Results 1-20 of 30.
((uid:50033521))

Bookmark and Share    
Full Text
Peer Reviewed
See detailAn (Un)Necessary Evil - Users’ (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering
Bongard, Kerstin UL; Sterckx, Jean-Louis; Rossi, Arianna UL et al

in 2022 7th IEEE European Symposium on Security and Privacy Workshops (EuroSPW) (in press)

App permission requests are a control mechanism meant to help users oversee and safeguard access to data and resources on their smartphones. To decide whether to accept or deny such requests and make this ... [more ▼]

App permission requests are a control mechanism meant to help users oversee and safeguard access to data and resources on their smartphones. To decide whether to accept or deny such requests and make this consent valid, users need to understand the underlying reasons and judge the relevance of disclosing data in line with their own use of an app. This study investigates people’s certainty about app permission requests via an online survey with 400 representative participants of the UK population. The results demonstrate that users are uncertain about the necessity of granting app permissions for about half of the tested permission requests. This implies substantial privacy risks, which are discussed in the paper, resulting in a call for user-protecting interventions by privacy engineers. [less ▲]

Detailed reference viewed: 110 (18 UL)
Full Text
Peer Reviewed
See detailData Protection and Consenting Communication Mechanisms: Current Proposals and Challenges
Human, Soheil; Degeling, Martin; Santos, Christiana et al

in IEEE eXplore (2022, June 06)

Data Protection and Consenting Communication Mechanisms (DPCCMs) have the potential of becoming one of the most fundamental means of protecting humans’ privacy and agency. However, they are yet to be ... [more ▼]

Data Protection and Consenting Communication Mechanisms (DPCCMs) have the potential of becoming one of the most fundamental means of protecting humans’ privacy and agency. However, they are yet to be improved, adopted and enforced. In this paper, based on the results of a technical document analysis and an expert study, we we identify some of the main technical factors that can be comparison factors between some of the main interdisciplinary challenges of a Human-centric, Accountable, Lawful, and Ethical practice of personal data processing on the Internet and discuss whether the current DPCCMs proposal can contribute towards their resolution. In particular, we discuss the two current open specifications, i.e. the Advanced Data Protection Control (ADPC) and the Global Privacy Control (GPC) based on the identified challenges. [less ▲]

Detailed reference viewed: 113 (12 UL)
Full Text
See detailFeedback to the Guidelines 3/2022 on “Dark patterns in social media platform interfaces: How to recognise and avoid them”
Botes, Wilhelmina Maria UL; Carli, Rachele; Rossi, Arianna UL et al

Report (2022)

Detailed reference viewed: 64 (1 UL)
Full Text
Peer Reviewed
See detailContext, Prioritization, and Unexpectedness: Factors Influencing User Attitudes About Infographic and Comic Consent
Doan, Xengie Cheng UL; Selzer, Annika; Rossi, Arianna UL et al

in Web Conference Companion Volume (ACM) (2022, April 26)

Being asked to consent to data sharing is a ubiquitous experience in digital services - yet it is very rare to encounter a well designed consent experience. Considering the momentum and importance of a ... [more ▼]

Being asked to consent to data sharing is a ubiquitous experience in digital services - yet it is very rare to encounter a well designed consent experience. Considering the momentum and importance of a European data space where personal information freely and easily flows across organizations, sectors and Member States, solving the long-discussed thorny issue of "how to get consent right" cannot be postponed any further. In this paper, we describe the first findings from a study based on 24 semi-structured interviews investigating participants’ expectations and opinions toward consent in a data sharing scenario with a data trustee. We analyzed various dimensions of a consent form redesigned as a comic and an infographic, including language, information design, content and the writer-reader relationship. The results provide insights into the complexity of elements that should be considered when asking individuals to freely and mindfully disclose their data, especially sensitive information. [less ▲]

Detailed reference viewed: 155 (41 UL)
Full Text
Peer Reviewed
See detailUnwinding a Legal and Ethical Ariadne’s Thread Out of the Twitter Scraping Maze
Rossi, Arianna UL; Kumari, Archana; Lenzini, Gabriele UL

in Schiffner, Stefan; Ziegler, Sebastien; Quesada Rodriguez, Adrian (Eds.) Data Protection Law International Convergence and Compliance with Innovative Technologies (DPLICIT) (2022)

Social media data is a gold mine for research scientists, but such type of data carries unique legal and ethical implications while there is no checklist that can be followed to effortlessly comply with ... [more ▼]

