Integrate Privacy Indicators for Informed App Selection

Problem Summary

Users often lack clear, accessible, and timely privacy information when selecting apps, leading to uninformed decisions and over-privileged permissions.

Rationale

Introducing data-driven privacy indicators gives users more comprehensive insight into data flows, into their exposure to third-party apps, and into how smartphone or cloud apps use the data they collect.

Solution

Integrate dynamic, data-driven privacy indicators into app marketplaces and similar distribution channels so that users can make informed decisions about app installation and permissions. Collectively, the supporting papers presented below address the problem of providing clear, accessible, and timely privacy information to users. They offer a range of solutions, from data-driven insights and visual indicators to personalised notifications and granular threat representations, so that users can make informed decisions.

Harkous, Rahman, and Aberer [1] introduced the concept of Data-Driven Privacy Indicators (DDPIs) to bridge the privacy gap between user expectations and actual data access by third-party apps. User data is analysed by a trusted entity, such as the application platform, and the result of this analysis is integrated into the indicator interface. This approach includes several privacy indicators, including "History-Based Insights". History-based insights provide users with information about how accessible their data is to application providers based on previous app installations by the user or their collaborators, helping them make more informed decisions about granting application permissions.
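The following is an added example, not code from Harkous et al. [1], showing the kind of computation behind a History-Based Insight: how much of a user's data is already reachable by a vendor through previously installed apps, and how much a new app would add. The file set, the three scope kinds ("all", "type:<mime>", "own") and the pooling of access per vendor are assumptions made for this illustration; the paper's own data model is not reproduced here.

```python
"""Toy History-Based Insight (added example; assumptions are marked as such)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class File:
    name: str
    mime: str
    created_by: Optional[str]  # app that created the file, None if uploaded by the user


@dataclass(frozen=True)
class App:
    name: str
    vendor: str
    scope: str  # assumed scope model: "all", "type:<mime>" or "own" (files it created)


def _can_read(app: App, f: File) -> bool:
    """Assumed access rule for the three scope kinds used in this example."""
    if app.scope == "all":
        return True
    if app.scope.startswith("type:"):
        return f.mime == app.scope[len("type:"):]
    if app.scope == "own":
        return f.created_by == app.name
    raise ValueError(f"unknown scope {app.scope!r}")


def vendor_exposure(files: List[File], installed: List[App]) -> Dict[str, float]:
    """Fraction of the user's files readable by at least one app of each vendor.

    Access is pooled per vendor (assumption): two apps from the same vendor
    together expose the union of what each can read.
    """
    readable = defaultdict(set)
    for app in installed:
        for f in files:
            if _can_read(app, f):
                readable[app.vendor].add(f.name)
    total = len(files)
    return {vendor: len(names) / total for vendor, names in readable.items()}


def history_based_insight(files: List[File], installed: List[App], candidate: App) -> Dict[str, object]:
    """What the indicator would show for a candidate app: the vendor's exposure
    before installing it, after installing it, and the increase being granted."""
    before = vendor_exposure(files, installed).get(candidate.vendor, 0.0)
    after = vendor_exposure(files, installed + [candidate]).get(candidate.vendor, 0.0)
    return {"vendor": candidate.vendor, "before": before, "after": after, "delta": after - before}


# Constructed sample data (not from the paper): a small cloud drive and three installed apps.
FILES = [
    File("report.pdf", "application/pdf", None),
    File("invoice.pdf", "application/pdf", None),
    File("thesis.pdf", "application/pdf", None),
    File("merged.pdf", "application/pdf", "PdfTool"),
    File("logo.png", "image/png", None),
    File("photo1.png", "image/png", None),
    File("photo2.png", "image/png", None),
    File("notes.txt", "text/plain", None),
    File("todo.txt", "text/plain", None),
    File("draft.txt", "text/plain", None),
]
INSTALLED = [
    App("PdfTool", "Acme", "own"),
    App("ImgEdit", "Acme", "type:image/png"),
    App("Notes", "Beta", "type:text/plain"),
]

if __name__ == "__main__":
    for vendor, frac in sorted(vendor_exposure(FILES, INSTALLED).items()):
        print(f"{vendor}: {frac:.0%} of your files already accessible")
    # A new Acme app asking for "all" files raises Acme's reach from 40% to 100%.
    print(history_based_insight(FILES, INSTALLED, App("DocSigner", "Acme", "all")))
```

The point the indicator makes visible is the vendor-level pooling: DocSigner on its own "only" asks for full access, but the history shows Acme already reaches 40% of the drive through two earlier installs, so the decision is about the remaining 60%, not about a fresh vendor.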

Quay-de la Vallee, Selby, and Krishnamurthi [2] proposed integrating privacy ratings into app marketplaces to help users make informed decisions about app installation. By providing permission ratings gathered from automated tools and human reviews, users could better assess the privacy implications of apps before installing. Kelley, Cranor, and Sadeh [3] also investigated how privacy information can be made a central part of the app selection process. The authors propose a "Privacy Facts" display, which presents privacy and permission information on the main app screen.

Bock and Momen [4] implemented and evaluated an indicator that serves as an ex-ante (before the event) privacy cue in the app store. A prototype of the indicator was integrated into a simulated version of the Google Play Store, where it is displayed alongside app listings so that privacy information is readily accessible during app selection. Bal [5] also presented a new design for privacy indicators in smartphone app markets to improve users' understanding of privacy risks and support informed app selection. The design incorporates long-term data access behaviour, context, purpose binding, and developer transparency, and it assesses privacy risk based on how frequently and under what circumstances data is accessed rather than on the permissions requested alone. Privacy warnings are integrated during the app discovery stage to influence user decisions before installation, and indicators are provided at several levels of detail to cater to different user needs: high-level indicators are immediately visible, and detailed information is available on demand. The author developed a prototype of the Google Play Store with added privacy warning stimuli, including visual indicators (5-star ratings and colour coding) and detailed privacy information screens.

Paturi, Kelley and Mazumdar [6] present an icon-based privacy threat representation interface designed to inform Android users about privacy threats posed both by app providers and by third-party ad libraries. The interface categorises privacy threats into three "privacy granules": location (information about the user's geographical location), identity (information that uniquely identifies the user, such as an email address or the device IMEI), and query (information about the user's search queries).

Jackson and Wang [7] addressed the privacy paradox, where users' privacy behaviours often do not align with their stated privacy attitudes. The authors propose a personalised privacy notification approach to highlight this discrepancy. The solution includes a privacy discrepancy interface for mobile apps, juxtaposing users' general privacy attitudes towards mobile apps with the privacy risks of specific app permissions. This interface nudges users to make permission decisions aligning with their privacy attitudes. The privacy discrepancy interface combines users' privacy attitudes with the privacy riskiness of app permissions, displayed through coloured icons (green, yellow, red) to signal risk levels. Users can click on icons to see detailed information about privacy risks and adjust permissions to modify the risk level dynamically.

Tucker, Tucker and Zheng [8] presented Privacy Pal, a Chrome browser extension designed to enhance user awareness of privacy and security risks associated with third-party applications on Facebook. Privacy Pal provides a risk analysis and visualisation tool that classifies app permissions into categories like location, identity, and contacts and assesses potential threats such as identity theft and tracking. The extension displays risk levels using a visual interface similar to password strength meters to help users make informed decisions before installing apps.

Liccardi et al. [9] proposed an improved interface for the Google Play Store to help users better understand app permissions. The interface introduces a sensitivity score that quantifies the potential privacy risks of apps based on their permissions, highlighting those that access personal data. This approach aims to simplify the decision-making process for users, especially those who lack technical knowledge, by making privacy implications more accessible and understandable.
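An added example, not code from Liccardi et al. [9] or Jackson and Wang [7], of how a marketplace listing could derive a sensitivity score from an app's declared permissions, show the change in score on an update (the case in panel (c) of their interface), and map the score to the green/yellow/red levels used by [7]. The permission names are real Android permission identifiers; which of them count as "sensitive", the personal-data category assigned to each, and the band thresholds are assumptions made for this example and do not reproduce the scoring in either paper.

```python
"""Sensitivity score over declared permissions (added example; scoring rules are assumptions)."""
from typing import Dict, Iterable, List

# Assumed mapping from permission to the category of personal data it can reach.
# Permissions absent from this table (INTERNET, VIBRATE, ...) do not raise the score.
SENSITIVE: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_PHONE_STATE": "identity",
    "android.permission.GET_ACCOUNTS": "identity",
    "android.permission.CAMERA": "media",
    "android.permission.RECORD_AUDIO": "media",
    "android.permission.READ_CALENDAR": "calendar",
}


def sensitive_permissions(perms: Iterable[str]) -> List[str]:
    """Declared permissions that can reach personal data, deduplicated and sorted."""
    return sorted(p for p in set(perms) if p in SENSITIVE)


def sensitivity_score(perms: Iterable[str]) -> int:
    """Assumed score: one point per distinct sensitive permission."""
    return len(sensitive_permissions(perms))


def categories(perms: Iterable[str]) -> Dict[str, List[str]]:
    """Group the sensitive permissions by the data category they expose (for the detail view)."""
    out: Dict[str, List[str]] = {}
    for p in sensitive_permissions(perms):
        out.setdefault(SENSITIVE[p], []).append(p)
    return out


def band(score: int) -> str:
    """Assumed thresholds for a three-level colour indicator."""
    if score == 0:
        return "green"
    if score <= 2:
        return "yellow"
    return "red"


def update_delta(old_perms: Iterable[str], new_perms: Iterable[str]) -> Dict[str, object]:
    """What an update screen would show: old and new score, the change, and which
    sensitive permissions were added or dropped by the new version."""
    old_s, new_s = set(sensitive_permissions(old_perms)), set(sensitive_permissions(new_perms))
    return {
        "old": len(old_s),
        "new": len(new_s),
        "delta": len(new_s) - len(old_s),
        "added": sorted(new_s - old_s),
        "removed": sorted(old_s - new_s),
    }


def listing_line(app_name: str, perms: Iterable[str]) -> str:
    """One search-result row: name, score and colour band."""
    s = sensitivity_score(perms)
    return f"{app_name}: sensitivity {s} ({band(s)})"


# Constructed sample manifests (not taken from any real app).
OLD_VERSION = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.VIBRATE",
]
NEW_VERSION = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.VIBRATE",
]

if __name__ == "__main__":
    print(listing_line("Flashlight Pro 1.0", OLD_VERSION))
    print(listing_line("Flashlight Pro 2.0", NEW_VERSION))
    print(update_delta(OLD_VERSION, NEW_VERSION))
    print(categories(NEW_VERSION))
```

Showing the delta with the added and removed permissions, rather than only the new total, is what lets a user notice that an update swapped contact access for SMS and camera access even though the score moved by just one point.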

Van Kleek et al. [10] presented a class of privacy indicators called Data Controller Indicators (DCIs). These reveal smartphone apps' data collection activities by identifying which organisations collect data, what data is collected, and for what purposes. The authors also presented Personalised DCIs (PDCIs), which contextualise an app's data collection against the other apps a user has installed.

Shen et al. [11] proposed BlueSeal, a permission mechanism for Android that extends the existing system with flow permissions derived from both intra-app and cross-app data flows. It employs static analysis using the Soot framework, extended to analyse Android's DEX bytecode, and uses a permission map for API calls. BlueSeal identifies sources and sinks within apps and tracks the data flows between them, producing permissions that reflect how an app actually uses data. By augmenting the Android package installer, BlueSeal gives users visibility into, and control over, how apps interact with each other and use their permissions, thereby improving privacy and security on Android devices.
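To make the idea of a flow permission concrete, here is an added toy example, not BlueSeal's code, that derives "source -> sink" flows by forward taint propagation over a tiny straight-line intermediate representation, including a cross-app flow through a broadcast. The IR, the source/sink tables and the rule that any app may receive what any other app exports (a deliberate over-approximation) are assumptions of this example; the API names in the tables are real Android methods, but BlueSeal's actual permission map and Soot-based analysis are far richer than this.

```python
"""Toy flow-permission derivation by taint tracking (added example, not BlueSeal)."""
from typing import Dict, List, Optional, Set, Tuple

# Assumed source/sink tables. Keys are real Android methods; the labels are ours.
SOURCES = {
    "LocationManager.getLastKnownLocation": "LOCATION",
    "TelephonyManager.getDeviceId": "DEVICE_ID",
    "AccountManager.getAccounts": "ACCOUNTS",
}
SINKS = {
    "HttpURLConnection.getOutputStream": "INTERNET",
    "SmsManager.sendTextMessage": "SMS",
    "Log.d": "LOG",
}
IPC_SEND = "Context.sendBroadcast"   # data leaves the app via an Intent
IPC_RECV = "Intent.getStringExtra"   # data enters the app from another app's Intent

# One statement is (dst, api, args): a call whose result lands in dst, or an
# assignment when api is None (dst = args[0]). "_" means the result is unused.
Stmt = Tuple[str, Optional[str], List[str]]
Flow = Tuple[str, str]  # (taint label, sink label)


def analyse_app(stmts: List[Stmt], incoming: Set[str] = frozenset()) -> Tuple[Set[Flow], Set[str]]:
    """Forward taint pass over one app. Returns (flows reaching sinks, labels exported via IPC)."""
    taint: Dict[str, Set[str]] = {}
    flows: Set[Flow] = set()
    exported: Set[str] = set()
    for dst, api, args in stmts:
        labels: Set[str] = set()
        for a in args:                       # taint flows through arguments
            labels |= taint.get(a, set())
        if api in SOURCES:                   # a source introduces its own label
            labels.add(SOURCES[api])
        if api == IPC_RECV:                  # data received from other apps
            labels |= set(incoming)
        if api in SINKS:                     # every label reaching a sink is a flow
            for lbl in labels:
                flows.add((lbl, SINKS[api]))
        if api == IPC_SEND:                  # labels leaving this app
            exported |= labels
        if dst != "_":
            taint[dst] = labels
    return flows, exported


def flow_permissions(apps: Dict[str, List[Stmt]]) -> Dict[str, Set[Flow]]:
    """Intra-app flows for each app, plus cross-app flows fed by other apps' exports.
    Cross-app labels are tagged "LABEL@SenderApp" so the origin stays visible."""
    exported = {name: analyse_app(stmts)[1] for name, stmts in apps.items()}
    result: Dict[str, Set[Flow]] = {}
    for name, stmts in apps.items():
        incoming: Set[str] = set()
        for other, labels in exported.items():   # over-approximation: any app may receive
            if other != name:
                incoming |= {f"{lbl}@{other}" for lbl in labels}
        result[name] = analyse_app(stmts, incoming)[0]
    return result


def render(flow: Flow) -> str:
    """Human-readable flow permission as an installer could show it."""
    src, sink = flow
    if "@" in src:
        label, origin = src.split("@", 1)
        return f"{label} (from {origin}) -> {sink}"
    return f"{src} -> {sink}"


# Constructed sample apps (not real code); each is a list of IR statements.
APPS: Dict[str, List[Stmt]] = {
    "Weather": [
        ("loc", "LocationManager.getLastKnownLocation", []),
        ("s", None, ["loc"]),                                 # s = loc
        ("_", "Log.d", ["s"]),                                # LOCATION -> LOG
        ("_", "Context.sendBroadcast", ["s"]),                # exports LOCATION
        ("id", "TelephonyManager.getDeviceId", []),
        ("_", "HttpURLConnection.getOutputStream", ["id"]),   # DEVICE_ID -> INTERNET
    ],
    "AdSdk": [
        ("x", "Intent.getStringExtra", []),                   # receives Weather's export
        ("_", "HttpURLConnection.getOutputStream", ["x"]),    # LOCATION (from Weather) -> INTERNET
    ],
    "Flashlight": [
        ("msg", None, ["literal"]),
        ("_", "Log.d", ["msg"]),                              # untainted, no flow
    ],
}

if __name__ == "__main__":
    for app, flows in flow_permissions(APPS).items():
        print(app + ":", ", ".join(sorted(map(render, flows))) or "(no flow permissions)")
```

The installer view this produces is the difference between "Weather uses LOCATION and INTERNET" (classic permissions) and "Weather logs your location and hands it to AdSdk, which sends it to the network" (flow permissions); the cross-app edge only appears because the analysis looks at exports and receives across package boundaries.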

Platforms: personal computers, mobile devices

Example

History-Based Insights interface, highlighting the percentage of files accessible by the vendor [1].

Immediate Insights interface example [1].

PerMission Store. Left: search results page; right: example of an app page [2].

Privacy Facts checklist display [3].

Replica of the Google Play Store app with new privacy indicators [5].

Privacy Discrepancy, Privacy Pal and Privacy Granules interfaces. Left: the privacy discrepancy interface highlights the discrepancy between user privacy concerns and the riskiness of each app's permission request [7]. Top right: the Privacy Pal interface helps users visualise the privacy and security risks of granting permissions to third-party apps [8]. Bottom right: summary interfaces for privacy granules [6].

Improved app-selection interface showing the sensitivity score [9]. From left to right: (a) when users search for an app; (b) within each app's page prior to installation; (c) showing the increase (or decrease) in the sensitivity score when updating an app; (d) showing the total sensitivity score within the permission list.

Data Controller Indicator (DCI) and Personalised DCI (PDCI), each with tabular (top) and Sankey (bottom) options [10].

Example of Flow Permissions displayed to users [11].

Use cases
  • Implementation in cloud/smartphone app authorisation process.
  • Implementation in app markets during app discovery and inspection.
  • Offer insight on new app privacy based on prior app use and third-party data access.
Pros

  • History-based insights prompted privacy-aware choices, showing DDPIs' positive impact on user decisions. The privacy indicator based on installation history boosted privacy-conscious app selection by 30% [1].
  • Moving privacy and permissions information to a prominent, clear, and simple display influences users to choose apps with fewer permissions. Privacy ratings and indicators improve users' ability to manage app permissions, enhance awareness of privacy risks, and promote safer app selection behaviour without additional effort or increased decision-making time [2][3][4][5][6][9][10].
  • A user study showed that Flow Permissions significantly impact the likelihood of app installations among users who have no preconceived notions about the app, highlighting its potential to aid decision-making in a real-world setting. It also helps differentiate between normal and malicious app behaviours based on information flows, providing valuable insights into potentially harmful applications. Additionally, an analysis found that most apps contain a manageable number of Flow Permissions, making it practical for users to review and understand the permissions an app requests [11].
  • An online experiment demonstrated that the privacy discrepancy interface improved alignment between users' privacy behaviours and attitudes compared to other notification approaches [7].

Cons

  • The studies highlight several challenges in implementing and generalising privacy indicators and assistants for app selection and management. These include security restrictions preventing direct editing of app settings, reliance on external platforms for app installations, app familiarity bias, and the need for detailed explanations. Additionally, the controlled environment of the studies and the hypothetical scenarios used may not accurately reflect real-world user behaviour, limiting the generalisability of the results [2][4][6][7][8].
  • Prioritising and delivering concise yet tailored privacy messages without harming platform usability is a challenge; conflicting or overwhelming privacy indicators cause user frustration [1]. With DCIs and PDCIs [10], participants took significantly longer to make decisions than in the other conditions. While this can be seen as a drawback, it also reflects more thorough decision-making [10].
  • A user study showed that participants did not perceive permission displays the same way they view privacy policies, seeing them as things the phone can take rather than as personal information they themselves provided [3]. Flow Permissions had little impact on users with preconceived notions about an app, indicating limitations in changing familiar users' perceptions [11].

Privacy Notices

This guideline is closely related to privacy notices, which typically inform users about the collection, use, and sharing of their personal data [12]. It aims to inform users through timely, visual, and persistent indicators, helping them make better app selection decisions without necessarily providing extensive interactive privacy choices. This alignment ensures that users are well informed about privacy implications at critical decision points, enhancing transparency and trust in app selection, installation and permission granting.

If integrated into the service handling personal data, such a tool could facilitate privacy choices by offering controls like data exclusion and consent management.

  • At Setup
    The proposed guideline can be used to present a privacy notice to users when they are using the system for the first time so they can be aware of the data handling practices.
  • On demand
    The proposed guideline can be used to present a privacy notice to users when they actively seek privacy information, for example, in privacy dashboards or privacy settings interfaces.
  • Persistent
    By offering ongoing visibility into privacy ratings and indicators, the guideline can make users continually aware of privacy implications, similar to persistent notices.
  • Just in time
    The guideline suggests integrating permission ratings and privacy indicators when users make app installation decisions. This approach fits well with the just-in-time approach, ensuring users receive relevant privacy information in context, thus enhancing transparency.

  • Non-blocking
    While the primary focus is on providing information rather than immediate controls, the guideline aligns with non-blocking controls by allowing users to review and manage permissions without disrupting their primary tasks.
  • Decoupled
    This guideline can be applied to privacy notices decoupled from privacy choices.

  • Visual
    The use of data-driven privacy indicators, permission ratings, and intuitive visual elements (such as colour coding) aligns with the visual modality of privacy notices, which aims to communicate complex privacy information effectively.

  • Secondary
    This guideline can be applied to secondary channels if the primary channel does not have an interface or has a limited one.
  • Primary
    This guideline can be applied to the platform or device the user interacts with. For instance, the integration of privacy indicators within app marketplaces corresponds to using a primary channel, as users interact with these indicators directly within the app selection environment.

Transparency

Transparency [13] is the main privacy attribute, since this mechanism involves the proactive distribution of information to users. The guideline focuses on providing users with clear, comprehensive, and accessible privacy information about apps through data-driven privacy indicators, helping them understand how their personal data will be handled and make informed decisions. Other related privacy attributes:

Control: giving users insight into data handling practices supports control by allowing them to make self-determined decisions about sharing their personal data.


References

[1] Hamza Harkous, Rameez Rahman, and Karl Aberer (2016). Data-Driven Privacy Indicators. In: Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). https://www.usenix.org/system/files/conference/soups2016/wpi16_paper-harkous.pdf

[2] Hannah Quay-de la Vallee, Paige Selby, and Shriram Krishnamurthi (2016). On a (Per)Mission: Building Privacy Into the App Marketplace. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM '16). Association for Computing Machinery, New York, NY, USA, 63–72. https://doi.org/10.1145/2994459.2994466

[3] Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh (2013). Privacy as part of the app decision-making process. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '13). Association for Computing Machinery, New York, NY, USA, 3393–3402. https://doi.org/10.1145/2470654.2466466

[4] Sven Bock and Nurul Momen (2020). Nudging the user with privacy indicator: a study on the app selection behavior of the user. In: Proceedings of the 11th Nordic Conference on Human-Computer Interaction: Shaping Experiences, Shaping Society (NordiCHI '20), 1–12. https://doi.org/10.1145/3419249.3420111

[5] Gökhan Bal (2014). Designing privacy indicators for smartphone app markets: A new perspective on the nature of privacy risks of apps. In: Proceedings of the 20th Americas Conference on Information Systems (AMCIS 2014). https://aisel.aisnet.org/amcis2014/MobileComputing/GeneralPresentations/6

[6] Anand Paturi, Patrick Gage Kelley, and Subhasish Mazumdar (2015). Introducing privacy threats from ad libraries to Android users through privacy granules. In: Proceedings of the NDSS Workshop on Usable Security (USEC '15). Internet Society. http://dx.doi.org/10.14722/usec.2015.23008

[7] Corey Brian Jackson and Yang Wang (2018). Addressing the privacy paradox through personalized privacy notifications. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 2(2), 1–25. https://doi.org/10.1145/3214271

[8] Rachel Tucker, Carl Tucker, and Jun Zheng (2015). Privacy Pal: Improving Permission Safety Awareness of Third Party Applications in Online Social Networks. In: 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems. IEEE, 1268–1273. https://doi.org/10.1109/HPCC-CSS-ICESS.2015.83

[9] Ilaria Liccardi, Joseph Pato, Daniel J. Weitzner, Hal Abelson, and David De Roure (2014). No technical understanding required: helping users make informed choices about access to their personal data. In: Proceedings of the 11th International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MOBIQUITOUS '14). ICST, Brussels, Belgium, 140–150. https://doi.org/10.4108/icst.mobiquitous.2014.258066

[10] Max Van Kleek, Ilaria Liccardi, Reuben Binns, Jun Zhao, Daniel J. Weitzner, and Nigel Shadbolt (2017). Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems (CHI '17). Association for Computing Machinery, New York, NY, USA, 5208–5220. https://doi.org/10.1145/3025453.3025556

[11] Feng Shen, Namita Vishnubhotla, Chirag Todarka, Mohit Arora, Babu Dhandapani, Eric John Lehner, Steven Y. Ko, and Lukasz Ziarek (2014). Information flows as a permission mechanism. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE '14). Association for Computing Machinery, New York, NY, USA, 515–526. https://doi.org/10.1145/2642937.2643018

[12] Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

[13] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy: A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Computing Surveys 55(3), Article 63, 37 pages. https://doi.org/10.1145/3502288