Usable privacy and security; Human-computer interaction; Dark patterns
Abstract :
This paper examines the effect of the dark pattern strategy "loss-gain framing" on users' data disclosure behaviour in mobile settings. Understanding whether framing influences users' willingness to disclose personal information is important to (i) determine if and how this technique can subvert consent and other privacy decisions, (ii) prevent abuse with appropriate policies and sanctions, and (iii) provide clear evidence-based guidelines for app privacy engineering.
We conducted an online user study (N=848), in which we varied the framing of app permission requests (i.e., positive, negative, or neutral framing) and examined its impact on participants' willingness to accept the permission, their evaluation of the trustworthiness of the request and their perception of being informed by it.
Our findings reveal effects on disclosure behaviour for request types that users cannot easily understand. In this case, negative framing makes users more likely to disclose personal information. Contrary to our expectations, positive framing reduces disclosure rates, possibly because it raises users' suspicion. We discuss implications for the design of interfaces that aim to facilitate informed, privacy-enhancing decision-making.
Disciplines :
Computer science
Author, co-author :
BONGARD-BLANCHY, Kerstin; Luxembourg Media and Digital Design Center Belvaux, Luxembourg
STERCKX, Jean-Louis; KU Leuven - Katholieke Universiteit Leuven [BE]
ROSSI, Arianna; LIDER Lab, Dirpolis Institute, Scuola Superiore Sant’Anna, Pisa, Italy
SERGEEVA, Anastasia ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment
RIVAS, Salvador ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > LUCET
KOENIG, Vincent ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences > Department of Behavioural and Cognitive Sciences > Team Vincent KOENIG
DISTLER, Verena; University of the Bundeswehr Munich, Germany
External co-authors :
yes
Language :
English
Title :
Analysing the Influence of Loss-Gain Framing on Data Disclosure Behaviour: A Study on the Use Case of App Permission Requests
Publication date :
13 October 2023
Event name :
EuroUSEC '23: European Symposium on Usable Security
Event date :
16-17 of October, 2023
Audience :
International
Journal title :
Proceedings of the 2023 European Symposium on Usable Security
Publisher :
Association for Computing Machinery, New York, Unknown/unspecified
This publication is part of the DECEPTICON project supported by the Luxembourg National Research Fund (FNR) (grant no. IS/14717072). Author 3 has carried out the research while being employed at SnT, University of Luxembourg and wishes to acknowledge BRIEF - Biorobotics Research and Innovation Engineering Facilities financed by NextGenerationEU under grant number “IR0000036” – CUP J13C22000400007. The last author acknowledges support by dtec.bw – Digitalization and Technology Research Center of the Bundeswehr. dtec.bw is funded by the European Union – NextGenerationEU.