A Study on Exploring the Level of Awareness of Privacy Concerns and Risks

Tommy Nguyen; Garnet Yeates; Tony Ly; Umar Albalawi

doi:10.3390/app132413237

,

and

¹

School of Computing and Data Science, Wentworth Institute of Technology, Boston, MA 02115, USA

²

College of Computing and Information Technology, University of Tabuk, Tabuk 71491, Saudi Arabia

^*

Author to whom correspondence should be addressed.

Appl. Sci.2023, 13(24), 13237;https://doi.org/10.3390/app132413237

This article belongs to the Special Issue Advanced Technologies in Data and Information Security III

Version Notes

Order Reprints

Abstract

With the recent increase in phishing attacks and other kinds of malicious activities, increasing the awareness of security and privacy awareness is arguably one of the best proven ways of preventing these kinds of threats. The main challenge in security and privacy awareness is the end user’s awareness of aspects of privacy and security they give up when using the Internet. Thus, this study focuses on identifying and discussing the growing threats of Internet usage and the lack of privacy and security knowledge of the everyday person. This study presents the results of a survey conducted to determine discrepancies between what rights users think they sign away when they agree to terms of service versus what rights they actually give away. It is hypothesized that people are genuinely unaware of what rights they are giving up, especially since they are signing the terms of service without reading the fine print. In this study, the terms of service were presented to respondents, and they answered questions on what they thought they were giving up, but once they answered the questions, they were explicitly told whether they truly knew what rights they signed away. The experimental results of this study examine how much knowledge the everyday person lacks with respect to the privacy policies they sign. All of this is ultimately used to examine possible flaws in the system. The experimental results illustrate the results of the survey. Based on the total surveys completed, the average score was 62%. This means that out of 10 clauses described in a given terms of service document or privacy policy, people are truly unaware of at least 4 of these statements.

Keywords:

security and privacy awareness; phishing attack; privacy policies

1. Introduction

The introduction of the Internet opened numerous opportunities for the development of applications that have made life easier. From worldwide communications to video streaming platforms, the Internet has made life convenient [1]. However, with this convenience comes a cost. Malicious activities such as phishing attacks have become commonplace. Not only has data theft become more commonplace, but the act of stealing data has never been easier. As a result of convenience being the number one priority for many corporations, user data are practically open to the public. From work history to important events in life, sites such as LinkedIn, Facebook, and Twitter allow users to post as much of their information as they can. Furthermore, social media companies typically collect cookie data and other information on who you are [2]. The data collected are often sold to third parties. However, what if those data were leaked to the public? There have been numerous instances where sensitive data were unintentionally leaked [3]. In addition to these potential issues, some other factors such as phishing attacks, unclear privacy settings, and searchable databases may contribute to the increased risk in modern social media platforms.

With the availability of technology, it has become increasingly apparent that phishing schemes are no longer difficult to perform. A form of phishing scheme is where a malicious user sends a link to an individual, where they are asked to either download a fake program or give away sensitive information [4]. On platforms that rely on peer-to-peer messaging, which is especially dangerous as phishing perpetrators are able to target individuals who are most vulnerable to falling for phishing schemes.

The increased usage of social media platforms has made it crucial that users update their profile settings to allow only their intended targets to see their posts. However, it has become clear that social media platforms are not explicit in defining the privacy settings of a user, leading to serious mismatching issues with regard to user expectations of their privacy in relation to the settings they have applied and the reality of their privacy settings [5].

Many corporations use searchable databases as a means of knowing prior purchase history in order to advertise similar products to users. This means that corporations are aware of customers’ purchase history, ensuring that whatever decision they make is not guaranteed to be known to them alone. By hacking, it means that records relating to an individual may be revealed. This is especially dangerous considering that police use similar technology to predict areas of crime [6]. Despite the numerous risks that are present today, many are still unaware of these risks and the consequences of insufficient privacy/security measures [7]. Although IoT devices bring tremendous benefits in terms of user experience, they impose significant privacy risks [8].

In turn, the purpose of this research is to explain why many people still lack fundamental knowledge of privacy/security risks, to explain why many people still choose not to implement security/privacy measures after learning about the risks, and to give some potential solutions for this problem. The purpose of this empirical study is to explore the level of awareness of how much privacy one gives up on social media platforms. The research method targets the fine-print agreements of social media. To the best of our knowledge, no such study exists in exploring the level of awareness on how much privacy one gives up based on understanding these fine-print agreements. Undoubtedly, there are several state-of-the-art studies on privacy concerns in the data analysis of social networks, including [9], in which the researchers collected data concerning users who have different social network profiles in order to analyze privacy options provided by social media platforms.

