The Privacy and Security Behaviors of Smartphone, at USEC 2014

•Download as PPTX, PDF•

0 likes•357 views

Talk presented at USEC 2014. Smartphone app developers have to make many privacy-related decisions about what data to collect about end-users, and how that data is used. We explore how app developers make decisions about privacy and security. Additionally, we examine whether any privacy and security behaviors are related to characteristics of the app development companies. We conduct a series of interviews with 13 app developers to obtain rich qualitative information about privacy and security decision-making. We use an online survey of 228 app developers to quantify behaviors and test our hypotheses about the relationship between privacy and security behaviors and company characteristics. We find that smaller companies are less likely to demonstrate positive privacy and security behaviors. Additionally, although third-party tools for ads and analytics are pervasive, developers aren’t aware of the data collected by these tools. We suggest tools and opportunities to reduce the barriers for app developers to implement privacy and security best practices.

Technology

1
Engineering &
Public Policy
The Privacy and
Security Behaviors of
Smartphone
App Developers
Rebecca Balebako, Abigail
Marsh, Jialiu Lin, Jason
Hong, Lorrie Faith Cranor

App Developer decisions
• Privacy and Security features compete with
• Features requested by customers
• Data requested by financers
• Revenue model
2

Research Project
• Exploratory Interviews
• Quantitative on-line study
3

Findings
• Small companies lack privacy and security behaviors
• Small company developers rely on social ties for advice
• Legalese hinders reading and writing of privacy policies
• Third-Party tools heavily used
4

Participant Recruitment
• 13 developers interviewed
• Recruited through craigslist and Meetups
• $20 for one-hour interview
5

Participant Demographics
• Variety of revenue models
• Advertising
• Subscription
• Pay-per-use
• Non-Profit
• Seven different states
• Small company size well-represented
6

Tools impact privacy and security
• Interviewees do:
• Use cloud computing
• Use authentication tools such as Facebook
• Use analytics such as Google and Flurry
• Use open source tools such as mysql
7

Tools not used
• Interviewees don‟t use or are unaware of:
• Use privacy policy generators
• Use security audits
• Read third-party privacy policies
• Delete data
8

On-line surveys
• 228 app developers
• Paid $5 (avg: 15 minutes)
• Recruited through
craigslist, reddit, Facebook, backpage.com
• Developer demographics
• Majority were „Programmer or Software Engineer‟ or
„Product or Project Manager‟
• Avg age: 30 (18-50 years)
10

Company demographics
• Platforms
• iOS (62%)
• Android (62%)
• Windows (17%)
• Blackberry (4%)
• Palm (3%)
• Large Company Size well-represented
11

Data collected or stored
Behavior Collect or Store
Parameters specific to my app 84%
Which apps are installed 74%
Location 72%
Sensor information (not location-related) 63%
12

Privacy and security behaviors
Behavior Percent
Use SSL 84%
Encrypt everything (all data collected) 57%
Have CPO or equivalent 78%
Privacy Policy on website 58%
13
• Room for improvement!

Ad and analytics heavily used
• 87.4% use at least one analytics company
• 86.5% use at least one advertising company
17

How Familiar Are You With The Types Of
Data Collected By Third-Party Tools
19

Findings
• Small companies lack privacy and security behaviors
• Free or quick tools needed
• Usable tools needed
• Small company developers rely on social ties for
advice
• Opportunities for intervention in social networks
• Legalese hinders reading and writing of privacy
policies
• Third-Party tools heavily used
• Third-party tools should be explicit about data handling
20

Privacy Policies Are Not Considered
Useful
“I haven‟t even read [our privacy policy]. I mean,
it‟s just legal stuff that‟s required, so I just put in
there.” – P4
22

Developers have time and resource
constraints
• “I don‟t see the time it would take to implement
that over cutting and pasting someone else‟s
privacy policies.... I don‟t see the value being
such that that‟s worth it.”
-P10
23

Privacy and security behaviors
Behavior Percent
Use SSL 83.8%
Encrypt data on phone 59.6%
Encrypt data in database 53.1%
Encrypt everything (all data collected) 57.0%
Revenue from advertising 48.2%
Have CPO or equivalent 78.1%
Privacy Policy on website 57.9%
24

Ad and analytics
Ad or analytic provider percent
Google analytics 82%
Google ads 64%
Flurry analytics 17%
No ads 13%
No analytics 13%
25

Using data and analytics to supercharge your products is important for all product managers. There are tons of ways to utilize analytics as a product manager whether it is: incorporating analytics into your product to provide more customer value; incorporating into business case or financial reporting to provide more value; utilizing to better understand the voice of the customer; or more effectively pricing your product to name a few. These slides are geared at people making products and how they can utilize data and analytics to make good products great.

