From procedures to peril : towards risk transparency in information privacy for users

ZHAW Digital Collection · 2026-04-08

Sportverletzungen im Kindes- und Jugendalter

Monatsschrift Kinderheilkunde · 2026-02-04

CA–CI: Integrating Contextual Integrity and the Capabilities Approach for Dignity Considerations in AI Governance

IEEE Security & Privacy · 2026-01-01

Capabilities approach -contextual integrity (CA–CI) extends contextual integrity through the integration of dignity thresholds from the capabilities approach and the specification of purpose as a constitutive parameter. We demonstrate how CA–CI can operationalize the EU AI Act's fundamental rights impact assessments, harm thresholds, and anticipatory governance.

How We Define Privacy Literacy: Teaching Experiences & Challenges of Community-Engaged Privacy Educators

Proceedings on Privacy Enhancing Technologies · 2026-01-01 · 1 citations

This study examines the pedagogical approaches and experiences of community-engaged educators—individuals who teach privacy, online safety, or security to specific communities through community organizations, companies, or local institutions, such as libraries. We draw on interviews with 21 such educators across the United States and find that, unlike some privacy and security advice that may emphasize knowledge retention of common skills and strategies, these educators prioritized teaching for independent decision-making. Our participants conceptualized privacy literacy as a process for taking informed action, and, from their insights, we identified five core competencies of privacy literacy: (1) data fluency, (2) account security, (3) fraud detection, (4) information vetting, and (5) surveillance capitalism. Notably, these competencies integrate privacy, security, and online safety concepts into privacy literacy—reflecting an increasingly integrated threat landscape. Embedded within the communities they serve, these educators shared their deep understanding of their students’ needs, which varied dramatically, and shared ways in which they tailored their programming accordingly. However, educators also shared significant teaching constraints, including limited time, resources, and organizational support. We discuss the implications of our findings for privacy literacy and for supporting community-engaged privacy literacy efforts.

Privacy and Trust vs. Utility: Adoption of Commercial vs. Institutional AI assistants Among University Users

2026-04-13 · 1 citations

Generative AI assistants are being rapidly adopted in universities, supporting students in coursework and faculty in academic tasks. To address privacy concerns, some institutions introduced institutional AI assistants, typically wrappers around commercial models (e.g., ChatGPT) with added governance and data protections. However, university-affiliated users appear to rely more on commercial tools (e.g., ChatGPT, Gemini). We conducted a survey (n=260) at one U.S. university to examine preferences, usage scenarios, and perceptions of trust, privacy, and experience with institutional and commercial AI. Participants trusted institutional tools more and considered them more privacy protective, nevertheless commercial tools were often favored for writing, programming, and learning due to their features and utility. Findings reveal a trade-off between privacy and trust versus utility, highlighting complementary adoption patterns and design opportunities for both institutional and commercial AI in higher education.

“Families are messy”: From Parent-Child Tensions to Family-Centered Design of Smart Home Technologies

2026-04-13 · 1 citations

Smart home technologies have become common in family homes, making even young children inevitable users of these technologies. However, these systems are typically designed for individual adults, creating family tensions and conflicts over children’s access, safety, and appropriate smart home use. To investigate children’s and parents’ individual and joint smart home needs and dynamics, we conducted an in-home study with nine families (children aged 6-11). We identify four key parent-child tensions with smart home technologies, including struggles over parental protection versus children’s autonomy, differing views on technology’s purpose, disagreements over technology-enforced routines, and children’s vulnerability to embedded commercialism. Our work reconceptualizes parental mediation as a process of “tension management” rather than the application of static rules. This research challenges the dominant individual-centric choice architecture in smart home design, calling for a family-centered approach that acknowledges and adapts to the fluid, complex, and negotiated reality of modern family life.

From procedures to peril: Towards risk transparency in information privacy for users

Telecommunications Policy · 2026-03-31

Information privacy is an integral part of users' lives, as many digital services and their business models heavily rely on personal data. For example, conversational agents will use massive amounts of user conversations to hyper-personalize ads. Although privacy information is provided through policies and app notifications, and regulation increasingly adopts risk-based approaches, users remain largely uncertain about the risks they face. Design tweaks such as privacy icons or nutrition labels have yielded little improvement, as the central issue lies not in how privacy information is presented, but in what is omitted: the emphasis on disclosing data practices alone does not sufficiently reduce users’ uncertainty about potential harms. This paper develops an argument for complementing the current paradigm of “procedural transparency” with “risk transparency.” Risk transparency prioritizes the clear communication of privacy risks to individuals using digital services, similar to established practices in domains such as drug safety, public health, or consumer protection, where explicitly informing users about risks is considered the main priority. In this article, we discuss risk transparency terminology, illustrate how risk can be communicated, and review the evidence on the effectiveness of risk communication as well as its associated challenges. A shift towards privacy risk transparency aims to provide consumers and data subjects with more meaningful information that supports their informed decision-making in the data economy. • Users remain uncertain about actual risks despite risk-based privacy/AI regulations and detailed privacy policies. • We propose a shift from communicating complex data practices to explicit, user-friendly risk transparency. • Emerging evidence suggests risk transparency improves users’ privacy self-management.

