TPRC47: Research Conference on Communications, Information and Internet Policy

Click here for full paper.

Abstract

Privacy expectations during disasters differ significantly from non-emergency situations. Recent scandals, such as inappropriate disclosures from FEMA to contractors, illustrate that tradeoffs between emergencies and privacy must be made carefully. Increased use of social technologies to facilitate communication and support first responders provide more opportunities for privacy infringements, despite increased regulation of disaster information flows to government agencies and with trusted partners of the government. This paper specifically explores the actual practices followed by popular disaster apps. Our empirical study compares content analysis of privacy policies and government agency policies, structured by the contextual integrity (CI) framework, with static and dynamic app analysis documenting the personal data they send. We identify substantive gaps between regulation and guidance, privacy policies, and information flows generated by apps/platforms, resulting from ambiguities and exploitation of exemptions. Results also indicate gaps between governance and practice, including: (1) many apps ignore transmission principles self-defined in policy; (2) while some policies state they “might” access location data under certain conditions, those conditions are not met as 12 apps included in our study capture location immediately upon download; and (3) not all third parties data recipients are identified in policy, including instances that violate expectations of trusted third parties. We visually map disaster information flows during disasters and around third party and government apps within the disaster response domain, and emphasize information exchanges between specific actors and the differences between actual flows of personal information and regulatory and policy specifications. 

Click here for full paper

Abstract

A major concern about the rapidly progressing erosion of privacy is that it enables manipulation in political, economic, and social realms. While this concern is well grounded, the technologies that magnify these threats also offer promising means for ameliorating the damage to human society they cause. Although greatly increased manipulation by individuals and organizations will surely be a notable feature of society in the future, it is already giving rise to a new kind of privacy. The information opacity necessary for the new forms of privacy is arising and will be magnified through the use of obfuscation, deepfakes, and related methods that are rapidly improving and becoming more widely available.

Click here for Paper

With the rapid proliferation of personal data online, we are seeing an increase in potential dangers, leading some advocates to call for broad limits on personal data generation, collection, and use, emphasizing consumer privacy over beneficial use. Other advocates have expressed concern that broad limits on personal data will stifle innovation. Significantly, a range of privacy enhancing technologies (PETs) have developed which promise to protect consumer privacy while also allowing for the development of personal data-driven products and services that are desired by consumers. While PETs have been discussed in academia and in policy circles as a potential technical solution, this paper describes the actual technologies and implementations that are available or soon to be available. We analyze the potential of current and emerging PETs, with a specific focus on the recent emergence of blockchain-based identity management, to address the fundamental challenges posed by the rapid increase in the generation, collection, and use of personal data. We conclude that these technologies may offer the potential to protect consumer privacy while still supporting innovative products and services enabled by personal data.

View full paper here

This paper explores different relationships among various cybersecurity aspects and online transactions. Particularly, we focus on three online security aspects: (1) perception of network security, (2) being victim of a cyberattack, and (3) engaging in risky online activities. Using a Structural Equations Model (SEM) and the After Access 2017-2018 dataset (for six Latin American countries), we characterize the relationships between each of these three aspects, along with the importance of other structural variables. The main results are: (1) user’s perception of security plays a key role in e- commerce activities adoption - individuals who report feeling insecure in the Internet tend to engage in significantly fewer online transactions; (2) there is a strong positive relationship between e-commerce use and the likelihood of being a cyberattack victim - this group of e-commerce users would be more vulnerable; (3) individuals with lower educational and socioeconomic levels, and females, are in greater disadvantage in the adoption of e-commerce activities.
Keywords: cybersecurity, e-commerce, ICT

For full paper click here

In this paper, we validate the hypothesis that in the context of Indian municipal governance, the trade-off between government efficiency and privacy is not a zero-sum game; rather one can improve these seemingly contrasting forces simultaneously. India is on dual trajectories. On one hand, there is a nationwide push to improve municipal governance through increased transparency and efficiency, especially in the functions that involve citizen interaction. On the other hand, as a country, India must embrace the Supreme Court Bench decision of August, 2017, that privacy is a constitutional right.[9] There are two primary aspects to reaching our conclusion. The first is the addition of a new category of data of significant volume; we have been provided access to 383,959 real citizen transactions across all services for the 112 urban local bodies (ULBs) for one state for all of 2018. The logs include the details of each ULB functionary involved in each stage of responding to a citizen request. This has enabled us to consider our previously defined metrics, the Governance Efficiency Index and Information Privacy Index, at multiple levels of granularity. The second aspect is the government-defined service level agreements that define acceptable completion times. This allows us to evaluate completion times. The further analysis provided in this paper demonstrates that that ULBs from all three size tiers can and do reach our Model ULB designation of performance. We conclude from this analysis that ULBs of all sizes and across all services have the capacity to maximize both efficiency and privacy.

