Skip to main content

CyLab News

Better Design Improves Understanding of Online Privacy Notices: CyLab Researchers Outline Best Practices

posted by Nichole Dwyer
January 13, 2016

Privacy policies for websites, smartphone apps and, especially, components of the emerging Internet of Things are usually ineffective or ignored by users, but CyLab researchers say properly designed privacy notices — pushed out to users at appropriate times — could help remedy that problem. Schaub and colleagues at policy event

For instance, a notice to a smartphone user that an app is trying to access her contact list will be more effective than just telling the user at the time of installation that the app needs to access a contact list, said Florian Schaub, a post-doctoral researcher in CMU's Institute for Software Research.

Schaub and his CMU colleagues distilled research on privacy notices to create a set of best practices for designing them. A Washington, D.C., think tank, the Future of Privacy Forum, has named the report one of the top five research papers on privacy in 2015 and has incorporated it into a digest for legislators and regulators, "Privacy Papers for Policymakers." The digest will be formally released at an event Wednesday evening in the nation's capital.

"There's been lots of research on improving privacy notices, but little guidance on how to design effective notices," Schaub said. "In this work, we've compiled the best practices and have provided a taxonomy and common vocabulary so we can start incorporating these design principles into privacy notices and privacy policies."

Privacy policies disclose how a website or app will gather, use and manage a consumer's or client's data. Despite growing concerns about how online information about individuals is used by various entities, few people actually read these policies, Schaub noted. In the case of the Internet of Things (IoT) — interconnected devices such as smart thermostats, appliances and environmental sensors — most users now have few, if any, means to know if such a device has detected them or to find their privacy policies.

Schaub and his colleagues said one solution to the IoT dilemma is to use secondary channels, such as a smartphone, to let users know an IoT device is collecting information and how that information will be stored or used. In other cases, when computer displays aren't available, the use of audio signals or recordings may provide an alert.

The use of "just in time" notices that are delivered to the user as an app or a website or after such information has been accessed help users better understand what information is being gathered and when.

"A privacy policy is not an effective privacy notice; it is a starting point," Schaub said.

Federal laws or regulations requiring the use of such notices might be helpful in getting broader adoption of the design principles, Schaub said, but many companies already are motivated to provide better notification. Companies that seek consumer data have come to understand that consumers are more likely to share information if they are confident they understand how the information will be used and that the use will benefit them in some way. The researchers' work helps those companies to better integrate usable and informative privacy notices into their products and services.

In addition to Schaub, the research team included Lorrie Faith Cranor, professor of computer science and engineering and public policy and now the chief technologist of the Federal Trade Commission (FTC); and former CMU students Rebecca Balebako, now at the RAND Corp., and Adam Durity, now with Google.

Also this week, eight CMU faculty members, students and alumni will be among the speakers at PrivacyCon, a conference on consumer privacy and data security sponsored by the FTC on Thursday in the Constitution Center in Washington, D.C.

In the photo, Florian Schaub (center) speaks about his paper with his collaborators alumni Rebecca Balebako and Adam Durity. The panel was moderated by Jeff Brueggeman, Vice President-Public Policy and Deputy Chief Privacy Officer, AT&T (left) and also included Washington University Law professor Neil Richards (right).

See all CyLab News articles