Managing Potentially Intrusive Practices in the Browser: A User-Centered Perspective

Abstract

Browser users encounter a broad array of potentially intrusive practices: from behavioral profiling, to crypto-mining, fingerprinting, and more. We study people’s perception, awareness, understanding, and preferences to opt out of those practices. We conducted a mixed-methods study that included qualitative (n=186) and quantitative (n=888) surveys covering 8 neutrally presented practices, equally highlighting both their benefits and risks. Consistent with prior research focusing on specific practices and mitigation techniques, we observe that most people are unaware of how to effectively identify or control the practices we surveyed. However, our user-centered approach reveals diverse views about the perceived risks and benefits, and that the majority of our participants wished to both restrict and be explicitly notified about the surveyed practices. Though prior research shows that meaningful controls are rarely available, we found that many participants mistakenly assume opt-out settings are common but just too difficult to find. However, even if they were hypothetically available on every website, our findings suggest that settings which allow practices by default are more burdensome to users than alternatives which are contextualized to website categories instead. Our results argue for settings which can distinguish among website categories where certain practices are seen as permissible, proactively notify users about their presence, and otherwise deny intrusive practices by default. Standardizing these settings in the browser, rather than leaving them to individual websites, would have the advantage of providing a uniform interface to support notification and control, and could help mitigate dark patterns. We also discuss the regulatory implications of the findings.
