choice’architecture’and’ smartphone’privacy:’...adverse’selecaon’in’app’markets’...
TRANSCRIPT
![Page 1: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/1.jpg)
Choice Architecture and Smartphone Privacy: There’s A Price for That
Serge Egelman Adrienne Porter Felt David Wagner
UC Berkeley 1
![Page 2: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/2.jpg)
Adverse selecAon in app markets
Example: SMS – 73% of malware uses SMS capability – 3% of legiAmate applicaAons use it SMS capability signals potenAal malware
Advice: “Don’t use apps that require SMS”
Is it possible to follow this advice?
2
∴ ∴
A. P. Felt, M. FiniOer, E. Chin, S. Hanna, and D. Wagner. A Survey of Mobile Malware in The Wild. ACM Workshop on Security and Privacy in Mobile Devices (SPSM) 2011.
![Page 3: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/3.jpg)
EXAMPLE: INSTALLATION
3
![Page 4: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/4.jpg)
Step 1: Search
4
![Page 5: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/5.jpg)
Step 2: Select applicaAon
5
![Page 6: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/6.jpg)
Step 3: View descripAon
6
![Page 7: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/7.jpg)
Step 4: View permissions
7
![Page 8: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/8.jpg)
Step 5: View permissions…sAll
8
Services that cost you money Send SMS messages
![Page 9: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/9.jpg)
Step 6: Go back
9
![Page 10: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/10.jpg)
Step 7: Go back
10
![Page 11: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/11.jpg)
Step 8: Select applicaAon
11
![Page 12: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/12.jpg)
Step 9: View descripAon
12
![Page 13: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/13.jpg)
Step 10: View permissions
13
![Page 14: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/14.jpg)
Android permissions
Users don’t noAce permissions – Online survey: • 17.5% claimed to look at permissions
– Laboratory experiment: • 17% looked at permissions during installaAon • 42% completely unaware permissions existed
A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User ACenDon, Comprehension, and Behavior. In Proceedings of the 2012 Symposium on Usable Privacy and Security (SOUPS). 14
![Page 15: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/15.jpg)
What permissions do users actually care about?
How does choice architecture impact user preference?
15
![Page 16: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/16.jpg)
What do users actually care about?
Android currently has 124 different permissions Only locaAon has been extensively studied LocaAon represents 1% of the permission space
16
![Page 17: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/17.jpg)
Experiment 1: an upper bound
When choice is made “obvious,” will users indicate a willingness to pay more to disclose less data? Web-‐based survey of 483 U.S. residents Recruited from Mechanical Turk Asked to select app most willing to purchase
17
![Page 18: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/18.jpg)
18
![Page 19: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/19.jpg)
Methodology
Controlled for price and permissions: Counter-‐balanced: – Names – DescripAons – Icons – Screenshots
$0.49 $0.99 $1.49 $1.99
Internet LocaAon (GPS) Record Audio
Internet Record Audio
Internet LocaAon (GPS)
Internet
19
![Page 20: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/20.jpg)
Hypotheses
H0: Each price/privacy variant will be chosen with equal probability H1: Price-‐sensiDve parDcipants will choose the least-‐expensive opDon H2: Privacy-‐sensiDve parDcipants will choose the high-‐privacy opDon (i.e., most expensive)
20
![Page 21: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/21.jpg)
Results
H0 is rejected: χ2=102.9, p<0.0005
120 74 77
212
0
50
100
150
200
250
$1.99 $1.49 $0.99 $0.49
Decreasing privacy 21
![Page 22: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/22.jpg)
Exit survey
Rate the following influencing factors: – Number of downloads – Icon – Size of app – Permissions requested – DescripAon – Name of app – RaAng/Reviews – Familiarity with app – Cost – Manufacturer of app
22
![Page 23: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/23.jpg)
Exit survey
CorrelaAon between stated price sensiAvity and price of app selected: r=-‐0.39, p<0.0005 CorrelaAon between stated privacy sensiAvity and price of app selected: r=0.33, p<0.004 $1.99 $1.49 $0.99 $0.49
1. Permissions (46%) 2. DescripAon (23%) 3. Icon (9%)
1. DescripAon (41%) 2. Permissions (18%) 3. Cost (16%)
1. Cost (33%) 2. DescripAon (15%) 3. Icon (14%)
1. Cost (62%) 2. DescripAon (15%) 3. RaAngs (6%)
120 74 77 212
23
![Page 24: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/24.jpg)
Summary
ParAcipants less concerned with price were willing to consider other differences (e.g., privacy) …but this represents an idealized version of the Market, where side-‐by-‐side comparisons occur
24
![Page 25: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/25.jpg)
Experiment 2: app valuaAon
When presented with a single app, how do permission requests impact users’ valuaAons? Posed as an app developer soliciAng users for a private beta. Willingness to pay experiment modeled aOer Danezis et al.
25 G. Danezis, S. Lewis, and R. Anderson. How much is locaAon privacy worth? In online proceedings of the Workshop on the Economics of InformaAon Security (WEIS), 2005.
![Page 26: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/26.jpg)
Methodology
Single app presented with price ($0.99) – Permission requests were randomized:
How much compensaAon needed to install/use? – Reverse Vickrey aucAon
Suggested retail price?
26
1 2 3 4 5
Internet
Internet Contacts
Internet LocaAon (GPS)
Internet Photos
Internet Contacts LocaAon (GPS) Photos
![Page 27: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/27.jpg)
27
![Page 28: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/28.jpg)
Results
353 Android-‐using parAcipants Bids changed only with respect to contacts: Permissions had no observable effect on suggested prices – Strong anchoring effect 28
β t Significance
(Constant) Contacts LocaAon Photos
0.168 0.011 -‐0.027
7.435 3.104 0.215 -‐0.494
p<0.001 p<0.002 p<0.830 p<0.622
F3=3.294, p<0.021
![Page 29: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/29.jpg)
Concern with permissions
Exit survey asked about factors considered – Cost was consistently first, regardless of permissions requested
– Permissions were more likely to be considered amongst those viewing request for all four than those only viewing request for Internet access (U=6227, p<0.015) • However, moved from 4th to 5th
29
![Page 30: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/30.jpg)
Summary
When architecture supported side-‐by-‐side comparisons, 25% stated willingness to pay $1.50 over $0.49 base price for fewer permissions. When valuaAng a single app, permissions are unlikely to be considered. RelaAvely speaking, users unconcerned with locaAon.
30
![Page 31: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/31.jpg)
Caveats
ApplicaAon-‐specific vs. funcAon-‐specific searches Stated willingness, rather than observaAon of completed transacAons Results are upper bounds
31
![Page 32: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/32.jpg)
Caveats
32
![Page 33: Choice’Architecture’and’ Smartphone’Privacy:’...Adverse’selecAon’in’app’markets’ Example:’SMS’ – 73%’of’malware’uses’SMS’capability’ – 3%’of’legiAmate’applicaons’use’it!SMS](https://reader036.vdocuments.mx/reader036/viewer/2022071609/6148d1be2918e2056c22efc0/html5/thumbnails/33.jpg)
Moving forward
Architecture should support comparison shopping based on concerning permissions …and not bother users with requests for unconcerning ones InstallaAon is not the most appropriate Ame to make most permission requests
33 A. P. Felt, S. Egelman, M. FiniOer, D. Akhawe, and D. Wagner. How to Ask for Permissions. In Proceedings of the USENIX Workshop on Hot Topics in Security (HotSec), 2012.