Choice Architectures for Mobile Privacy and Security: A Research Agenda (Serge Egelman, UC Berkeley)

Post on 22-Dec-2015


1

Choice Architectures for Mobile Privacy and Security: A Research Agenda

Serge Egelman, UC Berkeley

2

Adverse selection

Example: SMS
73% of malware uses SMS capability
3% of legitimate applications use it

SMS capability signals potential malware

Advice: “Don’t use apps that require SMS”

Is it possible to follow this advice?
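An added example, not code from the talk, of what it takes to follow the "don't use apps that require SMS" advice mechanically rather than by clicking through ten store screens, and of how much the 73%/3% signal is actually worth once the base rate of malware is taken into account. It assumes the real android.permission.* constant names; the manifest string is constructed here for illustration, the grouping of SEND_SMS and CALL_PHONE under "Services that cost you money" is an assumption that mirrors the old Android permission-group label, and the prevalence figures are assumed inputs, not numbers from the talk.

```python
"""Added example: triage an Android manifest for the SMS signal and weigh that
signal against an assumed base rate of malware. Not code from the talk.
Permission names are the real android.permission.* constants; the sample
manifest below is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: this grouping mirrors the old Android permission-group label
# "Services that cost you money", which covered SEND_SMS and CALL_PHONE.
COST_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
SMS_CAPABILITY = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Constructed sample manifest: a "flashlight" app that also asks to send SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def uses_sms(perms):
    """The capability the advice keys on: any SMS permission at all."""
    return bool(perms & SMS_CAPABILITY)


def posterior_malware(prevalence, p_sms_given_malware=0.73, p_sms_given_legit=0.03):
    """P(malware | requests SMS) by Bayes' rule, using the talk's two rates.

    The likelihood ratio is 0.73 / 0.03, roughly 24, but the posterior still
    hinges on how common malware is in the store (prevalence is an assumed
    input, not a figure from the talk)."""
    joint_malware = prevalence * p_sms_given_malware
    joint_legit = (1.0 - prevalence) * p_sms_given_legit
    return joint_malware / (joint_malware + joint_legit)


def triage(manifest_xml, prevalence):
    """One-shot report a store or on-device checker could show up front,
    instead of burying the SMS line five screens into the install flow."""
    perms = requested_permissions(manifest_xml)
    sms = uses_sms(perms)
    return {
        "permissions": sorted(perms),
        "cost_money": sorted(perms & COST_MONEY),
        "uses_sms": sms,
        "p_malware_given_sms": posterior_malware(prevalence) if sms else None,
    }


if __name__ == "__main__":
    for prevalence in (0.001, 0.01, 0.1):
        print(f"prevalence={prevalence:.3f} -> {triage(SAMPLE_MANIFEST, prevalence)}")
```

With the talk's two rates, an app that requests SMS is about 2.4% likely to be malware if 0.1% of the store is malicious, about 20% at 1%, and about 73% at 10%. The signal is strong in likelihood-ratio terms but, at low prevalence, the advice "reject everything that requires SMS" still rejects mostly legitimate apps, which is the usability cost the following slides illustrate.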

3

EXAMPLE: INSTALLATION

4

Step 1: Search

5

Step 2: Select application

6

Step 3: View description

7

Step 4: View permissions

8

Step 5: View permissions…still

Services that cost you money
Send SMS messages

9

Step 6: Go back

10

Step 7: Go back

11

Step 8: Select application

12

Step 9: View description

13

Step 10: View permissions

14

A possible improvement

15

EXAMPLE: EXISTING APP

16

Step 1: Find apps

17

Step 2: Find settings app

18

Step 3: Scroll…

19

Step 4: Click…

20

Step 5: Find applications

21

Step 6: Click…

22

Step 7: Manage applications

23

Step 8: Click…

24

Step 9: Find particular app

25

Step 10: Click…

26

Step 11: View app settings

27

Step 12: Scroll to permissions

28

There must be a better way!

29

Agenda

Choice architecture

Lessons from privacy research

Previous findings

Questions and considerations

30

CHOICE ARCHITECTURES
Framing options to have an impact on outcome

R. Thaler and C. Sunstein. Nudge: Improving decisions about health, wealth, and happiness. Yale University Press, New Haven and London, 2008.

31

Smartphones

Current devices implement choice architectures for granting capabilities to applications:

32

33

Users aren’t being served

Curating the market is expensive
Does not scale
Asking the first time may be insufficient
Capability requests are needed

Previous findings
82.5% do not notice permissions
97.4% misunderstood meanings
Current architecture is unhelpful

34

LESSONS FROM PRIVACY

35

Privacy preferences

No literature [yet] on security preferences
Wealth of literature on online privacy:

When explicitly asked, users care what information they share and with whom1,2,3

[1] A. F. Westin. E-Commerce & Privacy: What Net Users Want. Privacy & American Business, Hackensack, NJ, 1998. http://www.pwcglobal.com/gx/eng/svcs/privacy/images/E-Commerce.pdf.

[2] M. S. Ackerman, L. F. Cranor, and J. Reagle. Privacy in e-commerce: examining user scenarios and privacy preferences. In EC ’99: Proceedings of the 1st ACM Conference on Electronic Commerce, pages 1–8, New York, NY, USA, 1999. ACM. http://www.eecs.umich.edu/ackerm/pub/99b28/ecommerce.final.pdf.

[3] d. boyd and E. Hargittai. Facebook privacy settings: Who cares? First Monday, 15(8), August 2010.

36

Privacy behaviors

Privacy behaviors rarely match preferences:

Users readily disclose information1

Decisions are often regretted2,3

[1] S. Spiekermann, J. Grossklags, and B. Berendt. E-Privacy in 2nd Generation E-Commerce: Privacy Preferences versus Actual Behavior. In Proceedings of EC’01: Third ACM Conference on Electronic Commerce, pages 38–47, Tampa, Florida, 2001. http://www.sims.berkeley.edu/~jensg/research/eprivacy_acm.html.

[2] N. Good, R. Dhamija, J. Grossklags, S. Aronovitz, D. Thaw, D. Mulligan, and J. Konstan. Stopping spyware at the gate: A user study of privacy, notice and spyware. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS 2005), pages 43–52, Pittsburgh, PA, July 2005.

[3] A. Acquisti. Privacy in electronic commerce and the economics of immediate gratification. In Proceedings of the ACM Electronic Commerce Conference (EC ’04), pages 21–29, New York, NY, 2004. ACM Press. http://www.heinz.cmu.edu/~acquisti/papers/privacy-gratification.pdf.

37

Why the discrepancy?

Poorly designed choice architectures:
Language is difficult1,2

Comprehension takes time3

Hyperbolic discounting4

[1] G. R. Milne and M. J. Culnan. Strategies for reducing online privacy risks: Why consumers read (or don’t read) online privacy notices. Journal of Interactive Marketing, 18(3):54–61, Summer 2004.

[2] A. Anton, J. Earp, Q. He, W. Stufflebeam, D. Bolchini, and C. Jensen. Financial privacy policies and the need for standardization. IEEE Security & Privacy, 2(2):36–45, Mar-Apr 2004.

[3] A. McDonald and L. Cranor. The cost of reading privacy policies. In Proceedings of the Technology Policy Research Conference, September 26–28 2008.

[4] A. Acquisti and J. Grossklags. Losses, gains, and hyperbolic discounting: An experimental approach to information security attitudes and behavior. In Proceedings of The 2nd Annual Workshop on Economics and Information Security (WEIS ’03), 2003.

38

Privacy choice architectures

Improved architecture led to better choices
Privacy Finder

Context matters1,2

Timing matters3

Lessons for smartphones?

[1] J. Gideon, S. Egelman, L. Cranor, and A. Acquisti. Power Strips, Prophylactics, and Privacy, Oh My! In Proceedings of the 2006 Symposium on Usable Privacy and Security, pages 133–144, 2006.

[2] J. Tsai, S. Egelman, L. Cranor, and A. Acquisti. The impact of privacy indicators on search engine browsing patterns. Information Systems Research, 22(2):254–268, June 2011.

[3] S. Egelman, J. Tsai, L. F. Cranor, and A. Acquisti. Timing is everything?: the effects of timing and placement of online privacy indicators. In Proceedings of the 27th international conference on Human factors in computing systems, CHI ’09, pages 319–328, New York, NY, USA, 2009. ACM.

39

SMARTPHONE CHOICE ARCHITECTURE

40

Notice

82.5% do not look at permissions
42% unaware permissions existed
42% aware but don’t use

Explanations:
Many were habituated—too many requests
Many were unaware—too late in the process

Suggestions:
Only prompt when necessary
Provide information earlier

41

Comprehension

97% could not define permissions
64% could not state SMS ability

Explanations:
All but one was confused with its category
Not knowing full lists creates ambiguities

Suggestions:
Improve descriptions
Narrow list of possible permissions

42

WHICH PERMISSIONS ARE IMPORTANT?

43

Card sorting exercise

Merged redundancies
Extraneous eliminated

170 Android
16 Windows Phone

50 Total permissions

44

Example: redundant permissions

Read received SMS / Read sent SMS
Power on/off / Reboot
Force stop applications / Kill processes
View network state / View WiFi state

45

Example: extraneous permissions

Read sync stats
Allow debugging
Enable multicast
Set orientation
Vibrate
Enable flashlight

Do users really need to understand these?

Are these really harmful?

46

Permission preferences survey

Mechanical Turk survey measured:
Level of concern for various permissions
Whether users would pay for fewer permissions

Demographics
n=483, 52.6% Female
32.9% Android users
US-based

47

Conditions

Price   Permissions Requested
$0.49   Full Internet Access; Fine (GPS) Location; Record Audio
$0.99   Full Internet Access; Record Audio
$1.49   Full Internet Access; Fine (GPS) Location
$1.99   Full Internet Access

48

49

25% willing to pay for fewer permissions

[Bar chart: App Most Likely to Purchase, one bar per price condition ($0.49, $0.99, $1.49, $1.99); vertical axis 0 to 250]

50

Installation considerations

Primary decision factors:
37% said cost
22% said description
17% said permissions

Degree of consideration (Wilcoxon signed ranks test):
Cost > permissions (p<0.0005)
Description > permissions (p<0.0005)
Ratings > permissions (p<0.0005)
Permissions comparable with downloads

51

Relative concerns

Rank   August AdMob Survey (n=308)   November Mechanical Turk Survey (n=483)
1      View Photos                   Modify Accounts
2      Record Audio                  Read Email
3      Read Contacts                 Read SMS
4      Read Bookmarks                Read Contacts
5      View Call History             Modify Storage
...
10     Exact Location
12                                   Exact Location

52

Experimental differences

Rankings for similar permissions diverged

Permission         August AdMob   November MTurk
Record Audio       1              5
Read Contacts      2              2
Read SMS           3              1
Record Video       4              4
Exact Location     5              7
Phone Number       6              3
Browser History    7              6

Why so different?

53

Possible explanations

Selection bias?
Not due to gender or usage
Age differed slightly
Westin index “privacy fundamentalists:” 13.6% (August) vs. 26.1% (November)

Differing time periods

Wording changed!
We cannot know if every participant understood

54

UNDERSTANDING CONCERNS

55

Understanding concerns

Planned online survey to gauge concerns

Permission is described
Comprehension questions
Level of concern
Concern relative to other permissions

56

Ranking permissions

57

IMPROVING COMPREHENSION

58

Comprehension problems

Participants had no idea what a quarter of permissions meant

Others confused category with permission
Example: READ_CALENDAR

“read my passwords”“gather all personal information from phone”

59

Your personal information
Read your calendar

60

Pictures improve comprehension

Pictograms
Crowdsourced drawings
Free-form associations
Matching

Result: icons and text

61

Crowdsourced pictograms

1) Draw a symbol to represent “Internet access”

[Submit] [Clear]

62

Improving comprehension

1) If you saw the symbol on the right, what would you think it represented?

[Submit] [Clear]

The application is trying to send or receive data from the Internet.

63

Matching to validate

Internet access

Location

Make calls

Record audio

64

THE ROLE OF CONTEXT

65

Improving comprehension is the tip of the iceberg

When?
Install time?
Runtime?
Resource access?

Scope?
Once?
Every time?
X times?

For similar permission types?

66

Example: location requests

Permission Request: “Facebook” would like to use your current location
[Don’t Allow] [OK]

Permission Request: “Facebook” would like to use your current location: Berkeley, CA
[Don’t Allow] [OK]

Permission Request: “Facebook” would like to use your current location: Work
[Don’t Allow] [OK]

Permission Request: “Facebook” would like to use your current location: Sketchy Massage Parlor
[Don’t Allow] [OK]

67

Exploring context

Results likely change based on the use
Laboratory studies likely yield different results
Field studies are needed

Longitudinal
In situ

Relevance?
Harm?
Frequency?
Consequences?

68

Conclusion

Current choice architectures fail users
Requests go unnoticed
Too many permissions
Permissions are hard to understand

Users want to know what apps are doing

Factor when choosing which to install
Easier to detect undesirable apps

69

Questions?