research-article

Public Access

Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps

Authors:

Ilaria Liccardi,

Daniel J. Weitzner,

Nigel ShadboltAuthors Info & Claims

CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems

Pages 5208 - 5220

https://doi.org/10.1145/3025453.3025556

Published: 02 May 2017 Publication History

Abstract

Most users of smartphone apps remain unaware of what data about them is being collected, by whom, and how these data are being used. In this mixed methods investigation, we examine the question of whether revealing key data collection practices of smartphone apps may help people make more informed privacy-related decisions. To investigate this question, we designed and prototyped a new class of privacy indicators, called Data Controller Indicators (DCIs), that expose previously hidden information flows out of the apps. Our lab study of DCIs suggests that such indicators do support people in making more confident and consistent choices, informed by a more diverse range of factors, including the number and nature of third-party companies that access users' data. Furthermore, personalised DCIs, which are contextualised against the other apps an individual already uses, enable them to reason effectively about the differential impacts on their overall information exposure.

Supplementary Material

suppl.mov (pn1497p.mp4)

Supplemental video

Download
3.04 MB

References

[1]

George Akerlof. 1995. The market for "lemons": Quality uncertainty and the market mechanism. In Essential Readings in Economics. Springer, 175--188.

[2]

Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, and Yuvraj Agarwal. 2015. Your location has been shared 5,398 times!: A field study on mobile app privacy nudging. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 787--796.

Digital Library

[3]

Julio Angulo, Simone Fischer-Hübner, Tobias Pulls, and Erik Wästlund. 2015. Usable transparency with the data track: a tool for visualizing data disclosures. In Proceedings of the Conference Extended Abstracts on Human Factors in Computing Systems. ACM, 1803--1808.

Digital Library

[4]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Notices 49, 6 (2014), 259--269.

Digital Library

[5]

Rebecca Balebako and Lorrie Cranor. 2014. Improving app privacy: Nudging app developers to protect user privacy. IEEE Security & Privacy 12, 4 (2014), 55--58.

[6]

Rebecca Balebako, Jaeyeon Jung, Wei Lu, Lorrie Faith Cranor, and Carolyn Nguyen. 2013. Little brothers watching you: Raising awareness of data leaks on smartphones. In Proceedings of the Symposium on Usable Privacy and Security. ACM, 12.

Digital Library

[7]

Rebecca Balebako, Pedro G Leon, Hazim Almuhimedi, Patrick Gage Kelley, Jonathan Mugan, Alessandro Acquisti, Lorrie Faith Cranor, and Norman Sadeh. 2011. Nudging users towards privacy on mobile devices. In Proceedings of Workshop on Persuasion, Nudge, Influence and Coercion.

[8]

Rebecca Balebako, Florian Schaub, Idris Adjerid, Alessandro Acquisti, and Lorrie Cranor. 2015. The Impact of Timing on the Salience of Smartphone App Privacy Notices. In Proceedings of the ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices. ACM, 63--74.

Digital Library

[9]

Leonid Batyuk, Markus Herpich, Seyit Ahmet Camtepe, Karsten Raddatz, Aubrey-Derrick Schmidt, and Sahin Albayrak. 2011. Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within Android applications. In Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on. IEEE, 66--72.

Digital Library

[10]

Michael Benisch, Patrick Gage Kelley, Norman Sadeh, and Lorrie Faith Cranor. 2011. Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs. Personal and Ubiquitous Computing 15, 7 (2011), 679--694.

Digital Library

[11]

Jan Lauren Boyles, Aaron Smith, and Mary Madden. 2012. Privacy and Data Management on Mobile Devices. Pew's Report: Mobile Identity (September 5th 2012), 1--19.

[12]

Laura Brandimarte, Alessandro Acquisti, and George Loewenstein. 2013. Misplaced confidences privacy and the control paradox. Social Psychological and Personality Science 4, 3 (2013), 340--347.

[13]

Michael Brown, Tim Coughlan, Glyn Lawson, Murray Goulden, Robert J Houghton, and Richard Mortier. 2013. Exploring Interpretations of Data from the Internet of Things in the Home. Interacting with Computers 25, 3 (2013), 204--217.

[14]

A Cortesi and M Hils. 2013. mitmproxy: a man-in-the-middle proxy. (2013).

[15]

Lorrie Faith Cranor. 2006. What do they indicate?: evaluating security and privacy indicators. Interactions 13, 3 (2006), 45--47.

Digital Library

[16]

Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2011. PiOS: Detecting Privacy Leaks in iOS Applications. In NDSS. 177--183.

