Leveraging Privacy Profiles to Empower Users in the Digital Society

Privacy and ethics of citizens are at the core of the concerns raised by our increasingly digital society. Profiling users is standard practice for software applications triggering the need for users, also enforced by laws, to properly manage privacy settings. Users need to manage software privacy settings properly to protect personally identifiable information and express personal ethical preferences. AI technologies that empower users to interact with the digital world by reflecting their personal ethical preferences can be key enablers of a trustworthy digital society. We focus on the privacy dimension and contribute a step in the above direction through an empirical study on an existing dataset collected from the fitness domain. We find out which set of questions is appropriate to differentiate users according to their preferences. The results reveal that a compact set of semantic-driven questions (about domain-independent privacy preferences) helps distinguish users better than a complex domain-dependent one. This confirms the study's hypothesis that moral attitudes are the relevant piece of information to collect. Based on the outcome, we implement a recommender system to provide users with suitable recommendations related to privacy choices. We then show that the proposed recommender system provides relevant settings to users, obtaining high accuracy.


Introduction
Privacy and ethics of citizens are at the core of the concerns raised by our increasingly digital society. Profiling users is standard practice for software applications, triggering the need for users, also enforced by laws, to properly manage privacy settings and moral preferences. This deals with the way users give their consent to storing, sharing with third parties, and disseminating sensitive personal information, and with how they express moral preferences, for example by ticking a box to pay a decarbonization tax. Mobile apps have become increasingly popular as they can provide users with a wide range of functionalities.
For different reasons, apps often require access to intimate information about the users and hosting device, triggering privacy concerns. This requires proper management of privacy, with the ultimate aim of protecting users' preferences as well as personally identifiable information.
In this paper, we focus on the privacy dimension of an ordinary user with little technical knowledge of the privacy mechanisms of the digital systems she seamlessly uses but with an evident moral character. While choosing strict settings may help protect her data, this may prevent the complete availability of the functionalities provided by the software. In contrast, loosening privacy settings mitigates the restriction on functionalities, but it may come with the price of compromising her data privacy. In this respect, Artificial Intelligence (AI) technologies can empower the user in maintaining a reasonable trade-off between accessibility and protection, and reflecting the user privacy preferences can be the key enabler of a trustworthy digital society.
Understanding the commonalities and differences among users based on profiles has been among the main issues in data privacy research [1,2,3]. Categorizing profiles contributes to better identification of users' behaviors and supports administrators in comprehending privacy choices. At the same time, personal profiles may enable the design of functionalities that help users set privacy preferences of the digital technologies they use. Various proposals to categorize or group end-users into clusters based on their security or privacy attitudes/behaviors in specific domains have been made [4,5]. Users' preferences were analyzed in an extensive study [6] on permission settings from real Android mobile users to recommend personalized default settings. Sanchez et al. [7] analyzed user-privacy preferences in the fitness domain employing a specifically designed questionnaire consisting of both domain-specific and general questions to recommend personalized privacy settings for the fitness apps.
Though a lot of achievements have been reported, as discussed in [8], we believe that there is still the need to understand how to characterize user's privacy behavior in a general setting. Indeed, privacy is a dimension of ethics and should be part of the ethical profile of a user and driven by ethical consideration rather than by contextual attitudes or practices in given domains. For example, relying on the analysis of current or past users' preference settings as in [6] does not guarantee a correspondence between what users believe as their general privacy profile and what they actually (can) do when setting privacy preferences.
Moreover, data privacy awareness in the digital society is only recently exiting the specialists' fields (legal, ethical, economic, social) to impact the wider society. The pandemic has also dramatically advanced the penetration of digital technologies in the society from market to education [9,10]. This means that a large body of collected data on privacy settings may not reflect the attitude and attention to privacy that present users have and will have in the future.
In this work, we explore a different research direction by relying on the data of the study in the fitness domain [7] that were collected by means of a questionnaire and a simulator. We analyze both general and domain-specific questions with the aim of (i) identifying general questions that reflect moral attitudes of the users; and (ii) recommending privacy preferences accordingly. Moreover, we design and implement a recommender system [11] to provide users with suitable recommendations with respect to privacy choices. The experimental results are encouraging, revealing that a compact set of general questions helps distinguish users better than a more complex domain-dependent one. We also show that the proposed recommender system provides relevant settings to users, obtaining high prediction accuracy.
The main contributions of our work are summarized as follows.
• We investigate which sets of (general) privacy questions are more relevant for classifying users with respect to their privacy moral preferences.
• By means of an empirical evaluation, we show that self-assessment about privacy attitudes given by users does not reflect the way they act in practice.
• We develop PisaRec, a recommender system to provide suitable privacy settings that reflect user preferences. This aims to help users relieve the burden of setting privacy configurations when they go online.
We organize the paper into the following sections. In Section 2, we present a motivating example and a categorization of privacy profiles. Section 3 describes the proposed approach, which makes use of both unsupervised and supervised learning to handle user profiles. The methods used to evaluate our approach are detailed in Section 4. We report and analyze the experimental results in Section 5. Discussion related to the limitations and threats to validity is provided in Section 6. We review related work in Section 7. Finally, Section 8 sketches future work and concludes the paper.

Background
The following example illustrates the need for personalized automated privacy assistance that a user interacting with multiple systems at a time may require. Then we briefly report the aspects, most relevant for our research, of the taxonomies for privacy profiles proposed in the literature.

Motivating example
After a long day at work, Alice is at the subway station. After the pandemic outbreak, she will meet pals at the cinema. She is on time but learns that she cannot buy a ticket from the subway station attendant due to rigorous hygiene regulations. In addition, vending machines are out of commission for contactless technology upgrades. Instead, a QR code and simple instructions to buy an electronic ticket online are posted in front of the vending machines. Her train is about to arrive, so she opens her camera app and frames the QR code. The site structure appears in a split second, but as Alice scrolls down to find the ticket she needs, a popup asks for her privacy settings. Above a very long list of radio button options about disclosing GPS position, information about her mobile phone, consent to save various types of cookies on her device, share her list of contacts, etc., she is presented with three buttons: accept all, strictly necessary, decline all.
Alice is very concerned about her privacy, and when not strictly necessary for the purpose she wants to perform, she does not wish to disclose private information. Since the service she is asking for is as simple as asking for a one-ride ticket, she clicks decline all. The next page seems to load slowly, and images and structure are shown in a non-adaptive way, so she has to pinch-in to zoom and scroll to read the text that informs her that a cryptographic key used for her session management cannot be stored due to her preferences, so the session is not secure. The page also asks her to choose language, timezone, type of device and the web browser she is using, payment options, etc. While reading, Alice realizes that her train is about to arrive at the station. So, she decides to click the back button on her browser, reload the page and click strictly necessary when prompted. The site then stays fast and steady, adapted to the display of her device, prompting if she wants to take a one-ride ticket or a full day one. Her mobile wallet handles the payment instantly, and she receives her ticket just before the train comes. On time to the cinema, Alice enjoys the film with her friends, soon forgetting the online ticket purchase experience. Her preferences are saved on her phone, so she will buy train tickets quickly and easily in the future. Alice does not know that the strictly necessary option, although excluding third-party tracking and marketing, includes all alternatives that are strictly essential to all services offered by the booking site, including -

In this work, we show that it is possible to protect users by first understanding their privacy profiles, which can be automatically identified by considering a small set of general and domain-independent questions that are shown to be enough to reflect the user's moral attitude. Thus, our approach is to categorize personal privacy profiles from an ethical perspective [13]. Profiles can then be used to automate app and web settings, leveraging recommender systems like in this paper or other technologies.

Categorizations of privacy profiles
Table 1 gives a summary of the most notable taxonomies of privacy categories. Starting from the question: "How important is privacy to you?" from left to right of the table, an increasing level of privacy concerns is shown. Westin [1] proposed the first categorization of user profiles with three levels, i.e., Uncon-

Proposed Approach
Typically, users specify privacy preferences by directly interacting with the privacy settings provided by the used software. Similar to other techniques [13,12,8], we propose an approach that relies on a software layer that automatically identifies privacy profiles and interacts with the user or the software system to recommend privacy preferences accordingly.
Concerning what we present in this paper, the assisted selection phase of privacy preferences started on training data consisting of general, domain-specific, and app-specific answers given to the questions defined in [7] (see "Full set of questions" in Figure 1). We have empirically analyzed the full set of questions to identify the corresponding subset (consisting of general questions) that is sufficient to automatically identify our three user privacy profile categories, i.e., Inattentive, Attentive, and Solicitous (see activity 1 in Figure 1).

The automated creation of user privacy profiles phase (see activity 2 in Figure 1) relies on an unsupervised clustering module, which can automatically group users in the training data. The automated assignment of privacy profiles to users phase (see activity 3) relies on a supervised classifier using a feed-forward neural network to automatically assign to the given user the corresponding privacy profile among those identified in activity 2. Finally, a recommender system is used to further validate activities 1 and 2, and to provide users with privacy settings recommendations (see activity 4) according to the privacy settings of other users belonging to privacy profiles as detected in activity 3.
Details on the results obtained from the performed Empirical Study are given in the Experimental results section, whereas activities 2, 3, and 4 are described as follows.

Automated creation of user privacy profiles
To automatically create user privacy profiles, we employed a clustering process by relying on the graph-based representation of users and privacy settings as shown in Figure 2. This representation is also used by the developed neural network for classifying users presented in Section 3.2. Each user $u$ is represented by a vector $\phi = (\phi_1, \phi_2, \ldots, \phi_F)$, where $\phi_i$ is the weight of term $s_i$, computed as the term-frequency inverse document frequency value as follows: The similarity between two users $u$ and $v$ is computed using their corresponding feature vectors $\phi = \{\phi_i\}_{i=1,\ldots,F}$ and $\omega = \{\omega_j\}_{j=1,\ldots,F}$ by means of the cosine similarity function: where $n$ is the cardinality of all settings that were set to 1 by both $u$ and $v$. Intuitively, $u$ and $v$ are characterized by using vectors in an $n$-dimensional space, and Equation 2 measures the cosine of the angle between them. As an example, in Fig. 2, we see that the two users $u_2$ and $u_4$ are similar since they both set two settings $s_1$ and $s_3$.
A set of $n$ users is grouped into a pre-defined number $\kappa$ of clusters, with the aim of maximizing both the similarity among instances within a single cluster, and the dissimilarity among independent clusters. To this end, we calculate the distance between every pair of users and feed it as the input to the clustering engine. The K-medoids algorithm [16] has been chosen to group users into clusters due to its simplicity and efficiency.
In the clustering process, the distance scores, computed as , are used to assign users to clusters. Initially, a set of medoids (users) is generated randomly, then a medoid is selected as the user in the cluster that has minimum average distance to all the other users in the cluster.
Afterwards, users are assigned to the cluster with the closest medoid, using a greedy strategy [16].

Automated assignment of privacy profiles to users
Supervised learning algorithms can simulate humans' learning activities, mining knowledge from labeled data and performing predictions for unknown data [17]. Among others, neural networks have been widely adopted in various applications, including pattern recognition [18] and forecasting [19]. A feed-forward neural network consists of connected layers of neurons, where the output of a layer is transferred to the next layer's neurons, except for the output layer.
We built a feed-forward neural network to classify users into different privacy groups, using preferences as features. The network consists of three layers, as shown in Figure 3. The input layer has $L$ neurons, being equal to the number of input settings, i.e., $X = (x_1, x_2, \ldots, x_L)$. The middle layer consists of $M$ neurons, i.e., $H = (h_1, h_2, \ldots, h_M)$; $M$ can be configured during the evaluation. There are $\kappa$ neurons in the output layer, corresponding to $\kappa$ output categories, i.e., $\hat{y} = (\hat{y}_1, \hat{y}_2, \ldots, \hat{y}_\kappa)$. The predicted value $\hat{y}_k$ for neuron $k$ of the output layer is computed to minimize the error between the real values and the predicted ones. As discussed in the Experimental results section, the conceived neural network has played an important role in the performed analysis, especially to understand to what extent self-declared privacy profiles reflect the actual user category.

Privacy settings recommendation
We conceptualize PisaRec, a Privacy settings assistant running on top of a Recommender system to provide users with suitable data protection configurations. PisaRec works based on the assumption that "if users of the same privacy profile already share some common privacy settings, then they are supposed to share additional similar settings" [20]. In this way, we utilize the proposed graph-based representation to model the relationship among users and use a collaborative-filtering algorithm [21] to recommend missing settings. To feed the recommendation engine, we adopt the user-item paradigm [22], in which each user corresponds to one row and each setting is represented by a column. In this way, a cell in the matrix dictates the rating given by a user to a setting.
The two values 0 and 1 correspond to deny and allow, respectively. An example of a user-setting matrix for the set of four users and five settings is as follows: Accordingly, the user-item ratings matrix built to model the occurrence of the settings is depicted in Figure 4. The following collaborative-filtering formula is utilized [20] to predict the inclusion of a setting $s_i$ for user $u$: where $r_u$ and $r_v$ are the mean of the ratings of $u$ and $v$, respectively; $v$ belongs to the set of top-$k$ most similar users to $u$ or neighbour users, i.e., $topsim(u)$; $sim(u, v)$ is the similarity between $u$ and a similar user $v$, computed using Equation 2.
The clusters obtained from the previous section allow us to identify users with similar privacy preferences. Based on the obtained categorization, given an input user, the neural network assigns the user to a specific category. Afterward, we build a graph only for this category following the paradigm in Figure 2. Such a sub-graph contains fewer nodes and edges than a full graph for all categories, aiming to optimize the computation. On top of this, PisaRec recommends missing settings to users. The outcome of the computation is a ranked list of probable settings, and we select the top-N of them to present as the final recommendations.
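The neighbour-based prediction and top-N ranking described above, as an added example that is not the authors' PisaRec code. It assumes the usual user-based collaborative-filtering form, score = r_u + Σ (r_v,i − r_v)·sim(u, v) / Σ sim(u, v) over topsim(u), and plain cosine similarity over the settings the user has already answered; the users, setting names and held-out answers are constructed.

```python
import math

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def predict(train, known, k):
    """Score every setting the user has not answered yet.

    train: 0/1 rows of users already assigned to the same privacy profile.
    known: {setting index: 0 or 1} for the settings the new user has chosen.
    """
    cols = sorted(known)
    u_vec = [known[c] for c in cols]
    # Similarity on the answered settings only (assumption of this example).
    ranked = sorted(((cosine(u_vec, [row[c] for c in cols]), row) for row in train),
                    key=lambda pair: pair[0], reverse=True)
    neighbours = ranked[:k]                      # topsim(u)
    weight = sum(sim for sim, _ in neighbours)
    r_u = sum(u_vec) / len(u_vec)                # mean rating of u
    scores = {}
    for i in range(len(train[0])):
        if i in known:
            continue
        if weight == 0:                          # no similar user: fall back to r_u
            scores[i] = r_u
            continue
        num = sum((row[i] - sum(row) / len(row)) * sim for sim, row in neighbours)
        scores[i] = r_u + num / weight
    return scores

def recommend(train, known, k=3, n=2):
    """Ranked list of the top-n settings predicted as 'allow'."""
    scores = predict(train, known, k)
    return sorted(scores, key=lambda i: (-scores[i], i))[:n]

def precision_recall(recommended, ground_truth):
    """Precision and recall of a recommendation list against held-out settings."""
    tp = len(set(recommended) & set(ground_truth))
    precision = tp / len(recommended) if recommended else 0.0
    recall = tp / len(ground_truth) if ground_truth else 0.0
    return precision, recall

# Hypothetical setting names and constructed users of one privacy profile.
SETTINGS = ["gps", "contacts", "cookies", "heart_rate", "ads", "backup"]
PROFILE_USERS = [
    [1, 0, 1, 1, 0, 1],
    [1, 0, 1, 1, 0, 0],
    [0, 1, 0, 0, 1, 0],
    [1, 1, 1, 1, 1, 1],
    [0, 1, 1, 0, 1, 1],
]
QUERY = {0: 1, 1: 0, 2: 1}       # half of the settings already answered
HELD_OUT_ALLOWED = {3, 5}         # settings the user actually allowed (constructed)

if __name__ == "__main__":
    for n in (1, 2, 3):
        rec = recommend(PROFILE_USERS, QUERY, k=3, n=n)
        p, r = precision_recall(rec, HELD_OUT_ALLOWED)
        names = [SETTINGS[i] for i in rec]
        print(f"N={n} recommend={names} precision={p:.2f} recall={r:.2f}")
```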

Evaluation
To study the proposed approach's performance, we first introduce three research questions. Afterward, we describe the dataset and metrics used in our evaluation.

Research questions
The following research questions are considered to evaluate our proposed approach.
• RQ 1: How well does the users' self-assessment reflect their privacy category? As users in the considered dataset [23] have been allowed to self-assess their privacy category, we examine if such a self-evaluation reflects their real category.
• RQ 2: Which sets of questions are relevant for assessing privacy concerns? We are interested in finding the set of questions that can better distinguish between user profiles. For this research question, we cluster the users with different sets of features, and identify the one that brings the best clustering solution. The aim is to find a set of privacy questions that better represents the user profiles.
• RQ 3: To which extent is PisaRec able to utilize the obtained categorization in recommending relevant privacy settings to users? We investigate how well the conceived recommender system learns from existing profiles, providing users with additional configurations that reflect their preferences.

Dataset
We opted for an existing dataset that has been collected through a domain-specific survey about the usage of a fitness app including user privacy preferences [7]. As shown in Table 2, there are 444 data entries which have been divided into three main groups as follows:
• Domain specific: This is the set of questions being explicitly related to the fitness activity. There are a total of 202 questions in this category.
• App related: These questions are about the use or setting of the app, consisting of 113 questions.
• Generic: This set of questions consists of generic questions that are not related to other groups. There are 129 generic questions in total.

Evaluation metrics
• Compactness. The metric measures how closely relevant the users within a cluster are [24]. In this respect, a lower value represents a better clustering solution and vice versa.

• Silhouette. It measures how similar a user $u$ is to all the remaining users of the same cluster [24], computed using the following formula: where $a(u)$ is the mean distance between $u$ and the others, $b(u)$ is the minimum mean distance. A silhouette value falls into the range [-1, +1], where a higher score means a better clustering solution.
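The clustering step from the "Automated creation of user privacy profiles" section and the silhouette score above, combined in one added example (not the authors' code) that clusters the same users on two different question subsets and compares the scores. Assumptions: the TF-IDF weight of an enabled setting is log(|U| / a_i), the distance is 1 − cosine similarity, the silhouette is the standard s(u) = (b(u) − a(u)) / max(a(u), b(u)), and the initial medoids are passed explicitly instead of drawn at random so the run is reproducible; the six users are constructed.

```python
import math

def tfidf(rows):
    """Weight each enabled setting by log(|U| / a_i) (assumed TF-IDF form)."""
    n_users = len(rows)
    enabled_by = [sum(col) for col in zip(*rows)]   # a_i: users who allowed setting i
    return [[r * math.log(n_users / a) if a else 0.0
             for r, a in zip(row, enabled_by)] for row in rows]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def distances(rows):
    """Pairwise distance 1 - cosine similarity (assumed), clamped at 0."""
    vecs = tfidf(rows)
    n = len(vecs)
    return [[0.0 if i == j else max(0.0, 1.0 - cosine(vecs[i], vecs[j]))
             for j in range(n)] for i in range(n)]

def assign(dist, medoids):
    """Greedy assignment: every user joins the cluster of its closest medoid."""
    return [min(range(len(medoids)), key=lambda c: dist[u][medoids[c]])
            for u in range(len(dist))]

def k_medoids(dist, init_medoids, max_iter=50):
    medoids = list(init_medoids)
    for _ in range(max_iter):
        labels = assign(dist, medoids)
        updated = []
        for c, old in enumerate(medoids):
            members = [u for u, lab in enumerate(labels) if lab == c]
            # New medoid: the member with minimum total (hence average) distance
            # to the rest of its cluster; an emptied cluster keeps its medoid.
            updated.append(min(members, key=lambda m: sum(dist[m][u] for u in members))
                           if members else old)
        if updated == medoids:
            break
        medoids = updated
    return assign(dist, medoids), medoids

def silhouette(dist, labels):
    """Mean of s(u) = (b(u) - a(u)) / max(a(u), b(u)) over all users."""
    clusters = set(labels)
    if len(clusters) < 2:
        return 0.0
    total = 0.0
    for u, lab in enumerate(labels):
        own = [v for v, l in enumerate(labels) if l == lab and v != u]
        if not own:
            continue                     # singleton cluster contributes s(u) = 0
        a = sum(dist[u][v] for v in own) / len(own)
        b = min(sum(dist[u][v] for v, l in enumerate(labels) if l == c) / labels.count(c)
                for c in clusters if c != lab)
        total += (b - a) / max(a, b) if max(a, b) else 0.0
    return total / len(labels)

# Constructed answers (1 = allow, 0 = deny) from six users.
# Columns 0-3 stand in for generic questions, columns 4-7 for domain-specific ones.
ANSWERS = [
    [1, 1, 0, 0,  1, 0, 1, 0],
    [1, 1, 0, 0,  0, 1, 0, 1],
    [1, 0, 0, 0,  1, 1, 0, 0],
    [0, 0, 1, 1,  0, 0, 1, 1],
    [0, 0, 1, 1,  1, 0, 0, 1],
    [0, 0, 0, 1,  0, 1, 1, 0],
]

def cluster_quality(columns, init_medoids=(0, 3)):
    """Cluster the users on one question subset; return (labels, silhouette)."""
    rows = [[row[c] for c in columns] for row in ANSWERS]
    dist = distances(rows)
    labels, _ = k_medoids(dist, init_medoids)
    return labels, silhouette(dist, labels)

if __name__ == "__main__":
    for name, cols in (("generic", range(0, 4)), ("domain", range(4, 8))):
        labels, score = cluster_quality(cols)
        print(f"{name:8s} labels={labels} silhouette={score:.3f}")
```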
Furthermore, we also use Precision, Recall, ROC curve and AUC to study the performance of the proposed approach.
First, there are the following definitions: True positive (TP) is the settings that match with ground-truth data; False positive (FP) is the recommended settings that do not match with the ground-truth data; False negative (FN) is the settings that should be recommended, but are excluded. Then, the metrics are as follows:
• Precision and Recall. Precision measures the fraction of the number of settings properly classified to the total number of recommended items and Recall (or true positive rate - TPR) is the ratio of the number of correctly classified items to the total number of items in the ground-truth data. The metrics are defined as follows:
• False positive rate (FPR). This metric measures the ratio of the number of items that are falsely classified into a category c, to the total number of items that are either correctly not classified, or falsely classified into the category:
• ROC curve and AUC. The relationship between FPR and TPR is sketched in a 2D space, using a receiver operating characteristic (ROC) [25], which spans from (0,0) to (1,1). An ROC close to the upper left corner represents a better prediction performance.

Experimental results
This section reports and analyzes the experimental results by answering the research questions introduced in Section 4.1. In the dataset [7] considered in our evaluation, each user has assigned themselves to one of the following four groups: Privacy Conservative (Class 0), Unconcerned (Class 1), Fence-Sitter (Class 2), and Advanced User (Class 3). We investigate if the self-assessment is consistent, i.e., if all the users properly perceive their real privacy category. This is important since a proper self-clustering can be utilized in additional profiling activities.
We conducted evaluation using the conceived neural network as the classifier.
Such a technique has been successfully applied to classify various types of data, e.g., text [26], chemical patterns [27], metamodels [28], to name a few. Similarly, we use the privacy settings as features, and the labels specified by humans to train the classifier. We opt for the ten-fold cross validation technique [29], where the dataset is split into ten equal parts, and the evaluation is done in ten rounds. The evaluation metrics are computed on the test set, i.e., for each user the network predicts a label, which is then compared with the self-assessed label to evaluate the performance. Finally, ROC curves are sketched by combining the scores obtained from all the ten folds. achieves very low prediction performance on both configurations. In particular, the curves bend over the diagonal line, being close to a random guess. Moreover, the AUC values of the four categories are always lower than 0.65. In other words, we encounter negative results, where the neural network fails to predict a proper category for a user. These results suggest that there is noise in the training data [30], which could possibly be both in the features and the labels.
To confirm the hypothesis, we measure the similarity between each user and all the remaining others. Interestingly, we found out that 96.20% of the users have very similar users in completely different self-assessed categories. This demonstrates that while users share similar preferences, they classify themselves differently, causing a low prediction performance for the neural network.
Answer to RQ 1. The self-assessment given by users does not reflect their real privacy category: Users with highly similar settings perceive themselves as completely different groups. In practice, this means administrators should not rely on such a self-categorization, but have to perform privacy profiling on their own.

RQ 2: Which sets of questions are relevant for assessing privacy concerns?
As seen in RQ 1, the self-assessment given by users is not consistent, thus it is necessary to find another way to group users into clusters. We performed experiments on different subsets of the questionnaire to study the influence of each set on the clustering results. The ultimate aim is to identify a set of questions that helps classify users better. In particular, we are interested in analyzing the following groups of questions:
• QS 1: It is a set of question sets as follows: Domain specific (D); App related (A); Generic (G) and their combination (i.e., D+A+G) named COM. Furthermore, we also include the set G+AP2 where AP2 contains generalizable questions like "Do you believe the company providing this fitness tracker is trustworthy in handling your information?" Indeed, this is to ask if the company is trustworthy, and therefore we consider it as a general question. QS 1 permits comparing compactness and silhouette performances between a single set and combinations of all questions.
• QS 2: It is a set of question sets as follows: DP1, AP1, and GP1 that are the subsets of D, A, and G consisting only of privacy relevant questions, respectively. COM. is the union of the three subsets, i.e., COM. = DP1+AP1+GP1. QS 2 permits understanding the actual influence of the privacy-related questions.
• QS 3: It consists of subsets of generic questions G defined as follows: G1 are the questions related to disclosure of information about user's identity with the app; G2 the questions related to the time spent by the user in completing the survey; G3 the questions related to user's identity; G4 the questions related to disclosure of private information with the app; G5 the questions related to concerns about privacy. COM. is the combination of all the subsets, i.e., COM. = G1+G2+G3+G4+G5. QS 3 is to ascertain the influence of the generic questions with respect to the overall set of questions.
We compute and report for each set the corresponding compactness and silhouette scores.
Answer to RQ 2. According to the performed evaluation, generic questions plus generalizable ones (i.e., G+AP2) provide the best clustering solution.

RQ 3: To which extent is PisaRec able to utilize the obtained categorization in recommending relevant privacy settings to users?
An issue with clustering is that whenever there is a new user to be classified, it is necessary to re-run the whole process. This is a time-consuming phase, especially where there is a large number of users. Thus, we propose a more feasible way to assign new users to clusters, avoiding repetitive clustering. is much better compared to that before clustering in Figure 5 and Figure 6.
This suggests that properly clustering user profiles can substantially increase the neural network's prediction performance.
Next, we validate the performance of PisaRec as follows. We opted for the ten-fold cross validation technique [29], where the dataset is split into ten equal folds, and the evaluation is done in ten rounds. In each round, one fold is utilized for testing, and the other nine folds are merged to create the training data. In a testing fold, for each user, the features are split into two parts: one part is fed as query, and the remaining part is removed to be used as ground-truth data. The ratio of the number of settings used as query to the total number of settings is called α. This simulates a real scenario, where the user already specified some settings, and the system is expected to recommend the rest, corresponding to the ground-truth data. For each user, PisaRec returns a ranked list of N settings (N is configurable), and the evaluation metrics are computed on the test set as follows. The recommended items are then compared with the ground-truth data to evaluate the performance. Eventually, we average out the metrics obtained from the testing folds to produce the final results.
We experiment with different configurations by varying α; k, the number of neighbor users used for the computation; and N, the number of recommended items. In particular, α = {0.1, 0.3, 0.5}; k = {3, 5, 10, 15}; and N is varied from 1 to 50, simulating a real-world scenario where users have to set several settings.
The precision-recall curves are then sketched following these parameters.
As seen in Figure 9, when α = 0.1, i.e., only a small amount of data is used as query, PisaRec recommends relevant settings to users, however with considerably low precision and recall.For instance, when k = 3, a maximum precision of 0.52 is obtained and the maximum precision is 0.7 when k = 15.
Similarly, the recall scores are low, i.e., smaller than 0.4 by all the configurations.
Altogether, this implies a mediocre performance which is understandable as the configuration with α = 0.1 corresponds to the case where the user only specified a few settings, and the system has limited context to recommend additional settings. When we increase α to 0.3, there is an improvement in both precision and recall as in Figure 10, compared to the results obtained with α = 0.1 in Figure 9.
Precision scores are always larger than 0.55 in the configurations, with 0.80 being the maximum value. Similarly, we also see that recall scores are gradually improved. For instance, a maximum recall of 0. Such an improvement is more evident when α = 0.50, i.e., a half of the settings is used as query. In Figure 11, apart from some outliers, most of the precision scores are larger than 0.70, with 0.85 as the maximum value. Compared to the previous configurations with α = 0.1 and α = 0.3, the recall scores are also better, i.e., with a longer list of items, recall increases substantially. In particular, a recall of 0.73 is seen when k = 10 and k = 15.
Concerning the number of neighbors used for computing recommendations, i.e., k (see Section 3.3 and Formula 3), by considering Figure 9, Figure 10, and Figure 11 together, it is evident that adding more users for the computation contributes to a better prediction performance. For instance, by increasing k from 3 to 5, 10, and 15, we boost both precision and recall at all the cut-off values N.
Altogether, the experimental results show that even if users perceive their categories differently as shown in RQ 1, once we have identified their right privacy group PisaRec can exploit the categories to provide relevant settings to users, though the considered dataset is pretty small. We anticipate that its performance can be further enhanced, if there is more data for training.
Answer to RQ 3. PisaRec recommends highly relevant settings to a user, though there is limited amount of data available for training. The prediction performance improves alongside the amount of data fed as input.

Discussion
This section provides discussion related to the possible extensions of our work, as well as the threats to validity of our findings.

Extendability
Dataset. In our work, we utilized a small dataset for the evaluation. The amount of training data may impact the performance of both the clustering and classification phases. Moreover, as PisaRec is a collaborative-filtering recommender system, its performance is heavily driven by the quality and amount of data. We anticipate that we may need to calibrate the systems' parameters to maintain both timing efficiency and effectiveness with more data.
The unsupervised algorithm. In the scope of this paper, we used the K-Medoids algorithm to cluster the user profiles. Such a technique has been chosen due to its simplicity and effectiveness. In fact, several clustering algorithms could be employed to categorize user profiles. Thus, the outcome of a clustering solution depends heavily on the considered techniques. We plan to extend our work by considering other clustering algorithms, such as CLARA [31], or DBSCAN [32].
The supervised classifier. The neural network used to classify user profiles may be suitable only for the considered dataset. For a different dataset, it is necessary to find adequate network configurations employing an empirical evaluation. For instance, the number of hidden layers, or the number of neurons for each layer, should be considerably increased to deal with a larger number of user profiles.

Threats to validity
We are aware of some threats that might harm the validity of the performed experiments. They are presented as follows.
• Threats to construct validity are related to any factor that can compromise the validity of the given observations. The main threat to construct validity is related to the size of the analyzed data. The used dataset is indeed relatively small but has the advantage of coming from a recent work [7], thus reflecting users' contemporary privacy behaviors. More extensive experiments are being planned, encompassing other ethical dimensions beyond privacy.
• Concerning the threats to internal validity, i.e., any confounding factor that could influence our findings, we attempted to avoid any bias in the automatic creation of user profiles and in the way we split the full data into groups. We tried to mitigate this threat by semantically analyzing and double-checking the clusters obtained by the proposed approach.
• Concerning the threats to external validity, they are related to the generalizability of our results. This is about checking the adequacy of our privacy profiles in other contexts, notably, in the traveling or IoT domains. Generalizability is actually our initial driver for extracting privacy profiles from general moral questions. Thus, further experimental evidence is planned to support the results reported in this paper.

Related work
This section reviews the related work and their main characteristics to position our approach in the current scenario for eliciting, profiling, and predicting user privacy preferences.

Overview
The work presented in this paper has been done in the context of the design of the EXOSOUL research project, which aims at providing users with a personalized software layer that mediates users' interactions with the digital world according to the user's ethics, including privacy preferences [33,13].
According to various studies [34,35], the vast majority of users do not bother to read privacy agreements because of the excessive language and confusing explanations [36,37,38,39]; it is also unreasonable to expect they will read them on a regular basis [40]. Resignation from privacy choices may also be a result of their dissatisfaction with the lack of options and excessive complexity [41].
Privacy profiling is at the core of our work; therefore, most related studies are on user clustering, privacy profiling, and privacy preference settings. The greater part of existing studies about privacy profiling builds on the work of Westin [1]. Based on a series of privacy-related surveys, the author established "Privacy Indexes" for most of these polls to summarize results, indicate trends in privacy concerns, and suggest a widely recognized segmentation methodology of "Privacy Profiles." The methodology he applied classifies people into three categories: privacy fundamentalists, pragmatists, and unconcerned. Because of the commercial nature of Westin's surveys, the methodology and the details of how privacy indexes were calculated are not fully disclosed, so we rely on subsequent works [2] that deeply analyzed and reported them.
Westin Segmentation, and particularly the pragmatism adherence of the consumers were criticized by the work of Hoofnagle and Urban [42,43] [? ], users may also be identified by their data profiles created by their device based on time and events: researchers gathered information on how and when people use their networked devices, recording the time period in which a user interacts or transmits data and the specific place.For the sake of interpreting their findings, the researchers took into account three distinct sorts of events: voice calls, texts, and data transfers, as well as combinations of these.
The findings showed that the profiles studied may be used to identify the user.

Automating privacy settings
Concerning automating privacy preferences settings, the closest approach is by Liu et al. [6,8] and by the Personalized Privacy Assistant Project team [23].
Their approach employs user categorizations that are obtained by mining existing privacy settings in the app domain, complemented with an initial dialogue with the user to select the appropriate profile. Our approach is also based on privacy profiles. However, they are obtained by analyzing data resulting from questions that relate to the user's ethics and are not concerned with any specific domain.
Wilson et al. [44] identified the impact of privacy profiles on the preferences, sharing inclinations, and overall satisfaction levels of users of location-sharing apps. Their findings demonstrate that privacy profiles for location sharing settings can have a long-lasting impact on how users perceive their privacy, even in the face of ongoing opportunities to reflect on the sharing outcomes that result from their chosen settings. This implies that attempts to simplify privacy settings should be performed with caution since such simplicity may easily impact the people with whom the settings are intended to interact and educate.
Brandimarte et al. [45] investigated the concept that giving people a greater sense of control over the release and access to private information, even information that enables them to be personally identified, would improve their willingness to provide sensitive information. If their desire to reveal adequately rises, this control may, counter-intuitively, result in being more slack.
In their research, participants in a publication were informed that a profile comprising their information would be produced automatically and published online once the website was finished. Other participants were informed that only half of their profiles would be published online. The uncertain publishing condition was designed to reduce participants' sense of control over the public distribution of their survey responses without actually decreasing access by others. Their theories predicted that decreasing control would limit the desire to reveal in the uncertain publishing condition, notwithstanding lower external costs or hazards. According to the researchers' results, if individuals behave in a sufficiently offsetting manner, devices supposed to safeguard them might instead end up worsening the hazards they confront.

Surveys and regulations
Based on previous research in survey technique and related domains, Redmiles et al. [46] provide a set of important recommendations for conducting self-report usability studies. There are established criteria and suggestions for collecting good quality self-report data in other sectors that depend on self-report data, such as health and social sciences. We used this information as a guideline for selecting and refining question groups.
As discussed by Emami-Naeini et al. [47], surveys and interviews can be administered with consolidated methodologies like the Delphi Method. This method is "a method for the systematic solicitation and collection of judgments on a particular topic through a set of carefully designed sequential questionnaires interspersed with summarized information and feedback of opinions derived from earlier responses" [48]. Using a three-round Delphi process, the authors conducted an expert elicitation study with 22 privacy and security experts to identify the factors that experts believe are important for consumers to consider when comparing the privacy and security of IoT devices to inform their purchase decisions. The same methodology could be used to elicit preferences from the users.
Considering the research theme, we took into account the General Data Protection Regulation (GDPR) [49], the document that governs the storing, processing, and use of personal data by the European Union (EU) as of May 25, 2018. Even if not based in the EU, the GDPR applies to all third parties that operate in the EU market or access the data of EU citizens.

Conclusion and future work
This paper proposes a holistic approach consisting of both supervised and unsupervised learning to identify privacy profiles. By finding a set of questions suitable for assessing privacy profiles, we recommend relevant privacy preferences to users. An empirical study on the proposed system using a fitness dataset shows that generic questions are suitable for categorizing user profiles and recommending privacy settings. For future work, besides developing further experimental evidence supporting the results reported in this paper, we will work in the direction of building user profiles that cover other ethical dimensions beyond privacy. Last but not least, in the scope of the Exosoul project, we will deploy the conceived techniques to analyze data collected from users, studying the characteristics of users' behaviors and their attitudes in the digital world.

Figure 2: Graph representation of users and privacy settings.

3 G
from the D and the A sets (DP1+AP1) 188 Generic G Generic questions not specifically related to the domain (fitness) or the application/software context (mobile app) G set consisting of questions related to the disclosure of information about user's identity with the app 35 G Data 2 G2 Data concerning the time spent by the users to answer the questionnaire, play with the simulator, and the sum of the two Subset 3 G3 Subset of the G set consisting of questions related to the user's identity 19 G Subset 4 G4 Subset of the G set consisting of questions related to the disclosure of private information with the app 56 G Subset 5 G5 Subset of the G set consisting of questions related to the concerns about privacy 16 Full dataset DATA Data collected with the questionnaire and the simulator (D+A+G )

5.1. RQ 1: How well does the users' self-assessment reflect their privacy category?

Figure 6: ROC curves with domain specific questions.

Figure 5 and Figure 6 depict the ROC curves obtained from the classification results for generic and domain specific questions. It is evident that the classifier
(a) Compactness for QS 1 (b) Silhouette for QS 1 (c) Compactness for QS 2 (d) Silhouette for QS 2 (e) Compactness for QS 3 (f) Silhouette for QS 3.

Figure 7(a), Figure 7(c), and Figure 7(e) report the compactness scores computed for the three question sets. As can be seen in Figure 7(a), using A as input yields the most compact clusters. In particular, most of the scores are smaller than 40. When domain specific questions (D) are used as the features, we also obtain low compactness scores, albeit larger than when using A. If only generic questions, i.e., G, are utilized, worse clustering solutions are seen. When comparing the results obtained by using G with those of using G+AP2, we can see that adding AP2 to G contributes to a better clustering. Concerning QS 2, where only privacy relevant questions are considered, we see that using domain specific privacy relevant questions (DP1) allows us to gain the most discriminative clusters. Using the subset of privacy relevant questions, i.e., AP1, is also beneficial to the clustering of user profiles. For QS 3, there are comparable clustering solutions when using the feature sets G1, G3, G4, and G5. The best clustering is obtained with G2. The silhouette scores in Figure 7(b), Figure 7(d), and Figure 7(f) further reinforce the compactness ones. A is the feature set that achieves the best silhouette for QS 1. Adding AP2 to G helps achieve a better clustering solution, compared to using only G.

Table 1: Privacy categories according to different taxonomies (listed in chronological order).

Assisted Selection of Privacy Preferences
Marginally concerned, Amateurs, Technicians, Lazy Experts, and Moral right. Schairer et al. [15] came up with even more, i.e., six categories, where the answer Little is split into Nothing to hide, and Something to hide; and Quite is made of Trade-off, and Personal [14]ed, Pragmatists, and Fundamentalist. Since then, there have been other studies that follow up and develop this initial taxonomy. In particular, Dupre et al. [14] expanded it proposing five categories:

Table 2: Summary of the dataset.

Table 1 .
[14]ee et al. [14] analyzed data from surveys and participant interviews; the authors identified five user clusters that emerge from end-user behaviors, including Fundamentalists, Lazy Experts, Technicians, Amateurs and the Marginally Concerned. Schairer et al. [15] presented a model of privacy disposition and its development based on qualitative research on privacy considerations in the context of emerging health technologies. The authors identified six clusters, including Fatalism, Nothing to hide, Something to hide, Tradeoff, Personal responsibility, Moral right. In the research proposed by Sanchez et al. [7], the authors presented the results of a fitness-related simulation and questionnaire to classify users according to their privacy-related preferences. They used two different sets of labels for their clusters, one for the computed privacy-profile assignment consisting of six groups and one for the self-assessment they proposed to the users consisting of four groups. The first clusters were labeled as: Unconcerned, Socially Active, Health-focused, Minimal, Anonymous, Strict. The second clusters were labeled as: Privacy Conservative, Unconcerned, Fence-Sitter,