People are Shocked — Shocked! — When They Learn Just How Much Mobile Data They Share

• By Dian Schaffhauser
• 04/06/15

Knowledge apparently really is power. When people learn just how often their smartphone apps share their information with third parties, they put a stop to it. And if they're reminded by their phones, they'll put a stop to it even more often. According to "Your Location Has Been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging," a research paper shortly to be published by Carnegie Mellon University researchers, smartphone users are oblivious to the amount of data collected by the apps they run on their devices.

The point of the research is to figure out effective ways to get people to pay attention to online privacy, particularly when it involves their mobile devices, which can accumulate a great deal of personal information about them.

In interviews, research subjects were repeatedly surprised when they learned how frequently their personal information was being accessed. "4,182 (times) — are you kidding me?" one participant asked. "It felt like I'm being followed by my own phone. It was scary. That number is too high."

"The vast majority of people have no clue about what's going on," said Norman Sadeh, a professor in the School of Computer Science's Institute for Software Research, who was involved in the research.

To understand how people would respond when they were made aware of what was going on related to their privacy, the study examined the use of app permission managers and "privacy nudges." Permission managers are programs that allow people to set rules on what sensitive information their apps can access. The study specifically used AppOps, an app for Android 4.3 that's no longer available.

The nudges were daily messages sent to users telling them how often information related to their location, contacts or phone calls had been shared. That nudge was the source of the paper's title. In one case, a user was informed, "Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days."

During week one of the study, app behavior data was collected for 23 people as they used their Android mobile devices. In the second week, they were given access to AppOps. In the third week they received the daily nudges that offered details about how often their data was shared by their apps.

According to the researchers, when given access to AppOps, 22 participants collectively reviewed their app permissions 51 times and restricted 272 permissions on 76 different apps. Only one participant failed to review permissions.

But after a few days they reverted to their old practices. And that's when the privacy nudges began arriving, which sent them back to their privacy settings for further action. During this phase, participants reviewed their apps' permissions 69 times, restricted 47 distinct apps from accessing 122 permissions, and permitted six apps access to six permissions.

"App permission managers are better than nothing, but by themselves they aren't sufficient," Sadeh said. "Privacy nudges can play an important role in increasing awareness and in motivating people to review and adjust their privacy settings."

However, neither privacy managers nor nudges are a panacea, he added, since users can become overwhelmed by the settings they must master to gain control over privacy.

As the report suggested, personalized privacy assistants might be the best approach. For example, a personalized nudge could learn which apps a user wishes to share information from and which ones are off limits and then "nudge" the user accordingly. Also the format of the privacy nudge should be taken into consideration. The ones used in the experiment were full screen, which "annoyed some participants." Perhaps, the report's authors suggested, a partial screen size would be more acceptable, especially if it included a "remind me later" option. Finally, because users have different preferences for receiving privacy nudges, customization of timing, frequency and format would be essential.

Research along these lines is progressing. Sadeh said his own research suggests that an app that asks just a few privacy-related questions could predict a user's preferences with 90 percent accuracy.

This research, which will be presented during CHI 2015, the Conference on Human Factors in Computing Systems, in Seoul, was supported by funding from the National Science Foundation, Google, Samsung and Saudi Arabia's King Abdulaziz City for Science and Technology.