[17]

Serge Egelman, Adrienne Porter Felt, and David Wagner. 2013. Choice architecture and smartphone privacy: There'sa price for that. In The economics of information security and privacy. Springer, 211--236.

[18]

William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32, 2 (2014), 5.

Digital Library

[19]

Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of ACM Computer and Communications Security 2016.

Digital Library

[20]

Chris Evans, Chris Palmer, and Ryan Sleevi. 2015. Public key pinning extension for HTTP. RFC 7469. RFC Editor. https://tools.ietf.org/html/rfc7469

[21]

Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android permissions: User attention, comprehension, and behavior. In Proceedings of Symposium on Usable Privacy and Security. ACM, 3.

Digital Library

[22]

Electronic Frontier Foundation. 2016. Coders' Rights Project Reverse Engineering FAQ. (2016). https: //www.eff.org/issues/coders/reverse-engineering-faq

[23]

Huiqing Fu, Yulong Yang, Nileema Shingte, Janne Lindqvist, and Marco Gruteser. 2014. A field study of run-time location access disclosures on android smartphones. Proceedings of USEC 14 (2014).

[24]

Sanford J Grossman and Oliver D Hart. 1983. An analysis of the principal-agent problem. Econometrica: Journal of the Econometric Society (1983), 7--45.

[25]

Hamza Harkous, Rameez Rahman, and Karl Aberer. 2016. Data-Driven Privacy Indicators. In Symposium on Usable Privacy and Security. USENIX Association.

[26]

Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. "My Data Just Goes Everywhere:" User Mental Models of the Internet and Implications for Privacy and Security. In Proceedings of Symposium On Usable Privacy and Security. 39--52.

[27]

Patrick Gage Kelley, Sunny Consolvo, Lorrie Faith Cranor, Jaeyeon Jung, Norman Sadeh, and David Wetherall. 2012. A conundrum of permissions: installing applications on an android smartphone. In International Conference on Financial Cryptography and Data Security. Springer, 68--79.

Digital Library

[28]

Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. 2013. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 3393--3402.

Digital Library

[29]

Jennifer King. 2012. How Come I'm Allowing Strangers to Go Through My Phone? Smartphones and Privacy Expectations. Smartphones and Privacy Expectations (2012).

[30]

Pedro Giovanni Leon, Ashwini Rao, Florian Schaub, Abigail Marsh, Lorrie Faith Cranor, and Norman Sadeh. 2015. Privacy and Behavioral Advertising: Towards Meeting Users' Preferences. In Proceedings of the Symposium on Usable Privacy and Security.

[31]

Pedro Giovanni Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, and Lorrie Faith Cranor. 2013. What matters to users?: factors that affect users' willingness to share information with online advertisers. In Proceedings of Symposium on Usable Privacy and Security. ACM, 1--7.

Digital Library

[32]

Ilaria Liccardi, Joseph Pato, and Daniel J. Weitzner. 2014a. Improving Mobile App Selection through Transparency and Better Permission Analysis. Journal of Privacy and Confidentiality: Vol. 5: Iss. 2, Article 1. (2014), 1--55.

[33]

Ilaria Liccardi, Joseph Pato, Daniel J. Weitzner, Hal Abelson, and David De Roure. 2014b. No Technical Understanding Required: Helping Users Make Informed Choices About Access to Their Personal Data. In Proceedings of International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services. 140--150.

Digital Library

[34]

Jialiu Lin, Shahriyar Amini, Jason I Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. 2012. Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing. In Proceedings of Conference on Ubiquitous Computing. ACM, 501--510.

Digital Library

[35]

Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I Hong. 2014. Modeling users' mobile app privacy preferences: Restoring usability in a sea of permission settings. In Symposium On Usable Privacy and Security. 199--212.

[36]

Bin Liu, Mads Schaarup Andersen, Florian Schaub, Hazim Almuhimedi, Shikun Aerin Zhang, Norman Sadeh, Yuvraj Agarwal, and Alessandro Acquisti. 2016. Follow My Recommendations: A Personalized Assistant for Mobile App Permissions. In Proceedings of the Symposium on Usable Privacy and Security.

[37]

Kirsten Martin and Katie Shilton. 2016. Putting mobile application privacy in context: An empirical study of user privacy expectations for mobile devices. The Information Society 32, 3 (2016), 200--216.

Digital Library

[38]

Akiva A Miller. 2014. What Do We Worry About When We Worry About Price Discrimination? The Law and Ethics of Using Personal Information for Pricing. Journal of Technology Law & Policy 19 (2014), 41.

