et al. SOUPS 2010.
Of Passwords and People: Measuring the Effect of Password-Composition Policies. Komanduri et al. CHI 2011.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. Kelley et al. OAKLAND 2012.
CHI 2011 HONORABLE MENTION
et al. UBICOMP 2010.
Location-Sharing Technologies: Privacy Risks and Controls. Tsai et al. I/S 2010.
Who’s Viewed You? The Impact of Feedback in a Mobile-location System. Tsai et al. CHI 2009.
Capturing Social Networking Privacy Preferences... Ravichandran, et al. PETS 2009.
Patrick Gage Kelley, Robin Brewer, Yael Mayer, Lorrie Faith Cranor, and Norman Sadeh. INTERACT 2011. INTERACT HONORABLE MENTION
Paul Adams. The Real Life Social Network
1998
“In light of the Commission's findings and significant consumer concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles.”
Surfer Beware III: Privacy Policies without Privacy Protection. 1999
C. Jensen, C. Potts. Privacy Policies as Decision-Making Tools: An Evaluation of Online Privacy Notices. CHI 2004
A. McDonald, L. Cranor. The Cost of Reading Privacy Policies. I/S. 2008.
upward of 85% – collect personal information from consumers.
only 14% – provide any notice with respect to their information practices
~2% – provide notice by means of a comprehensive privacy policy.
However, by 1999 privacy policies were found on over 80% of top websites.
The average Flesch-Kincaid score required for the top 50 internet privacy policies (2003) was 34.2
Time = 244 hours/year (national opportunity cost for time to read policies: $781 billion)
• Context matters
• Not enough to know only type of data collected and how data is used
• Need to know which data are used for what purposes as companies use some data for some purposes and other data for other purposes
• Privacy policies are complex
• People don’t understand privacy implications
comparisons
Standardized language
• People learn the terminology
Brief
• People can get their questions answered quickly
Towards a privacy “nutrition label”
Instructions
Possible types of information they collect
Purpose of the policy
Will they share this information “for this purpose”
Can you opt-out?
Contact information
your information
Provide service and maintain site, Research and development, Marketing, Telemarketing, Profiling not linked to you, Profiling linked to you, Other companies, Public forums
Contact information, Content, Cookies, Demographic information, Social security no. and gov't ID, Preferences, Purchase and financial data, Web browsing information, Unique identifiers
Understanding this privacy report
Data is collected and used in this way.
Your data will not be used in this way unless you opt-in.
You can opt-out of this data use.
You can opt-in or opt-out of some uses of this data.
information
financial information, health information, preferences, purchasing information, social security number & govt ID, your activity on this site, your location
how we use your information: provide service & maintain site, research & development, marketing, telemarketing, profiling
who we share your information with: other companies, public forums
to compare label and text policies
• 8 tasks, measured time and accuracy
• 6 opinion questions
Iterative design approach
5 focus groups
• 7-11 participants each
• explored attitudes towards privacy policies
• tested understanding of labels and symbols
Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.
design
• Measured time, accuracy, and enjoyability on information finding and comparison tasks
• Average time to complete ~15 minutes
User testing
Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. CHI 2010.
