Analyzing Privacy Policies Using Contextual Integrity Annotations

Shvartzshnaider, Yan; Apthorpe, Noah; Feamster, Nick; Nissenbaum, Helen

doi:10.2139/ssrn.3244876

Cited by 7 publications

(8 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this study, we instead evaluate privacy policies using the lens of contextual integrity (CI) framework, which creates a more objective evaluation. The CI framework has been applied in numerous contexts, such as analyzing online platform privacy policies, 10,17–20 examining privacy regulations, 21 designing IoT platform permission models, 22,23 and evaluating healthcare surveillance technologies 24 . The efficacy of CI theory in evaluating privacy policy statements has been demonstrated in Reference 10.…”

Section: Related Workmentioning

confidence: 99%

“…CI provides a structured approach for identifying problematic statements in privacy policies that may hinder readers' understanding and assessment of a company's data collection practices. These statements may be deficient in relevant contextual details, contain ambiguous language, or describe information sharing in ways that can be interpreted in multiple ways 10 . Therefore, CI analysis allows us not only to detect incomplete information flows that lack relevant contextual information, but also to identify flows that are hindered by ambiguous language.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Comprehensive evaluation of privacy policies using the contextual integrity framework

Ghahremani,

Nguyen

2024

Security and Privacy

View full text Add to dashboard Cite

Online privacy policies are often lengthy and difficult to understand. This may lead many users to avoid reading them despite increasing concerns about how their personal information is managed. This article presents a structured approach to evaluate the transparency and comprehensiveness of privacy policies using a comprehensive set of evaluation questions within the contextual integrity (CI) framework. We use these questions to identify policies' responses to key privacy concerns. Applying the CI framework, we analyze the clarity and context of these responses, identifying any vagueness and contextual issues that could impede a user's understanding of the privacy policy. Using the CI analysis, we quantify the quality of policies' responses, thereby enabling users to make informed decisions about online services or products. We apply our methodology to two popular messaging apps, Telegram and WhatsApp, using them as case studies to systematically uncover the strengths and weaknesses of their privacy policies. The findings demonstrate that our proposed methodology can effectively identify transparency issues and assess the comprehensiveness of privacy policies. This suggests that our approach could serve as a practical alternative to subjective evaluations typically conducted by privacy experts.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Comprehensive evaluation of privacy policies using the contextual integrity framework

Ghahremani,

Nguyen

2024

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Another line of prior work focuses specifically on studying how factors such as vague wording, lack of context, ambiguous words and phrases, and internal contradictions contribute to a lack of reader comprehension [4,19,33,35,36]. Kumar [19] studied 23 policies from major telecommunications companies, finding that "vague or unclear language hinders comprehension of company practice" and inhibits users from making informed choices about whether or not to engage in business with a company.…”

Section: Policy Specificitymentioning

confidence: 99%

Defining Privacy: How Users Interpret Technical Terms in Privacy Policies

Tang

Shoemaker

Lerner

et al. 2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Recent privacy regulations such as GDPR and CCPA have emphasized the need for transparent, understandable privacy policies. This work investigates the role technical terms play in policy transparency. We identify potentially misunderstood technical terms that appear in privacy policies through a survey of current privacy policies and a pilot user study. We then run a user study on Amazon Mechanical Turk to evaluate whether users can accurately define these technical terms, to identify commonly held misconceptions, and to investigate how the use of technical terms affects users’ comfort with privacy policies. We find that technical terms are broadly misunderstood and that particular misconceptions are common. We also find that the use of technical terms affects users’ comfort with various privacy policies and their reported likeliness to accept those policies. We conclude that current use of technical terms in privacy policies poses a challenge to policy transparency and user privacy, and that companies should take steps to mitigate this effect.

show abstract

“…It is clear from the data presented that gaps do exist when it comes to staff awareness of cyber security and policies put in place to protect information. Another technology giant, Facebook, was forced to change their privacy law because of the GDPR and the Cambridge Analytica debacle (Shvartzshnaider, Apthorpe, Feamster, & Nissenbaum, 2018). Low awareness levels among staff constitute a risk and is therefore deemed a challenge when seeking full compliance to the POPI Act.…”

Section: Staff and Skills Trainingmentioning

confidence: 99%

Challenges of implementation of data protection legislation in a South African context

Theys¹

2021

Proceedings of ‏The 11th International Conference on Research in Science and Technology

View full text Add to dashboard Cite

South Africa has enacted its own information protection law, the Protection of Personal Information (POPI) Act, in 2013. 2018 saw the publication of the regulations. Neither the Act nor its regulations provide recommendations that assists organizations with achieving compliance. Furthermore, POPI impacts businesses from various sectors differently. The type of personal information stored and required for processing differs across organizations. Moreover, fines issued under the POPI Act could reach as high as 10 million Rand. This paper outlines a case study which explored within a single organization to identify what the challenges are that an organization could be faced with. The study is conducted throughout the organizational levels within a single organization. In the light of the imminent enforcement of the POPI Act, this paper highlights challenges that organizations could experience.

show abstract

Analyzing Privacy Policies Using Contextual Integrity Annotations

Cited by 7 publications

References 19 publications

Comprehensive evaluation of privacy policies using the contextual integrity framework

Comprehensive evaluation of privacy policies using the contextual integrity framework

Defining Privacy: How Users Interpret Technical Terms in Privacy Policies

Challenges of implementation of data protection legislation in a South African context

Contact Info

Product

Resources

About