[39]

Janni Nielsen, Torkil Clemmensen, and Carsten Yssing. 2002. Getting access to what goes on in people's heads?: reflections on the think-aloud technique. In Proceedings of the Nordic conference on Human-computer interaction. ACM, 101--110.

Digital Library

[40]

Kenneth Olmstead and Michelle Atkinson. 2015. App Permissions in the Google Play Store: Chapter 1: The Majority of Smartphone Owners Download Apps. Pew's Report: Numbers, fact and Trends Shaping the world (November 19th 2015), 1--19.

[41]

TNS Opinion. 2015. Special Eurobarometer 431, Data protection. (2015). http://ec.europa.eu/public_opinion/ archives/eb_special_439_420_en.htm#431

[42]

Paul Pearce, Adrienne Porter Felt, Gabriel Nunez, and David Wagner. 2012. Addroid: Privilege separation for applications and advertisers in android. In Proceedings of the Symposium on Information, Computer and Communications Security. ACM, 71--72.

Digital Library

[43]

Jeremy Pounder. 2015. For what it's worth - the future of personalised pricing. (2015).

[44]

Lingzhi Qiu, Zixiong Zhang, Ziyi Shen, and Guozi Sun. 2015. AppTrace: Dynamic trace on Android devices. In 2015 IEEE International Conference on Communications. IEEE, 7145--7150.

[45]

Ashwini Rao, Florian Schaub, Norman Sadeh, Alessandro Acquisti, and Ruogu Kang. Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online.

[46]

Jingjing Ren, Ashwin Rao, Martina Lindorfer, Arnaud Legout, and David Choffnes. 2016. Demo: ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic. In Proceedings of the International Conference on Mobile Systems, Applications, and Services Companion (MobiSys '16 Companion). 117--117.

Digital Library

[47]

Fuming Shih, Ilaria Liccardi, and Daniel Weitzner. 2015. Privacy tipping points in smartphones privacy preferences. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 807--816.

Digital Library

[48]

Irina Shklovski, Scott D Mainwaring, Halla Hrund Skúladóttir, and Höskuldur Borgthorsson. 2014. Leakiness and creepiness in app space: Perceptions of privacy and mobile app use. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2347--2356.

Digital Library

[49]

Statistica. 2016. Number of smartphone users in the United States from 2010 to 2019 (in millions). (2016). http://www.statista.com/statistics/201182/ forecast-of-smartphone-users-in-the-us/

[50]

Peter Tolmie, Andy Crabtree, Tom Rodden, James Colley, and Ewa Luger. 2016. "This has to be the cats": Personal Data Legibility in Networked Sensing Systems. In Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing. ACM, 491--502.

Digital Library

[51]

Na Wang, Bo Zhang, Bin Liu, and Hongxia Jin. 2015. Investigating Effects of Control and Ads Awareness on Android Users' Privacy Behaviors and Perceptions. In Proceedings of Conference on Human-Computer Interaction with Mobile Devices and Services. ACM, 373--382.

Digital Library

[52]

Yang Wang, Pedro Giovanni Leon, Alessandro Acquisti, Lorrie Faith Cranor, Alain Forget, and Norman Sadeh. 2014. A field trial of privacy nudges for facebook. In Proceedings of the SIGCHI conference on human factors in computing systems. ACM, 2367--2376.

Digital Library

[53]

Jason Watson, Heather Richter Lipford, and Andrew Besmer. 2015. Mapping user preference to privacy default settings. ACM Transactions on Computer-Human Interaction 22, 6 (2015), 32.

Digital Library

[54]

Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney. 2015. Who knows what about me? A survey of behind the scenes personal data sharing to third parties by mobile apps. Proceeding of Technology Science (2015).

[55]

Frederik J Zuiderveen Borgesius. 2015. Improving privacy protection in the area of behavioural targeting. SSRN 2654213 (2015).

