Visible to the public Scalable Privacy Analysis - April 2022Conflict Detection Enabled

Submitted by Serge Egelman on Wed, 09/14/2022 - 4:28pm

PI(s), Co-PI(s), Researchers:

  • Serge Egelman (ICSI)
  • Narseo Vallina-Rodriguez (IMDEA)
  • Primal Wijesekera (ICSI)

HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics

PUBLICATIONS

  • Under review:
    Noura Alomar and Serge Egelman. Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps. In Proceedings on Privacy Enhancing Technologies (PoPETS), 2022(4).
  • Accepted for publication:
    Alisa Frik, Juliann Kim, Joshua Rafael Sanchez, and Joanne Ma. Users' Expectations About and Use of Smartphone Privacy and Security Settings. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI 2022), April 29-May 5, 2022, New Orleans, LA, USA. ACM, New York, NY, USA, 24 pages.

KEY HIGHLIGHTS

  • Root detection study:
    We have finished analyzing our testing data from ~10k apps, and expect to submit to a top tier conference in the next quarter. (We're still in the process of writing up our results.)

  • We wrote up our study of developers and submitted it to PETS. Abstract:

    • We investigate the privacy compliance processes followed by developers of child-directed mobile apps. While children's online privacy laws have existed for decades in the US, prior research found relatively low rates of compliance. Yet, little is known about how compliance issues come to exist and how compliance processes can be improved to address them. Our results, based on surveys (n=127) and interviews (n=27), suggest that most developers rely on app markets to identify privacy issues, they lack complete understandings of the third-party SDKs they integrate, and they find it challenging to ensure that these SDKs are kept up-to-date and privacy-related options are configured correctly. As a result, we find that well-resourced app developers outsource most compliance decisions to auditing services, and that smaller developers follow "best-effort" models, by assuming that their apps are compliant so long as they have not been rejected by app markets. We highlight the need for usable tools that help developers identify and fix mobile app privacy issues.

  • Log study:
    We have been examining the personal data that ends up in system logs on mobile devices, and then where that data goes. While user-installed apps are not supposed to be able to access this data, there exists an entire ecosystem of pre-installed apps and SDKs that creates severe security issues (e.g., there is no oversight over the apps that are pre-installed by manufacturers and carriers, many of which uses the same privacy-invasive ad SDKs as user-installed third-party apps). We spent the past several months using web assembly to build a website that allows us to collect system logs from Android devices, search it for personal information, and then report anonymous aggregate statistics, all from within the browser (so that no sensitive data leaves the network). Our data collection site can be examined here: https://pages.cpsc.ucalgary.ca/~allan.lyons/webadb/participate.html

    We spent most of this quarter collecting data from ~1500 users' devices and are currently analyzing the results. We have discovered several potential vulnerabilities, which we are documenting and coordinating with Google.

  • We had a CHI paper accepted on users and smartphone security settings. Abstract:
    With the growing smartphone penetration rate, smartphone settings remain one of the main models for information privacy and security controls. Yet, their usability is largely understudied, especially with respect to the usability impact on underrepresented socio-economic and low-tech groups. In an online survey with 178 users, we find that many people are not aware of smartphone privacy and security settings, their defaults, and have not configured them in the past, but are willing to do it in the future. Some participants perceive low self-efficacy and expect difficulties and usability issues with configuring those settings. Finally, we find that certain socio-demographic groups are more vulnerable to risks and feel less prepared to use smartphone settings to protect their online privacy and security.

COMMUNITY ENGAGEMENTS

  • PI Egelman has been interviewed by several reporters about online privacy issues.
  • Colleagues accepted the AEPD Privacy Research Award in Madrid.

EDUCATIONAL ADVANCES:

  • Several graduate and undergraduate students are participating in this research.
Groups: