode, D.E., 2016. A dependency taxonomy for agile software development projects. Information Systems Frontiers, 18(1), pp.23-46.

Sumeeth, M., Singh, R., Miller, J. & Sumeeth, M., 2010. Are Online Privacy Policies Readable? International Journal of Information Security and Privacy, 4(1), pp.93-116.

Tallon, P., Wixom, B. & Buff, A., 2015. Partnering for Data Monetization Success. Business Intelligence Journal, 20(3), pp.28-33.

Taylor, H. & Tversky, B., 1992. Spatial Mental Models Derived from Survey and Route Descriptions. Journal of memory and language, 31, pp.261-91.

TC, 2006. Oasis web services security (wss). [Online].

Thiesse, F., 2007. RFID, privacy and the perception of risk: A strategic framework. The Journal of Strategic Information Systems, 16(2), pp.214-32.

Thomas, K. et al., 2017. Data breaches, phishing, or malware?: Understanding the risks of stolen credentials. In CCS. Texas, 2017.

Thurm, S. & Kane, Y., 2010. Wall Street Journal. [Online] Available at: http://online.wsj.com/news/articles/SB10001424052748704694004576020083703574602?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052748704694004576020083703574602.html.

Vaishnavi, V. & Kuechler, W., 2004. Design Research in Information Systems. Association for Information Systems, Available at: http://www.citeulike.org/group/4795/article/6505471.

Vaishnavi, V. & Kuechler, W., 2005. Design research in information systems. Association for Information Systems, Available at: www.isworld.org/Researchdesign/drisISworld.htm.

Vaishnavi, V. & Kuechler, B., 2011. Promoting Relevance in IS Research: An Informing System for Design Science Research. the International Journal of an Emerging Transdiscipline, 14.

Wald, M.L., 2004. U.S. Wants Air Traveler Files for Security Test. [Online] Available at: Threats and responses: The airlines, U.S. wants all air traveler files for security test [Accessed 27 March 2019].

Walker, J.L., 2012. Research column. The use of saturation in qualitative research. Canadian Journal of Cardiovascular Nursing, 22(2), pp.37-46.

Walliman, N., 2006. Social research methods. London: Sage Publications.

Warren, S. & Brandeis, L., 1890. The right to privacy. Harvard Business Review, 4(5), pp.193-220.

WEF, 2013. Unlocking the value of personal data: From collection to usage., 2013. World Economic Forum.

Weinstein, W.L., 1971. The Private and the Free: A Conceptual Inquiry. In Pennock, J.R. & Chapman, J.W., eds. Privacy and Personality. New York: Atherton Press. pp.624-92.

Wesson, J.L., Akash, S. & Tonder, B.v., 2010. Can Adaptive Interfaces Improve the Usability of Mobile Applications? Brisbane, 2010. Human-Computer Interaction.

Westin, A., 1967. The right to privacy. New York : Athenaeum.

Wetherall, D. et al., 2011. Privacy revelations for web and mobile apps. Proc, HotOS XIII.

WHO, 2018. eHealth. [Online] Available at: http://www.who.int/ehealth/programmes/governance/en/ [Accessed 10 May 2018].

Wicker, S., 2012. The loss of location privacy in the cellular age. Communications of the ACM, 8.

Wieringa, R., 2010. Relevance and problem choice in design science. In Global Perspectives on Design Science Research (DESRIST). Heidelberg, 2010. Springer.

Wieringa, R., 2014. Design Science Methodology. Heidelberg: Springer.

Williams, K., Chatterjee, S. & Rossi, M., 2008. Design of emerging digital services: a taxonomy. European Journal of Information Systems, 17(5), pp.505-17.

Wu, J.J., Chen, Y.H. & Chung, Y.S., 2010. Trust factors influencing virtual community members: A study of transaction communities. Journal of Business Research, 63(9), pp.1025-32.

Xu, H., Teo, H.H. & Tan, B.C.Y., 2005. Predicting the adoption of location based services: the roles of trust and privacy risk. In Avison, D., Galletta, D.F. & DeGross, J.I., eds. International Conference on Information Systems. Las Vegas, 2005.

