With ever increasing digitalization we experience that enterprises capture consumer data for understanding their behavior and for offering better personalized services. More than often the captured data contains personal and sensitive information of the consumer (also referred to as 'data-subject'), and thus, leads to privacy concerns (Andrade, Kaltcheva, and Weitz 2002;Malhotra, Kim, and Agarwal 2004;Flavián and Guinalíu 2006). Till recently, the data privacy landscape was more enterprise centric with long and incomprehensible policy documents and default opt in for data sharing and usage (Cranor et al. 2013). In her work, Priya Kumar (Kumar 2016) discussed the specific ways in which vague or unclear language hinders the comprehension of enterprise practices. This paradigm represented one extreme of the data privacy management landscape where the data-subject had little or no control over her data with respect to its usage and sharing.
Some enterprises allowed data-subjects to access their data and provide consent for certain specific purposes such as sharing of personal email or demographic data with third party. However, such privacy preference controls provided by enterprises were either limited or there was a disconnect from privacy policy (Anthonysamy, Greenwood, and Rashid 2013) or it was hard to use them (Madden 2012). Further, these controls did not stop an enterprise from analyzing the data for gaining additional insights into datasubject's behavior. More recently, these concerns were addressed by newer privacy regulations and acts in different geographies, for example, GDPR in EU (Voigt and Von dem Bussche 2017) and CCPA in California (de la Torre 2018). These data protection regulations are designed to protect the personal information of individuals by restricting how such information can be collected, used and disclosed by having proper informed consent from data-subjects (Barnard-Wills, Chulvi, and De Hert 2016). For example, France's National Data Protection Commission (CNIL) penalized Google for not having a valid legal basis to process the personal data of the users of its services, especially for ads personalization purposes 1 .
Informed consent is beginning to form the foundation of data protection law in many jurisdictions. It is intuitively considered as an appropriate method to ensure the protection of a data-subject's autonomy as it allows her to have control over her personal data (Voigt and Von dem Bussche 2017;Dwyer III, Weaver, and Hughes 2004). However, if a datasubject interacts with multiple services having consent requirement for many purposes (defined in Section 3) then it leads to information overloading while making decision, and hence, consent fatigue. In biomedical domain consent fatigue is a well discussed topic (Ploug and Holm 2013). Solove (Solove 2012) and Casteren (Casteren 2017) have studied about consumer's privacy self-management and their In this work, we explore the problem of consent fatigue due to information overload and frequent decision making. To address this issue we proposed and implemented a consent recommender system for LinkedIn application. Our work enables a LinkedIn user in identifying appropriate privacy controls and its corresponding setting. It is especially useful for cold-starting a new user for whom no prior historical privacy preferences are available. The main contribution of our work consists of a novel combination of Factorization Machine (FM) (Rendle 2010; 2012) and factors affecting an individuals decision making process for predicting their privacy preference. That said, the details of our contribution are as follows:
• We conducted a survey on 50 data-subjects to identify factors that can influence their decision-making process. Further, we collected LinkedIn privacy setting data for each participant for building our recommendation model.
• In this work we have shown that the privacy recommendation problem can be modeled as a prediction problem. For that we used Factorization Machine (FM) (Rendle 2010; 2012) for consent recommendation. This also helped in analyzing the pairwise interaction of attributes for learning reliable weights. Further, we showed that the accuracy of our proposed model is around 88%. Also, we discussed the change in accuracy (in terms of precision, recall and F1-score) with respect to the different combination of features.
The rest of the paper is organized as follows. Related work is presented in section 2. Architecture and system description are given in section 3. The survey methodology, demography details and result analysis are discussed in section 4. The experimental results are shown in section 5. Section 6 describes the implication of our work, future research possibilities and the limitation of our work with some concluding remarks in section 7.
Often services and applications capture more than required user data for analytics or generating profit by selling it to third party. An example of this was discussed in (Balebako et al. 2013) where they showed that even well-known mobile applications capture sensitive data of data-subjects and then share it with third party without their cognizance. However, with latest data privacy regulations a data-subject's consent becomes necessary to process her data. Substantial amount of work is done for understanding privacy concerns of datasubject (Liu et al. 2016;Olejnik et al. 2017;Knijnenburg 2014;Sadeh and Hong 2014;Liu, Lin, and Sadeh 2014;Sadeh et al. 2009;Wijesekera et al. 2017).
In their work, Sadeh et al analyzed the sensitive data requested by a mobile app and the purposes associated with it (Sadeh and Hong 2014). Liu et al, detected user profiles based on the user application permission settings (Liu, Lin, and Sadeh 2014). They further used Singular Value Decomposition (SVD) for addressing the issues related to sparsity and dimensionality. In (Wijesekera et al. 2017), authors reduce the burden on users by automating the decision making process in smartphones.
