1. bookVolume 2021 (2021): Issue 4 (October 2021)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

Managing Potentially Intrusive Practices in the Browser: A User-Centered Perspective

Published Online: 23 Jul 2021
Page range: 500 - 527
Received: 28 Feb 2021
Accepted: 16 Jun 2021
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

Browser users encounter a broad array of potentially intrusive practices: from behavioral profiling, to crypto-mining, fingerprinting, and more. We study people’s perception, awareness, understanding, and preferences to opt out of those practices. We conducted a mixed-methods study that included qualitative (n=186) and quantitative (n=888) surveys covering 8 neutrally presented practices, equally highlighting both their benefits and risks. Consistent with prior research focusing on specific practices and mitigation techniques, we observe that most people are unaware of how to effectively identify or control the practices we surveyed. However, our user-centered approach reveals diverse views about the perceived risks and benefits, and that the majority of our participants wished to both restrict and be explicitly notified about the surveyed practices. Though prior research shows that meaningful controls are rarely available, we found that many participants mistakenly assume opt-out settings are common but just too difficult to find. However, even if they were hypothetically available on every website, our findings suggest that settings which allow practices by default are more burdensome to users than alternatives which are contextualized to website categories instead. Our results argue for settings which can distinguish among website categories where certain practices are seen as permissible, proactively notify users about their presence, and otherwise deny intrusive practices by default. Standardizing these settings in the browser rather than being left to individual websites would have the advantage of providing a uniform interface to support notification, control, and could help mitigate dark patterns. We also discuss the regulatory implications of the findings.

Keywords

[1] Ruba Abu-Salma and Benjamin Livshits. Evaluating the end-user experience of private browsing mode. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, CHI ’20, page 1–12, New York, NY, USA, 2020. Association for Computing Machinery. Search in Google Scholar

[2] Jagdish Prasad Achara, Javier Parra-Arnau, and Claude Castelluccia. Mytrackingchoices: Pacifying the ad-block war by enforcing user privacy preferences, 2016. Search in Google Scholar

[3] Alessandro Acquisti. Nudging privacy: The behavioral economics of personal information. IEEE Security and Privacy, 7(6):82–85, 2009. Search in Google Scholar

[4] Alessandro Acquisti, Idris Adjerid, Rebecca Balebako, Laura Brandimarte, Lorrie Faith Cranor, Saranga Komanduri, Pedro Giovanni Leon, Norman Sadeh, Florian Schaub, Manya Sleeper, Yang Wang, and Shomir Wilson. Nudges for privacy and security: Understanding and assisting users’ choices online. ACM Comput. Surv., 50(3), August 2017. Search in Google Scholar

[5] Alessandro Acquisti, Curtis Taylor, and Liad Wagman. The economics of privacy. Journal of Economic Literature, 54(2):442–92, June 2016. Search in Google Scholar

[6] Lalit Agarwal, Nisheeth Shrivastava, Sharad Jaiswal, and Saurabh Panjwani. Do not embarrass: Re-examining user concerns for online tracking and advertising. In Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS ’13, New York, NY, USA, 2013. Association for Computing Machinery. Search in Google Scholar

[7] Amazon. Alexa top sites. https://www.alexa.com/topsites, 2020. Search in Google Scholar

[8] Vinayshekhar Bannihatti Kumar, Roger Iyengar, Namita Nisal, Yuanyuan Feng, Hana Habib, Peter Story, Sushain Cherivirala, Margaret Hagan, Lorrie Cranor, Shomir Wilson, Florian Schaub, and Norman Sadeh. Finding a choice in a haystack: Automatic extraction of opt-out statements from privacy policy text. In Proceedings of The Web Conference 2020, WWW ’20, page 1943–1954, New York, NY, USA, 2020. Association for Computing Machinery. Search in Google Scholar

[9] Catherine Barrett. Emerging trends from the first year of eu gdpr enforcement. Scitech Lawyer, 16(3):22–25,35, Spring 2020. Search in Google Scholar