Xu, H., Teo, H., Tan, B. & Agarwal, R., 2010. The role of push-pull technology in privacy calculus: the case of location-based services. Journal of Management Information Systems, 26(3), pp.137-76.

Yee, G., Korba, L. & Song, R., 2006. Legislative bases for personal privacy policy specification. In G. Yee, ed. Privacy protection for E-services. Idea Group Inc. pp.281-94.

Youssef, M., Atluri, V. & Adam, R., 2005. Preserving Mobile Customer Privacy: An Access Control System for Moving Objects and Customer Profiles, 2005.

Yu, J. & Buyya, R., 2005. A Taxonomy of Workflow Management Systems for Grid Computing. Journal of Grid Computing, 3(3/4), pp.171-200.

Zang, J. et al., 2015. Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps. Technology Science.


Zhou, Y., Zhang, X., Jiang, X. & Freeh, V., 2011. Taming information-stealing smartphone applications (on Android). [Online] Available at: http://dl.acm.org/citation.cfm?id=2022245.2022255 [Accessed 19 April 2018].

Zhulei, T., Yu, H. & Michael, S., 2008. Gaining Trust Through Online Privacy Protection: Self- Regulation, Mandatory Standards, or Caveat Emptor. Journal of Management Information Systems, 24(4), pp.153-73.

Ziegeldorf, J.-H., Viol, N., Henze, M. & Wehrle, K., 2014. Privacy-preserving Indoor Localization. In Conference on security and privacy in wireless and mobile networks., 2014. ACM.


APPENDICES

Appendix A: Research ethics approval

Manchester Business School

Application for Research Ethics Approval

When completed this form should be returned to the PGR Office.

The form should preferably be typed, where handwritten please use BLOCK CAPITALS.

Surname:
Student Number:
Forename(s):
Programme:

Thesis title: Privacy by design: A framework for digital privacy policy modeling

The following should be addressed, where applicable, when explaining how you will address any ethical issues arising from your doctoral work. All questions must be answered. ‘Not applicable (N/A)’ is a satisfactory answer where appropriate.

1. Brief description of the research project including the main research aims and objectives including research questions and why it is important.

Mobile applications’ privacy policies are often developed from the perspective of protecting the service providers, while little consideration is given to users’ views. The research will involve two phases: the first seeks to establish user views on the artefact (privacy policy representation), and the second is a summative study of the work conducted through this PhD research.

2. Does the research involve any of the following? (Yes / No)

- use of questionnaires designed by the researcher
- use of standard survey instrument
- use of on-line surveys
- use of interviews
- use of focus groups
- audio-taping participants or events
- video-taping participants or events
- research about participants involved in illegal activities
- access to personal and/or confidential data without the participant’s specific consent
- administration of any stimuli, tasks, investigations or procedures which may be experienced by participants as physically or mentally painful, stressful or unpleasant during or after the research
- observation of participants without their knowledge

3. Provide a summary of the design and methodology of the project, including the methods of data collection and the methods of data analysis.

The exercise will involve primary data collection through a questionnaire administered to 150 participants. Participants’ ages will range from 18 years and above. The exercise will take 45 minutes. Data capture during the questionnaire will involve participants indicating their preferred policy representation, using think-aloud user testing.

4. Describe the research procedures e.g. how relevant research participants are identified, recruited and the organisation of the field research.

The research will use participants from the University of Manchester, both students and staff, that use mobile applications. Mobile apps are most popular among young people and thus the university provides a good sample space. Participants will be invited through email, by posting invitation notices around the Alliance Manchester Business School and online through Mechanical Turk.

5. What, in your opinion, are the ethical considerations involved in this research e.g. risk to participants and researchers (physical or psychological), issues that might be sensitive, embarrassing or upsetting etc.? Describe precautions to minimise or mitigate the risks and issues identified above.

The data provided by the participants will remain fully anonymous as the questionnaires will not capture their names or identity. As a result there will be no way of linking the information provided to the participants. Further, there is no risk (physical or psychological) to anyone involved in the research.

