Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
•Download as PPTX, PDF•
0 likes•47 views
Presented at USENIX's 2022 Symposium on Usable Privacy and Security. Lightning talk describing how to ensure that your research participants are fully informed of how private data collected by underlying usability and user research software is handled by those entities. Recording is available at https://www.usenix.org/conference/soups2022/presentation/whysel
Recommended
More Related Content
Similar to Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
Similar to Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx (20)
More from Noreen Whysel
More from Noreen Whysel (20)
Recently uploaded
Recently uploaded (20)
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
- 1. Informed Consent: Are Your Participants Aware of What They Share? Noreen Whysel Director of Validation Research Internet Safety Labs August 7-9, 2022 SOUPS 2022: Eighteenth Symposium on Usable Privacy and Security
- 4. 10 Attributes of Respectful Me2B Commit ments Source: 10 Attributes of Respectful Me2B Commitments https://me2ba.org/flash-guide-9-the-10- attributes-of-respectful-me2b-commitments/
- 5. Data Privacy Risks in User Testing Software
- 6. What Are the Risks of All This Data Sharing? Participant • Lack of Sufficient Notice • Lack of Consent Researcher • Data Privacy Legal Violations • Trust User Testing Platform • Data Privacy Legal Violations • Trust
- 7. ISL Safe Software Audit
- 9. Underlying Technologies Tracking and Sharing User Data Ada Appcues Azure.com Bing Ads Bugsnag Cloudflare cloudfront.net (Amazon) Cookielaw.org Datadog Tracker Doubleclick.net Drift.com Facebook.com Facebook.net Google.com Googleapis.com Google-analytics.com Google Adwords Google Adsense Google Dynamic Remarketing Google Fonts Google Play GoogleTagManager.com Gstatic.com Hubspot Jqyuery.com Klaro licdn.com (LinkedIn) Linkedin.com Microsoft.com Mixpanel via mxpnl.com NewRelic.com nr-data.net Office.net Office.com Pendo Rollbar Segment Sentry Snowplow sp Smassets.net Stathat.com Stripe Surveymonkey.com app.usabilityhub.com UserInterviews.com Windows.net Zendesk Zendesk Tracker _ga _gid _sp_id _sp_ses
- 10. Google Forms and Microsoft Source: Tracker Map https://www.crownpeak.com/products/tag-monitoring-and-management
- 11. Source: Google Forms Google Forms and SurveySwap
- 12. Google Forms vs Survey Swap Source: Tracker Map https://www.crownpeak.com/products/tag-monitoring-and-management Google Forms 1 Tracker 0 Ad Networks 2 Widgets (Google) SurveySwap.io 3 Trackers 4 Ad Networks 1 Analytics (Google) 3 Widgets (incl Google Tag Manager)
- 13. Usability Hub Usability Test 2 Trackers 1 Ad Network 1 Widget (Google Fonts) 1 Analytics (Google) Usability Hub First Click Test 2 Trackers 1 Ad Network 1 Widget (Google Fonts) 1 Analytics (Google) Optimal Workshop Tree Test 2 Trackers 1 Ad Network 1 Widget (Google Tag Manager) 1 Analytics (Google) Optimal Workshop Card Sort 4 Trackers 1 Ad Network 1 Widget (Google Tag Manager) 1 Analytics (Google) Usability Tests Source: Tracker Map https://www.crownpeak.com/products/tag-monitoring-and-management
- 14. TypeForm Form 0 Trackers 0 Ad Networks 1 Widget (first party) 0 Analytics SurveyMonkey 0 Trackers 0 Ad Networks 1 Widget (Google Tag Manager) 1 Analytics (New Relic) Survey Software Source: Tracker Map https://www.crownpeak.com/products/tag-monitoring-and-management
- 15. Source: Tracker Map https://www.crownpeak.com/products/tag-monitoring-and-management UserInterviews 5 Trackers (incl Facebook, Google and Microsoft ad trackers) 3 Ad Networks (Bing, Facebook, Doubleclick) 7 Widgets (incl Google Tag Manager) 2 Analytics (Google Analytics, Mix Panel) Prolific.io 3 Trackers (All 0 Ad Network 2 Widgets (incl Zendesk) 1 Analytics (Google Users)
- 16. What Can You Do Now?
- 17. What Can Researchers Do? • Provide clear notice and consent • Highlight any potentially hidden data sharing by the testing software • Name the software or testing platforms so participants can read and consent to their policies
- 18. What Can User Testing Software Platforms Do? • Understand your data protection responsibilities • Make a greater effort to inform participants and researchers of your data sharing policy–every time they use your software
- 19. Thank You! Noreen Whysel Director of Validation Research Internet Safety Labs (formerly the Me2B Alliance) Noreen.whysel@internetsafetylabs.org https://www.internetsafetylabs.org https://www.me2ba.org
Editor's Notes
- Hi. I'm Noreen Whysel from the Internet Safety Labs here to talk about informed consent and participant data privacy. Are Your Participants Aware of what they share?
