Slides from a talk I gave at the FTC about two projects our team is doing, PrivacyGrade and Social Cybersecurity.

1. ©2015CarnegieMellonUniversity:1
PrivacyGrade and
Social Cybersecurity
Jason Hong
Federal Trade Commission
July 9, 2015
Computer
Human
Interaction:
Mobility
Privacy
Security

2. ©2015CarnegieMellonUniversity:2
Talk Overview
• PrivacyGrade
– Analyzing the privacy of 1M
smartphone apps
• Social Cybersecurity
– Using social psych to influence
people’s cybersecurity behaviors

3. ©2015CarnegieMellonUniversity:3
What Are Your Apps Really Doing?
Shares your location,
gender, unique phone ID,
phone# with advertisers
Uploads your entire
contact list to their server
(including phone #s)

4. ©2015CarnegieMellonUniversity:4
Many Smartphone Apps Have
“Unusual” Permissions
Location Data
Unique device ID
Location Data
Network Access
Unique device ID
Location Data
Microphone
Unique device ID

5. ©2015CarnegieMellonUniversity:5
What Do Developers Know
about Privacy?
• Interviews with 13 app developers
• Surveys with 228 app developers
• What tools? Knowledge? Incentives?
• Points of leverage?
Balebako et al, The Privacy and Security Behaviors
of Smartphone App Developers. USEC 2014.

6. ©2015CarnegieMellonUniversity:6
Summary of Findings
Third-party Libraries Problematic
• Use ads and analytics to monetize

7. ©2015CarnegieMellonUniversity:7
Summary of Findings
Third-party Libraries Problematic
• Use ads and analytics to monetize
• Hard to understand their behaviors
– A few didn’t know they were using
libraries (inconsistent answers)
– Some didn’t know they collected data
– “If either Facebook or Flurry had a
privacy policy that was short and
concise and condensed into real
English rather than legalese, we
definitely would have read it.”

8. ©2015CarnegieMellonUniversity:8
Summary of Findings
Devs Don’t Know What to Do
• Low awareness of existing privacy
guidelines
– Often just ask others around them
• Low perceived value of privacy
policies
– Mostly protection from lawsuits
– “I haven’t even read [our privacy
policy]. I mean, it’s just legal stuff
that’s required, so I just put in there.”

9. ©2015CarnegieMellonUniversity:9
PrivacyGrade.org
• Improve transparency
• Assign privacy grades to
all 1M+ Android apps

10. ©2015CarnegieMellonUniversity:10

11. ©2015CarnegieMellonUniversity:11

12. ©2015CarnegieMellonUniversity:12

13. ©2015CarnegieMellonUniversity:13

14. ©2015CarnegieMellonUniversity:14
Expectations vs Reality

15. ©2015CarnegieMellonUniversity:15
Privacy as Expectations
Use crowdsourcing to compare what
people expect an app to do vs what
an app actually does
App Behavior
(What an app
actually does)
User Expectations
(What people think
the app does)

16. ©2015CarnegieMellonUniversity:16
How PrivacyGrade Works
• Long tail distribution of libraries
• We focused on top 400 libraries

17. ©2015CarnegieMellonUniversity:17
How PrivacyGrade Works
• We crowdsourced people’s
expectations of core set of 837 apps
– Ex. “How comfortable are you with
Drag Racing using your location for ads?”
• Created a model to predict people’s
likely privacy concerns
• Applied model to 1M Android apps

18. ©2015CarnegieMellonUniversity:18
Overall Stats on PrivacyGrade
April 2015
• No sensitive permissions used
means A+
• Other grades
set at quartiles
of grade range

19. ©2015CarnegieMellonUniversity:19
Changes in Grades Over Time
October 2014 to April 2015

20. ©2015CarnegieMellonUniversity:20
Changes in Grades Over Time
Most Grades Remained the Same

21. ©2015CarnegieMellonUniversity:21
Changes in Grades Over Time
A Fair Number of Apps Improved

22. ©2015CarnegieMellonUniversity:22
Changes in Grades Over Time
Lots of Apps Deleted
• Not sure why deleted yet
– Some apps were re-uploaded

23. ©2015CarnegieMellonUniversity:23
Impact of this Research
• Popular Press
– NYTimes, CNN, BBC, CBS, more
• Government
– Earlier work helped lead to FTC fines
– Scared some Congressional staffers
• Google
• Developers