Can be answered from single row or column
Complex tasks
• Interaction between rows and columns
Single policy likeability
Comparison tasks
Policy comparison likeability
standardized real-world real-world
Five formats compared
Standardized label
Standardized short label
Standardized short text
Full policy text
Layered text
Overall accuracy results
Chart: percentage correct by policy format (surviving labels: Policy Text, Layered Text)
ANOVA significant at p < 0.05, F(4, 1094) = 73.75
std. label vs. full text: p < 0.05, t(510) = 14.4
std. short label vs. full text: p < 0.05, t(490) = 12.9
std. short text vs. full text: p < 0.05, t(491) = 14.3
layered vs. full text policy: p = 0.83, t(314) = -0.21
Timing results
Chart labels: Policy Text, Layered Text
ANOVA on the log-normalized time information p < 0.0001
Standardized all took less time sig. p < 0.05, layered at p = 0.025
std. label, t(348) = 5.36, std. short label t(327) = 6.01, std. short text t(329) = 4.55, layered t(238) = 2.25
Clear labeling of information that is not used or collected
Standardized terminology to minimize length and increase the clarity of the text
Definitions of standardized terms
of policy
Short table takes up less space but sometimes makes comparison tasks and tasks about data not collected more difficult
Text doesn’t scale well for complex policies, people more likely to miss text in the middle of paragraphs
full policy
Some information was not in layered policy yet few people clicked through to full policy to look for it
Layered not standardized enough – many differences between companies
read and understand
likened them to Japanese Stereo Instructions
The standardized-format were more complimentary:
This layout for privacy policies is MUCH more consumer friendly. I hope this becomes the industry standard
will not apply in situations where (a) you either have made, simultaneously make, or later make a specific request for information from a member of The Bell Group, (b) The Bell Group uses your personal information for either “Operational Uses” or “Fulfillment Uses” (as described above in A3), (c) you either have engaged, simultaneously engage, or later engage in either Non-Registered Transactions or Sponsored Activities (as described above in A3), or (d) The Bell Group shares your personal information under the provisions of A3 above with respect to “Companies That Facilitate Communications and Transactions With You,” “Companies That You Previously Authorized to Obtain Your Information,” “Purchase or Sale of Businesses,” or “Disclosures to Comply with Laws and Disclosures to Help Protect the Security and Safety of Our Web Sites, The Bell Group and Others.” Also, any opt-out choices you make will not apply to personal information that you provide about other persons, but these other persons will have the
potential applications for their device.
1. Do I believe this application will compromise the security and function of my phone if I install it?
2. Do I trust this developer and their partners with access to my personal information?
and Seattle
Semi-structured interview methodology focused on ecosystem-wide issues:
- What do they think of Android generally?
- Why and how do they select apps to install/purchase?
- Do they read and understand permissions screens?
- Are they concerned about malicious applications?
- Are tools/info needed to help with app privacy/security?
- The reviews and star-ratings, word of mouth from friends, and those who don’t see anything sketchy on the permissions list
- Nearly all participants don’t buy apps, so since it is free, they try it, and later delete it
Do they read and understand permissions screens?
- Many said they try, most don’t believe they understand the terms used, and haven’t tried to learn them
- They trust the reviews more
- They don’t understand why the apps need such access
Android is protecting them with app review for usability, bugs, viruses
- Are concerned in general about technology, most refused to do banking on their phones
Are tools/info needed to help with app privacy/security?
- Most said they would be interested in better app reviews, or an app that checks their phone, a few had tried similar tools, installed anti-virus software
access to all kinds of websites, even the protected ones.” –P1
“I would say, this just requires a data plan, and you would need to have Internet access.” –P6
“Any app that needs to get information from somewhere other than that is local on the phone.” –P7
assume it would probably be along the lines of, it knows when my phone is sleeping or in use or in a phone call, and the type of phone” –P2
“So it knows whether or not I am in the middle of a call? I don’t really know what that part [identity] means.” –P13
“If you are on the phone maybe it shuts itself off... Maybe like your carrier? Hopefully not like who you are.” –P19
don’t like, I don’t know what it means, ... my impression is that instead of me being able to authorize something, that application is saying it can.” –P3
“That freaks me out. What does that mean exactly, cause I am not quite sure.” –P12
“I don’t know, I guess it is in charge of whatever accounts you open up.” –P18
Sunny Consolvo
Patrick Gage Kelley @patrickgage patrickgagekelley.com
Privacy nutrition labels: Joanna Bresee, Aleecia McDonald, Rob Reeder, Sungjoon Steve Won
Android app permissions: Jaeyeon Jung, David Wetherall, Tim Vidas
Location sharing: Michael Benisch, Janice Tsai, Eran Toch, Paul Hankes Drielsma, Jialiu Lin, Jason Hong
Passwords: Michelle Mazurek, Saranga Komanduri, Rich Shay, Blase Ur, Lujo Bauer
Twitter/Facebook: Manya Sleeper, Justin Cranshaw, Yang Wang, Yael Mayer, Robin Brewer
New Media Arts: Golan Levin, Danny Rashid, Matthew Kay, Polo Chau, Sue Ann Hong