Smartphones and privacy: U of T researchers on why we give access to apps
If you hesitate when an app on your phone asks to access your location you鈥檙e not alone.
That鈥檚 according to a new study from 重口味SM researchers that was conducted in four languages and across five continents.
In last week, U of T researchers examined why users choose to grant or deny permission when apps request access to contacts, calendars, microphones and more. The iPhone and Android operating systems give users control over data access when installing an app and during the app鈥檚 operation 鈥 a process known as a 鈥渞untime permission request.鈥
David Lie, a professor in the Edward S. Rogers Sr. department electrical and computer engineering (ECE) in the Faculty of Applied Science & Engineering, says that when the team initially set out to determine which factors influence behaviour, they had no idea user expectations would be so significant.
鈥淎n unexpected request is more than twice as likely to be denied,鈥 Lie says. 鈥淎lso, if there is some explanation for it 鈥 if the app conveys to the user why it needs access to something 鈥 then we see the denial rate cut in half.
鈥淎pp developers and smartphone OS designers should give serious consideration to how they communicate and set expectations with their users, which is more important than previously thought.鈥
The multidisciplinary team of researchers included Lisa Austin, a cross-appointed ECE professor who is also chair in law and technology in the Faculty of Law. Both Austin and Li are also affiliated with the Schwartz Reisman Institute for Technology and Society.
Professors Lisa Austin and David Lie, pictured here prior to the COVID-19 pandemic, are part of a multidisciplinary team behind a new global study that explores the privacy expectations and behaviour of smartphone users (photo by Jessica MacInnis)
To gather data for the study, the team developed an Android app, named PrivaDroid, that runs in the background of each participant鈥檚 phone for 30 days. After each new app installation or runtime permission request, PrivaDroid asks participants whether they expected the request and their rationale behind either granting or denying it.
Using online advertising, they recruited more than 1,700 participants from a variety of countries with contrasting privacy legislation and levels of economic development. Over several months ending in the spring of 2020, PrivaDroid observed more than 36,000 permission events.
鈥淧revious studies were constrained to more artificial environments, where participants come into a lab or are set up with phone that鈥檚 not their own device,鈥 says Lie. 鈥淭his was first time someone has been able to do a global smartphone study 鈥榠n the wild.鈥欌
Past research has shown that factors such as age, gender, country of residence and level of education can influence privacy behaviour.
鈥淥ur study confirms this,鈥 says Lie. 鈥淔or example, women are more cautious about granting permissions than men, and young people grant permissions more often than older ones 鈥 but not as much as you might think.鈥
Another finding was that participants who were rated 鈥榩rivacy sensitive鈥 according to the international Internet Users鈥 Information Privacy Concerns privacy scale have highly variable deny rates 鈥 and nearly 30 per cent of them grant permissions more frequently than average.
鈥淭his gap between stated behaviour and actual behaviour is known as the 鈥榩rivacy paradox,鈥欌 says Lie. 鈥淭his gap would make sense with behaviour one wouldn鈥檛 be proud of, but it鈥檚 hard to see how that applies with privacy. It鈥檚 a puzzle.鈥
Are these people paying lip service to privacy concerns and then prioritizing their own convenience in the moment? The study reveals that this apparent contradictory behaviour is more nuanced.
鈥淭he privacy-sensitive group who granted a lot of permissions said they expected them,鈥 says Lie. 鈥淚t鈥檚 possible they have a better understanding of how and why applications use permissions 鈥 that they鈥檙e avoiding the 鈥榗reepy鈥 apps and installing the more transparent ones.鈥
鈥淪o many complex technical and geopolitical issues converge around privacy,鈥 says Professor Deepa Kundur, chair of ECE. 鈥淭hey truly demand a multidisciplinary approach and a long runway. This smartphone privacy study may be a first in its size, scope and complexity, but hopefully it鈥檚 the first of many.鈥
Though prudence might suggest people deny permissions, 鈥渢hat belies how they actually use their phones,鈥 says Lie. 鈥淚f you really didn鈥檛 want what the app provided, or you thought the developer was malicious, you鈥檇 just uninstall the app. Smartphone users are telling us that clearly communicating expectations builds trust, and trust plays an important role in granting permissions.鈥