
Collaborative Research: SaTC: CORE: Small: Measuring, Validating and Improving upon App-Based Privacy Nutrition Labels

$219,996 | FY2023 | CSE | NSF

George Washington University, Washington DC

Investigators

Abstract

Smartphones collect a large amount of personal data as people use them, which can cause privacy violations when smartphone applications (“apps”) use or share the data in ways people don’t expect. Existing text-based privacy policies are hard to read and make sense of, making it hard for people to understand what a mobile app will do with their data. This has led major app stores to require apps to use standardized “privacy labels”—akin to nutrition labels—to help people make informed choices about the apps they use; however, it is unclear how well these labels work in the real world. This project will attack this question by studying how privacy labels work for three main groups: app developers who must select correct labels for their apps; app store administrators who create the policies and standards for the labels; and end users who must use them to make privacy decisions. The team will also analyze mobile apps to see how well they adhere to the promises made by their privacy labels, and how both people’s understanding of privacy labels and apps’ adherence to them change over time. Together the work will lead to better understanding, design, and use of privacy labels for both regulators and people who use mobile apps.

To address these questions, the project will apply a mixed-methods approach. For studying end users, the research team will perform iterative usability testing and longitudinal comprehension studies to gauge understanding of these new privacy labels and how it changes over time. The team will also use factorial vignettes analyzed by multivariate regressions to identify factors of both existing and hypothetical privacy label designs that might impact user decision making around installing, using, and granting permissions to apps.
For studying developers and platforms, the team will conduct quantitative measurement studies using a “privacy label observatory” that will periodically collect a number of versions of both apps and their privacy labels, using dynamic software analysis of the apps to determine their use of private information. This will help answer questions about whether privacy labels become more accurate over time as developers become more familiar with them, as well as how the app ecosystem reacts to events like regulatory or company policy changes and enforcement actions.

The primary outcomes of this project will be empirical data on whether these new privacy tools are working, how and why they might be failing both app developers and consumers alike, and how platforms can improve their design to make them more effective. This will include public datasets about current and historical usage of privacy labels, as well as design patterns and policy recommendations for improving the state of privacy labels and mobile app privacy.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
