Privacy Principles; Dark Patterns; Privacy Engineering; ISO/IEC 29100
Résumé :
[en] The privacy engineering literature proposes requirements for the design of technologies but gives little guidance on how to correctly fulfil them in practice. On the other hand, a growing number of taxonomies document examples of how to circumvent privacy requirements via ”dark patterns,” i.e., manipulative privacy-invasive interface designs. To improve the actionability of the knowledge about dark patterns for the privacy engineering community, we matched a selection of existing dark patterns classifications with the ISO/IEC 29100:2011 standard on Privacy Principles by performing an iterative expert analysis, which resulted in clusters of dark patterns that potentially violate the ISO privacy engineering requirements. Our results can be used to develop practical guidelines for the implementation of technology designs that comply with the ISO Privacy Principles.
Disciplines :
Sciences informatiques
Auteur, co-auteur :
VALOGGIA, Philippe; ITIS, Luxembourg Institute of Science and Technology, Esch-sur-Alzette, Luxembourg
SERGEEVA, Anastasia ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Lifespan Development, Family and Culture
ROSSI, Arianna ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > IRiSC > Team Gabriele LENZINI ; LIDER Lab, Sant’Anna School of Advanced Studies, Pisa, Italy
BOTES, Wilhelmina Maria ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > IRiSC > Team Gabriele LENZINI ; University of KwaZulu Natal, South Africa
Co-auteurs externes :
yes
Langue du document :
Anglais
Titre :
Learning from the Dark Side About How (not) to Engineer Privacy: Analysis of Dark Patterns Taxonomies from an ISO 29100 Perspective
Date de publication/diffusion :
2024
Nom de la manifestation :
International Conference on Information Systems Security and Privacy (ICISSP 2024)
Lieu de la manifestation :
Rome, Italie
Date de la manifestation :
26 - 28 Februaty 2024
Manifestation à portée :
International
Titre du périodique :
Proceedings of the 10th International Conference on Information Systems Security and Privacy
31700-1:2023, I. (2002). ISO iso 31700-1:2023 consumer protection — privacy by design for consumer goods and services — part 1: High-level requirements.
Anthonysamy, P., Rashid, A., and Chitchyan, R. (2017). Privacy requirements: present & future. In 2017 IEEE/ACM 39th international conference on software engineering: software engineering in society track (ICSE-SEIS), pages 13–22. IEEE.
Antignac, T., Scandariato, R., and Schneider, G. (2016). A privacy-aware conceptual model for handling personal data. In Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques: 7th International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10–14, 2016, Proceedings, Part I 7, pages 942–957. Springer.
BEUC (2022). ”dark patterns” and the eu consumer law acquisition. Last accessed 9 January 2023.
Bongard-Blanchy, K., Rossi, A., Rivas, S., Doublet, S., Koenig, V., and Lenzini, G. (2021). ” i am definitely manipulated, even when i am aware of it. it’s ridiculous!”-dark patterns from the end-user perspective. In Designing Interactive Systems Conference 2021, pages 763–776.
Bosch, C., Erb, B., Kargl, F., Kopp, H., and Pfattheicher, S. (2016). Tales from the dark side: Privacy dark strategies and privacy dark patterns. Proc. Priv. Enhancing Technol., 2016(4):237–254.
Botes, M. (2023). Autonomy and the social dilemma of online manipulative behavior. AI and Ethics, 3(1):315–323.
Brignull, H. (2022). Deceptive patterns. Last accessed 30 October 2022.
Chamorro, L. S., Bongard-Blanchy, K., and Koenig, V. (2022). Justice in interaction design: preventing manipulation in interfaces. arXiv preprint arXiv:2204.06821.
Chromik, M., Eiband, M., Volkel, S. T., and Buschek, D. (2019). Dark patterns of explainability, transparency, and user control for intelligent systems. In IUI workshops, volume 2327.
Citron, D. K. and Solove, D. J. (2022). Privacy harms. BUL Rev., 102:793.
CNIL (2019). Shaping choices in the digital world.from dark patterns to data protection: the influence of ux/uidesign on user empowerment. Last accessed 9 January2023.
