Improving the Transparency of Privacy Terms Updates

Opinion Paper
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12703)


Updates are an essential part of most information systems. However, they may also serve as a means to deploy undesired features or behaviours that potentially undermine users’ privacy. In this opinion paper, we propose a way to increase update transparency, empowering users to easily answer the question “what has changed with regards to my privacy?”, when faced with an update prompt. This is done by leveraging a formal notation of privacy terms and a set of rules that dictate when privacy-related prompts can be omitted, to reduce fatigue. A design that concisely visualizes changes between data handling practices of different software versions or configurations is also presented. We argue that it is an efficient way to display information of such nature and provide the method and calculations to support our assertion.


IoT Privacy Usability Updates Transparency GDPR 



This research is a continuation of an activity that has originally received funding from the H2020 Marie Skłodowska-Curie EU project “Privacy&Us” under the grant agreement No. 675730.


  1. 1.
    Anderson, B.B., et al.: How polymorphic warnings reduce habituation in the brain: insights from an fMRI study. In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (2015)Google Scholar
  2. 2.
    Anderson, B.B., et al.: Users aren’t (necessarily) lazy: using NeuroIS to explain habituation to security warnings. In: Proceedings of the 35th International Conference on Information Systems (2014)Google Scholar
  3. 3.
    App privacy details on the App Store. Apple Developer.
  4. 4.
    Bos, B.: Data Privacy Vocabulary. W3C Recommendation. W3C (2019).
  5. 5.
    Bösch, C., et al.: Tales from the dark side. In: Proceedings on Privacy Enhancing Technologies (2016)Google Scholar
  6. 6.
    Breaux, T.D., Hibshi, H., Rao, A.: Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements. Requirements Eng. 19(3), 281–307 (2013). Scholar
  7. 7.
    Casey, S.M.: Set Phasers on Stun: And Other True Tales of Design, Technology, and Human Error (1993)Google Scholar
  8. 8.
    Cate, F.H.: The limits of notice and choice. IEEE Secur. Priv. Mag. 8, 59–62 (2010)CrossRefGoogle Scholar
  9. 9.
    Cranor, L.F.: Web Privacy with P3P (2002)Google Scholar
  10. 10.
    I. DIS. 9241–210: 2010. Ergonomics of Human System Interaction-Part 210: Human-Centred Design for Interactive Systems (2009)Google Scholar
  11. 11.
    Erickson, A.: Comparative analysis of the EU’s GDPR and Brazil’s LGPD: enforcement challenges with the LGPD. Brooklyn J. Int. Law 44, 859 (2018)Google Scholar
  12. 12.
    European Parliament and Council of European Union. Regulation 2016/679 of the European Parliament and of the Council. In: Official Journal of the European Union (2016)Google Scholar
  13. 13.
    Fagan, M., et al.: A study of users’ experiences and beliefs about software update messages. In: Computers in Human Behavior (2015)Google Scholar
  14. 14.
    GDPR Recital 58 - The Principle of Transparency.
  15. 15.
    Greveler, U., et al.: Multimedia content identification through smart meter power usage profiles. In: Proceedings of the International Conference on Information and Knowledge Engineering (IKE) (2012)Google Scholar
  16. 16.
    Harkous, H., et al.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (2018)Google Scholar
  17. 17.
    Harkous, H., et al.: PriBots: conversational privacy with chatbots. In: 12th Symposium on Usable Privacy and Security (2016)Google Scholar
  18. 18.
    Human, S., Cech, F.: A human-centric perspective on digital consenting: the case of GAFAM. In: Zimmermann, A., Howlett, R.J., Jain, L.C. (eds.) Human Centred Intelligent Systems. SIST, vol. 189, pp. 139–159. Springer, Singapore (2021). Scholar
  19. 19.
    Mcdonald, A.M., et al.: The cost of reading privacy policies. J. Law Policy Inf. Soc. 4, 543–568 (2008)Google Scholar
  20. 20.
    Miller, G.A.: The magical number 7\(\pm \)2. In: Psychological Review (1956)Google Scholar
  21. 21.
    Morgner, P., et al.: Opinion: security lifetime labels - overcoming information asymmetry in security of IoT consumer products. In: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (2018)Google Scholar
  22. 22.
    Morgner, P., et al.: Privacy implications of room climate data. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 324–343. Springer, Cham (2017). Scholar
  23. 23.
    Nielsen, J.: Jakob’s Law of Internet User Experience.
  24. 24.
    Nielsen, N.: EU warns Romania not to abuse GDPR against press. EUobserver (2018).
  25. 25.
    Nokhbeh Zaeem, R., et al.: PrivacyCheck v2: a tool that recaps privacy policies for you. In: Proceedings of the 29th ACM International Conference on Information & Knowledge Management (2020)Google Scholar
  26. 26.
    Okoyomon, E., et al.: On the ridiculousness of notice and consent: contradictions in app privacy policies. In: Workshop on Technology and Consumer Protection (2019)Google Scholar
  27. 27.
    Railean, A., Reinhardt, D.: OnLITE: on-line label for IoT transparency enhancement. In: Asplund, M., Nadjm-Tehrani, S. (eds.) NordSec 2020. LNCS, vol. 12556, pp. 229–245. Springer, Cham (2021). Scholar
  28. 28.
    Raskin, J.: The Humane Interface: New Directions for Designing Interactive Systems (2011)Google Scholar
  29. 29.
    Lederman, N.G., Lederman, J.S.: The elephant in the room. J. Sci. Teacher Educ. 26(8), 669–672 (2016). Scholar
  30. 30.
    Sadeh, N., et al.: Towards usable privacy policies: semi-automatically extracting data practices from websites’ privacy policies’. In: Poster Proceedings of the 10th Symposium On Usable Privacy and Security (2014)Google Scholar
  31. 31.
    Schaub, F., et al.: A design space for effective privacy notices. In: Proceedings of the 11th Symposium On Usable Privacy and Security (2015)Google Scholar
  32. 32.
    Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423 (1948)MathSciNetCrossRefGoogle Scholar
  33. 33.
    Su, J., et al.: One pixel attack for fooling deep neural networks. IEEE Trans. Evol. Comput. 23, 828–841 (2019)CrossRefGoogle Scholar
  34. 34.
    Vaniea, K., et al.: Betrayed by updates. In: Proceedings of the CHI Conference on Human Factors in Computing Systems (2014)Google Scholar
  35. 35.
    Vaniea, K., et al.: Tales of software updates. In: Proceedings of the CHI Conference on Human Factors in Computing Systems (2016)Google Scholar
  36. 36.
    Voss, W.G.G.: The CCPA and the GDPR are not the same: why you should understand both. In: CPI Antitrust Chronicle (2021)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. 1.Institute of Computer ScienceGeorg-August-Universität GöttingenGöttingenGermany

Personalised recommendations