July 29, 2021
One size does not fit all when managing data practices on the web
By Daniel Tkacik JUL 19, 2021
Surfing the web today exposes users to a shocking array of data collection practices. Websites are building digital profiles about you, targeting ads towards you, and sometimes they’re even using your computer to mine cryptocurrency, whether you know it or not.
How does that sit with you? A new study by Carnegie Mellon University CyLab researchers aimed to find out.
"We wanted to find out to what extent people are aware of these practices, how they feel about them, and whether they understand how much of these practices they can potentially control and how," says CyLab’s Daniel Smullen, a Ph.D. student in the Institute for Software Research (ISR) and a lead author of a new study.
The team conducted two surveys involving more than 1,000 total participants to study people’s perceptions, awareness, understanding, and preferences to opt out a variety of practices such as targeted advertising, behavioral profiling, and more. Since users may feel or act differently depending on what kind of website they are visiting, each of these practices were presented in the context of different website categories, such as news and information sites, shopping sites, financial sites, and more.
This work highlights the need for users to be able to control which practices they want to allow and which they do not.
"Analysis of the responses collected in the study reveal that people’s attitudes towards these different practices are often linked to the particular category of website where they are deployed," says Smullen.
While most people acknowledge these practices as intrusive, many participants acknowledged they may have potential benefits too, depending on the kind of website they’re visiting and what they’re doing there. For example, one category of practices considered in this study— "Identity / Sign-In Services" such as "Sign in with Google" — may track users across many different and unrelated websites, but they also remove the need to remember as many passwords.
Because of this mix of risks and benefits, whether participants wanted to block various practices wasn’t black or white. In other words, the researchers say, a "one size fits all" approach to allowing or denying these practices isn’t good enough. While some value the convenience of services like "Sign in with Google," others are primarily concerned about being tracked.
"This work highlights the need for users to be able to control which practices they want to allow and which they do not. The problem is that these controls are often not available and, even when they are, they are generally ad hoc and supported differently by different website." says CyLab’s / ISR’s Norman Sadeh, a co-author and principal investigator of the Personalized Privacy Assistant Project. "What is badly needed is a standard for people to be able to communicate their choices to websites. Such a standard would allow users to specify their preferences once in their browser—or some browser extension—and rely on their browser to communicate them to individual websites."
Developing such standards is essential, the authors say, but they also acknowledge it won’t be easy. Websites have different incentives than browsers or even users, so a website may break for a user if it doesn’t agree with the user’s preferences on data collection.
"Today users often do not have the control they need and even when such controls are offered by a given website, the required level of effort is too great. A standard would have to come with regulation—or some commitment from website operators—to require website operators to honor people’s browser settings," says Sadeh. "While earlier standardization efforts in this space have been unsuccessful, this study provides strong scientific evidence that such standardization is really needed. New regulations such as laws passed in California or Europe also suggest that such a change might finally be within reach."