[10] Lemi Baruh, Ekin Secinti, and Zeynep Cemalcilar. Online Privacy Concerns and Privacy Management: A Meta-Analytical Review. Journal of Communication, 67(1):26–53, 01 2017. Search in Google Scholar

[11] Douglas Bates, Martin Mächler, Ben Bolker, and Steve Walker. Fitting linear mixed-effects models using lme4. Journal of Statistical Software, 67(1):1–48, 2015. Search in Google Scholar

[12] P. Beatty, I. Reay, S. Dick, and J. Miller. P3p adoption on e-commerce web sites: A survey and analysis. IEEE Internet Computing, 11(2):65–71, 2007. Search in Google Scholar

[13] Annika Bergström. Online privacy concerns: A broad approach to understanding the concerns of different groups for different uses. Computers in Human Behavior, 53:419–426, 2015. Search in Google Scholar

[14] Dan Bouhnik and Golan Carmi. Interface application comprehensive analysis of ghostery. International Journal of Computer Systems, 5(3), 03 2018. Search in Google Scholar

[15] Renato Bruni and Gianpiero Bianchi. Website categorization: A formal approach and robustness analysis in the case of e-commerce detection. Expert Systems with Applications, 142:113001, 2020. Search in Google Scholar

[16] Bill Budington, Alexei Miagkov, Katarzyna Szymielewicz, and Jason Kelley. Do not track. https://www.eff.org/issues/do-not-track, 2016. Search in Google Scholar

[17] Dave Camp. Firefox now available with enhanced tracking protection by default plus updates to facebook container, firefox monitor and lockwise. https://blog.mozilla.org/blog/2019/06/04/firefox-now-available-with-enhanced-tracking-protection-by-default/, Jun 2019. Search in Google Scholar

[18] Michelangelo Ceci and Donato Malerba. Classifying web documents in a hierarchy of categories: a comprehensive study. Journal of Intelligent Information Systems, 28(1):37–78, 2007. Search in Google Scholar

[19] Hongliang Chen, Christopher E. Beaudoin, and Traci Hong. Securing online privacy: An empirical test on internet scam victimization, online privacy concerns, and privacy protection behaviors. Computers in Human Behavior, 70:291 – 302, 2017. Search in Google Scholar

[20] Lorrie Cranor and Rigo Wenning. Platform for privacy preferences (p3p) project. https://www.w3.org/P3P/, Feb 2018. Search in Google Scholar

[21] Lorrie Faith Cranor. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. JTHTL, 10:273–308, 2012. Search in Google Scholar

[22] Tobias Dienlin and Sabine Trepte. Is the privacy paradox a relic of the past? an in-depth analysis of privacy attitudes and privacy behaviors. European Journal of Social Psychology, 45(3):285–297, 2015. Search in Google Scholar

[23] Disconnect. Take back your privacy. https://disconnect.me/, 2020. Search in Google Scholar

[24] Serge Egelman and Eyal Peer. The myth of the average user: Improving privacy and security systems through individualization. In Proceedings of the 2015 New Security Paradigms Workshop, NSPW ’15, page 16–28, New York, NY, USA, 2015. Association for Computing Machinery. Search in Google Scholar

[25] Steven Englehardt and Arvind Narayanan. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, page 1388–1401, New York, NY, USA, 2016. Association for Computing Machinery. Search in Google Scholar

[26] Cori Faklaris, Laura Dabbish, and Jason I. Hong. A self-report measure of end-user security attitudes (sa-6). In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, SOUPS ’19, page 61–77, USA, 2019. USENIX Association. Search in Google Scholar

[27] Franz Faul, Edgar Erdfelder, Axel Buchner, and Albert-Georg Lang. Statistical power analyses using g*power 3.1: Tests for correlation and regression analyses. Behavior research methods, 41:1149–60, 11 2009. Search in Google Scholar

[28] Electronic Frontier Foundation. Privacy badger automatically learns to block invisible trackers. https://privacybadger.org/, 2020. Search in Google Scholar

