Collaborative Research: SaTC: CORE: Small: Measuring, Validating and Improving upon App-Based Privacy Nutrition Labels

合作研究：SaTC：核心：小型：测量、验证和改进基于应用程序的隐私营养标签

• 批准号: 2247952
• 负责人: Adam Aviv
• 金额: $ 20万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-06-01 至 2026-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2247952&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

Smartphones collect a large amount of personal data as people use them, which can cause privacy violations when smartphone applications (“apps”) use or share the data in ways people don’t expect. Existing text-based privacy policies are hard to read and make sense of, making it hard for people to understand what a mobile app will do with their data. This has led major app stores to require apps to use standardized “privacy labels”—akin to nutrition labels—to help people make informed choices about the apps they use; however, it is unclear how well these labels work in the real world. This project will attack this question by studying how privacy labels work for three main groups: app developers who must select correct labels for their apps; app store administrators that create the policies and standards for the labels; and end users who must use them to make privacy decisions. The team will also analyze mobile apps to see how well they adhere to the promises made by their privacy labels, and how both people’s understandings of privacy labels and apps’ adherence to them changes over time. Together the work will lead to better understanding, design, and use of privacy labels for both regulators and people who use mobile apps. To address these questions, the project will apply a mixed-methods approach. For studying end users, the research team will perform iterative usability testing and longitudinal comprehension studies to gauge understanding of these new privacy labels and how it changes over time. The team will also use factorial vignettes analyzed by multivariate regressions to identify factors of both existing and hypothetical privacy label designs that might impact user decision making around installing, using, and granting permissions to apps. For studying developers and platforms, the team will conduct quantitative measurement studies using a “privacy label observatory” that will periodically collect a number of versions of both apps and their privacy labels, using dynamic software analysis of the apps to determine their use of private information. This will help answer questions about whether privacy labels become more accurate over time as developers become more familiar with them, as well as how the app ecosystem reacts to events like regulatory or company policy changes and enforcement actions. The primary outcomes of this project will be empirical data on whether these new privacy tools are working, how and why they might be failing both app developers and consumers alike, and how platforms can improve their design to make them more effective. This will include public datasets about current and historical usage of privacy labels, as well as design patterns and policy recommendations for improving the state of privacy labels and mobile app privacy.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

智能手机在人们使用时会收集大量个人数据，这可能会在智能手机应用程序（“应用程序”）使用或以人们不期望的方式使用数据时造成侵犯隐私。现有的基于文本的隐私政策很难阅读和理解，因此人们很难理解移动应用程序对他们的数据的作用。这导致主要的应用商店要求应用程序使用标准化的“隐私标签”（Akin到营养标签），以帮助人们对他们使用的应用做出明智的选择；但是，目前尚不清楚这些标签在现实世界中的表现如何。该项目将通过研究隐私标签如何适合三个主要组工作来攻击这个问题：必须为其应用选择正确标签的应用程序开发人员； App Store管理员创建标签的策略和标准；以及必须使用它们做出隐私决策的最终用户。该团队还将分析移动应用程序，以了解他们遵守其隐私标签的承诺，以及两个人对隐私标签和应用程序对它们的调整的理解如何随着时间而变化。这项工作将为监管机构和使用移动应用程序的人员提供更好的理解，设计和使用隐私标签。为了解决这些问题，该项目将采用混合方法。对于研究最终用户，研究团队将进行迭代可用性测试和纵向理解研究，以评估对这些新的隐私标签的理解及其随时间变化。该团队还将使用由多元回归分析的阶乘小插图来确定现有和假设隐私标签设计的因素，这些因素可能会影响用户决策，围绕安装，使用和授予应用程序的权限。对于研究开发人员和平台，该团队将使用“隐私标签观察”进行定量测量研究，该研究将定期收集应用程序及其隐私标签的许多版本，并使用应用程序的动态软件分析来确定其私人信息的使用。这将有助于回答有关随着开发人员越来越熟悉的隐私标签是否变得更加准确的问题，以及应用程序生态系统如何对诸如监管或公司政策变化和执法行动等事件等事件的反应。该项目的主要结果将是有关这些新的隐私工具是否有效的经验数据，如何以及为什么使应用程序开发人员和消费者都失败，以及平台如何改善其设计以使其更有效。这将包括有关隐私标签当前和历史使用情况的公共数据集，以及改善隐私标签状况和移动应用程序隐私的设计模式和政策建议。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子优点和更广泛的影响审查标准来通过评估来通过评估来支持的。