2. Related Research

2.1. The Unknown Risks of Platforms and IoT Devices

For many individuals, platforms such as Amazon and YouTube have become individuals’ “go-to” platforms when it comes to online shopping and video streaming platforms. Despite this, many are not aware that the purchases they make and the products/videos they look at are being tracked. Many e-commerce sites use a customer’s purchase history to find specific sales, promotions, and products that suit their interests [10] and recommend those to them. Using this elaborate strategy, Amazon can bolster its sales by increasing the likelihood that a customer will purchase another product. Additionally, e-commerce sites can sell customer data to third parties. This can lead to customer data being used by unauthorized individuals. A “searchable database” is an organized collection of data that can be queried based on a field; for e-commerce sites, the data would be users’ purchase history. In most cases, the everyday user has no control over what data are given and what data are kept. In situations involving e-commerce sites, users can make foresighted decisions prior to signing up for the e-commerce sites. What determines whether they apply for these sites depends on whether or not individuals go out of their way to read the Terms and Agreement and the Privacy Policies listed for the specific site. In most instances, individuals do not read these documents, as the documents typically contain legal jargon that most everyday individuals would not understand. Furthermore, these documents are typically very long, increasing the likelihood that an individual may not read them. That is to say, individuals typically skip the Terms and Agreement and Privacy Policies documents listed, forfeiting their data unknowingly, which also applies to users in an IoT platform [11].

2.2. Online Social Network Privacy Settings

Over time, there has been a growing trend of individuals sharing sensitive personal information on online social networks [12]. While these networks do provide users with some control over their privacy settings, such as managing who they share information with and enabling or disabling location services, access control policies have proven to be notoriously difficult to configure correctly [13]. This raises the question of whether online social network users’ privacy matches their actual sharing intentions. The study [5] presents an empirical analysis evaluation which measures the privacy attitudes of social network users and compares these measurements against their privacy settings on Facebook. The results analysis revealed a serious mismatch: every 1 of the 65 participants in the study confirmed that at least one of their sharing intentions was violated. In other words, this means that the user’s privacy settings are incorrect—without them having known about this until looking at the settings and being told explicitly what they do.

2.3. Online Privacy and Security Behaviours

Research into online privacy issues shows that in theory, users seem to be very interested in privacy protection, but in practice, this does not seem to be the case [14]. A notable phenomenon exists between expressed privacy concerns and actual online behavior, known as the privacy paradox [15]. This paradox highlights the incongruity between users’ stated privacy concerns and their actions in the digital realm. Despite expressing privacy worries, individuals often engage in risky practices such as downloading suspicious files, readily sharing personal information, and neglecting to review the privacy policies of social media platforms. The study focuses specifically on the behaviour of participants and found that users perform a risk–benefit calculation guided by rationality. The results show that users do show concerns, but their concerns are overridden by factors such as the desirability of the app, time constraints, or gratifications from a risk–benefit analysis. They also found that people act on their own intuition without assessing the risk of information sharing online. This study shows a couple of the same issues in peoples’ behaviour with respect to privacy. Another study [16] investigates how users’ privacy information might be leaked across social media platforms. In [17], new privacy factors are proposed by using the hyped model-based Communication Management Theory (CPM) and Theory of Planned Behavior (TPB).

2.4. Root Cause of Privacy Leniency

Despite the inherent dangers associated with internet usage, many remain unaware of the potential consequences of their actions and consequently take minimal steps to safeguard their privacy. For example, a survey was conducted on 2205 British broadband users. The survey found some astonishing results about how people configure their network routers. A total of 82% of the survey participants never changed the default network name. A total of 86% of the survey never updated the router’s firmware. In total, 70% of the survey participants never checked to see if there were unknown devices on the network. In addition, 69% of the survey participants never changed the default Wi-Fi access password. The most astonishing finding is that 48% of the survey participants did not understand why they would need to do the above things [18]. This lack of awareness can lead to severe consequences such as their data being compromised. Using password attack examples, for a simple password, a hacker can very easily use a brute force method to guess the password. On most modern computers, the brute force method can take anywhere from a couple of seconds to a few hours at most (for simple passwords). From the vast body of research conducted, it is evident that the lack of security measures/actions taken by users stems from their lack of knowledge. The article [19] highlights the importance of understanding mental models and their relevance to internet privacy. One of their key findings underscores the crucial role of possessing a fundamental understanding of privacy attacks in shaping future actions, such as the websites individuals choose to visit and the privacy settings they employ. However, their research also recognizes that knowledge is not the sole determinant of a lack of security measures. In fact, the study revealed that participants who were cognizant of privacy strategies failed to employ them consistently, if at all. Furthermore, their study found that users with a high level of technical knowledge did not implement more security measures than the novices. Alternatively, what other factors may have a more profound impact on an end user’s security measure? Kang et al. [10] found that in addition to knowledge, personal and second-hand experience play a major role as well. Users’ decisions to use a specific site are often influenced by the experiences of others, both those they know personally and those they have heard about. Positive or negative experiences shared by others can make these threats more real and tangible for individuals. Without personal or second-hand experiences, users may perceive these threats as distant and unlikely to happen to them, leading to a more nonchalant approach to privacy protection. Their study revealed that many users refrain from implementing security measures due to the belief that they lack valuable online information, perceiving increased security measures as inconvenient, or assuming that attacks primarily target the companies themselves, leaving them powerless to prevent them. In light of these findings, it becomes pertinent to address the question of how to educate individuals about the significance of internet security and assist them in overcoming the perceived inconvenience of security measures. To achieve this goal, an educational application was developed. However, based on the research findings, simply making the application educational is insufficient. It is crucial that individuals experience a real-life attack in some way, shape, or form to make a lasting impact. Consequently, the application serves as both an educational tool and a simulated phishing scam.

