Leverage Automated Decision-Making for Enhanced User Privacy Controls in Mobile Applications

Problem Summary

Users face challenges in managing app permissions effectively and making informed privacy decisions. This issue stems from several factors, such as limited user understanding, the large number of permission requests, a lack of contextual awareness, and static, binary permission decisions. Frequent permission requests and the need for constant decision-making can lead to user fatigue, causing users either to accept permissions indiscriminately or to ignore important privacy settings. Finding a balance between protecting users' personal data and ensuring a seamless, user-friendly experience is challenging, as overly restrictive or obtrusive privacy controls can hinder app functionality.

Rationale

By leveraging automated decision-making, the solutions aim to reduce user burden, enhance privacy protection, and ensure that permission decisions align closely with user preferences and contextual needs. This dynamic and personalised approach to privacy management provides users with better control and understanding of how their data is accessed and shared, fostering a more secure and user-friendly mobile environment.

Solution

Use advanced, user-centric, and context-aware automated decision-making systems to help users manage their app permissions effectively.

Wijesekera et al. [1] present a novel privacy management system for Android that uses contextual signals to predict user privacy preferences dynamically. This system addresses the limitations of the ask-on-first-use (AOFU) model, which does not account for varying contexts in subsequent permission requests. It balances usability with privacy protection by using infrequent prompts to retrain the ML model, ensuring minimal disruption to the user experience.

Rashidi et al. [2] propose DroidNet, an Android permission control framework that uses crowdsourcing to help users make informed decisions about app permissions. DroidNet operates in a "probation" mode for new apps, where permissions are not granted upfront. Instead, it provides recommendations based on decisions from peer expert users. An expertise ranking algorithm using a transitional Bayesian inference model is used to identify expert users. The system offers real-time recommendations on permission requests, helping inexperienced users make safer decisions.

Gao et al. [3] present AutoPer+, an autonomous permission recommendation system for Android that leverages natural language processing (NLP) and machine learning to assist users in making permission decisions. AutoPer+ analyses app descriptions to determine the necessity of permissions, using a multi-topic model and deep semi-supervised learning with Long Short-Term Memory (LSTM) networks to identify similar apps and their permission usages. The system provides recommendations (Allow, Deny, Ask) along with explanations to help users understand the rationale behind each decision.

Liu et al. [4] introduce a Personalized Privacy Assistant (PPA) for mobile app permissions, designed to help users manage the large number of permission decisions they need to make. The PPA predicts privacy preferences by asking users a small number of questions and matching them to privacy profiles derived from real-world data.

Kim, Ko, and Kim [5] introduce the Quality of Private Information (QoPI) model, designed to provide fine-grained and dynamic privacy controls for mobile applications. The QoPI model defines various types and quality levels of private information and incorporates contextual properties affecting privacy decisions. By using this model, users can manage their privacy settings more precisely according to their needs and the context in which the application is used. The model predicts appropriate privacy controls based on user behaviour, improving the accuracy and efficiency of privacy management compared to traditional binary and static approaches.

Olejnik et al. [6] introduce SmarPer, an advanced permission mechanism for Android designed to provide context-aware and automatic runtime permission decisions. SmarPer aims to address the limitations of static permission policies by predicting user decisions using a Bayesian linear regression model. It also includes a data obfuscation feature to offer users a middle ground between allowing and denying permissions. While it does not use crowdsourcing, it employs advanced models to make expert-level privacy recommendations.

Wijesekera et al. [7] investigate the feasibility of dynamically granted permissions on mobile devices, focusing on aligning these permissions with user preferences. The authors conducted a longitudinal field study with 131 participants to analyse contextual privacy decisions and developed a machine-learning model to predict user decisions. The model detects changes in context and infers privacy preferences based on users' past decisions and behaviour.
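To make the difference between ask-on-first-use and contextual decision-making concrete, the following is an added illustration, not code from [1] or [7]: a toy policy engine that keys its learned decisions on a context bucket (app, permission, whether the requesting app is visible, time of day) and prompts only until a context has enough consistent answers, then decides automatically. The request fields, the context buckets, the sample preference ("share location only while the app is visible") and the request stream are all constructed assumptions; the real systems use richer signals and a trained classifier rather than per-context vote counts.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


# Constructed example: a permission request carrying the contextual signals the
# decision is conditioned on. Field names are assumptions, not an Android API.
@dataclass(frozen=True)
class Request:
    app: str
    permission: str
    visible: bool   # True: the requesting app is in the foreground / visible to the user
    hour: int       # local hour of day, 0-23


def context_key(req):
    """Bucket a request into the context the user's preference is assumed to depend on."""
    period = "day" if 7 <= req.hour < 22 else "night"
    return (req.app, req.permission, req.visible, period)


class AofuPolicy:
    """Ask-on-first-use: the first answer for (app, permission) is reused in every later
    context, which is exactly the limitation the contextual approach addresses."""

    def __init__(self):
        self.cache = {}

    def decide(self, req, prompt):
        key = (req.app, req.permission)
        if key not in self.cache:
            self.cache[key] = prompt(req)
        return self.cache[key]


class ContextualPolicy:
    """Per-context preference learning: prompt until a context has enough consistent
    answers, then decide automatically; an unseen context is prompted again."""

    def __init__(self, min_samples=3, min_confidence=0.8):
        self.min_samples = min_samples
        self.min_confidence = min_confidence
        self.history = defaultdict(Counter)   # context key -> Counter({"allow": n, "deny": m})

    def decide(self, req, prompt):
        votes = self.history[context_key(req)]
        total = sum(votes.values())
        if total >= self.min_samples:
            decision, count = votes.most_common(1)[0]
            if count / total >= self.min_confidence:
                return decision           # confident: no prompt, no user fatigue
        decision = prompt(req)            # an infrequent prompt doubles as a training label
        votes[decision] += 1
        return decision


def simulate(policy, requests, preference):
    """Replay requests against a policy; preference(req) plays the user answering a prompt.
    Returns (decisions that contradicted the user's preference, prompts shown)."""
    prompts = 0

    def prompt(req):
        nonlocal prompts
        prompts += 1
        return preference(req)

    violations = sum(policy.decide(r, prompt) != preference(r) for r in requests)
    return violations, prompts


# Constructed user: shares location with a navigation app only while it is visible.
def sample_preference(req):
    return "allow" if req.visible else "deny"


# Constructed request stream: 20 daytime location requests alternating foreground/background.
SAMPLE_REQUESTS = [
    Request("navigation", "ACCESS_FINE_LOCATION", visible=(i % 2 == 0), hour=12)
    for i in range(20)
]

if __name__ == "__main__":
    for name, policy in (("AOFU", AofuPolicy()), ("contextual", ContextualPolicy())):
        violations, prompts = simulate(policy, SAMPLE_REQUESTS, sample_preference)
        print(f"{name}: {violations} decisions against preference, {prompts} prompts")
```

On this stream AOFU asks once and then grants every background request against the user's preference, while the contextual policy asks three times per context and then decides every later request correctly without a prompt; a request in a context it has never seen (a night-time request, say) is prompted rather than auto-decided. The confidence and sample thresholds are the knob that trades prompt frequency against the risk of a wrong automatic decision.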

Liu et al. [8] present PriVs, an unobtrusive privacy permission recommendation system for mobile apps that balances privacy and usability. PriVs uses crowdsourced data to generate personalised privacy recommendations for users. The system collects users’ privacy settings and feedback to refine recommendations continuously. It employs collaborative filtering methods to make privacy permission recommendations and allows users to approve, reject, or temporarily approve suggested settings.
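Both DroidNet [2] and PriVs [8] turn other users' decisions into a recommendation, and both depend on the quality of that crowd data. The block below is an added illustration, not either system's code: a simplified expertise-weighted vote in which a user's weight is their smoothed agreement rate with a vetted seed of experts (a stand-in for DroidNet's Bayesian expertise ranking, which it does not reproduce), a decisiveness margin that falls back to "ask" instead of auto-deciding, and a minimum-weight cut-off. The decision history, the seed experts and the burst of fresh accounts all voting the same way are constructed data, chosen to show how the weighting and cut-off dampen false responses that a plain majority would follow.

```python
from collections import Counter, defaultdict

ALLOW, DENY, ASK = "allow", "deny", "ask"


def expertise_scores(history, seed_experts, smoothing=2):
    """Weight each user by agreement with a vetted seed of experts on decisions they share.
    history: {user: {(app, permission): ALLOW|DENY}}. Seeds get 1.0; everyone else gets
    agreements / (overlap + smoothing), so an account with no track record weighs ~0."""
    seed_votes = defaultdict(Counter)
    for expert in seed_experts:
        for item, decision in history.get(expert, {}).items():
            seed_votes[item][decision] += 1
    reference = {item: votes.most_common(1)[0][0] for item, votes in seed_votes.items()}

    weights = {}
    for user, decisions in history.items():
        if user in seed_experts:
            weights[user] = 1.0
            continue
        overlap = [item for item in decisions if item in reference]
        agreements = sum(decisions[item] == reference[item] for item in overlap)
        weights[user] = agreements / (len(overlap) + smoothing)
    return weights


def recommend(votes, weights, min_weight=0.0, margin=0.2):
    """Expertise-weighted recommendation for one (app, permission): ALLOW or DENY when the
    weighted vote is decisive, otherwise ASK so the user is prompted, not auto-decided."""
    allow = deny = 0.0
    for user, decision in votes:
        weight = weights.get(user, 0.0)
        if weight < min_weight:
            continue                       # ignore accounts without a trusted track record
        if decision == ALLOW:
            allow += weight
        else:
            deny += weight
    total = allow + deny
    if total == 0:
        return ASK
    score = (allow - deny) / total         # in [-1, 1]
    if score > margin:
        return ALLOW
    if score < -margin:
        return DENY
    return ASK


# --- constructed data, not taken from the papers -------------------------------------
REFERENCE = {
    ("calculator", "CAMERA"): DENY,
    ("maps", "ACCESS_FINE_LOCATION"): ALLOW,
    ("messenger", "READ_CONTACTS"): ALLOW,
    ("calculator", "ACCESS_FINE_LOCATION"): DENY,
}
SEEDS = {"expert1", "expert2", "expert3"}
HISTORY = {}
for expert in SEEDS:
    HISTORY[expert] = dict(REFERENCE)                 # seeds agree on all four items
for i in range(1, 6):
    HISTORY[f"user{i}"] = dict(REFERENCE)             # 5 regular users with a good track record
for i in range(1, 21):                                # 20 fresh accounts with one cheap decision each
    HISTORY[f"new{i}"] = {("maps", "ACCESS_FINE_LOCATION"): ALLOW}

# Votes on a flashlight app asking for location: experts and regular users deny, the 20
# fresh accounts all say allow (the "false responses" risk noted under Cons).
VOTES = ([(expert, DENY) for expert in sorted(SEEDS)]
         + [(f"user{i}", DENY) for i in range(1, 6)]
         + [(f"new{i}", ALLOW) for i in range(1, 21)])

if __name__ == "__main__":
    weights = expertise_scores(HISTORY, SEEDS)
    print("plain majority:", recommend(VOTES, {u: 1.0 for u, _ in VOTES}))
    print("expertise-weighted:", recommend(VOTES, weights))
    print("weighted, min_weight=0.5:", recommend(VOTES, weights, min_weight=0.5))
```

With these inputs a plain majority recommends "allow", the expertise weighting alone pulls the result back to "ask", and the minimum-weight cut-off yields "deny". The trade-off is visible too: a higher cut-off makes the system ignore more genuine newcomers, and an expertise score built from cheap agreement on a handful of items is itself something an operator has to monitor.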

Kaur, Echizen and Kumar [9] propose an intelligent agent model designed to protect the location privacy of smartphone users. This agent acts as a virtual proxy, managing the release and distortion of location data based on user-defined preferences and contextual information. Utilising neural networks, the agent learns from user behaviour to predict and adjust privacy settings dynamically. By introducing spatial and temporal perturbations, the agent minimises the risk of continuous tracking and unauthorised data inference, ensuring robust privacy protection while maintaining the functionality of location-based services.
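Three of the systems above offer something between "allow" and "deny": QoPI's quality levels [5], SmarPer's data obfuscation [6] and the Smart Data agent's spatial and temporal perturbation [9]. The following is an added illustration of that idea for location data, not code from any of those papers: a proxy that sits between the location provider and an app and releases the position at a chosen quality level (exact, snapped to a grid, randomly offset within a radius, or withheld), and that repeats the last released value for a minimum interval so a fine-grained track cannot be reconstructed. The level names, grid size, noise radius, interval and the walking track are assumptions; the neural-network preference learning of [9] is out of scope here.

```python
import math
import random
from dataclasses import dataclass

M_PER_DEG_LAT = 111_320.0   # metres per degree of latitude (equirectangular approximation)


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    t: float    # seconds since an arbitrary epoch


def m_per_deg_lon(lat):
    return M_PER_DEG_LAT * math.cos(math.radians(lat))


def distance_m(a, b):
    """Approximate planar distance between two fixes; adequate at city scale."""
    dy = (b.lat - a.lat) * M_PER_DEG_LAT
    dx = (b.lon - a.lon) * m_per_deg_lon(a.lat)
    return math.hypot(dx, dy)


class LocationProxy:
    """Releases location to an app at a chosen quality level: 'exact', 'coarse' (snapped to
    a cell_m grid), 'noisy' (uniform random offset within noise_m) or 'deny'. Temporal
    perturbation: within min_interval_s of the last release the previous value is repeated,
    so the app never receives a fresh sample more often than the interval allows."""

    LEVELS = ("exact", "coarse", "noisy", "deny")

    def __init__(self, level, cell_m=1000.0, noise_m=500.0, min_interval_s=300.0, seed=0):
        if level not in self.LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.cell_m = cell_m
        self.noise_m = noise_m
        self.min_interval_s = min_interval_s
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.last = None                 # (release time, released Fix)

    def release(self, fix):
        if self.level == "deny":
            return None
        if self.last is not None and fix.t - self.last[0] < self.min_interval_s:
            return self.last[1]          # temporal: repeat, do not leak a fresh sample
        out = self._spatial(fix)
        self.last = (fix.t, out)
        return out

    def _spatial(self, fix):
        if self.level == "exact":
            return fix
        if self.level == "coarse":
            dlat = self.cell_m / M_PER_DEG_LAT
            dlon = self.cell_m / m_per_deg_lon(fix.lat)
            return Fix(round(fix.lat / dlat) * dlat, round(fix.lon / dlon) * dlon, fix.t)
        # noisy: uniformly distributed point in a disc of radius noise_m around the true fix
        r = self.noise_m * math.sqrt(self.rng.random())
        theta = 2 * math.pi * self.rng.random()
        return Fix(fix.lat + r * math.sin(theta) / M_PER_DEG_LAT,
                   fix.lon + r * math.cos(theta) / m_per_deg_lon(fix.lat),
                   fix.t)


def released_track(proxy, fixes):
    """Run a sequence of true fixes through the proxy; None marks a withheld release."""
    return [proxy.release(f) for f in fixes]


# Constructed walk (not real data): a fix every 60 s, moving roughly 60 m north-east per step.
TRACK = [Fix(52.5200 + 0.0004 * i, 13.4050 + 0.0006 * i, 60.0 * i) for i in range(10)]

if __name__ == "__main__":
    for level in LocationProxy.LEVELS:
        out = released_track(LocationProxy(level), TRACK)
        distinct = len({(f.lat, f.lon) for f in out if f is not None})
        print(f"{level:>6}: {distinct} distinct positions released for {len(TRACK)} true fixes")
```

With the default five-minute interval the ten-point walk collapses to two released positions at every level except "deny", and "coarse" and "noisy" additionally bound how close those positions are to the truth (at most about 0.7 km for a 1 km grid, at most the noise radius for the disc). Which level applies to which app is exactly the preference the systems above try to learn instead of asking the user every time.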

These systems proposed in the supporting research leverage various techniques such as crowdsourcing, machine learning, natural language processing (NLP), and collaborative filtering to provide personalised and dynamic privacy recommendations that align with user preferences and behaviours. Frameworks like DroidNet [2] and PriVs [8] use crowdsourced data to gather expert opinions and user feedback, providing real-time permission recommendations based on collective knowledge and preferences. The systems proposed by Wijesekera et al. [1][7] use contextual signals and machine learning to predict user decisions with high accuracy. AutoPer+ [3] uses LSTM networks and NLP for autonomous permission recommendations. The Personalised Privacy Assistant (PPA) [4] uses machine learning to develop privacy profiles and offer personalised recommendations. The QoPI model [5] defines various privacy levels and contextual properties for dynamic privacy management. SmarPer [6] uses Bayesian linear regression to predict user decisions and offers an obfuscation option. The Smart Data agent [9] uses neural networks to learn from user behaviour to predict and adjust privacy settings dynamically.

Platforms: mobile devices

Example

DroidNet interface [2].

Left: probation and trusted installation mode; Middle: users select resources to be monitored; Right: permission grant prompt, with a suggestion from DroidNet [2].

AutoPer+ interface recommendation [3].

Permission management and daily privacy nudge [4].

Left: permission management; Right: daily privacy nudge, which includes the access frequency and purpose information [4].

QoPI recommender interface [5].

Left: an example scenario for obtaining a QoPI recommendation; Right: manually selecting a QoPI level for the locational information [5].

SmarPer permission prompt and details of the effect of decision types [6].

Top: SmarPer permission prompt. Bottom: information about the effect of the different decision types (when the user clicks the question mark in the permission prompt) [6].

PriVs app [8].

From left to right: (a) users are presented with statistical results, which can serve as a reference for their privacy preferences; (b) PriVs can receive and implement the recommendations generated by the algorithm; (c) when an app requests various permissions, PriVs displays an interface to collect user feedback on these permissions; (d) a dialogue pops up to remind users when they choose to approve the recommendation temporarily [8].

Use cases

  • Providing tools and frameworks that leverage crowdsourcing, machine learning, and NLP to improve user privacy and data protection dynamically.
  • Helping users make informed decisions about app permissions through expert-driven, context-aware, and autonomous recommendations.

Pros

  • The solutions reduce privacy violations and align closely with user preferences, achieving high recommendation accuracy (up to 96.8%). They use contextual information and collaborative filtering to provide automatic permission decisions, offering partial data sharing and personalised privacy management. These systems also provide explanations for recommendations, improving user understanding and acceptance, with studies showing up to 78.7% user acceptance rates [1][3][4][5][6][7][8].
  • Uses an expertise ranking algorithm for high-quality recommendations and continuously refines recommendations based on user feedback [2].

Cons

  • The quality and reliability of the recommendations heavily depend on the accuracy and volume of crowdsourced data. This reliance introduces potential risks such as false responses intended to mislead the recommendation system, necessitating measures to mitigate these threats and ensure the system’s effectiveness [2][8].
  • The studies faced some limitations, including a focus on popular apps, which may have introduced bias [6], the requirement of root access for manipulating permission settings, limiting the participant pool [4], and the lack of real-world consequences for denying permissions, which might not accurately reflect user behaviour in typical app usage scenarios [7].
  • The integration of contextual data and machine learning models can introduce computational overhead and latency in permission decision-making, which may affect the performance of the mobile device [1].

Privacy Choices

Privacy choices give people control over certain aspects of data practices. Considering the design space for privacy choices [10], this guideline can be applied in the following dimensions:

  • Contextualised
    The guideline is particularly relevant in this case, as it leverages contextual signals to provide recommendations, helping users make privacy decisions based on the specific context (e.g., time, location, purpose).
  • Binary choices
    The guideline can enhance binary choices by providing users with context-aware and personalised recommendations to make more informed decisions.

  • Personalised
    It promotes personalised timing of privacy choices, presenting recommendations at the most appropriate times based on individual user preferences.
  • Just in time
    It supports just-in-time privacy choices by providing context-aware recommendations when the specific data practice is about to happen.
  • Context-aware
    The guideline is relevant for context-aware timing, delivering recommendations tailored to the user’s current context.

  • Machine-readable
    It can be applied in a machine-readable format to support automated systems and privacy agents that negotiate privacy choices on behalf of the user.
  • Visual
    The guideline supports visual modalities by presenting recommendations in the form of text, images, or icons that are easy for users to understand.

  • Presentation
    Privacy choices always have a presentation: the system provides clear and easily understandable information to users about potential data practices, the available options, and how to communicate privacy decisions. The presentation often incorporates multiple components and integrates with related privacy notices, which requires careful consideration of design dimensions such as timing, channel, and modality [10].

    This guideline presents solutions that focus on clear and understandable presentation of privacy choices. It aims to help users comprehend data practices and effectively communicate their privacy decisions by providing recommendations and explanations.
  • Feedback
    The guideline includes providing users with feedback on the status of their privacy choices and ensuring they are aware of the actions taken based on their decisions, including recommended and automated decisions.

  • Primary
    The guideline can be applied through primary channels, such as within the app or system where the user interacts directly with the privacy choices.
  • Secondary
    It can also be extended to secondary channels, like mobile apps or websites, providing recommendations through these platforms when primary channels are limited.

Control

All discussed solutions address the control attribute [11] by providing mechanisms that allow users to make informed decisions, customise their privacy settings, and manage permissions dynamically based on context and preferences. Other related privacy attributes:

Security involves technical measures taken to protect data from unauthorised or malicious access. While not the primary focus, the discussed solution proposals implicitly address security by ensuring that permission decisions minimise unnecessary data exposure, thereby reducing potential security risks.

Transparency involves making users aware of how their personal data is handled, providing access to privacy policies, and proactively distributing information. Many of the presented solution proposals emphasise informing users about permission decisions and providing explanations for recommendations, enhancing transparency.


References

[1] Primal Wijesekera, Joel Reardon, Irwin Reyes, Lynn Tsai, Jung-Wei Chen, Nathan Good, David Wagner, Konstantin Beznosov, and Serge Egelman (2018). Contextualizing Privacy Decisions for Better Prediction (and Protection). In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI '18). Association for Computing Machinery, New York, NY, USA, Paper 268, 1–13. https://doi.org/10.1145/3173574.3173842

[2] Bahman Rashidi, Carol Fung, Anh Nguyen, Tam Vu and Elisa Bertino (2018). Android User Privacy Preserving Through Crowdsourcing. In IEEE Transactions on Information Forensics and Security, vol. 13, no. 3, pp. 773-787, March 2018. https://doi.org/10.1109/TIFS.2017.2767019

[3] Hongcan Gao, Chenkai Guo, Dengrong Huang, Xiaolei Hou, Yanfeng Wu, Jing Xu, Zhen He, and Guangdong Bai (2020). Autonomous Permission Recommendation. In IEEE Access, vol. 8, pp. 76580-76594, 2020. https://doi.org/10.1109/ACCESS.2020.2967139

[4] Bin Liu, Mads Schaarup Andersen, Florian Schaub, Hazim Almuhimedi, Shikun Zhang, Norman Sadeh, Alessandro Acquisti, and Yuvraj Agarwal (2016). Follow my recommendations: A personalized privacy assistant for mobile app permissions. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pp. 27-41. https://www.usenix.org/conference/soups2016/technical-sessions/presentation/liu

[5] Seung-Hyun Kim, In-Young Ko, Soo-Hyung Kim (2017). Quality of Private Information (QoPI) model for effective representation and prediction of privacy controls in mobile computing. Computers & Security, 66, pp.1-19. https://doi.org/10.1016/j.cose.2017.01.002

[6] Katarzyna Olejnik, Italo Dacosta, Joana Soares Machado, Kévin Huguenin, Mohammad Emtiyaz Khan, and Jean-Pierre Hubaux (2017). SmarPer: Context-Aware and Automatic Runtime-Permissions for Mobile Devices. In 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 2017, pp. 1058-1076. https://doi.org/10.1109/SP.2017.25

[7] Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman, David Wagner, and Konstantin Beznosov (2017). The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences. In 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 2017, pp. 1077-1093. https://doi.org/10.1109/SP.2017.51

[8] Rui Liu, Jiannong Cao, Kehuan Zhang, Wenyu Gao, Junbin Liang and Lei Yang (2018). When Privacy Meets Usability: Unobtrusive Privacy Permission Recommendation System for Mobile Apps Based on Crowdsourcing. In IEEE Transactions on Services Computing, vol. 11, no. 5, pp. 864-878, 1 Sept.-Oct. 2018. https://doi.org/10.1109/TSC.2016.2605089

[9] Harkeerat Kaur, Isao Echizen and Rohit Kumar (2020). Smart Data Agent for Preserving Location Privacy. In 2020 IEEE Symposium Series on Computational Intelligence (SSCI), Canberra, ACT, Australia, 2020, pp. 2567-2575. https://doi.org/10.1109/SSCI47803.2020.9308396

[10] Yuanyuan Feng, Yaxing Yao, and Norman Sadeh (2021). A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things. In CHI Conference on Human Factors in Computing Systems (CHI ’21), May 8–13, 2021, Yokohama, Japan. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3411764.3445148

[11] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288