Education

B.Sc. in Information and Communication Systems Engineering from the University of the Aegean
M.Sc. in Information Systems from the Athens University of Economics and Business

Research Interests

 
• Privacy in Social Networking Services
• Privacy-by-Design
• Privacy Enhancing Technologies (PETs)
• Privacy Impact Assessment (PIA)
• Privacy Awareness

Teaching Activities

Journals


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


K. Vemou, M. Karyda, Evaluating privacy impact assessment methods: guidelines and best practice, Information & Computer Security, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-04-2019-0047
 

Abstract
(Purpose) This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research. (Design/methodology/approach) This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard’s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed. (Findings) This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners. (Practical implications) The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance). (Originality/value) This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.

K. Vemou, M. Karyda, Requirements for Private Communications over Public Spheres, Information and Computer Security, Vol. 28, No. 1, pp. 68-96, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-01-2019-0002
 

Abstract
(Purpose) In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private. This paper aims to analyze privacy requirements of personal communications over a public medium. (Design/methodology/approach) This paper systematically analyzes SNS services as communication models and considers privacy as an attribute of users’ communication. A privacy threat analysis for each communication model is performed, based on misuse scenarios, to elicit privacy requirements per communication type. (Findings) This paper identifies all communication attributes and privacy threats and provides a comprehensive list of privacy requirements concerning all stakeholders: platform providers, users and third parties. (Originality/value) Elicitation of privacy requirements focuses on the protection of both the communication’s message and metadata and takes into account the public–private character of the medium (SNS platform). The paper proposes a model of SNS functionality as communication patterns, along with a method to analyze privacy threats. Moreover, a comprehensive set of privacy requirements for SNS designers, third parties and users involved in SNS is identified, including voluntary sharing of personal data, the role of the SNS platforms and the various types of communications instantiating in SNS.

K. Vemou, M. Karyda, Guidelines and tools for incorporating privacy in Social Networking Platforms, IADIS International Journal on WWW/Internet, Vol. 12, No. 2, pp. 16-33, 2014, http://www.iadisportal.org/ijwi/
 

Abstract
Built-in privacy is important for promoting users’ privacy and trust in Social Networking Services (SNS). Up to now, privacy research has its focus on the development and employment of Privacy Enhancing Technologies as add-on applications and on investigating users’ privacy preferences. This paper draws on the principles of privacy-by-design and extends previous literature by identifying privacy requirements for the development of privacy-friendly SNS platforms. The paper also evaluates currently embedded privacy practices in four popular SNS platforms (Facebook, Google+, Twitter and Pinterest) to assess the level of built-in privacy and proposes a list of guidelines and tools SNS platform designers can employ.

Conferences




K. Vemou, M. Karyda, An Organizational Scheme for Privacy Impact Assessments, 15th European Mediterranean & Middle Eastern Conference on Information Systems, Themistocleous M., Rupino da Cunha P., (eds), pp. 258-271, Oct, 2018, Limassol, Cyprus, Springer, https://link.springer.com/chapter/10.100...
 

Abstract
The importance of Privacy Impact Assessment (PIA) has been emphasized by privacy researchers and its conduction is provisioned in legal frameworks, such as the European Union’s General Data Protection Regulation. However, it is still a complicated and bewildering task for organizations processing personal data, as available methods and guidelines fail to provide adequate guidance confusing organisations and PIA practitioners. This paper analyzes the interplay among PIA stakeholders and proposes an organizational scheme for successful PIA projects.

K. Vemou, M. Karyda, An Evaluation Framework for Privacy Impact Assessment Methods, 12th Mediterranean Conference on Information Systems (MCIS2018), Sep, 2018, Corfu, Greece, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2018/5/
 

Abstract
Privacy Impact Assessment (PIA) methods guide the implementation of Privacy-by-Design principles and are provisioned in the European Union’s General Data Protection Regulation. As implementing a PIA is still an intricate task for organizations, this paper provides a critical review and assessment of generic PIA methods proposed by related research, Data Protection Authorities and Standard’s Organizations. The evaluation framework is based on a comprehensive set of criteria elicited through a systematic analysis of relevant literature. This paper also identifies elements of PIA methods that require further support or clarification as well as issues that still remain open, such as the need for implementation of supporting tools.

