The Best of Both Worlds: Mitigating Trade-offs Between Accuracy and User Burden in Capturing Mobile App Privacy Preferences

Open access

Abstract

In today’s data-centric economy, data flows are increasingly diverse and complex. This is best exemplified by mobile apps, which are given access to an increasing number of sensitive APIs. Mobile operating systems have attempted to balance the introduction of sensitive APIs with a growing collection of permission settings, which users can grant or deny. The challenge is that the number of settings has become unmanageable. Yet research also shows that existing settings continue to fall short when it comes to accurately capturing people’s privacy preferences. An example is the inability to control mobile app permissions based on the purpose for which an app is requesting access to sensitive data. In short, while users are already overwhelmed, accurately capturing their privacy preferences would require the introduction of an even greater number of settings. A promising approach to mitigating this trade-off lies in using machine learning to generate setting recommendations or bundle some settings. This article is the first of its kind to offer a quantitative assessment of how machine learning can help mitigate this trade-off, focusing on mobile app permissions. Results suggest that it is indeed possible to more accurately capture people’s privacy preferences while also reducing user burden.


