MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck, Sebastian; Story, Peter; Smullen, Daniel; Ravichander, Abhilasha; Wang, Ziqi; Reidenberg, Joël R.; Russell, N. Cameron; Sadeh, Norman

doi:10.2478/popets-2019-0037

Cited by 117 publications

(149 citation statements)

References 37 publications

Supporting

Mentioning

146

Contrasting

Order By: Relevance

“…While there is research on making PPs understandable for end users [34,58,72], there is minimal research on helping developers craft PPs. The lack of support can be seen in the wild, where there are still numerous apps without PPs [77] as well PPs that contain misleading and contradictory statements [7]. In our data, many questions ask for help creating privacy policies.…”

Section: Supporting Privacy Policy Creation Tasksmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacyrelated questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

show abstract

Section: Supporting Privacy Policy Creation Tasksmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…Overall, our results show that menstruapps employ slightly better privacy practices than those in healthrelated apps or the general app ecosystem [12,31,53,57]. Yet, these apps still have a significant number of issues that could lead to serious consequences given the data they handle consists of information like sexual orientation, menstruation and pregnancy.…”

Section: Discussionmentioning

confidence: 93%

“…Comparatively, menstruapps perform better than average in the market. Zimmeck et al [57] studied the privacy policies of 1 million apps and found that only 50% had policies linked in the Play Store.…”

Section: Policy Availabilitymentioning

confidence: 99%

How private is your period?: A systematic analysis of menstrual app privacy policies

Shipp

Blasco

2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Menstruapps are mobile applications that can track a user’s reproductive cycle, sex life and health in order to provide them with algorithmically derived insights into their body. These apps are now hugely popular, with the most favoured boasting over 100 million downloads. In this study, we investigate the privacy practices of a set of 30 Android menstruapps, a set which accounts for nearly 200 million downloads.We measured how the apps present information and behave on a number of privacy related topics, such as the complexity of the language used, the information collected by them, the involvement of third parties and how they describe user rights. Our results show that while common pieces of personal data such as name, email, etc. are treated appropriately by most applications, reproductive-related data is not covered by the privacy policies and in most cases, completely disregarded, even when it is required for the apps to work. We have informed app developers of our findings and have tried to engage them in dialogue around improving their privacy practices.

show abstract

“…In order to achieve compliance for data transfer requests, major tech companies started the Data Transfer Project (DTP) with the goal of connecting any two participating services for the purpose of transferring data upon a user's request from one service to another [8]. Various academic work on compliance analysis seeks, among others, to identify software implementations that are contradictory to privacy laws, e.g., by identifying discrepancies between privacy practices described (or omitted) in privacy policies and actual code functionality [18,28,29,31,32].…”

Section: The Emerging Privacy Tech Industrymentioning

confidence: 99%