skip to main content


Title: Predicting smartphone location-sharing decisions through self-reflection on past privacy behavior
Abstract Smartphone location sharing is a particularly sensitive type of information disclosure that has implications for users’ digital privacy and security as well as their physical safety. To understand and predict location disclosure behavior, we developed an Android app that scraped metadata from users’ phones, asked them to grant the location-sharing permission to the app, and administered a survey. We compared the effectiveness of using self-report measures commonly used in the social sciences, behavioral data collected from users’ mobile phones, and a new type of measure that we developed, representing a hybrid of self-report and behavioral data to contextualize users’ attitudes toward their past location-sharing behaviors. This new type of measure is based on a reflective learning paradigm where individuals reflect on past behavior to inform future behavior. Based on data from 380 Android smartphone users, we found that the best predictors of whether participants granted the location-sharing permission to our app were: behavioral intention to share information with apps, the “FYI” communication style, and one of our new hybrid measures asking users whether they were comfortable sharing location with apps currently installed on their smartphones. Our novel, hybrid construct of self-reflection on past behavior significantly improves predictive power and shows the importance of combining social science and computational science approaches for improving the prediction of users’ privacy behaviors. Further, when assessing the construct validity of the Behavioral Intention construct drawn from previous location-sharing research, our data showed a clear distinction between two different types of Behavioral Intention: self-reported intention to use mobile apps versus the intention to share information with these apps. This finding suggests that users desire the ability to use mobile apps without being required to share sensitive information, such as their location. These results have important implications for cybersecurity research and system design to meet users’ location-sharing privacy needs.  more » « less
Award ID(s):
1814439
NSF-PAR ID:
10289662
Author(s) / Creator(s):
; ; ;
Date Published:
Journal Name:
Journal of Cybersecurity
Volume:
6
Issue:
1
ISSN:
2057-2085
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Location sharing is a particularly sensitive type of online information disclosure. To explain this behavior, we compared the effectiveness of using self-report measures drawn from the literature, behavioral data collected from mobile phones, and a new type of measure that represents a hybrid of self-report and behavioral data to contextualize users’ attitudes toward their past location sharing behaviors. This new measure was based on a reflective learning paradigm, where one reflects on past behavior to inform future behavior. Based on a study of Android smartphone users (N=114), we found that the construct ‘FYI About Myself’ and our new reflective measure of one’s comfort with sharing location with apps on the smartphone were the best predictors of location sharing behavior. Surprisingly, Behavioral Intention, a commonly used proxy for actual behavior, was not a significant predictor. These results have important implications for privacy research and designing systems to meet users’ location sharing privacy needs. 
    more » « less
  2. Location sharing is a particularly sensitive type of online information disclosure. To explain this behavior, we compared the effectiveness of using self-report measures drawn from the literature, behavioral data collected from mobile phones, and a new type of measure that represents a hybrid of self-report and behavioral data to contextualize users’ attitudes toward their past location sharing behaviors. This new measure was based on a reflective learning paradigm, where one reflects on past behavior to inform future behavior. Based on a study of Android smartphone users (N=114), we found that the construct ‘FYI About Myself’ and our new reflective measure of one’s comfort with sharing location with apps on the smartphone were the best predictors of location sharing behavior. Surprisingly, Behavioral Intention, a commonly used proxy for actual behavior, was not a significant predictor. These results have important implications for privacy research and designing systems to meet users’ location sharing privacy needs. 
    more » « less
  3. We conducted a user study with 380 Android users, profiling them according to two key privacy behaviors: the number of apps installed, and the Dangerous permissions granted to those apps. We identified four unique privacy profiles: 1) Privacy Balancers (49.74% of participants), 2) Permission Limiters (28.68%), 3) App Limiters (14.74%), and 4) the Privacy Unconcerned (6.84%). App and Permission Limiters were significantly more concerned about perceived surveillance than Privacy Balancers and the Privacy Unconcerned. App Limiters had the lowest number of apps installed on their devices with the lowest intention of using apps and sharing information with them, compared to Permission Limiters who had the highest number of apps installed and reported higher intention to share information with apps. The four profiles reflect the differing privacy management strategies, perceptions, and intentions of Android users that go beyond the binary decision to share or withhold information via mobile apps. 
    more » « less
  4. The prevalence of smartphones in our society warrants more research on understanding the characteristics of users and their information privacy behaviors when using mobile apps. This paper investigates the antecedents and consequences of “power use” (i.e., the competence and desire to use technology to its fullest) in the context of informational privacy. In a study with 380 Android users, we examined how gender and users’ education level influence power use, how power use affects users’ intention to install apps and share information with them versus their actual privacy behaviors (i.e., based on the number of apps installed and the total number of “dangerous permission” requests granted to those apps). Our findings revealed an inconsistency in the effect of power use on users’ information privacy behaviors: While the intention to install apps and to share information with them increased with power use, the actual number of installed apps and dangerous permissions ultimately granted decreased with power use. In other words, although the self-reported intentions suggested the opposite, people who scored higher on the power use scale seemed to be more prudent about their informational privacy than people who scored lower on the power use scale. We discuss the implications of this inconsistency and make recommendations for reconciling smartphone users’ informational privacy intentions and behaviors. 
    more » « less
  5. The transparency and privacy behavior of mobile browsers has remained widely unexplored by the research community. In fact, as opposed to regular Android apps, mobile browsers may present contradicting privacy behaviors. On the one end, they can have access to (and can expose) a unique combination of sensitive user data, from users’ browsing history to permission-protected personally identifiable information (PII) such as unique identifiers and geolocation. However, on the other end, they also are in a unique position to protect users’ privacy by limiting data sharing with other parties by implementing ad-blocking features. In this paper, we perform a comparative and empirical analysis on how hundreds of Android web browsers protect or expose user data during browsing sessions. To this end, we collect the largest dataset of Android browsers to date, from the Google Play Store and four Chinese app stores. Then, we developed a novel analysis pipeline that combines static and dynamic analysis methods to find a wide range of privacy-enhancing (e.g., ad-blocking) and privacy-harming behaviors (e.g., sending browsing histories to third parties, not validating TLS certificates, and exposing PII---including non-resettable identifiers---to third parties) across browsers. We find that various popular apps on both Google Play and Chinese stores have these privacy-harming behaviors, including apps that claim to be privacy-enhancing in their descriptions. Overall, our study not only provides new insights into important yet overlooked considerations for browsers’ adoption and transparency, but also that automatic app analysis systems (e.g., sandboxes) need context-specific analysis to reveal such privacy behaviors. 
    more » « less