In recent years, the popularity of social media has been on the rise. Driven by a multitude of motivations, users have grown accustomed to sharing online most aspects of their lives. This self-disclosure has not only proven to be dangerous for peoples' privacy and security but also harmful to their personal, professional and intimate relationships. However, in the age of social media, it seems improbable for people to completely discontinue using social media platforms such as Facebook, Twitter and Instagram. Hence, there is an urgent need to find a balanced compromise between online sociability and privacy. In this work we propose a platform to mitigate the dangers of self-disclosure through the use of a personalized harm-aware recommender system. Specifically, the recommender system balances the requirements for privacy protection with the users' need to share with their social circles. To achieve this, the platform starts by evaluating the risks of disclosing the personal information and then, if necessary, proceeds to recommend to the user how to reduce that risk. While the evaluation of the risk is done in an objective manner, personalization is of the essence since users have diferent preferences and sharing needs. As such, when performing the recommendation, the systems will provide personalized nudge-based recommendations, raising the users' awareness of the privacy issues stemming from selfdisclosure.
encourages the collection and sharing of information, by gradually increasing the variety and types of collected data, as well as relying on more revelatory default visibility setti2n].gs [
While social media platforms are expected to safeguard the user’s data and information, this task becomes much harder when the human factors are considered.
Indeed, while users in general report a high concern for their privacy, they tend to have a privacy-compromising online behavior, and an unprecedented level of self- disclosure (the act of voluntarily sharing and disclosing personal information to others) activity is taking place. This contradiction between privacy attitudes and actual behavior is generally referred to as the privacy paradox 3[]. Essentially, one would logically expect that users’ privacy concerns would restrict the voluntary disclosure of personal information. However, the reverse efect is observed where users tend to share private information in exchange for retail items and personalized services, or through their social network activitie4s][.
This has existed long before the advent of the internet and social media. In 1973, psychologists
Irwin Altman and Dalmas Taylor formulated the theory of social penetratio5n]. [It theorizes
that the more people disclose things about themselves, the closer they get to those with whom
they share said information. This applies to friendships6][ and romantic [
Moreover, there are many other reasons why people feel motivated to divulge their personal
and sensitive information, ranging from seeking fame, attracting brand sponsorships, release
pent-up feelings [
The following scenario serves to further explain the issue and the proposed solution: Alice is usually careful and aware of dangers on privacy and cybersecurity online. Recently, she has been laid of her current job due to the economic struggle following the COVID-19 outbreak. While browsing through her preferred social media platform, she stumbles upon a post for a “work from home” job ofer, providing an email address for applicants and requesting information such as a curriculum vitae, social security number and address. This is one of the biggest scams that have been targeting vulnerable people seeking an alternative income. Alice is usually careful and aware of menaces on privacy and cybersecurity, but her judgement is clouded by her current mental state and she is unable to objectively assess her situation. If she proceeds without being advised otherwise, she might turn into a fraud victim.
In this case, there is a need for a system which already identified Alice’s privacy preferences, knows that her current conduct is dangerous and can advise her against this course of action. This system would intervene and nudge Alice telling her “BEWARE! Your are about to share information which can easily lead to your identity being stolen. Consider deleting the information ‘social security number’ to reduce the risk”. This paper proposes a platform for this purpose, to guide users towards aware disclosure. The proposed system considers the user’s assessment of their data as well as an objective evaluation and finds middle ground between the two.
In dealing with this issue, this work makes the following contributions: • Propose an objective threat assessment model for computing the privacy risk based on an input vector representing the user’s disclosed data. • Detail an adaptive nudge-based recommender that balances on one sidethe objective risk assessment and on the other side the user’s sharing needs and privacy preferences.
The paper is organized as follows: section 2 discusses existing work that relates to our proposition. Section 3 details the recommender system and the diferent submodules of the architecture. Section 4 reports on the evaluation of the platform and section 5 concludes this work with a discussion of the contributions provides pointers on future work.
Trepte and Masur[
People evaluate the risks and the perceived gratification1[
It is for this reason that the need for an objective party to help assess the situation has emerged. The user’s decision-making abilities should not be discarded but aided instead. Bandu[r2a3] confirms that a certain behavior can be encouraged or deterred provided that the person receives a prediction of positive incentives or detrimental consequences. This is where our proposition plays a major role to either validate or discourage the self-disclosing user post and provide personalized alternatives in the latter case.
