cispa_all_3918.pdf (988.26 kB)

Comparing Large-Scale Privacy and Security Notifications

Download (988.26 kB)
conference contribution
posted on 2023-11-29, 18:24 authored by Christine Utz, Matthias Michels, Martin Degeling, Ninja MarnauNinja Marnau, Ben StockBen Stock
Over the last decade, web security research has used notification campaigns as a tool to help web operators fix security problems or stop infrastructure abuse. First attempts at applying this approach to privacy issues focused on single services or vendors. Hence, little is known if notifications can also raise awareness and encourage remediation of more complex, vendor-independent violations of privacy legislation at scale, such as informed consent to cookie usage under the EU's ePrivacy Directive or the General Data Protection Regulation's requirement for a privacy policy. It is also unclear how privacy notifications perform and are perceived compared to those about security vulnerabilities. To fill this research gap, we conduct a large-scale, automated email notification study with more than 115K websites we notify about lack of a privacy policy, use of third-party cookies without or before informed consent, and input forms for personal data that do not use HTTPS. We investigate the impact of warnings about fines and compare the results with security notifications to more than 40K domains about openly accessible Git repositories. Based on our measurements and interactions with operators through email and a survey, we find that notifications about privacy issues are not as well received as security notifications. They result in lower fix rates, less incentive to take immediate action, and more negative feedback. Specific reasons include a lack of awareness and knowledge of privacy laws' applicability, difficulties to pinpoint the problem, and limited intrinsic motivation.


Preferred Citation

Christine Utz, Matthias Michels, Martin Degeling, Ninja Marnau and Ben Stock. Comparing Large-Scale Privacy and Security Notifications. In: Privacy Enhancing Technologies Symposium (PETS). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Privacy Enhancing Technologies Symposium (PETS)

Legacy Posted Date


Open Access Type

  • Gold


@inproceedings{cispa_all_3918, title = "Comparing Large-Scale Privacy and Security Notifications", author = "Utz, Christine and Michels, Matthias and Degeling, Martin and Marnau, Ninja and Stock, Ben", booktitle="{Privacy Enhancing Technologies Symposium (PETS)}", year="2023", }

Usage metrics


    No categories selected


    Ref. manager