- We'd like to be sure that the data about our research participant stays between us and the test participant. But are our participants fully aware of the data sharing agreements underlying the participants’ use of these testing tools?
- The confidentiality agreement they have with us is only part of the picture. In this short talk, I'll discuss how to ensure that your participants know how their data is collected and how it might be used or shared beyond the scope of the covered research project.
- I'll focus on a mini audit of several user testing software packages that we performed based on the Ten Attributes for Respectful Me2B Commitments that underly the our Me2B Safe Technology Specification. Me2B is a term that flips the traditional shortcut B2C, or business to consumer relationship, by putting the individual first.
- To understand the background of this talk, we take a brief look at the Data Privacy. I'm not a lawyer so this is really just a broad brush overview.
- Data may get collected in a number of different ways like when you enter data directly into forms, your account profile if you have one, or via aggregated profile and behavioral data that may be collected from third party data brokers or your own app use.
- Those of us who collect, use and share data from our research participants are becoming subject to a greater and greater number of data protection laws.
- Each law has varying degrees of requirements, so you want to get your data governance policies right. And it's fair to expect the same from usability software that collects and controls data for you and your participants.
- Researchers collect and store data with a number of different research tools, that in turn use underlying technology that may also access this data. Knowing who might be eavesdropping through the testing platform's relationship with these underlying tools helps you to evaluate whether you are exposing your team or your participants to risks that come with access by technologies.
- Lack of notice and consent to share data is a significant risk. These are key components of many of the data privacy laws that govern which data we can and cannot save, use or share. While the risk to the researcher are similar to those of the user testing platform, the platform also bears responsibility for ensuring that anyone participating in a test on their platform has an appropriate level of notification of the data being collected and shared, as well as allowing the participant control over whether to continue.
- So now let's look at our audit. Researchers collect and store data with a number of different research tools, creating what we call a Me2T relationship between the individual and the technology.
- This is a non-scientific study: It's not randomized and reflects the software packages that we either have been using in our own research or those that we've documented from forums that we participate in. You'll note that most of the software we looked at share data with Google and other external vendors. At least one shared with Facebook and two shared with Amazon and Microsoft.
- You can also see that just for these eight companies, there are a few dozen companies or company assets that are receiving data. The ones in bold are advertising or tracking software. Many of these tools aren't necessarily exploiting user data, but they are doorways to entities that now have some access to your participants' data.
- We used a tool called TrackerMap which exposes paths for data sharing between entities. What you are seeing is a map of the underlying connections between the testing software and various first and third-party technologies. We were particularly interested in advertising networks noted in blue, analytics packages in red, and trackers in gold. We started with Google and Microsoft forms because they are popular, free tools and don't require a lot of expertise to set up. We expected to see sharing with their own advertising networks, but only found Microsoft shared with Bing Ads here in blue. Google's shares are to more functional programs.
- What does this look like to the participant? Google Forms doesn't require it, but researchers can add a description at the top with information about the study, and details for informed consent if they choose to. A lot of studies don't have this much information and this short message is not sufficient for informed consent.
- A savvy user may see that Google has it's own privacy policy at the bottom of the form and may note that it would be in addition to any data policy for the study itself. And notice that this study also has a line here that says "P.S. This survey contains a completion code for SurveySwap.io," This indicates that participants may come from an external panel recruiting site. So there is a couple of third party technologies in play here but no reference to privacy and consent practices for any of these underlying Me2T relationships.
- So maybe google doesn't share much. But the SurveySwap data indicates that participants in this study are potentially being exposed to data sharing from the panel company.
- We ran a few other tests. Here are the tracker maps from live tests at usability testing platforms we examined in our study. You can see that these platforms both share with Doubleclick and Google.
- Survey vendors tended to have a relatively small number of tracking vendors.
- And the third group we looked at was panel recruiters where we saw a lot of data sharing with entities like Facebook, Doubleclick, Microsoft Marketing and Adobe Metrics. When you look at these you should be asking yourself whether your participants are aware that these entities may have access to their data. We feel it's a good idea to remind participants of any Me2T consent relationships they may have when they participate your study.
- Product development is flawed. Often there is no consent when testing with potential users. Researchers should advocate for informed consent form that highlights all potential recipients of participant data including any additional data policies underlying the usability platform software or panel recruitment agencies.
- Software testing platforms should take a close look at their data protection responsibilities and make a greater effort to inform participants and test creators of the data sharing policy – not just once but every time they participate.
- So that's my PSA and I'd love to hear your questions. Enjoy the rest of SOUPS22!