ABSTRACT
Users make two privacy-related decisions when signing up for a new Service Provider (SP): (1) whether to use an existing Single Sign-On (SSO) account of an Identity Provider (IdP), or not, and (2) the information the IdP is allowed to share with the SP under specific conditions. From a privacy point of view, the use of existing social network-based SSO solutions (i.e. social login) is not recommended. This advice, however, comes at the expense of security, usability, and functionality. Thus, in principle, it should be up to the user to consider all advantages and disadvantages of using SSO and to consent to requested permissions, provided that she is well informed. Another issue is that existing social login sign-up interfaces are often not compliant with legal privacy requirements for informed consent and Privacy by Default. Accordingly, our research focuses on enabling informed decisions and consent in this context. To this end, we identified users' problems and usability issues from the literature and an expert cognitive walkthrough. We also elicited end user and legal privacy requirements for user interfaces (UIs) providing informed consent. This input was used to develop a tutorial to inform users on the pros and cons of sign-up methods and to design SSO sign-up Uls for privacy. A between-subject laboratory study with 80 participants was used to test both the tutorial and the UIs. We demonstrate an increase in the level to which users are informed when deciding and providing consent in the context of social login.
- Yusuf Albayram, Mohammad Maifi Hasan Khan, and Michael Fagan. 2017. A Study on Designing Video Tutorials for Promoting Security Features: A Case Study in the Context of Two-Factor Authentication (2FA). International Journal of HumanâĂŞComputer Interaction 33, 11 (2017), 927--942.Google Scholar
- Majid Arianezhad, L Jean Camp, Timothy Kelley, and Douglas Stebila. 2013. Comparative Eye Tracking of Experts and Novices in Web Single Sign-on. In CODASPY. ACM, 105--116. Google ScholarDigital Library
- Art. 29 Data Protection Working Party. 2004. Opinion 10/2004 on More Harmonised Information Provisions. Available from: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp100_en.pdf. (2004).Google Scholar
- Lujo Bauer, Cristian Bravo-Lillo, Elli Fragkaki, and William Melicher. 2013. A Comparison of Users' Perceptions of and Willingness to Use Google, Facebook, and Google+ Single-sign-on Functionality. In DIM. ACM, 25--36. Google ScholarDigital Library
- R. Böhme and S. Köpsell. 2010. Trained to Accept?: A Field Experiment on Consent Dialogs. In CHI. ACM, 2403--2406. Google ScholarDigital Library
- Cristian Bravo-Lillo, Lorrie Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. 2014. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. In SOUPS. USENIX Association, 105--111. Google ScholarDigital Library
- John Brooke. 2013. SUS: A Retrospective. Journal of Usability Studies 8, 2 (2013), 29--40. Google ScholarDigital Library
- Ann Cavoukian. 2009. Privacy by Design: The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Information and Privacy Commissioner of Ontario, Canada (2009).Google Scholar
- Serge Egelman. 2013. My Profile is My Password, Verify Me!: The Privacy/Convenience Tradeoff of Facebook Connect. In CHI. ACM, 2369--2378. Google ScholarDigital Library
- Batya Friedman, Edward Felten, and Lynette I. Millett. 2000. Informed Consent Online: A Conceptual Model and Design Principles. University of Washington Computer Science & Engineering Technical Report 00-12-2 (2000).Google Scholar
- Ruti Gafni and Dudu Nissim. 2014. To Social Login or not Login? Exploring Factors Affecting the Decision. Issues in Informing Science and Information Technology 11 (2014), 57--72.Google ScholarCross Ref
- Yousra Javed and Mohamed Shehab. 2016. Investigating the Animation of Application Permission Dialogs: A Case Study of Facebook. In DPM. Springer, 146--162.Google Scholar
- Yousra Javed and Mohamed Shehab. 2017. Look Before You Authorize: Using Eye-Tracking to Enforce User Attention Towards Application Permissions. PoPET 2, 2 (2017), 23--37.Google Scholar
- Farzaneh Karegar, Daniel Lindegren, John Sören Pettersson, and Simone Fischer-Hübner. 2017. Assessments of a Cloud-Based Data Wallet for Personal Identity Management. In Information Systems Development: Advances in Methods, Tools and Management (ISD2017 Proceedings).Google Scholar
- Jonathan Lazar, Jinjuan Heidi Feng, and Harry Hochheiser. 2010. Research Methods in Human-Computer Interaction. Wiley Publishing. Google ScholarDigital Library
- Naresh K. Malhotra, Sung S. Kim, and James Agarwal. 2004. Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research 15, 4 (2004), 336--355. Google ScholarDigital Library
- Andrew S. Patrick and Steve Kenny. 2003. From Privacy Legislation to Interface Design: Implementing Information Privacy in Human-Computer Interactions. In PET. Springer, 107--124.Google Scholar
- John Sören Pettersson, Simone Fischer-Hübner, Ninni Danielsson, Jenny Nilsson, Mike Bergmann, Sebastian Clauss, Thomas Kriegelstein, and Henry Krasemann. 2005. Making PRIME Usable. In SOUPS. ACM, 53--64. Google ScholarDigital Library
- Ashwini Rao, Florian Schaub, Norman Sadeh, Alessandro Acquisti, and Ruogu Kang. 2016. Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online. In SOUPS. USENIX Association, 77--96. Google ScholarDigital Library
- Nicky Robinson and Joseph Bonneau. 2014. Cognitive Disconnect: Understanding Facebook Connect Login Permissions. In COSN. 247--258. Google ScholarDigital Library
- Shahar Ronen, Oriana Riva, Maritza Johnson, and Donald Thompson. 2013. Taking Data Exposure into Account: How Does It Affect the Choice of Sign-in Accounts?. In CHI. ACM, 3423--3426. Google ScholarDigital Library
- Michael C Rowbotham, John Astin, Kaitlin Greene, and Steven R Cummings. 2013. Interactive Informed Consent: Randomized Comparison with Paper Consents. PloS one 8, 3 (2013), e58603.Google ScholarCross Ref
- San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. 2011. What Makes Users Refuse Web Single Sign-on?: An Empirical Investigation of OpenID. In SOUPS. ACM, Article 4, 20 pages. Google ScholarDigital Library
- San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. 2013. Investigating Users's Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model. TOIT 13, 1, Article 2 (2013), 35 pages. Google ScholarDigital Library
- The European Parliament and the Council of the European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (2016).Google Scholar
- Pagona Tsormpatzoudi, Bettina Berendt, and Fanny Coudert. 2015. Privacy by Design: From Research and Policy to Practice-the Challenge of Multi-disciplinarity. In APF. Springer, 199--212.Google Scholar
- Anna Vapen, Niklas Carlsson, Anirban Mahanti, and Nahid Shahmehri. 2015. Information Sharing and User Privacy in the Third-party Identity Management Landscape. In CODASPY. ACM, 151--153. Google ScholarDigital Library
- Vetenskapsrådet. 2002. Forskningsetiska principer inom humanistisk-samhällsvetenskaplig forskning.Google Scholar
- Na Wang, Jens Grossklags, and Heng Xu. 2013. An Online Experiment of Privacy Authorization Dialogues for Social Applications. In CSCW. ACM, 261--272. Google ScholarDigital Library
Index Terms
- Helping john to make informed decisions on using social login
Recommendations
(Un)informed Consent: Studying GDPR Consent Notices in the Field
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications SecuritySince the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and ...
Extending layered privacy language to support privacy icons for a personal privacy policy user interface
HCI '18: Proceedings of the 32nd International BCS Human Computer Interaction ConferenceThe LPL Personal Privacy Policy User Interface (LPL PPP UI) is designed to allow for informed and free consent. An extension for the Layered Privacy Language and the Privacy Icons Overview is introduced here. The capabilities of the LPL PPP UI consist ...
Privacy-Patterns for IoT Application Developers
UbiComp/ISWC '22 Adjunct: Adjunct Proceedings of the 2022 ACM International Joint Conference on Pervasive and Ubiquitous Computing and the 2022 ACM International Symposium on Wearable ComputersDesigning Internet of things (IoT) applications (apps) is challenging due to the heterogeneous nature of the systems on which these apps are deployed. Personal data, often classified as sensitive, may be collected and analysed by IoT apps, where data ...
Comments