Three CyLab papers presented at the FTC’s PrivacyCon 2020
Daniel Tkacik
Jul 24, 2020
One of the most important aspects of privacy research is its communication to lawmakers so that key findings can be applied to make a positive impact on people’s privacy. This is exactly why the Federal Trade Commission (FTC) hosts PrivacyCon, an annual meeting between academics and policymakers to share the latest advances in privacy research.
CyLab researchers presented three of their privacy research papers at this year’s meeting, held virtually this week.
Privacy and security “nutrition labels”
CyLab postdoctoral researcher Pardis Emami-Naeini presented a study that led to the development of a prototype privacy and security nutrition label, which is designed to be placed on a device’s packaging so shoppers can learn about its privacy and security practices before making the decision to buy.
“We include some of the important information about the IoT devices that the IoT companies are not disclosing to consumers such as access control, sensor type, data sharing, and data selling,” Emami-Naeini said during her presentation.
The team behind the label consulted with a group of 22 security and privacy experts across industry, academia, and government to help inform its design. The label performed well in user tests, with some stating that they would be more likely to buy a device whose packaging included the label than one that didn’t.
Emami-Naeini’s whole presentation can be seen starting at the 2:48:00 mark in the FTC’s video recap. Read more about the label and study.
Perceptions of advanced video analytics
CyLab’s Aerin Zhang, a Ph.D. student in the Language Technologies Institute in the School of Computer Science, presented a study about people’s perceptions of advanced video analytics used with facial recognition algorithms.
There are billions of cameras around the world, Zhang said during her presentation, some of which can automatically detect your face and identify who you are, what mood you’re in, or what market demographic you fall into so a specific ad can be placed on a billboard for you to see. Yet these practices are rarely disclosed to bystanders, despite privacy regulations.
Zhang and her co-authors conducted a survey aiming to learn if people are aware of various video analytics scenarios, how they feel about them, and what choices they would make if they had the ability to decide whether or not to accept the capture and processing of their footage.
“People generally were not aware that video analytics could be used for so many different purposes at such a diverse set of venues and with such powerful capabilities,” Zhang said during her PrivacyCon presentation. “Our study also shows that there’s no scenario that everybody feels uniformly about. People’s responses vary greatly both within and across scenarios.”
The researchers will use the results from their study to inform the development of Personalized Privacy Assistants, implemented as mobile apps designed to selectively notify people about the presence of different video analytics scenarios and to give people access to privacy choices, such as the ability to consent or not to the capture and processing of their footage for different purposes.
Zhang’s PrivacyCon talk can be seen starting at the 41:00 mark in the FTC’s video recap.
Why is it so hard to make privacy choices online?
CyLab’s Hana Habib, a Ph.D. student in Societal Computing, presented two studies focused on making privacy choices online. In the first study, she and her co-authors performed an empirical analysis of privacy choices on the top 150 most popular websites, and found major inconsistencies in the ways websites offered the choices, making the process of finding them confusing and cumbersome.
In the second study, Habib and her co-authors asked volunteers to come into their lab so they could observe real, average users accessing privacy choices online. Unsurprisingly, but worth documenting, average users find it very difficult to find many of the privacy choices available on various websites.
“It’s a scavenger hunt,” noted one study participant.
Using these results, Habib’s team compiled a set of recommendations for companies to make privacy choices easier to find and use, such as standardizing where choices are found on websites. The team also recommended making choices accessible from multiple paths on the website, leading the user to a standard location from multiple places.
Habib’s PrivacyCon presentation can be seen starting at the 2:28:00 mark in the FTC’s video recap.
Paper references
Ask the Experts: What Should Be on an IoT Privacy and Security Label?
- Pardis Emami-Naeini, Carnegie Mellon University
- Yuvraj Agarwal, Carnegie Mellon University
- Lorrie Faith Cranor, Carnegie Mellon University
- Hanan Hibshi, Carnegie Mellon University
Understanding People’s Privacy Attitudes Towards Video Analytics Technologies
- Shikun “Aerin” Zhang, Carnegie Mellon University
- Yuanyuan Feng, Carnegie Mellon University
- Anupam Das, NC State (formerly CyLab)
- Lujo Bauer, Carnegie Mellon University
- Lorrie Cranor, Carnegie Mellon University
- Norman Sadeh, Carnegie Mellon University
An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites
- Hana Habib, Carnegie Mellon University
- Yixin Zou, University of Michigan
- Aditi Jannu, Carnegie Mellon University
- Neha Sridhar, Carnegie Mellon University
- Chelse Swoopes, Carnegie Mellon University
- Alessandro Acquisti, Carnegie Mellon University
- Lorrie Faith Cranor, Carnegie Mellon University
- Norman Sadeh, Carnegie Mellon University
- Florian Schaub, University of Michigan
“It’s a scavenger hunt”: Usability of Websites’ Opt-Out and Data Deletion Choices
- Hana Habib, Carnegie Mellon University
- Sarah Pearman, Carnegie Mellon University
- Jiamin Wang, Carnegie Mellon University
- Yixin Zou, University of Michigan
- Alessandro Acquisti, Carnegie Mellon University
- Lorrie Faith Cranor, Carnegie Mellon University
- Norman Sadeh, Carnegie Mellon University
- Florian Schaub, University of Michigan