Other studies aiming to reduce self-disclosure include research on the correlation between changing privacy settings and revealing personal dat2a4][. The study concludes that simply limiting the audience does not equal more control over sensitive credentials. This further supports the urgent need to find a solution to manage the user’s input rather than focus on platform-specific configurations and antimalware.
In particular, nudge-based mechanisms are garnering interest in awareness raising contexts.
Nudges propose positive reinforcements and suggestions. They are used for cybersecurity and
privacy preservation in order to encourage users to adopt aware behavior and to reflect on
their behavior in a non-obstructive way. They can be a one-fits-all where they depend on the
scenario rather than the user 2[
Nudged are used in a multitude of contexts, from helping adolescent SNS users avoid
privacy and safety threats 2[
We believe that having an objective assessment along with the personal judgement has the potential to not only get closer to the user’s preferences but also mitigate the risk of selfdisclosure, which is why we adopt this approach. The following section details our proposition of the harm-aware recommender system.
This section details the proposed approach for a personalized, nudge-based recommender system. However, the recommender system is one component of a larger platform. Consequently, to help the reader better understand the design and function of the recommender system, the next subsection highlights the general architecture of the platform (Figure 1), briefly introducing the various components.
The platform relies on user modeling to study the user’s tendencies and preferences over time. This is then utilized along with domain knowledge to empower the personalized recommender system and mitigate the risk of self-disclosure. The user model is used to capture characteristics of the individual including motivation, objectives and cognitive bias. A personalized approach must also consider the user’s trust circle (where the user feels comfortable revealing personal data), which includes both the platforms and the human counterparts.
Another major component is the domain knowledge which, contrarily to the user model, does not focus on individuals but rather on the general processes and conclusions. This includes the language model which serves to process the text input and to “understand” it. Other functions include devising the subjective assessment model as well as studying the privacy tendencies on the platform.
The Information Extraction component analyzes the raw text input of the user, determines the exact disclosed data, ultimately generating the threat vector. It has the disclosed information as well as their disclosure rate so each piece of data is represented(a s,: ).
Finally, the user model, the domain model and the threat vector are sent to the recommender system, the focal point of this paper. The system orchestrator serves as the medium through which the diferent modules communicate.
This subsection focuses on the main contribution for this paper which stems from the recommender system mechanism. It is worth noting that it can be used as a standalone module (browser plugin for example) or integrated within other platforms. Figure 2 is a view of the recommender system’s modules which are detailed next.
The objective of this module is to provide an objective assessment of the risk. The valu e is user input-specific but not user preference-specific. Specifically, the value of depends solely on the input. As such, if two users, with completely diferent preferences disclose the same pieces of data, they would have the exact same risk value.
This is done using the objective threat function as follows: ∑ , =1 = · ( , ) (1) corresponds to a component of the data vector . Each component is a piece of personal data such as location or social security number. threat assessment after receiving data from the orchestrator.
is a component of the disclosure vector . For =legal name, = first name or = last name.
is the objective weight/risk of disclosin g . ( , ) disclosure rate: is the value of disclosing the informatio n out of . This varies between 0 and 1. The lower end means that the user didn’t disclose any portion of that information and 1 refers to a complete disclosure of datu m .
the total number of personal data that the system considers to be private. ,
To the best of our knowledge, there are no formal objective measure to weigh the risk of
disclosing certain pieces of personal information. As such, we devised on a novel approach to
determine the importance (weight) of personal information , , based on their price on the
dark web. A piece of data is considered to be most sensitive and its disclosure most costly when
it has the highest price tag. These values were collected from diferent reports and studies done
by various sources includingExperian, TransUnion, Atlas VPN, Safety detectives, Keepersecurity,
Symantec, Statista, and Pace technical [
Each class is then represented by a normalized interval’s mean value to reduce the noise of the raw data. This newly calculated value corresponds to the objective weight of each information belonging to said class. For example, the weight of an information belonging to the “low sensitivity” bucket is2.25.
In Table 3, scenarios are defined, and their objective risk values are calculated using the weights in Table 2 and the estimated values of the disclosure ra (te ). This is the method used to estimate values of ( ): If the data is fully disclose d(: ) = 1 and if the data is fully undisclosed: ( )=0.