3. Methodology

To educate internet users about the importance of internet security, an application was developed. The application was designed to give users first-hand experience with an attack and illustrate why that attack could be dangerous. The process for developing the educational application is illustrated in Figure 1.

Figure 1. Proof-of-concept development process.

3.1. Proof of Concept WPF Application

The proof-of-concept application is designed using WPF (Windows Presentation Foundation) and consists of three main components: a simulated Citizens Bank login page for the phishing scam, a post-phishing scam explanation page, and a privacy education page.

Upon entering their credentials and clicking "LOG IN", users are redirected to a page that elaborates on the potential risks associated with their actions. This page serves to emphasize the ease with which phishing perpetrators can acquire sensitive information from unsuspecting victims. Importantly, the entered credentials are not stored in any database; their sole purpose is to highlight the dangers of falling for phishing scams.

Furthermore, the application incorporates an additional page dedicated to educating users about the perils of phishing. This page presents users with questions related to social media privacy policies, and their responses are evaluated against the corresponding quotes from the respective privacy policies. The feedback provided alongside each question reinforces the validity of the user’s answer.

Figure 2, Figure 3 and Figure 4 illustrate the user interface of our prototype.

Figure 2. An outline of the survey setup.

Figure 3. An example of the prototype for each survey and its questions.

Figure 4. User enters name and picks social media sites they use.

3.2. React App Implementation

For the actual implementation, the application was developed using the MERN stack (MongoDB database, Express.js server, React.js front-end, Node.js runtime). This was an advantageous choice of implementation for several reasons. One reason is that using a web application allows for a responsive cross-platform design. While much of the application remains in the prototype stage, a cloud-hosted web application would be the most suitable option for widespread deployment. This approach would ensure accessibility across various devices, including mobile platforms. The suitability of a web application is further reinforced by the effectiveness of webpage data representation (DOM, HTML, and CSS) in crafting responsive and interactive surveys that dynamically adapt their content to present educational information upon completion [20].

The structure for the React app is essentially the same as the WPF application, but with additional features such as a reporting page, a server to process and generate data using RESTful API, and a database to persistently store data for each participant based on the surveys that they completed. The application diverged from its prototype, ultimately settling on mimicking Leopard Web [21] instead of Citizens Bank. The Leopard Web copy was meticulously crafted to closely resemble the actual site while incorporating subtle modifications to ascertain users’ ability to distinguish between the fake and genuine Leopard Web. The replica website omitted certain elements, such as the copyright trademark at the bottom and the black bar at the top featuring the Wentworth logo. Upon entering their credentials, users are directed to a screen that elucidates the dangers of phishing scams. A button is provided to seamlessly transition to the subsequent survey. Once they have reached the survey, they will see a screen that requires them to enter their name and select which platforms they use (YouTube, Twitter, Pinterest, etc.). Figure 4 displays this screen. Once they select the platforms that they want to take surveys on, they will be asked a series of true or false questions that are based on the Terms of Service and Privacy Policies for each platform. Samples of these questions are given in Figure 5 and Table 1. The users are expected to answer to the best of their ability. When the users complete the surveys, they will press the “Submit Surveys” button. Upon clicking the button and submitting their response, the survey cards will flip to reveal the backside. On the back of each card, participants will find their score displayed prominently in the top left corner. The backsides also replicate the statements from the front, with incorrect answers highlighted in red for easy identification. Aligned with the educational objectives of the application, participants were allowed to click on underlined (invalid) statements to access additional information that elaborated on the specific statement. For instance, if a user clicks on a statement they incorrectly guessed as false, a dialog box will emerge, revealing the statement’s veracity. This dialog box will additionally provide a supporting quote directly from the applicable privacy policy or terms of service. These efforts are driven by the overarching goal of maximizing the educational value and transparency for participants, aiming to illuminate aspects of privacy policies and terms of service that they may not have been aware of. This approach will ultimately contribute to addressing the fundamental question of the public’s understanding of privacy concerns and risks. Figure 5 and Figure 6 show the steps of the application.

Figure 5. User answers questions for each site they use. Please note that the image does not display the full Q&A, as some questions for the Amazon section are cut out in order to fit into the paper.

