Extending Layered Privacy Language to Support Privacy Icons for a Personal Privacy Policy User Interface

The LPL Personal Privacy Policy User Interface (LPL PPP UI) is designed to allow for informed and free consent. An extension for the Layered Privacy Language and the Privacy Icons Overview is introduced here. The capabilities of the LPL PPP UI, namely informing the Data Subject about the contents of a privacy policy in a structured way, personal privacy interactions, and giving the Data Subject an overview utilising privacy icons, are presented. The impact of the Privacy Icons Overview is further evaluated, taking into consideration both speed and accuracy. Furthermore, additional challenges for the creation of a privacy policy user interface as well as privacy icons are presented.


MOTIVATION
The Layered Privacy Language (LPL) expresses and enforces privacy properties such as personal privacy, user consent, data provenance, and retention management [1]. It is intended to allow Data Subjects to accept and consent to privacy policies and to enforce privacy-preserving processing based upon a personalised privacy policy. To allow a user to consent to a privacy policy, we propose a user interface supporting privacy icons based on LPL.
The General Data Protection Regulation (GDPR) entered into force on 25th May 2018. It is designed to standardise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to rework the way organisations approach data privacy. The GDPR specifies that consent has to be freely given, specific, informed and unambiguous [2, Art. 4 No. 11]. Additionally, the concept of Personal Privacy [3] is considered. It states that the user can influence the privacy properties of the processing. Furthermore, the GDPR states that the contents of privacy policies can be represented by standardised icons [2, Art. 12 No. 7]. Accordingly, we propose an extension of LPL considering those properties.
Current state-of-the-art privacy policies are usually purely text-based and only allow two options: consent or dissent. It is debatable whether such privacy policies really inform the users about the processing of their data. Therefore, we introduce a user interface based on LPL. On the one hand it allows the display of privacy icons; on the other hand it allows the personalisation of the privacy policy, allowing consent and dissent to purposes. In the first user interface prototyping with LPL, we discovered that LPL lacks proper multi-lingual support, as well as human-readable descriptions for all of its elements. Additionally, the legal requirement that icons should be included in a machine-readable format is not fulfilled.
The main contributions of this paper are the UI Extension for LPL, the LPL Personal Privacy Policy Interface, the LPL Privacy Icons and the Privacy Icon Overview evaluation. The paper is structured as follows: In section 2, the LPL User Interface Extension is introduced. Section 3 introduces the LPL Privacy Icons, which are utilised in section 4 describing the LPL Personal Privacy Policy User Interface (LPL PPP UI). Section 5 describes the Privacy Icon Overview evaluation. The paper is concluded in section 6, which also provides an outlook on future work.

LPL UI EXTENSION
LPL, considering both the legal and the computer science view on privacy, represents privacy policies, which are structured as a set of purposes, each describing the processed data and how the data has to be anonymised. Its intended use is to be presented to and accepted by the Data Subject to enable privacy-preserving processing of the personal data. The structure of LPL is detailed by Gerl et al. [1]. An overview is given in the following to show its limitations.
The root element is the LayeredPrivacyPolicy, containing the 'lang' attribute that defines the displayed language; as a policy carries only one language, this introduces redundant policy definitions, one per language, for each privacy policy. It contains a set of Purpose elements, each defining the processing of data. The Purpose contains the 'required', 'optOut' and 'description' attributes. The 'required' attribute defines whether the purpose can be dissented to. The 'optOut' attribute defines whether the purpose has to be actively dissented to (opt-out) or consented to (opt-in). The 'description' attribute holds a human-readable description of the purpose in the language defined by the previously described 'lang' attribute. For each Purpose a set of Data elements is defined. Each Data element has the attributes 'required' and 'description', with the same intended functionality. No representation of icons in a machine-readable format or proper multi-lingual support has been given by LPL as of its described state. Therefore, we extended LPL (see Figure 1) and added a list of 'Icon' elements to the 'LayeredPrivacyPolicy' element, defining privacy icons, each identified by a unique 'name'. To provide multi-lingual support, we removed all existing 'description' fields and replaced them with

LPL PRIVACY ICONS
Besides a proposed set of privacy icons specifically for the GDPR [4], several additional sets can be found [5] [6]. None of the privacy icon sets is established as a widely adopted standard.
Our approach to designing a privacy icon set is based on the analysis of privacy policies and method descriptions that are used by the public sector, more specifically by research projects. We identified the most commonly used topics and purposes. This resulted in a comprehensive privacy icon set (see Figure 2) that can be used by LPL. It contains icons representing data sharing, retention, anonymisation, and common purposes such as marketing. The privacy icon set for LPL can be exchanged to accommodate whichever privacy icons are eventually officially agreed on for the GDPR. We are aware that the icons themselves have to be evaluated, which is outside the scope of this paper.

LPL PERSONAL PRIVACY POLICY USER INTERFACE (LPL PPP UI)
In the following, we describe related work on user interfaces for privacy languages, the design process that led to the creation of the LPL PPP UI, and its structure.

Related Works
Existing user interfaces for other privacy languages have been surveyed in the process of our development and evaluation. For P3P, the 'AT&T Privacy Bird' browser plugin [7], privacy policy visualisations [8] [9], as well as a 'Nutrition Label' [10] [11] have been proposed. For PPL, the 'Send Data?' browser extension has been developed [12]. Representatives of the legal view also postulate that new ways to inform the Data Subject have to be found [13]. Accordingly, we focus on representing privacy policies created with LPL to inform the user about their content, utilising privacy icons within the LPL Personal Privacy Policy User Interface as described in the following.

Design Process
Although different user groups can be identified [14], each Data Subject has to be informed on the contents of the privacy policy. Therefore, a more general design concept, namely the Visual Information Seeking Mantra [15], has been used. The intention is to use an Overview with privacy icons to inform the Data Subject 'at first glance'. This includes the possibility to Filter further Details on Demand according to their personal needs.
The remaining design principles have been excluded from the scope of this prototype, but a possible implementation is discussed in the following. View Relationships could visualise how data fields are used within automated decision-making [2, Art. 13 No. 2]. A History of accepted privacy policies could be made available for the Data Subject to reflect on its decisions, which would also require the Data Subject to Extract the privacy policy contents.

User Interface Structure
In the following, we will present the structure of the LPL Personal Privacy Policy User Interface (LPL PPP UI) based on a real privacy policy of a research project (see Figure 3).
The header contains the title of the privacy policy as well as a link to a regular privacy policy representation. An overview is given in two sections of the user interface. On the one hand, the top bar, utilising privacy icons, gives an overview of the processing of the personal data. On the other hand, the left column represents the purpose overview. The purpose overview lists all purposes, showing opt-in and opt-out purposes, as well as purposes which are required to be consented to. An interested Data Subject may look into further details of each purpose in the purpose details, by selecting (filtering) the shown details. The purpose details show a purpose description and allow the inspection of the data elements, recipients, retention, and privacy model.
Each data element is listed in the data overview, which can be accessed by clicking on the corresponding header. Its details are displayed in the data details. Accordingly, each recipient is shown in the recipient overview and its description is shown in the recipient details. The retention relates to all the data of the corresponding purpose and is displayed textually.
The privacy model defines the properties that have to be fulfilled for the set of data described in the corresponding purpose. Rather than describing a privacy model by an abstract definition that would not be understood by non-experts, the privacy model is described by the risk of de-anonymisation. For example, k-Anonymity with k=3 has a risk of 33% for de-identification in case of a Record Linkage attack scenario [16].
With the LPL PPP UI the Data Subject is allowed to accept or decline purposes. In the Purpose Overview we distinguish between required and non-mandatory purposes. Required purposes cannot be declined. Non-mandatory purposes are displayed with an additional checkbox with which the user can consent or dissent. This is only checked for opt-in purposes.
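As an added example (not the paper's code and not LPL's actual serialisation), the following Python sketch parses the extended structure described in the LPL UI Extension section and applies the consent rules of the Purpose Overview above. It assumes an XML serialisation using the element and attribute names from the text, and a hypothetical Description child element with a 'lang' attribute, since the page cuts off before defining how multi-lingual descriptions are represented.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an assumed XML serialisation of the extended LPL; names follow the
# paper's text. The Description child with a 'lang' attribute is an assumption (page cuts off).
SAMPLE_POLICY = """<LayeredPrivacyPolicy name="research-project">
  <Icon name="data-sharing"/><Icon name="retention"/>
  <Purpose name="analysis" required="true" optOut="false">
    <Description lang="en">Statistical analysis of survey answers</Description>
    <Description lang="de">Statistische Auswertung der Umfrageantworten</Description>
    <Data name="age" required="true"/>
  </Purpose>
  <Purpose name="newsletter" required="false" optOut="true">
    <Description lang="en">Newsletter about project results</Description>
    <Data name="email" required="true"/>
  </Purpose>
  <Purpose name="partner-sharing" required="false" optOut="false">
    <Description lang="en">Sharing of contact data with project partners</Description>
    <Data name="email" required="false"/>
  </Purpose>
</LayeredPrivacyPolicy>"""

def _flag(el, attr):
    return el.get(attr, "false").lower() == "true"

def parse_policy(xml_text):
    root = ET.fromstring(xml_text)
    purposes = [{
        "name": p.get("name"),
        "required": _flag(p, "required"),
        "optOut": _flag(p, "optOut"),
        "descriptions": {d.get("lang"): d.text for d in p.findall("Description")},
        "data": [d.get("name") for d in p.findall("Data")],
    } for p in root.findall("Purpose")]
    return {"icons": [i.get("name") for i in root.findall("Icon")], "purposes": purposes}

def initial_consent(policy):
    # Required purposes are always consented to; opt-out purposes start consented and
    # must be actively declined; opt-in purposes start unchecked until consented to.
    return {p["name"]: p["required"] or p["optOut"] for p in policy["purposes"]}

def decide(policy, consent, purpose_name, accept):
    # The UI rule from the paper: required purposes cannot be declined.
    purpose = next(p for p in policy["purposes"] if p["name"] == purpose_name)
    if purpose["required"] and not accept:
        raise ValueError(f"purpose {purpose_name!r} is required and cannot be declined")
    return {**consent, purpose_name: accept}

def describe(purpose, lang, fallback="en"):
    # One policy with per-language descriptions instead of one policy per language.
    return purpose["descriptions"].get(lang, purpose["descriptions"].get(fallback))
```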

PRIVACY ICON OVERVIEW EVALUATION
We evaluated whether the LPL PPP UI with Privacy Icon Overview is advantageous over an LPL PPP UI without Privacy Icon Overview. The goal was to observe the benefit of presenting the privacy icons to a user. As the basis for the privacy policies, we used the previously mentioned privacy policy of a research project.

Experiment Design
The participants received tasks that simulate an interested Data Subject inspecting the privacy policies to gain an overview. For the evaluation of the Privacy Icon Overview, we created two similar tasks. We presented a distinct privacy policy to each participant with the task of informing themselves about the purposes of the processing of the user's data, before using a questionnaire to answer which purposes are given. Each correctly answered question scored a point.
In the experiment 10 random volunteers participated, separated into two groups (A and B). Group A had three female and two male participants. Group B had two female and three male participants. Each group had to fulfil two tasks. The participants use the internet regularly, but had not been educated or provided with information about the LPL PPP UI or the LPL Privacy Icons, nor had they been involved in the development. The tasks were presented by alternating an LPL PPP UI with Privacy Icon Overview and an LPL PPP UI without Privacy Icon Overview: if group A had to do a task with the Privacy Icon Overview, then group B had to do that task without the Privacy Icon Overview. Therefore, each group had to fulfil one task with a regular and one with an LPL privacy policy.

Results
It was observed that the average time spent on the view with Privacy Icon Overview is higher compared to the view without Privacy Icon Overview in task 1, and vice versa for task 2. Additionally, it can be observed that for both task 1 and task 2 the average score improved by about 6% for the LPL PPP UI with Privacy Icon Overview compared to the LPL PPP UI without Privacy Icon Overview (see Table 1). Considering the average score measurements, the LPL PPP UI with Privacy Icon Overview consistently shows an advantage. However, it must be acknowledged that the scores for task 1 are in general quite low (i.e. 31% and 37%). This could be caused by the task design (e.g. unclear instructions, which may have been better understood by the participants during task 2, resulting in a generally better score). Overall, we interpret the results as positive and promising for further research. Each of the mentioned developments must be evaluated with higher participant counts as well as with more elaborate tasks to achieve significant, indicative, and decisive results.

ACKNOWLEDGEMENTS
Thanks and credit to Florian Prey and Sophie Voitleitner for supporting the creation of the LPL PPP UI and LPL Privacy Icons.