
A New Hope: Contextual Privacy Policies for Mobile Applications and An Approach Toward Automated Generation (2402.14544v2)

Published 22 Feb 2024 in cs.CR and cs.SE

Abstract: Privacy policies have emerged as the predominant approach to conveying privacy notices to mobile application users. In an effort to enhance both readability and user engagement, the concept of contextual privacy policies (CPPs) has been proposed by researchers. The aim of CPPs is to fragment privacy policies into concise snippets, displaying them only within the corresponding contexts within the application's graphical user interfaces (GUIs). In this paper, we first formulate CPP in the mobile application scenario, and then present a novel multimodal framework, named SeePrivacy, specifically designed to automatically generate CPPs for mobile applications. This method uniquely integrates vision-based GUI understanding with privacy policy analysis, achieving 0.88 precision and 0.90 recall to detect contexts, as well as 0.98 precision and 0.96 recall in extracting corresponding policy segments. A human evaluation shows that 77% of the extracted privacy policy segments were perceived as well-aligned with the detected contexts. These findings suggest that SeePrivacy could serve as a significant tool for bolstering user interaction with, and understanding of, privacy policies. Furthermore, our solution has the potential to make privacy notices more accessible and inclusive, thus appealing to a broader demographic. A demonstration of our work can be accessed at https://cpp4app.github.io/SeePrivacy/