If a portion of the data is disclosed: Suppose that the complete dat ahas pieces ranked from least to most user specific, example for =credit card number, the first 4 digits ( 1) that are bank-specific are worth less than the rest of the number ( 2) which are more user-specific. To put a value of how much of does 1 account for, we define the function in general as follows: ( , 1+ ) = 2 ∗ ( , ), ∀ 1 ≤ < ( , 1) + ( , 2) + … … … + ( , ) = ( , ) = 1 ( , 1) + 2 ( , 1) + … … … + ( , 1) = 1 ( , 1)(1 + 2 + 4 + … + 2−1 ) = 1 ( , ) = 2 1− 1 ⋅ 2−1 (2)
Example: in Table 3, scenario 2, the user disclosed their year of birth which is the most specific in comparison with the day and month of birth. 3 = 22 ⋅ 231−1 = 0.57
The exception to this would be the address because disclosing the zip code for example, even without explicitly stating the city, province and country, is an implicit disclosure of all of these pieces of data. As such, we define the f values for country, province, city, zip code, building consecutively as0.125, 0.25, 0.5, 0.75,1. This is applied to scenario 1 in Table 3.
Going back to the main scenario in the introduction where Alice is about to disclose her address and social security number, 1 is the address and 2 is the SSN, = 1, ⋅ ( 1, 1)+ 2, ⋅ ( 2, 2) = 1.25 ∗ 1 + 1.25 ∗ 1 = 2.5.
The aforementioned and recorded values are non-user specific as they define the objective values. The following module shows how the user preferences are used along with these objective weights to personalize the nudges.
This module takes as input the threat vector and the calculated . The latter is then compared with the user’s subjective threshold. Specifically, this threshold represents the user’s privacy tolerance, that is how much information they are willing to share. This is an important aspect of personalization since diferent users have diferent sharing/privacy needs. If ( < ℎ ℎ) , it means that the disclosure is within the user’s tolerance, and the process terminates. However, if ( ≥ ℎ ℎ) , it means that the risk exceeds the user’s tolerance, and the system must notify the user and recommend (nudge) an appropriate course of action to reduce the risk below the threshold. Another important aspect of personalization is the user preferences for each piece of data that are called subjective weigh ts, . Each data has an objective weight , and a subjective , .
To do so, we start by defining the set = { , − ℎ ℎ ≤ , ⋅ ( )}. Specifically, is a set of candidates (pieces of data ) whose elimination alone reduces the value of objective threat function below the personalized threshold . can either be: • ≠ ∅ , meaning that there exists at least one piece of da t a that, when removed, will reduce the risk below the threshold. If multiple candidates exist, we choose the one to delete using this user preference-based formula: = arg min ( , 1≤≤ | | ) (3) • = ∅ , meaning that there is not one single piece of data that would reduce the risk below the threshold. In this case, the system recommends to the user to delete multiple pieces of disclosed data to reach the risk tolerance level. In this case we execute the following pseudo code: ← ∶
← the values of the threshold an d , the personalization is based.
is the final output and it’s the set of data to be recommended to the user. In particular, Alice who is highly aware of privacy menaces, has a threshold equal to 2, and the risk of her current action is 2.5 as calculated in the previous section. If her preference for SNN is 1 and for location is 2, in this case the nudge would be to delete SSN.
At this point, Alice has received the recommendation and the process that follows her choice is detailed in the evaluation module section.
This process is based on the user’s action after being recommended the personalized nudges. The user can refuse the nudge or accept it. In the first case, the user shares the content as is, without modifications. In the second case, the user either accepts the recommendation and reduces the risk as proposed by the system, or might reduce the risk based on their own discretion. All these cases are considered as a form of implicit feedback which is used to update . Both these values are user-specific parameters on which i Begin with reevaluating th e
after the user’s action: • User doesn’t delete any piece of data:
remains the same • User deletes one or more pieces of data. Supposing that the user deletes the following Deleted_data= { , … , }: = − ii Then we update the threshold as follows: ℎ ℎ = ℎ ℎ + • if –ℎ ℎ < 0 softsign ( − ℎ ℎ , either the risk of the user’s original input was already below the threshold or the user fully accepted the recommendation to delete the pieces of data whose weight exceeds the threshold−:1 < softsign (–ℎ ℎ) < 0 . As a result, the threshold is reduced. sRRoiescckioam>lstmehceruenrsdihtydolendleutminbger RAℎec,ℎcfue=spet2nn=.5uu2−dd.gg5ee+:: s=o=ftss2iog.25ftsn.5ig−n(11.(2.2155.2−=52−1).22=5) 1=.527.42 • if –ℎ ℎ ≥ 0 , the user either deleted partial pieces of data or completely ignored the recommendation and proceeded to post the input as it is. 0 < softsign (–ℎ ℎ) < 1 . As a result, the threshold is increased. iii We update the weights using a similar formula, for eac h ∈ : • If the user deletes : • If the user does not delete : , , = , + softsign ( , − ,
In Table 4, this process is applied to Alice’s scenario and calculations are made for both cases when she does and when she does not accept the nudge.