24. ©2015CarnegieMellonUniversity:24
Social Cybersecurity
• New work looking at changing
people’s awareness, knowledge,
and motivation to be secure
• Tool for FTC and companies to use
to improve privacy and security

25. ©2015CarnegieMellonUniversity:25
Social Proof

26. ©2015CarnegieMellonUniversity:26
• Baseline effectiveness is 35%

27. ©2015CarnegieMellonUniversity:27

28. ©2015CarnegieMellonUniversity:28
• “showing each user pictures of friends who
said they had already voted, generated
340,000 additional votes nationwide”
• “they also discovered that about 4 percent of
those who claimed they had voted were not
telling the truth”

29. ©2015CarnegieMellonUniversity:29
Adoption of Cybersecurity
Features is Very Low
• Typically single digits
– Two-factor authentication
– Login notifications on Facebook
– Trusted contacts on Facebook

30. ©2015CarnegieMellonUniversity:30
Insight from Interviews
Observability of Adoption Low
• One person stopped in coffee shop
and asked about the Android 9-dot:
“We were just sitting in a
coffee shop and I wanted
to show somebody
something and [they said], ‘
My phone does not have
that,’ and I was like, ‘I
believe it probably does.’”

31. ©2015CarnegieMellonUniversity:31
Diffusion of Innovations
• Five major factors
for successful
innovations:
– Relative Advantage
– Trialability
– Complexity
– Compatibility
– Observability

32. ©2015CarnegieMellonUniversity:32
Social Proof + Making
Cybersecurity Observable
• Variants
– Control
– Over # / %
– Only # / %
– Raw # / %
– Some
Das, S., A. Kramer, L. Dabbish, J.I. Hong. Increasing Security Sensitivity
With Social Proof: A Large-Scale Experimental Confirmation. CCS 2014.

33. ©2015CarnegieMellonUniversity:33
Method
• Controlled, randomized study
with 50k active Facebook users
– 8 conditions, so N=6250
• Part of annual security awareness
campaign Facebook was going to
run anyway

34. ©2015CarnegieMellonUniversity:34
Results of Experiment

35. ©2015CarnegieMellonUniversity:35
Summary
• PrivacyGrade
– Analyzing the privacy of 1M apps
• Social Cybersecurity
– Social proof + observability to improve
cybersecurity behaviors

36. ©2015CarnegieMellonUniversity:36
Thanks!
Collaborators:
Special thanks to:
• Army Research Office
• National Science Foundation
• Alfred P. Sloan Foundation
• Google
• CMU Cylab
• NQ Mobile
• Shah Amini
• Kevin Ku
• Jialiu Lin
• Song Luan
• Bharadwaj Ramachandran
• Norman Sadeh

37. ©2015CarnegieMellonUniversity:37
How PrivacyGrade Works

38. ©2015CarnegieMellonUniversity:38
Limitations of Current
Approach
• PrivacyGrade works for most apps
– But popular apps, lots of custom code
– Also can’t analyze backend
• Only free apps
– Limitations on downloading paid apps
• Assume most libraries have one
purpose
– True for vast majority
– More analytics + advertising combos

39. ©2015CarnegieMellonUniversity:39
Talk Overview
• Interviews and surveys of app
developers
• PrivacyGrade.org
• Using text mining to infer
privacy-related app behaviors
• Reflections on privacy ecosystem

40. ©2015CarnegieMellonUniversity:40
Reflections on Privacy
Consider entire ecosystem
• End-users
– Most research has focused here
– But puts too much burden
– Really hard to improve awareness,
knowledge, and motivation

41. ©2015CarnegieMellonUniversity:41
Reflections on Privacy
Consider entire ecosystem
• End-users
• Developers
• Third-party developers
• Markets
• OS
• Third-party advocates
– Ex. FTC, Consumer Reports

42. ©2015CarnegieMellonUniversity:42
Reflections on Privacy
Helping Developers
• Point of greatest leverage
• Examples:
– Better understanding of 3rd party libs
– Better design patterns for privacy
– Better APIs
• “Home” or “work” vs precise location
– Better reusable components
• Databases and ACID properties
• Make the path of least resistance
privacy sensitive

43. ©2015CarnegieMellonUniversity:43
Mobile App
• Scans apps you
have on phone,
gets grades from
our site
• Just need to
add it to
Google Play store