research-article

Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing

Authors:

Shahriyar Amini,

Janne Lindqvist,

Joy ZhangAuthors Info & Claims

UbiComp '12: Proceedings of the 2012 ACM Conference on Ubiquitous Computing

Pages 501 - 510

https://doi.org/10.1145/2370216.2370290

Published: 05 September 2012 Publication History

Abstract

Smartphone security research has produced many useful tools to analyze the privacy-related behaviors of mobile apps. However, these automated tools cannot assess people's perceptions of whether a given action is legitimate, or how that action makes them feel with respect to privacy. For example, automated tools might detect that a blackjack game and a map app both use one's location information, but people would likely view the map's use of that data as more legitimate than the game. Our work introduces a new model for privacy, namely privacy as expectations. We report on the results of using crowdsourcing to capture users' expectations of what sensitive resources mobile apps use. We also report on a new privacy summary interface that prioritizes and highlights places where mobile apps break people's expectations. We conclude with a discussion of implications for employing crowdsourcing as a privacy evaluation technique.

References

[1]

"Katz v United States 389 U. S. 347." Available: http://en.wikipedia.org/wiki/Katz_v._United_States

[2]

S. Amini, et al., "Towards Scalable Evaluation of Mobile Applications through Crowdsourcing and Automation," CMU-CyLab-12-006, Carnegie Mellon University, 2012.

[3]

D. Barrera, et al., "A methodology for empirical analysis of permission-based security models and its application to android," In Proc. CCS, 2010.

Digital Library

[4]

A. Barth, et al., "Privacy and Contextual Integrity: Framework and Applications," In Proc. IEEE Symposium on Security and Privacy, 2006.

Digital Library

[5]

M. Benisch, et al., "Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs," Personal and Ubiquitous Computing, 2010.

Digital Library

[6]

A. Beresford, et al., "MockDroid: trading privacy for application functionality on smartphones," In Proc. HotMobile, 2011.

Digital Library

[7]

M. S. Bernstein, et al., "Soylent: a word processor with a crowd inside," In Proc. UIST, 2010.

Digital Library

[8]

C. Bravo-Lillo, et al., "Bridging the gap in computer security warnings: a mental model approach," IEEE Security & Privacy Magazine, 2010.

Digital Library

[9]

L. J. Camp, "Mental models of privacy and security," Technology and Society Magazine, IEEE, vol. 28, 2009.

[10]

E. Chin, et al., "Analyzing inter-application communication in Android," In Proc. MobiSys, 2011.

Digital Library

[11]

K. Craik, the nature of explanation, Cambridge University Press, 1943.

[12]

M. Egele, et al., "PiOS: Detecting Privacy Leaks in iOS Applications," In Proc. NDSS, 2011.

[13]

W. Enck, "Defending Users against Smartphone Apps: Techniques and Future Directions," in LNCS. vol. 7093, ed, 2011.

Digital Library

[14]

W. Enck, et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," In Proc. OSDI 2010.

Digital Library

[15]

W. Enck, et al., "A Study of Android Application Security," In Proc. USENIX Security Symposium, 2011.

Digital Library

[16]

A. P. Felt, et al., "Android permissions demystified," In Proc. CCS, 2011.

Digital Library

[17]

A. P. Felt, et al., "A survey of mobile malware in the wild," In Proc. SPSM, 2011.

Digital Library

[18]

A. P. Felt, et al., "Android Permissions: User Attention, Comprehension, and Behavior," UCB/EECS-2012-26, University of California, Berkeley, 2012.

Digital Library

[19]

A. P. Felt, et al., "Permission re-delegation: attacks and defenses," In Proc. USENIX conference on Security, 2011.

Digital Library

[20]

N. Good, et al., "Stopping spyware at the gate: a user study of privacy, notice and spyware," In Proc. SOUPS, 2005.

Digital Library

[21]

S. Grobart. "The Facebook Scare That Wasn't." Available: http://gadgetwise.blogs.nytimes.com/2011/08/10/the-facebook-scare-that-wasnt/

[22]

P. Hornyack, et al., "These aren't the droids you're looking for: retrofitting android to protect data from imperious applications," In Proc. CCS, 2011.