Social media data is a gold mine for research scientists, but such type of data carries unique legal and ethical implications while there is no checklist that can be followed to effortlessly comply with all the applicable rules and principles. On the contrary, academic researchers need to find their way in a maze of regulations, sectoral and institutional codes of conduct, interpretations and techniques of compliance. Taking an autoethnographic approach combined with desk research, we describe the path we have paved to find the answers to questions such as: what counts as personal data on Twitter and can it be anonymized? How may we inform Twitter users of an ongoing data collection? Is their informed consent necessary? This article reports practical insights on ethical, legal, and technical measures that we have adopted to scrape Twitter data and discusses some solutions that should be envisaged to make the task of compliance less daunting for academic researchers. The subject matter is relevant for any social computing research activity and, more in general, for all those that intend to gather data of EU social media users. [less ▲]

Detailed reference viewed: 46 (4 UL)
Full Text
Peer Reviewed
See detailWhat if data protection embraced foresight and speculative design?
Rossi, Arianna UL; Chatellier, Regis; Leucci, Stefano et al

in DRS2022: Bilbao (2022)

Due to rapid technological advancements and the growing “datafication” of our societies, individuals’ privacy constitutes an increasingly explored speculative space for regulators, researchers ... [more ▼]

Due to rapid technological advancements and the growing “datafication” of our societies, individuals’ privacy constitutes an increasingly explored speculative space for regulators, researchers, practitioners, designers and artists. This article reports two experiences at a national and an international data protection authority (i.e., the Commission Nationale de l'Informatique et des Libertés - CNIL - and the European Data Protection Supervisor - EDPS - respectively), where foresight methods and speculative design are employed in policy-making with the goal of anticipating technological trends, their implications for society and their impact on regulations, as well as the effects of existing and upcoming laws on emerging technologies. Such initiatives can enhance strategic proactive abilities, raise public awareness of privacy issues and engender a participatory approach to the design of policies. They can also inspire the research, education and practice of legal design. [less ▲]

Detailed reference viewed: 29 (5 UL)
Full Text
Peer Reviewed
See detailCookie Banners, What’s the Purpose? Analyzing Cookie Banner Text Through a Legal Lens
Santos, Cristiana; Rossi, Arianna UL; Sanchez Chamorro, Lorena UL et al

in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21) (2021, November 15)

A cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on ... [more ▼]

A cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on evaluating the user interface (UI) design of cookie banners, this paper presents an in-depth analysis of what cookie banners say to users to get their consent. We took an interdisciplinary approach to determining what cookie banners should say. Following the legal requirements of the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR), we manually annotated around 400 cookie banners presented on the most popular English-speaking websites visited by users residing in the EU. We focused on analyzing the purposes of cookie banners and how these purposes were expressed (e.g., any misleading or vague language, any use of jargon). We found that 89% of cookie banners violated applicable laws. In particular, 61% of banners violated the purpose specificity requirement by mentioning vague purposes, including “user experience enhancement”. Further, 30% of banners used positive framing, breaching the freely given and informed consent requirements. Based on these findings, we provide recommendations that regulators can find useful. We also describe future research directions. [less ▲]

Detailed reference viewed: 144 (24 UL)
Full Text
Peer Reviewed
See detailAll in one stroke? Intervention Spaces for Dark Patterns
Rossi, Arianna UL; Bongard, Kerstin UL

E-print/Working paper (2021)

This position paper draws from the complexity of dark patterns to develop arguments for differentiated interventions. We propose a matrix of interventions with a \textit{measure axis} (from user-directed ... [more ▼]

This position paper draws from the complexity of dark patterns to develop arguments for differentiated interventions. We propose a matrix of interventions with a \textit{measure axis} (from user-directed to environment-directed) and a \textit{scope axis} (from general to specific). We furthermore discuss a set of interventions situated in different fields of the intervention spaces. The discussions at the 2021 CHI workshop "What can CHI do about dark patterns?" should help hone the matrix structure and fill its fields with specific intervention proposals. [less ▲]

Detailed reference viewed: 136 (10 UL)
Full Text
Peer Reviewed
See detailVisualisation Techniques for Consent: Finding Common Ground in Comic Art with Indigenous Populations
Botes, Wilhelmina Maria UL; Rossi, Arianna UL

in 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (2021)

With emerging technologies such as genome research and the digitization of health records comes the need for new models of informed consent. In this climate of innovation people are often prone to explore ... [more ▼]