Conti, G. and Sobiesk, E. (2010). Malicious interface design: exploiting the user. In Proceedings of the 19th international conference on World wide web, pages 271–280.
CPRA (2020). The california privacy rights act of 2020. Last accessed 9 January 2023.
Curley, A., O’Sullivan, D., Gordon, D., Tierney, B., and Stavrakakis, I. (2021). The design of a framework for the detection of web-based dark patterns.
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., and Joosen, W. (2011). A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1):3–32.
Di Geronimo, L., Braz, L., Fregnan, E., Palomba, F., and Bacchelli, A. (2020). Ui dark patterns and where to find them: a study on mobile applications and user perception. In Proceedings of the 2020 CHI conference on human factors in computing systems, pages 1–14.
EDPB (2022). Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them. Version 1.0.
Fansher, M., Chivukula, S. S., and Gray, C. M. (2018). # darkpatterns: Ux practitioner conversations about ethical design. In Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems, pages 1–6.
Goodstein, S. A. (2021). When the cat’s away: Techlash, loot boxes, and regulating” dark patterns” in the video game industry’s monetization strategies. U. Colo. L. Rev., 92:285.
Gray, C. M., Chivukula, S. S., and Lee, A. (2020). What kind of work do” asshole designers” create? describing properties of ethical concern on reddit. In Proceedings of the 2020 acm designing interactive systems conference, pages 61–73.
Gray, C. M., Kou, Y., Battles, B., Hoggatt, J., and Toombs, A. L. (2018). The dark (patterns) side of ux design. In Proceedings of the 2018 CHI conference on human factors in computing systems, pages 1–14.
Gray, C. M., Sanchez Chamorro, L., Obi, I., and Duane, J.-N. (2023a). Mapping the landscape of dark patterns scholarship: A systematic literature review. In Designing Interactive Systems Conference, pages 188–193.
Gray, C. M., Santos, C., and Bielova, N. (2023b). Towards a preliminary ontology of dark patterns knowledge. In Extended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems, pages 1–9.
Gray, C. M., Santos, C., Bielova, N., and Mildner, T. (2023c). An ontology of dark patterns knowledge: Foundations, definitions, and a pathway for shared knowledge-building. arXiv preprint arXiv:2309.09640.
Gray, C. M., Santos, C., Bielova, N., Toth, M., and Clifford, D. (2021). Dark patterns and the legal requirements of consent banners: An interaction criticism perspective. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, pages 1–18.
Graßl, P., Schraffenberger, H., Borgesius, F. Z., and Buijzen, M. (2021). Dark and bright patterns in cookie consent requests. Journal of Digital Social Research, 3(1):1–38.
Greenberg, S., Boring, S., Vermeulen, J., and Dostal, J. (2014). Dark patterns in proxemic interactions: a critical perspective. In Proceedings of the 2014 conference on Designing interactive systems, pages 523–532.
Gunawan, J., Santos, C., and Kamara, I. (2022). Redress for dark patterns privacy harms? a case study on consent interactions. In Proceedings of the 2022 Symposium on Computer Science and Law, pages 181–194.
Habib, H., Zou, Y., Jannu, A., Sridhar, N., Swoopes, C., Acquisti, A., Cranor, L. F., Sadeh, N., and Schaub, F. (2019). An empirical analysis of data deletion and {Opt-Out} choices on 150 websites. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pages 387–406.
Hasan Mansur, S. M., Salma, S., Awofisayo, D., and Moran, K. (2023). Aidui: Toward automated recognition of dark patterns in user interfaces. In 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), page 1958–1970.
Huth, D. and Matthes, F. (2019). “appropriate technical and organizational measures”: Identifying privacy engineering approaches to meet gdpr requirements.
Islam, S., Mouratidis, H., Kalloniatis, C., Hudic, A., and Zechner, L. (2012). Model based process to support security and privacy requirements engineering. International Journal of Secure Software Engineering (IJSSE), 3(3):1–22.
ISO (2023). Iso 31700-1:2023 consumer protection — privacy by design for consumer goods and services —part 1: High-level requirements.
ISO/IEC (2002). ISO/IEC 15288:2002 systems engineering – systems life cycle processes.