Table 1. Table containing all sites, with questions from each site, and the specific source of the question.

Figure 6. Average accuracy of participants in determining the privacy policies of different corporations.

Once a survey is completed, average scores for each site is computed using the following formula:

\frac{\sum x_{i}}{n}

where x_i represents the score for a given survey of a site and n represents the total number of individuals who took the survey for this particular site. A similar formula is applied to the global average:

\frac{\sum a_{i}}{n_{t o t a l}}

The equation presented above deviates from the initial equation in that it divides the sum of the participants’ average scores across all surveys by the total number of surveys taken, rather than simply summing the scores. This modification reflects a shift in focus from individual survey scores to the overall average performance across multiple surveys.

4. Results

A total of 100 individuals participated in the survey, most of whom were college students or recent graduates. The participants completed surveys for each platform that they use. Figure 6 illustrates the results of the survey. Based on the total surveys completed, the average score was 62%. The findings reveal that, on average, individuals are genuinely unaware of at least 4 out of the 10 clauses outlined in each Terms of Service or Privacy Policy. Furthermore, interviewers seem to have performed the poorest when evaluating TikTok, with an average score of only 40%. Despite the recent controversies relating to TikTok, surprisingly, many individuals are still unaware of the privacy risks associated with the platform. Facebook, which has had years of privacy and legal problems, is the second worst-performing survey. Analyzing the collected data revealed several potential inferences, such as the possibility that users of these platforms are not thoroughly reading the Terms of Service and Privacy Policies or that the platforms themselves are not clearly disclosing the extent of the data being collected from users. Both factors could contribute to a lack of user awareness regarding data collection practices, potentially undermining trust in these platforms.

Table 1 presents an overview of the survey questions employed to gauge public understanding, along with the corresponding websites the questions refer to and the specific sources from which they were drawn.

5. Discussion

Among the eight companies, Amazon, the e-commerce giant, achieved the second-highest score. As a company that focuses on shopping convenience [42], numerous privacy rights are given up when signing onto the platform. Information such as addresses and credit card details is essential for Amazon to fulfill orders and process payments. These details enable the company to deliver purchased products to users’ residences and securely collect payments for transactions. Amazon’s high survey accuracy suggests that participants are well-informed about the data they share with the platform. Despite the length and complexity of privacy policies on e-commerce platforms like Amazon, their reputation as reliable product sellers and shippers implicitly conveys the need to collect certain user information [43]. Consequently, a company’s reputation can serve as an intermediary between itself and its users, enabling users to glean some understanding of the platform’s privacy practices and the types of data required for service utilization.

LinkedIn, a professional networking platform designed to connect individuals with potential employers, harbors a multitude of potential data theft risks [44]. The wealth of sensitive information stored on the platform, including educational background and employment history, makes it a prime target for malicious actors seeking to exploit these valuable data. These types of information could be used to fabricate identity and lead to account vulnerabilities (school information may be used in security questions for certain platform accounts). Although LinkedIn has not had any recent privacy controversies associated with their platform, there is potential for hacking/data theft to occur because of open information being available to everyone who has a LinkedIn account. Unlike Amazon, the average accuracy of the survey conducted for LinkedIn was 55%, implying that some participants were unfamiliar with specific privacy policies related to LinkedIn.

6. Conclusions

In summary, the development and expansion of the Internet have brought both convenience and risks. These risks harbor the potential for devastating identity theft or data breaches, exposing end users to severe consequences. Despite these risks, many are either unaware or unconcerned. The reasoning behind an individual’s unawareness is more than just a lack of knowledge, but also a lack of personal or second-hand experience. To address these concerns, an educational application was developed that provides users with both hands-on experience in identifying phishing scams and comprehensive knowledge of various privacy policies. This study delves into the extent to which end users are aware of the privacy and security implications associated with their online activities. Based on the experiment results, the average score was 62%. This means that out of 10 clauses described in each Terms of Service or Privacy Policy, people are truly unaware of at least 4 of these statements. The lack of comprehensive understanding among users about the data they relinquish when interacting online hinders their ability to effectively assess the risks associated with information sharing. Terms of Service and Privacy Policies can be hundreds of pages long and, due to time constraints, it is difficult to assume that people will read them everyday and retain any of the information. In future research, we plan to investigate strategies for enhancing the effectiveness and usability of the terms of use and privacy policies, empowering users with a comprehensive understanding of their privacy rights.

Author Contributions

Implementation, T.N., G.Y. and T.L.; Investigation, T.N., G.Y. and T.L.; Writing—original draft, T.N., G.Y. and T.L.; editing, T.N.; Supervision, U.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The data presented in this study are available on request from the corresponding author. The data are not publicly available due to privacy.

Conflicts of Interest

The authors declare no conflict of interest.