With emerging technologies such as genome research and the digitization of health records comes the need for new models of informed consent. In this climate of innovation people are often prone to explore the latest technological advancement as possible solutions, including for informed consent. In this paper, we present the design and evaluation of a so-called low-tech informed consent solution that was designed specifically for the informational and cultural needs of a vulnerable indigenous population, i.e., the San of South Africa. This low-tech solution took the form of a comic and, although it could enhance understanding and identification, the costs and labour intensity of comic design and the deriving limitations on its scalability should be critically considered in the light of a digitised and more standardized solution. [less ▲]

Detailed reference viewed: 76 (6 UL)
Full Text
Peer Reviewed
See detailWhich Properties has an Icon? A Critical Discussion on Evaluation Methods for Standardised Data Protection Iconography
Rossi, Arianna UL; Lenzini, Gabriele UL

in Proceedings of the 8th Workshop on Socio-Technical Aspects in Security and Trust (STAST) (2021)

Following GDPR's Article12.7's proposal to use standardized icons to inform data subject in "an easily visible, intelligible and clearly legible manner," several icon sets have been developed. In this ... [more ▼]

Following GDPR's Article12.7's proposal to use standardized icons to inform data subject in "an easily visible, intelligible and clearly legible manner," several icon sets have been developed. In this paper, we firstly critically review some of those proposals. We then examine the properties that icons and icon sets should arguably fulfill according to Art.12's transparency provisions. Lastly, we discuss metrics and evaluation procedures to measure compliance with the Article. [less ▲]

Detailed reference viewed: 246 (30 UL)
Full Text
Peer Reviewed
See detailBack to the Future with Icons and Images: "Low-Tech" to Communicate and Protect Privacy and Data
Botes, Wilhelmina Maria UL; Rossi, Arianna UL

in Ducato, Rossana; Strowel, Alain (Eds.) Legal Design Perspectives. Theoretical and Practical Insights from the Field (2021)

Detailed reference viewed: 67 (7 UL)
Full Text
Peer Reviewed
See detailProactive Legal Design for Health Data Sharing based on Smart Contracts
Rossi, Arianna UL; Haapio, Helena

in Corrales Compagnucci, Marcelo; Fenwick, Mark; Wrbka, Stefan (Eds.) Smart Contracts. Technological, Business and Legal Perspectives (2021)

Detailed reference viewed: 68 (14 UL)
Full Text
Peer Reviewed
See detail"I am definitely manipulated, even when I am aware of it. It’s ridiculous!" - Dark Patterns from the End-User Perspective
Bongard-Blanchy, Kerstin UL; Rossi, Arianna UL; Rivas, Salvador UL et al

in Proceedings of ACM DIS Conference on Designing Interactive Systems (2021)

Online services pervasively employ manipulative designs (i.e., dark patterns) to influence users to purchase goods and subscriptions, spend more time on-site, or mindlessly accept the harvesting of their ... [more ▼]

Online services pervasively employ manipulative designs (i.e., dark patterns) to influence users to purchase goods and subscriptions, spend more time on-site, or mindlessly accept the harvesting of their personal data. To protect users from the lure of such designs, we asked: are users aware of the presence of dark patterns? If so, are they able to resist them? By surveying 406 individuals, we found that they are generally aware of the influence that manipulative designs can exert on their online behaviour. However, being aware does not equip users with the ability to oppose such influence. We further find that respondents, especially younger ones, often recognise the "darkness" of certain designs, but remain unsure of the actual harm they may suffer. Finally, we discuss a set of interventions (e.g., bright patterns, design frictions, training games, applications to expedite legal enforcement) in the light of our findings. [less ▲]

Detailed reference viewed: 341 (34 UL)
Full Text
Peer Reviewed
See detailTransparency by Design in Data-Informed Research: a Collection of Information Design Patterns
Rossi, Arianna UL; Lenzini, Gabriele UL

in Computer Law & Security Review (2020), 37(105402),

Oftentimes information disclosures describing personal data-gathering research activities are so poorly designed that participants fail to be informed and blindly agree to the terms, without grasping the ... [more ▼]

Oftentimes information disclosures describing personal data-gathering research activities are so poorly designed that participants fail to be informed and blindly agree to the terms, without grasping the rights they can exercise and the risks derived from their cooperation. To respond to the challenge, this article presents a series of operational strategies for transparent communication in line with legal-ethical requirements. These "transparency-enhancing design patterns" can be implemented by data controllers/researchers to maximize the clarity, navigability, and noticeability of the information provided and ultimately empower data subjects/research subjects to appreciate and determine the permissible use of their data. [less ▲]

