Users often need to share their data but are not always informed about its use or consequences. Sebastian Linsner's PhD thesis "Privacy Preserving Data Management: Assisting Users in Data Disclosure Scenarios" aims to help users by incorporating their perspectives into the development of digital tools. It identifies problems and risks of data disclosure, finds ways developers can mitigate these risks, and ensures the practical adoption of these solutions. Transparency was shown to build trust and correct false security perceptions. Customizable data flow controls were also investigated, revealing that security features can enhance privacy and usability without major trade-offs. Overall, the thesis emphasizes the importance of enabling users to make informed decisions to maintain data sovereignty, and in doing so makes an important contribution.

On Monday, August 5, 2024, Sebastian Linsner successfully defended his PhD thesis, which marks the final milestone towards achieving his Dr.-Ing. degree at the Department of Computer Science at Technical University of Darmstadt.

The entire PEASEC team extends its heartfelt congratulations to our new *Dr.-Ing.* Sebastian Linsner!

His dissertation was supervised by Prof. Dr. Dr. Christian Reuter, who also acted as first referee. Prof. Dr. Anna Spagnolli (University of Padua, Italy) acted as second referee. Prof. Dr. Marc Fischlin (Cryptography and Complexity Theory) and Prof. Dr. Jörn Kohlhammer (Visual Search and Analysis) joined the examination committee.


Privacy Preserving Data Management: Assisting Users in Data Disclosure Scenarios

Users face many situations in which they have to disclose their data to others. In many cases, they are not properly informed about the usage of their data or the consequences of data disclosure. This thesis aims to support users in these situations by investigating possibilities to incorporate their perspectives into the development process for digital tools. The investigated scenarios are twofold: Firstly, business-to-business (B2B) collaborations, especially highlighting the perspective of owners of small and medium enterprises (SMEs) who are forced to provide data for business processes. This holds especially true for the domain of agriculture, where many work processes are coordinated with a division of work, requiring data exchange. Furthermore, SMEs are predominant in German agriculture, making this domain ideal for the investigation. Secondly, scenarios of everyday usage for private users that require the disclosure of data are investigated. These revolve around browser tracking, attestation of internet of things (IoT) devices to prevent espionage through malware and a novel interaction concept for increased privacy in customer-to-business (C2B) interactions. Although both scenarios have some similarities, considering them separately broadens the perspective on software development. Extending personally owned data to operational data especially raises new demands for development processes that preserve data sovereignty. In contrast to private users, in B2B collaborations, declining the usage of digital tools and data disclosure is not possible because business owners have to adhere to regulations and provide business partners with data for collaborative work processes.

This thesis investigates how users can be supported in these scenarios by researching three core aspects: Firstly, problems and risks that lead to (unintended) data disclosure or arise from it have to be identified. Secondly, measures are investigated that developers can apply to mitigate these risks and meet the needs of the users. Finally, the developed solutions have to be adopted into practice. Strategies to bring security- and privacy-enhancing technologies to use are essential because a tool that is not used cannot protect anyone. These three research directions are investigated with several publications that form the main body of this cumulative thesis. Using their findings, the over-arching research question is answered: “How can users be enabled to make informed decisions to maintain data sovereignty and manage their data in data disclosure scenarios?”

The results for the B2B sector show that the perspectives of smaller businesses are largely overlooked, neglecting their privacy needs and thus slowing down the digital transformation. The underlying publications identify several technical, social and ethical aspects of technology adoption in this domain. Farmers who participated in these studies had an especially strong demand for tools that allow them to exercise their data sovereignty and prevent others from gaining insights into their business strategy.

For private users, the contributions are threefold: Firstly, different levels of support for users were investigated, which led to the creation of support personas, a novel approach representing the different needs and preferences users have regarding the level of support they need when interacting with security- and privacy-enhancing tools. Secondly, transparency was evaluated as a suitable way to educate users and build trust in security mechanisms. The evaluation showed that increased understanding corrected false mental models, allowing users to estimate the level of protection correctly and avoiding data leakage caused by overestimating that protection. Finally, different options to control the data flow in everyday scenarios were investigated. By providing different levels of customization, light was shed on the effects of the control paradox. Furthermore, the evaluation showed that incorporating security and privacy features into everyday use cases does not require a severe trade-off regarding usability. Instead, the proposed interaction concept was perceived as an overall improvement to both privacy and usability.

To conclude, this thesis presents different approaches to identify risks and problems in data disclosure scenarios for private users as well as business owners, explores solutions for developers and investigates strategies for the adoption of security- and privacy-enhancing technologies into practice.

Selected Publications within the PhD:

Sebastian Linsner, Kilian Demuth, Sebastian Surminski, Lucas Davi, Christian Reuter (2024)
Building Trust in Remote Attestation through Transparency – A Qualitative User Study on Observable Attestation
Behaviour & Information Technology (BIT), 2024. doi:10.1080/0144929X.2024.2374889
[Download PDF]
Sebastian Linsner, Kilian Demuth, Marc Fischlin, Christian Reuter (2024)
Decision-based Data Distribution (D³): Enabling Users to Minimize Data Propagation in Privacy-sensitive Scenarios
Proceedings on Privacy Enhancing Technologies (PoPETs), no. 4, 2024. doi:10.56553/popets-2024-0113
[Download PDF]
Kilian Demuth, Sebastian Linsner, Tom Biselli, Marc-André Kaufhold, Christian Reuter (2024)
Support Personas: A Concept for Tailored Support of Users of Privacy-Enhancing Technologies
Proceedings on Privacy Enhancing Technologies (PoPETs), no. 4, 2024. doi:10.56553/popets-2024-0142
[Download PDF]
Sebastian Linsner, Enno Steinbrink, Franz Kuntke, Jonas Franken, Christian Reuter (2022)
Supporting Users in Data Disclosure Scenarios in Agriculture through Transparency
Behaviour & Information Technology (BIT), vol. 41, no. 10, pp. 2137–2159. doi:10.1080/0144929X.2022.2068070
[Download PDF]
Sebastian Linsner, Franz Kuntke, Enno Steinbrink, Jonas Franken, Christian Reuter (2021)
The Role of Privacy in Digitalization – Analyzing the German Farmers' Perspective
Proceedings on Privacy Enhancing Technologies (PoPETs), vol. 2021, no. 3, pp. 334–350. doi:10.2478/popets-2021-0050
[Download PDF]
Sebastian Linsner, Franz Kuntke, Gina Maria Schmidbauer-Wolf, Christian Reuter (2019)
Blockchain in der Landwirtschaft 4.0 – Empirische Studie zu Erwartungen von Landwirten gegenüber dezentralen Services auf Basis von Distributed Ledger Technology
Proceedings of Mensch und Computer – Tagungsband. doi:10.1145/3340764.3340799
[Download PDF]