References

Geraci, G.; Garcia-Rodriguez, A.; Giordano, L.G.; López-Pérez, D.; Björnson, E. Understanding UAV cellular communications: From existing networks to massive MIMO. IEEE Access 2018, 6, 67853–67865. [Google Scholar] [CrossRef]
Bernhard, D.; Lovejoy, J.P.; Ann-Kathrin, H.; Brittany, N.H. Facebook and Online Privacy: Attitudes, Behaviors and Unintended Consequences. J. Comput.-Mediat. Commun. 2009, 15, 83–108. [Google Scholar]
Said, W.; Mostafa, A. Towards a hybrid immune algorithm based on danger theory for database security. IEEE Access 2020, 8, 145332–145362. [Google Scholar] [CrossRef]
Sai, A.M.V.; Li, Y. A Survey on privacy issues in mobile social networks. IEEE Access 2020, 8, 130906–130921. [Google Scholar]
Madejski, M.; Johnson, M.; Bellovin, S. The Failure of Online Social Privacy Settings; Department of Computer Science, Columbia University: New York, NY, USA, 2011. [Google Scholar]
Lyon, D. Surveillance as Social Sorting: Privacy, Risk, and Digital Discrimination; Routledge: London, UK, 2003; pp. 154–196. [Google Scholar]
Badun, L.; Denney, K.; Celik, Z.B.; McDaniel, P.; Uluagac, A.S. A survey on IoT platforms: Communication security, and privacy perspectives. Comput. Netw. 2021, 192, 108040. [Google Scholar]
Tclo@ucsc.edu. The Dangers of the Internet of Things. Dangerous World. Available online: https://dangerousworld.soe.ucsc.edu/2018/03/25/the-dangers-of-the-internet-of-things/ (accessed on 25 March 2018).
Cerruto, F.; Cirillo, S.; Desiato, D.; Gambardella, S.M.; Polese, G. Social network data analysis to highlight privacy threats. J. Big Data 2022, 9, 19. [Google Scholar] [CrossRef]
Kang, R.; Dabbish, L.; Fruchter, N.; Kiiesler, S. “My data just goes everywhere:” User mental models of the internet and implications for privacy and security. In Proceedings of the Eleventh Symposium on Usable Privacy and Security, Ottawa, ON, Canada, 22–24 July 2015. [Google Scholar]
Breve, B.; Cimino, G.; Deufemia, V. Identifying security and privacy violation rules in trigger-action IoT platforms with NLP models. IEEE Internet Things J. 2023, 10, 5607–5622. [Google Scholar] [CrossRef]
Misra, G.; Such, J.M. How socially aware are social privacy controls. Computer 2016, 49, 96–99. [Google Scholar] [CrossRef]
Alan, A.; Al-Arnaout, Z.; Topcu, A.; Zaki, C.; Shdefat, A.; Wlbasi, E. How do default privacy settings on social apps match people’s actual preferences. In Proceedings of the 2022 International Conference on Electrical and Computing Technologies and Applications, Ras Al Khaimah, United Arab Emirates, 23–25 November 2022; pp. 101–107. [Google Scholar]
Cengiz, A.B.; Guler, K.; Boluk, P.S. The effect of social media behaviors on security and privacy threats. IEEE Access 2022, 10, 57674–57684. [Google Scholar] [CrossRef]
Barth, S.; Jonh, M.; Junger, M.; Hartel, P.; Roppelt, J. Putting the privacy paradox to the test: Online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial. Telemat. Inform. 2019, 41, 55–69. [Google Scholar] [CrossRef]
Hu, X.; Zhu, T.; Zhai, X.; Zhou, W.; Zhao, W. Privacy data propagation and preservation in social media: A real-world case study. IEEE Trans. Knowl. Data Eng. 2021, 35, 4137–4150. [Google Scholar] [CrossRef]
Hou, Q.; Han, M.; Cai, Z. Survey on data analysis in social media: A practical application aspect. Big Data Min. Anal. 2020, 3, 259–279. [Google Scholar] [CrossRef]
Spiekermann, S.; Grossklags, J.; Berendt, B. E-privacy in 2nd generation E-commerce: Privacy preferences versus actual behavior. In Proceedings of the 3rd ACM conference on Electronic Commerce, Tampa, FL, USA, 14–17 October 2001; pp. 38–47. [Google Scholar]