6. Will the research specifically target: (Yes / No)

- students or staff of this University
- adults (over the age of 18 and able to give informed consent)
- children (anyone under the age of 18)
- the elderly
- people from non-English speaking backgrounds
- anyone intellectually or mentally impaired who can’t provide consent
- anyone who has a physical disability
- patients or clients of professionals
- anyone who is a prisoner or parolee
- any other person whose capacity to give informed consent may be compromised
- observation of participants without their knowledge


Please note that you may also need to obtain satisfactory CRB clearance (or equivalent for overseas students).

7. Will payment or any other incentive be made to any research participant? If so please specify and state the level of payment to be made and/or the source of the funds/gift/free service to be used. Please explain the justification for offering payment or other incentive.

Participants will receive up to £10 as an incentive for the 45 minutes required for the research. This is deemed important to ensure that we are able to get the number of participants sought for the research. The funding will be obtained from the Alliance Manchester Business School funds that are allocated in support of students’ research.

8. Please indicate the method of recruitment by ticking the appropriate box(es). Tick all that apply.

- Mail Out
- Email
- Telephone
- Advertisement
- Recruitment carried out by third party
- Personal contacts
- Recruitment carried out by researchers
- Contact details obtained from public documents
- Contact details obtained from private sources
- Participants from a previous study
- Snowball
- Other (please explain)

If using a mail out who will be distributing it?......

If using an advertisement explain where it will be placed. Have you attached a copy? Y/N - if no please explain


If recruitment is to be conducted by a third party (e.g. friend, contact, doctor) have you attached an approval letter

- requesting their assistance? Y/N - if no please explain…
- confirming their willingness to act? Y/N - if no please explain…

If contact details are to be obtained from private sources have you attached an approval letter? Y/N - if no please explain…………………………………………………………………………………………………………………… ………………………………………………………………………………………………………………

9. Please give details of how informed consent is to be obtained. A copy of the proposed consent form, along with the proposed information sheet must accompany this proposal.

Participants will receive an information form together with a consent form that will have to be signed by the willing participants to indicate their consent before participation.


10. Data Protection and Confidentiality. Please state who will have access to the data and what measures will be adopted to maintain the confidentiality of the research participant and to comply with data protection requirements e.g. will the data be lawfully processed, anonymised, secured and not kept longer than necessary?

The data collected from the participants will only be accessed by the researchers involved in the research. All the data provided will remain fully anonymous, secured and only used for the purpose of the research and subject to UK data protection laws.

11. Will the research results be made available to the participants? If so describe how they will be disseminated.

The participants who would like to have the results of the research will indicate this on the consent form and provide their email.

12. State location(s) where the project will be carried out.

The research will be conducted at the University of Manchester.

13. The proposed period of field research is from ……………… to………………. (this must not be before the date of Ethics Committee approval)

Signature:

Date:

Supervisor’s Declaration:

I have discussed the above ethical issues with the student in relation to his / her proposed research and agree that the involvement of human participants / human data / material is essential for the proposed research topic.

Supervisor’s Name:

Supervisor’s Signature:

Date:

The following section will be completed after you have submitted the form to Anusarin Lowe in the PGR Programmes Office, room 9.24 Harold Hankins.

Director of PGR Programmes: ……………………………………………

Action: …………………………………………………………………………Date ………………..

NB: Should you change your research plans you will need to complete another ethics form. Please contact the PGR Ethics Committee should you have any questions.


Appendix B: Participant information sheet

Title of Research: Users’ Perspective of Mobile Applications’ Privacy Policies

Participant Information Sheet

You are being invited to take part in a PhD research project about mobile application (app) privacy policies. The study is designed to capture your perceptions of privacy policies. Likewise, it also seeks to understand the factors that can increase the meaningfulness of privacy policies for users. The study will contribute to the design of better privacy policies in future that offer improved protection of your data. Before you decide, it is important for you to understand why the research is being done and what it will involve. Please take time to read the following information carefully and discuss it with others if you wish. Please ask if there is anything that is not clear or if you would like more information. Take time to decide whether or not you wish to take part. Thank you for reading this.

