A Curious Case of Consent Button [... neither do I want to accept, nor decline ...]

SLIDE 1

A Curious Case of “Consent Button”

[... neither do I want to accept, nor decline ...] Nurul Momen & Lothar Fritsch

Karlstad University

19 July, 2019. HotPETs, KTH, Stockholm

SLIDE 2

I want to find an app to wash my hands ...

Image source: running faucet by Steve Johnson (CC-BY-2.0)

SLIDE 3

What happens next?

◮ Personal data access: a lot more than a user can observe.
◮ Partial identities can be extracted from privilege usage data.

Paper I. How much Privilege does an App Need? Investigating Resource Usage of Android Apps; N Momen, T Pulls, L Fritsch, and S Lindskog; In Proceedings of the Fifteenth International Conference on Privacy, Security and Trust (PST), Calgary, Canada, August 28-30, IEEE, 2017.

Paper II. Derived Partial Identities Generated from App Permissions; L Fritsch, and N Momen; In Proceedings of the Open Identity Summit 2017; Lecture Notes in Informatics (LNI) 277, ISSN 1617-5468, ISBN 978-3-88579-671-8, October 05–06, 2017; Karlstad, Sweden, Gesellschaft für Informatik e.V., 2017.

SLIDE 4

Good and bad behavior of apps

  • 1. Requirement types (price): what does it ask for & how much of the privilege is being used?
  • 2. Legal requirements: does it comply with the regulations?
  • 3. Crowd-sourced user feedback: what do other users think?

SLIDE 5

Let’s judge an app’s behavior ...

  • ix. Fitbit: 20 (9/3/3/T) [Threat count, T=5]

Permission groups: CALENDAR, CALL_LOG, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, STORAGE, SENSORS, SMS

Legend: Permission-groups requested in Manifest. Clarification missing in privacy policy. Permission access without user interaction during runtime.

Paper III: A Multilateral Privacy Impact Analysis Method for Android Apps; M Hatamian, N Momen, L Fritsch, K Rannenberg; In Proceedings of Annual Privacy Forum 2019, Rome, Italy, page 87-106.

SLIDE 6

Let’s compare with other apps ...

  • i. Lifesum: 13 (5/3/4/T) [Threat count, T=1]
  • ii. Endomondo: 9 (5/0/2/T) [Threat count, T=2]
  • iii. 30dayFitnessChal.: 6 (2/2/0/T) [Threat count, T=2]
  • iv. Runkeeper: 19 (6/4/3/T) [Threat count, T=6]
  • v. Pedometer: 13 (6/3/2/T) [Threat count, T=2]
  • vi. MyFitnessPal: 9 (6/2/0/T) [Threat count, T=1]
  • vii. Runtastic: 15 (6/1/4/T) [Threat count, T=4]
  • viii. 7minsWorkout: 6 (2/2/0/T) [Threat count, T=2]
  • ix. Fitbit: 20 (9/3/3/T) [Threat count, T=5]
  • x. GoogleFit: 10 (5/0/3/T) [Threat count, T=2]

Permission groups shown for each app: CALENDAR, CALL_LOG, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, STORAGE, SENSORS, SMS

Legend: Permission-groups requested in Manifest. Clarification missing in privacy policy. Permission access without user interaction during runtime.

Paper III: A Multilateral Privacy Impact Analysis Method for Android Apps; M Hatamian, N Momen, L Fritsch, K Rannenberg; In Proceedings of Annual Privacy Forum 2019, Rome, Italy, page 87-106.

SLIDE 7

But, apps change requirements!

[Figure: timeline (t) marked Mar 2017, Nov 2017, GDPR May 25, 2018, Dec 2018, Feb 2019. Labels: Data collection, Pre-GDPR collection, Post-GDPR collection, Quarantine period. Data collected in each period: Permission use, Permission manifest, User concerns.]

Overview of data collection periods.

Paper IV: Did app privacy improve after GDPR? N Momen, M Hatamian, L Fritsch; To appear in IEEE Security Privacy Magazine 2019.

SLIDE 8

Change of privilege-requirements

[Figure: permission groups (columns: CALENDAR, CALL_LOG, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, SENSORS, SMS, STORAGE) against 50 apps (rows). Legend: Reduced, Not used, Added, In use.]

Apps shown, by category:

  • Communication apps: Telegram (50), Viber (49), Tango (48), Skype (47), Messenger (46), Imo (45), WeChat (44), Line (43), Hangout (42), WhatsApp (41)
  • Social apps: Facebook (40), Instagram (39), Twitter (38), Snapchat (37), Slack (36), Pinterest (35), Foursquare (34), Linkedin (33), Tumblr (32), TikTok (31)
  • Fitness apps: Runkeeper (30), Pedometer (29), Runtastic (28), Lifesum (27), Endomondo (26), 30dayFitness (25), Fitbit (24), 7 minWorkout (23), MyFitnessPal (22), GoogleFit (21)
  • Weather apps: weather.com (20), Accuweather (19), WeatherApp (18), GoWeather (17), WeatherBug (16), Weather&Clock (15), YahooWeather (14), PalmaryWeather (13), Yr (12), Weather&Radar (11)
  • Music apps: Spotify (10), SoundCloud (9), Shazam (8), Tidal (7), SongFlip (6), BBCiPlayer (5), Deezer (4), PlayMusic (3), JangoRadio (2), iHeartRadio (1)

Paper IV: Did app privacy improve after GDPR? N Momen, M Hatamian, L Fritsch; To appear in IEEE Security Privacy Magazine 2019.

SLIDE 9

Change of privilege usage pattern

[Figure: values on a scale from 10 to 100 for each permission group (CALENDAR, CALL_LOG, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, SENSORS, SMS, STORAGE) and each of the same 50 apps as on slide 8, grouped into communication, social, fitness, weather and music apps.]

Paper IV: Did app privacy improve after GDPR? N Momen, M Hatamian, L Fritsch; To appear in IEEE Security Privacy Magazine 2019.

SLIDE 10

Wait, wait ... That’s a lot to consider!

How can a user re-evaluate decisions taken earlier with ease?

SLIDE 11

Confused?

I don’t know!

Accept Maybe Decline

SLIDE 12

Confused?

I don’t know! So, maybe?

Accept Maybe Decline

Paper V: Partial Commitment–“Try Before You Buy” and “Buyer’s Remorse” for Personal Data in Big Data Machine Learning; L Fritsch; IFIP International Conference on Trust Management, page 3-11.

SLIDE 13

Partial commitment

Consent with an expiry date. Consent for a subset of data. Consent for limited access.

SLIDE 14

At expiration?

Evaluation of privacy-preserving-performance. Decision to continue or revoke access. Intervenability.
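
One way to model the partial commitment of slides 13 and 14 in code, added here as an illustration and not taken from the talk or the cited papers. The class, its field names and the sample scenario are assumptions: a grant carries an expiry date, a subset of permission groups and an access budget, and at expiration it reports the cues for the continue-or-revoke decision.

```python
# Added illustration (not from the talk): every name here is hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PartialConsent:
    """One grant: expiry date, subset of data, limited number of accesses."""
    app: str
    groups: frozenset          # permission groups the user agreed to
    expires: datetime          # consent with an expiry date
    max_accesses: int          # consent for limited access
    used: int = 0
    denied: int = 0            # attempts outside the grant, kept as a cue

    def request(self, group: str, now: datetime) -> bool:
        """Allow an access only while all three limits hold."""
        ok = (now < self.expires
              and group in self.groups
              and self.used < self.max_accesses)
        if ok:
            self.used += 1
        else:
            self.denied += 1
        return ok

    def review(self, now: datetime) -> dict:
        """Cues for the continue-or-revoke decision at expiration."""
        return {"expired": now >= self.expires, "used": self.used,
                "budget": self.max_accesses, "denied_attempts": self.denied}

    def renew(self, now: datetime, days: int) -> None:
        """User chose to continue: new expiry date and a fresh budget."""
        self.expires = now + timedelta(days=days)
        self.used = self.denied = 0


def demo() -> list:
    """Constructed scenario: a fitness app granted LOCATION for 30 days."""
    t0 = datetime(2019, 7, 19)
    c = PartialConsent("fitness-app", frozenset({"LOCATION"}),
                       t0 + timedelta(days=30), max_accesses=2)
    log = [c.request("LOCATION", t0),                       # within the grant
           c.request("CONTACTS", t0),                       # outside the subset
           c.request("LOCATION", t0 + timedelta(days=1)),   # within the grant
           c.request("LOCATION", t0 + timedelta(days=2)),   # budget spent
           c.request("LOCATION", t0 + timedelta(days=31))]  # after expiry
    return log + [c.review(t0 + timedelta(days=31))]
```

Revoking is the default in this model: unless `renew` is called, every request after the expiry date is refused.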

SLIDE 15

Wrapping up ...

Problems:

◮ Leaving the data-tap open.
◮ Poor means for monitoring.
◮ Consent for eternity.

Looking ahead:

◮ Methods to determine privacy-impact assessment cues.
◮ Burdensome responsibility to assess the cues.
◮ Starting a discussion about partial commitment.

SLIDE 16

Questions & discussion

Contacts:

  • 1. Nurul Momen, PhD Candidate, PriSec, Computer Science Dept. Karlstad University. email: nurul.momen@kau.se
  • 2. Lothar Fritsch, Associate Professor, PriSec, Computer Science Dept. Karlstad University. email: lothar.fritsch@kau.se

References:

Paper I: How much Privilege does an App Need? Investigating Resource Usage of Android Apps; N Momen, T Pulls, L Fritsch, and S Lindskog; In Proceedings of the Fifteenth International Conference on Privacy, Security and Trust (PST), Calgary, Canada, August 28-30, IEEE, 2017.

Paper II: Derived Partial Identities Generated from App Permissions; L Fritsch, and N Momen; In Proceedings of the Open Identity Summit 2017; Lecture Notes in Informatics (LNI) 277, ISSN 1617-5468, ISBN 978-3-88579-671-8, October 05–06, 2017; Karlstad, Sweden, Gesellschaft für Informatik e.V., 2017.

Paper III: A Multilateral Privacy Impact Analysis Method for Android Apps; M Hatamian, N Momen, L Fritsch, K Rannenberg; In Proceedings of Annual Privacy Forum 2019, Rome, Italy, page 87-106.

Paper IV: Did app privacy improve after GDPR? N Momen, M Hatamian, L Fritsch; To appear in IEEE Security Privacy Magazine 2019.

Paper V: Partial Commitment–“Try Before You Buy” and “Buyer’s Remorse” for Personal Data in Big Data Machine Learning; L Fritsch; IFIP International Conference on Trust Management, page 3-11.