Managing Potentially Intrusive Practices in the Browser: A User-Centered Perspective

Thumbnail Image

Files

popets-2021-0082.pdf (621.57 KB)

Links to Files

https://www.petsymposium.org/2021/files/papers/issue4/popets-2021-0082.pdf

Permanent Link

http://hdl.handle.net/11603/22213

Collections

UMBC Information Systems Department
UMBC Faculty Collection

Author/Creator

Author/Creator ORCID

Date

2021-06-16

Type of Work

conference papers and proceedings
Text

Department

Program

Citation of Original Publication

Smullen, Daniel et al.; Managing Potentially Intrusive Practices in the Browser: A User-Centered Perspective; Proceedings on Privacy Enhancing Technologies, (4):500–527, 16 June, 2021; https://www.petsymposium.org/2021/files/papers/issue4/popets-2021-0082.pdf

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)

Subjects

Abstract

Browser users encounter a broad array of potentially intrusive practices: from behavioral profiling, to crypto-mining, fingerprinting, and more. We study people’s perception, awareness, understanding, and preferences to opt out of those practices. We conducted a mixed-methods study that included qualitative (n=186) and quantitative (n=888) surveys covering 8 neutrally presented practices, equally highlighting both their benefits and risks. Consistent with prior research focusing on specific practices and mitigation techniques, we observe that most people are unaware of how to effectively identify or control the practices we surveyed. However, our user-centered approach reveals diverse views about the perceived risks and benefits, and that the majority of our participants wished to both restrict and be explicitly notified about the surveyed practices. Though prior research shows that meaningful controls are rarely available, we found that many participants mistakenly assume opt-out settings are common but just too difficult to find. However, even if they were hypothetically available on every website, our findings suggest that settings which allow practices by default are more burdensome to users than alternatives which are contextualized to website categories instead. Our results argue for settings which can distinguish among website categories where certain practices are seen as permissible, proactively notify users about their presence, and otherwise deny intrusive practices by default. Standardizing these settings in the browser rather than being left to individual websites would have the advantage of providing a uniform interface to support notification, control, and could help mitigate dark patterns. We also discuss the regulatory implications of the findings.