Generating actionable consumer insights from analytics - Telekom R&DMerlien Institute

It's all about big dataYuxin Tu, PhD

AI Weekly - April 5, 2021

Bruno Aziza

isicg - 3 r's v4Elliott Franklin

We asked LinkedIn members worldwide about their levels of interest in the latest wave of technology: whether they’re using wearables, and whether they intend to buy self-driving cars and VR headsets as they become available. We asked them too about their attitudes to technology and to the growing role of Artificial Intelligence (AI) in the devices that they use. The answers were fascinating – and in many cases, surprising. This SlideShare explores the full results of this study, including detailed market-by-market breakdowns of intention levels for each technology – and how attitudes change with age, location and seniority level. If you’re marketing a tech brand – or planning to use VR and wearables to reach a professional audience – then these are insights you won’t want to miss.

Building an effective Information Security Roadmap

Elliott Franklin

As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy in for multiple enterprise wide security projects.

20230426 AIIM23 How to Leverage Privacy Practices to Build Customer Trust.pptx

Jesse Wilkins

GDPR | Cyber security process resilience

Rishi Kant

How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...

Aggregage

Creating a GDPR Action Plan; Not a Freakout Plan

Mediacurrent

Change Your Search to Find – SharePoint and Office 365 Webinar

Concept Searching, Inc

Enterprise search, once a hot topic, now faces new challenges with the adoption of hybrid and cloud environments. In SharePoint and Office 365, search isn’t equal, and before jumping on the Office 365 band wagon, organizations need to know as much as they can about potential challenges and pitfalls. Even in a SharePoint stand-alone environment, the consumption of content is forcing a renewed look at security, information lifecycle management, and non-compliance. Join us on Tuesday, October 28th, at 11:30am – 12:30pm EDT for this webinar packed with information on how to address search issues in SharePoint stand-alone, Office 365 hybrid, or cloud-only environments. If you’re not sure how you would answer any of the below questions below, then this webinar is for you:. • Does an enterprise search engine that provides the same transparency both on-premise and in the cloud matter to you? Does it matter to your users? • With the huge push for Office 365, is enterprise search getting lost? • Will the announcement of Delve push you over the edge in adopting Office 365? Why? • What about managing content in the cloud? Do you have any reservations about security,or records, and what your users are doing in the cloud? (Bet you’ll be surprised.) • What about migration? What goes where? • How will you know what’s on your users’ OneDrives? Is DLP enough? • Is your SharePoint search good enough? Have you calculated the ROI you can gain by improving it? • How are you going to manage the ever increasing consumption of organizational content?

#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers

One North

One North’s Managing Director of Technology Ryan Horner and legal process and technology consultant Bob Beach share details on how the EU’s General Data Protection Regulation (GDPR) could impact digital assets. This webinar is designed to educate digital marketers, share actionable examples, and provide an overview of how One North can help clients ensure their digital properties are in compliance with the regulation and execute on those efforts. Beyond GDPR compliance, the session will also highlight important information for marketers as data privacy continues to become a critical and strategic component of digital. Access the recording: https://youtu.be/ruQpN70LGt0

Cybersecurity for King County Public Educators

Sarah K Miller

GDPR: The Application Security Twist

Security Innovation

When GDPR becomes law in a few months, it will be the most wide-ranging and stringent data protection initiative in history. To prepare for this sea change, most organizations have streamlined and detailed their information security policies; however, many are unaware that immature application security programs arguably pose the biggest threat of a data breach. This oft-forgotten piece of data protection puts organizations at risk of GDPR fines. Attend this joint webinar with Security Innovation and Smarttech247 to learn practical tips on incorporating application security best practices into an InfoSec program to achieve GDPR compliance. Topics include: * Summary of GDPR key concepts * Security of data processing in software and the CIA triad * The people and process problem of GDPR: Governance * Using Data Protection by Design for secure design and business logic * Assessments to verify the security of processing Presenters: Roman Garber, Security Innovation Edward Skraba, Smarttech247

Ethics in Data Management.pptx

Ravindra Babu

005. Ethics, Privacy and Security

Arianto Muditomo

This presentation is prepared by Author for Perbanas Institute as a part of Author Lecture Series. It is to be used for educational and non-commercial purposes only and is not to be changed, altered, or used for any commercial endeavor without the express written permission from Author and/or Perbanas Institute. Appropriate legal action may be taken against any person, organization, or entity attempting to misrepresent, charge, or profit from the educational materials contained here. Authors are allowed to use their own articles without seeking permission from any person, organization, or entity.