To simplify the weight update , we use = 1 but in the evaluation section we discuss the impact of the value of this parameter on the system’s recommendations. Table 4 shows how the threshold is increased when the user ignores the nudge and vice versa. Finally, the algorithms for recommendations and updating the user preferences are detailed below. simulated data represents all types of users from low awareness, medium to high. One of the main concerns when using recommender systems is the cold start problem in which the user has just been introduced to the platform and his preferences are unknown. To overcome this and set initial threshold values to kickstart the recommender system-based awareness raising process, the user’s preferences are estimated though a short survey. Essentially, it consists of a straightforward process where the individual estimates how much their own assets are worth to them on a scale of 1 to 10. These values as given by the user are averaged and considered to be the initial subjective weights. This is also used to compute the initial threshold which equals 10 − − ( ℎ ). After doing this, the system has the initial threshold and as mentioned previously, the system is judged on how fast this converges to the actual threshold
The next step is to see how these initial thresholds evolve over time. This depends on the scenario that defines the objective risk value, the system’s set learning rate and the user’s responses to the recommendations. We select 3 scenarios out of a total of 20 conducted tests that have a significant objective risk values to demonstrate the diferent outcomes depending on the user.
In Table 5, users’ decisions are simulated as follows: • Users who have a low threshold value are the most concerned about their privacy and the most likely to accept to delete data as recommended by the system. The higher the risk the more likely they are to accept the nudge. For example, user 3 refused the recommendations with a 25% probability, accepted them with a75% probability. • Users with medium thresholds (Bob and Anna) accept recommendations with a probability closer to50%. • Users with high threshold are the least conscious about their privacy and as a result they refuse the recommendations with a75% probability and accept them with a25% probability.
In each iteration (scenario), the risk value is evaluated (values taken from Table 3) and compared to the personal threshold which is initialized based on the survey filled by each user. This comparison allows the system to determine which type of nudge it needs to make: recommend modification or encourage the post as it is if the risk does not surpass the personal threshold. Example: in scenario 7, Sam whose threshold i6s.62 after the previous scenario is encouraged by the system to reduce the disclosure but upon his refusal, the threshold is increased as it corresponds to his tolerance to risk. The threshold goes from6.62 to 6.91 which gets the user closer to their actual threshol5d.
For the same scenario, John who displays the highest aversion to risk, accepts the recommendation which results in his threshold going down from1.33 to 1.21 which is further from the actual threshold which is equa2l. However, that can be explained by the fact that the risk 6is.5 which is high, and a highly aware person is likely to accept to reduce the risk. The threshold converges more quickly with low risk scenarios.
Another important thing worth pointing out is that is an experimental value that is characteristic of the system and not the users. Meaning that once we set its value, the thresholds of all users are computed using the same value. In our evaluation, we tested values between0.1 and 0.9 and compared the impact of each on the convergence of the threshold. A good choice of is imperative. A large value fo r would introduce a considerable change, and this would cause the threshold to exceed and miss the targeted value. A small value owf ould introduce very small changes to the threshold, and that is not desirable as well, since it will take longer to converge to the targeted value. So, if the threshold diference from one iteration to the next is negligible then the awareness-raising purpose.
