a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below are only meaningful when a consumer has notice... “
An Evaluation of Online Privacy Notices. CHI 2004 A. McDonald, L. Cranor. The Cost of Reading PrivacyPolicies. I/S. 2008. Flesch-Kincaid readability score: 34.2 top 50 internet privacy policies (2003) Time, per person: 244/hours year National opportunity cost: $781 billion
each • explored attitudes towards privacy policies • tested understanding of labels and symbols Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.
your information Provide service and maintain site Research and development Marketing Telemarketing Profiling not linked to you Profiling linked to you Other companies Public forums Contact information Content Cookies Demographic information Social security no. and gov't ID Preferences Purchase and financial data Web browsing information Unique identifiers Understanding this privacy report Data is collected and used in this way. Your data will not be used in this way unless you opt-in. You can opt-out of this data use. You can opt-in or opt-out of some uses of this data.
information financial information health information preferences purchasing information social security number & govt ID your activity on this site your location how we use your information provide service & maintain site research & development marketing telemarketing profiling who we share your information with other companies public forums
design • Measured time, accuracy, and enjoyability on information ﬁnding and comparison tasks • Average time to complete ~15 minutes User testing Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. CHI 2010.
read and understand likened them to Japanese Stereo Instructions The standardized-format were more complimentary: This layout for privacy policies is MUCH more consumer friendly. I hope this becomes the industry standard 37 “ “ ” ” “ ”
access to all kinds of websites, even the protected ones.” –P1 I would say, this just requires a data plan, and you would need to have Internet access.” –P6 Any app that needs to get information from somewhere other than that is local on the phone.” –P7 “ “ “
assume it would probably be along the lines of, it knows when my phone is sleeping or in use or in a phone call, and the type of phone” –P2 So it knows whether or not I am in the middle of a call? I don’t really know what that part [identity] means.” –P13 If you are on the phone maybe it shuts itself oﬀ... Maybe like your carrier? Hopefully not like who you are.” –P19 “ “ “
they select apps in the market • Roleplay • App selection task • Malicious applications and data sharing concerns • Privacy and permissions 73 Nathaniel Good, Rachna Dhamija, Jens Grossklags, David Thaw, Steven Aronowitz, Deirdre Mulligan, and Joseph Konstan. Stopping spyware at the gate: a user study of privacy, notice and spyware. SOUPS 2005
even though I noticed it. I tend to pay more attention to ratings and usefulness then anything else. No, not really. It’s not the most important factor. I don’t keep a bunch of vital personal info on my phone, so no worries. I think people who do are really stupid.” 84 “ “
if it seemed to be the only thing to distinguish between the two apps.” Yeah, I always check that stuﬀ. I want to know exactly what is happening to and with my data from that program when I use it. It was useful though I wish some apps would go into greater detail about why certain things are there.” 85 “ “
already out there • Android/Google are protecting them 86 Participants wanted reasons • Watching out for apps that take too much • ...but will make up reasons when asked why an app might need a certain permission
Oﬃce (DAAD19-02-1-0389 and W911NF-09-1-0273) NSF Cyber Trust grant CNS-0627513 (Nudging Users Towards Privacy) CNS-0831428, CNS-0905562, CNS-1012763 DGE-0903659 (IGERT: Usable Privacy and Security) Microsoft through the Carnegie Mellon Center for Computational Thinking, FCT through the CMU/Portugal ICTI IBM OCR project on Privacy and Security Policy Management. Google Intel Labs Seattle The University of Washington The University of New Mexico Carnegie Mellon’s CyLab
Elise, Sean, Tara, and all of the rest of my aunts and uncles and cousins and family. The entire CUPS Lab, especially: Rob, Serge, PK, Steve, Aleecia, Cristian, Kami, Yang, Blase, Michelle, Rebecca, Pedro, Peter, Saranga, Rich, Dave G, Janice, Manya. Lujo Bauer, Jason Hong, Nicholas Christin, Jodi Forlizzi, John Zimmerman, Golan Levin, Ben Fry, Carlos Guestrin, Osman Khan, Mary Shaw, Jaeyeon Jung, Robert Biddle, Stuart Schechter, Simson Garﬁnkle, Mary Ellen Zurko, Heather Lipford, Diana Smetters, Moira Burke, Paul André, Sean Munson, Justin Cranshaw, Mike Benisch, Behzod Sirjani, Scott W. H. Young, Stephanie Rosenthal, Danny Rashid, Rob Simmons. My research undergraduates: Luc, Joanna, Daniel, Jerry, Robin, Yael. My teachers: Hiller, Amit, Hoopsick, Mr. Schoell, Jessica, Molly, Anne, Marcia, Harry, David, Babak, Lisa, Katie The entire staﬀ of the Tartan, especially: Bradford, Kristen, Shweta, Nikunja, Kristen, Claire, Andrew, Jess, Michael, Emily, Anna, Stacey, Courtney, Greg, Alan, Christa, Celia, JW, Marshall, Alex, Josh, Allison. My GSA friends: Carrie, Warren, Chad, Carolyn, DJ, Hillary, Ruth, Kate, Patrick, Jared, Timi, Aaron, Amelia, Jon, Kate, PJ, Alex, Denise, Mary Jo, Julia, David. Carnegie Mellon’s administrators and staﬀ: Jared, Gina, Indira, Renee, Michael, Bob, Ralph, Queenie, Madelyn, Kim, Paula, Erika, and Gloriana. And all of my other friends: Dan, Ben, Aaron, Joseph, Ashley, Jackie, Greg, June, Kyle, Drew, Alex, Shelly, Colin, Craig, Max, Corinne, Katie, Phluﬀ, Amy, Elise, Carolyn, Kerri, Cory, Kevin, Jamie, Melissa, Greg, Eric, Brian, Adam, Elliot, Ben, Erhardt, Josh, Caroline, Isaac, Matthew, Daniel, David, Andy, Marissa. And everyone else who is here today, in the room, digitally, and everywhere.