K. Vemou, M. Karyda, Evaluating privacy practices in Web 2.0 services, 9th Mediterranean Conference on Information Systems, Oct, 2015, Samos, Greece, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2015/7/
 

Abstract
This paper discusses the effectiveness of privacy practices and tools employed by Web 2.0 service providers to facilitate users protect their privacy and respond to public pressure. By experimenting on three recently introduced tools, which claim to offer users access and choice on the data stored about them, we analyse their privacy preserving features. Research results indicate their limited effectiveness with regard to user privacy. We discuss discrepancy between stated goals of these privacy enhancing tools and actual goals these tools accomplish.

K. Vemou, G. Mousa, M. Karyda, On the low diffusion of Privacy-enhancing Technologies in Social Networking: results of an empirical investigation, 12th European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015), Jun, 2015, Athens, Greece
 

Abstract
This paper discusses the low adoption of PETs among SNS users, based on the results of an empirical investigation among users of social networking services. 170 members of 5 popular social networks provided information on how they protect their privacy, as well as on the most important factors guiding their decision to use privacy preserving tools or not. Research findings suggest that awareness of PETs is still low among social network users and that quality, effectiveness, cost and ease of use are critical factors influencing PETs adoption. A small number of users was also found not to employ any PETs, despite the fact that they reported being familiar with some of them. This paper enhances our understanding of PETs diffusion from the perspective of users and argues that usability aspects need to guide their design and implementation.

K. Vemou, M. Karyda, S. Kokolakis, Directions for Raising Privacy Awareness in SNS Platforms, 18th Panhellenic Conference on Informatics, pp. 1-6, Oct, 2014, Athens, ACM New York, http://dl.acm.org/citation.cfm?id=264579...
 

Abstract
Members of online social networks are often under an illusion of privacy, underestimating privacy risks related to their personal information published in their profiles. Current literature identifies privacy awareness as a key factor for enhancing user privacy. This paper identifies awareness raising applications and explores the effectiveness of awareness tools and practices currently employed by six popular SNS platforms, through a combined approach of literature review and experimental use. Our findings illustrate that awareness practices differ significantly among platforms and fail to promote awareness. We also show that effective awareness raising tools, such as privacy signalling and visualization applications, are overlooked and propose directions to further enhance privacy awareness mechanisms in SNS platforms.

K. Vemou, M. Karyda, Embedding privacy practices in social networking services, 7th IADIS International Conference Information Systems 2014, P. Powell, M. B. Nunes and P. Isaías, (eds), pp. 201-208, Mar, 2014, Madrid, Spain, IADIS Press, http://www.iadisportal.org/digital-libra...
 

Abstract
Built-in privacy emerges as a necessity to keep users’ interest and trust in Social Networking Services. However, extant literature is dominated by research on developing and/or employing Privacy-Enhancing Technologies as add-ons and on exploring users’ privacy preferences, failing to provide explicit guidance on how to inscribe privacy from the early stages of SNS implementation. In this paper we draw upon the principles of privacy-by-design to propose a list of privacy requirements to drive privacy-friendly SNS design and discuss their implementation in four popular SNS platforms.

K. Vemou, M. Karyda, A classification of factors influencing low adoption of PETs among SNS users, 10th International Conference on Trust, Privacy & Security in Digital Business, S. Furnell, C. Lambrinoudakis, and J. Lopez, (eds), pp. 74-84, Aug, 2013, Prague, Czech Republic, Springer, http://link.springer.com/chapter/10.1007...
 

Abstract
Privacy concerns are rising among SNS users. However, privacy enhancing technologies are not, yet, widely deployed, moreover the rate at which their deployment has grown over the last few years has not been substantial. This is surprising given the fact that PETs are widely recognized as effective at reducing privacy risks. This paper discusses this paradox and tries to answer the question why PETs adoption by social network users is limited. It presents a framework of key factors that facilitates understanding of the issue and can serve as a guide for future research and practice.

Books




Chapters in Books




Conferences Proceedings Editor