Who will conduct the research?

………………… of the Management Sciences and Marketing Division, Alliance Manchester Business School, The University of Manchester, Booth Street West, Manchester M15 6PB, United Kingdom

Title of the Research

Summative study of Users’ Perspective of Mobile Applications’ Privacy Policies

What is the aim of the research?

This study seeks to understand what is important to users as relates to the protection of the privacy of their personal information when using mobile applications. To achieve this, the study will examine different ways in which privacy information may be represented to users. The study seeks to establish which ways are effective in communicating privacy to users and easy to understand.

Why have I been chosen?

The study will involve 150 participants in the age range of 18 years and above. This will facilitate an understanding of how privacy views vary among different age groups. The findings will contribute towards the design of more effective privacy policies.

What would I be asked to do if I took part?

As a participant you will be required to answer a questionnaire that includes some semi-structured questions on how app privacy policies present privacy information to you. There is no risk, pain or discomfort involved.

What happens to the data collected?


The data will be analysed and the findings used to develop a framework that supports the design of privacy policies in which the users’ perspective of privacy is taken into account.

How is confidentiality maintained?

The study will be conducted anonymously in that the participants’ names will not be recorded during the study. Hence it will not be possible to link the participants to their views.

What happens if I do not want to take part or if I change my mind?

It is up to you to decide whether or not to take part. If you do decide to take part you will be given this information sheet to keep and be asked to sign a consent form. If you decide to take part you are still free to withdraw at any time without giving a reason and without detriment to yourself.

Will I be paid for participating in the research?

Participants in the study will receive up to £10 for their involvement.

What is the duration of the research?

45 minutes

Where will the research be conducted?

University of Manchester

Will the outcomes of the research be published?

The outcomes will be published as conference proceedings or in an academic journal.

Criminal Records Check (if applicable) N/A

Contact for further information

What if something goes wrong?

In case of any inquiries / queries please contact

If a participant wants to make a formal complaint about the conduct of the research they should contact the Head of the Research Office, Christie Building, University of Manchester, Oxford Road, Manchester, M13 9PL.


Appendix C: Consent form

User perspectives on privacy study

CONSENT FORM

If you are happy to participate, please complete and sign the consent form below.

Please Initial Box

1. I confirm that I have read the attached information sheet on the above project and have had the opportunity to consider the information and ask questions and had these answered satisfactorily.

2. I understand that my participation in the study is voluntary and that I am free to withdraw at any time without giving a reason and without detriment to any treatment/service.

I agree to take part in the above project

Name of participant Date Signature

Name of person taking consent Date Signature


Appendix D: User perspectives of privacy policies study

USER PERSPECTIVE OF PRIVACY POLICIES STUDY

Thank you for your time. All the data you provide will remain fully anonymous and subject to UK data protection laws. In case of any queries please contact:

Participant Information

The aim of this workshop is to establish your views about information privacy as related to the use of mobile applications (apps). The study will contribute to the design of better privacy policies in future that will offer improved protection of your data.

The workshop consists of two parts, scheduled for the two sessions.

PART A – Introduction (~ 45 min)

1. We will provide an introduction to privacy policies.
2. You will complete Part A of this workbook, which includes:
   - A Background
   - User preferences on data elements in privacy policies
   - Privacy policy representations to users

PART B – Alternative Privacy policy representations (~ 45 min)

1. You will then complete Part B of this workbook, which compares representations:
   - The standardized table format
   - The short text format
   - The goals / vulnerabilities format
   - The list format

Please indicate your agreement by ticking the box below as appropriate:

I would like to participate in this workshop


PART A-1: INTRODUCTION

In this study, we seek to understand what is important to you as a mobile application user regarding the protection of the privacy of your personally identifiable information. Personally identifiable information (personal data) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. One of the main ways that apps currently use to protect your personal data is through the provision of privacy policies.

A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect a customer or client's privacy.

The aim of this workshop is to establish your views about information privacy as related to the use of mobile applications (apps).


