Governance for Big Data - January 2023

PI(s), Co-PI(s), Researchers:

  • Serge Egelman (ICSI)
  • Julia Bernd (ICSI)

HARD PROBLEM(S) ADDRESSED
Human Behavior, Policy-Governed Secure Collaboration

PUBLICATIONS

  • Nothing to report this quarter

KEY HIGHLIGHTS

Users' expectations regarding data collection regulation
We are continuing with our survey study, first described in our April 2022 report, which examines the relationship between U.S. consumers' expectations about how different types of apps will handle user data, and their assumptions about sector-specific laws regulating handling of health data. The study is examining users' expectations and preferences around who is responsible and who should be responsible for regulating data collection and handling, and whether users have different expectations and preferences about regulation of health vs. other types of data.

  • We revised the survey based on insights from user-testing walkthroughs and a small pilot.
  • We collected data from 300 participants. We showed each participant one out of six possible app descriptions (where the made-up apps had different purposes, some of which were medical or health-related and some of which were not), and asked them to make some guesses about the app's data practices. We then asked a series of questions about whether those practices were legal and allowed by app stores (and whether they should be), along with questions designed to confirm whether the participants view the apps or data practices as medical/health related.
  • We are beginning quantitative analysis of the data.
  • We are also contributing to the design of a separate survey (led by others in our research group) that will compare users' expectations about the data practices and privacy policies of actual health apps with what is really going on based on network traffic analysis.


Evaluating data broker claims about consent for data collection
For this study, we created a list of data brokers that purport to sell data that is collected with the consent of mobile users so that we could evaluate their claims about consent and the anonymity of the data. After a great deal of effort in identifying and contacting data brokers, we found that in the wake of the FTC's Kochava case, most data brokers now require the signing of very onerous NDAs before they will share sample data. Thus, we changed course and worked to identify other sources for this data (e.g., data breaches on underground forums). We have also created a survey to send to consumers to assess what they recall about granting consent and are awaiting IRB approval for the survey.


The effect of privacy guidance on developers' abilities to discover privacy compliance issues/vulnerabilities

After finding that developers don't always understand privacy issues for their apps and need guidance on how to improve the privacy of their apps, we decided to design a series of studies to evaluate new tools designed to help developers write software that is more likely to comply with privacy laws. This project will emphasize the importance of code review for discovering privacy vulnerabilities and shed light on how to help developers strengthen their ability to discover privacy vulnerabilities. We will design a privacy checklist and then investigate whether using it leads developers to discover the privacy vulnerabilities/compliance issues we embed in a skeleton child-directed app adapted/implemented for the purposes of the study. The study will show whether providing explicit privacy guidance to developers could help them make their apps compliant with applicable privacy regulations and which form of guidance is most effective.

COMMUNITY ENGAGEMENTS

  • Nothing to report this quarter.

EDUCATIONAL ADVANCES:

  • Our study examining users' expectations regarding data collection regulation is being led by a UC Berkeley computer science grad student.
  • The studies on data brokers are being led by two UC Berkeley undergraduates.
  • The studies evaluating new developer tools for writing software that complies with privacy laws will form the basis of a PhD dissertation that should be completed in the next year.