Digital Library

[23]

C. Jensen and C. Potts, "Privacy policies as decision-making tools: an evaluation of online privacy notices," In Proc. CHI, 2004.

Digital Library

[24]

J. Jeon, et al., "Dr. Android and Mr. Hide: Fine-grained security policies on unmodified Android," 2012.

[25]

P. G. Kelley, et al., "A "nutrition label" for privacy," In Proc. SOUPS, 2009.

Digital Library

[26]

P. G. Kelley, et al., "A Conundrum of permissions: Installing Applications on an Android Smartphone," In Proc. USEC, 2012.

Digital Library

[27]

G. Liu, et al., "Smartening the crowds: computational techniques for improving human verification to fight phishing scams," In Proc. SOUPS, 2011.

Digital Library

[28]

M. Nauman, et al., "Apex: extending Android permission model and enforcement with user-defined runtime constraints," In Proc. ASIACCS, 2010.

Digital Library

[29]

D. Norman, The design of everyday things: Basic Books, 2002.

Digital Library

[30]

L. Palen and P. Dourish, "Unpacking "privacy" for a networked world," In Proc. CHI, 2003.

Digital Library

[31]

S. Patil, et al., "With a little help from my friends: can social navigation inform interpersonal privacy preferences?," In Proc. Proceedings of the ACM 2011 conference on Computer supported cooperative work, 2011.

Digital Library

[32]

N. Sadeh, et al., "Understanding and Capturing People's Privacy Policies in a Mobile Social Networking Application," The Journal of Personal and Ubiquitous Computing, 2009.

Digital Library

[33]

D. J. Solove, "A Taxonomy of Privacy," University of Pennsylvania Law Review, Vol. 154, No. 3, January 2006.

[34]

A. Thampi. "Path uploads your entire iPhone address book to its servers." Available: http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html

[35]

S. Thurm and Y. I. Kane, "Your Apps are Watching You," WSJ, 2011.

[36]

T. Vidas, et al., "Curbing android permission creep," Proceedings of the Web, vol. 2, 2011.

[37]

A. Wagner. "Google Posts Refreshed Android Distribution Numbers." Available: http://www.twylah.com/surfingislander/tweets/177040176181288960

[38]

R. Wash, "Folk models of home computer security," In Proc. SOUPS, 2010.

Digital Library

[39]

Y. Zhou, et al., "Taming Information-Stealing Smartphone Applications (on Android)," In Proc. TRUST, 2011.

Digital Library

Cited By

Berkholz JRahman AStevens G(2025)Playing with Privacy: Exploring the Social Construction of Privacy Norms Through a Card GameProceedings of the ACM on Human-Computer Interaction10.1145/37012029:1(1-23)Online publication date: 10-Jan-2025
https://dl.acm.org/doi/10.1145/3701202
Liu WLee SYao M(2024)Acceptance and self-protection in government, commercial, and interpersonal surveillance contexts: An exploratory studyCyberpsychology: Journal of Psychosocial Research on Cyberspace10.5817/CP2024-4-918:4Online publication date: 18-Sep-2024
https://doi.org/10.5817/CP2024-4-9
Bisconti PAquilino LMarchetti ANardi DDas SGreen BVarshney KGanapini MRenda A(2024)A Formal Account of AI Trustworthiness: Connecting Intrinsic and Perceived TrustworthinessProceedings of the 2024 AAAI/ACM Conference on AI, Ethics, and Society10.5555/3716662.3716675(131-140)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.5555/3716662.3716675
Show More Cited By

Index Terms

Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing
1. Human-centered computing

Recommendations

Evaluation of a mobile mindfulness app distributed through on-line stores

Recently, interactive approaches aimed at helping people practice mindfulness have appeared in the literature. However, the few available user studies for such approaches focus only on short-term effects and are carried out in a lab or in a similar ...
"Little brothers watching you": raising awareness of data leaks on smartphones
SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security

Today's smartphone applications expect users to make decisions about what information they are willing to share, but fail to provide sufficient feedback about which privacy-sensitive information is leaving the phone, as well as how frequently and with ...
Elderly mental model of reminder system
APCHI '12: Proceedings of the 10th asia pacific conference on Computer human interaction

