Two Types of Data Privacy Controls

TL;DR

The paper clarifies two principal privacy dimensions—user-to-user and user-to-institution privacy—to address users' perceived loss of control on the web. It surveys prior work on social versus institutional privacy, release versus usage controls, and networked versus institutional information flows to frame a two-type privacy taxonomy. It argues that privacy controls often overemphasize one type, leading to an illusory sense of control over institutional data practices. It outlines a research agenda to standardize terminology, define precise data flows and actors, and promote adoption across academia and industry, with attention to cross-cultural differences and survey design.

Abstract

Users share a vast amount of data while using web and mobile applications. Most service providers such as email and social media providers provide users with privacy controls, which aim to give users the means to control what, how, when, and with whom, users share data. Nevertheless, it is not uncommon to hear users say that they feel they have lost control over their data on the web. This article aims to shed light on the often overlooked difference between two main types of privacy from a control perspective: privacy between a user and other users, and privacy between a user and institutions. We argue why this difference is important and what we need to do from here.