Transparency Guidelines for Human-Centered Security and Privacy Research

Zenodo (CERN European Organization for Nuclear Research) · 2025-12-23

About the guidelines Transparent research reporting is crucial to make research understandable and replicable. The idea of this document is to provide guidelines for the usable privacy and security community on how to report our research transparently. Its focus is therefore human-subject security and privacy studies. SoKs/SLRs are not explicitly covered, though many items still apply - see the PRISMA statement for explicit reporting guidelines. These guidelines are based on research on the community’s research reporting expectations and practices [Klemmer et al., Klemmer et al.] and a workshop held at SOUPS 2025. The goal is to serve as a checklist for both authors and reviewers, ensuring that critical details are included in a paper. The guidelines aim to strengthen research quality further, improve replicability, and support newcomers in participating in our research community, both as authors and reviewers. How should these guidelines be used? In general: This document provides two overview checklists with brief descriptions, one sorted by topic and one sorted by priority. Both link to more extensive descriptions for each criterion. As an author: When designing and conducting your research and writing your paper, see what transparency criteria are relevant to your project. The guidelines provide instructions and examples that offer inspiration and can be adapted to a specific paper. As a reviewer: When reviewing papers, you can check with these guidelines whether something is missing and should be added to a paper. Reviewers can reference these guidelines in their review to substantiate their critique and point authors to these guidelines for improving a paper’s reporting. These guidelines should apply to the majority of papers, providing helpful advice on research reporting. However, there may be exceptional cases and exceptions that necessitate deviating from widely accepted practices. Therefore, these guidelines should be considered in the context of the respective paper. Interactive website Visit our interactive companion website to navigate the guide: https://transparency-guide.teamusec.de These guidelines do not aim to prescribe how research should be conducted or should (not) be done in a research project. Instead, they aim to guide papers to report details that allow reviewers and others to assess the merit and rigor of the study and its execution.

Transparency Guidelines for Human-Centered Security and Privacy Research

Zenodo (CERN European Organization for Nuclear Research) · 2025-12-23

About the guidelines Transparent research reporting is crucial to make research understandable and replicable. The idea of this document is to provide guidelines for the usable privacy and security community on how to report our research transparently. Its focus is therefore human-subject security and privacy studies. SoKs/SLRs are not explicitly covered, though many items still apply - see the PRISMA statement for explicit reporting guidelines. These guidelines are based on research on the community’s research reporting expectations and practices [Klemmer et al., Klemmer et al.] and a workshop held at SOUPS 2025. The goal is to serve as a checklist for both authors and reviewers, ensuring that critical details are included in a paper. The guidelines aim to strengthen research quality further, improve replicability, and support newcomers in participating in our research community, both as authors and reviewers. How should these guidelines be used? In general: This document provides two overview checklists with brief descriptions, one sorted by topic and one sorted by priority. Both link to more extensive descriptions for each criterion. As an author: When designing and conducting your research and writing your paper, see what transparency criteria are relevant to your project. The guidelines provide instructions and examples that offer inspiration and can be adapted to a specific paper. As a reviewer: When reviewing papers, you can check with these guidelines whether something is missing and should be added to a paper. Reviewers can reference these guidelines in their review to substantiate their critique and point authors to these guidelines for improving a paper’s reporting. These guidelines should apply to the majority of papers, providing helpful advice on research reporting. However, there may be exceptional cases and exceptions that necessitate deviating from widely accepted practices. Therefore, these guidelines should be considered in the context of the respective paper. Interactive website Visit our interactive companion website to navigate the guide: https://transparency-guide.teamusec.de These guidelines do not aim to prescribe how research should be conducted or should (not) be done in a research project. Instead, they aim to guide papers to report details that allow reviewers and others to assess the merit and rigor of the study and its execution.

Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks

2025-11-19

Privacy policies are often complex. An exception is the two-page standardized notice that U.S. financial institutions must provide under the Gramm-Leach-Bliley Act (GLBA). However, banks now operate websites, mobile apps, and other services that involve complex data sharing practices that require additional privacy notices and do-not-sell opt-outs. We conducted a large-scale analysis of how U.S. banks implement privacy policies and controls in response to GLBA; other federal privacy policy requirements; and the California Consumer Privacy Act (CCPA), a key example for U.S. state privacy laws. We focused on the disclosure and control of a set of especially privacy-invasive practices: third-party data sharing for marketing-related purposes. We collected privacy policies for the 2,067 largest U.S. banks, 45.2% of which provided multiple policies. Across disclosures and controls for the same bank, we identified frequent, concerning inconsistencies---53.8% of banks with multiple privacy policies indicated in GLBA notices that they do not share with third parties but disclosed sharing in other policies. This multiplicity of policies, with the inconsistencies it causes, may create consumer confusion and undermine the transparency goals of the very laws that require them. Our findings call into question whether current policy requirements, such as the GLBA notice, are achieving their intended goals in today's online banking landscape. We discuss potential avenues for reforming and harmonizing privacy policies and control requirements across federal and state laws.