PrivacyGrade and Social Cybersecurity, talk at FTC July 2015

3. ©2015CarnegieMellonUniversity:3 What Are Your Apps Really Doing? Shares your location, gender, unique phone ID, phone# with advertisers Uploads your entire contact list to their server (including phone #s)

4. ©2015CarnegieMellonUniversity:4 Many Smartphone Apps Have “Unusual” Permissions Location Data Unique device ID Location Data Network Access Unique device ID Location Data Microphone Unique device ID

5. ©2015CarnegieMellonUniversity:5 What Do Developers Know about Privacy? • Interviews with 13 app developers • Surveys with 228 app developers • What tools? Knowledge? Incentives? • Points of leverage? Balebako et al, The Privacy and Security Behaviors of Smartphone App Developers. USEC 2014.

7. ©2015CarnegieMellonUniversity:7 Summary of Findings Third-party Libraries Problematic • Use ads and analytics to monetize • Hard to understand their behaviors – A few didn’t know they were using libraries (inconsistent answers) – Some didn’t know they collected data – “If either Facebook or Flurry had a privacy policy that was short and concise and condensed into real English rather than legalese, we definitely would have read it.”

8. ©2015CarnegieMellonUniversity:8 Summary of Findings Devs Don’t Know What to Do • Low awareness of existing privacy guidelines – Often just ask others around them • Low perceived value of privacy policies – Mostly protection from lawsuits – “I haven’t even read [our privacy policy]. I mean, it’s just legal stuff that’s required, so I just put in there.”

15. ©2015CarnegieMellonUniversity:15 Privacy as Expectations Use crowdsourcing to compare what people expect an app to do vs what an app actually does App Behavior (What an app actually does) User Expectations (What people think the app does)

17. ©2015CarnegieMellonUniversity:17 How PrivacyGrade Works • We crowdsourced people’s expectations of core set of 837 apps – Ex. “How comfortable are you with Drag Racing using your location for ads?” • Created a model to predict people’s likely privacy concerns • Applied model to 1M Android apps

23. ©2015CarnegieMellonUniversity:23 Impact of this Research • Popular Press – NYTimes, CNN, BBC, CBS, more • Government – Earlier work helped lead to FTC fines – Scared some Congressional staffers • Google • Developers

24. ©2015CarnegieMellonUniversity:24 Social Cybersecurity • New work looking at changing people’s awareness, knowledge, and motivation to be secure • Tool for FTC and companies to use to improve privacy and security

28. ©2015CarnegieMellonUniversity:28 • “showing each user pictures of friends who said they had already voted, generated 340,000 additional votes nationwide” • “they also discovered that about 4 percent of those who claimed they had voted were not telling the truth”

29. ©2015CarnegieMellonUniversity:29 Adoption of Cybersecurity Features is Very Low • Typically single digits – Two-factor authentication – Login notifications on Facebook – Trusted contacts on Facebook

30. ©2015CarnegieMellonUniversity:30 Insight from Interviews Observability of Adoption Low • One person stopped in coffee shop and asked about the Android 9-dot: “We were just sitting in a coffee shop and I wanted to show somebody something and [they said], ‘ My phone does not have that,’ and I was like, ‘I believe it probably does.’”

32. ©2015CarnegieMellonUniversity:32 Social Proof + Making Cybersecurity Observable • Variants – Control – Over # / % – Only # / % – Raw # / % – Some Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.

33. ©2015CarnegieMellonUniversity:33 Method • Controlled, randomized study with 50k active Facebook users – 8 conditions, so N=6250 • Part of annual security awareness campaign Facebook was going to run anyway

36. ©2015CarnegieMellonUniversity:36 Thanks! Collaborators: Special thanks to: • Army Research Office • National Science Foundation • Alfred P. Sloan Foundation • Google • CMU Cylab • NQ Mobile • Shah Amini • Kevin Ku • Jialiu Lin • Song Luan • Bharadwaj Ramachandran • Norman Sadeh

38. ©2015CarnegieMellonUniversity:38 Limitations of Current Approach • PrivacyGrade works for most apps – But popular apps, lots of custom code – Also can’t analyze backend • Only free apps – Limitations on downloading paid apps • Assume most libraries have one purpose – True for vast majority – More analytics + advertising combos

39. ©2015CarnegieMellonUniversity:39 Talk Overview • Interviews and surveys of app developers • PrivacyGrade.org • Using text mining to infer privacy-related app behaviors • Reflections on privacy ecosystem

40. ©2015CarnegieMellonUniversity:40 Reflections on Privacy Consider entire ecosystem • End-users – Most research has focused here – But puts too much burden – Really hard to improve awareness, knowledge, and motivation

41. ©2015CarnegieMellonUniversity:41 Reflections on Privacy Consider entire ecosystem • End-users • Developers • Third-party developers • Markets • OS • Third-party advocates – Ex. FTC, Consumer Reports

42. ©2015CarnegieMellonUniversity:42 Reflections on Privacy Helping Developers • Point of greatest leverage • Examples: – Better understanding of 3rd party libs – Better design patterns for privacy – Better APIs • “Home” or “work” vs precise location – Better reusable components • Databases and ACID properties • Make the path of least resistance privacy sensitive

PrivacyGrade and Social Cybersecurity, talk at FTC July 2015

Jason Hong

PrivacyGrade and Social Cybersecurity, talk at FTC July 2015