
Usable transparency through network representations and analyses

Julio Angulo
Karlstad University
Dept. of Information Systems
651 88 Karlstad, Sweden
[email protected]


Abstract

We explore how concepts from the field of network science can be employed to inform Internet users about the way their personally identifiable information (PII) is being used and shared by online services. We argue that presenting users with graphical interfaces that display information about the network structures that are formed by PII exchanges can have an impact on the decisions users take online, such as the services they choose to interact with and the information they decide to release.

Author Keywords

Transparency, network science, UI, data visualizations

ACM Classification Keywords

H.1.2 [User/Machine Systems]: Human Factors; K.4.1 [Public Policy Issues]: Privacy; D.2.2 [Design Tools and Techniques]: User Interfaces

Introduction

The personal information that online services collect from their users can be shared, aggregated and processed for various purposes. However, these users are rarely fully aware of how their information is being used, with whom it is shared, where it is stored, and what the possible consequences of the use or misuse of their information are.

In simplistic terms, the spread of users’ personal information can be thought of as a network, where nodes or actors are the different online services (including online merchants, data aggregators, data brokers, etc.) and the resource being shared among these actors is users’ personal information. Performing network analysis on the relationship between these actors could bring to light probabilistic risks and benefits associated with the information that different services hold. For instance, understanding the clustering coefficient of a particular service could provide an idea of the speed and extent to which a user’s personal information could be spread. Similarly, the degree centrality of a service can reveal the amount of information that flows through it and the power that a service might have to use this knowledge for either malevolent or beneficial causes. These insights, when presented to users through graphical interfaces, can potentially influence users’ trust in online services, their decisions to release information online, and their willingness to control it.
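The two metrics named above, computed on a small data-sharing network, together with the set of services one attribute can reach. This is an added example, not code from the paper; the service names and flows are constructed, and the flow format (sender, recipient, attribute) is an assumption about what a machine-readable policy would expose.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample flows (sender, recipient, attribute), as a machine-readable
# policy might declare them. Every service name here is hypothetical.
FLOWS = [
    ("shop", "payment", "card"), ("shop", "payment", "name"),
    ("shop", "adnet", "email"), ("shop", "analytics", "email"),
    ("analytics", "adnet", "email"), ("analytics", "broker", "email"),
    ("adnet", "broker", "email"), ("payment", "bank", "card"),
]

def neighbours(flows):
    """Undirected view: two services are linked if PII passes between them."""
    adj = defaultdict(set)
    for src, dst, _attr in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return dict(adj)

def degree_centrality(adj, node):
    """Share of all other services that exchange PII with this one."""
    return len(adj[node]) / (len(adj) - 1)

def clustering_coefficient(adj, node):
    """Fraction of a service's partners that also exchange PII with each other."""
    nbrs = adj[node]
    if len(nbrs) < 2:
        return 0.0
    linked = sum(1 for a, b in combinations(nbrs, 2) if b in adj[a])
    return linked / (len(nbrs) * (len(nbrs) - 1) / 2)

def reach(flows, start, attribute):
    """Services one attribute can end up at, with the fewest hops to each."""
    out = defaultdict(set)
    for src, dst, attr in flows:
        if attr == attribute:
            out[src].add(dst)
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in out[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    del hops[start]
    return hops

if __name__ == "__main__":
    adj = neighbours(FLOWS)
    for svc in sorted(adj):
        print(svc, round(degree_centrality(adj, svc), 2),
              round(clustering_coefficient(adj, svc), 2))
    print("email from shop:", reach(FLOWS, "shop", "email"))
```

The hop count gives a rough reading of "speed" and the size of the returned set a reading of "extent" for one attribute.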

Background and related work

Studies of Internet networks have revealed patterns in which information can spread most efficiently [9], and discussions surrounding privacy in a networked world propose that privacy is a dynamic process which is affected by situated and evolving interactions [17]. Studies in the privacy field have indicated that social influence can play a role in people’s security and privacy attitudes and behaviours [24]. For instance, a study on students’ privacy settings in online social networks suggests that students are more likely to have private profiles if their friends and roommates have themselves a private profile [14]. Another study claims that trust behaviours within a community can influence privacy concerns and behaviours in other members of that community [16]. Yet another study suggests that many people learn informal lessons about online security from stories they hear from their friends and family, and they in turn retell these stories further to others, thus forming a network of narrations where security decisions and behaviours are being socially influenced [19]. Researchers have also looked at the impact of applying network analyses and visualizations for tackling privacy problems and for making users aware of their actions online [7, 11, 13, 20, 21, 24]. For instance, Google+ ripples [23] shows users the reach of their content posted publicly, and Mozilla’s Lightbeam [15] visualizes the first and third party services that collect information embedded in users’ web browsing behaviours.

Studies have also shown that transparency from a service provider can promote trust and revenue for that service [22]. Providing users with transparency of the exchanges of their PII among different online entities would be possible assuming that service providers want to be accountable and transparent about their data handling and sharing practices. The technical, legal and societal implications of accountable online services are currently being explored by initiatives like the European Cloud Accountability project (A4Cloud) [18], which builds upon concepts related to P3P [5] and PPL [2].

Visualizing privacy policies as networks

Most users do not take the time to read the texts presented in an online service’s privacy policy. Suggestions have been made for simplifying these policies through graphical metaphors (e.g. [12]). However, many of these attempts still require users to possess higher abstract models of technology and of privacy principles, and they assume that users are willing to spend time and effort on understanding them.

Motivated by previous studies which suggest that network visualizations are a good way to understand the meaning behind data [3, 6] and that users appreciate interactive representations of data flows [11, 13], we argue that parts of a service’s privacy policy would become more intuitive when translated into a network visualization, as depicted in the example shown in Figure 1. The figure resembles a tree structure having the online service in question as the central node at the top, from which edges branch according to the relationships specified by the service’s privacy policy statements that explain the flow of personal data attributes. Constructing these relationships would be technically possible assuming that accountable online services provide machine-readable privacy policies, such as A-PPL [18], which specifies some aspects of the data sharing practices of a service. In the visual tree, child nodes are represented with the logotypes of the online services that could receive the data. When the user clicks on a service’s logotype, the node expands to reveal more detailed information about that service, and icons representing the personal attributes being received by that service branch out of the selected node, allowing for progressive disclosure of the policy. Summarized information about the service provider and the analysis of its position within the network would be presented in a side panel.

Although no formal usability studies have been made to evaluate this visualization idea, we argue that such visual presentation would be able to provide users with a quick overview of the way data flows through different online entities. This is not only more informative and graspable than the current textual presentation of privacy policies, but also allows for the progressive and interactive disclosure of information, dictated by how much the user wants to know. Besides, studies on the understanding of network visualizations done by inexperienced students showed that these students were able to easily identify properties of the network and to extract information that was not apparent otherwise [8].

Figure 1: Visualizing data exchanges and usage as specified in a service’s machine-readable privacy policy.

Data disclosures as ego-centred networks

Internet users leave digital traces in their everyday online interactions. As a way to provide transparency of the data disclosures, different visualization techniques can be designed to inform users about which personal information has been released to which service at what point in time. We envision one type of visualization (Figure 2) [1] in which the user is represented with a profile image in the middle of the screen, the services to which she has released information appear in a bottom panel and the information attributes that have been released appear in a top panel. By clicking on one (or many) of the services at the bottom, the interface shows a “trace” from the service to the user, and then from the user to the pieces of information that she has released to that specific service. If the user instead clicks on a piece of information at the top, the trace shows which online services have that particular piece of information. This view can be thought of as an ego network of radius 1, where the data subject is being represented as the central node. Only relevant service providers, which form the radii of the ego network, are represented with small images of their logotypes. Different colours or shapes in the links could be used to represent explicitly sent data, implicitly collected data or data inferred from analysis. Detailed descriptions of this concept and initial usability studies of iterative design rounds can be found in [1].

Figure 2: Visualizing data disclosures as an ego network.

Trust on online services as a social contagion

Figure 3: Network representation of the level of trust that people would place in an unknown cloud service. A total of 130 respondents to a survey are linked by geographical proximity if they are less than 10 degrees in longitude and latitude from each other. Node colour scale: 1 (No trust at all) to 5 (Trust completely).

Figure 4: Same as Figure 3, clustered by world regions (Scandinavia & Northern Europe; Central Europe; Northern Africa; East Europe & the Balkans; South East Asia; Oceania; America).

The increasing popularity of recommender and reputation systems serves as an indication that people rely on the judgement of others to make trust decisions of their own [10], a phenomenon also referred to as “social proof” [4].

We performed an exploratory experiment to test the idea that the level of trust users place in an unknown online service is influenced by the level of trust that their nearby peers in the network place in the service. To do this we created a registration page for a fictitious cloud storage service, which we called SheepCloud, and invited participants from different parts of the world to register to this cloud service previously unknown to them. Participants were led to believe that they could obtain free GB of cloud storage by submitting their personal information at the moment of registration and uploading some initial files to the cloud. After they clicked on the registration button, participants were debriefed about the experiment, then they were asked questions about their privacy attitudes and to rate, on a scale from 1 to 5, “how much would you trust a service like SheepCloud with all your files and data.” Our preliminary results suggest that clusters emerge in the reported levels of trust from users in nearby geographic regions. This is visually represented in Figure 3, where the colour of a node indicates how much participants were willing to trust this unknown cloud service provider with their information. Obtaining different metrics for a larger network, such as the modularity or the transitivity of trust ranks between connected nodes, could bring interesting insights and corroborate whether “trust” in online services, and other privacy related concepts, in fact exhibit properties of social contagion.
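One way to quantify the clustering described above, as an added example that is not the study's own analysis: it links respondents with the stated proximity rule (read here as under 10 degrees in both latitude and longitude, an assumption), then scores how well the trust ratings partition that graph using Newman modularity. The eight respondents are constructed, not survey data.

```python
from collections import Counter
from itertools import combinations

# Constructed respondents: (id, latitude, longitude, trust rating 1-5).
RESPONDENTS = [
    ("A", 59.4, 13.5, 2), ("B", 59.3, 18.1, 2), ("C", 55.7, 12.6, 2),
    ("D", 52.5, 13.4, 3), ("E", 48.2, 16.4, 4),
    ("F", 1.35, 103.8, 5), ("G", 3.1, 101.7, 5), ("H", -6.2, 106.8, 4),
]

def proximity_edges(people, limit=10.0):
    """Link two respondents when both coordinate gaps are under `limit` degrees.
    Longitude wrap-around at +/-180 is ignored in this sketch."""
    return [(a[0], b[0]) for a, b in combinations(people, 2)
            if abs(a[1] - b[1]) < limit and abs(a[2] - b[2]) < limit]

def trust_modularity(people, edges):
    """Modularity Q of the partition 'same trust rating' on the graph.
    Q > 0 means equal ratings sit next to each other more than chance predicts."""
    if not edges:
        return 0.0
    trust = {p[0]: p[3] for p in people}
    m = len(edges)
    degree, internal = Counter(), Counter()
    for u, v in edges:
        degree[u] += 1
        degree[v] += 1
        if trust[u] == trust[v]:
            internal[trust[u]] += 1
    degree_sum = Counter()
    for node, d in degree.items():
        degree_sum[trust[node]] += d
    return sum(internal[g] / m - (degree_sum[g] / (2 * m)) ** 2
               for g in degree_sum)

def mean_trust_gap(people, pairs):
    """Average absolute rating difference over the given respondent pairs."""
    trust = {p[0]: p[3] for p in people}
    return sum(abs(trust[u] - trust[v]) for u, v in pairs) / len(pairs)

if __name__ == "__main__":
    edges = proximity_edges(RESPONDENTS)
    everyone = list(combinations([p[0] for p in RESPONDENTS], 2))
    print("edges:", len(edges))
    print("modularity:", round(trust_modularity(RESPONDENTS, edges), 4))
    print("gap, neighbours:", round(mean_trust_gap(RESPONDENTS, edges), 3))
    print("gap, all pairs:", round(mean_trust_gap(RESPONDENTS, everyone), 3))
```

A neighbour gap well below the all-pairs gap is consistent with geographic clustering of trust, but on its own it does not separate contagion from shared regional context.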

Next steps

The ideas presented here would need to be empirically tested to check not only for the usability of the proposed visualizations in meaningful contexts of use, but also for the impact that they may have on the users’ decisions to disseminate and control their PII. We argue that studies to corroborate these ideas are possible by adapting the results from initiatives like the Cloud Accountability project [18], which makes it technically feasible to recreate the chain of services through which users’ data flows.

References

[1] Angulo, J., Bernsmed, K., Fischer-Hubner, S., et al. D:D-5.1 User Interface Prototypes V1. Project deliverable D:D-5.1, A4Cloud Project, August 2014.

[2] Ardagna, C. A., et al. Primelife policy language. In WACAS ’09 (2009).

[3] Becker, H., Naaman, M., and Gravano, L. Beyond trending topics: Real-world event identification on twitter. In ICWSM ’11, AAAI (2011).

[4] Cialdini, R. B. Influence (rev): The Psychology of Persuasion. HarperCollins, 1993.

[5] Cranor, L. F. P3P: Making privacy policies more useful. IEEE Security & Privacy 1, 6 (2003), 50–55.

[6] Freeman, L. C. Visualizing social networks. Journal of social structure 1, 1 (2000), 4.

[7] Gao, B., and Berendt, B. Circles, posts and privacy in egocentric social networks: An exploratory visualization approach. 2013.

[8] Hansen, D. L., Rotman, D., Bonsignore, E., et al. Do you know the way to SNA?: A process model for analyzing and visualizing social media data. U. of Maryland. Tech Report: HCIL-2009-17 (2009).

[9] Haythornthwaite, C. Social network analysis: An approach and technique for the study of information exchange. Library & Information Science Research 18, 4 (1996), 323–342.

[10] Jøsang, A., Ismail, R., and Boyd, C. A survey of trust and reputation systems for online service provision. Decision support systems 43, 2 (2007), 618–644.

[11] Kani-Zabihi, E., and Helmhout, M. Increasing service users’ privacy awareness by introducing on-line interactive privacy features. In NordSec ’12. Springer, 2012, 131–148.

[12] Kelley, P. G., Bresee, J., Cranor, L. F., and Reeder, R. W. A “Nutrition Label” for Privacy. In SOUPS ’09, ACM (New York, NY, USA, 2009), 1–12.

[13] Kolter, J., et al. Visualizing past personal data disclosures. In ARES ’10, IEEE (2010), 131–139.

[14] Lewis, K., Kaufman, J., and Christakis, N. The taste for privacy: An analysis of college student privacy settings in an online social network. JCMC ’08 14, 1 (2008), 79–100.

[15] Mozilla. Lightbeam add-on for Firefox. https://www.mozilla.org/en-US/lightbeam/.

[16] Nov, O., and Wattal, S. Social computing privacy concerns: antecedents and effects. In CHI ’09, ACM (2009), 333–336.

[17] Palen, L., and Dourish, P. Unpacking privacy for a networked world. In CHI ’03, ACM (2003), 129–136.

[18] Pearson, S., et al. Accountability for cloud and other future internet services. In CloudCom ’12, IEEE (2012), 629–632.

[19] Rader, E., Wash, R., and Brooks, B. Stories as informal lessons about security. In SOUPS ’12, ACM (2012), 6:1–6:17.

[20] Strahilevitz, L. J. A social networks theory of privacy. In American Law & Economics Association Annual Meetings, bepress (2005), 42.

[21] Takano, Y., Ohta, S., Takahashi, T., et al. Mindyourprivacy: Design and implementation of a visualization system for third-party web tracking. In PST ’14, IEEE (2014), 48–56.

[22] Tsai, J., Egelman, S., Cranor, L., and Acquisti, A. The effect of online privacy information on purchasing behavior: An experimental study. Information System Research 22 (2011), 254–268.

[23] Viegas, F., et al. Google+ ripples: A native visualization of information flow. In International conference on World Wide Web (2013), 1389–1398.

[24] Wang, D., Wen, Z., Tong, H., et al. Information spreading in context. In Inter. Conf on WWW ’11, ACM (2011), 735–744.