Wagenseil, P. The One Router Setting Everyone Should Change (But No One Does). Tom’s Guide. Available online: https://www.tomsguide.com/us/change-router-default-passwords,news-26975.html (accessed on 13 April 2018).
Darmawan, I.; Maulana, M.; Gunawan, R.; Widiyasono, N. Evaluating web scraping performance using XPath, CSS selector, regular expression, and HTML DOM with multiprocessing. Int. J. Inform. Vis. 2022, 6, 904–910. [Google Scholar] [CrossRef]
Leopard Web Wentworth Institute of Technology. Available online: https://cas.wit.edu/cas/login (accessed on 15 April 2023).
Meta Privacy Center. Available online: https://www.facebook.com/privacy/policies/cookies/?entry_point=cookie_policy_redirect&entry=0 (accessed on 15 June 2023).
Statement of Right and Responsibilities. Available online: https://www.facebook.com/legal/terms/previous (accessed on 15 June 2023).
Facebook Terms of Service. Available online: https://m.facebook.com/legal/terms (accessed on 15 June 2023).
Facebook Data Policy. Available online: https://m.facebook.com/privacy/policy/version/20220104/#how-we-use-information (accessed on 15 June 2023).
Amazon Privacy Notice. Available online: https://www.amazon.com.be/-/en/gp/help/customer/display.html?nodeId=GX7NJQ4ZB8MHFRNJ (accessed on 18 June 2023).
Interest-Based Ads. Available online: https://www.amazon.com/gp/help/customer/display.html?nodeId=GLVB9XDF9M8MU7UZ (accessed on 18 June 2023).
Conditions of Use. Available online: https://www.amazon.com/gp/help/customer/display.html?nodeId=GLSBYFE9MGKKQXXM (accessed on 18 June 2023).
TikTok Privacy Policy. Available online: https://www.tiktok.com/legal/page/us/privacy-policy/en (accessed on 20 June 2023).
TikTok Terms of Service. Available online: https://www.tiktok.com/legal/page/us/terms-of-service/en (accessed on 20 June 2023).
Linkedin Privacy Policy. Available online: https://www.linkedin.com/legal/privacy-policy (accessed on 22 June 2023).
Linkedin User Agreement. Available online: https://www.linkedin.com/legal/user-agreement (accessed on 22 June 2023).
Snap Inc. Custom Creative Tools Terms. Available online: https://snap.com/ar/terms/custom-creative-tools (accessed on 24 June 2023).
Snap Inc. Privacy and Safety Hub. Available online: https://values.snap.com/privacy/privacy-center (accessed on 24 June 2023).
Snap Inc. Cookie Policy. Available online: https://www.snap.com/en-US/cookie-policy (accessed on 24 June 2023).
Twitter Terms of Service. Available online: https://twitter.com/en/tos (accessed on 26 June 2023).
Twitter Privacy Policy. Available online: https://twitter.com/en/privacy (accessed on 26 June 2023).
YouTube Terms of Service. Available online: https://www.youtube.com/t/terms (accessed on 28 June 2023).
Google Privacy & Terms. Available online: https://policies.google.com/privacy (accessed on 28 June 2023).
Pinterest Terms of Service. Available online: https://policy.pinterest.com/en/terms-of-service (accessed on 29 June 2023).
Pinterest Privacy Policy. Available online: https://policy.pinterest.com/en/privacy-policy (accessed on 29 June 2023).
Sadq, Z.; Sabir, H.; Saeed, V. Analysing the amazon success strategies. J. Process Manag. New Technol. 2018, 6, 65–70. [Google Scholar]
Alzhrani, A.; Alatawi, A.; Alsharari, B.; Albalawi, U.; Mustafa, M. Towards security awareness of mobile application using semantic-based sentiment analysis. Int. J. Adv. Comput. Sci. Appl. 2022, 13, 800–809. [Google Scholar] [CrossRef]
Gibson, B.; Townes, S.; Lewis, D.; Bhunia, S. Vulnerability in massive API scraping: 2021 linkedIn data breach. In Proceedings of the 2021 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 15–17 December 2021. [Google Scholar]