ISO/IEC 29100:2011 (2011). Information technology - Security techniques - Privacy framework. Standard, International Organization for Standardization, Geneva, CH.
Jarovsky, L. (2022). Dark patterns in personal data collection: Definition, taxonomy and lawfulness. Taxonomy and Lawfulness (March 1, 2022).
Kitkowska, A. (2023). The hows and whys of dark patterns: Categorizations and privacy. Human Factors in Privacy Research, pages 173–198.
Kocyigit, E., Rossi, A., and Lenzini, G. (2023). Towards assessing features of dark patterns in cookie consent processes. In Bieker, F., Meyer, J., Pape, S., Schiering,
I., and Weich, A., editors, Privacy and Identity Management, IFIP Advances in Information and Communication Technology, page 165–183, Cham. Springer Nature Switzerland.
Kollnig, K., Datta, S., and Van Kleek, M. (2021). I want my app that way: Reclaiming sovereignty over personal devices. In Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems, pages 1–8.
Krauß, V. (2022). Exploring dark patterns in xr.
Luguri, J. and Strahilevitz, L. J. (2021). Shining a light on dark patterns. Journal of Legal Analysis, 13(1):43–109.
Martin, Y.-S. and Kung, A. (2018). Methods and tools forgdpr compliance through privacy and data protection engineering. In 2018 IEEE European symposium on security and privacy workshops (EuroS&PW), pages 108–111. IEEE.
Martini, P., Drews, C., et al. (2022). Making choice meaningful–tackling dark patterns in cookie and consent banners through european data privacy law. Available at SSRN 4257979.
Mathur, A., Acar, G., Friedman, M. J., Lucherini, E., Mayer, J., Chetty, M., and Narayanan, A. (2019). Dark patterns at scale: Findings from a crawl of 11k shopping websites. Proceedings of the ACM on HumanComputer Interaction, 3(CSCW):1–32.
Mathur, A., Kshirsagar, M., and Mayer, J. (2021). What makes a dark pattern… dark? design attributes, normative considerations, and measurement methods. In Proceedings of the 2021 CHI conference on human factors in computing systems, pages 1–18.
Matte, C., Bielova, N., and Santos, C. (2020). Do cookie banners respect my choice?: Measuring legal compliance of banners from iab europe’s transparency and consent framework. In 2020 IEEE Symposium on Security and Privacy (SP), pages 791–809. IEEE.
Mead, N. R. and Stehney, T. (2005). Security quality requirements engineering (square) methodology. ACM SIGSOFT Software Engineering Notes, 30(4):1–7.
NCC (2018). Deceived by design, how tech companies use dark patterns to discourage us from exercising our rights to privacy. Norwegian Consumer Council Report.
OECD (2023). Consumer vulnerability in the digital age. Number 355 in OECD Digital Economy Papers. Paris.
Owens, K., Gunawan, J., Choffnes, D., Emami-Naeini, P., Kohno, T., and Roesner, F. (2022). Exploring deceptive design patterns in voice interfaces. In Proceedings of the 2022 European Symposium on Usable Security, pages 64–78.
Rossi, A. and Bongard-Blanchy, K. (2021). All in one stroke? intervention spaces for dark patterns. arXiv preprint arXiv:2103.08483.
Sangaroonsilp, P., Dam, H. K., Choetkiertikul, M., Ragkhitwetsagul, C., and Ghose, A. (2023). A taxonomy for mining and classifying privacy requirements in issue reports. Information and Software Technology, 157:107162.
Santos, C., Rossi, A., Sanchez Chamorro, L., BongardBlanchy, K., and Abu-Salma, R. (2021). Cookie banners, what’s the purpose? analyzing cookie banner text through a legal lens. In Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society, WPES ’21, page 187–194, New York, NY, USA. Association for Computing Machinery.
Voigt, P. and Von dem Bussche, A. (2017). The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing, 10(3152676):10–5555.
Wright, D. and Raab, C. (2014). Privacy principles, risks and harms. International Review of Law, Computers & Technology, 28(3):277–298.
Zagal, J. P., Bjork, S., and Lewis, C. (2013). Dark patterns in the design of games. In Foundations of Digital Games 2013.
