The impact of transparency on mobile privacy decision making

  • Jan Hendrik Betzing
  • Matthias Tietz
  • Jan vom Brocke
  • Jörg Becker
Research Paper

Abstract

Smart devices provide unprecedented access to users’ personal information, on which businesses capitalize to offer personalized services. Although users must grant permission before their personal information is shared, they often do so without knowing the consequences of their decision. Based on the EU General Data Protection Regulation, which mandates service providers to comprehensively inform users about the purpose and terms of personal data processing, this article examines how increased transparency regarding personal data processing practices in mobile permission requests impacts users in making informed decisions. We conducted an online experiment with 307 participants to test the effect of transparency on users’ decisions about and comprehension of the requested permission. The results indicate increased comprehension of data processing practices when privacy policies are transparently disclosed, whereas acceptance rates do not vary significantly. We condense our findings into principles that service providers can apply to design privacy-transparent mobile apps.

Keywords

  • Mobile privacy decision making
  • Transparency
  • EU General Data Protection Regulation
  • Privacy notice
  • Consent
  • Experimental research

Notes

Acknowledgements

The research leading to these results has received funding from the RISE Programme of the European Union’s Horizon 2020 Programme under REA grant agreement no. 645751 (RISE-BPM H2020-MSCA-RISE-2014). The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the European Union. Neither the European Union institutions and bodies nor any person acting on their behalf may be held responsible for the use which may be made of the information contained therein.

Copyright information

© Institute of Applied Informatics at University of Leipzig 2019

Authors and Affiliations

  1. European Research Center for Information Systems, University of Münster, Münster, Germany
  2. Institute of Information Systems, University of Liechtenstein, Vaduz, Liechtenstein