"The web is financed by advertising. For it to be more targeted, large online services such as Google create profiles about their users," explains Florian Farke. What YouTube video have you watched? What have you searched for on Google? What have you looked up on Google Maps? What places have you been? Google stores all this data and much more. Since 2016, users have been able to view their stored data in detail via the Google service "My Activity" (accessible via myactivity.google.com with a Google account).
"The online services then draw conclusions from the activities: For example, if you search for children’s toys, Google infers the parental status ‘Has children’ and marital status ‘In a relationship’," elaborates Florian Farke. "Google learns these characteristics based on the activities it collects or infers them from people with similar activities,” adds David Balash.
Less concerned about data collection
After viewing their collected data, 40 per cent of the study participants said they were less concerned about Google’s data collection than before; only 15 per cent were more concerned. "We were surprised by the results," says Florian Farke. "Google clearly benefits from offering such a privacy dashboard. It’s like a monster in a horror movie: the longer you don’t show it, the scarier it gets," illustrates David Balash.
Among the participants who commented on the scope and detail of their collected data, a large proportion were surprised by the sheer volume of activities collected. In addition, 63 per cent of respondents were resigned and said they didn’t want to change their privacy settings. One of the study participants summed up their frustration as follows: "Google sells my information as a product. I am not really a customer. I am like a piece of corn that is sold on the commodities market. […]. I am then sold to the highest bidder several times."
Suggestions for improved design
In their paper, the researchers also make suggestions on how to improve the design of transparency tools like My Activity to be less overwhelming for users. For example, by centralising the privacy controls of multiple web services. In the future, the researchers would like to explore how new transparency tools can be designed to better inform users about what data is being collected about them and how it is being used.
The project was partially funded by the SecHuman research training group of the State of North Rhine-Westphalia and the German Research Foundation in the Cluster of Excellence 2092 Cyber Security in the Age of Large-Scale Attackers (CASA).
Florian M. Farke, David G. Balash, Maximilian Golla, Markus Dürmuth, Adam J. Aviv: Are privacy dashboards good for end users? Evaluating user perceptions and reactions to Google’s My Activity, 30th USENIX Security Symposium, 2021, Virtual Conference
Link to the preprint:
Mobile Security Research Group
Horst Görtz Institute for IT Security
Phone: +49 234 32 28669
Dr. Maximilian Golla
Max Planck Institute for Security and Privacy
Phone: +49 234 32 28667
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.