Is contextual integrity robust to temporal changes in will-

Attitudes towards privacy and sharing social network data are temporally volat- ile, and as such, decisions about willingness to share data with researchers may only represent thinking at a single point in time, and not a person’s “true” in- tent. As discussed in Chapter 2.1, this may cause regret, and perceived leakage of social network data. The consent methods we examine in this study consider the temporal issue differently. The secured consent method, perhaps the most common in social network studies, assumes that a participant’s willingness to participate in a study is carte blanche to collect any data associated with them, and disregards any temporal effects. Conversely, sustained consent relies on constant interventions to mitigate any drift in a person’s willingness to share data, which achieves high accuracy at the cost of a significant burden on the participant. As a goal of the contextual integrity method is to reduce the bur- den on participants, we hypothesise that leveraging social norms is more robust over time. If a user is found to highly conform to social norms at one point in time, we expect this to hold true as a proxy for willingness to share discrete pieces of data. As we have discussed earlier, we expected a small decrease in accuracy compared to sustained consent as the significant number of interven- tions ensures accuracy. By repeating the study over a week, we capture changes in behaviour to determine the robustness of these techniques. To do this, we apply the consent policy of the first week’s results to predict the participant’s responses in the second week. These predictions are validated by the parti- cipant’s responses to the performance evaluation questionnaire, just as how ac- curacy is measured. Figure 5.9 illustrates the extent to which these predictions would have led to over-sharing of data. These results suggest that privacy atti- tudes do indeed change over the course of a week. Across all conditions, trying to use predictions from the previous week performs quite poorly in many cases. This is most problematic in the case of secured consent because there is no way of accommodating such changes in intent, suggesting that consent acquisition

in a single moment in time is not sufficient. The sustained consent condition shows a very similar distribution, however in practice this would be mitigated by continuing to intervene to capture consent, dismissing the need to rely on old data, at the cost of higher participant burden. Surprisingly, the contextual integrity condition performs poorly by this measure of robustness, however this is understandable in the context of our previous result that the technique is only applicable for about a quarter of the population who are highly norm- conformant, and an ANOVA suggests over-sharing is not significantly higher in this case(F(2,65) =0.168,p>0.1). As this condition includes participants of varying degrees of conformity, attempts to leverage this to make longitudinal predictions for non-conformant participants performs very poorly. In practice, users who have not been identified themselves as norm-conformant within 6 interventions would be excluded from a contextual integrity-based solution in favour of a sustained consent approach that would better capture their intent.

Returning to our hypotheses, we find qualified support for H1. On average, contextual integrity reduces burden by 21.9%. While median accuracy is not significantly better than secured consent, for 27.7% of participants, contextual integrity delivered perfect accuracy with a 41.1% reduction in burden compared to the sustained condition. We also find support for H2, as the contextual in- tegrity method is not significantly less robust than sustained consent over time. We note that as human behaviour is so diverse, there is no “one-size-fits- all” approach to consent that achieves optimal results. A benefit of the method we introduce is that as norm conformity can be quickly established, if a person clearly does not conform to such norms, it is possible to transparently change strategy to a sustained approach and maximise accuracy. We found that while the low-burden secured consent approach may be sufficient for some people, it can not be relied on to maintain accuracy in most cases.

We acknowledge that our measure of accuracy is not the sole means to de- termine that informed consent has been sought. This metric allows us to con- firm that the participant disclosed the SNS data that they were willing to, which

we believe is important to establish. It does not, however, determine whether the participant understands the implications of sharing their data, or the pur- pose of the research. In biomedical studies, consent comprehension tests are commonly used to determine that participants’ consent is informed, but their effectiveness has been questioned [17]. Investigating the wider implications of assessing consent comprehension is important further work, where again we anticipate contextual integrity could be leveraged. For example, while we found that our semi-automated approach to determining consent was appropriate for some people, others might find it invasive, and striking this ethical balance is a sensitive topic.

5.3 Summary

In this chapter, we have presented the first application of contextual integ- rity to the acquisition of informed consent for sharing SNS data. We note the following:

• Contextual integrity can be leveraged to reduce the burden placed on par- ticipants to acquire consent on average by 21.9%.

• For 27.7% of participants who are highly conformant to social norms, con- textual integrity can deliver accuracy paralleling that of burdensome sus- tained consent, while reducing burden by 41.1% compared to the sustained condition.

• Using norm conformity to determine consent is temporally robust over a week, but further work is needed to determine whether this holds true for longer periods.

Having shown how we can apply contextual integrity to a framework for studying SNSs, and demonstrating that it can constitute an appropriate means of acquiring informed consent in SNS studies, in the next chapter we consider

how the framework can be applied to the study of emerging SNSs, to examine their potential privacy impacts.

Chapter 6

Identifying privacy breaches in emer-

ging SNSs with contextual integrity

In this chapter, we demonstrate how contextual integrity can be used as a dia- gnostic to determine the potential privacy impacts of emerging SNSs. We con- duct a user study to investigate the potential risks when adding financial in- centives to LBSNs.

In this chapter, we make the following contributions:

• We conduct the first application of contextual integrity to identify the norms governing the use of incentivised location sharing systems.

• We conduct a user study of 22 smartphone users to understand expecta- tions and motivations in an incentivised location sharing system, and to see whether feedback affects willingness to disclose locations.

The rise of smartphones and mobile sensing smart devices is enabling vast amounts of personal data to be collected or generated, and optionally shared with other people, services, and businesses, as we discussed in Chapter 2.2. Such self-tracking is the logical extension of context-sharing applications such as Foursquare. Such services are increasingly delivering financial incentives to

encourage people to act as an advertising agent on behalf of a business to their social network. The introduction of incentives raises several questions. Do they affect privacy concerns, or people’s uses of such services? Do people’s decisions change for the worse as a result of incentives, and how, or indeed should, we improve this? In this section, we look at ILS services (Chapter 2.2), to determine whether they may constitute a risk to individual privacy. While the use of LBSNs has been well studied, this is the first user study to examine the potential risks in embedding financial incentives in traditionally social-driven online sharing. To determine whether incentives may introduce new privacy violations, we use Nissenbaum’s model of contextual integrity, introduced in Chapter 2.3.6. Specifically, we use the contextual integrity decision heuristic, a diagnostic tool for determining whether a new process risks violating the expectations within an entrenched context, as described in Chapter 2.3.6. We discuss a preliminary user study in which 22 people use an ILS application for one week, and receive financial incentives to share their location with businesses and their social net- work. The user study allows us to better understand the expectations of people using such an application, their behaviour and motivations for disclosing their location for a financial incentive, and how the design of the application affects how people use it. We use these findings to complete the decision heuristic and decide whether ILS constitutes a privacy violation. In addition, we recommend a number of best practices for application developers, to provide services that deliver incentives for disclosures in a way that preserves people’s comfort and privacy, while delivering benefits to advertisers and developers.

This study aims to address the following research questions:

1. Do users of LBSNs have different expectations of privacy when their dis- closures are financially motivated?

2. Do incentives perturb privacy norms in an LBSN to the extent that con- textual integrity is violated?

users share their location for money affect behaviour, and reduce the risk of privacy violations?