PrivacyInformer:/Automatic/ PrivacyDescriptionGeneratorfor...

PrivacyInformer:  Automatic  Privacy  Description  Generator  for  MIT  App  Inventor  

Daniela  Miao  Aug  7th,  2014   1

At  a  glance  •  Motivation  •  Overview  of  the  System  

– User  Interface  – Project  Source  Analysis  – Mobile  Integration  

•  Exploratory  User  Study  •  Policy  Discussion  •  Future  Work  &  Summary  

2  

Motivation  

3  

•  Many  privacy  concerns  in  the  mobile  apps  market  

•  Privacy  policies  provide  one  method  to  inform  end  users,  but  they  are  usually  long  and  difJicult  to  understand  – Would  take  one  month  to  read  all  privacy  policies  of  websites  an  average  user  visits  in  a  year  

•  Mobile  apps  developers  don’t  like  to  write  privacy  policies  

Motivation  

4  

•  App  Inventor  developers  use  visual  components,  so  we  can  automatically  generate  privacy  documents  by  analyzing  the  “source  code”  

•  Pre-­‐generated  templates  can  be  associated  with  privacy-­‐sensitive  components  –  One  for  location  sensor,  one  for  accelerometer  sensor  etc.  

•  Final  privacy  description  is  generated  at  compile  time  

Privacy  Policy  vs.  Privacy  Description  •  Online  privacy  policy  generators  help  developers  with  legal  preparation  –  ensures  regulations  are  followed  

•  PrivacyInformer  generates  a  short,  usable  privacy  document,  contents  are  not  vetted  by  legal  experts  

•  Privacy  description  focuses  on  describing  just  the  privacy-­‐sensitive  behaviors  of  the  application  

5  

Permissions  vs.  Privacy  Description  •  Permissions  cover  broad  classes  of  functionalities,  offering  little  meaningful  information  to  users  

•  PrivacyInformer  analyzes  blocks  code  in  an  attempt  to  convey  behaviors,  and  how  data  is  collected  and  disseminated  6  

7  

System  Overview  

1.  User  Interface  –  Adding  the  new  view  for  PrivacyInformer  –  Integration  with  current  App  Inventor  UI  

2.  “Source  code”  Analysis  –  Find  Jiles  that  store  component  and  blocks  info  –  Parse,  analyze  and  extract  information  to  construct  

intermediate  data  structure  –  Linked  Data  –  Produce  human-­‐readable  privacy  description  

3.  Packaging  the  generated  privacy  description  into  the  compiled  apk  at  build  time  

–  Make  it  viewable  via  Android  menu  options  8  

System  Overview  

9  

User  Interface  

•  Real-­‐time  access  of  project  “source”  needed  •  Find  source  Jiles:  JSON  and  XML  

“Source  code”  Analysis  

JSON  XML  

•  Intermediate  data  structure  needed  to  represent  the  privacy  description  of  each  application  

•  Linked  Data  (LD)  is  Jlexible  –  just  needed  to  create  relevant  ontological  terms  to  deJine  App  Inventor  and  Android  concepts  – Hosted  at  http://dig.csail.mit.edu/2014/PrivacyInformer    

•  Privacy  description  generated  in  Linked  Data  format  by  combining  pre-­‐generated  LD  templates  for  privacy-­‐sensitive  components,  as  well  as  analyzing  relationships  between  blocks  

11  

“Source  code”  Analysis  

•  Privacy  templates  are  created  for  a  pre-­‐deJined  set  of  “privacy-­‐sensitive”  components  –  For  testing  purposes:  AccelerometerSensor,  LocationSensor,  Web  

•  Templates  contain  information  that  is  unlikely  to  change:  function  of  the  component,  what  permissions  it  has  etc.  

12  

“Source  code”  Analysis  

•  Source  Jile  provides  a  list  of  privacy-­‐sensitive  components  used  

•  Appropriate  templates  are  included  in  the  privacy  description  of  the  application  

13  

“Source  code”  Analysis  Privacy  Templates  

Generated  Description  

•  Details  for  LocationSensor  

•  Details  for  Web  JSON  

•  Blocks  source  code  analyzed  to  capture  pair-­‐wise  interactions  between  privacy-­‐sensitive  components  

•  Certain  methods  are  pre-­‐deJined  as  “potentially  privacy  leaking”  14  

“Source  code”  Analysis  

Accelerometer:Shaking    ai:connectsTo      Web:PostText  

Web:PostText    ai:connectsTo      Location:Lat  

Accelerometer:Shaking    ai:connectsTo      Location:Lat  

•  Privacy  description  produced  in  Linked  Data  format  (machine-­‐readable)  à  HTML  (human-­‐readable)  

