CMU Researcher Making Privacy Notices Better For Users

Jan 18, 2016

If a CMU researcher has his way, you might not have to accept a multi-page privacy policy just to download an app.

They come with every new app or piece of software -- they are required to be there by law -- but who actually reads those privacy policy statements that pop up when you are trying to add something to your computer or smartphone?

“Privacy policies that we have at the moment, which are these long legal documents, are important and they play an important role,” said Florian Schaub, post-doctoral researcher at the Carnegie Mellon University Institute for Software Research. “However, these privacy policies are typically not useful to users and are not meaningful to them.”

Schaub has been researching ways to help users pay more attention to the privacy policies of apps, software and websites. He is in the process of building best practices that can be adopted by content creators.

Topping the list is instituting real-time privacy policy notices that break the multi-page privacy statements into short notices that are relevant to what the user is doing at that moment.

“How can these dialogs be integrated into how you interact with an app or with a website so it’s not annoying, so it’s not obtrusive, but it is actually helping you achieve whatever you want to achieve in that moment with that app?”

Facebook and Apple have started to move in this direction.

But Schaub said users need to be able to opt in and out of specific portions of the privacy and data collection policy without causing the entire app to shut down.

“For example, if you are using an app and it wants to access your location because you are looking something up on a map, then of course your location needs to be accessed at that point in time, but when that same app is also tracking your location when you are not even using it, then maybe that is something you are not OK with,” Schaub said.

But why would a company want to potentially miss out on collecting valuable data by helping users know what is in that dense set of legal language? Schaub said there are good reasons for a company to be as transparent as possible.

“If you do something that users might not expect as a company, but you describe it on a privacy policy on your website, if no one reads the privacy policy it’s the same as if you don’t disclose your practices at all,” Schaub said. “So when someone actually starts looking at the privacy policy and these things come out, then there is usually backlash and an outcry in the media and social media.”

Schaub said studies have shown that when users are well informed about data practices, it builds user trust and they are willing to share more data.

Schaub’s work has been hailed by privacy advocates and was included in a discussion on the subject at an industry-wide gathering last week in Washington, D.C.