Mills College
April 2018
by
Kristen M. Cutler
Approved by
Andrew Flores, Ph.D, Interdisciplinary Thesis Advisor, Assistant Professor of Public Policy & Political Science, Mills College
Chinyere Oparah, PhD, Provost & Dean of the Faculty, Mills College
ProQuest Number: 10815490
Published by ProQuest LLC (2018). Copyright of the Dissertation is held by the Author.
Abstract
Smartphone users express a desire to keep their data private; however, most are unaware that
they have limited control over the data collected by their mobile applications. Most are even
unaware of what data is being collected. This lack of transparency and control around privacy
settings is anti-consumer, and users are frequently upset when confronted with the types of
information collected by mobile applications. This leads to backlash against mobile application
developers, damaging relationships with consumers. In order for users to better understand data
inform iOS users of third party applications’ data collection and privacy practices. An evaluation
of PrivacyTrack by testers shows that users are largely unaware of the type of data that common
applications collect. Many users had strong reactions of annoyance to learning this information
during the testing phase. The assessment of PrivacyTrack by testers confirmed that it is an
Table of Contents
1. Introduction
2. Background
3. Related Work
4. Methodology
4.1 Tools
4.2 Design
4.3 Analysis of Privacy Policies
6. Research Contributions
7. Future Work
8. Conclusion
A. Appendix
1. Introduction
The way people communicate has changed drastically with the widespread adoption of
smartphones over the last decade. While mobile phones were largely restricted to making calls or
sending text messages, smartphones can use cellular data or Wi-Fi to send emails, retrieve and
send information, and use applications like WhatsApp [1] and Facebook Messenger [2] to
Smartphones now provide additional functions including taking, editing and storing
photographs, editing documents, posting to social media and obtaining directions. Each activity
is executed by a different application. Some applications, such as Camera, Weather, and Clock, are
pre-installed on a smartphone. These are called native applications. Others can be downloaded
onto a user’s smartphone through a digital distribution platform. These are called non-native
applications. The focus of this research is on non-native applications on Apple smartphones.
In 2017, the Apple App Store held 2.2 million applications developed by third parties [3].
These applications provide users with a wide range of services; however, studies show that users
are generally unaware of what applications do with their personal information [4]. For example,
in 2011, many users were shocked to discover the application Color would turn on the phone’s
microphone without their knowledge. Additionally, in 2016, it was discovered that Uber collects
a phone’s battery percentage [5]. Although an Uber representative said the data was not used to
determine fare prices, this revelation created a controversy around Uber’s data collection
practices. This is a recurring problem in part because smartphone users do not know where to
find information about their applications. This information can be found in an application’s
Common permissions include location, contacts list, microphone and camera. Some
permissions are required for an application to function properly. However, others are not
necessary for functionality. A Privacy Policy outlines all of the ways in which an application
collects and distributes data. It is required for an application to be approved by the Apple App
Store [6].
If a user takes the steps to find the Privacy Policy, the document is frequently long and
complicated. For my thesis, I have built an iOS application, PrivacyTrack, designed to inform
iOS users of third party applications’ data collection and privacy practices. The term iOS is the
abbreviation for the iPhone Operating System. It refers to the mobile operating system created by
Apple. PrivacyTrack provides users with a list where they can add their third party applications.
For each application in the list, there is a corresponding page that displays relevant information
regarding that application’s Privacy Policy. PrivacyTrack also provides a section for users to learn
2. Background
The Privacy Policy is the primary source of information about an organization's data collection
practices. In the late 1990s and early 2000s, internet companies started to add Privacy Policies to
their websites [7]. Companies did this in order to bypass legislative regulation [7]. The Clinton
Administration created the National Information Infrastructure Task Force (NII) to establish
principles for the collection and use of information [8]. In 1995 and 1997, NII issued documents
that recommended a self-regulatory approach [8, 9]. As a result, no primary piece of legislation
The Federal Trade Commission (FTC), Bureau of Consumer Protection, is the governing
body that ensures organizations uphold their Privacy Policy [10]. The FTC actively protects
consumers by filing complaints against organizations [11]. However, consumer advocacy groups are
dissatisfied with the FTC. Multiple organizations, such as Access Now and the
Electronic Privacy Information Center (EPIC), have emerged to represent consumers and push the FTC to
investigate data breaches [12, 13]. For example, on March 20, 2018, EPIC filed a complaint with
the FTC that urged them to investigate Facebook’s transfer of user data to Cambridge Analytica
[14]. Consumer advocacy organizations illustrate a lack of regulation from the FTC and a need
for changes to privacy laws in the United States. Absent more comprehensive legislation, the
requirement for companies to have a Privacy Policy is mandated by Apple’s App Review
process.
An iOS application is approved for the App Store after it passes the review process.
The Apple App Review process is organized into five sections: Safety, Performance, Business,
Design and Legal [6]. Privacy is only a consideration in the Legal section of the review process,
which explains what applications should do with regard to privacy [6]. It specifies that:
“Data collected from apps may not be used or shared with third parties for purposes
unrelated to improving the user experience or software/hardware performance connected
to the app’s functionality, or to serve advertising in compliance with the Apple Developer
Program License Agreement.” [6]
While this limits what data is used for, there are no provisions regarding what type of data can or
cannot be collected. Additionally, there is no information on how this requirement is enforced.
Therefore, as long as everything is stated in the Privacy Policy, Apple allows applications to
collect any information a developer wants, including sensitive data such as a user’s name, phone
The Privacy Policy can be found in the mobile application itself or it can be found on the
organization’s website. The Privacy Policy for Uber’s iOS application can be found in a drop-down
list under the Legal tab in the sidebar. This document contains three sections: data collected, how
the data is used, and where the information is used [15]. The Privacy Policy is the best source for
Users can also find some of this information by examining and modifying application
permissions. Uber's Privacy Policy has a section called Choice and Transparency. This section
states that users can control the information Uber collects by adjusting their privacy settings and
their device permissions. Uber permissions include Location, Camera, Background App Refresh,
and Cellular Data (see Appendix Figure 1). Permissions for other applications might include
Contacts, Photos, or Microphone. Often permissions are requested from third party
advertisement frameworks and not written by the application developers themselves [16]. While
these two methods exist for finding out what information is being gathered, users are generally
3. Related Work
Many researchers have studied privacy in the Android operating system, but few have examined
Apple's mobile operating system. Currently there is no iOS application that informs users of third
It is important to note that many tools built by researchers require jailbreaking the mobile
phone for the application to work, a process that requires modifying a device by removing
restrictions imposed by the manufacturer or operator [17]. Users jailbreak their devices for many