Helping Developers with Privacy

Jason Hong

Evaluating the use of search engines and social Media today

Simeon Bala

Search engines are an essential tool for any marketer or researcher who needs to quickly find relevant information. It is no surprise that they can be used to obtain a variety of different types of data. In the past, search engines were just a means of accessing information that had been collected and cataloged by humans. But today they are also a tool for collecting data themselves. This presentation was given to evaluate the impact of social engines and mobile devices today. The presentation contain idea and tips on how to live online. Google and Facebook were used as case study as they are the biggest. Presentation was done by Simeon Bala 9jaoncloud.com.ng publicopinion.org.ng

Caveon Webinar Series - Security Challenges in Creating Testing Programs - Se...

Caveon Test Security

Think back to when you first started your certification program... there were so many things to think about: • Who will develop your items? • Where were items going to be housed? • Where will the tests be delivered? • Who was going to do the fulfillment of certification awards? What you weren't thinking about: • How am I going to protect my test questions from getting stolen? Join us for a virtual coffee and conversation as we discuss the processes you can put in place, things you can do, and tools you can use to stop test theft before it happens. Two programs will be featured and you'll hear lessons learned from each. Josephine Elizaga, Senior Manager of Certification for Genesys will present information from her experience with the recently released Genesys Professional Certification Program. Josephine has fifteen years of experience in training and certification with HP Software Education. She holds an engineering degree with further studies in instructional design and training methods for business and industry. Jamie Mulkey, Executive Director of the Certified Exam Security Professional (CESP) Program and Vice President of Client Services for Caveon, will present some key strategies currently being deployed for the upcoming CESP - Generalist exam. Even if your certification program is not-so-new, you will gain insight on security tips and techniques that will strengthen your testing program.

CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions

TrustArc

CCPA is in full effect and - as of July 1, 2020 - is being fully enforced. The “wait and see” game is officially over and organizations must be fully compliant in order to avoid regulatory fines and negative publicity. There are many requirements set forth by the CCPA, and building a strong compliance plan can be daunting. Not only does the compliance plan need to be set-up for future growth and changes, but it also needs the flexibility to produce on-demand, customized reports to provide to stakeholders. TrustArc has helped organizations of all sizes and maturity with CCPA compliance from simple assessments to full automation. Investing time upfront to perform the proper analysis and planning is key to feeling confident that your CCPA compliance program will efficiently and effectively mitigate risk while meeting business objectives. Join this webinar to see how TrustArc CCPA solutions help organizations of all sizes and maturity achieve and maintain compliance. This webinar will review: -Stages of CCPA program maturity -TrustArc CCPA solutions for every stage of compliance

Viewers also liked

Increasing your vertical

Hellen Meyer

Earn money today

Hellen Meyer

How can i jump higher

Hellen Meyer

Module 5 lesson 5 remediationcrystalpullen

Surveys pay

Hellen Meyer

Formulas and functionscrystalpullen

Study: The Future of VR, AR and Self-Driving Cars

Viewers also liked (7)

Increasing your vertical

Earn money today

How can i jump higher

Module 5 lesson 5 remediation

Surveys pay

Formulas and functions

Study: The Future of VR, AR and Self-Driving Cars

Similar to The Privacy and Security Behaviors of Smartphone, at USEC 2014

Building an effective Information Security Roadmap

Elliott Franklin

20230426 AIIM23 How to Leverage Privacy Practices to Build Customer Trust.pptx

Jesse Wilkins

GDPR | Cyber security process resilience

Rishi Kant

How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...

Aggregage

Creating a GDPR Action Plan; Not a Freakout Plan

Mediacurrent

Change Your Search to Find – SharePoint and Office 365 Webinar

Concept Searching, Inc

#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers

One North

Cybersecurity for King County Public Educators

Sarah K Miller

GDPR: The Application Security Twist

Security Innovation

Ethics in Data Management.pptx

Ravindra Babu

005. Ethics, Privacy and Security

Arianto Muditomo

Helping Developers with Privacy

Jason Hong

Evaluating the use of search engines and social Media today

Simeon Bala

Caveon Webinar Series - Security Challenges in Creating Testing Programs - Se...

Caveon Test Security

CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions

TrustArc

Taking the Share out of Sharepoint: SharePoint Application Security.

Aspenware

The beauty of SharePoint is you can quickly enable the business to do anything anywhere. That freedom and flexibility can create a serious security risk for your organization. With every service and application you roll out you also roll out new ways for hackers to get at your data. NetSource Secure, HOSTING, and Aspenware are pleased to bring you this critical SharePoint security presentation. In this presentation Senior SharePoint Architect Waughn Hughes and Senior Security Consultant Justin Tibbs will give you the information necessary to assess your SharePoint security risks and develop a plan for mitigating risks.