Detailed reference viewed: 283 (45 UL)
Full Text
Peer Reviewed
See detailCan Visual Design Provide Legal Transparency? The Challenges for Successful Implementation of Icons for Data Protection
Rossi, Arianna UL; Palmirani, Monica

in Design Issues (2020), 36(3), 82-96

Design is a key player in the future of data privacy and data protection. The General Data Protection Regulation (GDPR) established by the European Union aims to rebalance the information asymmetry ... [more ▼]

Design is a key player in the future of data privacy and data protection. The General Data Protection Regulation (GDPR) established by the European Union aims to rebalance the information asymmetry between the organizations that process personal data and the individuals to which that data refers. Machine-readable, standardized icons that present a “meaningful overview of the intended processing” are suggested by the law as a tool to enhance the transparency of information addressed to data subjects. However, no specific guidelines have been provided, and studies on privacy iconography are very few. This article describes research conducted on the creation and evaluation of icons representing data protection concepts. First, we introduce the methodology used to design the Data Protection Icon Set (DaPIS): participatory design methods combined with legal ontologies and machine-readable representations. Second, we discuss some of the challenges that have been faced in the development and evaluation of DaPIS and similar icon sets. Third, we provide some tentative responses and indicate a way forward for evaluation of the effectiveness of privacy icons and their widespread adoption. [less ▲]

Detailed reference viewed: 287 (12 UL)
Full Text
Peer Reviewed
See detailMaking the Case for Evidence-based Standardization of Data Privacy and Data Protection Visual Indicators
Rossi, Arianna UL; Lenzini, Gabriele UL

in Journal of Open Access to Law (2020), 8(1),

Lately, icons have witnessed a growing wave of interest in the view of enhancing transparency and clarity of data processing practices in mandated disclosures. Although benefits in terms of ... [more ▼]

Lately, icons have witnessed a growing wave of interest in the view of enhancing transparency and clarity of data processing practices in mandated disclosures. Although benefits in terms of comprehensibility, noticeability, navigability of the information and user’s attention and memorization can be expected, they should also be supported by decisive empirical evidence about the efficacy of the icons in specific contexts. Misrepresentation, oversimplification, and improper salience of certain aspects over others are omnipresent risks that can drive data subjects to wrong conclusions. Cross-domain and international standardization of visual means also poses a serious challenge: if on the one hand developing standards is necessary to ensure widespread recognition and comprehension, each domain and application presents unique features that can be hardly established, and imposed, in a top-down manner. This article critically discusses the above issues and identifies relevant open questions for scientific research. It also provides concrete examples and practical suggestions for researchers and practitioners that aim to implement transparency-enhancing icons in the spirit of the General Data Protection Regulation (GDPR). [less ▲]

Detailed reference viewed: 158 (12 UL)
Full Text
Peer Reviewed
See detailWhat's in an Icon? Promises and Pitfalls of Data Protection Iconography
Rossi, Arianna UL; Palmirani, Monica

in Leenes, Ronald; Hallinan, Dara; Gutwirth, Serge (Eds.) et al Data Protection and Privacy: Data Protection and Democracy (2020)

Under the General Data Protection Regulation (GDPR), transparency of information becomes an obligation aimed at creating an ecosystem where data subjects understand and control what happens to their ... [more ▼]

Under the General Data Protection Regulation (GDPR), transparency of information becomes an obligation aimed at creating an ecosystem where data subjects understand and control what happens to their personal data. The definition of transparency stresses its user-centric nature, while design considerations to comply with this obligation assume central importance. This article focuses on the icons established by the GDPR Art. 12.7 to offer “a meaningful overview of the intended processing”. Existing attempts to represent data protection through icons have not met widespread adoption and reasons about the strengths and weaknesses of their creation and evaluation are here discussed. Building on this analysis, we present an empirical research proposing a new icon set that responds to GDPR requirements. The article also discusses the challenges of creating and evaluating such icon set and provides some future directions of research for effective an effective implementation and standardization. [less ▲]

Detailed reference viewed: 386 (22 UL)
Full Text
See detailLegal Design for the General Data Protection Regulation. A Methodology for the Visualization and Communication of Legal Concepts
Rossi, Arianna UL

Doctoral thesis (2019)

Privacy policies are known to be impenetrable, lengthy, tedious texts that are hardly read and poorly understood. Therefore, the General Data Protection Regulation (GDPR) introduces provisions to enhance ... [more ▼]

