
The findings of this study provide a valuable lesson in terms of what aspects significantly influence users’ attitudes to privacy, and hence should be considered when designing privacy notices. Data dimensions, including sensitivity, visibility, as well as awareness factors of the shared location-based information, were shown to have a clear impact on how users perceive their location privacy and ultimately decide upon their level of information disclosure.

According to the Westin/Harris privacy segmentation index, which examines users’ feelings towards their privacy, in 2003 26% were privacy fundamentalists, who feel strongly about protecting their privacy and are very concerned; 64% were privacy pragmatists, who try to balance the benefits against their personal privacy; and 10% were privacy unconcerned [86]. This segmentation gives an overall view of users’ perception of privacy, whereas our study focuses on the domain of location privacy in GeoSNs as well as modelling users’ privacy perceptions considering sharing factors. We can map this index to our findings to reveal the users’ segmentation by mapping ‘yes’ to privacy unconcerned, ‘maybe’ to privacy pragmatists and ‘no’ to fundamentalists in each combination of disclosure factors.

We utilised users’ perceptions to develop a LPTLM. This includes three privacy levels, as identified in Section 5.3.1: Green, where it is safe to disclose location information, Amber, where caution should be exercised when disclosing location information, and Red, where it is dangerous to disclose location information. In this model, we consider the three main factors of data dimension, visibility, and awareness, as well as data sensitivity due to its significant impact on user perception as observed. Participants’ sharing decisions based on these aspects are presented in Table 6.5 in the case of Realistic awareness and in Table 6.6 in the case of Attackers’ view.

Table 6.5: Participants’ sharing decisions based on the data dimensions, visibility and sensitivity of disclosed information in the case of Realistic awareness.

| Data Dimensions | Sensitivity | Friends: Yes | Friends: Maybe | Friends: No | Public: Yes | Public: Maybe | Public: No |
|---|---|---|---|---|---|---|---|
| Spatial | Insensitive | 73% | 18% | 9% | 67% | 26% | 7% |
| Spatial | Sensitive | 45% | 21% | 34% | 31% | 28% | 41% |
| Spatial-Social | Insensitive | 67% | 23% | 10% | 60% | 24% | 16% |
| Spatial-Social | Sensitive | 32% | 30% | 38% | 25% | 28% | 47% |
| Spatial-Social-Temporal | Insensitive | 57% | 30% | 13% | 49% | 31% | 20% |
| Spatial-Social-Temporal | Sensitive | 36% | 31% | 33% | 31% | 26% | 43% |

Table 6.6: Participants’ sharing decisions based on the data dimensions, visibility and sensitivity of disclosed information in the case of Attackers’ view.

| Data Dimensions | Sensitivity | Friends: Yes | Friends: Maybe | Friends: No | Public: Yes | Public: Maybe | Public: No |
|---|---|---|---|---|---|---|---|
| Spatial | Insensitive | 61% | 23% | 16% | 55% | 32% | 13% |
| Spatial | Sensitive | 30% | 26% | 44% | 31% | 27% | 42% |
| Spatial-Social | Insensitive | 57% | 25% | 18% | 55% | 32% | 13% |
| Spatial-Social | Sensitive | 38% | 28% | 34% | 21% | 30% | 49% |
| Spatial-Social-Temporal | Insensitive | 52% | 32% | 16% | 48% | 28% | 25% |
| Spatial-Social-Temporal | Sensitive | 36% | 27% | 37% | 25% | 16% | 59% |

One way of proposing this model is to directly map users’ sharing attitude to the privacy level where ’Yes’ is mapped to the Green level, ’Maybe’ is mapped to the Amber level and ’No’ is mapped to the Red level. The results of users’ perceptions considering these aspects can be used directly and simply in a visual privacy indicator that shows the ratio of the three privacy levels in a given location-disclosure situation based on similar users’ experience, as shown in Figure 6.9(a) when awareness is realistic and in Figure 6.9(b) when awareness is from the attackers’ view.

Figure 6.9: Visual privacy indicators considering the dimension, visibility and sensitivity in the case of (a) Realistic awareness and (b) Attackers’ view.

Alternatively, the overall percentage of users’ sharing decisions in each situation of the considered four aspects can be used to limit the privacy level to one or a maximum of two in order to provide a clearer estimation of privacy. If the majority of users, with a threshold of ≥ 60%, selected a certain sharing decision, then the privacy level mapped to this decision would be the proposed privacy level in the model. For example, 61% of users selected to share their location in the Spatial/Insensitive/Friends/Attackers’ view scenarios, hence the suggested privacy level would be Green. Otherwise, it would be between the privacy levels assigned to the two highly-selected decisions if they are next to each other in regard to their ranking. For instance, in Spatial/Insensitive/Public/Attackers’ view scenarios, the two decisions chosen the most were ’Yes’ (55%) and ’Maybe’ (32%). Therefore, the proposed privacy level would be between Green and Amber. If the two highly-selected decisions are not adjacent in regard to their ranking, which in this case are ’Yes’ and ’No’, then logically the privacy level would be Amber since it falls in the middle. Table 6.7 demonstrates the resulting LPTLM.

Table 6.7: The proposed LPTLM based on directly mapping privacy levels to sharing decisions by considering their proportions.

| Data Dimensions | Sensitivity | Realistic: Friends | Realistic: Public | Attackers’ view: Friends | Attackers’ view: Public |
|---|---|---|---|---|---|
| Spatial | Insensitive | Green | Green | Green | Green∼Amber |
| Spatial | Sensitive | Amber | Amber | Amber | Amber∼Red |
| Spatial-Social | Insensitive | Green | Green | Green∼Amber | Green∼Amber |
| Spatial-Social | Sensitive | Amber | Amber∼Red | Amber | Amber∼Red |
| Spatial-Social-Temporal | Insensitive | Green∼Amber | Green∼Amber | Green∼Amber | Green∼Amber |
| Spatial-Social-Temporal | Sensitive | Amber | Amber | Amber | Red |

Table 6.8: The proposed LPTLM considering users’ willingness to share based on average responses in both awareness types.

| Data Dimensions | Friends: Insensitive | Friends: Sensitive | Public: Insensitive | Public: Sensitive |
|---|---|---|---|---|
| Spatial | Green | Amber | Green | Red |
| Spatial-Social | Green | Amber | Amber | Red |
| Spatial-Social-Temporal | Amber | Amber | Amber | Red |

Another approach to developing the LPTLM is to consider the percentage of users who are willing to share their location in the different scenarios given. The sharing decisions in the Realistic and Attackers’ view awareness cases are averaged, and then:

• A Green classification is used with a threshold of ≥ 60% for the ’Yes’ value.

• An Amber classification is used with a threshold of < 60% and > 30% for the ’Yes’ value.

• A Red classification is used with a threshold of ≤ 30% for the ’Yes’ value.

Table 6.8 presents the proposed LPTLM based on this approach.

A third technique for proposing the LPTLM is to evenly distribute users’ responses to ’Maybe’ between ’Yes’ and ’No’. Participants’ sharing decisions based on the data dimensions, visibility, awareness and sensitivity of disclosed information after this distribution are presented in Table 6.9. Then, the proportion of participants who were willing to share is considered to find the proper privacy level corresponding to the given location-sharing factors where:

• A Green classification is used with a threshold of ≥ 70% for the ’Yes’ value.

• An Amber classification is used with a threshold of < 70% and > 50% for the ’Yes’ value.

• A Red classification is used with a threshold of ≤ 50% for the ’Yes’ value.

The resulting LPTLM is shown in Table 6.10.
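The three derivation rules described above (direct mapping, averaged ’Yes’ share, and split ’Maybe’), applied literally to four scenarios copied from Tables 6.5 and 6.6. This is an added example, not code from the thesis; the function names and the `~` separator for in-between levels are assumptions.

```python
# Added example (not the thesis author's code). Responses are (yes, maybe, no)
# percentages; the sample rows are copied from Tables 6.5 and 6.6.
LEVELS = ["Green", "Amber", "Red"]   # index-aligned with yes / maybe / no

def direct_mapping(resp, majority=60):
    """Technique 1: a >=60% majority wins, else combine the top two decisions."""
    ranked = sorted(range(3), key=lambda i: resp[i], reverse=True)
    top, second = ranked[0], ranked[1]
    if resp[top] >= majority:
        return LEVELS[top]
    if abs(top - second) == 1:           # adjacent decisions: level lies between
        lo, hi = sorted((top, second))
        return f"{LEVELS[lo]}~{LEVELS[hi]}"
    return "Amber"                       # 'Yes' and 'No' lead: the middle level

def level_from_yes(yes, green_at, red_at):
    """Shared threshold rule: Green at/above green_at, Red at/below red_at."""
    if yes >= green_at:
        return "Green"
    return "Red" if yes <= red_at else "Amber"

def averaged_yes(realistic, attacker):
    """Technique 2: mean 'Yes' over both awareness types, thresholds 60 / 30."""
    return level_from_yes((realistic[0] + attacker[0]) / 2, 60, 30)

def split_maybe(resp):
    """Technique 3: half of 'Maybe' is added to 'Yes', thresholds 70 / 50."""
    return level_from_yes(resp[0] + resp[1] / 2, 70, 50)

# scenario -> (Realistic awareness, Attackers' view)
SAMPLES = {
    "Spatial/Insensitive/Friends":     ((73, 18, 9),  (61, 23, 16)),
    "Spatial/Insensitive/Public":      ((67, 26, 7),  (55, 32, 13)),
    "Spatial/Sensitive/Friends":       ((45, 21, 34), (30, 26, 44)),
    "Spatial-Social/Sensitive/Public": ((25, 28, 47), (21, 30, 49)),
}

def derive(samples=SAMPLES):
    """Return {scenario: {technique: level(s)}} for all three techniques."""
    return {
        name: {
            "direct": (direct_mapping(r), direct_mapping(a)),
            "averaged": averaged_yes(r, a),
            "split": (split_maybe(r), split_maybe(a)),
        }
        for name, (r, a) in samples.items()
    }

if __name__ == "__main__":
    for name, levels in derive().items():
        print(f"{name:34} {levels}")
```

A share that falls within a point of a threshold (for example 59% against the 60% majority rule) changes level under a literal implementation, so such cells are best treated as borderline in a privacy indicator.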

All three of the previous versions of the LPTLM can be used in any privacy-aware system, as they are all considered equally potent. All of them are developed by utilising the majority of participants’ responses as a threshold to derive appropriate threat levels. Hence, as noted, most of the derived threat levels corresponding to the sharing factors across these LPTLMs are similar. The proposed models, as well as users’ privacy perceptions, can be used to offer the following suggestions for designing effective privacy notices:

Table 6.9: Participants’ sharing decisions based on the data dimensions, visibility, awareness and sensitivity of disclosed information after splitting ‘Maybe’ responses between ‘Yes’ and ‘No’.

| Data Dimensions | Sensitivity | Realistic, Friends: Yes | Realistic, Friends: No | Realistic, Public: Yes | Realistic, Public: No | Attackers’ view, Friends: Yes | Attackers’ view, Friends: No | Attackers’ view, Public: Yes | Attackers’ view, Public: No |
|---|---|---|---|---|---|---|---|---|---|
| Spatial | Insensitive | 82% | 18% | 80% | 20% | 72.5% | 27.5% | 71% | 29% |
| Spatial | Sensitive | 55.5% | 44.5% | 45% | 55% | 43% | 57% | 44.5% | 55.5% |
| Spatial-Social | Insensitive | 78.5% | 21.5% | 72% | 28% | 69.5% | 30.5% | 71% | 29% |
| Spatial-Social | Sensitive | 47% | 53% | 39% | 61% | 52% | 48% | 36% | 64% |
| Spatial-Social-Temporal | Insensitive | 72% | 28% | 64.5% | 35.5% | 68% | 26% | 62% | 39% |
| Spatial-Social-Temporal | Sensitive | 51% | 49% | 44% | 56% | 49.5% | 50.5% | 33% | 67% |

Table 6.10: The proposed LPTLM based on evenly distributing users’ responses to ‘Maybe’ between ‘Yes’ and ‘No’.

| Data Dimensions | Sensitivity | Realistic: Friends | Realistic: Public | Attackers’ view: Friends | Attackers’ view: Public |
|---|---|---|---|---|---|
| Spatial | Insensitive | Green | Green | Green | Green |
| Spatial | Sensitive | Amber | Red | Red | Red |
| Spatial-Social | Insensitive | Green | Green | Green | Green |
| Spatial-Social | Sensitive | Red | Red | Amber | Red |
| Spatial-Social-Temporal | Insensitive | Green | Amber | Amber | Amber |
| Spatial-Social-Temporal | Sensitive | Amber | Red | Red | Red |

• Factors to Consider for Privacy Notice: Participants showed different privacy attitudes towards different location-sharing scenarios. This suggests that when designing for privacy, a user must be informed about what dimensions of their data are exposed as well as the content of the disclosed information. They also need to be aware of who can see and access this information, and what is considered sensitive information should be clearly marked, to allow them to give informed consent about their information sharing.

• Use of Privacy Indicator: A visual privacy indicator can be shown in the privacy notice as a way of providing easy privacy cues that can be coloured based on the given information disclosure factors. Three sub-indicators can also be shown for visibility, sensitivity and level of extracted information, to provide a detailed privacy status regarding each of these factors. Such indicators can efficiently impact user behaviour towards making informed sharing decisions.

• Use of Privacy Score: Privacy scores can be presented to users in order to help them assess their privacy status by calculating it based on the factors involved in a location disclosure action. This score can offer an effective approach to influencing user sharing behaviour by increasing their privacy awareness.

• Similar Experiences: A privacy notice can show a user what others did in similar location-sharing situations, which might aid in the process of decision-making.

• Personalisation: Findings indicate that configurable privacy settings should be offered in the privacy notice to users, since, although the majority may lean toward a certain attitude, others have different privacy views, as seen in the study results. Hence, privacy settings can enable a user to personalise the notice based on their personal privacy preferences.

6.5 Conclusion

This chapter presents an in-depth user-based study that investigates factors that influence users’ location-sharing attitude in order to understand how users perceive location privacy and allow them to give informed consent for location sharing. Results showed that users’ location-sharing decisions are impacted by the dimensions of the exposed data and its sensitivity, visibility to others, and awareness of potential privacy implications. Users were less willing to share and hence more concerned about their privacy whenever the presented location-sharing scenario posed a greater risk to their privacy, especially when they were aware of the hidden implications. These factors should be considered in the design of any location privacy awareness system. The study outcomes were used to propose several versions of LPTLM that demonstrate how the results of users’ privacy perception can be utilised to suggest a privacy level for a user based on the factors involved in a location-sharing task.

Chapter 7

Towards Holistic Geo-Profile View for Privacy Awareness on GeoSNs

7.1 Introduction

This chapter will address this issue using location privacy awareness by following the same aspects used in Chapters 5 and 6, which are the dimensions of the exposed data, their visibility to others, and awareness of the related privacy risks, all of which were shown to contribute to the way in which the respondents perceive location privacy and behave with regard to location-sharing. However, it aims to propose a usable privacy-oriented interface that provides a holistic view of, or in other words full access to, a user’s location-based profile resulting from his/her location sharing on GeoSNs. It offers a holistic view of the users’ data, whether directly collected or implicitly inferred about them, including who can see them, which users can access when needed. In addition, users’ profiles can be extracted from multiple GeoSN accounts to show a wider overview of what information the users are giving away online. The location privacy awareness approach is used here in a different context from Chapter 5, which provided real-time and task-specific notifications. The design focuses on presenting privacy awareness information simply and directly using several visualisation methods, to clarify the meaning of the information shown. Employing visualisation techniques was shown to be an effective way of educating users about their data disclosure to online services, showing them the privacy implications and influencing their attitude to location-sharing [33, 122, 123, 124, 92]. The evaluation is carried out to measure the impact on users’ privacy attitude and behaviour in a series of semi-structured interviews with users of GeoSNs, whose feedback is based on their own real shared data.