Presentation of our paper, titled: "'If You Can't Beat them, Join them': A Usability Approach to Interdependent Privacy in Cloud Apps", at the 7th ACM Conference on Data and Applications Security and Privacy (CODASPY'17), Scottsdale, AZ, USA, March 22 - 24, 2017 The paper is available here: https://infoscience.epfl.ch/record/224430 The video slides are here: https://youtu.be/tA_6Df-PEOY You can find more about my work on my personal website: http://hamzaharkous.com

1. IfyouCan’tBeatThem,JoinThem:
HamzaHarkousandKarlAberer
1
AUsabilityApproachto
InterdependentPrivacyinCloudApps
hamzaharkous.com

2. Growing Business Adoption
of Cloud Ecosystems
*Skyhigh Networks. Cloud Report | Skyhigh Networks. https://www.skyhighnetworks.com/cloud-report/

3. 3
Your Files
CSPs
3rd
party apps
Files

5. Organizations use 10-20 times more
cloud apps than their IT departments think*.

6. TheProliferationof
newAdversaries:
6
3rdpartyapps

7. 7
average financial impact on a company as a result of a
cloud-storage data breach
Elastica Cloud Threat Labs. Q2 2015 Shadow Data Report: https: //www.elastica.net/q2-2015-shadow-data-report/
$13.85M

8. 8
76%
of Google Drive apps featured on Chrome Store
ask for full access to all your files*
*Harkous et al. The Curious Case of the PDF Converter that Likes Mozart:
Dissecting and Mitigating the Privacy Risk of Personal Cloud Apps. (PoPETs 2016)

9. 9
of documents are
shared with at least
1 other user
37.2%
*Elastica Cloud Threat Labs. 1H 2016 Shadow Data Report. 2016.
*Skyhigh Networks. Cloud Adoption and Risk Report. 2015.

10. 9
of documents are
shared with at least
1 other user
37.2% 23%
of documents are
broadly shared
(with all employees or
with outsiders)
*Elastica Cloud Threat Labs. 1H 2016 Shadow Data Report. 2016.
*Skyhigh Networks. Cloud Adoption and Risk Report. 2015.

11. Company 1 Company 2 Company 3 Company 4 Company 5 Company 6
10

12. Company 1 Company 2 Company 3 Company 4 Company 5 Company 6
TooManyShareholders
→LargerAttackSurface 10

13. Company 1 Company 2 Company 3
11

14. Company 1 Company 2 Company 3
FewerShareholders→
Narrowerattacksurface 11

15. Company 1 Company 2 Company 3 Company 4 Company 5 Company 6
Challenge
Shared Data Non-shared Data
You
12

16. Company 1 Company 2 Company 3 Company 4 Company 5 Company 6
Challenge
Shared Data Non-shared Data
You
12

17. Company 1 Company 2 Company 3 Company 4 Company 5 Company 6
Challenge
Shared Data Non-shared Data
You
12

18. Challenges
You
13

19. Challenges
You Cannot remember all companies
13

20. Challenges
You Cannot remember all companies
Don’t know what others install
so that you don’t give access to new companies
13

21. Challenges
You Cannot remember all companies
Don’t know what others install
so that you don’t give access to new companies
Cannot control what others install
13

22. 14
Interdependent Privacy
"The privacy of individual users is bound to be affected by the decisions of
others, and could be out of their own control"*

23. 14
Interdependent Privacy
"The privacy of individual users is bound to be affected by the decisions of
others, and could be out of their own control"*
Originally introduced in the context of Facebook apps
- Biczok and Chia, Interdependent privacy: Let me share your data. In FC 2013
- Pu and Grossklags, An economic model and simulation results of app adoption decisions on networks with interdependent privacy
consequences, GameSec 2014

24. 14
Interdependent Privacy
"The privacy of individual users is bound to be affected by the decisions of
others, and could be out of their own control"*
* Olteanu, et al. "Quantifying interdependent privacy risks with location data." IEEE TMC (2016).
Also used in the context of location privacy
Originally introduced in the context of Facebook apps
- Biczok and Chia, Interdependent privacy: Let me share your data. In FC 2013
- Pu and Grossklags, An economic model and simulation results of app adoption decisions on networks with interdependent privacy
consequences, GameSec 2014

25. 15
of cloud apps with full
access get the
collaborators’ data
100%2%
of Facebook apps get the
friends’ data*
- Biczok and Chia, Interdependent privacy: Let me share your data. In FC 2013

26. 16
Contributions
• First to study the problem in the context of cloud apps.

27. 16
Contributions
• First to study the problem in the context of cloud apps.
• We quantify the effects of interdependent privacy in the wild.

28. 16
Contributions
• First to study the problem in the context of cloud apps.
• We quantify the effects of interdependent privacy in the wild.
• We propose a usable privacy solution to mitigate the issue.

29. 16
Contributions
• First to study the problem in the context of cloud apps.
• We quantify the effects of interdependent privacy in the wild.
• We propose a usable privacy solution to mitigate the issue.
• We showcase the network effect of privacy-aware decisions at scale.

30. 17
ResearchQuestion-1
How significant is the impact of
collaborators’ app adoption
decisions on the users’ privacy loss?

31. Datasetstudy:
GoogleDrive+PrivySeal
18
+

32. privyseal.epfl.ch

33. Anonymized Dataset
20
183 Google Drive users
131 Google Drive apps
≥ 10 files each
≥ 5% shared files

34. Anonymized Dataset
20
183 Google Drive users
131 Google Drive apps
Data:
- anonymized user ids
- anonymized file ids
- list of collaborators per file
- list of apps per user
- vendor for each app
≥ 10 files each
≥ 5% shared files

35. Anonymized Dataset
21
For collaborators not in the
dataset, assign the apps of a
random user from the dataset

36. Anonymized Dataset
21
For collaborators not in the
dataset, assign the apps of a
random user from the dataset

37. Anonymized Dataset
21
For collaborators not in the
dataset, assign the apps of a
random user from the dataset

38. Anonymized Dataset
21
For collaborators not in the
dataset, assign the apps of a
random user from the dataset

39. Anonymized Dataset
21
For collaborators not in the
dataset, assign the apps of a
random user from the dataset
3,422 users+collaborators

40. Metric:Vendors’FileCoverage
number of files of user u accessible by vendor v
number of files of user u
metric. Consider a user u and a set V of vendors at a certain
ime step. For notation simplicity, we will omit the time step
enceforth. VFCu(V ) is computed as the summation of the
les’ fractions shared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
Intuitively, VFCu(V ) increases as vendors in V get access
o more files of u. It has the range [0, |V |]. 3
If we consider the set Vu of vendors explicitly authorized
y user u, we can define the Self-Vendors File Coverage as
y problem, which covers all vendors with full
n issue in least-privileged apps too.
y Loss Metrics
uantify the privacy loss that a user incurs with
duce now the Vendors File Coverage (VFC)
er a user u and a set V of vendors at a certain
notation simplicity, we will omit the time step
FCu(V ) is computed as the summation of the
shared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
VFCu(V ) increases as vendors in V get access
u. It has the range [0, |V |]. 3
problem, which covers all vendors with full
ssue in least-privileged apps too.
Loss Metrics
ntify the privacy loss that a user incurs with
ce now the Vendors File Coverage (VFC)
a user u and a set V of vendors at a certain
tation simplicity, we will omit the time step
u(V ) is computed as the summation of the
ared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
Cu(V ) increases as vendors in V get access
. It has the range [0, |V |]. 3
forauseruandsetVofvendors

41. 23
WhyVFC?
Easy to relay to the user:
"the percentage of your files accessible by the company"

42. 23
WhyVFC?
Easy to relay to the user:
"the percentage of your files accessible by the company"
Does not need external vendor evaluations:
e.g. based on reputation, number of installations, etc

43. Metric:Vendors’FileCoverage
v2V
|Fu|
Intuitively, VFCu(V ) increases as vendors in V get access
to more files of u. It has the range [0, |V |]. 3
If we consider the set Vu of vendors explicitly authorized
by user u, we can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
Similarly, if we consider the set VC(u) of vendors autho-
rized by the collaborators C(u) of u, we can define the
Collaborators-Vendors File Coverage as:
Collaborators-VFCu = VFCu(VC(u)) (3)
Part due to the users’ decisions
VFCu(V ) is computed as the summation of the
s shared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
VFCu(V ) increases as vendors in V get access
of u. It has the range [0, |V |]. 3
der the set Vu of vendors explicitly authorized
can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
f we consider the set VC(u) of vendors autho-
collaborators C(u) of u, we can define the
-Vendors File Coverage as:
ollaborators-VFCu = VFCu(VC(u)) (3)
s already achieves the least privilege possible.
vendors authorized by the user

44. Metric:Vendors’FileCoverage
v2V
|Fu|
Intuitively, VFCu(V ) increases as vendors in V get access
to more files of u. It has the range [0, |V |]. 3
If we consider the set Vu of vendors explicitly authorized
by user u, we can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
Similarly, if we consider the set VC(u) of vendors autho-
rized by the collaborators C(u) of u, we can define the
Collaborators-Vendors File Coverage as:
Collaborators-VFCu = VFCu(VC(u)) (3)
Part due to the users’ decisions
VFCu(V ) is computed as the summation of the
s shared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
VFCu(V ) increases as vendors in V get access
of u. It has the range [0, |V |]. 3
der the set Vu of vendors explicitly authorized
can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
f we consider the set VC(u) of vendors autho-
collaborators C(u) of u, we can define the
-Vendors File Coverage as:
ollaborators-VFCu = VFCu(VC(u)) (3)
s already achieves the least privilege possible.
vendors authorized by the user
v2V
|Fu|
Intuitively, VFCu(V ) increases as vendors in V get access
to more files of u. It has the range [0, |V |]. 3
If we consider the set Vu of vendors explicitly authorized
by user u, we can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
Similarly, if we consider the set VC(u) of vendors autho-
rized by the collaborators C(u) of u, we can define the
Collaborators-Vendors File Coverage as:
Collaborators-VFCu = VFCu(VC(u)) (3)
2Per-file access already achieves the least privilege possible.
Part due to the collaborators’ decisions
with each of these vendors:
Cu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
) increases as vendors in V get access
as the range [0, |V |]. 3
et Vu of vendors explicitly authorized
ne the Self-Vendors File Coverage as:
VFCu = VFCu(Vu) (2)
sider the set VC(u) of vendors autho-
ators C(u) of u, we can define the
File Coverage as:
ors-VFCu = VFCu(VC(u)) (3)vendors authorized by the collaborators

45. Metric:Vendors’FileCoverage
Combined metric due to the users’ and the collaborators
quantify the privacy loss that a user incurs with
oduce now the Vendors File Coverage (VFC)
der a user u and a set V of vendors at a certain
notation simplicity, we will omit the time step
FCu(V ) is computed as the summation of the
shared with each of these vendors:
VFCu(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
VFCu(V ) increases as vendors in V get access
of u. It has the range [0, |V |]. 3
der the set Vu of vendors explicitly authorized
can define the Self-Vendors File Coverage as:
Self-VFCu = VFCu(Vu) (2)
we consider the set VC(u) of vendors autho-
collaborators C(u) of u, we can define the
vendors authorized by the user
u(V ) =
X
v2V
|Fu,v|
|Fu|
(1)
increases as vendors in V get access
s the range [0, |V |]. 3
Vu of vendors explicitly authorized
e the Self-Vendors File Coverage as:
FCu = VFCu(Vu) (2)
der the set VC(u) of vendors autho-
tors C(u) of u, we can define the
File Coverage as:
s-VFCu = VFCu(VC(u)) (3)
hieves the least privilege possible.
vendors authorized by the collaborators
Finally, the Aggregate VFCu for a user u is that due to all
vendors authorized by u or its collaborators:
Aggregate-VFCu = VFCu(Vu [ VC(u)) (4)
Throughout this work, we will use the terms privacy loss
and VFC interchangeably. As will become evident in Sec-

46. 26
HowtheVFCevolveswithmoreshareddata:
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
● ●
●
●
●
●
●
●
●
●
●
●
●
●
●
183 133 87 58 43 35 22
0
5
10
15
5 10 20 30 40 50 60
Minimum % of shared files per user
Coveragevalue
Self_VFC Colls_VFC Agg_VFC
Minimum % of Shared Files per User
VFCvalue

47. 26
HowtheVFCevolveswithmoreshareddata:
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
● ●
●
●
●
●
●
●
●
●
●
●
●
●
●
183 133 87 58 43 35 22
0
5
10
15
5 10 20 30 40 50 60
Minimum % of shared files per user
Coveragevalue
Self_VFC Colls_VFC Agg_VFC
Minimum % of Shared Files per User
VFCvalue
Users with at least 5% of files shared

48. 26
HowtheVFCevolveswithmoreshareddata:
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
● ●
●
●
●
●
●
●
●
●
●
●
●
●
●
183 133 87 58 43 35 22
0
5
10
15
5 10 20 30 40 50 60
Minimum % of shared files per user
Coveragevalue
Self_VFC Colls_VFC Agg_VFC
Minimum % of Shared Files per User
VFCvalue
Users with at least 5% of files shared
Number of users

