
Thesis Defense Slides

The slides from my thesis defense, Designing Privacy Notices, Supporting User Understanding and Control. More information at http://patrickgagekelley.com/dpn/

Patrick Gage Kelley

September 06, 2012

Transcript

  1. Patrick Gage Kelley (@patrickgage). Designing Privacy Notices: Supporting User Understanding and Control. Lorrie Faith Cranor, Norman Sadeh, Alessandro Acquisti, Sunny Consolvo.
  2. “The most fundamental principle is notice. ... Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below are only meaningful when a consumer has notice...”
  3. Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla: “a blogger revealed that the company's app automatically uploads iPhone users’ entire address books”
  4. Thesis Statement: The goal of this work is to explore how improved privacy notices can be created and iteratively improved to help consumers better understand data practices and take more active control of their information.
  5. Online privacy policies: 1. Design and focus group; 2. Large-scale verification. Android permissions: 3. Background interviews; 4. App selection lab study.
  7. FTC. Privacy Online: A Report to Congress. June 1998. EPIC. Surfer Beware III: Privacy Policies without Privacy Protection. 1999. In 1998: 85% collect personal information; 14% provide any notice; ~2% provide a comprehensive privacy policy. In 1999: 80% of top websites have privacy policies.
  8. C. Jensen, C. Potts. Privacy Policies as Decision-Making Tools: An Evaluation of Online Privacy Notices. CHI 2004. A. McDonald, L. Cranor. The Cost of Reading Privacy Policies. I/S. 2008. Flesch-Kincaid readability score: 34.2 (top 50 internet privacy policies, 2003). Time, per person: 244 hours/year. National opportunity cost: $781 billion.
  9. Can more intentionally designed, standardized privacy policy formats benefit consumers? • Ease of understanding • Speed of information-finding • Ability to make comparisons • Consumer opinion
  10. Challenges: • People are not familiar with privacy terminology • Context matters • Privacy policies are complex • People don’t understand privacy implications
  11. [image slide]

  12. Towards a privacy “nutrition label”. Standardized format: • People learn where to look • Side-by-side comparisons. Standardized language: • People learn the terminology. Brief: • People can get their questions answered quickly.
  13. Iterative design approach: 5 focus groups • 7-11 participants each • explored attitudes towards privacy policies • tested understanding of labels and symbols. Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.
  14. [image slide]

  15. [Privacy label] What we collect (rows): contact information; content; cookies; demographic information; social security no. and gov't ID; preferences; purchase and financial data; web browsing information; unique identifiers. How we use your information (columns): provide service and maintain site; research and development; marketing; telemarketing; profiling not linked to you; profiling linked to you. Who shares your information: other companies; public forums. Understanding this privacy report (legend): data is collected and used in this way; your data will not be used in this way unless you opt-in; you can opt-out of this data use; you can opt-in or opt-out of some uses of this data.
  16. The Acme Policy. Types of information: contact information; cookies; demographic information; financial information; health information; preferences; purchasing information; social security number & govt ID; your activity on this site; your location. How we use your information: provide service & maintain site; research & development; marketing; telemarketing; profiling. Who we share your information with: other companies; public forums.
  17. A legend explains each of the four symbols; a definition clearly explains each term.
  18. User testing on Amazon’s Mechanical Turk: • 764 participants • Between-subjects design • Measured time, accuracy, and enjoyability on information-finding and comparison tasks • Average time to complete ~15 minutes. Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010.
  19. Five formats compared: Standardized label (table); Standardized short label (table); Standardized short text (text); Full policy text (text); Layered text (table with text).
  20. Five formats compared: Standardized label (table, standardized); Standardized short label (table, standardized); Standardized short text (text, standardized); Full policy text (text, real-world); Layered text (table with text, real-world).
  21. Overall accuracy results [chart: percentage correct for Std. Label, Std. Short Label, Std. Short Text, Full Policy Text, Layered Text].
  22. Standardized formats outperformed text and layered formats: structured information presentation; clear labeling of information that is not used or collected; standardized terminology to minimize length and increase the clarity of the text; definitions of standardized terms.
  23. Participant comments. The full policy text was described as “torture to read and understand” and likened to “Japanese Stereo Instructions”. Comments on the standardized format were more complimentary: “This layout for privacy policies is MUCH more consumer friendly. I hope this becomes the industry standard.”
  24. Can more intentionally designed, standardized privacy policy formats benefit consumers? Yes. • Ease of understanding • Speed of information-finding • Ability to make comparisons • Consumer opinion
  25. Android security research: - Formal security model - Information leakage - Permissions overspecification - Developer misunderstandings
  26. What should users be asking? 1. Do I believe this application will compromise the security and function of my phone if I install it?
  27. What should users be asking? 1. Do I believe this application will compromise the security and function of my phone if I install it? 2. Do I trust this developer and their partners with access to my personal information?
  28. Android interviews: interviewed 20 Android smartphone users; semi-structured interview methodology; ecosystem-wide issues; how and why they download applications; privacy and security concerns.
  29. Why and how do they select apps to install/purchase? - Reviews and star ratings, word of mouth - Participants don’t buy apps: free, try it, and delete it later
  30. Permissions interface issues: - Information is hidden away - No clear way to cancel - Unclear what an app doesn’t do - No sense of importance, necessity, or purpose - No way to opt out - Unclear terms and concepts
  31. Do they read and understand permissions screens? - No: don’t understand terms, haven’t tried to learn them - Trust reviews more - Don’t understand why apps need access
  32. Network communication: full Internet access. “That you can have access to all kinds of websites, even the protected ones.” –P1. “I would say, this just requires a data plan, and you would need to have Internet access.” –P6. “Any app that needs to get information from somewhere other than that is local on the phone.” –P7
  33. Phone calls: read phone state and identity. “I would assume it would probably be along the lines of, it knows when my phone is sleeping or in use or in a phone call, and the type of phone” –P2. “So it knows whether or not I am in the middle of a call? I don’t really know what that part [identity] means.” –P13. “If you are on the phone maybe it shuts itself off... Maybe like your carrier? Hopefully not like who you are.” –P19
  34. Are they concerned about malicious applications? - Largely unconcerned - Believe Android is protecting them - Generally concerned about technology - Most refused to do banking
  35. Android interview findings: - Users do not understand Android permissions - Vague, confusing, misleading, jargon-filled, and poorly grouped - Permissions mostly ignored - Participants believe they are protected
  36. Apps that come on the phone. Apps that come from a trusted/already known brand. Apps that are picked from the market to fill a need.
  37. Apps that come on the phone: the most used apps (phone, mail, text messaging, weather, directions, maps...), but also many apps users wish they could remove.
  38. Apps that come from a trusted/already known brand: Facebook, Twitter, Pandora, Spotify, Angry Birds, The New York Times, Words with Friends, ESPN, etc.
  39. Apps that are picked from the market to fill a need: how do users make this decision?
  40. [image slide]
  41. [image slide]