7 principles of good intranet governance

Intranätverk

Presented by Mark Morrell at Intranätverk 2015: Gothenburg, 21 May. The alternative to governance can be chaotic anarchy. Posing risks to security and intellectual productivity provides an awful experience for those who still use your intranet. Where governance can start to get confusing and difficult is in how it is applied. Mark Morrell will show you how applying these governance principles can be easy and have a good outcome: 1. Know your organisation 2. Define the scope 3. Put people first 4. Use all resources 5. Compare and benchmark 6. Do what you say you will do 7. Keep it legal

Flight East 2018 Presentation–You've got your open source audit report, now w...

Synopsys Software Integrity Group

Cooperability for Interoperability

MEASURE Evaluation

Discovery, Risk, and Insight in a Metadata-Driven World Webinar

Concept Searching, Inc

Discovery, risk, and insight mean something different to every organization, even at different locations within the same company. Do you find answers by trial and error? Do you stumble across information, or find it when it is too late to make good use of it? In this session Concept Searching and technology partner, Netwrix, give a detailed view of risk mitigation for data security, compliance, and operational intelligence. With the combination of the conceptClassifier platform and Netwrix Auditor, see firsthand the automatic generation and use of semantic metadata. The overview of this state-of-the-art solution shows how to proactively prepare to mitigate risk, regardless of where or why it occurs. Speakers: Robert Piddocke – Vice President of Channel and Business Development at Concept Searching Ilia Sotnikov – Vice President of Product Management at Netwrix Jeff Melnick – Manager of Sales Engineering at Netwrix

Similar to The Privacy and Security Behaviors of Smartphone, at USEC 2014 (20)

Building an effective Information Security Roadmap

20230426 AIIM23 How to Leverage Privacy Practices to Build Customer Trust.pptx

GDPR | Cyber security process resilience

How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...

Creating a GDPR Action Plan; Not a Freakout Plan

Change Your Search to Find – SharePoint and Office 365 Webinar

#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers

Cybersecurity for King County Public Educators

GDPR: The Application Security Twist

Ethics in Data Management.pptx

005. Ethics, Privacy and Security

Helping Developers with Privacy

Evaluating the use of search engines and social Media today

Caveon Webinar Series - Security Challenges in Creating Testing Programs - Se...

CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions

Taking the Share out of Sharepoint: SharePoint Application Security.

7 principles of good intranet governance

Flight East 2018 Presentation–You've got your open source audit report, now w...

Cooperability for Interoperability

Discovery, Risk, and Insight in a Metadata-Driven World Webinar

Recently uploaded

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

RESUME BUILDER APPLICATION Project for students

KAMESHS29

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Mind map of terminologies used in context of Generative AI

Kumud Singh

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Pushing the limits of ePRTC: 100ns holdover for 100 days

Epistemic Interaction - tuning interfaces to provide information for AI support

DevOps and Testing slides at DASA Connect

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

RESUME BUILDER APPLICATION Project for students

By Design, not by Accident - Agile Venture Bolzano 2024

Securing your Kubernetes cluster_ a step-by-step guide to success !

Mind map of terminologies used in context of Generative AI

20240605 QFM017 Machine Intelligence Reading List May 2024

Monitoring Java Application Security with JDK Tools and JFR Events

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Microsoft - Power Platform_G.Aspiotis.pdf

Climate Impact of Software Testing at Nordic Testing Days

Essentials of Automations: The Art of Triggers and Actions in FME

Uni Systems Copilot event_05062024_C.Vlachos.pdf

The Privacy and Security Behaviors of Smartphone, at USEC 2014

1. 1 Engineering & Public Policy The Privacy and Security Behaviors of Smartphone App Developers Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason Hong, Lorrie Faith Cranor

2. App Developer decisions • Privacy and Security features compete with • Features requested by customers • Data requested by financers • Revenue model 2

3. Research Project • Exploratory Interviews • Quantitative on-line study 3

4. Findings • Small companies lack privacy and security behaviors • Small company developers rely on social ties for advice • Legalese hinders reading and writing of privacy policies • Third-Party tools heavily used 4

5. Participant Recruitment • 13 developers interviewed • Recruited through craigslist and Meetups • $20 for one-hour interview 5

6. Participant Demographics • Variety of revenue models • Advertising • Subscription • Pay-per-use • Non-Profit • Seven different states • Small company size well-represented 6

7. Tools impact privacy and security • Interviewees do: • Use cloud computing • Use authentication tools such as Facebook • Use analytics such as Google and Flurry • Use open source tools such as mysql 7

