USER CENTRIC PRIVACY POLICY MODELLING

UoM administered thesis: PhD

Authors: Sophia Kununka

Abstract

The growing uptake of mobile applications (apps) has significant implications for end-user privacy. The default solution is the provision of mobile privacy policies, which serve as a contract between users and app service providers. However, privacy policies have been critiqued as difficult for users to understand and as not providing any degree of control over personal privacy. This is because policies are written by service providers and are legal-like and technical, motivated by requirements for compliance rather than by users' ability to understand them. Research into the design of alternative policy representations exists, yet the involvement of users in the design of alternative representations has generally been limited. This work aims to design an effective representation of a privacy policy by incorporating the end users' perspective into the design of policies. An exploration of the privacy policy domain was conducted through the analysis of 100 representative app privacy policies, from which a reference model of privacy terms was developed. The end users' perspective has been explored through an early user study set to establish users' mental models, control needs and representation preferences. Findings show that whilst initial mental models are largely reflective of the predominant conventional full-length privacy policies, users are open to innovations and in fact show a clear preference for alternative policy representations that are more structured and visual in nature. The reference model of privacy terms and the findings of the early user study, enabling user-centric design of privacy policy, are two of the contributions of this thesis. The third and main contribution of this thesis is the integration of these two results in the user-centred design of an effective privacy policy representation. Effectiveness means the representation is comprehensive, informative and facilitates greater user control over privacy.
The representation developed in this thesis is evaluated against the conventional policy. Results demonstrate that the representation's comprehensiveness is rated 10% better and was tested by measuring users' accuracy in information finding, certainty of finding desired information, and appeal in information finding. Its informativeness was rated 59% better and was tested by measuring users' likelihood to read policies if they resembled the representation and the time needed to find information. Its level of user control over privacy was rated 32% better and was tested by measuring users' ability to specify and alter privacy options. Overall, the proposed policy representation meets the aim of this thesis by incorporating user perspectives, allowing the creation of privacy policies which facilitate informed consent and user control over personal information.

Details

Original language: English
Awarding Institution
Supervisors/Advisors
Award date: 1 Aug 2019