  42. Three phases of testing. Phase 1: several 50-participant MTurk iterations. Phase 2: 20-participant laboratory interview and application selection experiment. Phase 3: 250-participant MTurk application selection experiment and survey.
  43. Privacy Facts Checklist: • Bold header “Privacy Facts” • Eight types of information • Advertising and analytics • Checkbox next to each • Immediately after the Description section • Immediately before the Reviews section
  44. Roleplay lab study: • General Android phone use • How they select apps in the market • Roleplay • App selection task • Malicious applications and data sharing concerns • Privacy and permissions. Nathaniel Good, Rachna Dhamija, Jens Grossklags, David Thaw, Steven Aronowitz, Deirdre Mulligan, and Joseph Konstan. Stopping spyware at the gate: a user study of privacy, notice and spyware. SOUPS 2005.
  45. Application selection task: • Privacy Facts Checklist vs. Android Market • Users select one app per category • Each category has two apps • One requests fewer permissions. Categories: calorie tracking, word game, streaming music, Twitter, document scanning, flight tracker.
  46. Category differences. Calorie tracking, word game, Twitter, document scanning: 4 stars, 10,000 downloads, 3 similar reviews. Streaming music: brand, 50 million downloads. Flight tracker: 3 stars.
  47. Most people do not consider permissions. Other features are more important: cost, functionality, ratings, reviews, size, simplicity, design.
  48. How users report they pick apps [chart: share rating each factor from very important to not important, 0% to 100%]: ratings; user reviews; price; branding and design; word of mouth; # downloads; popularity; permissions; size of the app; developer/company; advertising.
  49. Application selection (interview), percentage choosing the app that requests fewer permissions, Privacy Facts Checklist vs. Permissions: Word game 60% vs. 50%; Nutrition 70% vs. 100%; Music (brand) 40% vs. 30%; Flight tracking (3/4 stars) 40% vs. 20%; Document scanning 90% vs. 90%; Twitter 70% vs. 20%.
  50. Application selection (MTurk), percentage choosing the app that requests fewer permissions, Privacy Facts Checklist vs. Permissions: Word game 61% vs. 40%; Nutrition 73% vs. 57%; Music (brand) 28% vs. 18%; Flight tracking (3/4 stars) 36% vs. 39%; Document scanning 61% vs. 72%; Twitter 52% vs. 26%.
  51. With the checklist, people select the application that requests fewer permissions, though other factors like brand and rating decrease the effect.
  52. Reading the permissions... Average time: Privacy Facts Checklist 11:40; Permissions 10:51. Permissions views: 0, 0, 0, 0, 1, 6, 6, 6, 6, 6; 3.19 seconds.
  53. With the privacy checklist: • No one thought the new display was out of place • No one stated permissions were missing
  54. People said it wasn’t useful: “It didn’t influence my decision even though I noticed it. I tend to pay more attention to ratings and usefulness than anything else.” “No, not really. It’s not the most important factor. I don’t keep a bunch of vital personal info on my phone, so no worries. I think people who do are really stupid.”
  55. People said it was useful: “Yes. It only influenced me if it seemed to be the only thing to distinguish between the two apps.” “Yeah, I always check that stuff. I want to know exactly what is happening to and with my data from that program when I use it. It was useful though I wish some apps would go into greater detail about why certain things are there.”
  56. Not concerned with data sharing: • All their data is already out there • Android/Google are protecting them. Participants wanted reasons: • Watching out for apps that take too much • ...but will make up reasons when asked why an app might need a certain permission
  57. Overall, privacy information at decision time helps users: • More likely to mention “information” or “data” • Said they would be more likely to consider privacy • The checklist influences app selection