PART A-2 (i): BACKGROUND

Please provide the following information and tick (✓) where appropriate:


PART A-2(ii): USER PREFERENCES ON DATA ELEMENTS IN PRIVACY POLICIES


PART A – 2 (iii): PRIVACY POLICY REPRESENTATIONS TO USERS

Please note that there are no right or wrong answers.

Task A

You want to use a service offered by an app. This means you need to: go to the app marketplace, choose an app, download the app, then install the app, use the app and, in the process, determine how this will affect the privacy of your personal information. A privacy policy may be provided informing you about how the use of the app that you want to download will affect your privacy.

A privacy policy could be provided at any of the steps below. Please indicate the steps at which you feel it would be the most meaningful and the least meaningful for you to access the policy.

In the meaningfulness indicator column below, you are required to:

1) Tick (✓) only one box from the provided options to indicate the point at which a policy would be the most meaningful to you and,
2) Cross (X) only one box in the provided options to indicate the point at which it would be least meaningful to you.

Task B

The Jupiter X app requires access to information on: contacts, demographics, financial, location, purchasing and cookie information. Below are scenarios that your personal data may be used for. Please indicate with a tick (✓) that you agree, or with a cross (X) that you disagree, with the ways in which your data may be used:


Task C

A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect a customer or client's privacy.

The following elements of privacy can be represented in a policy:

Data Security: informs users of the measures taken to protect user data.
User rights: specifies the level of control a user has over their data after an app collects it.
Data Collection: addresses the type of data collected from a user.
Legal: provides the laws that protect user data.
Data use: specifies how user data is used and by whom.
Data Exchanges: specifies user data movements between different parties.

Which are the most important privacy elements to you? Indicate the level of importance of each element by writing a number (1 – 6) in the box provided before each element above, where 1 is the most important and 6 the least important.

Task D

Below is a summary of how The Jupiter X app handles your data:

Data Security - Data encrypted. Use secure passwords.
User rights - Cookie information used. You can opt-out.
Data Collection - Collects contacts and financial information.
Legal - Email any questions to customer care.
Data use - Service provision, app maintenance.
Data Exchanges - Shares your data.

Please see next page for instructions.


Task description

In the box provided below, design a simple policy using the Jupiter X policy elements listed on the previous page. You are free to use: pictures, different fonts, abbreviations, shapes, lines, diagrams, text etc. Please keep your solution simple.

[Your solution goes here]


PART B -1: ALTERNATIVE PRIVACY POLICY REPRESENTATIONS

This section presents you with part of the privacy policy found on the Jupiter X app. The policy is presented in four types of representations or formats. Read and try to understand each representation and please answer the questions that follow after each format:

VARIANT 1 (R1): The standardized table format

- Shows data collection versus data use and data sharing.
- Light blue colouring signifies default data collection.
- ‘Opt out’ enables the ability to deny a given data handling practice.
- Peach colouring indicates instances in which data collection and sharing are not default.
- ‘Opt in’ provides an option for instances where users may wish to share their data.


Please answer the following questions about VARIANT 1 (R1):

Please provide the following information and tick (✓) where appropriate: (1) Strongly Disagree, (2) Disagree, (3) Neither, (4) Agree, (5) Strongly Agree


VARIANT 2 (R2): The short text format

- Textual natural language.
- Information extracted from the standardized table format.
- Related rows combined to ensure conciseness.

Please answer the following questions about VARIANT 2 (R2):

Please provide the following information and tick (✓) where appropriate: (1) Strongly Disagree, (2) Disagree, (3) Neither, (4) Agree, (5) Strongly Agree


VARIANT 3 (R3): The Goals / vulnerabilities format

- Based on the usual full-length policy.
- Privacy goals or vulnerability statements relevant to consumer privacy were bolded and highlighted.
- On mouse over, the statement turns orange and presents a popup box containing the protection goals and vulnerabilities.


VARIANT 4 (R4): The list format

- Lists key privacy areas in the policy.
- Provides corresponding details.