8. Tools not used • Interviewees don‟t use or are unaware of: • Use privacy policy generators • Use security audits • Read third-party privacy policies • Delete data 8

9. 9

10. On-line surveys • 228 app developers • Paid $5 (avg: 15 minutes) • Recruited through craigslist, reddit, Facebook, backpage.com • Developer demographics • Majority were „Programmer or Software Engineer‟ or „Product or Project Manager‟ • Avg age: 30 (18-50 years) 10

11. Company demographics • Platforms • iOS (62%) • Android (62%) • Windows (17%) • Blackberry (4%) • Palm (3%) • Large Company Size well-represented 11

12. Data collected or stored Behavior Collect or Store Parameters specific to my app 84% Which apps are installed 74% Location 72% Sensor information (not location-related) 63% 12

13. Privacy and security behaviors Behavior Percent Use SSL 84% Encrypt everything (all data collected) 57% Have CPO or equivalent 78% Privacy Policy on website 58% 13 • Room for improvement!

14. Company size and behaviors 14

15. Who do you turn to? 15

16. Who do you turn to? 16

17. Ad and analytics heavily used • 87.4% use at least one analytics company • 86.5% use at least one advertising company 17

18. Third-party tools 18

19. How Familiar Are You With The Types Of Data Collected By Third-Party Tools 19

20. Findings • Small companies lack privacy and security behaviors • Free or quick tools needed • Usable tools needed • Small company developers rely on social ties for advice • Opportunities for intervention in social networks • Legalese hinders reading and writing of privacy policies • Third-Party tools heavily used • Third-party tools should be explicit about data handling 20

21. balebako@cmu.edu Questions?

22. Privacy Policies Are Not Considered Useful “I haven‟t even read [our privacy policy]. I mean, it‟s just legal stuff that‟s required, so I just put in there.” – P4 22

23. Developers have time and resource constraints • “I don‟t see the time it would take to implement that over cutting and pasting someone else‟s privacy policies.... I don‟t see the value being such that that‟s worth it.” -P10 23

24. Privacy and security behaviors Behavior Percent Use SSL 83.8% Encrypt data on phone 59.6% Encrypt data in database 53.1% Encrypt everything (all data collected) 57.0% Revenue from advertising 48.2% Have CPO or equivalent 78.1% Privacy Policy on website 57.9% 24

25. Ad and analytics Ad or analytic provider percent Google analytics 82% Google ads 64% Flurry analytics 17% No ads 13% No analytics 13% 25

26. Advice 26

Editor's Notes

Presented at USEC 2014http://www.usecap.org/usec14.html
Opportunities to teach So what or now what? Call to action- usable tools- third-party librarues
Discarded 232 results.
1 employee: 5%2-9 employees: 15%10-30 employees: 20%31-100 employees: 48%100+ employees: 12%
We found that the size of a company does help determinewhether they have a CPO (2 test p< 0.001), whether they havea privacy policy (2 tests p=.002), and whether they encrypteverything (2 tests p< 0.001). However, the company sizewas not correlated with SSL using the conservative correctedsignificance level (2 tests p=.009).
“Who, if anyone, doyou turn to when you have questions about consumer privacy and security?”
“Who, if anyone, doyou turn to when you have questions about consumer privacy and security?”Options included: Developers from meetups, developers within my company, lawert within and outside companyKruskal-Wallis test p<.0001
most app developers (87.4\%) used at least one analytics company, with one in five using two or more analytics companies.Most apps also used an advertising company: 86.5\% selected one or more advertising companies in use, using on average 1.78 ad companies (SD=1.33).
Many tools or documents that help app developers make privacy decisions discuss third-party data sharing. For example, The CA AG recommendation says that app developers should…
This is indicates that users are confused about the term ‘third-party tools’ and that tools and documents should clarify that these include ads and analyticsPie chart fonts are to small to see
Ooputunities to teach So what or now what? Call to action - usable tools- third-party librarues
most app developers (87.4\%) used at least one analytics company, with one in five using two or more analytics companies.Most apps also used an advertising company: 86.5\% selected one or more advertising companies in use, using on average 1.78 ad companies (SD=1.33).
Who if anyone, do you turn to when you have questions about privacy and security

The Privacy and Security Behaviors of Smartphone, at USEC 2014

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (7)

Similar to The Privacy and Security Behaviors of Smartphone, at USEC 2014

Similar to The Privacy and Security Behaviors of Smartphone, at USEC 2014 (20)

Recently uploaded

Recently uploaded (20)

The Privacy and Security Behaviors of Smartphone, at USEC 2014

Editor's Notes