Figure 1. Proof-of-concept development process.

Figure 2. An outline of the survey setup.

Figure 3. An example of the prototype for each survey and its questions.

Figure 4. User enters name and picks social media sites they use.

Figure 5. User answers questions for each site they use. Please note that the image does not display the full Q&A, as some questions for the Amazon section are cut out in order to fit into the paper.

Figure 6. Average accuracy of participants in determining the privacy policies of different corporations.

Table 1. Table containing all sites, with questions from each site, and the specific source of the question.

Site	Question	Quote	Source
Facebook	Facebook stores your data whether you have an account or not.	“Facebook uses cookies and receives information when you visit those sites and apps, including device information and information about your activity, without any further action from you. This occurs whether or not you have a Facebook account or are logged in”	[22]
Facebook	Facebook can view your browser history.	“You can review your Off-Facebook activity, which is a summary of activity that businesses and organizations share with us about your interactions with them, such as visiting their apps or websites. They use our Business Tools, like Facebook Pixel, to share this information with us. This helps us do things like give you a more personalized experience on Facebook”	[22]
Facebook	Your identity is used in ads that are shown to others.	“You give us permission to use your name and profile picture and information about actions you have taken on Facebook next to or in connection with ads, offers, and other sponsored content that we display across our Products, without any compensation to you.”	[23]
Facebook	When you delete content on Facebook, it is gone forever.	“In addition, content you delete may continue to appear if you have shared it with others and they have not deleted it.”	[24]
Facebook	Facebook does not infringe upon/analyse your private messages.	“Our systems automatically process content and communications you and others provide to analyze context and what’s in them for the purposes described below…” Provide measurement, analytics, and other business services. Promote safety, integrity and security. Communicate with you. Research and innovate for social good. Provide, personalize and improve our Products.	[25]
Amazon	Amazon services with a microphone/camera can collect and process voice/video data.	“When you use our voice, image and camera services, we use your voice input, images, videos, and other personal information to respond to your requests, provide the requested service to you, and improve our services”	[26]
Amazon	Amazon can not sell your data.	“As we continue to develop our business, we might sell or buy other businesses or services. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise). Also, in the unlikely event that Amazon.com, Inc. or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.”	[26]
Amazon	Amazon can not track you on other websites.	“Like many websites, we use “cookies” and other unique identifiers, and we obtain certain types of information when your web browser or device accesses Amazon Services and other content served by or on behalf of Amazon on other websites.”	[26]
Amazon	Amazon uses your personal data and behavioural data for advertisement.	“To serve you interest-based ads, we use information such as your interactions with Amazon sites, content, or services.”	[27]
Amazon	Amazon does not copyright license (claim as their own) your data.	“If you do post content or submit material, and unless we indicate otherwise, you grant Amazon a nonexclusive, royalty-free, perpetual, irrevocable, and fully sublicensable right to use, reproduce, modify, adapt, publish, perform, translate, create derivative works from, distribute, and display such content throughout the world in any media. You grant Amazon and sublicensees the right to use the name that you submit in connection with such content, if they choose.”	[28]
TikTok	Private messages can not be read by the service.	“Messages: We collect and process, which includes scanning and analyzing, information you provide when you compose, send, or receive messages through the Platform’s messaging functionality. That information includes the content of the message and information about when the message has been sent, received and/or read, as well as the participants of the communication.”	[29]
TikTok	Information such as age, username/password, email, phone number can be collected by TikTok.	“Information, such as age, username and password, language, and email or phone number. Profile information, such as name, social media account information, and profile image. User-generated content, including comments, photographs, live streams, audio recordings, videos, and virtual item videos that you choose to create with or upload to the Platform.”	[29]
TikTok	Data on your content is collected at the time of creation, regardless of if you choose to upload or save it.	“We collect User Content through pre-loading at the time of creation, import, or upload, regardless of whether you choose to save or upload that User Content, in order to recommend audio options and provide other personalized recommendations.”	[29]
TikTok	Some browsers transmit “do-not-track” signals to websites. TikTok ignores these.	“Some browsers transmit “do-not-track” signals to websites. Because of differences in how browsers incorporate and activate this feature, we currently do not take action in response to these signals”	[29]
TikTok	Your content can be deleted at any time without prior notice for any reason.	“We reserve the right, at any time and without prior notice, to remove or disable access to content at our discretion for any reason or no reason.”	[30]
LinkedIn	LinkedIn stores data on you even if you did not interact with the service.	“We receive personal data (including contact information) about you when others import or sync their contacts or calendar with our Services, associate their contacts with Member profiles, scan and upload business cards, or send messages using our Services”	[31]
LinkedIn	The LinkedIn mobile app can scan both your contacts and your calendar.	“If you opt to import your address book, we receive your contacts (including contact information your service provider(s) or app automatically added to your address book when you communicated with addresses or numbers not already in your list). If you sync your contacts or calendars with our Services, we will collect your address book and calendar meeting information to keep growing your network”	[31]
LinkedIn	Your private messages cannot be scanned/read.	“We also use automatic scanning technology on messages to support and protect our site. For example, we use this technology to suggest possible responses to messages and to manage or block content that violates our User Agreement or Professional Community Policies from our Services”	[31]
LinkedIn	Your identity can not be used in ads that are shown to other users.	“we have the right, without payment to you or others, to serve ads near your content and information, and your social actions (e.g., likes, comments, follows, shares may be visible and included with ads, as noted in the Privacy Policy). If you use a Service feature, we may mention that with your name or photo to promote that feature within our Services, subject to your settings”	[32]
