The dominant privacy framework of the information age relies on notions of “notice and consent.” That is, service providers will disclose, often through privacy policies, their data collection practices, and users can then consent to their terms. However, it is unlikely that most users comprehend these disclosures, which is due in no small part to ambiguous, deceptive, and misleading statements. By comparing actual collection and sharing practices to disclosures in privacy policies, we demonstrate the scope of the problem.
Through analysis of 68,051 apps from the Google Play Store, their corresponding privacy policies, and observed data transmissions, we investigated the potential misrepresentations of apps in the Designed For Families (DFF) program, inconsistencies in disclosures regarding third-party data sharing, as well as contradictory disclosures about secure data transmissions. We find that of the 8,030 DFF apps (i.e., apps directed at children), 9.1% claim that their apps are not directed at children, while 30.6% claim to have no knowledge that the received data comes from children. In addition, we observe that 10.5% of 68,051 apps share personal identifiers with third-party service providers, yet do not declare any in their privacy policies, and only 22.2% of the apps explicitly name third parties. This ultimately makes it not only difficult, but in most cases impossible, for users to establish where their personal data is being processed. Furthermore, we find that 9,424 apps do not use TLS when transmitting personal identifiers, yet 28.4% of these apps claim to take measures to secure data transfer. Ultimately, these divergences between disclosures and actual app behaviors illustrate the ridiculousness of the notice and consent framework.
more »
« less
Analysis of Non-Discrimination Policies in the Sharing Economy
Recent research has exposed a serious discrimination problem affecting applications of the Digital Sharing Economy (DSE), such as Uber, Airbnb, and TaskRabbit. To control for this problem, several DSE apps have crafted a new form of usage policies, known as non-discrimination policies (NDPs). These policies are intended to outline end-users' rights of equal treatment and describe how acts of bias and discrimination over DSE apps are identified and prevented. However, there is still a major knowledge gap in how such non-code artifacts can be formulated, structured, and evolved. To bridge this gap, in this paper, we introduce a first-of-its-kind framework for analyzing and evaluating the content of NDPs in the DSE market. Our analysis is conducted using a dataset of 108 DSE apps, sampled from a broad range of application domains. Our results show that, a) most DSE apps do not provide a separate NDP, b) the majority of existing policies are either extremely brief or combined as sub-statements of other usage policies, and c) most apps do not provide a clear statement of how their NDPs are enforced. Our analysis in this paper is intended to assist DSE app developers with drafting and evolving more comprehensive NDPs as well as help end-users of these apps to make more informed socioeconomic decisions in one of the fastest growing software ecosystems in the world.
more »
« less
- Award ID(s):
- 1951411
- PAR ID:
- 10339566
- Date Published:
- Journal Name:
- Proceedings
- ISSN:
- 2576-3148
- Page Range / eLocation ID:
- 104 - 113
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Furnell, Steven (Ed.)A huge amount of personal and sensitive data is shared on Facebook, which makes it a prime target for attackers. Adversaries can exploit third-party applications connected to a user’s Facebook profile (i.e., Facebook apps) to gain access to this personal information. Users’ lack of knowledge and the varying privacy policies of these apps make them further vulnerable to information leakage. However, little has been done to identify mismatches between users’ perceptions and the privacy policies of Facebook apps. We address this challenge in our work. We conducted a lab study with 31 participants, where we received data on how they share information in Facebook, their Facebook-related security and privacy practices, and their perceptions on the privacy aspects of 65 frequently-used Facebook apps in terms of data collection, sharing, and deletion. We then compared participants’ perceptions with the privacy policy of each reported app. Participants also reported their expectations about the types of information that should not be collected or shared by any Facebook app. Our analysis reveals significant mismatches between users’ privacy perceptions and reality (i.e., privacy policies of Facebook apps), where we identified over-optimism not only in users’ perceptions of information collection, but also on their self-efficacy in protecting their information in Facebook despite experiencing negative incidents in the past. To the best of our knowledge, this is the first study on the gap between users’ privacy perceptions around Facebook apps and the reality. The findings from this study offer directions for future research to address that gap through designing usable, effective, and personalized privacy notices to help users to make informed decisions about using Facebook apps.more » « less
-
Applications of the Digital Sharing Economy (DSE), such as Uber, Airbnb, and TaskRabbit, have become a main facilitator of economic growth and shared prosperity in modern-day societies. However, recent research has revealed that the participation of minority groups in DSE activities is often hindered by different forms of bias and discrimination. Evidence of such behavior has been documented across almost all domains of DSE, including ridesharing, lodging, and freelancing. However, little is known about the underlying design decisions of DSE platforms which allow certain demographics of the market to gain unfair advantage over others. To bridge this knowledge gap, in this paper, we systematically synthesize evidence from 58 interdisciplinary studies to identify the pervasive discrimination concerns affecting DSE platforms along with their triggering features and mitigation strategies. Our objective is to consolidate such interdisciplinary evidence from a software design point of view. Our results show that existing evidence is mainly geared towards documenting and mitigating issues of racism and sexism affecting platforms of ridesharing, lodging, and freelancing. Our review further shows that discrimination concerns in the DSE market are commonly enabled by features of user profiles and commonly impact reputation systems.more » « less
-
This study focuses on identifying the factors contributing to a sense of personal responsibility that could improve understanding of insecure cybersecurity behavior and guide research toward more effective messaging targeting non-adopting populations. Towards that, we ran a 2(account type)x2(usage scenario)x2(message type) between-group study with 237 United States adult participants on Amazon MTurk, and investigated how the non-adopting population allocates blame, and under what circumstances they blame the end user among the parties who hold responsibility: the software companies holding data, the attackers exposing data, and others. We find users primarily hold service providers accountable for breaches but they feel the same companies should not enforce stronger security policies on users. Results indicate that people do hold end users accountable for their behavior in the event of a breach, especially when the users’ behavior affects others. Implications of our findings in risk communication is discussed in the paper.more » « less
-
null (Ed.)A new mobile computing paradigm, dubbed mini-app, has been growing rapidly over the past few years since being introduced by WeChat in 2017. In this paradigm, a host app allows its end-users to install and run mini-apps inside itself, enabling the host app to build an ecosystem around (much like Google Play and Apple AppStore), enrich the host's functionalities, and offer mobile users elevated convenience without leaving the host app. It has been reported that there are over millions of mini-apps in WeChat. However, little information is known about these mini-apps at an aggregated level. In this paper, we present MiniCrawler, the first scalable and open source WeChat mini-app crawler that has indexed over 1,333,308 mini-apps. It leverages a number of reverse engineering techniques to uncover the interfaces and APIs in WeChat for crawling the mini-apps. With the crawled mini-apps, we then measure their resource consumption, API usage, library usage, obfuscation rate, app categorization, and app ratings at an aggregated level. The details of how we develop MiniCrawler and our measurement results are reported in this paper.more » « less