Automating identification of potentially problematic privacy policies

Research output: Contribution to journalArticle

Abstract

Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, an automated approach and tool to gather and analyse these policies is presented, and some important considerations for these documents are highlighted, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms - the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. The concerns these pose to user privacy and choice are highlighted, as well as the extent to which these terms are found in policies and documents from many popular websites. This tool was used to highlight how commonly these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company.
LanguageEnglish
JournalNordic and Baltic Journal of Information and Communications Technologies
Publication statusAccepted/In press - 22 Feb 2016

Fingerprint

Websites
Data privacy
Mobile devices
Industry
Sales

Keywords

  • automating identification
  • cloud services
  • cloud computing
  • privacy policies
  • personal data

Cite this

@article{bb852cc763974e06adefa100a791baf5,
title = "Automating identification of potentially problematic privacy policies",
abstract = "Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, an automated approach and tool to gather and analyse these policies is presented, and some important considerations for these documents are highlighted, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms - the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. The concerns these pose to user privacy and choice are highlighted, as well as the extent to which these terms are found in policies and documents from many popular websites. This tool was used to highlight how commonly these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company.",
keywords = "automating identification, cloud services, cloud computing, privacy policies, personal data",
author = "Greig Paul and James Irvine",
year = "2016",
month = "2",
day = "22",
language = "English",
journal = "Nordic and Baltic Journal of Information and Communications Technologies",
issn = "1902-097X",

}

TY - JOUR

T1 - Automating identification of potentially problematic privacy policies

AU - Paul, Greig

AU - Irvine, James

PY - 2016/2/22

Y1 - 2016/2/22

N2 - Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, an automated approach and tool to gather and analyse these policies is presented, and some important considerations for these documents are highlighted, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms - the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. The concerns these pose to user privacy and choice are highlighted, as well as the extent to which these terms are found in policies and documents from many popular websites. This tool was used to highlight how commonly these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company.

AB - Almost every website, mobile application or cloud service requires users to agree to a privacy policy, or similar terms of service, detailing how the developer or service provider will handle user data, and the purposes for which it will be used. Many past works have criticised these documents on account of their length, excessively complex wording, or the simple fact that users typically do not read or understand them, and that potentially invasive or wide-reaching terms are included in these policies. In this paper, an automated approach and tool to gather and analyse these policies is presented, and some important considerations for these documents are highlighted, specifically those surrounding past legal rulings over the enforceability of some specific and widely-used contract terms - the ability for terms to be changed without directly notifying users (and presumed continued use indicates acceptance), and the protections in place in the event of a sale or acquisition of a company. The concerns these pose to user privacy and choice are highlighted, as well as the extent to which these terms are found in policies and documents from many popular websites. This tool was used to highlight how commonly these terms are found, and the extent of this potential problem, and explore potential solutions to the challenge of regulating user privacy via such contracts in an era where mobile devices contain significant quantities of highly sensitive personal data, which is highly desirable to service operators, as a core valuation asset of their company.

KW - automating identification

KW - cloud services

KW - cloud computing

KW - privacy policies

KW - personal data

UR - http://www.riverpublishers.com/journal.php?j=NBJICT/2016/1/1

M3 - Article

JO - Nordic and Baltic Journal of Information and Communications Technologies

T2 - Nordic and Baltic Journal of Information and Communications Technologies

JF - Nordic and Baltic Journal of Information and Communications Technologies

SN - 1902-097X

ER -