Cited By

Bourdoucen ALindqvist J(2024)Privacy of Default Apps in Apple’s Mobile EcosystemProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642831(1-32)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642831
Wang GZhao JKollnig KZier ADuron BZhang ZVan Kleek MShadbolt N(2024)KOALA Hero Toolkit: A New Approach to Inform Families of Mobile Datafication RisksProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642283(1-18)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642283
Hadan HWang DNacke LZhang-Kennedy L(2024)Privacy in Immersive Extended Reality: Exploring User Perceptions, Concerns, and Coping StrategiesProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642104(1-24)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642104
Show More Cited By

Index Terms

Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps
1. Human-centered computing
2. Social and professional topics
  1. Computing / technology policy

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
MSR '24: Proceedings of the 21st International Conference on Mining Software Repositories

For years, researchers have been analyzing mobile Android apps to investigate diverse properties such as software engineering practices, business models, security, privacy, or usability, as well as differences between marketplaces. While similar studies ...
My Bank Already Gets this Data: Exposure Minimisation and Company Relationships in Privacy Decision-Making
CHI EA '17: Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems

This paper explores how individuals' privacy-related decision-making processes may be influenced by their pre-existing relationships to companies in a wider social and economic context. Through an online role-playing exercise, we explore attitudes to a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems

May 2017

7138 pages

ISBN:9781450346559

DOI:10.1145/3025453

General Chairs:
Gloria Mark
University of California Irvine
,
Susan Fussell
Cornell University
,
Program Chairs:
Cliff Lampe
University of Michigan
,
m.c. schraefel
University of Southampton
,
Juan Pablo Hourcade
University of Iowa
,
Caroline Appert
Université Paris-Sud
,
Daniel Wigdor
University of Toronto

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 May 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation
EPSRC

Conference

CHI '17

Sponsor:

SIGCHI

CHI '17: CHI Conference on Human Factors in Computing Systems

May 6 - 11, 2017

Colorado, Denver, USA

Acceptance Rates

CHI '17 Paper Acceptance Rate 600 of 2,400 submissions, 25%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

65
Total Citations
View Citations
2,444
Total Downloads

Downloads (Last 12 months)328
Downloads (Last 6 weeks)39

Reflects downloads up to 28 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bourdoucen ALindqvist J(2024)Privacy of Default Apps in Apple’s Mobile EcosystemProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642831(1-32)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642831
Wang GZhao JKollnig KZier ADuron BZhang ZVan Kleek MShadbolt N(2024)KOALA Hero Toolkit: A New Approach to Inform Families of Mobile Datafication RisksProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642283(1-18)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642283
Hadan HWang DNacke LZhang-Kennedy L(2024)Privacy in Immersive Extended Reality: Exploring User Perceptions, Concerns, and Coping StrategiesProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642104(1-24)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642104
Rodriguez DDel Alamo JCozar MGarcía B(2024)ROI: a method for identifying organizations receiving personal dataComputing10.1007/s00607-023-01209-2106:1(163-184)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1007/s00607-023-01209-2
Fischer-Hübner SKaregar FFischer-Hübner SKaregar F(2024)Overview of Usable Privacy Research: Major Themes and Research DirectionsThe Curious Case of Usable Privacy10.1007/978-3-031-54158-2_3(43-102)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-54158-2_3
Bourdoucen ANurgalieva LLindqvist J(2023)Privacy Is the Price: Player Views and Technical Evaluation of Data Practices in Online GamesProceedings of the ACM on Human-Computer Interaction10.1145/36110647:CHI PLAY(1136-1178)Online publication date: 4-Oct-2023
https://dl.acm.org/doi/10.1145/3611064
Knowles BConchie S(2023)Un-Paradoxing Privacy: Considering Hopeful TrustACM Transactions on Computer-Human Interaction10.1145/360932930:6(1-24)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1145/3609329
Kitkowska AKaregar FWästlund E(2023)Share or Protect: Understanding the Interplay of Trust, Privacy Concerns, and Data Sharing Purposes in Health and Well-Being AppsProceedings of the 15th Biannual Conference of the Italian SIGCHI Chapter10.1145/3605390.3605417(1-14)Online publication date: 20-Sep-2023
https://dl.acm.org/doi/10.1145/3605390.3605417
Kollnig KDatta SSerban Von Davier TVan Kleek MBinns RLyngs UShadbolt N(2023)‘We are adults and deserve control of our phones’: Examining the risks and opportunities of a right to repair for mobile appsProceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency10.1145/3593013.3593973(22-34)Online publication date: 12-Jun-2023
https://dl.acm.org/doi/10.1145/3593013.3593973
Sun RXue MTyson GWang SCamtepe SNepal S(2023)Not Seen, Not Heard in the Digital World! Measuring Privacy Practices in Children’s AppsProceedings of the ACM Web Conference 202310.1145/3543507.3583327(2166-2177)Online publication date: 30-Apr-2023
https://dl.acm.org/doi/10.1145/3543507.3583327
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents