Date of Award

Fall 9-2014

Embargo Period

7-15-2016

Degree Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Engineering and Public Policy

Advisor(s)

Lorrie Faith Cranor

Abstract

As smartphones become more ubiquitous, increasing amounts of information about smartphone users are created, collected, and shared. This information may pose privacy and security risks to the smartphone user. The risks may vary from government surveillance to theft of financial information. Previous work in the area of smartphone privacy and security has both identified specific security flaws and examined users’ expectations and behaviors. However, there has not been a broad examination of the smartphone ecosystem to determine the risks to users from smartphone data sharing and the possible mitigations. Two of the five studies in this work examine the smartphone data sharing ecosystem to identify risks and mitigations. The first study uses multi-stakeholder expert interviews to identify risks to users and the mitigations. A second study examines app developers in order to quantify the risky behaviors and identify opportunities to improve security and privacy. In the remaining three of five studies discussed in this work, we examine one specific risk mitigation that has been popular with policy-makers: privacy notices for consumers. If done well, privacy notices should inform smartphone users about the risks and allow them to make informed decisions about data collection. Unfortunately, previous research has found that existing privacy notices do not help smartphone users, as they are neither noticed nor understood. Through user studies, we evaluate options to improve notices. We identify opportunities to capture the attention of users and improve understanding by examining the timing and content of notices. Overall, this work attempts to inform public policy around smartphone privacy and security. We find novel opportunities to mitigate risks by understanding app developers’ work and behaviors. Also, recognizing the current focus on privacy notices, we attempt to frame the debate by examining how users’ attention to and comprehension of notices can be improved through content and timing.

Share

COinS