  58. Design suggestions: - Be aware of expectations - Placement in the decision process - Understandability - Standardization of terms and format - Holistic design
  59. Be aware of expectations: - Common misconceptions - Everyone has the same policy, so there is no reason to look - All my information is already out there
  60. Placement in the decision process: - Brand, functionality, trust, price, interface will often outweigh privacy - Present privacy with the other factors - Most power among similar options
  61. Understandability: - Terms created by lawyers or developers will often not resonate with actual users - Understanding allows for “design” - Select, reduce, and merge terms...
  62. Standardization of terms and format: - Terms: educational efforts to clarify meaning - Format: comparison, easy and visual
  63. Holistic design: - Entire policy in a single visual design allows users to see - Portions in terms of the whole - Possible interactions - What is not used/collected
  64. Thesis Statement: The goal of this work is to explore how improved privacy notices can be created and iteratively improved to help consumers better understand data practices and take more active control of their information.
  65. Patrick Gage Kelley, @patrickgage, [email protected], patrickgagekelley.com. Lorrie Faith Cranor, Norman Sadeh, Alessandro Acquisti, Sunny Consolvo. Joanna Bresee, Seungyeop Han, Jaeyeon Jung, Matthew Kay, Jialiu Lin, Aleecia McDonald, Rob Reeder, Manya Sleeper, David Wetherall, Sungjoon Steve Won, Tim Vidas.
  66. This work was supported in part by: U.S. Army Research Office (DAAD19-02-1-0389 and W911NF-09-1-0273); NSF Cyber Trust grant CNS-0627513 (Nudging Users Towards Privacy); CNS-0831428, CNS-0905562, CNS-1012763; DGE-0903659 (IGERT: Usable Privacy and Security); Microsoft through the Carnegie Mellon Center for Computational Thinking; FCT through the CMU/Portugal ICTI; IBM OCR project on Privacy and Security Policy Management; Google; Intel Labs Seattle; The University of Washington; The University of New Mexico; Carnegie Mellon’s CyLab.
  67. Mom, Dad, Katie, Grandma Gage, Grandparents, Carol, Mike, Jim, Dave, Elise, Sean, Tara, and all of the rest of my aunts and uncles and cousins and family. The entire CUPS Lab, especially: Rob, Serge, PK, Steve, Aleecia, Cristian, Kami, Yang, Blase, Michelle, Rebecca, Pedro, Peter, Saranga, Rich, Dave G, Janice, Manya. Lujo Bauer, Jason Hong, Nicholas Christin, Jodi Forlizzi, John Zimmerman, Golan Levin, Ben Fry, Carlos Guestrin, Osman Khan, Mary Shaw, Jaeyeon Jung, Robert Biddle, Stuart Schechter, Simson Garfinkle, Mary Ellen Zurko, Heather Lipford, Diana Smetters, Moira Burke, Paul André, Sean Munson, Justin Cranshaw, Mike Benisch, Behzod Sirjani, Scott W. H. Young, Stephanie Rosenthal, Danny Rashid, Rob Simmons. My research undergraduates: Luc, Joanna, Daniel, Jerry, Robin, Yael. My teachers: Hiller, Amit, Hoopsick, Mr. Schoell, Jessica, Molly, Anne, Marcia, Harry, David, Babak, Lisa, Katie. The entire staff of the Tartan, especially: Bradford, Kristen, Shweta, Nikunja, Kristen, Claire, Andrew, Jess, Michael, Emily, Anna, Stacey, Courtney, Greg, Alan, Christa, Celia, JW, Marshall, Alex, Josh, Allison. My GSA friends: Carrie, Warren, Chad, Carolyn, DJ, Hillary, Ruth, Kate, Patrick, Jared, Timi, Aaron, Amelia, Jon, Kate, PJ, Alex, Denise, Mary Jo, Julia, David. Carnegie Mellon’s administrators and staff: Jared, Gina, Indira, Renee, Michael, Bob, Ralph, Queenie, Madelyn, Kim, Paula, Erika, and Gloriana. And all of my other friends: Dan, Ben, Aaron, Joseph, Ashley, Jackie, Greg, June, Kyle, Drew, Alex, Shelly, Colin, Craig, Max, Corinne, Katie, Phluff, Amy, Elise, Carolyn, Kerri, Cory, Kevin, Jamie, Melissa, Greg, Eric, Brian, Adam, Elliot, Ben, Erhardt, Josh, Caroline, Isaac, Matthew, Daniel, David, Andy, Marissa. And everyone else who is here today, in the room, digitally, and everywhere.