Slide 1

Slide 1 text

Patrick Gage Kelley @patrickgage DESIGNING PRIVACY NOTICES Supporting user understanding and control Lorrie Faith Cranor Norman Sadeh Alessandro Acquisti Sunny Consolvo

Slide 2

Slide 2 text

1. Notice/Awareness
2. Choice/Consent
3. Access/Participation
4. Integrity/Security
5. Enforcement/Redress

Slide 3

Slide 3 text

“The most fundamental principle is notice. ... Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below are only meaningful when a consumer has notice...” (FTC, Privacy Online: A Report to Congress, 1998)

Slide 4

Slide 4 text

4 “a blogger revealed that the company's app automatically uploads iPhone users’ entire address books”

Slide 5

Slide 5 text

5 Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla “a blogger revealed that the company's app automatically uploads iPhone users’ entire address books”

Slide 6

Slide 6 text

Thesis Statement 6 The goal of this work is to explore how improved privacy notices can be created and iteratively improved to help consumers better understand data practices and take more active control of their information.

Slide 7

Slide 7 text

Online privacy policies Android permissions 7 1. Design and focus group 2. Large scale verification 3. Background interviews 4. App selection lab study

Slide 8

Slide 8 text

Online privacy policies Android permissions 8 1. Design and focus group 2. Large scale verification 3. Background interviews 4. App selection lab study

Slide 9

Slide 9 text

Design of a “nutrition label” for privacy 9

Slide 11

Slide 11 text

FTC. Privacy Online: A Report to Congress. June 1998.
EPIC. Surfer Beware III: Privacy Policies without Privacy Protection. 1999.

1998 (FTC survey):
- 85% collect personal information
- 14% provide any notice
- ~2% provide a comprehensive privacy policy

1999 (EPIC survey):
- 80% of top websites have privacy policies

Slide 12

Slide 12 text

C. Jensen, C. Potts. Privacy Policies as Decision-Making Tools: An Evaluation of Online Privacy Notices. CHI 2004.
A. McDonald, L. Cranor. The Cost of Reading Privacy Policies. I/S. 2008.

Flesch-Kincaid readability score: 34.2 (top 50 internet privacy policies, 2003)
Time to read, per person: 244 hours/year
National opportunity cost: $781 billion

Slide 13

Slide 13 text

This is what consumers are up against

Slide 14

Slide 14 text

Can we build a better privacy policy? 14

Slide 15

Slide 15 text

Can more intentionally designed, standardized privacy policy formats benefit consumers? 15

Slide 16

Slide 16 text

Can more intentionally designed, standardized privacy policy formats benefit consumers?
• Ease of understanding
• Speed of information-finding
• Ability to make comparisons
• Consumer opinion

Slide 17

Slide 17 text

Challenges
• People are not familiar with privacy terminology
• Context matters
• Privacy policies are complex
• People don’t understand privacy implications

Slide 18

Slide 18 text

18

Slide 19

Slide 19 text

Towards a privacy “nutrition label”

Standardized format
• People learn where to look
• Side-by-side comparisons
Standardized language
• People learn the terminology
Brief
• People can get their questions answered quickly

Slide 20

Slide 20 text

Iterative design approach

5 focus groups
• 7-11 participants each
• explored attitudes towards privacy policies
• tested understanding of labels and symbols

Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.

Slide 21

Slide 21 text

21

Slide 22

Slide 22 text

Rows (what we collect): contact information, content, cookies, demographic information, social security no. and gov't ID, preferences, purchase and financial data, web browsing information, unique identifiers

Columns (how we use your information): provide service and maintain site, research and development, marketing, telemarketing, profiling not linked to you, profiling linked to you
Columns (who shares your information): other companies, public forums

Legend (understanding this privacy report):
• Data is collected and used in this way.
• Your data will not be used in this way unless you opt-in.
• You can opt-out of this data use.
• You can opt-in or opt-out of some uses of this data.

Slide 23

Slide 23 text

The Acme Policy

Types of information: contact information, cookies, demographic information, financial information, health information, preferences, purchasing information, social security number & govt ID, your activity on this site, your location

How we use your information: provide service & maintain site, research & development, marketing, telemarketing, profiling

Who we share your information with: other companies, public forums

Slide 24

Slide 24 text

Design Evolution (figure): Acme Privacy Policy, from the early iterations to the Final Proposed Design

Slide 25

Slide 25 text

Standardized label 25

Slide 26

Slide 26 text

26 Removes wiggle room and complicated terminology by using four standard symbols

Slide 27

Slide 27 text

27 Allows for quick high-level visual feedback by looking at the overall intensity of the page

Slide 28

Slide 28 text

28 Allows for information to be found in the same place every time

Slide 29

Slide 29 text

29 Can be printed, fits in a standard browser window

Slide 30

Slide 30 text

30 A legend explains each of the four symbols, a definition clearly explains each term
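The label on the preceding slides is a fixed grid: standardized rows (what is collected), standardized columns (how it is used and with whom it is shared), and one of the legend's four symbols, or blank, in every cell. As an added example, not code from the thesis, here is that structure as data in Python: a vocabulary check that rejects any term outside the standard list, a fixed-position text rendering, an overall "intensity" score, and a cell-by-cell diff of two labels for side-by-side comparison. The ASCII stand-ins for the symbols, the scoring weights, and the two sample policies (Acme and Beta) are constructed for illustration and describe no real company.

```python
"""A privacy 'nutrition label' as data: standardized data types (rows) x
uses and sharing (columns), each cell holding one of the legend's four
symbols or blank for 'not collected / not used'."""
from enum import Enum

# Row and column vocabularies as they appear on the label in the slides.
DATA_TYPES = [
    "contact information", "content", "cookies", "demographic information",
    "social security no. and gov't ID", "preferences",
    "purchase and financial data", "web browsing information",
    "unique identifiers",
]
USES = [
    "provide service and maintain site", "research and development",
    "marketing", "telemarketing", "profiling not linked to you",
    "profiling linked to you",
    # "who shares your information" columns
    "other companies", "public forums",
]


class Cell(Enum):
    """The legend's four symbols plus blank. ASCII stand-ins (assumed)."""
    NONE = "."     # not collected / not used in this way (blank on the label)
    USED = "X"     # data is collected and used in this way
    OPT_IN = "I"   # not used in this way unless you opt in
    OPT_OUT = "O"  # used in this way, but you can opt out
    MIXED = "M"    # opt-in or opt-out for some uses of this data


Label = dict[str, dict[str, Cell]]


def make_label(entries: dict[str, dict[str, Cell]]) -> Label:
    """Expand a sparse description into the full grid. Any term outside the
    standardized vocabulary is rejected: the label leaves no room for
    bespoke wording, so an unknown term is an error, not a new row."""
    for dtype, uses in entries.items():
        if dtype not in DATA_TYPES:
            raise ValueError(f"non-standard data type: {dtype!r}")
        for use in uses:
            if use not in USES:
                raise ValueError(f"non-standard use: {use!r}")
    return {d: {u: entries.get(d, {}).get(u, Cell.NONE) for u in USES}
            for d in DATA_TYPES}


def render(label: Label) -> str:
    """Fixed layout: every row and column sits in the same place for every
    site, so a reader learns where to look."""
    width = max(len(d) for d in DATA_TYPES) + 2
    lines = [" " * width + "".join(f"{i:>3}" for i in range(1, len(USES) + 1))]
    for d in DATA_TYPES:
        lines.append(f"{d:<{width}}" + "".join(f"{label[d][u].value:>3}" for u in USES))
    lines += [f"{i}. {u}" for i, u in enumerate(USES, 1)]
    return "\n".join(lines)


# Assumed weights: data that flows by default counts fully, data gated
# behind a user choice counts half, blank counts nothing.
_WEIGHT = {Cell.NONE: 0.0, Cell.USED: 1.0, Cell.OPT_OUT: 1.0,
           Cell.OPT_IN: 0.5, Cell.MIXED: 0.5}


def intensity(label: Label) -> float:
    """How 'dark' the whole grid is, 0.0 (collects nothing) to 1.0."""
    cells = [label[d][u] for d in DATA_TYPES for u in USES]
    return sum(_WEIGHT[c] for c in cells) / len(cells)


def diff(a: Label, b: Label) -> list[tuple[str, str, Cell, Cell]]:
    """Side-by-side comparison: every cell where two policies differ."""
    return [(d, u, a[d][u], b[d][u])
            for d in DATA_TYPES for u in USES if a[d][u] != b[d][u]]


# Constructed sample policies (not any real company's practices).
ACME = make_label({
    "contact information": {"provide service and maintain site": Cell.USED,
                            "marketing": Cell.OPT_OUT,
                            "other companies": Cell.OPT_IN},
    "cookies": {"provide service and maintain site": Cell.USED,
                "research and development": Cell.USED},
    "purchase and financial data": {"provide service and maintain site": Cell.USED},
})
BETA = make_label({
    "contact information": {"provide service and maintain site": Cell.USED,
                            "marketing": Cell.USED,
                            "telemarketing": Cell.USED},
    "cookies": {"provide service and maintain site": Cell.USED,
                "research and development": Cell.USED},
    "purchase and financial data": {"provide service and maintain site": Cell.USED},
    "web browsing information": {"profiling linked to you": Cell.USED,
                                 "other companies": Cell.USED},
})

if __name__ == "__main__":
    print(render(ACME))
    print(f"intensity: Acme {intensity(ACME):.2f}, Beta {intensity(BETA):.2f}")
    for d, u, x, y in diff(ACME, BETA):
        print(f"{d} / {u}: Acme={x.value} Beta={y.value}")
```

Because the vocabulary is fixed, `diff` can line up two sites' practices cell by cell, which is the comparison task the label is meant to support; a free-text policy offers nothing to align on.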

Slide 31

Slide 31 text

User testing: Amazon’s Mechanical Turk
• 764 participants
• Between-subjects design
• Measured time, accuracy, and enjoyability on information-finding and comparison tasks
• Average time to complete ~15 minutes

Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. CHI 2010.

Slide 32

Slide 32 text

Five formats compared
- Standardized label
- Standardized short label
- Standardized short text
- Full policy text
- Layered text

Slide 33

Slide 33 text

Five formats compared

Format                     Presentation
Standardized label         table
Standardized short label   table
Standardized short text    text
Full policy text           text
Layered text               table (with text)

Slide 34

Slide 34 text

Five formats compared

Format                     Presentation        Source
Standardized label         table               standardized
Standardized short label   table               standardized
Standardized short text    text                standardized
Full policy text           text                real-world
Layered text               table (with text)   real-world

Slide 35

Slide 35 text

Overall accuracy results (bar chart, percentage correct) for: Std. Label, Std. Short Label, Std. Short Text, Full Policy Text, Layered Text

Slide 36

Slide 36 text

Standardized formats outperformed text and layered formats
- Structured information presentation
- Clear labeling of information that is not used or collected
- Standardized terminology to minimize length and increase the clarity of the text
- Definitions of standardized terms

Slide 37

Slide 37 text

Participant comments

The full policy text was described as:
“torture to read and understand”
and likened to
“Japanese Stereo Instructions”

Comments on the standardized formats were more complimentary:
“This layout for privacy policies is MUCH more consumer friendly. I hope this becomes the industry standard”

Slide 38

Slide 38 text

Can more intentionally designed, standardized privacy policy formats benefit consumers? Yes.
• Ease of understanding
• Speed of information-finding
• Ability to make comparisons
• Consumer opinion

Slide 39

Slide 39 text

Online privacy policies Android permissions

Slide 40

Slide 40 text

Android Permissions

Slide 41

Slide 41 text

953 million subscribers (Morgan Stanley 2011 estimate; KPCB, Mary Meeker)

Slide 42

Slide 42 text

600,000 applications 15 billion downloads 42

Slide 43

Slide 43 text

600,000 applications 15 billion downloads ...and no application review 43

Slide 44

Slide 44 text

Android Security Research
- Formal security model
- Information leakage
- Permissions overspecification
- Developer misunderstandings

Slide 45

Slide 45 text

1. Do I believe this application will compromise the security and function of my phone if I install it? 45 What should users be asking?

Slide 46

Slide 46 text

46 What should users be asking? 1. Do I believe this application will compromise the security and function of my phone if I install it? 2.Do I trust this developer and their partners with access to my personal information?

Slide 47

Slide 47 text

Android Interviews

Interviewed 20 Android smartphone users
Semi-structured interview methodology, covering:
- ecosystem-wide issues
- how and why they download applications
- privacy and security concerns

Slide 48

Slide 48 text

Why and how do they select apps to install/purchase?
- Reviews and star-ratings, word of mouth
- Participants don’t buy apps: free, try it, and delete it later

Slide 49

Slide 49 text

Android permissions screens 49

Slide 50

Slide 50 text

Permissions interface issues
- Information is hidden away
- No clear way to cancel
- Unclear what the app doesn’t do
- No sense of importance, necessity, purpose
- No way to opt out
- Unclear terms and concepts

Slide 51

Slide 51 text

51 Android permissions screens

Slide 52

Slide 52 text

52 Android permissions screens

Slide 53

Slide 53 text

Do they read and understand permissions screens?
- No
  - Don’t understand terms
  - Haven’t tried to learn them
- Trust reviews more
- Don’t understand why apps need access

Slide 54

Slide 54 text

Network communication: full Internet access

“That you can have access to all kinds of websites, even the protected ones.” –P1
“I would say, this just requires a data plan, and you would need to have Internet access.” –P6
“Any app that needs to get information from somewhere other than that is local on the phone.” –P7

Slide 55

Slide 55 text

Phone calls: read phone state and identity

“I would assume it would probably be along the lines of, it knows when my phone is sleeping or in use or in a phone call, and the type of phone” –P2
“So it knows whether or not I am in the middle of a call? I don’t really know what that part [identity] means.” –P13
“If you are on the phone maybe it shuts itself off... Maybe like your carrier? Hopefully not like who you are.” –P19

Slide 56

Slide 56 text

Are they concerned about malicious applications?
- Largely unconcerned
- Believe Android is protecting them
- Generally concerned about technology
- Most refused to do banking

Slide 57

Slide 57 text

Android Interview Findings
- Users do not understand Android permissions
- Vague, confusing, misleading, jargon-filled, and poorly grouped
- Permissions mostly ignored
- Participants believe they are protected

Slide 58

Slide 58 text

Users cannot make informed privacy and security decisions when installing Android apps 58

Slide 59

Slide 59 text

Can we create a better designed permissions display for mobile apps? 59

Slide 60

Slide 60 text

Apps that come on the phone Apps that come from a trusted/ already known brand Apps that are picked from the market to fill a need 60

Slide 61

Slide 61 text

61 Apps that come on the phone The most used apps: phone, mail, text messaging, weather, directions, maps... But also includes many apps users wish they could remove

Slide 62

Slide 62 text

Apps that come from a trusted/ already known brand: Facebook, Twitter, Pandora, Spotify, Angry Birds, The New York Times, Words with Friends, ESPN, etc... 62

Slide 63

Slide 63 text

Apps that are picked from the market to fill a need How do users make this decision? 63

Slide 64

Slide 64 text

64

Slide 65

Slide 65 text

65

Slide 66

Slide 66 text

66 privacy

Slide 67

Slide 67 text

67 privacy

Slide 68

Slide 68 text

68 privacy privacy

Slide 69

Slide 69 text

Design alternatives explored: meters, highlights, icons, checklist

Slide 70

Slide 70 text

Three Phases of Testing
Phase 1: Several 50-participant MTurk iterations
Phase 2: 20-participant laboratory interview and application selection experiment
Phase 3: 250-participant MTurk application selection experiment and survey

Slide 72

Slide 72 text

Privacy Facts Checklist
• Bold header “Privacy Facts”
• Eight types of information
• Advertising and analytics
• Checkbox next to each
• Immediately after the Description section
• Immediately before the Reviews section
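An added example, not the study's own tooling: deriving a Privacy Facts checklist for an app from the permissions its AndroidManifest.xml declares, then choosing between two candidates the way the selection task asks users to. The permission names are real Android ones, but the eight information categories are an assumed mapping (the slide says eight types without listing them), advertising/analytics is taken as a separate declared flag because it cannot be read from permissions alone, and both manifests are constructed.

```python
"""Derive a Privacy Facts checklist for an app from the permissions its
AndroidManifest.xml declares, then compare two candidate apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from real Android permission names to user-facing
# information types. The slides say the checklist has eight types but do
# not list them, so these eight are an illustration, not the study's list.
CATEGORIES = {
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone identity and state": {"android.permission.READ_PHONE_STATE"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.CALL_PHONE"},
    "messages": {"android.permission.READ_SMS",
                 "android.permission.SEND_SMS",
                 "android.permission.RECEIVE_SMS"},
    "calendar": {"android.permission.READ_CALENDAR",
                 "android.permission.WRITE_CALENDAR"},
    "camera and microphone": {"android.permission.CAMERA",
                              "android.permission.RECORD_AUDIO"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Every <uses-permission android:name="..."/> entry in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def privacy_facts(manifest_xml: str, ads_or_analytics: bool) -> dict[str, bool]:
    """One checkbox per category. Advertising/analytics cannot be read from
    permissions (an ad SDK only needs INTERNET, which names a mechanism,
    not an information type), so it is a separate declared input."""
    perms = declared_permissions(manifest_xml)
    facts = {cat: bool(perms & names) for cat, names in CATEGORIES.items()}
    facts["advertising and analytics"] = ads_or_analytics
    return facts


def checked(facts: dict[str, bool]) -> int:
    """Number of boxes ticked; fewer means less data accessed."""
    return sum(facts.values())


def render(app_name: str, facts: dict[str, bool]) -> str:
    """The checklist as it would sit between Description and Reviews."""
    rows = [f"[{'x' if on else ' '}] {cat}" for cat, on in facts.items()]
    return "\n".join([f"Privacy Facts: {app_name}", *rows])


def prefer(apps: dict[str, dict[str, bool]]) -> str:
    """Name of the app whose checklist has the fewest boxes ticked
    (ties keep the first listed)."""
    return min(apps, key=lambda name: checked(apps[name]))


# Constructed manifests for two calorie-tracking apps (not real apps).
LEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.caltrack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

GREEDY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.caloriecount">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    apps = {"CalorieCount": privacy_facts(GREEDY_MANIFEST, True),
            "CalTrack": privacy_facts(LEAN_MANIFEST, False)}
    for name, facts in apps.items():
        print(render(name, facts), end="\n\n")
    print("fewer accesses:", prefer(apps))
```

Note that INTERNET and ACCESS_NETWORK_STATE tick no box: the checklist is built around types of information rather than mechanisms, which is exactly the distinction the interview participants could not draw from "full Internet access" on the stock permissions screen.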

Slide 73

Slide 73 text

Roleplay Lab Study
• General Android phone use
• How they select apps in the market
• Roleplay
• App selection task
• Malicious applications and data sharing concerns
• Privacy and permissions

Nathaniel Good, Rachna Dhamija, Jens Grossklags, David Thaw, Steven Aronowitz, Deirdre Mulligan, and Joseph Konstan. Stopping spyware at the gate: a user study of privacy, notice and spyware. SOUPS 2005.

Slide 74

Slide 74 text

Application Selection Task
• Privacy Facts Checklist vs. Android Market
• Users select one app per category
• Each category has two apps
• One requests fewer permissions

Categories: calorie tracking, word game, streaming music, Twitter, document scanning, flight tracker

Slide 75

Slide 75 text

Category Differences

Baseline for each app: 4 stars, 10,000 downloads, 3 similar reviews
- Calorie tracking
- Word game
- Twitter
- Document scanning
- Streaming music: brand, 50 million downloads
- Flight tracker: 3 stars

Slide 76

Slide 76 text

Most people do not consider permissions Other features are more important: cost, functionality, ratings, reviews, size, simplicity, design. 76

Slide 77

Slide 77 text

How users report they pick apps (bar chart, rated from “Very important” to “Not important”): ratings, user reviews, price, branding and design, word of mouth, # downloads, popularity, permissions, size of the app, developer/company, advertising

Slide 78

Slide 78 text

Application Selection (Interview): percentage choosing the app that requests fewer permissions

                          Word game  Nutrition  Music (brand)  Flight tracking (3/4)  Document scanning  Twitter
Privacy Facts Checklist   60%        70%        40%            40%                    90%                70%
Permissions               50%        100%       30%            20%                    90%                20%

Slide 79

Slide 79 text

Application Selection (MTurk): percentage choosing the app that requests fewer permissions

                          Word game  Nutrition  Music (brand)  Flight tracking (3/4)  Document scanning  Twitter
Privacy Facts Checklist   61%        73%        28%            36%                    61%                52%
Permissions               40%        57%        18%            39%                    72%                26%

Slide 80

Slide 80 text

With the checklist, people select the application that requests fewer permissions, though other factors like brand and rating reduce the effect

Slide 81

Slide 81 text

Reading the permissions...

Average time: Privacy Facts Checklist 11:40, Permissions 10:51

Slide 82

Slide 82 text

Reading the permissions...

Average time: Privacy Facts Checklist 11:40, Permissions 10:51
Permissions views: 0, 0, 0, 0, 1, 6, 6, 6, 6, 6 (3.19 seconds on average)

Slide 83

Slide 83 text

With the privacy checklist • No one thought the new display was out of place • No one stated permissions were missing 83

Slide 84

Slide 84 text

People said it wasn’t useful

“It didn’t influence my decision even though I noticed it. I tend to pay more attention to ratings and usefulness than anything else.”
“No, not really. It’s not the most important factor. I don’t keep a bunch of vital personal info on my phone, so no worries. I think people who do are really stupid.”

Slide 85

Slide 85 text

People said it was useful

“Yes. It only influenced me if it seemed to be the only thing to distinguish between the two apps.”
“Yeah, I always check that stuff. I want to know exactly what is happening to and with my data from that program when I use it. It was useful though I wish some apps would go into greater detail about why certain things are there.”

Slide 86

Slide 86 text

Not concerned with data sharing
• All their data is already out there
• Android/Google are protecting them

Participants wanted reasons
• Watching out for apps that take too much
• ...but will make up reasons when asked why an app might need a certain permission

Slide 87

Slide 87 text

Overall, privacy information at decision time helps users • More likely to mention “information” or “data” • Said they would be more likely to consider privacy • The checklist influences app selection 87

Slide 88

Slide 88 text

Online privacy policies Android permissions

Slide 89

Slide 89 text

Design Suggestions 89 - Be aware of expectations - Placement in the decision process - Understandability - Standardization of terms and format - Holistic design

Slide 90

Slide 90 text

Be aware of expectations 90 - Common misconceptions - Everyone has the same policy, so there is no reason to look - All my information is already out there

Slide 91

Slide 91 text

Placement in the decision process 91 - Brand, functionality, trust, price, interface, will often outweigh privacy - Present privacy with the other factors - Most power among similar options

Slide 92

Slide 92 text

Understandability 92 - Terms created by lawyers or developers will often not resonate with actual users - Understanding allows for “design” - Select, reduce, and merge terms...

Slide 93

Slide 93 text

Standardization of terms and format 93 - Terms - Educational efforts to clarify meaning - Format - Comparison: easy and visual

Slide 94

Slide 94 text

Holistic design 94 - Entire policy in a single visual design allows users to see - Portions in terms of the whole - Possible interactions - What is not used/collected

Slide 95

Slide 95 text

Thesis Statement 95 The goal of this work is to explore how improved privacy notices can be created and iteratively improved to help consumers better understand data practices and take more active control of their information.

Slide 96

Slide 96 text

Patrick Gage Kelley @patrickgage patrickgagekelley.com
Lorrie Faith Cranor, Norman Sadeh, Alessandro Acquisti, Sunny Consolvo
Joanna Bresee, Seungyeop Han, Jaeyeon Jung, Matthew Kay, Jialiu Lin, Aleecia McDonald, Rob Reeder, Manya Sleeper, David Wetherall, Sungjoon Steve Won, Tim Vidas

Slide 97

Slide 97 text

This work was supported in part by: U.S. Army Research Office (DAAD19-02-1-0389 and W911NF-09-1-0273) NSF Cyber Trust grant CNS-0627513 (Nudging Users Towards Privacy) CNS-0831428, CNS-0905562, CNS-1012763 DGE-0903659 (IGERT: Usable Privacy and Security) Microsoft through the Carnegie Mellon Center for Computational Thinking, FCT through the CMU/Portugal ICTI IBM OCR project on Privacy and Security Policy Management. Google Intel Labs Seattle The University of Washington The University of New Mexico Carnegie Mellon’s CyLab

Slide 98

Slide 98 text

Mom, Dad, Katie, Grandma Gage, Grandparents, Carol, Mike, Jim, Dave, Elise, Sean, Tara, and all of the rest of my aunts and uncles and cousins and family. The entire CUPS Lab, especially: Rob, Serge, PK, Steve, Aleecia, Cristian, Kami, Yang, Blase, Michelle, Rebecca, Pedro, Peter, Saranga, Rich, Dave G, Janice, Manya. Lujo Bauer, Jason Hong, Nicholas Christin, Jodi Forlizzi, John Zimmerman, Golan Levin, Ben Fry, Carlos Guestrin, Osman Khan, Mary Shaw, Jaeyeon Jung, Robert Biddle, Stuart Schechter, Simson Garfinkle, Mary Ellen Zurko, Heather Lipford, Diana Smetters, Moira Burke, Paul André, Sean Munson, Justin Cranshaw, Mike Benisch, Behzod Sirjani, Scott W. H. Young, Stephanie Rosenthal, Danny Rashid, Rob Simmons. My research undergraduates: Luc, Joanna, Daniel, Jerry, Robin, Yael. My teachers: Hiller, Amit, Hoopsick, Mr. Schoell, Jessica, Molly, Anne, Marcia, Harry, David, Babak, Lisa, Katie The entire staff of the Tartan, especially: Bradford, Kristen, Shweta, Nikunja, Kristen, Claire, Andrew, Jess, Michael, Emily, Anna, Stacey, Courtney, Greg, Alan, Christa, Celia, JW, Marshall, Alex, Josh, Allison. My GSA friends: Carrie, Warren, Chad, Carolyn, DJ, Hillary, Ruth, Kate, Patrick, Jared, Timi, Aaron, Amelia, Jon, Kate, PJ, Alex, Denise, Mary Jo, Julia, David. Carnegie Mellon’s administrators and staff: Jared, Gina, Indira, Renee, Michael, Bob, Ralph, Queenie, Madelyn, Kim, Paula, Erika, and Gloriana. And all of my other friends: Dan, Ben, Aaron, Joseph, Ashley, Jackie, Greg, June, Kyle, Drew, Alex, Shelly, Colin, Craig, Max, Corinne, Katie, Phluff, Amy, Elise, Carolyn, Kerri, Cory, Kevin, Jamie, Melissa, Greg, Eric, Brian, Adam, Elliot, Ben, Erhardt, Josh, Caroline, Isaac, Matthew, Daniel, David, Andy, Marissa. And everyone else who is here today, in the room, digitally, and everywhere.