Two CyLab papers presented at the FTC’s PrivacyCon 2021

Daniel Tkacik

Jul 29, 2021


Each year, the Federal Trade Commission (FTC) hosts PrivacyCon, which brings together policymakers and academic researchers to share and discuss the latest research related to consumer privacy and data security. The FTC selected fewer than 20 papers to be presented at this year’s PrivacyCon, and two of them were written by CyLab researchers.

Privacy and security labels effectively convey risk

Pardis Emami-Naeini, a former CyLab Ph.D. student who is now a postdoctoral researcher at the University of Washington, presented her study on the effectiveness of a privacy and security “nutrition label” in conveying risk to consumers.

In their study, the researchers presented 1,371 participants with several randomly assigned scenarios about the purchase of a smart device. In each scenario, participants were asked to imagine purchasing a smart device (e.g., a smart speaker or a smart light bulb) for themselves, for a friend, or for a family member. Each scenario ended by telling participants that a label on the device's package discloses a single privacy or security practice of the device. Participants were then asked how the information on the label would change their risk perception and their willingness to purchase, and to explain their reasoning.

“In general, we found that people accurately perceived the risk associated with the vast majority of attributes that we tested for, and their perceptions influenced their willingness to purchase devices,” says Emami-Naeini. “Our findings pave the path to an improved IoT privacy and security label, which can ultimately lead to a safer and more secure IoT ecosystem.”

Read more about their study.

It’s time to make opting out easy

CyLab's Siddhant Arora, an M.S. student in the Language Technologies Institute, presented his study showing how machine learning can be used to automatically extract privacy choices from privacy policies, which research has shown no one reads comprehensively anyway.

The team, led by CyLab’s Norman Sadeh, a professor in the Institute for Software Research and principal investigator of the Usable Privacy Policy Project, trained a machine learning algorithm to scan privacy policies and identify language and links related to opt-out choices. They ran their algorithm on 7,000 of the most popular websites and found that over 3,600 of them (~ 51 percent) contain zero opt-out choices. A little over 800 (~ 11 percent) provide just one opt-out hyperlink.

To help make opt-out choices more accessible to users, the team developed a browser extension called Opt-Out Easy in collaboration with the University of Michigan School of Information. The extension is now available to Chrome users.

“Our study aimed to provide an in-depth overview of whether popular websites allowed users the ability to opt out of some data collection and use practices,” Sadeh says. “In addition, we wanted to also develop a practical solution to help users access opt-out choices made available to them when such choices are present.”

Read more about their study and the Opt-Out Easy browser extension.

Paper references

Which Privacy and Security Attributes Most Impact Consumers’ Risk Perception and Willingness to Purchase IoT Devices?

Finding a Choice in a Haystack: Automatic Extraction of Opt-Out Statements from Privacy Policy Text

  • Vinayshekhar Bannihatti Kumar, Carnegie Mellon University (CMU)
  • Roger Iyengar, CMU
  • Namita Nisal, University of Michigan (UM)
  • Yuanyuan Feng, CMU
  • Hana Habib, CMU
  • Peter Story, CMU
  • Sushain Cherivirala, CMU
  • Margaret Hagan, Stanford University
  • Lorrie Faith Cranor, CMU
  • Shomir Wilson, Penn State University
  • Florian Schaub, UM
  • Norman Sadeh, CMU