15  

“Source  code”  Analysis  

Accelerometer:Shaking        ai:connectsTo  Web:PostText    Web:PostText  ai:connectsTo  Location:Latitude    Accelerometer:Shaking        ai:connectsTo  Location:Latitude  

•  Web:PostText  was  pre-­‐deJined  as  “potentially  data  leaking”,  hence  the  operations  highlighted  in  red  indicate  where  the  user’s  data  may  leak  

16  

“Source  code”  Analysis  

Accelerometer:Shaking        ai:connectsTo  Web:PostText    Web:PostText  ai:connectsTo  Location:Latitude    Accelerometer:Shaking        ai:connectsTo  Location:Latitude  

•  Compiler  packages  HTML  and  Linked  Data  Jile  into  the  downloaded  apk    •  An  Android  menu  option  allows  users  to  view  the  privacy  description  

17  

Mobile  Integration  

•  Basic  online  survey  to  get  feedback  on  the  existence  of  such  a  privacy  framework  

•  Collected  31  responses  from  existing  App  Inventor  users  who  have  published  mobile  apps  on  the  Google  Play  Store  

•  Results  mostly  positive:  74%  said  they  would  use  it  and  that  it  would  save  them  time  

•  Most  comments  on  the  aesthetics  of  the  privacy  description  

18  

Exploratory  User  Study  

•  Various  reasons  for  choosing  to  not  use  PrivacyInformer,  but  perception  of  privacy  descriptions  is  an  obvious  factor  

19  

Exploratory  User  Study  

0%  

5%  

10%  

15%  

20%  

25%  

30%  

35%  

40%  

Not  important   Of  little  

importance   Moderately  Important   Important  

Very  important  

Percentage  of  Respondents  

Reaction  to  PrivacyInformer  vs.  perception  of  privacy  description  importance  

Would  Use  PrivacyInformer   Would  NOT  Use  PrivacyInformer  

•  Most  people  thought  writing  a  privacy  description  would  take  them  between  1  to  2  hours  without  PrivacyInformer  

•  Less  than  15  minutes  with  PrivacyInformer  20  

Exploratory  User  Study  

0  

2  

4  

6  

8  

10  

12  

14  

Less  than  15  minutes  

Between  15  minutes  and  1  

hour  

Between  1  hour  and  2  hours  

Between  2  hours  and  5  hours  

More  than  5  hours  

Num

ber  of  Responses  

Time  spent  making  privacy  document  with  and  without  using  PrivacyInformer  

Using  PrivacyInformer   Without  PrivacyInformer  

•  Privacy  policies  are  long  because  legal  experts  want  to  lower  the  risk  of  litigation  by  using  general  terms  that  open  up  room  for  interpretation.  

•  Any  piece  of  public  privacy  statement  included  with  a  mobile  app  can  become  the  basis  for  litigation.  How  to  increase  motivation  for  developers  to  use  privacy  statements?  –  Perhaps  the  law  should  create  a  “safe  harbor”  for  mobile  developers  to  present  privacy  statements  in  good  faith.  FTC  could  increase  burden  of  proof,  such  that  only  deliberate  attempts  of  privacy  violations  are  penalized.    

•  One  inJluential  party  in  the  mobile  apps  market  is  the  app  platform  owner,  such  as  Apple,  Google  etc.  –  Regulatory  agencies  could  focus  on  managing  these  app  platforms,  rather  than  targeting  the  entire  mobile  app  market.    

–  Machine-­‐readable  privacy  documents  generated  by  PrivacyInformer  could  be  used  at  the  app  platform  level  to  allow  Jiltering  by  privacy  preferences.    21  

Policy  Discussion  

•  PrivacyInformer  opens  up  possibilities  for  various  interesting  extension  work  – Different  presentation  of  privacy  information  – Mobile  app  matching  based  on  privacy  preferences  – Generate  privacy  rules  that  govern  data  access,  allowing  accountability  to  data  usage  as  well  as  collection  and  dissemination  

•  Privacy  issues  are  only  just  emerging  in  the  mobile  market.  PrivacyInformer  tries  to  address  one  aspect  of  a  bigger  picture,  with  much  more  left  to  learn  and  explore.    22  

Future  Work  &  Summary  

Thank  You!      

23