LinkedIn	Specific content can be removed without reason or notice.	“We are not obligated to publish any information or content on our Service and can remove it with or without notice”	[32]
Snapchat	The service can edit and distribute your content through any media known now or that may exist in the future.	“You grant Snap and its affiliates a license to archive, copy, cache, encode, store, reproduce, record, sell, sublicense, distribute, transmit, broadcast, synchronize, adapt, edit, modify, publicly display, publicly perform, publish, republish, promote, exhibit, create derivative works based upon, and otherwise use the Asset on or in connection with the Services and the advertising, marketing, and promotion thereof, in all formats, on or through any means or media now known or hereafter developed, and with any technology or devices now known or hereafter developed”	[33]
Snapchat	Snapchat does not hold onto content that you have deleted.	“After a Snap is deleted, we’ll mainly be able to see the basic details—like when it was sent and who it was sent to.”	[34]
Snapchat	Your personal data is not given to third parties that work for Snapchat.	“We may share information about you with business partners that provide services and functionality on our services”	[34]
Snapchat	Snapchat may not only collect your location data, but they can also use it and share it.	“provide and improve our advertising services, ad targeting, and ad measurement, including through the use of your precise location information (again, if you’ve given us permission to collect that information)”	[35]
Snapchat	Snapchat can not share your personal data with third parties that are not involved in its operation.	“We may let other companies use cookies on our services. These companies may collect information about how you use our services over time and combine it with similar information from other services and companies.”	[35]
Twitter	Users own the content they submit, post or display on Twitter.	“You retain your rights to any Content you submit, post or display on or through the Services. What’s yours is yours—you own your Content (and your incorporated audio, photos and videos are considered part of the Content).”	[36]
Twitter	Twitter is licensed to use your Content without restrictions.	“By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods now known or later developed”	[36]
Twitter	Twitter collects information outside of the app on your devices.	“Information about your connection, such as your IP address and browser type. Information about your device and its settings, such as device and advertising ID, operating system, carrier, language, memory, apps installed, and battery level. Your device address book, if you’ve chosen to share it with us.”	[37]
Twitter	Twitter collects information on non-user activity within the products and services.	“We may receive information when you view content on or otherwise interact with our products and services, even if you have not created an account or are signed out, such as IP address; browser type and language; operating system; the referring webpage; access times; pages visited; location; your mobile carrier; device information (including device and application IDs); search terms and IDs (including those not submitted as queries); ads shown to you on Twitter; Twitter-generated identifiers; and identifiers associated with cookies.	[37]
Twitter	Information collected by Twitter will be removed from the web after deleting an account.	“Remember public content can exist elsewhere even after you remove it from Twitter. For example, search engines and other third parties may retain copies of your Tweets longer, based upon their own privacy policies, even after they are deleted or expire on Twitter.”	[37]
YouTube/Google	The service will retain your Content after you remove it.	“The licenses granted by you continue for a commercially reasonable period of time after you remove or delete your Content from the Service. You understand and agree, however, that YouTube may retain, but not display, distribute, or perform, server copies of your videos that have been removed or deleted.“	[38]
YouTube/Google	The service is able to use and modify your Content to their discretion.	“By providing Content to the Service, you grant to YouTube a worldwide, non-exclusive, royalty-free, sublicensable and transferable license to use that Content (including to reproduce, distribute, prepare derivative works, display and perform it) in connection with the Service and YouTube’s (and its successors’ and Affiliates’) business, including for the purpose of promoting and redistributing part or all of the Service.”	[38]
YouTube/Google	The service obtains and stores location information from the device you’re using.	“Your location can be determined with varying degrees of accuracy by: GPS and other sensor data from your device, IP address, and activity on Google services, such as your searches and places you label like home or work. As well as information about things near your device, such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices.”	[39]
YouTube/Google	The service can relocate your data to outside of your country.	“We maintain servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others.”	[39]
Pinterest	Pinterest does not retain Content that has been removed.	“Following termination or deactivation of your account, or if you remove any User Content from Pinterest, we may keep your User Content for a reasonable period of time for backup, archival, or audit purposes. Pinterest and its users may retain and continue to use, store, display, reproduce, re-pin, modify, create derivative works, perform, and distribute any of your User Content that other users have stored or shared on Pinterest.”	[40]
Pinterest	Pinterest does not track your location when you choose not to share your precise location.	“We will still use your IP address, which is used to approximate your location, even if you don’t choose to share your precise location.”	[41]
Pinterest	Pinterest does not transfer or store data outside of your country.	“By using our products or services, you authorize us to transfer and store your information outside your home country, including in the United States, for the purposes described in this policy.”	[41]
Pinterest	Content you post is available to the public.	“Anyone can see the public boards and Pins you create and profile information you give us. We also make this public information available through what are called APIs (basically a technical way to share information quickly).”	[41]
Pinterest	Pinterest does not receive your information from outside of Pinterest.	“We also get information about you and your activity outside Pinterest from our affiliates, advertisers, partners and other third parties we work with.”	[41]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

A Study on Exploring the Level of Awareness of Privacy Concerns and Risks

Abstract

1. Introduction

2. Related Research

2.1. The Unknown Risks of Platforms and IoT Devices

2.2. Online Social Network Privacy Settings

2.3. Online Privacy and Security Behaviours

2.4. Root Cause of Privacy Leniency

3. Methodology

3.1. Proof of Concept WPF Application

3.2. React App Implementation

4. Results

5. Discussion

6. Conclusions

Author Contributions

Funding

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

References

Article Metrics

Citations

Article Access Statistics