Researchers have also looked into the privacy preference recommender system for social networks. Ghainour et al (Ghazinour, Matwin, and Sokolova 2016) proposed a recommender system for privacy settings in social networks, particularly for Facebook. They modeled user's Facebook privacy settings of photo albums by independently considering different attributes, for example, personal profile and interests. In this paper, we also make use of the pairwise interaction of attributes. As it helps in learning reliable weights by taking the inner product of lower dimensional vectors.
In a recent work, (Naeini et al. 2017) focused on privacy expectations and preferences in IoT data collection scenarios. Naeini et al (2017) further showed that privacy preferences are diverse, context dependent and participants are more likely to consent to data if it benefits them. Additionally, they were able to predict data-subjects preferences after three data-collection scenarios. The work presented in (Naeini et al. 2017) comes closer to our work. However, their main focus is on improving the privacy notices for IoT
Where, α is the set of attributes, m is the number of samples and n is the number of features.
For further description refer to Section 3 and 3.1.
devices and develop more advanced personal privacy assistants, whereas, we are addressing the problem of information overload, and hence, the issue of consent fatigue in post GDPR and CCPA era.
Definitions: Some basic definitions of the terms as per GDPR (Voigt and Von dem Bussche 2017):
1. data-subject is an individual whose personal data is collected, held or processed. In this paper terms consumer and data-subject are used interchangeably.
2. personal data shall mean any information relating to an identified or identifiable natural person ('data subject')
3. consent is defined as a data-subject's informed and unambiguous agreement to process her data.
4. purpose of processing data refers to the need and unambiguous reason for collecting, accessing and processing data-subject's data.
Problem Statement: Let U be the set of data-subjects such that U = {u 1 , . . . , u N }. Further, let S be a service provider (LinkedIn in our case), that processes large amount of data fields D = {d 1 , . . . , d K }. Let P = {p 1 , . . . , p X } be the set of clear and unambiguous purposes under which S processes D. For a given purpose p i ∈ P , there is an associated D i ⊆ D. The service provider S will only process D i for the purpose p i . Similarly, a data field d j ∈ D could be linked to multiple purposes P j ⊆ P . Also, purpose p i is associated with a set of attributes (α i ) (e.g., description, purpose category, sensitivity of requested data field, etc.), such that α = X i=1 α i . Figure 1 describes the overall flow of our proposed recommendation system. We selected LinkedIn for building our recommendation model because its a popular professional networking site and we found their privacy settings very comprehensive, including, handling of GDPR related concerns 2 . The modification in their policy was notified via a banner on their landing page. In case a data-subject keeps on using their service without modifying any settings then it is considered as implicit consent which is discussed by 2 https://www.linkedin.com/help/linkedin/topics/6701/6702 (Degeling et al. 2018). We extracted the privacy setting of each participant in our experiment. The collected data is processed to create a suitable feature vector for training the FM model using TensorFlow (Abadi et al. 2016). We tested the accuracy of model by splitting the collected data into training and testing and reported the results in Section 5.
Our data is described in the matrix format X ∈ R m×n , wherein, x i ∈ R n is the i th row that represents the combination of a data-subject and a particular privacy setting with additional attributes as binary indicator variables. The response variable y i ∈ R represents the consent value for i th feature vector. Figure 2 shows the input matrix representation used in this work.
Why FM for Consent Recommendation? The Equation 1 shows the traditional linear regression model, where, w 0 ∈ R and W ∈ R n are bias and weights for features respectively. For any two given features we can independently learn the weight parameters using the model of Equation 1 with linear time complexity. However, this model is not suitable for learning the pairwise interaction of features as discussed in (Rendle 2010;2012). A polynomial regression model with order 2 can capture the parameters for pairwise interaction, but, its time complexity is O(n 2 ).
In a consent recommendation system various factors interact and influence each other and that is why we have selected FM as our model. It solves the issue by factorizing the W as a lower dimensional factor matrix. The model equation from (Rendle 2012) is given below:
In Equation 2, model parameters are w 0 ∈ R, w ∈ R n and V ∈ R n×k . Further, v i and v i in V represents the i th and (i ) th variables with k latent factors. The first part of the above equation models the linear interaction, and, second part shows the pairwise interaction of variables with low rank(k) using their inner product. This effectively helps to estimate the parameters in highly sparse dataset. The Equation 2, is of order 2. We can have higher order variable interactions as shown below (Rendle 2010):
(3) Where, V (l) ∈ R n×k l , k l ∈ N + 0 and, ∀l ∈ {2, . . . , d}, with d as the order.
