Modern mobile operating systems implement an ask-on-first-use policy to regulate applications’ access to private user data: the user is prompted to allow or deny access to a sensitive resource the first time an app attempts to use it. Prior research shows that this model may not adequately capture user privacy preferences because subsequent requests may occur under varying contexts. To address this shortcoming, LERSSE’s PhD student Primal Wijesekera led a collaborative project with Dr. Egelman’s Berkeley Laboratory for Usable and Experimental Security (BLUES) to implement a novel privacy management system in Android, in which contextual signals are used to build a classifier that predicts user privacy preferences under various scenarios. A 37-person field study was employed to evaluate this new permission model under normal device usage. From the exit interviews and collection of over 5 million data points from participants, we show that this new permission model reduces the error rate by 75% (i.e., fewer privacy violations), while preserving usability. This research offers guidelines for how platforms can better support user privacy decision making.
Primal will be presenting this research at the ACM SIGCHI conference in May.
More details about the study and findings can be found in the paper, which was chosen by the CHI Technical Program Committee as one of the top 5% of papers in the program.