Eman Alashwali

Eman Alashwali

Most service providers, such as Google, save logs from data generated by users while using the service. Many service providers provide users with privacy controls to manage whether, how, and for how long the data is saved and used by the service provider. While most prior studies focused on the negative side of users' activity logs, such as users' lack of awareness about the logs' privacy controls and users' privacy concerns toward their data, this work aims to provide a balanced view of users' perceptions regarding activity logs by considering the positive, negative, and extremely negative (hence disastrous) sides, as well as the misconceptions of activity logs. In this work, we present a case study of Google's Activity controls by conducting a secondary analysis of interview data from 30 Google personal account holders in Saudi Arabia. Using template analysis, we analyzed the data from the lens of four main themes: the good, the bad, the misconception, and the disastrous aspects of users' activity logs from the users' perspective. Our findings uncover new themes and use cases, offering a balanced view of users' perceptions of activity logs, and provide a better understanding and a useful source for subsequent studies on related topics. We conclude with practical recommendations for service providers, privacy researchers and experts, and users alike.

Eman Alashwali, Abeer Alhuzali

In 2024, Saudi Arabia's Personal Data Protection Law (PDPL) came into force. However, little work has been done to assess its implementation. In this paper, we analyzed 100 e-commerce websites operating in Saudi Arabia against the PDPL, examining the presence of a privacy policy and, if present, the policy's declarations of four items pertaining to personal data rights and practices: 1) personal data retention period, 2) the right to request the destruction of personal data, 3) the right to request a copy of personal data, and 4) a mechanism for filing complaints. Our results show that, despite national awareness and support efforts, a significant fraction of e-commerce websites in our dataset are not fully compliant: only 31% of websites in our dataset declared all four examined items in their privacy policies. Even when privacy policies included such declarations, a considerable fraction of them failed to cover required fine-grained details. Second, the majority of top-ranked e-commerce websites in our dataset (based on search results order) and those hosted on local e-commerce hosting platforms exhibited considerably higher non-compliance rates than mid- to low-ranked websites and those not hosted on local e-commerce platforms. Third, we assessed the use of Large Language Models (LLMs) as an automated tool for privacy policy analysis to measure compliance with the PDPL. We highlight the potential of LLMs and suggest considerations to improve LLM-based automated analysis for privacy policies. Our results provide a step forward in understanding the implementation barriers to data protection laws, especially in non-Western contexts. We provide recommendations for policymakers, regulators, website owners, and developers seeking to improve data protection practices and automate compliance monitoring.

Eman Alashwali, Fatimah Alashwali

In this paper, we investigate Saudi parents' privacy concerns regarding their children's smart device applications (apps). To this end, we conducted a survey and analysed 119 responses. Our results show that Saudi parents expressed a high level of concern regarding their children's privacy when using smart device apps. However, they expressed higher concerns about apps' content than privacy issues such as apps' requests to access sensitive data. Furthermore, parents' concerns are not in line with most of the children's installed apps, which contain apps inappropriate for their age, require parental guidance, and request access to sensitive data such as location. We also discuss several aspects of Saudi parents' practices and concerns compared to those reported by Western (mainly from the UK) and Chinese parents in previous reports. We found interesting patterns and established new relationships. For example, Saudi and Western parents show higher levels of privacy concerns than Chinese parents. Finally, we tested 14 privacy practices and concerns against high versus low socioeconomic classes (parents' education, technical background, and income) to find whether there are significant differences between high and low classes (we denote these differences by "digital divide"). Out of 42 tests (14 properties x 3 classes) we found significant differences between high and low classes in 7 tests only. While this is a positive trend overall, it is important to work on bridging these gaps. The results of this paper provide key findings to identify areas of improvement and recommendations, especially for Saudis, which can be used by parents, developers, researchers, regulators, and policy makers.