A Conceptual Consent Request Framework for Mobile Devices

The General Data Protection Regulation (GDPR) identifies consent as one of the legal bases for personal data processing and requires that it be freely given, specific, informed, unambiguous, understandable, and easily revocable. Unfortunately, current technical mechanisms for obtaining consent often do not comply with these requirements. The conceptual consent request framework for mobile devices presented in this paper addresses this issue by following the GDPR requirements on consent and offering a unified user interface for mobile apps. The proposed conceptual framework is evaluated through the development of a City Explorer app with four consent request approaches (custom, functionality-based, app-based, and usage-based) integrated into it. The evaluation shows that the functionality-based consent, as integrated into the City Explorer app, achieved the best evaluation results and the highest average System Usability Scale (SUS) score. The functionality-based consent also scored the highest number of SUS points among the four consent templates when evaluated separately from the app. Additionally, we discuss the framework's reusability and its integration into other mobile apps from different contexts.