Privacy alert! Websites and services ask you for more personal information than they need.

When signing up for digital services and creating accounts, users are often asked for more information than is really needed, at the risk of overstepping privacy limits.
An international conference at Karlstad University concerning digital identities addressed the topic, outlining methods and strategies that digital service providers use to get users’ private information and discussing how this could affect individuals’ privacy.
When a user wants to sign up for a digital service, the service provider asks for information to identify the user who wants to be able to log in to the account. There are different methods to verify the user’s identity and protect the user’s privacy, but these are not always the ones providers prefer. In fact, providers often deliberately choose to act in a less ethical way, collecting as much information as possible, usually more than is needed, and threatening the user’s privacy.
“We have for instance seen that some service providers ask for information that they do not need for the main purpose of the service they offer,” explains Lothar Fritsch, researcher in IT-security at Karlstad University. “They may ask for details while assuring the user that these will not be shown publicly or are protected by a user policy. These details are then used to find out as much as possible about users to enhance their business opportunities, something which is not mentioned in any agreements.”
The same goes for apps. Apps are often mobile-friendly versions of websites (they can include some specific functions of the website, act as support for it, or be stand-alone services). When we download and install apps, much information is usually requested. Several studies have proved that users have difficulty comprehending the mass of information requested and what they are agreeing to when signing up, and have indicated that users often have no clue about what will be done with such information or whether it will be possible to revoke it.
Data fragments are used to identify users while keeping them anonymous. However, there are several types of fragments that can be used for identification. If many fragments are collected, these can be linked to each other and the anonymised user may be identified. Therefore, by asking for more information than required, digital services increase the chances of users being identified and their privacy violated.
“When we as users give apps access to certain information on our smartphones, we also make it possible for the actor behind the app to identify us. We want to find ways to make users aware of what it means when apps receive access to certain types of data on our smartphones,” explains Nurul Momen, PhD student in Computer Science at Karlstad University.
Written by: Pietro Paolo Frigenti
Journal Reference:
L. Fritsch, H. Roßnagel, D. Hühnlein (eds.): Open Identity Summit 2017, Proceedings, Lecture Notes in Informatics (LNI) 277, GI-Edition, 2017, ISBN 978-3-88579-671-8