49. 26
HowtheVFCevolveswithmoreshareddata:
●
●●●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●●●● ●●●
●
●●
0
5
5 10 20
Cov
Minimum % of Shared Files per User
VFCvalue
Users with at least 5% of files shared
Number of users
139% of the Self-VFC

50. 27
0 5 10 20 30 40 50 60
139%
200%
306%
256%
582%
610% 623%
% Privacy Loss due to Collaborators relative to that due to the User
Minimum % of Shared Files per User

51. 28
ResearchQuestion-1
How significant is the impact of collaborators’ app adoption
decisions on the users’ privacy loss?
Collaborators’ decisions are highly significant.
They become more important as the sharing frequency increases

52. 29
ResearchQuestion-2
DoCurrentPermissionModels
helpuserminimizetheVFC?
Howcanwe improvethem?

53. 30
CurrentPermissionModels

54. 30
CurrentPermissionModels

55. 31
CurrentPermissionModels

56. History-Based (HB) Insights Model

57. History-Based(HB)InsightsModel
You are made aware of the percentage of your files that
the vendor already has (i.e. the Aggregate VFC)
(due to your or your collaborators’ decisions)
You

58. BaselinePermissionModels

59. HBInsightsPermissionModels

60. HBInsightsPermissionModels
Selecting the vendor with maximum existing
access results in minimizing the aggregate VFC
(proof in the paper)

61. HBInsightsPermissionModels
Selecting the vendor with maximum existing
access results in minimizing the aggregate VFC
(proof in the paper)

62. Userstudy
37

63. 38
OnlineStudySetup
Recruited users via Crowdflower (141 users)
Baseline group (BL): 72 users History-based group (HB): 69 users

64. 38
OnlineStudySetup
Recruited users via Crowdflower (141 users)
Baseline group (BL): 72 users History-based group (HB): 69 users
Introductory Survey

65. 38
OnlineStudySetup
Recruited users via Crowdflower (141 users)
Baseline group (BL): 72 users History-based group (HB): 69 users
4 modulesIntroductory Survey

66. 38
OnlineStudySetup
Recruited users via Crowdflower (141 users)
Baseline group (BL): 72 users History-based group (HB): 69 users
4 modulesIntroductory Survey Concluding Survey

67. 39
Demographics
nsider the di↵erences in access
rs that collaborators installed?
the user was asked to choose
th a list of 12 apps (Figure 5
y two of these apps were rel-
nd they were placed on top of
as first or second). With this
e realistic setup of app brows-
e user’s e↵ort on finding apps.
ccess permissions too (namely
n Chrome Store, we removed
reviews, and screenshots and
is is all in order to reduce the
de the study. We refer the user
0] who investigated the e↵ects
ecisions for Android apps.
gue and learning e↵ects, mod-
d in a random order for users.
setup in two stages: with col-
s from the CrowdFlower com-
the online pilot testers work,
de for session recording in our
Age 18-62 (median 31 years)
Gender 35.5% Female
64.5% Male
Occupation 59.6% full-time employees
14.2% student
6.4% part-time worker
8.5% self-employed
5.0% homemaker
6.4% Unemployed/retired
IT Experience 41.8% Have worked or studied in IT
Degree 19.1% High school
7.1% Trade/tech./vocational training
51.1% Associate or Bachelor’s degree
22.7% Post Graduate Degree
Countries 35.0% USA
37.5% IND
7.5% GBR
6.9% DEU
6.9% CAN
7.4% AUS+IRL+ NLD + PAK

68. 40
Module1
You installed
by: Company 1
Howlikelyareuserstoselectanappfromthe
samecompanytheyinstalledfrombefore?

69. 40
Module1
You installed
by: Company 1
by Company 1
by Company 2
. Would you choose:
?OR
Howlikelyareuserstoselectanappfromthe
samecompanytheyinstalledfrombefore?

70. Module1-HBGroup

71. Module1-HBGroup

72. 50%
Results
Baseline
75.4%
History-based
p-value= 0.003Fisher’s exact test
Probabilityofinstallingthemore privacy preservingoption

73. Results
Baselinegroupsparticipantslookedforotherreasons:
(morecomprehensivedescription,moreprofessionallogo,abettersoundingname,oramoretrustableURL)
Difficultyofrememberingthepreviousvendors
(e.g.2participantsjustifiedbymentioningthattheappcomesfromthesamevendor,butactuallyselectedadifferentone)

74. 44
Module2
Howlikelyareuserstoselectthesameappthattheir
collaboratorhaveusedbefore?

