005 Computer programming, programs, data
Helping Johnny to Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study
(2016)
Digital ecosystems are driving the digital transformation of business models. Meanwhile, the associated processing of personal data within these complex systems poses challenges to the protection of individual privacy. In this paper, we explore these challenges from the perspective of digital ecosystems' platform providers. To this end, we present the results of an interview study with seven data protection officers representing a total of 12 digital ecosystems in Germany. We identified current and future challenges for the implementation of data protection requirements, covering issues on legal obligations and data subject rights. Our results support stakeholders involved in the implementation of privacy protection measures in digital ecosystems, and form the foundation for future privacy-related studies tailored to the specifics of digital ecosystems.
Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires considering user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy-preserving RBA with high user acceptance.
Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from those previously observed. It is recommended by various national security organizations, and users perceive it more usable than and equally secure to equivalent two-factor authentication. Despite that, RBA is still used by very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration. This effectively hinders the RBA research, development, and adoption progress.
To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than 1 year. Based on the data, we provide (i) studies on RBA’s real-world characteristics plus its configurations and enhancements to balance usability, security, and privacy; (ii) a machine learning–based RBA parameter optimization method to support administrators finding an optimal configuration for their own use case scenario; (iii) an evaluation of the round-trip time feature’s potential to replace the IP address for enhanced user privacy; and (iv) a synthesized RBA dataset to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open dataset enables researchers to study, test, and improve RBA for widespread deployment in the wild.
Login Data Set for Risk-Based Authentication
Synthesized login feature data of >33M login attempts and >3.3M users on a large-scale online service in Norway. Original data collected between February 2020 and February 2021.
This data set aims to foster research and development for Risk-Based Authentication (RBA) systems (https://riskbasedauthentication.org). The data was synthesized from the real-world login behavior of more than 3.3M users at a large-scale single sign-on (SSO) online service in Norway.
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users. To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.
We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication against account takeover attacks. Our study on 65 participants shows that users find RBA more usable than two-factor authentication equivalents and more secure than password-only authentication. We identify pitfalls and provide guidelines for putting RBA into practice.
Risk-based authentication (RBA) is an adaptive approach to strengthening password authentication. It monitors a set of features related to login behavior during password entry. If the observed feature values differ significantly from those of earlier logins, RBA requests additional proof of identity. Government agencies and a US presidential executive order recommend RBA to protect online accounts against attacks using stolen passwords. Despite these facts, RBA suffered from a lack of open knowledge. There was little to no research on the usability, security, and privacy of RBA. Understanding these aspects, however, is important for broad acceptance.
This work aims to provide a comprehensive understanding of RBA through a series of studies. The results make it possible to create privacy-friendly RBA solutions that strengthen authentication while maintaining high human acceptance.
Background
Consumers rely heavily on online user reviews when shopping online and cybercriminals produce fake reviews to manipulate consumer opinion. Much prior research focuses on the automated detection of these fake reviews, which are far from perfect. Therefore, consumers must be able to detect fake reviews on their own. In this study we survey the research examining how consumers detect fake reviews online.
Methods
We conducted a systematic literature review over the research on fake review detection from the consumer-perspective. We included academic literature giving new empirical data. We provide a narrative synthesis comparing the theories, methods and outcomes used across studies to identify how consumers detect fake reviews online.
Results
We found only 15 articles that met our inclusion criteria. We classify the most often used cues identified into five categories which were (1) review characteristics, (2) textual characteristics, (3) reviewer characteristics, (4) seller characteristics, and (5) characteristics of the platform where the review is displayed.
Discussion
We find that theory is applied inconsistently across studies and that cues to deception are often identified in isolation without any unifying theoretical framework. Consequently, we discuss how such a theoretical framework could be developed.
Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example
(2023)
Online services have difficulty replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing.
Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
The documentation requirements of data published in long term archives have significantly grown over the last decade. At WDCC the data publishing process is assisted by “Atarrabi”, a web-based workflow system for reviewing and editing metadata information by the data authors and the publication agent. The system ensures high metadata quality for long-term use of the data with persistent identifiers (DOI/URN). By these well-defined references (DOI) credit can properly be given to the data producers in any publication.
The processing of employees’ personal data is dramatically increasing, yet there is a lack of tools that allow employees to manage their privacy. In order to develop these tools, one needs to understand what sensitive personal data are and what factors influence employees’ willingness to disclose. Current privacy research, however, lacks such insights, as it has focused on other contexts in recent decades. To fill this research gap, we conducted a cross-sectional survey with 553 employees from Germany. Our survey provides multiple insights into the relationships between perceived data sensitivity and willingness to disclose in the employment context. Among other things, we show that the perceived sensitivity of certain types of data differs substantially from existing studies in other contexts. Moreover, currently used legal and contextual distinctions between different types of data do not accurately reflect the subtleties of employees’ perceptions. Instead, using 62 different data elements, we identified four groups of personal data that better reflect the multi-dimensionality of perceptions. However, previously found common disclosure antecedents in the context of online privacy do not seem to affect them. We further identified three groups of employees that differ in their perceived data sensitivity and willingness to disclose, but neither in their privacy beliefs nor in their demographics. Our findings thus provide employers, policy makers, and researchers with a better understanding of employees’ privacy perceptions and serve as a basis for future targeted research on specific types of personal data and employees.
The European General Data Protection Regulation requires the implementation of Technical and Organizational Measures (TOMs) to reduce the risk of illegitimate processing of personal data. For these measures to be effective, they must be applied correctly by employees who process personal data under the authority of their organization. However, even data processing employees often have limited knowledge of data protection policies and regulations, which increases the likelihood of misconduct and privacy breaches. To lower the likelihood of unintentional privacy breaches, TOMs must be developed with employees’ needs, capabilities, and usability requirements in mind. To reduce implementation costs and help organizations and IT engineers with the implementation, privacy patterns have proven to be effective for this purpose. In this chapter, we introduce the privacy pattern Data Cart, which specifically helps to develop TOMs for data processing employees. Based on a user-centered design approach with employees from two public organizations in Germany, we present a concept that illustrates how Privacy by Design can be effectively implemented. Organizations, IT engineers, and researchers will gain insight on how to improve the usability of privacy-compliant tools for managing personal data.
Applied privacy research has so far focused mainly on consumer relations in private life. Privacy in the context of employment relationships is less well studied, although it is subject to the same legal privacy framework in Europe. The European General Data Protection Regulation (GDPR) has strengthened employees’ right to privacy by obliging that employers provide transparency and intervention mechanisms. For such mechanisms to be effective, employees must have a sound understanding of their functions and value. We explored possible boundaries by conducting a semistructured interview study with 27 office workers in Germany and elicited mental models of the right to informational self-determination, which is the European proxy for the right to privacy. We provide insights into (1) perceptions of different categories of data, (2) familiarity with the legal framework regarding expectations for privacy controls, and (3) awareness of data processing, data flow, safeguards, and threat models. We found that legal terms often used in privacy policies used to describe categories of data are misleading. We further identified three groups of mental models that differ in their privacy control requirements and willingness to accept restrictions on their privacy rights. We also found ignorance about actual data flow, processing, and safeguard implementation. Participants’ mindsets were shaped by their faith in organizational and technical measures to protect privacy. Employers and developers may benefit from our contributions by understanding the types of privacy controls desired by office workers and the challenges to be considered when conceptualizing and designing usable privacy protections in the workplace.
The ongoing digitisation in everyday working life means that ever larger amounts of personal data of employees are processed by their employers. This development is particularly problematic with regard to employee data protection and the right to informational self-determination. We strive for the use of company Privacy Dashboards as a means to compensate for missing transparency and control. For conceptual design we use among other things the method of mental models. We present the methodology and first results of our research. We highlight the opportunities that such an approach offers for the user-centred development of Privacy Dashboards.