On the impact of privacy policy and app permissions linkage on users' disclosure decisions

Baalous, Rawan (2021) On the impact of privacy policy and app permissions linkage on users' disclosure decisions. PhD thesis, University of Glasgow.

Due to Embargo and/or Third Party Copyright restrictions, this thesis is not available in this service.


Older versions of Android (before version 6.0) require users to make privacy decisions during apps installation process. The privacy decision is either to accept all the requested permissions to access user's data and install the app, or stop the installation process. After several years of criticizing this Android permissions model, a new model (run time model) was announced starting from Android Marshmallow. In the run time permissions model, the app is installed regardless of the required permissions. However, when the app needs access to users' private data (dangerous permissions), such as location or contacts, the user is prompted at the time of requesting this data with allow and deny options.
The context of accessing user's data in the run time permissions model may give users more information about the most likely purpose of requesting to access the resource. However, requiring access to user's storage for example after user pressed "upload photo" button, does not mean that the app will only access user's storage for this purpose. After granting this permission, the app may still access user's storage for other legal purposes described in the app's privacy policy. Hence, it is important for the users to know dangerous permissions rationales in order to make more privacy informed decisions. Unfortunately, unlike Apple iOS, Android run time permissions model does not provide an option for including rationales in the standard permission request dialog.
Android apps' privacy policies are still the main channel for providing users with data collection and usage practices. Nevertheless, the length of these policies discourages the majority of users from reading them. Therefore, it would be helpful to know if presenting users with rationales of requesting dangerous permissions extracted from apps' privacy policies would help them make more privacy informed decisions. To achieve this goal, this thesis addresses three challenges.
The first challenge is to do the linkage between privacy policies statements and dangerous permissions used by Android apps in the run time permissions model. To this end, we built a taxonomy of dangerous permissions related phrases presented in Android apps' privacy policies, since no previous work has provided this dataset. We used this dataset as our gold standard.
Given the amount of time and effort needed to build this dataset, the second challenge was to examine if machine learning methods can help in quickly and effectively identifying dangerous permissions relevant phrases in Android apps' privacy policies. In this regard, we discovered the effectiveness of using semantic sentence embedding for dangerous permissions' extraction. We compared the results generated by the sentence embedding model with the gold standard. The results provided insights into the strengths and limitations of sentence embedding in extracting privacy related information from privacy policies text.
Finally, in a user study, we explored the role of dangerous permission type, clarity of dangerous permission rationales extracted from Android app's privacy policies, and clarity of context of the resource accessed on users' disclosure decisions. The knowledge gained from this experiment sheds more light on what users take into consideration when deciding to grant or deny the data collection requests in the Android run time permissions system.

Item Type: Thesis (PhD)
Qualification Level: Doctoral
Additional Information: Due to copyright issues this thesis is not available for viewing.
Keywords: Android, privacy, permissions, privacy policy
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Colleges/Schools: College of Science and Engineering > School of Computing Science
Supervisor's Name: Poet, Mr Ronald
Date of Award: 2021
Depositing User: Mrs Rawan Baalous
Unique ID: glathesis:2021-82059
Copyright: Copyright of this thesis is held by the author.
Date Deposited: 12 Mar 2021 17:16
Last Modified: 19 Aug 2022 15:54
Thesis DOI: 10.5525/gla.thesis.82059
URI: http://theses.gla.ac.uk/id/eprint/82059

Actions (login required)

View Item View Item