75. 44
Module2
Your friend
John
installed by: Company 1
Howlikelyareuserstoselectthesameappthattheir
collaboratorhaveusedbefore?

76. 44
Module2
Your friend
John
installed by: Company 1
by: Company 1
by: Company 2
. Would you choose: ?OR
Howlikelyareuserstoselectthesameappthattheir
collaboratorhaveusedbefore?

77. 52.8%
Results
Baseline
88.4%
History-based
p-value<0.001
Probabilityofinstallingthemore privacy preservingoption
Fisher’s exact test

78. Results

79. Results
Quote: “Mytools.com is the maker of PDF Mergy and since they already have ALOT of
access to my files (thanks to John), might as well stick with the brand and not open up
more files to another company.”

80. 47
Module3
Your friend
Lisa
installed Company 1
Howlikelyareuserstoselectanappfromthesamevendor
thattheircollaboratorhaveusedbefore?

81. 47
Module3
Your friend
Lisa
installed Company 1
Company 1
Company 2
. Would you choose: ?OR
Howlikelyareuserstoselectanappfromthesamevendor
thattheircollaboratorhaveusedbefore?

82. 58.3%
Results
Baseline
82.6%
History-based
p-value= 0.002
Probabilityofinstallingthemore privacy preservingoption
Fisher’s exact test

83. 49
Module4
Howlikelyareuserstoconsiderthedifferences inaccess
levelsofvendorsthatcollaboratorsauthorized?

84. 50
Module4
Your friend
Lisa
installed Company 1

85. 50
Module4
Your friend
Lisa
installed Company 1
Your friend
John
installed Company 2

86. 50
Module4
Your friend
Lisa
installed Company 1
Your friend
John
installed Company 2
Your share
more files
with Lisa

87. 50
Module4
Your friend
Lisa
installed Company 1
Your friend
John
installed Company 2
Company 1
Company 2
. Would you choose: ?OR
Your share
more files
with Lisa

88. 44.4%
Results
Probabilityofinstallingthemore privacy preservingoption
Baseline
82.6%
History-based
p-value=<0.001Fisher’s exact test

89. Results
Quote: “This is the app that John already uses, and he has access to all of my files. The
PDF Mergy app is used by Lisa, but she only has access to part of my files.”

90. 53
ResearchQuestion-3
HowdotheHistory-basedDecisions
affectusers’privacyatscale?

91. 54
Idea: Study the network effect of
History-based decisions
installed from v1
User A

92. 54
Idea: Study the network effect of
History-based decisions
installed from v1
User A
installed from v1
User B

93. 54
Idea: Study the network effect of
History-based decisions
installed from v1
VFC for User A increases by 0
User A
installed from v1
User B

94. 55
Issue: We do not have access to large
networks of cloud storage and apps’ users.
Create networks with similar properties.

95. Network1:InflatedGoogleDriveNetwork
Start from PrivySeal users’ network.
*Newman. The structure and function of complex networks. SIAM review, 2003

96. Extract the degree distribution.
Network1:InflatedGoogleDriveNetwork
Start from PrivySeal users’ network.
*Newman. The structure and function of complex networks. SIAM review, 2003

97. Create a large scale connected graph with a
similar distribution using the Configuration Model*.
Extract the degree distribution.
Network1:InflatedGoogleDriveNetwork
Start from PrivySeal users’ network.
*Newman. The structure and function of complex networks. SIAM review, 2003

98. Create a large scale connected graph with a
similar distribution using the Configuration Model*.
Extract the degree distribution.
Network1:InflatedGoogleDriveNetwork
Start from PrivySeal users’ network.
*Newman. The structure and function of complex networks. SIAM review, 2003
- 18,000 users
- 138,440 edges
- average degree: 15

99. Network2:AuthorCollaborationNetwork
Rely on Microsoft Academic Graph
(papers, authors, affiliations)

100. Use a snapshot of 50,000 papers to
construct a collaboration graph
Network2:AuthorCollaborationNetwork
Rely on Microsoft Academic Graph
(papers, authors, affiliations)

101. Obtain a graph
Use a snapshot of 50,000 papers to
construct a collaboration graph
Network2:AuthorCollaborationNetwork
Rely on Microsoft Academic Graph
(papers, authors, affiliations)

