Carnegie Mellon University
Understanding People’s Diverse Privacy Attitudes: Notification, Control, and Regulatory Implications

thesis
posted on 2023-12-13, 21:39 authored by Shikun Zhang

With the broad adoption of smartphones, the Internet of Things (IoT) and artificial intelligence (AI) technologies, people are contributing to the generation of increasingly rich and sensitive digital footprints as they go about their daily lives. The privacy risks associated with the large and diverse amounts of data collected by these new technologies are compounded by increasingly widespread data sharing and data mining practices. In response to these developments, new privacy regulations have been introduced, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations aim to increase transparency and control over the collection and use of one’s personal data, yet they have also inadvertently increased user burden when it comes to managing one’s privacy. In the United States, the prevailing legal framework for privacy revolves around the concept of “Notice and Choice.” Notifying data subjects about all relevant data collection practices and empowering them to effectively exercise control over these practices in accordance with applicable regulations has become highly impractical. The amount of time and effort needed for a user to read all privacy policies and configure all privacy settings is unrealistically high. 

This dissertation explores the diversity of people’s privacy attitudes across contexts associated with the recent introduction of new technologies. Specifically, we look at (1) new data collection and use scenarios associated with the recent deployment of video analytics technologies across an increasingly broad range of contexts, (2) the privacy challenges arising from the proposed adoption of COVID-19 vaccination mandates and associated vaccination certificates, and (3) the effectiveness of mobile app privacy labels to inform mobile users about the data collection and use practices of mobile apps. Work presented herein is informed by the Contextual Integrity framework, which identifies key contextual parameters influencing people’s privacy expectations and preferences. Through a collection of user studies, this thesis aims to shed light on the diversity of people’s privacy attitudes in these different contexts and the challenges they give rise to. This includes looking at the complexity of informing people about the data practices associated with a representative set of video analytics scenarios, people’s perception of privacy trade-offs associated with COVID-19 vaccination mandates and certificates in different contexts, and finally the challenges associated with the development of mobile app privacy labels capable of effectively addressing people’s diverse privacy concerns. 

This dissertation illustrates the complexity and diversity of people’s privacy expectations and preferences across these different scenarios. It reveals privacy expectations that apply across broad segments of the population as well as differences in expectations among different groups of people. It shows how clustering techniques can be used to develop finer models of people’s privacy expectations and preferences. It documents the challenges in reconciling privacy and user burden considerations and suggests possible solutions that range from regulations requiring APIs to communicate privacy decisions, to the use of clustering models to assist users in managing their privacy decisions.

History

Date

2023-05-14

Degree Type

  • Dissertation

Department

  • Language Technologies Institute

Degree Name

  • Doctor of Philosophy (PhD)

Advisor(s)

Norman Sadeh