Prediction of Consent: Given a feature vector x, Equation 3 quantifies the consent. The recommendation can be generated by thresholding the value of ŷ(x). Therefore, the predicted consent C p is defined as:
This section describes the steps involved in our data collection procedure. We selected the participants with an active LinkedIn account with last login activity not older than 15 days. We presented a consent form prior to survey that explained to each participant about the collected data, its use in our study, and the retention period of the data. Those participants who gave consent for data collection and processing were allowed to volunteer further. The data collected from participants did not have any personally identifiable information. The study consisted of three sections: a) an online survey focused on understanding respondent's basic demographics, b) Internet User's Information Privacy Concern (IUIPC) survey (Malhotra, Kim, and Agarwal 2004), and c) some additional questions to support our design, so as to understand how active the participant is in social networking platforms, especially, in this case LinkedIn (refer to Section 4.2). The participants were asked to provide us their privacy settings information from LinkedIn. We processed the settings information and related description for building binary indicator feature vectors (x i ∈ R n , refer to Section 3.1). We considered each section title as a purpose that comes under three categories (privacy, advertisement and communication) and 11 subcategories during our study. The purpose information comprised of one or more control buttons denoted as setting information (refer to Figure 3). Each type of variables such as setting, purpose and its attributes were encoded as one-hot vector.
Participants were asked to rate their comfort level with services using and sharing their personal information on a 5-point Likert scale: Q1: I am comfortable with LinkedIn use/share my personal information or activity data for any purposes. Q2: I am comfortable with other social networks (example, Facebook, Twitter, Google+) use/share my personal information or activity data for any purposes
To assess the change in a participant's behavior, we asked the question Q1 and Q2 as Q3 and Q4 respectively with the following updated scenario:
The enterprise explicitly says that for what purpose it is using the information and it's privacy practice is certified by a trusted organization.
'Q5' and 'Q6' were formulated to understand participants opinion on visibility of their personal data on LinkedIn and other social networking sites. Q5: If you are disclosing your personal information in LinkedIn, who can see your personal information? Q6: If you are disclosing your personal information in other social networks (example, Facebook, Twitter, Google+), who can see your personal information?
Dataset Demographics. Sampled population from our research lab consists of data-subjects with an active LinkedIn account and an active user of at least one more social networking service. The number of participants who gave their consent for data collection experiment were 50. Out of these 50 participants 54% were Male and 46% were Female. 96% of the participants were from age group 22-30 years. The minimum educational qualification within the sample population was under-graduate degree, whereas, the highest qualification was Doctor of Philosophy (PhD). Also, 68% of the participants were highly active (more than once in a week) on LinkedIn's social networking platform.
Findings. In the entry level survey the participants scored relatively well on IUIPC scale for control, awareness and collection of personal information as reported in Table 1. This indicates that participants have reasonably high level of privacy concerns. From the survey we found that 20% participants have modified their privacy settings only at the time of registration, 42% modify once in a quarter, 30% once in a year, and 8% never changed their setting and have given implicit consent for their data use. Figure 4 shows the results from our survey. It is apparent that the 'Agree, Disagree and Neutral' count value changes from 'Q1' to 'Q2' and from 'Q3' to 'Q4'. We used this insight and included purpose and it's attributes for building our prediction model. In Figure 4, we can see that the most of the participants tend to make their personal information visible to their social network. However, some participants kept their information visible to the public in LinkedIn but not on other social networking sites. We conjecture that a participant could benefit by disclosing the professional information as it helps them building new professional connects, and hence, possibility of new job opportunities. This finding is coherent with the observation from Geffet et al (Zhitomirsky-Geffet and Bratspiess 2016). These insights suggest that the reputation of an enterprise and the potential benefits to the data-subject could influence consent decision.
We surveyed 50 participants for LinkedIn with maximum of 174 privacy settings, 42 purposes, 4 purpose categories (3 values used here) and 11 purpose subcategories. Total we had 5584 samples (m) with 281 features (n = 50 + 174 + 42+4+11), for m and n refer to Section 3.1. If a participant gives her consent for a given data field and purpose then the state of the control is considered as '1', that is the control is selected, otherwise it will be '0'. Further, we utilized the TensorFlow implementation of FM algorithm (TFFM) with ADAM optimizer (Mikhail Trofimov 2016). Learning rate was kept as 0.001 and the threshold value (θ) was set as 0.5.
In our experiment, we randomly divided all the participants in 10 bins. We iterated over these 10 bins, using one bin for testing purpose and the remaining 9 bins for training our model. Finally, We averaged out the accuracy obtained from the 10 iterations, shown in Table 2. The sensitivity analysis of f1-score with respect to the rank is shown in Figure 5. It can be observed that there is change in accuracy with different degree of feature combination (order). Further, the size of the dataset is limited which may lead to the fluctuations in the line plot as rank increases. It would be interesting to use some contextual information such as text from purpose description to understand the meaning behind latent factors (V ∈ R n×k in Equation 2). The complexity of different models is given in Table 3.
