Societal Computing Thesis Defense

  • Ph.D. Student
  • Ph.D. Program in Societal Computing, Institute for Software Research
  • Carnegie Mellon University
Thesis Orals

Helping Smartphone Users Manage their Privacy through Nudges

The two major smartphone platforms (Android and iOS) have more than two million mobile applications (apps) available to download from their respective app stores, and each store has seen more than 50 billion apps downloaded. Although apps provide desired functionality by accessing users' personal information, they also access personal information for other purposes (e.g., advertising or profiling) that users may or may not desire. Users can exercise control over how apps access their personal information through permission managers. However, a permission manager alone might not be sufficient to help users manage their app privacy because: (1) privacy is typically a secondary task and thus users might not be motivated enough to take advantage of the permission manager's functionality, and (2) even when using the permission manager, users often make suboptimal privacy decisions due to hurdles in decision making such as incomplete information, bounded rationality, and cognitive and behavioral biases. To address these two challenges, the theoretical framework of this dissertation is the concept of nudges: "soft paternalistic" behavioral interventions that do not restrict choice but account for decision making hurdles. Specifically, I designed app privacy nudges that primarily address the incomplete information hurdle. The nudges aim to help users make better privacy decisions by (1) increasing users' awareness of privacy risks associated with apps, and (2) temporarily making privacy users' primary task to motivate them to review and adjust their app settings.

I evaluated app privacy nudges in three user studies. The first and second studies showed that app privacy nudges are indeed a promising approach to help users manage their privacy. App privacy nudges increased users' awareness of privacy risks associated with apps on their phones, switched users' attention to privacy management, and motivated users to review their app privacy settings. Additionally, the second study suggested that not all app privacy nudge contents equally help users manage their privacy. Rather, more effective nudge contents informed users of: (1) contexts in which their personal information has been accessed, (2) purposes for apps' accessing their personal information, and (3) potential implications of secondary usage of users' personal information. The ongoing third study focuses on user engagement with repeated app privacy nudges and on evaluating approaches that may maintain users' engagement when receiving nudges repeatedly.

The results of this dissertation suggest that mobile operating system providers should enrich their systems with app privacy nudges to assist users in managing their privacy. Additionally, the lessons learned in this dissertation may inform designing privacy nudges in emerging areas such as the Internet of Things.

Thesis Committee:
Norman Sadeh (Chair)
Anind K. Dey (HCII)
Alessandro Acquisti (Heinz)
Adrienne Porter Felt (Google Inc.)
