Highlights:
- Research focuses on enhancing transparency in privacy policy notifications for data breaches and policy changes.
- The proposed ontological model structures user notifications and improves automated reasoning.
- Experiments show most policies lack detail on notification scenarios, particularly in IoT and cloud computing.
- Ontologies offer solutions for more comprehensive and user-friendly privacy policy notifications.
TLDR: A new ontological model has been developed to improve transparency in privacy policy notifications for data breaches and policy changes. This structured approach helps users better understand privacy risks, yet current implementations in IoT and cloud computing policies remain insufficient.
In an increasingly digitized world, where personal data is collected and processed daily, privacy remains a critical concern. While regulations like GDPR, HIPAA, and CCPA are designed to protect users, ensuring transparency through privacy policies is still a challenge.
A recent study by Mikhail Kuznetsov, Evgenia Novikova, and Igor Kotenko tackles this issue head-on. Their research introduces an ontology-based approach to model user notification scenarios, particularly in cases of data breaches and privacy policy changes. This structured model helps clarify the obligations of data processors and enhance user awareness.
The Problem of Incomplete Notifications
Typically, companies rely on privacy policies to inform users about data processing practices. However, notification mechanisms, especially those related to data breaches and policy changes, are often vague. As the study points out, many cloud service providers and IoT manufacturers still fall short in providing detailed, actionable notifications in their policies.
According to the research, only 10% and 16% of privacy policies in IoT device data sets mention data breaches and policy changes, respectively. Many policies vaguely advise users to monitor updates on a webpage without specifying the consequences of rejecting policy changes.
The Ontological Approach
The research team’s ontological model offers a formalized way to structure notification scenarios. By defining key attributes such as communication mechanisms, causes of breaches, and time periods for action, the model provides clarity on when and how users should be informed.
For example, the model classifies communication methods, such as SMS, emails, or in-app notifications, and ties them to specific breach or policy change events. This structured approach enables automatic reasoning, allowing systems to analyze and reason about the transparency of privacy policies more effectively.
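As an added illustration (not the authors' ontology or code from the study), the following Python example encodes notification scenarios as subject-predicate-object triples and uses a small class hierarchy to infer which attributes a scenario leaves unstated. The class names, property names (`usesChannel`, `hasTimePeriod`, `hasCause`, `hasRejectionConsequence`), completeness rules and sample triples are all assumptions constructed for this example.

```python
# Added illustration: names and rules are assumptions, not the paper's ontology.
SUBCLASS = {  # child class -> parent class
    "SMS": "ActiveChannel", "Email": "ActiveChannel", "InApp": "ActiveChannel",
    "WebPageUpdate": "PassiveChannel",
    "ActiveChannel": "CommunicationMechanism",
    "PassiveChannel": "CommunicationMechanism",
    "DataBreach": "NotificationEvent", "PolicyChange": "NotificationEvent",
}
REQUIRED = {  # event class -> properties a complete scenario must state
    "NotificationEvent": {"usesChannel", "hasTimePeriod"},
    "DataBreach": {"hasCause"},
    "PolicyChange": {"hasRejectionConsequence"},
}

def ancestors(cls):
    """Return cls followed by all of its superclasses (transitive closure)."""
    out = [cls]
    while cls in SUBCLASS:
        cls = SUBCLASS[cls]
        out.append(cls)
    return out

def gaps(triples, scenario):
    """List transparency gaps for one scenario in a set of (s, p, o) triples."""
    props = {}
    for s, p, o in triples:
        if s == scenario:
            props.setdefault(p, set()).add(o)
    event = next(iter(props.get("aboutEvent", {"NotificationEvent"})))
    # Requirements are inherited from every superclass of the event.
    needed = set().union(*(REQUIRED.get(c, set()) for c in ancestors(event)))
    found = sorted(f"missing {p}" for p in needed - set(props))
    channels = props.get("usesChannel", set())
    if channels and all("PassiveChannel" in ancestors(c) for c in channels):
        found.append("passive channel only")
    return found

# Constructed sample statements, encoded by hand as triples.
POLICY = {
    ("s1", "aboutEvent", "DataBreach"),       # "we will notify you", nothing more
    ("s2", "aboutEvent", "PolicyChange"),
    ("s2", "usesChannel", "WebPageUpdate"),   # user must monitor a web page
    ("s3", "aboutEvent", "DataBreach"),
    ("s3", "usesChannel", "Email"),
    ("s3", "hasTimePeriod", "72h"),
    ("s3", "hasCause", "UnauthorizedAccess"),
}

if __name__ == "__main__":
    for sid in ("s1", "s2", "s3"):
        print(sid, gaps(POLICY, sid) or "complete")
```
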
Experimentation and Key Findings
In experiments conducted with cloud computing services and IoT devices, the researchers applied their ontological model to real privacy policies. The findings were concerning. Cloud providers such as AWS, Google Cloud, and Hewlett Packard Enterprise include minimal information about notification mechanisms, relying heavily on passive notices like web page updates. Only a few provided any concrete timeline or consequences for non-compliance with policy changes.
On the IoT front, things were even bleaker. Only 58 out of 592 policies in the IoT dataset explicitly mentioned data breaches. In some cases, policies simply stated, “We will notify you in the event of a data breach,” without specifying how or when users would be informed.
The Future of Privacy Transparency
Kuznetsov, Novikova, and Kotenko’s ontological model is a crucial step toward more transparent privacy policies. By providing a structured framework, this approach can help organizations better communicate with users about their data rights and the potential risks of data breaches. It also paves the way for future research to build more user-friendly systems that can reason about the completeness and clarity of privacy policies.
However, the study also highlights the need for greater compliance from industries that handle sensitive user data. Companies must go beyond legal minimums to ensure users are fully informed and empowered to control their privacy.
Source: Kuznetsov, M., Novikova, E., & Kotenko, I. (2024). Modelling user notification scenarios in privacy policies. Cybersecurity, 7(41). https://doi.org/10.1186/s42400-024-00234-8.