ABSTRACT
Smartphone security research has produced many useful tools to analyze the privacy-related behaviors of mobile apps. However, these automated tools cannot assess people's perceptions of whether a given action is legitimate, or how that action makes them feel with respect to privacy. For example, automated tools might detect that a blackjack game and a map app both use one's location information, but people would likely view the map's use of that data as more legitimate than the game. Our work introduces a new model for privacy, namely privacy as expectations. We report on the results of using crowdsourcing to capture users' expectations of what sensitive resources mobile apps use. We also report on a new privacy summary interface that prioritizes and highlights places where mobile apps break people's expectations. We conclude with a discussion of implications for employing crowdsourcing as a privacy evaluation technique.
- "Katz v United States 389 U. S. 347." Available: http://en.wikipedia.org/wiki/Katz_v._United_StatesGoogle Scholar
- S. Amini, et al., "Towards Scalable Evaluation of Mobile Applications through Crowdsourcing and Automation," CMU-CyLab-12-006, Carnegie Mellon University, 2012.Google Scholar
- D. Barrera, et al., "A methodology for empirical analysis of permission-based security models and its application to android," In Proc. CCS, 2010. Google ScholarDigital Library
- A. Barth, et al., "Privacy and Contextual Integrity: Framework and Applications," In Proc. IEEE Symposium on Security and Privacy, 2006. Google ScholarDigital Library
- M. Benisch, et al., "Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs," Personal and Ubiquitous Computing, 2010. Google ScholarDigital Library
- A. Beresford, et al., "MockDroid: trading privacy for application functionality on smartphones," In Proc. HotMobile, 2011. Google ScholarDigital Library
- M. S. Bernstein, et al., "Soylent: a word processor with a crowd inside," In Proc. UIST, 2010. Google ScholarDigital Library
- C. Bravo-Lillo, et al., "Bridging the gap in computer security warnings: a mental model approach," IEEE Security & Privacy Magazine, 2010. Google ScholarDigital Library
- L. J. Camp, "Mental models of privacy and security," Technology and Society Magazine, IEEE, vol. 28, 2009.Google ScholarCross Ref
- E. Chin, et al., "Analyzing inter-application communication in Android," In Proc. MobiSys, 2011. Google ScholarDigital Library
- K. Craik, the nature of explanation, Cambridge University Press, 1943.Google Scholar
- M. Egele, et al., "PiOS: Detecting Privacy Leaks in iOS Applications," In Proc. NDSS, 2011.Google Scholar
- W. Enck, "Defending Users against Smartphone Apps: Techniques and Future Directions," in LNCS. vol. 7093, ed, 2011. Google ScholarDigital Library
- W. Enck, et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," In Proc. OSDI 2010. Google ScholarDigital Library
- W. Enck, et al., "A Study of Android Application Security," In Proc. USENIX Security Symposium, 2011. Google ScholarDigital Library
- A. P. Felt, et al., "Android permissions demystified," In Proc. CCS, 2011. Google ScholarDigital Library
- A. P. Felt, et al., "A survey of mobile malware in the wild," In Proc. SPSM, 2011. Google ScholarDigital Library
- A. P. Felt, et al., "Android Permissions: User Attention, Comprehension, and Behavior," UCB/EECS-2012-26, University of California, Berkeley, 2012.Google ScholarDigital Library
- A. P. Felt, et al., "Permission re-delegation: attacks and defenses," In Proc. USENIX conference on Security, 2011. Google ScholarDigital Library
- N. Good, et al., "Stopping spyware at the gate: a user study of privacy, notice and spyware," In Proc. SOUPS, 2005. Google ScholarDigital Library
- S. Grobart. "The Facebook Scare That Wasn't." Available: http://gadgetwise.blogs.nytimes.com/2011/08/10/the-facebook-scare-that-wasnt/Google Scholar
- P. Hornyack, et al., "These aren't the droids you're looking for: retrofitting android to protect data from imperious applications," In Proc. CCS, 2011. Google ScholarDigital Library
- C. Jensen and C. Potts, "Privacy policies as decision-making tools: an evaluation of online privacy notices," In Proc. CHI, 2004. Google ScholarDigital Library
- J. Jeon, et al., "Dr. Android and Mr. Hide: Fine-grained security policies on unmodified Android," 2012.Google Scholar
- P. G. Kelley, et al., "A "nutrition label" for privacy," In Proc. SOUPS, 2009. Google ScholarDigital Library
- P. G. Kelley, et al., "A Conundrum of permissions: Installing Applications on an Android Smartphone," In Proc. USEC, 2012. Google ScholarDigital Library
- G. Liu, et al., "Smartening the crowds: computational techniques for improving human verification to fight phishing scams," In Proc. SOUPS, 2011. Google ScholarDigital Library
- M. Nauman, et al., "Apex: extending Android permission model and enforcement with user-defined runtime constraints," In Proc. ASIACCS, 2010. Google ScholarDigital Library
- D. Norman, The design of everyday things: Basic Books, 2002. Google ScholarDigital Library
- L. Palen and P. Dourish, "Unpacking "privacy" for a networked world," In Proc. CHI, 2003. Google ScholarDigital Library
- S. Patil, et al., "With a little help from my friends: can social navigation inform interpersonal privacy preferences?," In Proc. Proceedings of the ACM 2011 conference on Computer supported cooperative work, 2011. Google ScholarDigital Library
- N. Sadeh, et al., "Understanding and Capturing People's Privacy Policies in a Mobile Social Networking Application," The Journal of Personal and Ubiquitous Computing, 2009. Google ScholarDigital Library
- D. J. Solove, "A Taxonomy of Privacy," University of Pennsylvania Law Review, Vol. 154, No. 3, January 2006.Google ScholarCross Ref
- A. Thampi. "Path uploads your entire iPhone address book to its servers." Available: http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.htmlGoogle Scholar
- S. Thurm and Y. I. Kane, "Your Apps are Watching You," WSJ, 2011.Google Scholar
- T. Vidas, et al., "Curbing android permission creep," Proceedings of the Web, vol. 2, 2011.Google Scholar
- A. Wagner. "Google Posts Refreshed Android Distribution Numbers." Available: http://www.twylah.com/surfingislander/tweets/177040176181288960Google Scholar
- R. Wash, "Folk models of home computer security," In Proc. SOUPS, 2010. Google ScholarDigital Library
- Y. Zhou, et al., "Taming Information-Stealing Smartphone Applications (on Android)," In Proc. TRUST, 2011. Google ScholarDigital Library
Index Terms
- Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing
Recommendations
Evaluation of a mobile mindfulness app distributed through on-line stores
Recently, interactive approaches aimed at helping people practice mindfulness have appeared in the literature. However, the few available user studies for such approaches focus only on short-term effects and are carried out in a lab or in a similar ...
"Little brothers watching you": raising awareness of data leaks on smartphones
SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and SecurityToday's smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy-sensitive information is leaving the phone, as well as how frequently and with ...
Elderly mental model of reminder system
APCHI '12: Proceedings of the 10th asia pacific conference on Computer human interactionThe growing numbers of elderly is inevitable. As we get older, we will experience some memory declines, thus an assistive technology such as reminder system is recommended. However, the uptake of reminder system is still low. Many researchers from the ...
Comments