We tested the outcome with values of from 0.1 to 0.9 in increments of 0.1. For example, Catherine whose initial threshold i8s.75 , has given the address the highest score during the quiz so he might be inclined to eliminate his province after second thought. with a value α =0.9, Catherine’s new threshold is7.94 which is a0.81 reduction from the earlier value. This seems like an improvement in terms of the user’s awareness. However, it is too optimistic as in fact, this user has a minimal awareness of all of her assets. So, the next time we nudge her, unless the risk is address-related, we predict that she would ignore the system. In conclusion, maximizing the threshold reduction can have a negative impact because large jumps result in frequent unwelcomed nudges that do not reflect the user’s preferences. Similarly to this, ifxing = 0.1 results inℎ ℎ = 8.67 for the same user Catherine, after she performs the same action. This is not a good choice either because a user with a high threshold such as Catherine would almost never receive nudges which counters the privacy preserving purpose of the platform. After several tests, was set to 0.5, as it provides an optimal value that has shown to converge to the user’s preferences more accurately and quickly, with Low0.(31) , Medium (2.25) and High (6.5) risk levels alike.
Finally, in Table 6, a comparison is drawn between this paper’s proposition and existing work on nudges for privacy preservation.
In this section, we have evaluated the platform based on users with diferent initial thresholds and it is then compared in terms of mechanism with existing approaches.
Today, the proliferation of social networking sites, their reachability, ease of use as well as their integration within many aspects of our daily activities, has given rise to an unprecedented level of self-disclosure activity. Various solutions exist to help the user navigate the maze of online self-disclose, however, such systems focus mainly either on the data being disclosed (ignoring the user’s needs and preferences) or on the user (ignoring the data being disclosed). As such, this paper presents a new platform that balances the risks of self-disclosure and the user’s sharing needs and privacy preferences. It is a user-centric proposition based on a personalized risk-aware recommender system. Users are guided towards privacy preservation through nudges tailored according to their perception to maximize the probability of accepting the recommendation. The contributions of this work can be summarized into two main aspects. First, this work provides an objective approach to evaluate the risk of various types of user data. Second, this work provides a novel method of modeling and evaluating the user’s privacy preferences at two diferent levels, one for a general disclosure (the threshold), and the second more specific ( , ), based on the diferent types of data being disclosed. Finally, an evaluation of the personalization component of the recommender system is performed, to validate how well the system adapts and converges to the user’s preferences.
As for future works, various aspects still require further development. First, currently, the recommender system considers each disclosure on its own and keeps track only of the user preferences. This can represent a threat for users who small nuggets of information, one at a time. These might not trigger the recommender system and go undetected. As such, the risk evaluation function proposed in this work should also incorporate other aspects from previous disclosures by the user. Second, both the risk and the user preference, in reality, are very dependent on the sharing environment as well as the people involved. As such we intend to investigate further how to incorporate these aspects within the objective evaluation of risk, and the personalized recommendation and nudges. Also, the language model needs implementation and more development to ensure both the understanding of the user input and the generation of the nudge. Finally, it would be interesting to explore how one can extend this approach to other domains, such as fake news. Specifically, an approach that would combine an objective evaluation of the post with the user’s preferences and cognitive biases to nudge them away from fake news. Accessed: 2020-07-28. URL: https://www.equifax.co.uk/resources/identity_protection/ dark-web-explained.htm.l [34] [Online] Your SSN costs less than a Starbucks cofee on the dark web, 2020, Accessed: 2020-07-28. URL: https://atlasvpn.com/blog/ your-ssn-costs-less-than-a-starbucks-coffee-on-the-dark-we.b [35] [Online] Dark Web: The Average Cost of Buying a New Identity in 2020, 2020, Accessed: 2020-07-28. URL: https://www.safetydetectives.com/blog/ dark-web-the-average-cost-of-buying-a-new-identit y./ [36] [Online] How Cybercriminals Make Money, 2020, Accessed: 2020-07-28. URLh:ttps://www. keepersecurity.com/en_GB/how-much-is-my-information-worth-to-hacker-dark-web. html. [37] [Online] Internet Security Threat Report, 2020, Accessed: 2020-07-28. URLh:ttps://docs.
broadcom.com/doc/istr-24-2019-en. [38] [Online] Dark web market price for stolen credentials 2019, 2020, Accessed: 2020-07-28. URL: https://www.statista.com/statistics/1007470/ stolen-credentials-dark-web-market-price./ [39] [Online] How Much Is Your Identity Worth on the Black Market?, 2020, Accessed: 202007-28. URL: https://www.pacetechnical.com/much-identity-worth-black-market./