privacy, law, and engineering & smartphones public policy...
TRANSCRIPT
1
CyLab Usable Privacy & Security Laboratory
HTTP://CUPS.CS.CMU.EDU
Engineering & Public Policy
CyLab
Privacy, Law, and Smartphones
Rebecca Balebako, PhD Candidate
Advisor: Dr. Lorrie Cranor
2
Privacy and Security Concerns
Smartphone
Public Policy
Privacy and Security
3
Smartphones
• Increasingly popular
• Smartphones are different from personal computers:
  – Sensors
  – Always on
  – Immature
  – Smaller screens
4
Information on smartphones
5
Evaluating smartphone interfaces
6
California Attorney General
7
App Developers Should…
• Data checklist for PII
• Avoid or limit PII
• Develop a privacy policy
• Limit data collection
• Limit data retention
• Special notices for unexpected data practices “to enable meaningful practices”
• Give users access
8
Do apps on your phone:
• Have privacy policy
• Give you control/access over data collected
• Have ‘Special Notices’
9
Recent Policy: White House
10
Recent Policy: FTC Staff Report
11
Developing Policy: NTIA MHP
12
Multi-stakeholder process (MSHP)
• Open meetings
• MSHP vs. self-regulation
13
NTIA MSHP vs W3C
• Communication (email, in-person, etc.)
• Goal (Code of Conduct vs. tech standard)
• Novelty of MSHP
Credits – Michael Heiss / FlickR
14
Data Types
• Biometrics (information about your body, including fingerprints, facial recognition, signatures and/or voice print.)
• Browser History and Phone or Text Log (A list of websites visited, or the calls or texts made or received.)
• Contacts (including list of contacts, social networking connections or their phone numbers, postal, email and text addresses.)
• Financial Information (Includes credit, bank and consumer-specific financial information such as transaction data.)
• Health, Medical or Therapy Information (including health claims and information used to measure health or wellness.)
• Location (precise past or current location and history of where a user has gone.)
• User Files (files stored on the device that contain your content, such as calendar, photos, text, or video.)
15
Third-Party Entities
• Ad Networks (Companies that display ads to you through apps.)
• Carriers (Companies that provide mobile connections.)
• Consumer Data Resellers (Companies that sell consumer information to other companies for multiple purposes including offering products and services that may interest you.)
• Data Analytics Providers (Companies that collect and analyze your data.)
• Government Entities (Any sharing with the government except where required or expressly permitted by law.)
• Operating Systems and Platforms (Software companies that power your device, app stores, and companies that provide common tools and information for apps about app consumers.)
• Other Apps (Other apps of companies that the consumer may not have a relationship with.)
• Social Networks (Companies that connect individuals around common interests and facilitate sharing.)
16
Survey
17
Common understanding
[Chart: axis from 0% to 100%. Scenarios shown (app: data recipient): SuperTax: State Agency; EasyApply: State Agencies; SuperTax: Federal Agency; iTunes: Facebook; CallCalendar: Carrier; Bookstore: Facebook; FindMyKid: Local Police; GoodDriver: Traffic Data Company; CallCalendar: Google Calendar; FindMyKid: Parent's Phone; iTunes: Apple iCloud; Bookstore: GreatReading; GoodDriver: Car Insurance; GoodDriver: Car Rental; HipClothes: Other Clothing Stores; Salsa: AdMeMetric; Fitness: Sports Companies; Salsa: Ad Companies; Fitness: Health Companies. Legend: Ad Networks, Carriers, Consumer Data Resellers, Data Analytics Providers, Government Entities, Operating Systems and Platforms, Other Apps, Social Networks, None, Not Sure.]
18
Why so bad?
• Process Fatigue
• What is usability?
• Cost of usability tests
• Process issues
19
Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice
Technical reports: CMU-CyLab-13-011
20
Different Study
21
App Developers
• 200,000 iOS developers
• 800,000 iOS apps and 800,000 Android apps
• Low barrier to entry
22
Information on smartphones
23
App Developer study
• Exploratory Interviews (13)
• Quantitative on-line study (228)
24
Interview app developers
• How do they decide what privacy and security measures to take?
  – Search engines
  – Some training
  – Talk to friends
  – May have access to legal counsel
  – May need legal counsel
25
App developer tools
• Do
  – Cloud computing
  – Authentication (Facebook)
  – Analytics such as Google and Flurry
  – Open source tools such as mysql
• Don’t
  – Privacy Policy generators
  – Security audits
  – Read third-party privacy policies
  – Delete data
26
Quantitative Survey
• Behaviors:
  – Privacy Policy
  – CPO or equivalent
  – Encrypt stored data
  – Use SSL
  – Data minimization
27
Company size
28
Company size
29
| Data Type | Collect or Store |
|---|---|
| Parameters specific to my app | 83.9% |
| Which apps are installed | 73.9% |
| Location | 71.6% |
| Advertising ID | 70.6% |
| Sensor (not location) | 63.0% |
| Phone Id | 54.5% |
| Contacts | 54.0% |
| Phone Number | 44.1% |
| Password | 35.5% |
| Credit Card Information | 30.3% |
32
Thanks!