How Short Is Too Short? Implications of Length and Framing on the Effectiveness of Privacy Notices

Privacy policies are often too long and difficult to understand, and are therefore ignored by users. Shorter privacy notices with clearer wording may increase users’ privacy awareness, particularly for emerging mobile and wearable devices with small screens. In this paper, we examine the potential of (1) shortening privacy notices, by removing privacy practices that a large majority of users are already aware of, and (2) highlighting the implications of described privacy practices with positive or negative framing. We conducted three online user studies focused on privacy notice design for fitness wearables. Our results indicate that short-form privacy notices can inform users about privacy practices. However, we found no effect from including positive or negative framing in our notices. Finally, we found that removing expected privacy practices from notices sometimes led to less awareness of those practices, without improving awareness of the practices that remained in the shorter notices. Given that shorter notices are typically expected to be more effective, we find the lack of increased awareness of the practices remaining in the notice surprising. Our results suggest that the length of an effective privacy notice may be bounded. We provide an analysis of factors influencing our participants’ awareness of privacy practices and discuss the implications of our findings on the design of privacy notices.