Appendix F: Summative privacy policy study design

SUMMATIVE PRIVACY POLICY STUDY

Participant Information

The aim of this workshop is to establish your views about information privacy as related to the use of mobile applications (apps). The study will contribute to the design of better privacy policies in future that will offer improved protection of your data.

The workshop consists of two parts, scheduled for the two sessions.

PART A – Policy Representation 1 (~ 20 min)

1. We will provide an introduction to privacy policies and this study.
2. You will complete Part A of this workbook, which includes:
   - A Background
   - Information finding tasks on policy representation A.
   - Representation assessment task on policy representation A.

PART B – Policy Representation 2 (~ 20 min)

1. You will then complete Part B of this workbook, which includes:
   - Information finding tasks on policy representation B.
   - Representation assessment task on policy representation B.

Please indicate your agreement by ticking the box below as appropriate:

I would like to participate in this workshop

I would like to be informed about the results from this workshop, and my email address is

______

Name of participant: ………...…….. ………………… Signed: ......


PART A-1: INTRODUCTION

In this study, we seek to understand what is important to you as a mobile application user regarding the protection of the privacy of your personally identifiable information. Personally identifiable information (personal data) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. One of the main ways that apps currently use to protect your personal data is through the provision of privacy policies.

A privacy policy is a statement or a legal document that discloses some or all of the ways an entity gathers, uses, discloses, and manages a customer or client's data. It fulfils a legal requirement to protect a customer or client's privacy.

The aim of the study will be to establish your comprehension and overall preferences regarding two representations of privacy policies of mobile applications (apps). The study will last 45 minutes; however, you may leave on completion of the tasks.

An observer will sit next to you so that they can occasionally ask questions to help them clarify your actions/thinking as you work. The exercise will be recorded on audio.


Background

Please provide the following information and tick (✓) where appropriate:

Gender: M / F

Age: below 26 / 26 - 36 / above 36

Education: A-Level / Undergraduate / Masters / PhD / Other

IT Proficiency

None: not able to apply this skill

Basic: able to handle only the simplest assignments or tasks

Intermediate: able to handle independently many types of assignments or tasks

Advanced: able to handle independently nearly all types of assignments or tasks

Expert: able to handle independently all types of assignments or tasks and serves as a role model or coach for others

Privacy awareness

Please provide the following information and tick (✓) where appropriate: (1) Strongly Disagree, (2) Disagree, (3) Neither, (4) Agree, (5) Strongly Agree

1 2 3 4 5 (1 = disagree, 5 = agree)

I am certain that I have read a privacy policy in the last 6 months.


TASK 1: Policy Representation A

Using the mouse provided, follow the steps below to access the policy on your monitor.

i. Click on Play store or Apple store
ii. Select the Star-warz app
iii. Click on the privacy policy link

You should now see the privacy policy on your screen. Take a few minutes to familiarize yourself with the policy, after which you may start the tasks. You can use the mouse to help you navigate as you read the policy.

Task description (Response: Yes / No / Not Sure unless stated otherwise)

1. Based on the policy, will Star-warz collect your photos?

2. Does the policy provide information on laws that protect your data?

3. Star-warz may use your data to support you?

4. Does Star-warz inform you before changing the content of the policy?

5. Does the policy allow Star-warz to collect my information?

6. Does the Star-warz policy allow you to update your data so that it is more current?

7. Why does the policy allow Star-warz to collect cookie information?

8. Star-warz might want to use your information to improve their service. Does this policy allow them to use your information to do so?

9. Does Star-warz collect your IP Address?

10. Who does the app share your shopping patterns with? (I know / I don’t know / Not sure)

11. I can opt out from my data being used for marketing?

12. Does the policy provide information on the measures in place to ensure that third parties adequately protect your data?


Task 1 (a):

Having interacted with the policy provided in Task 1, please answer the questions that follow:

Please provide the following information and tick (✓) where appropriate: (1) Strongly Disagree, (2) Disagree, (3) Neither, (4) Agree, (5) Strongly Agree

1 2 3 4 5 (1 = disagree, 5 = agree)

Finding information in the Star-warz privacy policy was a pleasurable experience.

I feel that I have more control over my privacy when using the Star-warz policy.