[29] Mozilla Foundation. Firefox - protect your life online with privacy-first products. https://www.mozilla.org/en-US/firefox/, 2020. Search in Google Scholar

[30] Xianyi Gao, Yulong Yang, Huiqing Fu, Janne Lindqvist, and Yang Wang. Private browsing: An inquiry on usability and privacy protection. In Proceedings of the 13th Workshop on Privacy in the Electronic Society, WPES ’14, page 97–106, New York, NY, USA, 2014. Association for Computing Machinery. Search in Google Scholar

[31] Barney G Glaser and Anselm L Strauss. Discovery of grounded theory: Strategies for qualitative research. Rout-ledge, 2017. Search in Google Scholar

[32] Cliqz International GmbH. Ghostery makes the web cleaner, faster and safer! https://www.ghostery.com/, Feb 2020. Search in Google Scholar

[33] Google. Choose your privacy settings. https://support.google.com/chrome/answer/114836, 2021. Search in Google Scholar

[34] Peiqing Guan and Wei Zhou. Business analytics generated data brokerage: Law, ethical and social issues. In Robin Doss, Selwyn Piramuthu, and Wei Zhou, editors, Future Network Systems and Security, pages 167–175, Cham, 2017. Springer International Publishing. Search in Google Scholar

[35] Hana Habib, Sarah Pearman, Jiamin Wang, Yixin Zou, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. “it’s a scavenger hunt”: Usability of websites’ opt-out and data deletion choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, CHI ’20, page 1–12, New York, NY, USA, 2020. Association for Computing Machinery. Search in Google Scholar

[36] Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. An empirical analysis of data deletion and opt-out choices on 150 websites. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), Santa Clara, CA, 2019. USENIX Association. Search in Google Scholar

[37] Brave Incorporated. Brave: Secure, fast & private web browser with adblocker. https://brave.com/, 2020. Search in Google Scholar

[38] Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. Privacy attitudes of mechanical turk workers and the u.s. public. In 10th Symposium On Usable Privacy and Security (SOUPS 2014), pages 37–49, Menlo Park, CA, July 2014. USENIX Association. Search in Google Scholar

[39] Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. “my data just goes everywhere:” user mental models of the internet and implications for privacy and security. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015), pages 39–52, Ottawa, July 2015. USENIX Association. Search in Google Scholar

[40] Soroush Karami, Panagiotis Ilia, Konstantinos Solomos, and Jason Polakis. Carnus: Exploring the privacy threats of browser extension fingerprinting. In Proceedings of the Symposium on Network and Distributed System Security (NDSS), 2020. Search in Google Scholar

[41] Eunjin Kim and Byungtae Lee. E-service quality competition through personalization under consumer privacy concerns. Electronic Commerce Research and Applications, 8(4):182 – 190, 2009. Special Issue: Economics and Electronic Commerce. Search in Google Scholar

[42] Linda Lee, David Fifield, Nathan Malkin, Ganesh Iyer, Serge Egelman, and David Wagner. A usability evaluation of tor launcher. Proceedings on Privacy Enhancing Technologies, 2017(3):90 – 109, 2017. Search in Google Scholar

[43] Pedro Leon, Blase Ur, Richard Shay, Yang Wang, Rebecca Balebako, and Lorrie Cranor. Why johnny can’t opt out: A usability evaluation of tools to limit online behavioral advertising. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’12, page 589–598, New York, NY, USA, 2012. Association for Computing Machinery. Search in Google Scholar

[44] Jialiu Lin, Shahriyar Amini, Jason I Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In Proceedings of the 2012 ACM conference on ubiquitous computing, pages 501–510, 2012. Search in Google Scholar

[45] Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I Hong. Modeling users’ mobile app privacy preferences: Restoring usability in a sea of permission settings. In 10th Symposium On Usable Privacy and Security (SOUPS 2014), pages 199–212, 2014. Search in Google Scholar

[46] Awio Web Services LLC. Web browser market share. http://www.w3counter.com/globalstats.php?year=2021&month=1, Jan 2021. Search in Google Scholar