102. Obtain a graph
Use a snapshot of 50,000 papers to
construct a collaboration graph
Network2:AuthorCollaborationNetwork
Rely on Microsoft Academic Graph
(papers, authors, affiliations)
- 41,000 users
- 199,980 edges
- average degree: 4

103. Network3:TeamsCollaborationNetwork
Take the previously constructed
collaboration graph

104. Compute the Strongly Connected
Components (SCC)
Network3:TeamsCollaborationNetwork
Take the previously constructed
collaboration graph

105. Each team is a SCC.
Compute the Strongly Connected
Components (SCC)
Network3:TeamsCollaborationNetwork
Take the previously constructed
collaboration graph

106. Each team is a SCC.
Compute the Strongly Connected
Components (SCC)
Network3:TeamsCollaborationNetwork
Take the previously constructed
collaboration graph
- 16,400 users
- 1700 teams

107. Each team is a SCC.
Compute the Strongly Connected
Components (SCC)
Network3:TeamsCollaborationNetwork
Take the previously constructed
collaboration graph
- 16,400 users
- 1700 teams
Assumption:
Team members only account for
other team members’ decisions

108. Keepsimulationpropertiesrealistic:
- Distribution of shared files
- Number of apps installed
Match the PrivySeal dataset

109. Keepsimulationpropertiesrealistic:
- Apps vendors
- App installation count
Select at random on each step among1000
apps from Chrome Store

110. 61
Fully-Aware model (FA)
(always selects the HB option)
Experimental HB Model (EHB)
Experimental Baseline Model (EBL)
3UserModels

111. 62
3UserModels
Fully-Aware model (FA)
(always selects the HB option)
Experimental HB Model (EHB)
Experimental Baseline Model (EBL)
Users are self-interested and do not cooperate on
app installation decisions.

112. 62
3UserModels
Fully-Aware model (FA)
(always selects the HB option)
Experimental HB Model (EHB)
Experimental Baseline Model (EBL)
Users are self-interested and do not cooperate on
app installation decisions.

113. 63
SimulationSteps
Select a user
(based on the installation frequency of the user)

114. 63
SimulationSteps
Select a user
(based on the installation frequency of the user)
Select an app
(based on the installation frequency of the app)

115. 63
SimulationSteps
Select a user
(based on the installation frequency of the user)
Select an app
(based on the installation frequency of the app)
Choose to install the app or one of its related apps
(based on the user model)

116. 63
SimulationSteps
Select a user
(based on the installation frequency of the user)
Select an app
(based on the installation frequency of the app)
Choose to install the app or one of its related apps
(based on the user model)
Compute the average Aggregate VFC per user
(based on the user model)

117. 64
SimulationResults

118. Growth of the Privacy Loss is curtailed as users install more apps.
65
Inflated Network Authors’ Network Teams’ Network
Growth of the Average aggregate VFC with more apps installed by users.

119. How much is the privacy loss reduction by the end of the simulation
(w.r.t. the baseline (EBL))?
66
Inflated Network Authors’ Network
Users
modeled by
our study
(EHB)
Users who
always take
the optimal
decision
(FA)
41% 28%
70% 40%

120. How much is the privacy loss reduction by the end of the simulation
(w.r.t. the baseline (EBL))?
66
Inflated Network Authors’ Network
Users
modeled by
our study
(EHB)
Users who
always take
the optimal
decision
(FA)
41% 28%
70% 40%
Difference due to the
graph connectivity

121. How much is the privacy loss reduction by the end of the simulation
(w.r.t. the baseline (EBL))?
67
Users
modeled by
our study
(EHB)
Users who
always take
the optimal
decision
(FA)
23%
45%
Teams’ Network
Assumption:
Team members only account for other team
members’ decisions

122. 68
Take-aways
The impact of collaborators on user’s privacy significantly important.
With a Usable privacy solutions, we show how to mitigate this issue.
With large networks, the network effect of HB decisions increases.

123. 69
FutureWork
History based insights are a basic building block for:
Data-driven, Usable privacy

124. 69
FutureWork
History based insights are a basic building block for:
Data-driven, Usable privacy
Communicating risk to the users in their own language

125. 69
FutureWork
History based insights are a basic building block for:
Data-driven, Usable privacy
Communicating risk to the users in their own language
Context of permissions, privacy policies, etc.

126. hamzaharkous.com
hamza.harkous@gmail.com

127. hamzaharkous.com
hamza.harkous@gmail.com