If all privacy policies looked just like this I would be more likely to read them.

Feedback Capture Grid

Please provide any comments on the two privacy policy representations (A)

Likes | Criticisms

Questions | Ideas


TASK 2: Policy Representation B

Using the mouse provided, follow the steps below to access the policy on your monitor.

i. Click on Play store or Apple store
ii. Select the Trip planner app
iii. Click on the privacy policy link

You should now see the privacy policy on your screen. Take a few minutes to familiarize yourself with the policy after which you may start the tasks. You can use the mouse to help you navigate as you read the policy. Please navigate through the policy as you answer the following questions about the policy.

Task description (Response: Yes / No / Not Sure)

1. Based on the policy, may Trip Planner collect the content you have viewed?

2. Does the policy allow your information to be used for law enforcement?

3. Trip Planner may use my data for research?

4. Does the policy ensure protection of your data in places where there are no data protection laws?

5. Does the policy allow Trip Planner to share some of your information with the public?

6. Does the Trip Planner policy allow you to opt out of ad targeting?

7. Does the policy provide information on why Trip Planner collects information about your IP?

8. Trip Planner might want to use your information to process your payments using a third party vendor. Does this policy allow them to do so?

9. Does Trip Planner inform you about your role in ensuring that your data is protected?

10. Does the policy allow you to exercise your right to be forgotten?

11. I can determine whether or not I get the app for free?

12. Can you request that your data is no longer kept by Trip Planner?


Task 2 (b):

Having interacted with the policy provided in Task 2, please answer the questions in the task below:

Please provide the following information and tick (✓) where appropriate: (1) Strongly Disagree, (2) Disagree, (3) Neither, (4) Agree, (5) Strongly Agree

1 2 3 4 5 (1 = disagree, 5 = agree)

Finding information in the Trip Planner privacy policy was a pleasurable experience.

I feel that I have more control over my privacy when using the Trip Planner policy.

If all privacy policies looked just like this I would be more likely to read them.

Feedback Capture Grid

Please provide any comments on the two privacy policy representations (B)

Criticisms | Likes

Questions | Ideas

Thank you for your participation.


Appendix G: Summative privacy policy study: Cognitive walkthrough procedure

SUMMATIVE PRIVACY POLICY STUDY

Cognitive Walkthrough Materials

- A representation of the privacy policy.
- A persona.
- A task list with the corresponding sequence of actions from start to completion of the task.
- A problem reporting form and cards for listing design ideas for later use.

Who will be involved / Procedure

- Facilitator: The facilitator will ensure that the walkthrough team is prepared and that the rules are clear to them.
- Study participants: app users aged 18 years and above.
- Note taker: The note taker will keep a record of the output of the cognitive walkthrough.
- Product expert (policy designer): To answer questions that other members of the walkthrough team may have about the policy features or feedback.

1. Users of the policy will be defined and a context of use analysis conducted.
2. The most appropriate tasks and sub-tasks for the walkthrough will be determined.
3. A group of study participants will be assembled.
4. Ground rules for the walkthrough:
   o No discussions about ways to redesign the interface during the walkthrough.
   o Designers will not defend the policy design.
   o Participants are not to engage in Twittering, checking emails, or other behaviours that would distract from the evaluation.
   o The facilitator will remind everyone of the ground rules and note infractions during the walkthrough.
5. Conducting the walkthrough:
   A. Participants will be provided with an interface of the policy representation.
   B. As each participant interacts with the policy, the following will be observed and noted:
      a. Will the user try to achieve the right effect?
      b. Will the user notice that the correct action is available?
      c. Will the user associate the correct action with the effect that the user is trying to achieve?
      d. If the correct action is performed, will the user see that progress is being made toward the solution of the task?
   C. Record success stories, failure stories, design suggestions, and problems that were not the direct output of the walkthrough, assumptions about users, comments about the tasks, and other information that may be useful in design. Use a standard form for this process.
6. Bring all the analysts together to develop a shared understanding of the identified strengths and weaknesses.
7. Brainstorm on potential solutions to any problems identified.