[47] Arunesh Mathur, Jessica Vitak, Arvind Narayanan, and Marshini Chetty. Characterizing the use of browser-based blocking extensions to prevent online tracking. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pages 103–116, Baltimore, MD, August 2018. USENIX Association. Search in Google Scholar

[48] Aleecia McDonald and Jon M Peha. Track gap: Policy implications of user expectations for the ’do not track’ internet privacy feature. In 39th Research Conference on Communication, Information and Internet Policy, (TPRC 2011). Elsevier, 2011. Search in Google Scholar

[49] Nora McDonald, Sarita Schoenebeck, and Andrea Forte. Reliability and Inter-rater Reliability in Qualitative Research: Norms and Guidelines for CSCW and HCI Practice. Proceedings of the ACM Human-Computer Interaction, pages 1–23, August 2019. Search in Google Scholar

[50] William Melicher, Mahmood Sharif, Joshua Tan, Lujo Bauer, Mihai Christodorescu, and Pedro Giovanni Leon. (do not) track me sometimes: Users’ contextual preferences for web tracking. Proceedings on Privacy Enhancing Technologies, 2016(2):135 – 154, 2016. Search in Google Scholar

[51] G. Merzdovnik, M. Huber, D. Buhov, N. Nikiforakis, S. Neuner, M. Schmiedecker, and E. Weippl. Block me if you can: A large-scale study of tracker-blocking tools. In 2017 IEEE European Symposium on Security and Privacy (EuroS P), pages 319–333, 2017. Search in Google Scholar

[52] Mozilla. Enhanced tracking protection in firefox. https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop, 2021. Search in Google Scholar

[53] Pardis Emami Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Faith Cranor, and Norman Sadeh. Privacy expectations and preferences in an iot world. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pages 399–412, Santa Clara, CA, July 2017. USENIX Association. Search in Google Scholar

[54] Rishab Nithyanand, Sheharbano Khattak, Mobin Javed, Narseo Vallina-Rodriguez, Marjan Falahrastegar, Julia E. Powles, Emiliano De Cristofaro, Hamed Haddadi, and Steven J. Murdoch. Ad-blocking and counter blocking: A slice of the arms race. CoRR, abs/1605.05077, 2016. Search in Google Scholar

[55] Eyal Pe’er, Serge Egelman, Marian Harbach, Nathan Malkin, Arunesh Mathur, and Alisa Frik. Nudge me right: Personalizing online nudges to people’s decision-making styles. SSRN Electronic Journal, 01 2019. Search in Google Scholar

[56] The Tor Project. The tor project: Privacy & freedom online. https://www.torproject.org/, 2020. Search in Google Scholar

[57] Emilee Rader. Awareness of behavioral tracking and information privacy concern in facebook and google. In 10th Symposium On Usable Privacy and Security (SOUPS 2014), pages 51–67, 2014. Search in Google Scholar

[58] Ashwini Rao, Florian Schaub, Norman Sadeh, Alessandro Acquisti, and Ruogu Kang. Expecting the unexpected: Understanding mismatched privacy expectations online. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pages 77–96, Denver, CO, June 2016. USENIX Association. Search in Google Scholar

[59] Iskander Sanchez-Rola, Matteo Dell’Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, and Igor Santos. Can i opt out yet? gdpr and the global illusion of cookie control. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, Asia CCS ’19, page 340–351, New York, NY, USA, 2019. Association for Computing Machinery. Search in Google Scholar

[60] Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor. A design space for effective privacy notices. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015), pages 1–17, Ottawa, July 2015. USENIX Association. Search in Google Scholar

[61] Sebastian Schelter and Jérôme Kunegis. On the ubiquity of web tracking: Insights from a billion-page web crawl, 2016. Search in Google Scholar

[62] Michael Simon. Apple is removing the do not track toggle from safari, but for a good reason. https://www.macworld.com/article/3338152/apple-safari-removing-do-not-track.html, Feb 2019. Search in Google Scholar

[63] Daniel Smullen, Yuanyuan Feng, Shikun Aerin Zhang, and Norman Sadeh. The best of both worlds: Mitigating trade-offs between accuracy and user burden in capturing mobile app privacy preferences. Proceedings on Privacy Enhancing Technologies, 2020(1):195 – 215, 01 Jan. 2020. Search in Google Scholar

[64] Daniel Solove. A taxonomy of privacy. University of Pennsylvania Law Review, 154:477, 2005-2006. Search in Google Scholar

[65] Aditya K Sood and Richard J Enbody. Malvertising– exploiting web advertising. Computer Fraud & Security, 2011(4):11–16, 2011. Search in Google Scholar

[66] Janice Y. Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti. The effect of online privacy information on purchasing behavior: An experimental study. Information Systems Research, 22(2):254–268, 2011. Search in Google Scholar

[67] R. Upathilake, Y. Li, and A. Matrawy. A classification of web browser fingerprinting techniques. In 7th International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5, 2015. Search in Google Scholar

[68] Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. (un) informed consent: Studying gdpr consent notices in the field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 973–990, 2019. Search in Google Scholar

[69] Paul Voigt and Axel Von dem Bussche. The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing, 2017. Search in Google Scholar

[70] Diane Walker and Florence Myrick. Grounded theory: An exploration of process and procedure. Qualitative Health Research, 16(4):547–559, 2006. PMID: 16513996. Search in Google Scholar

[71] R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In 2012 IEEE Symposium on Security and Privacy, pages 365–379, 2012. Search in Google Scholar

[72] Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. A field trial of privacy nudges for facebook. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’14, page 2367–2376, New York, NY, USA, 2014. Association for Computing Machinery. Search in Google Scholar

[73] Logan Warberg, Alessandro Acquisti, and Douglas Sicker. Can privacy nudges be tailored to individuals’ decision making and personality traits? In Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, WPES ’19, page 175–197, New York, NY, USA, 2019. Association for Computing Machinery. Search in Google Scholar

[74] Gabriel Weinberg. Duckduckgo: Privacy, simplified. https://duckduckgo.com/, 2020. Search in Google Scholar

[75] Pamela J. Wisniewski, Bart P. Knijnenburg, and Heather Richter Lipford. Making privacy personal: Profiling social network users to inform privacy education and nudging. International Journal of Human-Computer Studies, 98:95 – 108, 2017. Search in Google Scholar

[76] Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, and Blase Ur. Your secrets are safe: How browsers’ explanations impact misconceptions about private browsing mode. In Proceedings of the 2018 World Wide Web Conference, WWW ’18, page 217–226, Republic and Canton of Geneva, CHE, 2018. International World Wide Web Conferences Steering Committee. Search in Google Scholar

[77] Yaxing Yao, Davide Lo Re, and Yang Wang. Folk models of online behavioral advertising. In Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing, pages 1957–1969, 2017. Search in Google Scholar

[78] Maciej Zawadzi«ski. What is intelligent tracking prevention (itp)? versions 1.0 - 2.3 explained. https://clearcode.cc/blog/intelligent-tracking-prevention/, Apr 2020. Search in Google Scholar

[79] Shikun Zhang, Yuanyuan Feng, Lujo Bauer, Lorrie Faith Cranor, Anupam Das, and Norman Sadeh. Did you know this camera tracks your mood? understanding privacy expectations and preferences in the age of video analytics. Proceedings on Privacy Enhancing Technologies, 2021(2):282–304, 2021. Search in Google Scholar

[80] Shikun Zhang, Yuanyuan Feng, Anupam Das, Lujo Bauer, Lorrie Faith Cranor, and Norman Sadeh. Understanding people’s privacy attitudes towards video analytics technologies. Proceedings of FTC PrivacyCon, pages 1–18, 2020. Search in Google Scholar

[81] Yixin Zou, Kevin Roundy, Acar Tamersoy, Saurabh Shin-tre, Johann Roturier, and Florian Schaub. Examining the adoption and abandonment of security, privacy, and identity theft protection practices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, CHI ’20, page 1–15, New York, NY, USA, 2020. Association for Computing Machinery. Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo