Security and Privacy Behavior

Conference name
CHI 2026
From Discovery to Decisions: Archetypal Journeys of Mobile App Users and Their Implications on Privacy
Abstract

Mobile permission decisions are often studied at the moment a permission request appears. However, our study shows that users’ choices are shaped much earlier, across a multi-stage journey that begins with app-need recognition and unfolds through app discovery, exploration, selection, installation, and first use. Drawing on interviews with 19 U.S. Android users, we map this process and identify four archetypal journeys that explain how early cues, such as discovery sources, app type, and social trust, shape later permission behavior. These insights align with theoretical models like Privacy Calculus, showing how users weigh perceived benefits and risks at each step, and complement Contextual Integrity theory, explaining how social norms and information flows shape expectations and constrain privacy agency across steps. We contribute an empirically grounded framework that clarifies why permission outcomes vary across contexts. Our results reframe mobile privacy as a sequential, path-dependent process, offering implications for future design and research.

Authors
HTMA Riyadh
CISPA Helmholtz Center for Information Security, Saarbrücken, Saarland, Germany
Divyanshu Bhardwaj
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Maria Victoria Hellenthal
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Alexander Hart
CISPA Helmholtz Center for Information Security, Saarbrücken, Saarland, Germany
Katharina Krombholz
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Sven Bugiel
CISPA Helmholtz Center for Information Security, Saarbruecken, Germany
From Options to Action: Evaluating Adoption of Privacy Features in Fitness-Tracking Platforms
Abstract

Fitness-tracking platforms, such as Strava and Garmin Connect, are increasingly popular and are reshaping how people monitor and share their physical activity. Given the sensitive nature of the data users share, these platforms implement a series of privacy features, including controls for profile visibility, activity sharing, and the specification of sensitive locations. In this paper, we present the first large-scale study aiming to quantify user adoption of privacy features on fitness-tracking platforms and to shed light on the reasoning behind identified trends. We apply a mixed-method. First, we provide a systematic categorization of the privacy features implemented across major fitness-tracking platforms. We then quantify their adoption, using the Strava and Garmin Connect platforms as our case studies, by analyzing 197,873 public activity records, revealing a gap between available controls and actual adoption. We complement our empirical evaluation by surveying 182 participants, confirming low adoption and identifying barriers. Our findings highlight limited use of privacy features and provide insights into the reasons for this trend, including a lack of awareness, perceived low necessity, concerns about functionality, and difficulties adjusting settings. We also discuss potential strategies to overcome these challenges.

Authors
Pantelina Ioannou
University of Cyprus, Nicosia, Cyprus
Angeliki Aktypi
University of Cyprus, Nicosia, Cyprus
Elias Athanasopoulos
University of Cyprus, Nicosia, Cyprus
Moving Beyond Passwords: Investigating the Effect of Digital Nudges on Passkey Adoption
Abstract

Passwords suffer from major usability hurdles that foster insecure practices and undermine cybersecurity. Passkeys were introduced to address these issues; however, adoption remains low. Digital nudges offer a promising way to accelerate passkey adoption, yet research lacks empirical insight about when to nudge and which nudge types and designs are most effective. We therefore employed a mixed-methods approach to examine the impact of nudges on passkey adoption across five touchpoints in the digital user journey: during registration, login, account recovery, while in the settings menu, and during user activity. First, we conducted 15 expert interviews to identify candidate nudges and their design principles. We evaluate these nudges in a randomized controlled trial (RCT) with 3,680 participants on a commercial healthcare platform. Our results indicate that digital nudges can significantly increase passkey adoption when applied at the right touchpoints, encouraging users to move beyond passwords.

Award
Honorable Mention
Authors
Tobias Reittinger
University of Regensburg, Regensburg, Germany
Magdalena Glas
University of Regensburg, Regensburg, Germany
Günther Pernul
University of Regensburg, Regensburg, Germany
Behind the Meme: Understanding User Experiences with Memes on Social Media
Abstract

While memes enhance social interaction on social media, they can raise privacy and security concerns. Despite research on overtly toxic or unsafe memes, little attention has been given to users' experiences with seemingly safe memes and how contextual factors trigger privacy concerns. This study explores users’ comfort levels, influencing factors, underlying reasons for discomfort, and unmet needs when engaging with such memes. We first collected and analyzed 2,317 Reddit posts describing real-world meme experiences, then conducted an online survey with 324 participants to evaluate comfort across curated scenarios. Our findings reveal that perceived-safe memes can cause harm when shared inappropriately, with comfort shaped by content and context. Privacy concerns intensify with deeper involvement, strangers, and sensitive meme topics. We identified users' desire for consent and control in meme interactions. Based on our study, we make recommendations for users, developers of social media platforms and policymakers to address meme-related privacy and contextual concerns.

Authors
Yuqi Niu
Shanghai Jiao Tong University, Shanghai, China
Dilara Keküllüoğlu
Sabanci University, İstanbul, Turkey
Weidong Qiu
Shanghai Jiao Tong University, Shanghai, China
Nadin Kokciyan
University of Edinburgh, Edinburgh, United Kingdom
More Than Mere Mediators: Examining Determinants of Parental Privacy Management Behaviors
Abstract

Parents face complex challenges managing children’s digital privacy, navigating their own practices and multi-stakeholder family dynamics. This study develops a psychologically grounded model of parental privacy management to identify modifiable cognitive and emotional antecedents. Surveying 1,000 German parents and using structural equation modeling techniques, we examined how privacy concern and self-efficacy predict three key behaviors: child mediation, parental child data disclosure regulation, and regulation of others. Results show that privacy concern robustly predicts all three behaviors, challenging the traditional privacy paradox in parental contexts. More importantly, self-efficacy emerges as a substantially stronger predictor of privacy behaviors than concern. Among its antecedents, technical skills are most influential. Our findings suggest a paradigm shift toward peer-to-peer interventions that prioritize confidence and skill-building over fear-based approaches that emphasize privacy threats. By focusing on modifiable antecedents, this work provides practical guidance for designing interventions and platforms that empower parents to effectively protect children’s privacy.

Authors
Ann-Kristin Lieberknecht
Goethe University, Frankfurt, Germany
Sascha Löbner
Goethe University, Frankfurt, Germany
Frédéric Tronnier
Goethe University, Frankfurt, Germany
Passing Down Passwords: How Older Adults Approach Postmortem Account Access and Digital Estate Planning
Abstract

Traditional estate planning practices enable people to provide their heirs access to the assets left behind but are often insufficient for the transfer and management of online accounts. To understand how estate planning practices could be improved, we conducted 21 semi-structured interviews with older adults in the United States that explored their practices, concerns, and needs regarding postmortem online account access and management. We encountered few formalized digital estate planning practices; many participants use their credential management practices—primarily pen-and-paper—to provide postmortem account access. How participants envision account transfer is motivated by trust in their current practices and in their heirs, while concerns regarding technology hinder adoption of new methods. Participants consistently prioritize accounts with financial assets, and expectations surrounding postmortem account management vary based on individual circumstances, with the common goal of reducing burdens on executors and heirs. Our results suggest the need for developing technical standardization and expert guidance for digital estate planning.

Authors
Jenny Tang
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Xiaoyuan Wu
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Lujo Bauer
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Nicolas Christin
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States
Lorrie Faith Cranor
Carnegie Mellon University, Pittsburgh, Pennsylvania, United States