The growing numbers of elderly is inevitable. As we get older, we will experience some memory declines, thus an assistive technology such as reminder system is recommended. However, the uptake of reminder system is still low. Many researchers from the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

UbiComp '12: Proceedings of the 2012 ACM Conference on Ubiquitous Computing

September 2012

1268 pages

ISBN:9781450312240

DOI:10.1145/2370216

General Chair:
Anind K. Dey
Carnegie Mellon University
,
Program Chairs:
Hao-Hua Chu
National Taiwan University, Taiwan
,
Gillian Hayes
University of California, Irvine

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

SIGSPATIAL: ACM Special Interest Group on Spatial Information

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 September 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

Ubicomp '12

Sponsor:

Ubicomp '12: The 2012 ACM Conference on Ubiquitous Computing

September 5 - 8, 2012

Pennsylvania, Pittsburgh

Acceptance Rates

UbiComp '12 Paper Acceptance Rate 58 of 301 submissions, 19%;

Overall Acceptance Rate 764 of 2,912 submissions, 26%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

323
Total Citations
View Citations
4,086
Total Downloads

Downloads (Last 12 months)230
Downloads (Last 6 weeks)29

Reflects downloads up to 04 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Berkholz JRahman AStevens G(2025)Playing with Privacy: Exploring the Social Construction of Privacy Norms Through a Card GameProceedings of the ACM on Human-Computer Interaction10.1145/37012029:1(1-23)Online publication date: 10-Jan-2025
https://dl.acm.org/doi/10.1145/3701202
Liu WLee SYao M(2024)Acceptance and self-protection in government, commercial, and interpersonal surveillance contexts: An exploratory studyCyberpsychology: Journal of Psychosocial Research on Cyberspace10.5817/CP2024-4-918:4Online publication date: 18-Sep-2024
https://doi.org/10.5817/CP2024-4-9
Bisconti PAquilino LMarchetti ANardi DDas SGreen BVarshney KGanapini MRenda A(2024)A Formal Account of AI Trustworthiness: Connecting Intrinsic and Perceived TrustworthinessProceedings of the 2024 AAAI/ACM Conference on AI, Ethics, and Society10.5555/3716662.3716675(131-140)Online publication date: 21-Oct-2024
https://dl.acm.org/doi/10.5555/3716662.3716675
Dhondt KLe Pochat VDimova YJoosen WVolckaert SBalzarotti DXu W(2024)Swipe left for identity theftProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699183(5053-5070)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699183
Balash DAli MKanich CAviv AKelley PKapadia A(2024)"I would not install an app with this label"Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security10.5555/3696899.3696921(413-432)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696899.3696921
Saeed S(2024)Usable Privacy and Security in Mobile Applications: Perception of Mobile End Users in Saudi ArabiaBig Data and Cognitive Computing10.3390/bdcc81101628:11(162)Online publication date: 18-Nov-2024
https://doi.org/10.3390/bdcc8110162
Zhou Z(2024)Data extraction in dockless bikeshare: An analysis from users’ perspectiveBig Data & Society10.1177/2053951724129972411:4Online publication date: 21-Nov-2024
https://doi.org/10.1177/20539517241299724
Zhang XRafi TGuan YLi SLyu MFilkov VRay BZhou M(2024)Demystifying the Privacy-Realism Dilemma in the MetaverseProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694958(245-250)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691621.3694958
Bemmann FMayer S(2024)The Impact of Data Privacy on Users' Smartphone App Adoption DecisionsProceedings of the ACM on Human-Computer Interaction10.1145/36765258:MHCI(1-23)Online publication date: 24-Sep-2024
https://dl.acm.org/doi/10.1145/3676525
Alhirabi NBeaumont SRana OPerera C(2024)Designing Privacy-Aware IoT Applications for Unregulated DomainsACM Transactions on Internet of Things10.1145/36484805:2(1-32)Online publication date: 15-Feb-2024
https://dl.acm.org/doi/10.1145/3648480
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten