Going against the (Appropriate) Flow: A Contextual Integrity Approach to Privacy Policy Analysis

Shvartzshnaider, Yan; Apthorpe, Noah; Feamster, Nick; Nissenbaum, Helen

doi:10.1609/hcomp.v7i1.5266

Cited by 19 publications

(12 citation statements)

References 28 publications

(32 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We then empirically documented the prevalence and visibility of data collection within Disney Parks, various identifiable categories of sensors that interact with apps and with MagicBands. Following the Shvartzshnaider et al (2019) methodology, we annotated statements that describe information-handling practices in terms of relevant CI parameters in prescribed flows analysis of the Walt Disney Company privacy policy and My Disney Experience -Frequently Asked Questions (FAQs) page.…”

Section: Methodsmentioning

confidence: 99%

Technofuturism in Play

Sanfilippo

Shvartzshnaider²

2023

Governing Smart Cities as Knowledge Commons

View full text Add to dashboard Cite

Section: Methodsmentioning

confidence: 99%

Technofuturism in Play

Sanfilippo

Shvartzshnaider²

2023

Governing Smart Cities as Knowledge Commons

View full text Add to dashboard Cite

“…Moreover, prior works have also focused on enabling automated understanding of privacy policies [27], [4], [33]. Additionally, prior work has used the theory of Contextual Integrity [47] to study the alignment with U.S. Children's Online Privacy Protection Act (COPPA) [9], and to evaluate its viability in privacy policies [64]. However, none of these works focus on analyzing privacy regulations, which is the focus of our work.…”

Section: Related Workmentioning

confidence: 99%

Towards Automated Regulation Analysis for Effective Privacy Compliance

Manandhar,

Singh,

Nadkarni

2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Privacy regulations are being introduced and amended around the globe to effectively regulate the processing of consumer data. These regulations are often analyzed to fulfill compliance mandates and to aid the design of practical systems that improve consumer privacy. However, at present, this is done manually, making the task error-prone, while also incurring significant time, effort, and cost for companies. This paper describes the design and implementation of ARC, a framework that transforms unstructured and complex regulatory text into a structured representation, the ARC tuple(s), which can be queried to assist in the analysis and understanding of regulations. We demonstrate ARC's effectiveness in extracting three forms of tuples with a high F-1 score (avg. 82.1% across all three) using four major privacy regulations: CCPA, GDPR, VCDPA, and PIPEDA. We then build ARCBert that identifies semantically similar phrases across regulations, enabling compliance analysts to identify common requirements. We run ARC on 16 additional privacy regulations and identify 1,556 ARC tuples and clusters of semantically similar phrases. Finally, we extend ARC to evaluate the compliance of privacy policies by comparing it against the disclosure requirements in the four regulations. Our empirical evaluation with the privacy policies of S&P 500 companies finds 476 missing disclosures, which when manually validated, result in 71.05% true positives, as well as the discovery of 288 additional missing disclosures from the partial matches identified by ARC.

show abstract

“…This analysis can help in identifying potentially confusing or misleading statements, e.g., when one of the five parameters such as transmission principle or receiver is missing or ambiguous (Shvartzshnaider et al, 2019a). Furthermore, one can use the identified parameters to formalize the expressed informational norms and privacy rules in formal logic (Shvartzshnaider et al, 2019b;Datta et al, 2011).…”

Section: And Privacymentioning

confidence: 99%

“…In this paper, we show that existing NLP models and techniques can assist a human annotator in identifying relevant privacy parameters in the policy text. The proposed novel NLP task can support the following applications: automate comparative analysis of privacy policies using the theory of contextual integrity (Shvartzshnaider et al, 2019a;Sanfilippo et al, 2019); extraction and enforcement of prescribed CI-based policy from legal and co-operate document (Shvartzshnaider et al, 2019a;Sanfilippo et al, 2019), an enhanced auditing of existing privacy policies for correctness and consistency (Andow et al, 2019).…”

Section: Introductionmentioning

confidence: 99%

Beyond The Text: Analysis of Privacy Statements through Syntactic and Semantic Role Labeling

Shvartzshanider,

Balashankar,

Wies

et al. 2023

Proceedings of the Natural Legal Language Processing Workshop 2023

View full text Add to dashboard Cite

This paper formulates a new task of extracting privacy parameters from a privacy policy, through the lens of Contextual Integrity (CI), an established social theory framework for reasoning about privacy norms. Through extensive experiments, we further show that incorporating CI-based domain-specific knowledge into a BERT-based SRL model results in the highest precision and recall, achieving an F1 score of 84%. With our work, we would like to motivate new research in building NLP applications for the privacy domain.

show abstract

Going against the (Appropriate) Flow: A Contextual Integrity Approach to Privacy Policy Analysis

Cited by 19 publications

References 28 publications

Technofuturism in Play

Technofuturism in Play

Towards Automated Regulation Analysis for Effective Privacy Compliance

Beyond The Text: Analysis of Privacy Statements through Syntactic and Semantic Role Labeling

Contact Info

Product

Resources

About