View full paper here

Abstract
Access control via permissions is an important aspect of operating systems help app developers and users handle privacy and security aspects. As such, linking changes in app permission requests with the external landscape of privacy and data protection regulations could be a potential technique for studying the impact of these policies. To this end, we collected the top free Android apps in three categories (Social, Lifestyle, and Ages 5 and Under) across three countries (US, Germany, and South Korea) before and after the European Union (EU) General Data Protection Regulation (GDPR) went into effect. Our analyses comparing pre-GDPR and post-GDPR app permission requests showed that permissions that impact privacy and security did not increase after the GDPR went into effect despite an increase in requests for other permissions. We further found no notable post-GDPR differences in permission requests across the three targeted countries despite jurisdictional differences in privacy regulations. The findings indicated that strict and comprehensive regulations in a major global market, such as the EU GDPR, is thus likely to harden the privacy and security of apps even for those that are outside its jurisdiction. Our findings further show that a longitudinal analysis of permission requests could be a useful tool for gauging the influence of privacy and data protection regulations.

View full paper here

Big data, combined with machine learning and artificial intelligence, is expected to increase the bulk of personal data in the hands of private and public entities, presenting a unique challenge to policymakers. Therefore, the question of how to incentivise firms to protect personal information is more relevant today than ever before. This study attempts to associate privacy breach announcements with the drop in share price using an event study. The results show that firms suffer a significant and immediate share price depreciation over a short window, and this is sustained over the entire forecast window after the event. Furthermore, this effect is greater when a larger number of customers are affected and the information exposed is financially sensitive. This represents a departure from previous studies, which found only a mild negative and temporary market reaction following a breach. These findings, using data from 2014-2018, will encourage policymakers to consider strict disclosure policies, thereby encouraging firms to invest in best data security practices.Keywords: Privacy, Information Security, Event Study

For full paper click here

This contribution analyses the use of third-party trackers by European countries media before and after the introduction of the EU’s General Data Protection Regulation (hereafter: GDPR) as an inroad to discuss the legal versus ethical obligations of media with regards to audiences’ privacy and the impact on the key value of trust in media. In force since 25 May 2018, GDPR provides extended rights to users to protect personal information. The legislation deals with third-party servers (represented by URLs) that play a role in compiling a webpage presented to the user. We focus on third-party servers that track, collect and analyse user behaviour.

Theoretically, the paper starts from the idea that legal discussions of and instruments to regulate third-party servers’ impact on privacy do not cover more fundamental ethical questions. Data collection may be lawful but can affect users' lives in unwanted ways and, thus, affect their trust in the service provider, i.e. media. This has two complementary theoretical perspectives: computer ethics (e.g. Moore, 1997; Brey 2005) and (public service) media values (authors, 2017) in the ‘calculated public sphere’ (Harper, 2016).

Data result from an extensive and repeated collecting of third party traffic on media-related websites. From a dataset of +32 million recordings of HTTP responses from servers for files like pictures, code or text to +12700 web pages from 1250 websites visited 25 times before and after GDPR, we selected 355 media websites from 38 European countries (#114 from EBU members, #241 from private media). Data were analysed and third-party servers were identified and categorized.

The result section, first, discusses various characteristics of third-party trackers before focusing on differences between public service and private media, comparing for EU/EEA versus the rest of Europe. Next, we analyse evolutions over time finding that public service websites are unchanged with regards to third party URLs, while private media show a decrease. Furthermore, GDPR has led to smaller third-parties disappearing to the advantage of the big ones, enhancing concentration of power for access to and collecting of user data.

Results are discussed in light of the ethical implications of what may legally be a licensed use of audiences’ data by third-party trackers. We assumed that the more third-party servers involved in a webpage visit, 1) the higher the potential exposure of personal, identifiable information and, thus, 2) the more the ethical aspects of privacy and, ultimately 3) the soft value of trust – crucial to the working of media, especially PSM - are compromised. Finally, it discusses how media policies in the area of privacy and wider individual rights need to go beyond the legal boundaries as set out in legal frameworks such as GDPR.