DOI: 10.1145/1073001.1073006

Stopping spyware at the gate: a user study of privacy, notice and spyware

Published: 06 July 2005

ABSTRACT

Spyware is a significant problem for most computer users. The term "spyware" loosely describes a new class of computer software. This type of software may track user activities online and offline, provide targeted advertising and/or engage in other types of activities that users describe as invasive or undesirable.

While the magnitude of the spyware problem is well documented, recent studies have had only limited success in explaining the broad range of user behaviors that contribute to the proliferation of spyware. As opposed to viruses and other malicious code, users themselves often have a choice whether they want to install these programs.

In this paper, we discuss an ecological study of users installing five real world applications. In particular, we seek to understand the influence of the form and content of notices (e.g., EULAs) on users' installation decisions.

Our study indicates that while notice is important, notice alone may not be enough to affect users' decisions to install an application. We found that users have limited understanding of EULA content and little desire to read lengthy notices. Users found short, concise notices more useful, and noticed them more often, yet they did not have a significant effect on installation for our population. When users were informed of the actual contents of the EULAs to which they agreed, we found that users often regret their installation decisions.

We discovered that regardless of the bundled content, users will often install an application if they believe the utility is high enough. However, we discovered that privacy and security become important factors when choosing between two applications with similar functionality. Given two similar programs (e.g. KaZaA and Edonkey), consumers will choose the one they believe to be less invasive and more stable. We also found that providing vague information in EULAs and short notices can create an unwarranted impression of increased security. In these cases, it may be helpful to have a standardized format for assessing the possible options and trade-offs between applications.

Published in

SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and security
July 2005
123 pages
ISBN: 1595931783
DOI: 10.1145/1073001

Copyright © 2005 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 15 of 49 submissions, 31%
