Enhance Privacy Awareness by Communicating Privacy Risks
Problem Summary
Users face significant privacy risks due to the widespread sharing of personal information across multiple online platforms. These risks are often compounded by a lack of awareness and understanding of how others can access and use shared information. The problem is further exacerbated by the complexity of managing privacy settings and the difficulty in quantifying the potential privacy leakage associated with their online activities.
Rationale
By quantifying privacy risks and providing actionable insights through user-friendly interfaces, users are empowered to make informed decisions about their information-sharing activities. Continuous monitoring and feedback mechanisms help ensure the ongoing protection of personal data, addressing the complexity and dynamic nature of privacy management in online platforms and enhancing user awareness of privacy by estimating their privacy risk online.
Solution
The guideline enhances user awareness and control over their privacy by providing quantifiable metrics and actionable insights into their privacy status and potential risks, using interactive and visual tools to raise privacy awareness. Collectively, all the papers address the problem of users facing significant privacy risks from sharing personal information on online platforms by developing tools and frameworks that enhance awareness and understanding of privacy implications. These solutions employ interactive visualisations and user-centric designs to make privacy risks more transparent and comprehensible. By offering quantifiable metrics and detailed insights into privacy leakage, they help users navigate the complexity of managing privacy settings and make more informed decisions. Additionally, these tools provide feedback and visual aids, empowering users to better understand how their information can be accessed and used by others.
Liu and Terzi [1] proposed a framework to compute a user's privacy score in online social networks, highlighting potential privacy risks associated with information-sharing activities. This approach evaluates privacy risk based on two dimensions: the sensitivity of shared information and its visibility within the network. The framework employs mathematical models to quantify both aspects and integrates them to calculate the overall privacy score. This score aids in privacy risk monitoring, recommends privacy settings, and serves as a tool for social studies. The implementation involves mathematical models drawing from Item Response Theory (IRT) and Information Propagation (IP) models.
Pensa and Di Blasi [2] build on the work of Liu and Terzi [1] with a circle-based privacy score that enhances user privacy in online social networks.
This score is designed to reflect the privacy leakage risk by allowing users to specify which friends can see each profile item or post rather than relying on broad, separation-based privacy settings like "friends" or "public."
The study introduced an active learning approach to reduce the burden on users of manually setting visibility for each item and friend. This method minimises user intervention by intelligently predicting privacy preferences for profile items based on a subset of manually labelled data.
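To make the two scoring dimensions concrete, the following Python snippet is an added illustration (not code from [1] or [2]): it scores a user from a constructed item-by-user response matrix, first with the coarse public/hidden visibility and then with a circle-based visibility in which each item has its own friend audience, and reports which items drive the score. The specific formulas (sensitivity as the share of users who hide an item, score as the sum of sensitivity times visibility) are a simplified construction for this example, not the papers' exact models.

```python
"""Added illustration of sensitivity x visibility privacy scoring.

R is a response matrix with one row per profile item and one column per user;
R[i][j] == 1 means user j exposes item i. The formulas are a simplified
construction (an assumption of this example, not the cited papers' models):
  sensitivity  beta_i = share of users who hide item i
  visibility   V(i,j) = how exposed item i of user j is, in [0, 1]
  score        PR(j)  = sum_i beta_i * V(i,j)
Two visibility variants are shown: the binary public/hidden setting and the
circle-based one, in which V is the fraction of the user's friends allowed
to see the item.
"""
from typing import Dict, List, Set, Tuple, Union

# Constructed sample data: 5 profile items, 6 users (column index = user id).
ITEMS = ["name", "hometown", "employer", "phone", "home_address"]
R = [
    [1, 1, 1, 1, 1, 1],  # name: everybody exposes it
    [1, 1, 1, 0, 1, 0],  # hometown
    [1, 0, 1, 0, 0, 1],  # employer
    [0, 0, 1, 0, 0, 0],  # phone: rarely exposed, hence sensitive
    [0, 0, 0, 0, 0, 1],  # home_address
]
Audience = Union[str, Set[str]]  # "public" or an explicit set of friend ids


def sensitivity(matrix: List[List[int]]) -> List[float]:
    """beta_i: fraction of users hiding item i (0 = nobody hides it, 1 = everyone does)."""
    n_users = len(matrix[0])
    return [1.0 - sum(row) / n_users for row in matrix]


def visibility_binary(matrix: List[List[int]], user: int) -> List[float]:
    """Coarse public/hidden visibility: the user's own column of R."""
    return [float(row[user]) for row in matrix]


def visibility_circles(audiences: Dict[str, Audience], friends: Set[str]) -> List[float]:
    """Circle-based visibility: share of the user's friends allowed to see each item.
    'public' counts as fully visible; with no friends a custom circle exposes nothing."""
    vis = []
    for item in ITEMS:
        aud = audiences.get(item, set())
        if aud == "public":
            vis.append(1.0)
        elif not friends:
            vis.append(0.0)
        else:
            vis.append(len(aud & friends) / len(friends))
    return vis


def privacy_score(beta: List[float], vis: List[float]) -> Tuple[float, Dict[str, float]]:
    """PR = sum_i beta_i * V_i, plus each item's contribution for user feedback."""
    contrib = {ITEMS[i]: beta[i] * vis[i] for i in range(len(ITEMS))}
    return sum(contrib.values()), contrib


def top_contributors(contrib: Dict[str, float], limit: int = 3) -> List[Tuple[str, float]]:
    """Items driving the score most: the basis for 'tighten this setting' advice."""
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    return [(item, value) for item, value in ranked if value > 0][:limit]


if __name__ == "__main__":
    beta = sensitivity(R)
    user = 2
    total, contrib = privacy_score(beta, visibility_binary(R, user))
    print(f"user {user} binary-visibility score: {total:.3f}", top_contributors(contrib))
    friends = {"ana", "bo", "cy", "di"}  # constructed friend list for user 2
    audiences = {"name": "public", "hometown": set(friends),
                 "employer": {"ana", "bo"}, "phone": {"ana"}, "home_address": set()}
    total_c, contrib_c = privacy_score(beta, visibility_circles(audiences, friends))
    print(f"user {user} circle-based score: {total_c:.3f}", top_contributors(contrib_c))
```

With the sample data the same user scores 1.667 under binary visibility (driven by the rarely shared phone number) but 0.792 once per-item circles restrict the audience, which is the granularity gain the circle-based score is meant to capture.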
While Liu and Terzi [1] and Pensa and Di Blasi [2] propose privacy score calculations to assess and mitigate privacy risks based on users' information-sharing behaviours and the network structure of a single network, Yoshikuni and Watanabe [3] focus on the potential exposure from linking multiple accounts across different platforms, i.e., cross-account identification.
The authors introduced the concept of account reachability (AR) to measure privacy risk. AR quantifies the likelihood that a stranger can find a user’s private account based on information in their public account.
A tool named ARChecker implements the account reachability concept. It simulates the process a cyberstalker might use to find a user's private account from their public account by evaluating profiles and messages. The tool provides users with advice on how to modify their profiles and messages to decrease their privacy risk. ARChecker uses visualisations, such as human icons and word clouds, to help users intuitively understand their privacy risk and see which keywords are contributing to their AR value.
Aghasian et al. [4] focused on quantifying users' privacy on online social networks by calculating a Privacy Disclosure Score (PDS) based on shared information across multiple platforms. This approach considers two primary factors: the sensitivity and visibility of the shared information.
The process involves gathering data from various social networking sites to analyse users' attributes, such as contact numbers, email addresses, job details, and interests. The sensitivity of each attribute is measured alongside its visibility, which encompasses accessibility to the information, the difficulty of data extraction, and the data's reliability.
The paper employs fuzzy-based modelling methods to handle the complexity arising from multiple data sources and varying visibility states of user attributes. These methods allow for a nuanced calculation of the PDS by incorporating the fuzziness associated with the privacy implications of shared information. The outcome provides users with a quantifiable measure of their privacy exposure, enabling them to make informed decisions about their online sharing practices.
Aghasian et al. [4] evaluate their approach against the privacy scoring model by Liu and Terzi [1], highlighting the differences in privacy risk assessment when considering information disclosed across multiple social networking sites. This comparison aims to demonstrate the effectiveness and accuracy of their method in providing a more comprehensive privacy disclosure score by incorporating data from various online social networks, thereby addressing the limitations of single-source assessments as indicated by Liu and Terzi's work.
Kökciyan and Yolum [5] present PriGuardTool, a web-based tool designed to detect privacy violations in online social networks using a semantic approach. It represents users' privacy concerns as commitments between the user and the OSN, monitoring these commitments to identify both explicit and implicit privacy breaches. The tool leverages ontologies to model social network data and employs a user-friendly interface where users can specify privacy preferences and receive feedback on potential violations. PriGuardTool helps users manage their privacy by providing actionable insights and recommendations to mitigate identified risks, ensuring continuous privacy protection.
Liu et al. [6] introduce PriMe, a human-centric privacy measurement tool for mobile participatory sensing systems. PriMe quantifies privacy risks by combining intrinsic sensitivity (individual user preferences) and extrinsic sensitivity (specific data items and scenarios) using a model inspired by the Rasch Model. It provides personalised privacy risk assessments, helping users make informed decisions about data sharing.
Gisch, De Luca and Blanchebarbe [7] introduce the Privacy Badge, a user interface designed to enhance privacy awareness on mobile devices. The Privacy Badge uses visual indicators such as icons and colour codes to represent different levels of privacy risk, providing users with immediate, at-a-glance information about their privacy status. Users can interact with the Privacy Badge to access detailed information and adjust their privacy settings directly through the interface. This tool helps users become more aware of their privacy settings and make informed decisions about data sharing.
Aktypi, Nurse and Goldsmith [8] introduce an interactive tool designed to help users understand privacy risks associated with sharing data on fitness trackers and online social networks (OSNs). The tool visualises how personal data from these sources can be correlated and exploited, raising user awareness of potential identity exposure. The authors also developed a taxonomy of identity attributes, facilitating the analysis of digital footprints and privacy violations.
Kani-Zabihi and Helmhout [9] present the concept of On-line Interactive (OI) privacy features - interactive tools, components, or user interfaces that create privacy awareness and help users understand their online privacy risks.
Key contributions include the development of a Social Translucence Map, which visualises the flow of personal information, a Privacy Enquiry Tool for real-time privacy discussions with service providers, and a Discussion Forum for user-generated privacy FAQs.
Prange et al. [10] introduce PriView, a system designed to enhance user awareness of potential privacy intrusions from surrounding devices in various environments. The paper explores different visualisation methods to indicate the presence and activity of sensors (e.g., cameras, microphones) in users' vicinities using a mobile application and a head-mounted display (HMD).
Guo et al. [11] introduce an interactive visualisation system for federated learning (FL) to enhance user privacy awareness. The system allows data owners to inspect and adjust privacy settings interactively, visualising risks from potential attacks like data reconstruction and membership inference. The system helps users balance privacy protection with model performance by integrating differential privacy techniques and model unlearning mechanisms.
Bal, Rannenberg and Hong [12] introduce Styx, a privacy risk communication system for Android that evaluates privacy risks from a long-term perspective. The paper introduces the concept of second-order privacy risks, which considers the long-term data-access behaviour of apps and the potential impact of user profiling and data mining on user privacy. Styx is designed to provide real-time privacy risk communication based on the second-order privacy risk perspective. The system uses privacy-impacting behavioural patterns (PIBP) to model long-term data-access behaviour associated with specific privacy threats.
Fung, Rashidi and Motti [13] introduced a novel multi-view model for permission notifications that enhances user understanding and decision-making regarding app permissions. The multi-view model incorporates Control Theory to ensure consistency across views tailored to different user knowledge levels. A chain of control units was developed, each responsible for producing one of the multi-view interfaces. It tailors the presentation of privacy risks based on users' knowledge levels, offering customised interfaces with varying granularity, intricacy, and co-equality. These interfaces range from detailed app activity logs for expert users to simplified risk assessments for novices. Additionally, the model incorporates a user preference system, allowing individuals to select or automatically be assigned views that best match their understanding and comfort level. Beyond information presentation, the solution suggests actionable user recommendations, providing a nuanced approach to app permission management. Actions vary from simple permission denial to app uninstallation, depending on the app's assessed risk level.
Lin et al. [14] presented a mechanism called REMIND to estimate the risk of privacy breaches when sharing images on social networks. REMIND uses a probabilistic model to evaluate the likelihood of unwanted image disclosure based on various factors, including user behaviour and image content. The system provides reminders and suggestions for revising privacy settings to mitigate potential risks.
Platforms: personal computers, mobile devices, smart devices
Related guidelines: Promote User Awareness and Decision-Making on Permission/Authorisation Requests, Encourage Users to Consider Privacy Implications Before Sharing Online, Communicate Privacy Risk with Colour-Coded Privacy Indicators, Implement User-Customisable Multi-View Privacy Notifications
Example
Interface of the ARChecker [3].
Top: Users input their privacy concerns via the PriGuardTool interface to detect privacy violations on Facebook. Bottom: The user receives notifications of privacy violations and can request post modifications or removals [5].
Left: The badge features concentric rings, with less important data placed further from the centre, symbolising data importance. Middle: Preferences view, data type on the left and service view on the right. Right: Service-centred view [7].
Excerpt of identified inferences and risks [8].
Screenshots of the proof-of-concept version of Styx [12].
Privacy notification view details are reduced from left to bottom right, accounting for different user visualisation choices [13].
Use cases
- Making users more aware of privacy risks, thus leading to more cautious information sharing and better privacy protection.
- Making users gain a deeper understanding of their privacy risks over time, enabling them to make informed decisions and maintain better control over their personal data.
Pros
- By considering both the sensitivity of shared information and the visibility within the network, the paper provides a thorough approach to assessing privacy risk, capturing nuances that traditional privacy settings might overlook. Additionally, the methodology for computing privacy scores is designed to be container-independent, making scores comparable across different social networks and scalable for broad applications. Also, the study utilises both synthetic and real-world datasets for validation [1]. Models such as REMIND [14] can be seamlessly applied to various types of co-owned or co-managed content in online social networks, extending beyond just images.
- The circle-based privacy score allows users to have granular control over who can see their profile items or posts, addressing the nuanced privacy preferences of individuals in a social network. Also, by leveraging an active learning approach, the paper significantly reduces the amount of manual input required from users to set privacy preferences. Additionally, the proposed method fosters privacy awareness among social network users, encouraging them to make more informed decisions about their privacy settings. It was also empirically validated through an online survey with actual Facebook users, providing evidence of its effectiveness and practical utility in improving privacy management on social networks [2].
- Raises awareness about the potential risks of having multiple interconnected social media accounts and the importance of managing them to safeguard privacy. Additionally, it empowers users by providing insights on protecting their privacy through modifications to their profiles and messages [3].
- Incorporates data from multiple social networks for a comprehensive risk assessment. It improves user awareness about their online privacy exposure and offers a quantifiable score to guide privacy management decisions [4].
- Similar to virus checks, PriGuardTool detects both explicit and implicit privacy violations using semantic rules and ontologies [5].
- The tool received positive feedback, with participants expressing a willingness to continue using it and recommend it to others. It helped users, even those aware of potential risks, to better understand the specific privacy risks associated with wearables through clear visual illustrations. Users appreciated the tool's ability to interpret information and show risks from multiple online sources, providing a more comprehensive view of potential privacy threats [8].
- The PriMe tool was validated with real-world users, demonstrating its accuracy and user acceptance [6]. User studies also demonstrated the effectiveness of Privacy Badge and PriView in raising privacy awareness and aiding privacy management [7][10].
- Study results showed that privacy risk information provided by Styx improves the comprehensibility of privacy risks and aids users in comparing different apps regarding their privacy properties [12].
- Users can choose the view they most understand and are more comfortable with. Additionally, the solution provides actionable insights by recommending specific actions (like block, deny, uninstall) based on the assessed risk level of an app. This approach not only informs users about potential risks but also guides them on how to mitigate these risks, enhancing user security and privacy protection [13].
- User evaluations showed high acceptance, with most participants recognising the system's benefits and increasing their willingness to contribute data to FL [11].
Cons
- While effective, the mathematical models and algorithms used to compute privacy scores might be complex for average social network users to understand or engage with directly. Also, users might over-rely on the computed privacy score as a comprehensive measure of privacy risk, potentially neglecting other aspects of privacy not captured by the score. Additionally, implementing this framework across various social networking platforms requires cooperation from these platforms. It might face resistance due to the complexity and potential changes to existing privacy settings and policies [1].
- Limited API access on online platforms such as Facebook restricts the user information the tool can obtain, limiting its effectiveness [5].
- Collecting the necessary training data for visualisations, such as photos for computer vision techniques, is time-consuming and effort-intensive. Also, collecting and visualising information must be done to preserve the privacy of device owners, recorded users, and bystanders. Additionally, determining which information is relevant for users in specific situations remains a complex task [10].
- While the active learning approach reduces user burden, the initial setup and understanding of circle-based privacy scores might still be complex for average users unfamiliar with privacy management concepts. The effectiveness of the proposed privacy score relies on user participation in the initial data collection phase, which may be less effective for users who are less engaged or unwilling to participate. Additionally, despite being validated in a controlled experiment, the approach may face scalability challenges when deployed across a social network's entire user base, particularly in networks with billions of users. Implementing the circle-based privacy score also requires social networks to adapt their privacy policy settings, which may encounter resistance or technical challenges on existing platforms [2].
- Despite the intention to cater to different user expertise levels, there's a risk of information overload, particularly for users who might find multiple views and detailed action recommendations overwhelming. This could lead to decision fatigue, where users may default to simpler but less secure choices. Also, the effectiveness of the multi-view model heavily relies on users actively engaging with and understanding the different views and recommended actions. There's a possibility that users might not invest the time to explore and switch between views, reducing the system's overall impact on privacy and security decision-making [13].
- The effects of the second-order privacy risk communication were investigated in a limited context with only a partial implementation of Styx [12].
- It relies on users' willingness to report or link their social media profiles accurately. It also potentially has high computational requirements for real-time scoring [4].
- The evaluation primarily focuses on Twitter and Facebook, potentially overlooking privacy dynamics in other popular or emerging social networking platforms. Additionally, ARChecker's effectiveness depends on users' willingness and ability to understand and act on the provided recommendations [3].
Privacy Notices
This guideline is best aligned with the design space for privacy notices [15], as the guideline focuses on effectively communicating privacy risks to users. Considering the design space for privacy notices, this guideline can be applied to the following dimensions:
- Just in time
This guideline can also be applied to provide real-time alerts and notifications when users are about to share personal information or when a privacy risk is detected. This ensures that users can make informed decisions in the context of their current actions.
- On demand
The proposed guideline can be used to present a privacy notice to users when they actively seek privacy information and risk assessments. For example, a privacy dashboard where users can review and adjust their privacy settings as needed.
- Decoupled
This guideline can be applied to privacy notices decoupled from privacy choices.
- Non-blocking
This guideline can be coupled with non-blocking controls (privacy choices), providing control options without forcing user interaction.
- Blocking
This guideline can be paired with blocking controls (privacy choices), requiring users to make decisions or give consent based on the information in the notice.
- Visual
Privacy notices in this sub-dimension are delivered visually, including text, images, icons, and signage. Using clear and intuitive visual elements to communicate privacy risks and options ensures that users can quickly and easily grasp the information presented.
- Primary
This guideline is primarily applied to the platform the user interacts with. Integrating privacy risk communication directly into the user interface of websites, mobile apps, or other primary interaction platforms ensures that users receive pertinent information in context.
- Secondary
This guideline can be applied to secondary channels if the primary channel does not have an interface or has a limited one. Companion apps, emails, or secondary websites that support and extend the primary interaction, providing further details or options for privacy management.
Transparency
The guideline aims to make the processes and implications of data sharing more transparent to users by enhancing privacy awareness through communication of privacy risks, thus promoting Transparency [16]. Other related privacy attributes:
- By increasing awareness of privacy risks, users gain better control over their data-sharing decisions and can manage their privacy settings more effectively.
- Clear communication of privacy risks makes it easier for users to understand and enforce their privacy rights, holding service providers accountable for protecting their data.
References
[1] Kun Liu and Evimaria Terzi. A Framework for Computing the Privacy Scores of Users in Online Social Networks. ACM Trans. Knowl. Discov. Data 5, 1, Article 6 (December 2010), 30 pages. https://doi.org/10.1145/1870096.1870102
[2] Ruggero G. Pensa and Gianpiero Di Blasi. A Semi-supervised Approach to Measuring User Privacy in Online Social Networks. In: Calders, T., Ceci, M., Malerba, D. (eds) Discovery Science. DS 2016. Lecture Notes in Computer Science, vol 9956. Springer, Cham. https://doi.org/10.1007/978-3-319-46307-0_25
[3] Ayano Yoshikuni and Chiemi Watanabe. Calculation of account reachability risk for users having multiple SNS accounts from user's profile and regional information. International Journal of Web Information Systems 11, no. 1, 2015, 120-138. https://doi.org/10.1108/IJWIS-03-2014-0010
[4] Erfan Aghasian, Saurabh Garg, Longxiang Gao, Shui Yu, James Montgomery. Scoring users’ privacy disclosure across multiple online social networks. IEEE Access. 2017, Jun 27, vol. 5, p. 13118-30. https://doi.org/10.1109/ACCESS.2017.2720187
[5] Nadin Kökciyan and Pınar Yolum (2016). PriGuardTool: A Web-Based Tool to Detect Privacy Violations Semantically. In Engineering Multi-Agent Systems: 4th International Workshop, EMAS 2016, Singapore, Singapore, May 9-10, 2016, Revised, Selected, and Invited Papers 4 (pp. 81-98). Springer International Publishing. https://doi.org/10.1007/978-3-319-50983-9_5
[6] Rui Liu, Jiannong Cao, Sebastian VanSyckel and Wenyu Gao (2016). PriMe: Human-centric Privacy Measurement based on User Preferences towards Data Sharing in Mobile Participatory Sensing Systems. In IEEE International Conference on Pervasive Computing and Communications (PerCom), Sydney, NSW, Australia, 2016, pp. 1-8. https://doi.org/10.1109/PERCOM.2016.7456518
[7] Martin Gisch, Alexander De Luca, and Markus Blanchebarbe (2007). The privacy badge: a privacy-awareness user interface for small devices. In Proceedings of the 4th international conference on mobile technology, applications, and systems and the 1st international symposium on Computer human interaction in mobile technology (Mobility '07). https://doi.org/10.1145/1378063.1378159
[8] Angeliki Aktypi, Jason R.C. Nurse, and Michael Goldsmith (2017). Unwinding Ariadne's Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks. In Proceedings of the 2017 on Multimedia Privacy and Security (MPS '17). Association for Computing Machinery, New York, NY, USA, 1–11. https://doi.org/10.1145/3137616.3137617
[9] Elahe Kani-Zabihi and Martin Helmhout (2012). Increasing Service Users’ Privacy Awareness by Introducing On-Line Interactive Privacy Features. In Information Security Technology for Applications: 16th Nordic Conference on Secure IT Systems, NordSec 2011, Tallinn, Estonia, October 26-28, 2011, Revised Selected Papers 16 (pp. 131-148). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-29615-4_10
[10] Sarah Prange, Ahmed Shams, Robin Piening, Yomna Abdelrahman, and Florian Alt (2021). PriView – Exploring Visualisations to Support Users' Privacy Awareness. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (CHI '21). Association for Computing Machinery, New York, NY, USA, Article 69, 1–18. https://doi.org/10.1145/3411764.3445067
[11] Yeting Guo, Fang Liu, Tongqing Zhou, Zhiping Cai and Nong Xiao (2023). Seeing is believing: Towards interactive visual exploration of data privacy in federated learning. Information Processing & Management, 60(2), 103162. https://doi.org/10.1016/j.ipm.2022.103162
[12] Gökhan Bal, Kai Rannenberg, and Jason I. Hong (2015). Styx: Privacy risk communication for the Android smartphone platform based on apps' data-access behavior patterns. Computers & Security, vol. 53, pages 187-202, 2015. https://doi.org/10.1016/j.cose.2015.04.004
[13] Carol Fung, Bahman Rashidi, and Vivian Genaro Motti (2019). Multi-View Permission Risk Notification for Smartphone System. J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl. 10.1 (2019): 42-57. https://isyou.info/jowua/papers/jowua-v10n1-3.pdf
[14] Dan Lin, Douglas Steiert, Joshua Morris, Anna Squicciarini, and Jianping Fan (2019). REMIND: Risk Estimation Mechanism for Images in Network Distribution. In IEEE Transactions on Information Forensics and Security, vol. 15, pp. 539-552, 2020. https://doi.org/10.1109/TIFS.2019.2924853
[15] Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015). [S.l.: s.n.], p. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf
[16] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288