Mean Square Error, Precision and Recall: We analyzed the Mean Square Error (MSE), precision, recall and f1-score with different order and rank combinations. The results are shown in Table 2. Initially we considered all the purpose attributes in our TFFM model. Further, we assessed the impact of purpose attributes by removing each attribute one by one. From experiments we figured that rank(k) 17 gives better results in terms of accuracy. Moreover, we compared TFFM results with Linear Support Vector Machine (SVM) and polynomial SVM. Linear SVM showed marginal improvement over TFFM model as linear models work better with less amount of data. However, as explained in Section 3.1, TFFM can work as a consent recommendation system given its linear complexity, scalability with larger datasets Cold start vs warm start: The cold-start recommendation scenario appears when there are no prior preferences for users or items, whereas, warm-start arises when prior preferences are available.
FM model works with attributes or categories of input data represented as binary indicators (Rendle 2012). The flexibility of this model helps us to deal with cold-start users/items even when we lack prior preferences. Here, the purpose related attributes of input data are helpful for predicting the new data-subject's consent.
Contributions. Our work makes some useful contributions in the context of information overload and resulting consent fatigue due to multiple purposes for whom consent is needed. We have shown that consent recommendation could be modeled as a prediction problem. Our recommender system has an accuracy of 87% for data-subjects with no prior preferences or usage history. For warm-start data-subjects the system is expected to perform even better. We also identified certain factors which may heavily influence a data-subject's decision making process for consent. Furthermore, the survey results showed that data-subjects are more comfortable in sharing information with enterprises providing professional services.
Future Work. Informed consent from data-subject is pivotal in data privacy regulations and safeguarding their interests. However, privacy policies are complex, and even with relevant educational qualification data-subjects find it difficult to make proper choices. Therefore, there is a need for personal digital assistant that can also help a data-subject in making consent decisions. For future work we will refer to (Liu et al. 2016;Naeini et al. 2017) as our baseline. As consent is pivotal concept in most of the regulations, therefore, we envision that it will be required even if the enterprise were to process homomorphically encrypted data (Gentry and Boneh 2009).
Implicit consent for data collection, sharing and processing is possible due to multiple reasons. Three main reasons contributing to implicit consent are: a) consent fatigue, b) data-subjects unawareness, and c) complex privacy policy document. This may lead to a sense of false compliance and security (Degeling et al. 2018). A potential area to explore is to identify possible breach of compliance regulations due to a data-subject's implicit consent.
In this work we built our recommender system by training our model on data gathered from LinkedIn. In post GDPR and CCPA era, all the service providers of varying type are expected to comply with them. However, more than often it is not feasible to gather sufficient data to build a model for each one of them. To address this issue transfer learning could be a possible area to look into. Assuming the consent requests from the other service has the same flavour of purposes and related attributes.
Apart from European Union's GDPR, many other countries are looking into their own version of data privacy laws and regulations. For example, Protection of Personal Information Act, 2013 (POPI Act) of South Africa, Personal Information Protection and Electronic Documents Act (PIPEDA) from Canada, Singapore Personal Data Protec- tion Act, 2012, and Data Protection Act in India. In future we would like to do a user study and analyze the effect of their demographics on the decision making process. Limitations. Our findings are based on study of privacy settings of a single web-application. This prediction model developed for LinkedIn might not be suitable for a dating site or a photograph sharing site. However, there is a possibility of exploring the application of transfer learning and checking the efficacy of our model on other applications.
We could collect only limited number of participant's privacy settings. In order to obtain a more reliable confidence metric, we will carry out experiments with more participants. Also, in this work we have not quantified the degree of fatigue. It will be interesting to see how it will affect the recommendation model. A possible way to assess it is to observe a data-subject's interaction with the application.
The information we obtained from the self reported responses of the participants may suffer from 'Privacy Paradox' (Norberg, Horne, and Horne 2007). Even though most of the participants were highly concerned about their privacy, but, their actual behavior towards consent request may change in real life. Further, we could not analyze whether the participants are going to change the privacy settings later or not.
We conclude that a lot of factors can affect a data-subjects consent depending on the purpose of processing data. However, the unavailability of factors in the real world setting challenged us in our experiments. For example, the time of consent request, benefit to a data-subject in exchange for consent, information about data field sensitivity and its retention period should matter, but it was hard to extract this information from the experimental setup.
In this work, we explored the issues pertaining to information overload and consent fatigue due to complex privacy policies and new regulations requiring consent for various purposes. We addressed this issue by implementing a consent recommender system for LinkedIn. Furthermore, we demonstrated that the recommendation problem could be modeled as a prediction problem. Our analysis of survey responses and LinkedIn data enabled us to identify some important factors which can influence a data-subject's decision making process. We hope that our work will be useful in identifying the issues pertaining to consent fatigue and build interest for further research in this area.