Privacy policies are known to be impenetrable, lengthy, tedious texts that are hardly read and poorly understood. Therefore, the General Data Protection Regulation (GDPR) introduces provisions to enhance the transparency of such documents and suggests icons as visual elements to provide “in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing.” The present dissertation discusses how design, and in particular legal design, can support the concrete implementation of the GDPR’s transparency obligation. Notwithstanding the many benefits that visual communication demonstrably provides, graphical elements do not improve comprehension per se. Research on graphical symbols for legal concepts is still scarce, while both the creation and consequent evaluation of icons depicting abstract or unfamiliar concepts represent a challenge. More- over, precision of representation can support the individuals’ sense-making of the meaning of graphical symbols, but at the expense of simplicity and us- ability. Hence, this research proposed a methodology that combines semantic web technologies with principles of semiotics and ergonomics, and empirical methods drawn from the emerging discipline of legal design, that was used to create and evaluate DaPIS, the Data Protection Icon Set meant to support the data subjects’ navigation of privacy policies. The icon set is modeled on PrOnto, an ontological representation of the GDPR, and is organized around its core modules: personal data, roles and agents, processing operations, processing purposes, legal bases, and data subjects’ rights. In combination with the description of a privacy policy in the legal standard XML Akoma Ntoso, such an approach makes the icons machine-readable and semi-automatically retrievable. Icons can thus serve as information markers in lengthy privacy statements and support the navigation of the text by the data subject. [less ▲]

Detailed reference viewed: 217 (16 UL)
Full Text
Peer Reviewed
See detailProactive Legal Design: Embedding Values in the Design of Legal Artefacts
Rossi, Arianna UL; Haapio, Helena

in Schweighofer, Erich; Kummer, Franz; Saarenpää, Ahti (Eds.) International Legal Infomatics Symposium IRIS 2019 (2019)

Legal Design is an umbrella term for merging forward-looking legal thinking with design think- ing. It applies human-centered design to prevent or solve legal problems. Legal Design takes an ... [more ▼]

Legal Design is an umbrella term for merging forward-looking legal thinking with design think- ing. It applies human-centered design to prevent or solve legal problems. Legal Design takes an interdisciplinary and proactive approach to law, covering not only legal information and documents, but also legal services, processes, and systems. This paper introduces Legal Design in the context of forward-looking Legal Tech, especially through the lenses of data protection, and analyses the analogies among Value-Sensitive Design, Proactive Law, and Privacy by Design. [less ▲]

Detailed reference viewed: 132 (6 UL)
Full Text
See detailDaPIS: an Ontology-Based Data Protection Icon Set
Rossi, Arianna UL; Palmirani, Monica

in Peruginelli, Ginevra; Faro, Sebastiano (Eds.) Knowledge of the Law in the Big Data Age (2019)

Privacy policies are known to be impenetrable and lengthy texts that are hardly read and poorly understood. This is why the General Data Protection Regulation (GDPR) introduces provisions to enhance ... [more ▼]

Privacy policies are known to be impenetrable and lengthy texts that are hardly read and poorly understood. This is why the General Data Protection Regulation (GDPR) introduces provisions to enhance information transparency including icons as visual means to clarify data practices. However, the research on the creation and evaluation of graphical symbols for the communication of legal concepts, which are generally abstract and unfamiliar to laypeople, is still in its infancy. Moreover, detailed visual representations can support users’ comprehension of the underlying concepts, but at the expense of simplicity and usability. This Chapter describes a methodology for the creation and evaluation of DaPIS, a machine-readable Data Protection Icon Set that was designed following human-centered methods drawn from the emerging discipline of Legal Design. Participatory design methods have ensured that the perspectives of legal experts, designers and other relevant stake- holders are combined in a fruitful dialogue, while user studies have empirically determined strengths and weaknesses of the icon set as communicative means for the legal sphere. Inputs from other disciplines were also fundamental: canonical principles drawn from aesthetics, ergonomics and semiotics were included in the methodology. Moreover, DaPIS is modeled on PrOnto, an ontology of the GDPR, thus offering a comprehensive solution for the Semantic Web. In combination with the description of a privacy policy in the legal standard XML Akoma Ntoso, such an approach makes the icons machine-readable and automatically retrievable. Icons can thus serve as information markers in lengthy privacy statements and support an efficient navigation of the document. In this way, different representations of legal information can be mapped and connected to enhance its comprehensibility: the lawyer-readable, the machine-readable, and the human-readable layers. [less ▲]

Detailed reference viewed: 184 (14 UL)